Thanks for the reply.
OK so on the OSSEC server I run /opt/ossec/bin/ossec-logtest and paste in the
syslog entry from the OSSEC agent host that I'd like to trigger an email:
[r...@ossec-server-host ~]# /opt/ossec/bin/ossec-logtest -c /opt/ossec/etc/ossec.conf
<pasting now...>
Apr 29 17:19:45 ossec-agent-host sshd[2798]: pam_unix(sshd:session): session opened for user max by (uid=0)
**Phase 1: Completed pre-decoding.
full event: 'Apr 29 17:19:45 ossec-agent-host sshd[2798]: pam_unix(sshd:session): session opened for user max by (uid=0)'
hostname: ' ossec-agent-host '
program_name: 'sshd'
log: 'pam_unix(sshd:session): session opened for user max by (uid=0)'
**Phase 2: Completed decoding.
decoder: 'pam'
**Phase 3: Completed filtering (rules).
Rule id: '5501'
Level: '3'
Description: 'Login session opened.'
**Alert to be generated.
But no email when I log in to hosts running the OSSEC agent?
Do I have to add extra config on the server or the agent to get the agents'
syslog entries processed?
I noticed some syslog entries on the agent do trigger alerts, eg:
Received From: (ossec-agent-host) 10.1.11.122->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Apr 27 22:12:11 ossec-agent-host postgres[24620]: [2-1] ERROR: database "DB1" already exists
Any ideas where I'm going wrong? It works on the OSSEC server but not on the
agents.
Cheers,
Max
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of dan (ddp)
Sent: 29 April 2010 14:32
To: [email protected]
Subject: Re: [ossec-list] User logged in notification for all agents
That particular alert only fires the first time a user logs into a
server (or it's supposed to anyways).
If you want notifications of when users log in, find a log entry for
the user logging in and create a rule for it.
Use /var/ossec/bin/ossec-logtest to see how the alert is decoded and
if there is currently a rule for it. If there is a rule, you can
either overwrite that rule (using overwrite="yes" in the rule), or
create a rule that uses the <if_sid> parameter.
If you need help, send an example of the logs you are trying to alert
on, along with the ossec-logtest output.
On Thu, Apr 29, 2010 at 5:52 AM, Max Williams <[email protected]> wrote:
> Hi OSSEC List,
>
> I am new to OSSEC. I have it running on a few Linux and Windows hosts with
> more or less the default settings and I am very happy with it.
>
> I notice that when I log in to the OSSEC server I immediately receive an
> email notifying me that someone has logged in:
>
> Received From: [email protected]>/var/log/secure
>
> Rule: 10100 fired (level 4) -> "First time user logged in."
>
> I'd like to receive these notifications for all Linux agents, not just the
> server. How can I achieve this?
>
> "/var/log/secure" is specified for monitoring on both the server and the
> agents already but I only get the email notifications for the server.
>
> TIA and best regards,
>
> Max Williams
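An added example of the `<if_sid>` approach dan describes, written here for illustration and not taken from the thread or from the OSSEC project's own rule files. It builds on the ossec-logtest output Max pasted, where the pam_unix "session opened" line already matches the stock rule 5501 at level 3. It assumes Max's ossec.conf keeps the default `<email_alert_level>7</email_alert_level>`, under which a level-3 alert is written to alerts.log but is never mailed, which is consistent with "Alert to be generated" but no email. The rule id 100100, the group name and the description are constructed values; the file goes in /var/ossec/rules/local_rules.xml on the server (rules are evaluated on the server, so nothing changes on the agents).

```xml
<!-- Added example, not part of the original thread or of the stock OSSEC rules.
     Assumptions: stock rule 5501 ("Login session opened.") matches the pam_unix
     session line as shown in the ossec-logtest output, and ossec.conf uses the
     default email_alert_level of 7. Rule id 100100 is a constructed id taken
     from the local-rules range (100000 and up). -->
<group name="local,syslog,sshd,">

  <!-- Child of 5501: fires whenever 5501 fires for an sshd session-open line.
       Level 7 meets the default email_alert_level, and alert_by_email forces a
       mail even if email_alert_level is later raised above 7. -->
  <rule id="100100" level="7">
    <if_sid>5501</if_sid>
    <match>session opened for user</match>
    <options>alert_by_email</options>
    <description>Local: PAM session opened via sshd (mailed on every login).</description>
  </rule>

</group>
```

After saving the file, restart the server with `/var/ossec/bin/ossec-control restart` (the path Max's install uses is /opt/ossec, so substitute accordingly) and paste the same pam_unix line into ossec-logtest again; Phase 3 should now report rule id 100100 at level 7 instead of 5501 at level 3. If the requirement is only a login notification rather than one per session, dan's other suggestion of overwriting the existing rule with overwrite="yes" and a raised level is the alternative to a child rule like this one.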