Hi!

I'm following the example in the OSSEC book, and page 122 gives an
example of how to configure an alert for successful and failed ssh
logins.  In my 'local_rules.xml' file, I have this...


<group name="syslog,sshd,">
        <rule id="100123" level="2">
                <decoded_as>sshd</decoded_as>
                <description>Logging all decoded sshd messages</description>
        </rule>
        <rule id="100124" level="7">
                <if_sid>100123</if_sid>
                <match>^Failed password</match>
                <group>authentication_failure</group>
                <description>Failed SSHD password attempt</description>
                <options>alert_by_email</options>
        </rule>
        <rule id="100125" level="3">
                <if_sid>100123</if_sid>
                <match>^Accepted password</match>
                <group>authentication_success</group>
                <description>Successful SSHD password attempt</description>
                <options>alert_by_email</options>
        </rule>
</group>


However, I still can't get alert 100125 to show up in the alerts
file.  The ossec.log does not give any help or say there are any
errors.

Does anybody have any ideas on why an alert isn't getting generated?

Thanks!
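An offline emulation of the rule chain from the post above (an added example, not OSSEC's own code and not from the poster): it mimics only the decoded_as, if_sid and match behaviour, with the syslog header regex and the sample log lines constructed here, and shows that `^Accepted password` only fires for password logins, so a key-based login stops at 100123.

```python
import re
import xml.etree.ElementTree as ET
LOCAL_RULES = """<group name="syslog,sshd,"><!-- poster's chain, descriptions/options trimmed -->
  <rule id="100123" level="2"><decoded_as>sshd</decoded_as></rule>
  <rule id="100124" level="7">
    <if_sid>100123</if_sid><match>^Failed password</match>
  </rule>
  <rule id="100125" level="3">
    <if_sid>100123</if_sid><match>^Accepted password</match>
  </rule>
</group>"""

# Constructed sshd/cron lines for the demo (not captured from a real host).
SAMPLE_LINES = [
    "Jan 10 12:00:00 host sshd[1234]: Accepted password for bob from 192.0.2.5 port 4242 ssh2",
    "Jan 10 12:00:01 host sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 5000 ssh2",
    "Jan 10 12:00:02 host sshd[1236]: Accepted publickey for bob from 192.0.2.5 port 4243 ssh2",
    "Jan 10 12:00:03 host cron[7]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Syslog header "Mon DD HH:MM:SS host program[pid]: ". OSSEC tests <match>
# against what remains after this header, so "^" anchors at the message.
SYSLOG_HEADER = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ([^\s\[:]+)(?:\[\d+\])?: ")

def load_rules(xml_text):
    """Flatten <rule> elements into dicts with just the fields emulated here."""
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "decoded_as": r.findtext("decoded_as"),
             "if_sid": r.findtext("if_sid"), "match": r.findtext("match")}
            for r in ET.fromstring(xml_text).iter("rule")]

def ossec_match(pattern, text):
    """OSSEC <match> is a substring test; only its leading ^ anchor is emulated."""
    return text.startswith(pattern[1:]) if pattern.startswith("^") else pattern in text

def classify(line, rules):
    """Return (rule_id, level) the line ends on, or None if no decoded_as parent applies."""
    hdr = SYSLOG_HEADER.match(line)
    if not hdr:
        return None
    program, msg = hdr.group(1), line[hdr.end():]
    parents = [r for r in rules if r["decoded_as"] == program and not r["if_sid"]]
    if not parents:
        return None
    # Children of the parent are tried in file order; first <match> hit wins.
    for r in rules:
        if r["if_sid"] == parents[0]["id"] and r["match"] and ossec_match(r["match"], msg):
            return r["id"], r["level"]
    return parents[0]["id"], parents[0]["level"]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line, load_rules(LOCAL_RULES)), "<-", line[:60])
```

The authoritative check is to feed the same line to /var/ossec/bin/ossec-logtest, which prints the rule id and level OSSEC itself assigns.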
