I am having somewhat of a similar issue. I have OSSEC 2.7.1 running on a server and one of the agents that I am monitoring is running a zimbra/postfix mail server.
There are two alerts that I am having issues with (Invalid Password and Account Lockout). I tested locking out an account with a rapid succession of invalid passwords, and OSSEC would generate an email for "Invalid Password" only. I could never get an "Account Lockout" alert. I tested the log file in logtest and it reports the alert that should be triggered. After reading the above post, I rebooted the server and I now have two scenarios:

1) If I quickly enter 5 incorrect passwords, it will only generate the "Account Lockout" alert (the log shows both invalid password and lockout).

2) If I enter one incorrect password, wait for the email alert (Invalid Password), then enter four additional incorrect passwords and wait for each email alert, OSSEC will generate an "Account Lockout" email alert.

Is this normal, or am I missing something in the configuration? Thanks for the help.

In the agent.conf file:

  <localfile>
    <log_format>syslog</log_format>
    <location>/opt/zimbra/log/mailbox.log</location>
  </localfile>

I have set up local_decoder.xml:

  <decoder name="zimbra">
    <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ WARN|INFO</prematch>
  </decoder>

  <decoder name="zimbra-invalid-password">
    <parent>zimbra</parent>
    <prematch offset="after_parent">invalid password$</prematch>
    <regex>[name=(\S+);oip=(\d+.\d+.\d+.\d+);\S+]</regex>
    <order>user, srcip</order>
  </decoder>

  <decoder name="zimbra-account-lockout">
    <parent>zimbra</parent>
    <prematch offset="after_parent">account lockout$</prematch>
    <regex>[name=(\S+);oip=(\d+.\d+.\d+.\d+);\S+]</regex>
    <order>user, srcip</order>
  </decoder>

and in local_rules.xml:

  <group name="syslog,local,">
    <rule id="100100" level="0">
      <decoded_as>zimbra</decoded_as>
      <description>Zimbra Messages Grouped</description>
    </rule>

    <rule id="100102" level="5">
      <options>alert_by_email</options>
      <if_sid>100100</if_sid>
      <match>invalid password$</match>
      <description>Invalid Password</description>
      <group>invalid_password,</group>
    </rule>

    <rule id="100105" level="5">
      <options>alert_by_email</options>
      <if_sid>100100</if_sid>
      <match>account lockout$</match>
      <description>account lockout</description>
      <group>account_lockout,</group>
    </rule>
  </group>

Sample log file from Zimbra:

  2013-12-04 22:56:34,900 INFO [qtp1545357780-13532:http://127.0.0.1:80/service/soap/AuthRequest] [[email protected];oip=10.XX.XX.XX;ua=zclient/8.0.5_GA_5839;] SoapEngine - handler exception: authentication failed for [XXX], invalid password
  2013-12-04 22:56:36,155 INFO [qtp1545357780-13532:http://127.0.0.1:80/service/soap/AuthRequest] [[email protected];oip=10.XX.XX.XX;ua=zclient/8.0.5_GA_5839;] SoapEngine - handler exception: authentication failed for [XXX], account lockout

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
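One way to confirm that the two Zimbra lines decode to separate events and hit separate rules, so that any missing email can be attributed to alert delivery rather than to decoding. This is an added example, not part of the post and not OSSEC's own code: it re-implements the parent/child decoder walk and the `$`-anchored `<match>` from the post with Python's `re`, which is only an approximation of OSSEC's os_regex, and the log lines and the `user@example.com` / `10.0.0.5` values are constructed placeholders for the redacted ones in the post.

```python
import re

# Constructed sample lines modelled on the mailbox.log excerpt in the post (values are placeholders)
PREFIX = "2013-12-04 22:56:34,900 INFO [qtp1545357780-13532:http://127.0.0.1:80/service/soap/AuthRequest] "
SAMPLE_LOGS = [
    PREFIX + "[name=user@example.com;oip=10.0.0.5;ua=zclient/8.0.5_GA_5839;] SoapEngine - "
    "handler exception: authentication failed for [user], invalid password",
    PREFIX + "[name=user@example.com;oip=10.0.0.5;ua=zclient/8.0.5_GA_5839;] SoapEngine - "
    "handler exception: authentication failed for [user], account lockout",
    PREFIX + "[name=user@example.com;oip=10.0.0.5;] SoapEngine - some unrelated mailbox message",
    "Dec  4 22:57:00 host sshd[123]: not a Zimbra line at all",
]

# Parent decoder "zimbra": timestamp followed by WARN or INFO (the post's prematch, rewritten for re)
PARENT_PREMATCH = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ (?:WARN|INFO)")
# Child decoders: prematch applied after the parent match, then user/srcip extraction
CHILDREN = {
    "zimbra-invalid-password": re.compile(r"invalid password$"),
    "zimbra-account-lockout": re.compile(r"account lockout$"),
}
FIELDS = re.compile(r"\[name=([^;\]]+);oip=(\d+\.\d+\.\d+\.\d+);")

# Rules from local_rules.xml as (sid, <match> suffix); 100100 is the level-0 grouping parent
RULES = [(100102, "invalid password"), (100105, "account lockout")]


def decode(line):
    """Return (decoder name, user, srcip), or None when the parent prematch fails."""
    m = PARENT_PREMATCH.match(line)
    if m is None:
        return None
    rest = line[m.end():]  # offset="after_parent": children only see text after the parent match
    for name, pre in CHILDREN.items():
        if pre.search(rest):
            f = FIELDS.search(rest)
            return (name, f.group(1) if f else None, f.group(2) if f else None)
    return ("zimbra", None, None)  # decoded by the parent only


def evaluate(line):
    """Return the single rule sid that would fire for the line, or None if it is not a Zimbra event."""
    if decode(line) is None:
        return None
    for sid, suffix in RULES:  # <match>...$</match> anchors the phrase to the end of the line
        if line.endswith(suffix):
            return sid
    return 100100


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(evaluate(line), decode(line))
```

If the lockout line decodes and returns 100105 here but no email arrives, the decoders and rules are not the place to look; compare against `ossec-logtest` output and the alert log for the same timestamps.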
