On 17.09.2013 08:04, Eric wrote:
> Thank you very much for your information. The logs are showing as
> coming from the correct source, but I didn't know if OSSEC was
> treating them correctly. Below is the main example that I've come
> across. This is also true for the Windows multiple failed logins. It's
> correlating 2 different servers and 2 different user names together
> and then in the final alert info, only shows the latest. Does this
> look right to you?

This is by design for alerts from composite rules. It would be better
if it just said something like "from multiple IPs" but this is the way
it currently works. If you want to be sure that it's seeing individual
log lines correctly then just copy and paste one of them from the alert
into ossec-logtest.
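
A simplified model of the behaviour discussed in this thread, added as an illustration; it is not OSSEC code and not part of the original messages. It shows a frequency/timeframe correlation whose alert carries only the last matching event's fields, and a helper that lists every distinct server and user behind the alert. The event tuples and the names `correlate` and `summarize` are constructed for this example.

```python
from collections import deque

# Constructed sample events, already decoded: (epoch_seconds, server, user)
EVENTS = [
    (0,  "srv-a", "alice"),
    (20, "srv-b", "bob"),
    (40, "srv-a", "alice"),
    (60, "srv-b", "bob"),
]

def correlate(events, frequency, timeframe, same_key=None):
    """Simplified model of a frequency/timeframe composite rule.

    same_key: optional function returning the value that must be equal
    across correlated events (analogous to a same-source constraint).
    Returns a list of alerts, each (latest_event, matched_events).
    """
    windows = {}   # correlation key -> events currently inside the window
    alerts = []
    for ev in sorted(events):
        key = same_key(ev) if same_key else None
        win = windows.setdefault(key, deque())
        win.append(ev)
        # Drop events that are older than the timeframe.
        while ev[0] - win[0][0] > timeframe:
            win.popleft()
        if len(win) >= frequency:
            # The alert is raised on the event that crossed the threshold.
            alerts.append((ev, list(win)))
            win.clear()
    return alerts

def summarize(alert):
    """Contrast the fields shown in the alert with all correlated values."""
    latest, matched = alert
    return {
        "shown_server": latest[1],
        "shown_user": latest[2],
        "all_servers": sorted({e[1] for e in matched}),
        "all_users": sorted({e[2] for e in matched}),
    }

if __name__ == "__main__":
    for alert in correlate(EVENTS, frequency=4, timeframe=240):
        print(summarize(alert))
```
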