Hi, I have actually realized I had a rule to omit the IP addresses in local_rules.xml. Now the IP also seems to be written in the output.

These are the logs generated when I log in:

1-) 2010 Mar 22 16:49:15 Rule Id: 5502 level: 3
Location: (server) yyyy->/var/log/secure
Login session closed.
Mar 22 16:49:08 server sshd[8376]: pam_unix(sshd:session): session closed for user xxxx

2-) 2010 Mar 22 16:49:13 Rule Id: 5501 level: 3
Location: (b1-server) yyyy->/var/log/secure
Login session opened.
Mar 22 16:49:06 B1-server sshd[8376]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)

3-) 2010 Mar 22 16:49:13 Rule Id: 5715 level: 3
Location: (b1-server) yyyy->/var/log/secure
Src IP: myipno
SSHD authentication success.
Mar 22 16:49:06 server sshd[8376]: Accepted password for systems from myipno port 45539 ssh2

I have added the rule that Wim suggested and it DOES stop alert number 3 from appearing, but I still get the first 2 alerts. How can I stop these 3 altogether if I enter from the server with IP yyyy?

Thanks.

Özgür Özdemircili
http://www.acikkod.org
Code so clean you could eat off it

On Mon, Mar 22, 2010 at 2:39 PM, dan (ddp) <[email protected]> wrote:
> According to that log (unless you've removed the IP from the message
> instead of obscuring it) there is no recorded IP.
> "Mar 22 11:21:18 server sshd[4012]: pam_unix(sshd:session): session
> opened for user xxxx by (uid=0)"
> If ossec doesn't get the IP in the log, then it will not know about the IP.
> What OS/distro are you using? Are there any logs surrounding the ones
> that set off the alerts here that might be more useful? We can create
> rules around those logs to do what you want, if there are.
>
> On Mon, Mar 22, 2010 at 8:18 AM, Ozgur Ozdemircili <[email protected]> wrote:
> > Hi,
> > I still seem to get the same messages:
> >
> > 2010 Mar 22 10:08:15 Rule Id: 5502 level: 3
> > Location: (server) yyyy->/var/log/secure
> > Login session closed.
> > Mar 22 10:08:13 server sshd[5060]: pam_unix(sshd:session): session closed for user xxxx
> >
> > 2010 Mar 22 10:08:15 Rule Id: 5501 level: 3
> > Location: (server) 94.125.143.164->/var/log/secure
> > Login session opened.
> > Mar 22 10:08:13 server sshd[5060]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)
> >
> > 2010 Mar 22 10:08:13 Rule Id: 5502 level: 3
> > Location: (server) yyyy->/var/log/secure
> > Login session closed.
> > Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session closed for user xxxx
> >
> > 2010 Mar 22 10:08:13 Rule Id: 5501 level: 3
> > Location: (server) yyyy->/var/log/secure
> > Login session opened.
> > Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)
> >
> > I need somehow not to receive alerts if the user xxx is connecting from IP yyyy.
> > Can this be done?
> >
> > Just an update. Now looking at the alert.log I have seen that Src IP is not written. We are using public key auth to connect to servers; is there any reason for the src IP not to be written to the alert log?
> >
> > ** Alert 1269253279.90719: - pam,syslog,authentication_success,
> > 2010 Mar 22 11:21:19 (server) yyyy->/var/log/secure
> > Rule: 5501 (level 3) -> 'Login session opened.'
> > Src IP: (none)
> > User: (none)
> > Mar 22 11:21:18 server sshd[4012]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)
> >
> > Thanks
> >
> > Özgür Özdemircili
> > http://www.acikkod.org
> > Code so clean you could eat off it
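As an added illustration (not a rule from this thread, and not the rule Wim posted, which does not appear here), the following local_rules.xml fragment shows why the three alerts need two different conditions. Alert 3 (rule 5715) comes from the "Accepted password ... from myipno" line, which OSSEC decodes into a Src IP, so it can be keyed on `<srcip>`. Alerts 1 and 2 (rules 5501/5502) come from pam_unix session lines that carry no address at all, and the alert shown above also reports "User: (none)", so neither `<srcip>` nor a decoded-user match can fire on them; the only thing left to match is the message text itself. The placeholders xxxx (account) and yyyy (address) are taken from the thread; the rule ids, group name and descriptions are assumptions of this example.

```xml
<!-- Added example for OSSEC local_rules.xml; not from the mailing-list thread.
     Assumptions: xxxx is the account, yyyy is the source address (both placeholders
     from the thread). Local rule ids must lie in the 100000-119999 range. -->
<group name="local,syslog,sshd,">

  <!-- Alert 3: rule 5715 has a decoded Src IP, so a srcip condition works.
       Level 0 means the event is matched but never alerted on. -->
  <rule id="100100" level="0">
    <if_sid>5715</if_sid>
    <srcip>yyyy</srcip>
    <description>SSH login from the expected address yyyy, not alerted.</description>
  </rule>

  <!-- Alerts 1 and 2: rules 5501/5502 fire on pam_unix lines such as
       "session opened for user xxxx by (uid=0)". Those lines contain no
       address ("Src IP: (none)"), so no srcip test can ever match them, and
       this OSSEC version shows "User: (none)", so the match is on the raw
       message text. Consequence to be aware of: this silences pam_unix
       open/close events for xxxx from every source, not only from yyyy. -->
  <rule id="100101" level="0">
    <if_sid>5501,5502</if_sid>
    <match>for user xxxx</match>
    <description>pam_unix session open/close for xxxx, not alerted.</description>
  </rule>

</group>
```

To check the second rule before restarting, paste one of the pam_unix lines from the alerts above into /var/ossec/bin/ossec-logtest: the output should show rule 100101 being selected at level 0 instead of 5501 or 5502. If you prefer to keep a record of these logins rather than drop them entirely, use a level above 0 but below the alert threshold instead of level 0; the key point from dan's reply stands either way, namely that a rule can only filter on an address that is actually present in the log line.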
