Yeah, it looks like you're using the 0.3 version. It's known to be broken. There are patches on the list. Use alerts.log.

On Jul 11, 2012 10:39 PM, "cosmaschi cristian" <[email protected]> wrote:
> Dan,
>
> Is this the type of alert you are looking for?
>
> Looks like it's still messed up.
>
> I just "updated" the web UI to make sure I have the latest version and the alerts are looking the same.
>
> 2012 Jul 11 22:29:01 Rule Id: 6212<http://www.ossec.net/wiki/index.php/Rule:6212>level: 10
> Location: (Hp22) 209.217.109.82->/var/log/messages
> Src IP: 2:28:41 hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in handle_request_register: Registration from '<sip:[email protected]:5060>' failed for '99.251.108.141:5060' - No matching peer found
> Login session failed (invalid extension). ** Alert 1342060143.22702224: - syslog,proftpd,connection_attempt,
> 2012 Jul 11 22:29:03 (Hp17) 209.xx.xx.xx->/var/log/messages
> Rule: 11201 (level 3) -> 'FTP session opened.'
> Src IP: 127.0.0.1
> Jul 11 22:28:44 h17 proftpd[3689]: 209.xx.xx.xx (localhost[127.0.0.1]) - FTP session opened.
>
> PS. I'm running the latest OSSEC version on server and agents.
>
> Thanks,
>
> On Wed, Jul 11, 2012 at 10:25 PM, cosmaschi cristian <[email protected]> wrote:
>
>> The Web UI version I'm using is 0.3
>>
>> On Wed, Jul 11, 2012 at 9:58 PM, Ivan Zenteno <[email protected]> wrote:
>>
>>> Dan,
>>>
>>> Ouch, you just killed me...
>>>
>>> Maybe Cristian doesn't know the netiquette in mail lists.
>>>
>>> Rules
>>>
>>> 2012/7/11 dan (ddp) <[email protected]>
>>>
>>>> On Jul 11, 2012 9:43 PM, "cosmaschi cristian" <[email protected]> wrote:
>>>> >
>>>> > I see that the rules are being processed, but when I check iptables to see if the host was blocked... nothing...
>>>> >
>>>> > It used to work until 2 days ago...
>>>> >
>>>>
>>>> What changed? What is your configuration? How did you check iptables? Anything in the active response log? Why didn't you include that info?
>>>>
>>>> >
>>>> > Results:
>>>> > Total alerts found: 424
>>>> >
>>>> > Alert list
>>>> > 2012 Jul 11 20:56:00 Rule Id: 6212 level: 10
>>>> > Location: (Hp22) 209.217.109.82->/var/log/messages
>>>> > Src IP: 0:55:41 hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in handle_request_register: Registration from '<sip:[email protected]:5060>' failed for '99.251.108.141:5060' - No matching peer found
>>>> > Login session failed (invalid extension). ** Alert 1342054561.21049945: - syslog,asterisk,
>>>> >
>>>>
>>>> It looks like you're using the broken web ui. Stop that. Either fix it or don't use it, and definitely give me an un-messed up alert.
>>>>
>>>> >
>>>> > On Wed, Jul 11, 2012 at 9:33 PM, dan (ddp) <[email protected]> wrote:
>>>> >>
>>>> >> On Jul 11, 2012 9:31 PM, "cosmaschi cristian" <[email protected]> wrote:
>>>> >> >
>>>> >> > Hello,
>>>> >> >
>>>> >> > I'm trying to debug on OSSEC, following
>>>> >> > http://www.ossec.net/doc/faq/unexpected.html
>>>> >> >
>>>> >> > example: If you have logs similar to the following in /var/ossec/queue/ossec/queue:
>>>> >> >
>>>> >> > when I run
>>>> >> >
>>>> >> > tail -f /var/ossec/queue/ossec/queue
>>>> >> >
>>>> >>
>>>> >> That page does not tell you to do that. It probably wants you to tail the logfile:
>>>> >> `tail -f /var/ossec/logs/ossec.log`
>>>> >>
>>>> >> > I get
>>>> >> >
>>>> >> > tail: cannot open `/var/ossec/queue/ossec/queue' for reading: No such device or address
>>>> >> > tail: no files remaining
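Since the thread points at alerts.log as the authoritative record (the web UI output above interleaves fields from neighbouring alerts, which is why it is unusable for diagnosing the missing active response), here is an added example, not code from the thread or from the OSSEC project, that parses alerts.log entries in the layout quoted above and filters them by level. The sample text is constructed: the proftpd entry is the intact alert from the thread, while the asterisk entry is assembled from the fields the mangled output showed, with its `Src IP` taken from the log line as an assumption. The level threshold of 6 is only a parameter, not a claim about any default configuration.

```python
"""Parse OSSEC alerts.log entries and filter them by level.

Added example; not part of the mailing-list thread or of OSSEC itself.
SAMPLE_ALERTS is constructed to mirror the alerts.log layout quoted in the
thread; the asterisk entry's Src IP is an assumption taken from the log line.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_ALERTS = """\
** Alert 1342054561.21049945: - syslog,asterisk,
2012 Jul 11 20:56:00 (Hp22) 209.217.109.82->/var/log/messages
Rule: 6212 (level 10) -> 'Login session failed (invalid extension).'
Src IP: 99.251.108.141
Jul 11 20:55:41 hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in handle_request_register: Registration from '<sip:[email protected]:5060>' failed for '99.251.108.141:5060' - No matching peer found

** Alert 1342060143.22702224: - syslog,proftpd,connection_attempt,
2012 Jul 11 22:29:03 (Hp17) 209.xx.xx.xx->/var/log/messages
Rule: 11201 (level 3) -> 'FTP session opened.'
Src IP: 127.0.0.1
Jul 11 22:28:44 h17 proftpd[3689]: 209.xx.xx.xx (localhost[127.0.0.1]) - FTP session opened.
"""

# One pattern per alerts.log line type. The header may carry flags such as
# "mail" between the alert id and the group list, hence the lazy middle group.
HEADER = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):(?P<flags>.*?)- (?P<groups>\S+)$")
LOCATION = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]*)\) (?P<agent_ip>\S+?)->)?(?P<location>.*)$"
)
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRC_IP = re.compile(r"^Src IP: (?P<ip>\S*)$")
USER = re.compile(r"^User: (?P<user>.*)$")


@dataclass
class Alert:
    alert_id: str
    groups: List[str]
    timestamp: str = ""
    agent: Optional[str] = None      # None for alerts generated on the server itself
    agent_ip: Optional[str] = None
    location: str = ""
    rule_id: int = 0
    level: int = 0
    description: str = ""
    src_ip: Optional[str] = None
    user: Optional[str] = None
    log: List[str] = field(default_factory=list)  # raw event lines that fired the rule


def parse_alerts(text: str) -> List[Alert]:
    """Walk alerts.log line by line; every '** Alert' header starts a new record."""
    alerts: List[Alert] = []
    cur: Optional[Alert] = None
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER.match(line)
        if m:
            cur = Alert(alert_id=m["id"], groups=[g for g in m["groups"].split(",") if g])
            alerts.append(cur)
            continue
        if cur is None or not line:
            continue  # blank separator, or text before the first header
        # Metadata lines arrive in a fixed order; once log lines start, the
        # remainder of the record is the raw event, even if it looks like metadata.
        if not cur.timestamp and (m := LOCATION.match(line)):
            cur.timestamp, cur.agent, cur.agent_ip = m["ts"], m["agent"], m["agent_ip"]
            cur.location = m["location"]
        elif not cur.rule_id and (m := RULE.match(line)):
            cur.rule_id, cur.level, cur.description = int(m["rule"]), int(m["level"]), m["desc"]
        elif not cur.log and (m := SRC_IP.match(line)):
            cur.src_ip = m["ip"] or None
        elif not cur.log and (m := USER.match(line)):
            cur.user = m["user"]
        else:
            cur.log.append(line)
    return alerts


def alerts_at_or_above(alerts: List[Alert], level: int) -> List[Alert]:
    """Alerts meeting a level threshold, e.g. the level an active response is bound to."""
    return [a for a in alerts if a.level >= level]


def malformed(alerts: List[Alert]) -> List[Alert]:
    """Records missing a timestamp or rule line: a sign the input was not real alerts.log."""
    return [a for a in alerts if not a.timestamp or not a.rule_id]


def count_by_rule(alerts: List[Alert]) -> Dict[int, int]:
    counts: Dict[int, int] = {}
    for a in alerts:
        counts[a.rule_id] = counts.get(a.rule_id, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in alerts_at_or_above(parsed, 6):
        print(f"{a.timestamp} rule {a.rule_id} (level {a.level}) agent={a.agent} "
              f"src={a.src_ip}: {a.description}")
```

Run it against a copy of `/var/ossec/logs/alerts/alerts.log` by replacing `SAMPLE_ALERTS` with the file contents; `malformed()` returning anything is a quick way to confirm whether you are looking at the real log or at output that has been reshuffled on the way to you, which is the distinction the reply above insists on.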
