Hi all, I have detected a strange problem with my daily reports. In all of them, only "root" is shown as a top Username, like this:

Report completed. ==
------------------------------------------------
->Processed alerts: 1695
->Post-filtering alerts: 1695
->First alert: 2012 Apr 19 00:01:32
->Last alert: 2012 Apr 19 09:50:19

Top entries for 'Source ip':
------------------------------------------------
192.168.1.12 |364 |
192.168.46.11 |182 |
192.168.88.11 |156 |
192.168.68.11 |136 |
192.168.38.15 |124 |

Top entries for 'Username':
------------------------------------------------
root |3 |

I have several rules that catch user and dstuser ... Why are these not shown in reports? What fields or options does ossec-reportd use to display Top entries for 'Username'?
