Thanks for the reply dan. This issue was observed on both server and all agents.

On Aug 30, 2013 9:30 PM, "dan (ddp)" <[email protected]> wrote:
> On Fri, Aug 30, 2013 at 3:41 AM, sandeep dubey <[email protected]> wrote:
> > Hi All,
> >
> > Recently, I faced a strange issue with my setup, where ssh login was taking
> > around 11-12 min for each attempt. I segregated this issue into two parts -
> >
> > 1. I was able to log in to the system using ssh, but not able to perform any
> > single command on the terminal. But after 10-15 min, it becomes normal and able
> > to do all the tasks.
> >
> > 2. Server was throwing "Connection Timeout" error, or it accepts the
> > key/password on target server (as per auth.log) but session was given after
> > 10-15 min.
> >
> > All the above issues were solved by making one recent change in OSSEC, and that is
> > disabling the ssh rule id 5715.
> >
> > What did I do with OSSEC earlier?
> > I wanted to log the successful ssh attempts, so I changed the level for rule
> > 5715 to 7 from 3 and restarted the ossec service. It worked as expected, but
> > after a couple of hours I started facing the above issue.
> >
> > My setup details -
> > Host OS = Ubuntu 10.04
> > OSSEC = 2.7
> > Server / Client setup
> > AR enabled.
> > AWS EC2 instances
> >
>
> Was this problem seen on the server or an agent? Was DNS working properly?
>
> > I have two questions -
> >
> > 1. I didn't understand how this change affects the SSH login.
> >
>
> Neither do I.
>
> > 2. Is there a way that I can get alerts at a specific level but can log all
> > levels starting from level 3?
> > For example - I want to get email alerts at above level 7, but log all
> > alerts starting from level 3.
> >
>
> Yes, configure ossec to email level 7, and log level 3.
> http://www.ossec.net/doc/syntax/head_ossec_config.alerts.html#element-alerts
>
> > Thanks
> > Sandeep
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
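
The threshold setup described in dan's reply (email from level 7, log from level 3), as an added example that is not part of the original thread. It assumes the `<alerts>` block of `ossec.conf` on the OSSEC server and leaves rule 5715 at the level 3 the thread says it had before the change:

```xml
<!-- ossec.conf on the OSSEC server (threshold values taken from the thread) -->
<ossec_config>
  <alerts>
    <!-- Minimum rule level written to the alert log. Rule 5715
         (successful ssh login, level 3) meets this threshold. -->
    <log_alert_level>3</log_alert_level>
    <!-- Minimum rule level that triggers an e-mail notification.
         Level 3 events such as 5715 are logged but not mailed. -->
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

With these thresholds, successful ssh logins reach the alert log without raising the level of rule 5715.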
