Do you have any active responses configured that would trigger (i.e. an unconditional active response for alerts level 7 or higher that is now active since you bumped 5715 to level 7)?
On 8/30/2013 11:07 AM, sandeep dubey wrote:
Forgot to mention that DNS has no issue at all.

On Aug 30, 2013 9:36 PM, "sandeep dubey" <[email protected]> wrote:

Thanks for the reply dan. This issue was observed on both server and all agents.

On Aug 30, 2013 9:30 PM, "dan (ddp)" <[email protected]> wrote:

On Fri, Aug 30, 2013 at 3:41 AM, sandeep dubey <[email protected]> wrote:
> Hi All,
>
> Recently, I faced a strange issue with my setup, where ssh login was taking
> around 11-12 min for each attempt. I segregated this issue in two parts -
>
> 1. I was able to login to system using ssh, but not able to perform any
> single command on terminal. But after 10-15 min, it becomes normal and able
> to do all the tasks.
>
> 2. Server was throwing "Connection Timeout" error, or it accepts the
> key/password on target server (as per auth.log) but session was given after
> 10-15 min.
>
> All the above issues were solved by making one recent change in OSSEC, and that is
> disabling the ssh rule id 5715.
>
> What I did with OSSEC earlier?
> I wanted to log the successful ssh attempt so I changed the level for rule
> 5715 to 7 from 3 and restarted ossec service. It worked as expected, but
> after a couple of hours I started facing the above issue.
>
> My setup details -
> Host OS = Ubuntu 10.04
> OSSEC = 2.7
> Server / Client setup
> AR enabled.
> AWS EC2 instances

Was this problem seen on the server or an agent? Was DNS working properly?

> I have two questions -
>
> 1. I didn't understand how this change affects the SSH login.
>

Neither do I.

> 2. Is there a way that I can get alerts at a specific level but can log all
> levels starting from level 3?
> For example - I want to get email alerts at above level 7, but log all
> alerts starting from level 3.
>

Yes, configure ossec to email level 7, and log level 3.
http://www.ossec.net/doc/syntax/head_ossec_config.alerts.html#element-alerts

> Thanks
> Sandeep
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
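One way to answer the question at the top of this reply, as an added example that is not part of the thread or of OSSEC itself: the script reads an ossec.conf and lists the active responses that an alert with a given rule id and level would trigger. The sample configuration is constructed, only `<level>` and `<rules_id>` are evaluated, and treating them as alternatives is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf (not taken from the thread). Real files may
# hold several <ossec_config> blocks, so the text is wrapped in one root.
SAMPLE_CONF = """
<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712, 5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

def responses_for(conf_text, rule_id, level):
    """Return (command, location, reason) for each active response that an
    alert with this rule id and level would trigger."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    hits = []
    for ar in root.iter("active-response"):
        cmd = (ar.findtext("command") or "").strip()
        loc = (ar.findtext("location") or "").strip()
        min_level = int((ar.findtext("level") or "0").strip() or 0)
        ids = re.findall(r"\d+", ar.findtext("rules_id") or "")
        # Assumption: the conditions are alternatives; any one match fires.
        if min_level and level >= min_level:
            hits.append((cmd, loc, "level >= %d" % min_level))
        elif str(rule_id) in ids:
            hits.append((cmd, loc, "rules_id"))
    return hits

if __name__ == "__main__":
    for lvl in (3, 7):  # rule 5715 before and after the level change
        print(lvl, responses_for(SAMPLE_CONF, 5715, lvl))
```

Run against the manager's and each agent's real configuration, with the rule id and new level from local_rules.xml, before restarting OSSEC after a level change.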
