pam_rules.xml is set as:
<rule id="5500" level="0" noalert="1">
<decoded_as>pam</decoded_as>
<description>Grouping of the pam_unix rules.</description>
</rule>
<rule id="5501" level="3">
<if_sid>5500</if_sid>
<match>session opened for user </match>
<description>Login session opened.</description>
<group>authentication_success,</group>
</rule>
<rule id="5502" level="3">
<if_sid>5500</if_sid>
<match>session closed for user </match>
<description>Login session closed.</description>
</rule>
<rule id="5503" level="5">
<if_sid>5500</if_sid>
<match>authentication failure; logname=</match>
<description>User login failed.</description>
<group>authentication_failed,</group>
</rule>
What should be modified for rule 5503 to be included in local_rules.xml?
On Tuesday, May 26, 2015 at 6:34:38 AM UTC-7, Abdul Baqui wrote:
>
> Hi,
>
> I've this rule in local_rules.xml,
>
> <rule id="5551" level="5" frequency="6" timeframe="180" overwrite="yes">
>
> <options>alert_by_email</options>
>
> <if_matched_sid>5503</if_matched_sid>
>
> <same_source_ip />
>
> <description>Multiple failed logins in a small period of time.
> </description>
>
> <group>authentication_failures,</group>
>
> </rule>
>
> I tried a user with a wrong password. The error is logged in
> /var/ossec/logs/alerts/alerts.log
>
> ** Alert 1432334325.49295: mail - pam,syslog,authentication_failed,
>
> 2015 May 22 22:38:45 ip-10-234-9-150->/var/log/secure
>
> Rule: 5503 (level 5) -> 'User login failed.'
>
> May 22 22:38:45 ip-10-234-9-150 su: pam_unix(su-l:auth): authentication
> failure; logname=xxx uid=511 euid=0 tty=pts/1 ruser=xxx rhost= user=root
>
> But email is not being sent. What am I doing wrong?
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
