Hello, I am using OSSEC in a server config with no actual agents. I am having Snare logs from my Windows servers sent to /var/log/remotesys.log and having OSSEC monitor that file to trip alerts. This works for the most part but I'm having a few issues. The main issue is on rules such as 40112 - Multiple authentication failures followed by a success. This works fine when I test it with local SSH on the box as the "Src IP" is parsed out and shown correctly when I'm reviewing the logs in OSSEC-wui. But on the Windows box, it isn't showing a Src IP section. I see Level, Rule ID, Location (server1's DNS name -> /var/log/remotesys.log), and user (192.168.10.10\administrator). I would think it could trip the "from same IP" correlation that rule 40112 needs from the location or first part of the user field, but it isn't working. Once I remove the from same IP part of the rule I can get it to trip on Windows events too. But I have to have that part since I will have hundreds of Windows servers sending logs to the same location.
Thanks for the help. Eric -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
