Greetings,
I believe this is the thread that discusses the problem. 

https://groups.google.com/forum/#!searchin/ossec-list/wui/ossec-list/mUfhTsNUCkQ/6f5tb_-xqt8J

 
Regards,
Mike
 

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Dayco Telecom
Sent: Monday, June 18, 2012 3:53 PM
To: ossec-list
Subject: [ossec-list] Re: Error in message formating on OSSEC Wui

Hi Dan, I have been reading all the posts in the archives like you suggested, 
but I don't find the links you mentioned. The only post with the symptoms 
is the message with the ID:
CAMyQvMqSgODHH4qOOVcdUoC0V5baO7J_GiQxrSEEJs-_KXW4hg () mail ! gmail !
com from 2012-03-01 11:09:16
But you two are talking about a tool called "splunk" and not about the solution.

Can you be more specific about where the links, or even the solutions, are?


Thanks a lot...


Kind regards!


On 18 jun, 13:19, "dan (ddp)" <[email protected]> wrote:
> On Mon, Jun 18, 2012 at 1:12 PM, Dayco Telecom <[email protected]> wrote:
> > Hi OSSEC Community, I have an issue with a new 
> > installation of OSSEC 2.6. I have just installed and configured 
> > the server. This server is RHEL 6.2 compiled with MySQL and it's in 
> > the network 192.x.x.x and the agents are in the network 10.x.x.x with 2 
> > FW between them. The problem is that the WUI shows the messages in 
> > an incorrect format, i.e.:
>
> > 2012 Jun 15 16:43:38 Rule Id: 11 level: 4
> > Location: (oraclemanager) 172.28.67.242->WinEvtLog Src IP: 
> > mdaycohost Excessive number of events (above normal).
>
> > 2012 Jun 15 16:38:40 Rule Id: 5501 level: 3
> > Location: ossec->/var/log/secure
> > Src IP: 6:38:39 ossec su: pam_unix(su-l:session): session opened for 
> > user root by accdayco(uid=500) Login session opened.
> > ** Alert 1339794683.22885: mail - ossec,
> > 2012 Jun 15 16:41:23 ossec->ossec-monitord
> > Rule: 502 (level 3) -> 'Ossec server started.'
> > ossec: Ossec started.
> > 2012 Jun 15 16:35:01 Rule Id: 5501 level: 3
> > Location: ossec->/var/log/secure
> > Src IP: 6:35:00 ossec sshd[8458]: pam_unix(sshd:session): session 
> > opened for user accdayco by (uid=0) Login session opened.
> > ** Alert 1339794307.22371: - pam,syslog,authentication_success,
> > 2012 Jun 15 16:35:07 ossec->/var/log/secure
> > Rule: 5501 (level 3) -> 'Login session opened.'
> > Jun 15 16:35:06 ossec su: pam_unix(su-l:session): session opened for 
> > user root by accdayco(uid=500)
>
> > Can you help me?
>
> > Kind regards!
>
> >   Oscar D'Lima
> >   Especialista I | Coordinación de Mejora Continua de los  Servicios
> >   Tlf: +58 212 999.90.38 | +58 414 236.78.02
>
> >   Torre Dayco, Calle Londres, Urb. Las Mercedes,
> >   Caracas, Venezuela. ZP 1060-A
> >   Master +58 212 999.9100
>
> >   daycohost.com
>
> It's a known issue in the WUI 0.3 release. Some people have fixed it, 
> look in the archives for links.
