Oh, ok. I don't use the WUI.
What about the important part of my response?

On Thu, Jul 26, 2012 at 2:12 PM, William Lindfors
<[email protected]> wrote:
>
> Here is a screen capture of what I'm talking about. Thx.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Thursday, July 26, 2012 1:08 PM
> To: [email protected]
> Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server?
> All agents inactive, what gives?
>
> On Thu, Jul 26, 2012 at 12:56 PM, William Lindfors
> <[email protected]> wrote:
>
> > How do I get all the agents back online?  I stopped and started the
> > service, but they all remain red and I am getting the following message:
>
> Red? What are you seeing red in?
>
> > 2012 Jul 26 12:42:25 Rule Id: 5701 level: 8
> > Location: profim01->/var/log/secure
> > Src IP: UNKNOWN
> > Possible attack on the ssh server (or version gathering).
>
> This looks unrelated. There should be a log message that goes with that.
>
> Check the ossec.log on the manager and the agents to see if there are any
> log messages about why they are disconnected. Double check with
> `/var/ossec/bin/list_agents -c` that they are disconnected. Have all of your
> agents been connected at some point?
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > On Behalf Of dan (ddp)
> > Sent: Thursday, July 26, 2012 9:02 AM
> > To: [email protected]
> > Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH
> > server? All agents inactive, what gives?
> >
> > On Thu, Jul 26, 2012 at 12:55 AM, William Lindfors
> > <[email protected]> wrote:
> >>
> >> Latest events
> >>
> >> 2012 Jul 26 00:47:01 Rule Id: 5701 level: 8
> >> Location: profim01->/var/log/secure
> >> Src IP: UNKNOWN
> >> Possible attack on the ssh server (or version gathering).
> >
> > What's the question exactly?
