Yes, active responses are enabled, but I haven't configured any myself. What I am using is the default installation. I made some basic changes like adding more log files to be monitored; the rest is all the default setup.

On Fri, Aug 30, 2013 at 11:23 PM, Ryan Schulze <[email protected]> wrote:

> Do you have any active responses configured that would trigger (i.e. an
> unconditional active response for alerts level 7 or higher that is now
> active since you bumped 5715 to level 7)?
>
> On 8/30/2013 11:07 AM, sandeep dubey wrote:
>
> Forgot to mention that DNS has no issue at all.
> On Aug 30, 2013 9:36 PM, "sandeep dubey" <[email protected]> wrote:
>
>> Thanks for the reply dan.
>> This issue was observed on both server and all agents.
>> On Aug 30, 2013 9:30 PM, "dan (ddp)" <[email protected]> wrote:
>>
>>> On Fri, Aug 30, 2013 at 3:41 AM, sandeep dubey <[email protected]> wrote:
>>> > Hi All,
>>> >
>>> > Recently, I faced a strange issue with my setup, where ssh login was taking
>>> > around 11-12 min for each attempt. I segregated this issue in two parts -
>>> >
>>> > 1. I was able to login to system using ssh, but not able to perform any
>>> > single command on terminal. But after 10-15 min, it becomes normal and able
>>> > to do all the tasks.
>>> >
>>> > 2. Server was throwing "Connection Timeout" error, or it accepts the
>>> > key/password on target server (as per auth.log) but session was given after
>>> > 10-15 min.
>>> >
>>> > All the above issues were solved by making one recent change in OSSEC, and that is
>>> > disabling the ssh rule id 5715.
>>> >
>>> > What I did with OSSEC earlier?
>>> > I wanted to log the successful ssh attempt so I changed the level for rule
>>> > 5715 to 7 from 3 and restarted ossec service. It worked as expected, but
>>> > after a couple of hours I started facing the above issue.
>>> >
>>> > My setup details -
>>> > Host OS = Ubuntu 10.04
>>> > OSSEC = 2.7
>>> > Server / Client setup
>>> > AR enabled.
>>> > AWS EC2 instances
>>> >
>>>
>>> Was this problem seen on the server or an agent? Was DNS working properly?
>>>
>>> > I have two questions -
>>> >
>>> > 1. I didn't understand how this change affects the SSH login.
>>> >
>>>
>>> Neither do I.
>>>
>>> > 2. Is there a way that I can get alerts at a specific level but can log all
>>> > levels starting from level 3?
>>> > For example - I want to get email alerts at above level 7, but log all
>>> > alerts starting from level 3.
>>> >
>>>
>>> Yes, configure ossec to email level 7, and log level 3.
>>>
>>> http://www.ossec.net/doc/syntax/head_ossec_config.alerts.html#element-alerts
>>>
>>> > Thanks
>>> > Sandeep
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send an
>>> > email to [email protected].
>>> > For more options, visit https://groups.google.com/groups/opt_out.
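
An added example, not part of the original thread and not OSSEC's own code: a Python check for the question Ryan raises above, listing which `<active-response>` stanzas become eligible once rule 5715 is raised from level 3 to level 7. The `ossec.conf` fragment is a constructed sample, and the function name and the "any matching condition fires" logic are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of active-response stanzas (not taken from the poster's
# system); the level and timeout values are assumed for illustration.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>route-null</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

def triggered_responses(conf_xml, rule_id, rule_level):
    """Return [(command, timeout_seconds)] for stanzas this rule would trigger.

    Assumption: a stanza fires if the rule level is >= its <level>, or if the
    rule id is listed in its comma-separated <rules_id>.
    """
    hits = []
    for ar in ET.fromstring(conf_xml.strip()).iter("active-response"):
        if (ar.findtext("disabled") or "no").strip().lower() == "yes":
            continue  # stanza switched off
        level = ar.findtext("level")
        ids = {i.strip() for i in (ar.findtext("rules_id") or "").split(",")}
        by_level = level is not None and rule_level >= int(level)
        if by_level or str(rule_id) in ids:
            timeout = int(ar.findtext("timeout") or 0)
            hits.append((ar.findtext("command").strip(), timeout))
    return hits

if __name__ == "__main__":
    for lvl in (3, 7):  # rule 5715 before and after the level change
        print(lvl, triggered_responses(SAMPLE_CONF, 5715, lvl))
```

Running the same function over the real `ossec.conf` from the server and each agent shows whether a level-only stanza now covers successful-login alerts.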
