Oh, I thought it was a daily report. What did you run exactly?
On Thu, Apr 19, 2012 at 9:13 AM, C. L. Martinez <[email protected]> wrote: > My previous example is running report manually ... > > > On Thu, Apr 19, 2012 at 3:02 PM, dan (ddp) <[email protected]> wrote: >> What happens if you run the report manually? >> >> On Thu, Apr 19, 2012 at 3:59 AM, C. L. Martinez <[email protected]> wrote: >>> Hi all, >>> >>> I have detected a strange problem with my daily reports. In all of >>> them, only "root" is showed as a top Username, like this: >>> >>> Report completed. == >>> ------------------------------------------------ >>> ->Processed alerts: 1695 >>> ->Post-filtering alerts: 1695 >>> ->First alert: 2012 Apr 19 00:01:32 >>> ->Last alert: 2012 Apr 19 09:50:19 >>> >>> >>> Top entries for 'Source ip': >>> ------------------------------------------------ >>> 192.168.1.12 |364 | >>> 192.168.46.11 |182 | >>> 192.168.88.11 |156 | >>> 192.168.68.11 |136 | >>> 192.168.38.15 |124 | >>> >>> Top entries for 'Username': >>> ------------------------------------------------ >>> root |3 | >>> >>> I have several rules that catch user and dstuser ... Why these are >>> not showed in reports?? What fields or options uses ossec-reportd to >>> display Top entries for 'Username'??
