Thanks Dan. I have found the problem: decoders. In some of them I have used "srcuser" in the order option. When I use ossec-logtest to check rules, it sometimes shows the user as a dstuser and other times as a srcuser. After changing to "user" in all decoders, the reports are OK.
On Thu, Apr 19, 2012 at 6:07 PM, dan (ddp) <[email protected]> wrote:
> It works for me. Did you check to make sure the User field was
> populated with something other than root in your logs?
>
> On Thu, Apr 19, 2012 at 10:17 AM, C. L. Martinez <[email protected]> wrote:
>> cat /data/ossec/logs/alerts/alerts.log | /data/ossec/bin/ossec-reportd
>>
>> On Thu, Apr 19, 2012 at 3:35 PM, dan (ddp) <[email protected]> wrote:
>>> Oh, I thought it was a daily report. What did you run exactly?
>>>
>>> On Thu, Apr 19, 2012 at 9:13 AM, C. L. Martinez <[email protected]> wrote:
>>>> My previous example is running the report manually ...
>>>>
>>>> On Thu, Apr 19, 2012 at 3:02 PM, dan (ddp) <[email protected]> wrote:
>>>>> What happens if you run the report manually?
>>>>>
>>>>> On Thu, Apr 19, 2012 at 3:59 AM, C. L. Martinez <[email protected]> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I have detected a strange problem with my daily reports. In all of
>>>>>> them, only "root" is shown as a top Username, like this:
>>>>>>
>>>>>> Report completed. ==
>>>>>> ------------------------------------------------
>>>>>> ->Processed alerts: 1695
>>>>>> ->Post-filtering alerts: 1695
>>>>>> ->First alert: 2012 Apr 19 00:01:32
>>>>>> ->Last alert: 2012 Apr 19 09:50:19
>>>>>>
>>>>>>
>>>>>> Top entries for 'Source ip':
>>>>>> ------------------------------------------------
>>>>>> 192.168.1.12 |364 |
>>>>>> 192.168.46.11 |182 |
>>>>>> 192.168.88.11 |156 |
>>>>>> 192.168.68.11 |136 |
>>>>>> 192.168.38.15 |124 |
>>>>>>
>>>>>> Top entries for 'Username':
>>>>>> ------------------------------------------------
>>>>>> root |3 |
>>>>>>
>>>>>> I have several rules that catch user and dstuser ... Why are these
>>>>>> not shown in the reports? What fields or options does ossec-reportd
>>>>>> use to display Top entries for 'Username'?
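The following is an added example, not code from the OSSEC project and not part of the thread above. It is a toy model of the mechanism the thread lands on: a decoder whose <order> names "srcuser" captures the login name into a field that never reaches the "User:" line of alerts.log, so ossec-reportd (which reads alerts.log) has nothing to count under 'Username', while "user" (or "dstuser") does. The mapping of order keywords to alert fields, the alerts.log layout, the rule number, the decoder regex and the sshd log lines are all assumptions constructed for the example; check them against your own decoders with ossec-logtest.

```python
"""
Added example (not code from the OSSEC project or from this thread): a toy
model of why a decoder whose <order> names "srcuser" does not feed the
"Top entries for 'Username'" table of ossec-reportd, while "user" does.

Assumptions (labelled): the <order> keywords "user" and "dstuser" fill the
same alert field, which analysisd writes to alerts.log as a "User: ..." line;
"srcuser" fills a separate field that alerts.log does not print; and
ossec-reportd builds its Username table from those "User:" lines.
"""
import re
from collections import Counter

# Assumed mapping of <order> keywords to the alert field they populate.
ORDER_TO_FIELD = {"user": "dstuser", "dstuser": "dstuser", "srcuser": "srcuser"}

# Constructed sshd lines; not taken from any real system.
SAMPLE_LOGS = [
    "Apr 19 00:01:31 host sshd[1201]: Accepted password for alice from 192.168.1.12 port 51234 ssh2",
    "Apr 19 00:02:10 host sshd[1207]: Accepted publickey for root from 192.168.46.11 port 40022 ssh2",
    "Apr 19 00:03:45 host sshd[1215]: Accepted password for alice from 192.168.1.12 port 51240 ssh2",
]

# Hypothetical decoder regex: first group is the login name, second the peer IP.
SSHD_REGEX = r"Accepted \S+ for (\S+) from (\S+) port \d+"


def decode(order, regex, log_line):
    """Apply a minimal decoder: the i-th regex group goes to the i-th <order> keyword."""
    match = re.search(regex, log_line)
    if not match:
        return {}
    fields = {}
    for keyword, value in zip(order, match.groups()):
        fields[ORDER_TO_FIELD.get(keyword, keyword)] = value
    return fields


def format_alert(rule_id, level, description, fields, log_line):
    """Render one alerts.log entry; only dstuser is printed, as a 'User:' line."""
    lines = [
        "** Alert 1334793692.0: - syslog,sshd,authentication_success,",
        "2012 Apr 19 00:01:32 host->/var/log/auth.log",
        f"Rule: {rule_id} (level {level}) -> '{description}'",
    ]
    if "srcip" in fields:
        lines.append(f"Src IP: {fields['srcip']}")
    if "dstuser" in fields:
        lines.append(f"User: {fields['dstuser']}")
    lines.append(log_line)
    return "\n".join(lines) + "\n\n"


def top_usernames(alerts_log):
    """What the report's 'Username' table sees: one count per 'User:' line."""
    return Counter(re.findall(r"^User: (\S+)$", alerts_log, re.MULTILINE))


def report_with_order(order):
    """Decode the sample lines with the given <order>, write alerts, count usernames."""
    alerts_log = "".join(
        format_alert(5715, 3, "SSHD authentication success.",
                     decode(order, SSHD_REGEX, line), line)
        for line in SAMPLE_LOGS
    )
    return dict(top_usernames(alerts_log))


if __name__ == "__main__":
    # With srcuser the Username table stays empty; with user it is populated.
    print("order srcuser, srcip ->", report_with_order(["srcuser", "srcip"]))
    print("order user, srcip    ->", report_with_order(["user", "srcip"]))
```

Running it prints an empty table for the srcuser ordering and {'alice': 2, 'root': 1} for the user ordering, which is the symptom in the thread: a few root entries (from decoders that already used user/dstuser) and nothing from the rest. The practical check is the one Dan suggested, grep alerts.log for "User:" lines and see which decoders actually produce them.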
