On 13 Aug 2014, at 11:25 am, Elias Lopez <[email protected]> wrote:
> I did some further investigation.
>
> I've just tried the same setup with 2.7.1 and it's the same problem. I was
> going to try putting export LANG="C" in /etc/init.d/ossec but saw it was
> already there. I tried en_AU.UTF-8 but it's still not working.
>
> I configured rsyslog on the client to send to rsyslog on the ossec server.
> Now ossec-server's /var/log/secure contains
>
> Aug 13 11:14:46 579806-db1 sshd[16479]: Accepted publickey for elias from
> xxx.xxx.xxx.xxx port 58687 ssh2
> Aug 13 11:14:46 579806-db1 sshd[16479]: pam_unix(sshd:session): session
> opened for user elias by (uid=0)
>
> The ossec server is checking its own files locally, so it then picks this up.
> The rule matches and an alert is fired.
>
> So it looks like it's something to do with the agent communication.
Ok, I finally understand what is going on.
The documentation says:
hostname
* Any hostname (decoded as the syslog hostname) or log file.
* Allowed: any OS_Match/sregex Syntax
This confused me because I thought it would always be the hostname as decoded
from the log file. When the incoming line comes from one of the agents, this is
not the case.
I used the custom_alert_output global option and sure enough, it looks
something like:
ELO TEST
Timestamp: '1407908461'
Hostname: '(db1) xxx.xxx.xxx.xxx ->/var/log/secure'
Rule Id: 100132
rule level: 3
rulecomment: PHC POLICY - Login to server
Aug 13 15:41:00 579806-db1 sshd[42409]: Accepted publickey for elias from
xxx.xxx.xxx.xxx port 61007 ssh2
At least now, I know which string to look for.
--
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
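An added illustration of the point in the message above, not code from the thread or from OSSEC itself: the alert "Hostname" field (the string a rule's hostname element is matched against) carries an agent location of the form "(agent) ip ->/path" for agent-forwarded lines, so a pattern written against the syslog hostname only fires for logs the server reads locally. The location regex, the constructed IP 192.0.2.10, and the use of a Python regex in place of OSSEC's OS_Match/sregex syntax are all assumptions.

```python
import re

# Format of the alert "Hostname" field for a line forwarded by an agent, as
# shown by custom_alert_output in the thread: "(agent_name) agent_ip ->/log".
# This regex is an assumption derived from that one sample, not OSSEC's code.
AGENT_LOCATION = re.compile(
    r"^\((?P<agent>[^)]+)\)\s+(?P<ip>[^\s>]+)\s*->(?P<logfile>.+)$"
)


def parse_location(value):
    """Split the alert Hostname field into agent name, IP and log file when it
    is an agent location; otherwise return the raw value (e.g. a syslog
    hostname decoded from a file the server reads locally)."""
    m = AGENT_LOCATION.match(value)
    if m:
        return {"source": "agent", "agent": m.group("agent"),
                "ip": m.group("ip"), "logfile": m.group("logfile")}
    return {"source": "other", "value": value}


def hostname_rule_matches(pattern, value):
    """Approximate a rule <hostname> check with a Python regex search.
    OSSEC's own OS_Match/sregex syntax differs; this only mirrors the idea
    that the pattern is applied to the whole Hostname field."""
    return re.search(pattern, value) is not None


# Constructed samples mirroring the two cases in the thread (IP is made up).
AGENT_LINE_LOCATION = "(db1) 192.0.2.10 ->/var/log/secure"
LOCAL_LINE_HOSTNAME = "579806-db1"  # assumed syslog hostname for the local case

if __name__ == "__main__":
    for v in (AGENT_LINE_LOCATION, LOCAL_LINE_HOSTNAME):
        print(v, "=>", parse_location(v))
    # A pattern written for the syslog hostname misses agent-forwarded lines.
    print(hostname_rule_matches("579806-db1", AGENT_LINE_LOCATION))  # False
    print(hostname_rule_matches("579806-db1", LOCAL_LINE_HOSTNAME))  # True
    # Matching on the agent name in the location string catches them.
    print(hostname_rule_matches(r"^\(db1\)", AGENT_LINE_LOCATION))  # True
```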