On Tue, Oct 1, 2013 at 2:58 PM, Eric <[email protected]> wrote: > Hello, > > I am using OSSEC in a server config with no actual agents. I am having Snare > logs from my Windows servers sent to /var/log/remotesys.log and having OSSEC > monitor that file to trip alerts. This works for the most part but I'm > having a few issues. The main issue is on rules such as 40112 - Multiple > authentication failures followed by a success. This works fine when I test > it with local SSH on the box as the "Src IP" is parsed out and shown > correctly when I'm reviewing the logs in OSSEC-wui. But on the Windows box, > it isn't showing a Src IP section. I see Level, Rule ID, Location (server1's > DNS name -> /var/log/remotesys.log), and user (192.168.10.10\administrator). > I would think it could trip the "from same IP" correlation that rule 40112 > needs from the location or first part of the user field, but it isn't > working. Once I remove the from same IP part of the rule I can get it to > trip on Windows events too. But I have to have that part since I will have > hundreds of Windows servers sending logs to the same location. > > Thanks for the help. > Eric >
Make sure a usable IP address is decoded. > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
