Thanks Dan. I have found the problem: decoders. In some of them I have
used "srcuser" in the order option. When I use ossec-logtest to check
rules, it sometimes shows me a dstuser and other times a srcuser.
After changing to "user" in all decoders, the reports are OK.


On Thu, Apr 19, 2012 at 6:07 PM, dan (ddp) <[email protected]> wrote:
> It works for me. Did you check to make sure the User field was
> populated with something other than root in your logs?
>
> On Thu, Apr 19, 2012 at 10:17 AM, C. L. Martinez <[email protected]> wrote:
>> cat /data/ossec/logs/alerts/alerts.log | /data/ossec/bin/ossec-reportd
>>
>> On Thu, Apr 19, 2012 at 3:35 PM, dan (ddp) <[email protected]> wrote:
>>> Oh, I thought it was a daily report. What did you run exactly?
>>>
>>> On Thu, Apr 19, 2012 at 9:13 AM, C. L. Martinez <[email protected]> wrote:
>>>> My previous example is from running the report manually ...
>>>>
>>>>
>>>> On Thu, Apr 19, 2012 at 3:02 PM, dan (ddp) <[email protected]> wrote:
>>>>> What happens if you run the report manually?
>>>>>
>>>>> On Thu, Apr 19, 2012 at 3:59 AM, C. L. Martinez <[email protected]> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>>  I have detected a strange problem with my daily reports. In all of
>>>>>> them, only "root" is shown as a top Username, like this:
>>>>>>
>>>>>>  Report completed. ==
>>>>>> ------------------------------------------------
>>>>>> ->Processed alerts: 1695
>>>>>> ->Post-filtering alerts: 1695
>>>>>> ->First alert: 2012 Apr 19 00:01:32
>>>>>> ->Last alert: 2012 Apr 19 09:50:19
>>>>>>
>>>>>>
>>>>>> Top entries for 'Source ip':
>>>>>> ------------------------------------------------
>>>>>> 192.168.1.12                                    |364     |
>>>>>> 192.168.46.11                                   |182     |
>>>>>> 192.168.88.11                                   |156     |
>>>>>> 192.168.68.11                                   |136     |
>>>>>> 192.168.38.15                                   |124     |
>>>>>>
>>>>>> Top entries for 'Username':
>>>>>> ------------------------------------------------
>>>>>> root                                            |3       |
>>>>>>
>>>>>>  I have several rules that catch user and dstuser ... Why are these
>>>>>> not shown in reports? What fields or options does ossec-reportd use to
>>>>>> display Top entries for 'Username'?
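
A check for the cause reported at the top of this thread, added here as an example (not code from the thread or from the OSSEC project): it lists which user-type field each decoder names in its order option, so decoders that still use "srcuser" can be found and reviewed. The decoder names and text in SAMPLE are constructed, and the script assumes the usual <decoder name="..."> ... <order>...</order> layout of OSSEC decoder files.

```python
import re
import sys

# Constructed sample in OSSEC decoder syntax (not taken from the thread).
SAMPLE = r'''
<decoder name="app-login">
  <prematch>^app-login: </prematch>
  <regex offset="after_prematch">^user=(\S+) from=(\S+)</regex>
  <order>srcuser, srcip</order>
</decoder>

<decoder name="app-sudo">
  <prematch>^app-sudo: </prematch>
  <regex offset="after_prematch">^(\S+) ran a command from (\S+)</regex>
  <order>user, srcip</order>
</decoder>

<!-- <decoder name="old"><order>srcuser</order></decoder> -->
'''

# Decoder files are not single-root XML, so they are scanned with regexes.
DECODER_RE = re.compile(r'<decoder\s+name="([^"]+)"[^>]*>(.*?)</decoder>', re.S)
ORDER_RE = re.compile(r'<order>(.*?)</order>', re.S)
COMMENT_RE = re.compile(r'<!--.*?-->', re.S)
USER_FIELDS = {"user", "srcuser", "dstuser"}

def user_fields_by_decoder(text):
    """Return [(decoder_name, field)] for each user-type field in <order>."""
    found = []
    # Commented-out decoders are ignored.
    for name, body in DECODER_RE.findall(COMMENT_RE.sub("", text)):
        for order in ORDER_RE.findall(body):
            for field in (f.strip().lower() for f in order.split(",")):
                if field in USER_FIELDS:
                    found.append((name, field))
    return found

def srcuser_decoders(text):
    """Decoders to review: those whose order option names srcuser."""
    return sorted({n for n, f in user_fields_by_decoder(text) if f == "srcuser"})

if __name__ == "__main__":
    # Pass decoder files as arguments; with none, the constructed sample is used.
    paths = sys.argv[1:]
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in paths] or [SAMPLE]
    for text in texts:
        for name, field in user_fields_by_decoder(text):
            print(f"{name}: {field}")
        print("uses srcuser:", srcuser_decoders(text))
```

After changing a decoder, ossec-logtest (as used in the thread) shows which user field a sample log line now populates.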
