Hi all,

There is a problem: when different hosts produce different logs, OSSEC can associate them with each other and produce false positives!

For example:

OSSEC HIDS Notification.
2013 May 13 18:39:12

Received From: l-logbackup1->/var/log/secure
Rule: 40112 fired (level 12) -> "Multiple authentication failures followed by a success."
Portion of the log(s):

May 13 18:39:10 l-logbackup1.ops.cn1.qunar.com sshd[5578]: Accepted publickey for robert from 192.168.0.59 port 31495 ssh2

--END OF NOTIFICATION

OSSEC HIDS Notification.
2013 May 13 18:39:12

Received From: l-interdb3->/var/log/secure
Rule: 40501 fired (level 15) -> "Attacks followed by the addition of an user."
Portion of the log(s):

May 13 18:39:12 l-interdb3 useradd[16574]: new user: name=bob, UID=40025, GID=1002, home=/home/bob, shell=/bin/bash
May 13 18:39:10 l-logbackup1 sshd[5578]: Accepted publickey for robert from 192.168.0.59 port 31495 ssh2
May 13 18:39:10 l-logbackup1 sshd[5578]: Accepted publickey for robert from 192.168.0.59 port 31495 ssh2

--END OF NOTIFICATION

I don't know why l-logbackup1's log is put together with l-interdb3's. I have a syslog server collecting all the logs using rsyslog.

Thanks & best regards
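The following is an added illustration, not code from the post or from OSSEC: it shows what happens when a "failures followed by success" / "attack followed by useradd" chain is evaluated over a single merged syslog feed without keying the chain on the originating host, versus keying it per host. It assumes that lack of host keying is the cause of the cross-host association seen above; the preceding authentication failures and the 10.0.0.7 address are constructed, and the timeframe window is ignored for brevity.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two notifications in the post. The three
# failures against l-interdb3 are an assumption; only the last two lines are
# taken from the post.
SAMPLE_LOG = """\
May 13 18:38:50 l-interdb3 sshd[16500]: Failed password for invalid user admin from 10.0.0.7 port 4000 ssh2
May 13 18:38:52 l-interdb3 sshd[16500]: Failed password for invalid user admin from 10.0.0.7 port 4000 ssh2
May 13 18:38:54 l-interdb3 sshd[16500]: Failed password for invalid user admin from 10.0.0.7 port 4000 ssh2
May 13 18:39:10 l-logbackup1 sshd[5578]: Accepted publickey for robert from 192.168.0.59 port 31495 ssh2
May 13 18:39:12 l-interdb3 useradd[16574]: new user: name=bob, UID=40025, GID=1002, home=/home/bob, shell=/bin/bash
"""

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[(\d+)\]: (.*)$")

def parse(log_text):
    """Yield dicts with host, program and an event kind for each syslog line."""
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        _, host, prog, _, msg = m.groups()
        if prog == "sshd" and msg.startswith("Failed password"):
            kind = "auth_fail"
        elif prog == "sshd" and msg.startswith("Accepted "):
            kind = "auth_ok"
        elif prog == "useradd" and msg.startswith("new user:"):
            kind = "adduser"
        else:
            kind = "other"
        yield {"host": host, "kind": kind}

def correlate(log_text, key_by_host, threshold=3):
    """Return (rule, host) alerts; the chain state is keyed per host or globally."""
    fails = defaultdict(int)   # key -> failures seen since the last success
    attacked = set()           # keys that have already produced an attack event
    alerts = []
    for ev in parse(log_text):
        key = ev["host"] if key_by_host else "ALL"
        if ev["kind"] == "auth_fail":
            fails[key] += 1
            if fails[key] >= threshold:
                attacked.add(key)          # brute-force burst counts as an attack
        elif ev["kind"] == "auth_ok":
            if fails[key] >= threshold:
                alerts.append(("40112", ev["host"]))  # failures then success
                attacked.add(key)
            fails[key] = 0
        elif ev["kind"] == "adduser" and key in attacked:
            alerts.append(("40501", ev["host"]))      # attack then useradd
    return alerts
```

With one global key the success on l-logbackup1 inherits l-interdb3's failures and fires 40112 on the wrong host; keyed per host only the genuine 40501 on l-interdb3 remains.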
