cat /data/ossec/logs/alerts/alerts.log | /data/ossec/bin/ossec-reportd

On Thu, Apr 19, 2012 at 3:35 PM, dan (ddp) <[email protected]> wrote:
> Oh, I thought it was a daily report. What did you run exactly?
>
> On Thu, Apr 19, 2012 at 9:13 AM, C. L. Martinez <[email protected]> wrote:
>> My previous example is running report manually ...
>>
>>
>> On Thu, Apr 19, 2012 at 3:02 PM, dan (ddp) <[email protected]> wrote:
>>> What happens if you run the report manually?
>>>
>>> On Thu, Apr 19, 2012 at 3:59 AM, C. L. Martinez <[email protected]>
>>> wrote:
>>>> Hi all,
>>>>
>>>> I have detected a strange problem with my daily reports. In all of
>>>> them, only "root" is shown as a top Username, like this:
>>>>
>>>> Report completed. ==
>>>> ------------------------------------------------
>>>> ->Processed alerts: 1695
>>>> ->Post-filtering alerts: 1695
>>>> ->First alert: 2012 Apr 19 00:01:32
>>>> ->Last alert: 2012 Apr 19 09:50:19
>>>>
>>>>
>>>> Top entries for 'Source ip':
>>>> ------------------------------------------------
>>>> 192.168.1.12 |364 |
>>>> 192.168.46.11 |182 |
>>>> 192.168.88.11 |156 |
>>>> 192.168.68.11 |136 |
>>>> 192.168.38.15 |124 |
>>>>
>>>> Top entries for 'Username':
>>>> ------------------------------------------------
>>>> root |3 |
>>>>
>>>> I have several rules that catch user and dstuser ... Why are these
>>>> not shown in reports?? What fields or options does ossec-reportd use to
>>>> display Top entries for 'Username'??
