Best way to do this is to check out what logs are being generated when you
log in as root.
On my system, I see the following:
Jun 30 08:42:26 ossec sshd[26600]: pam_unix(sshd:session): session opened for user root by (uid=0)
I usually just paste the actual log into ossec-logtest to see what rule is
triggered.
Run /var/ossec/bin/ossec-logtest and paste the log entry from your system
when a root login occurs.
On my system, I see the following.
**Phase 3: Completed filtering (rules).
Rule id: '5501'
Level: '3'
Description: 'Login session opened.'
**Alert to be generated.
To accomplish your goal of being alerted when root logs into the server,
you'll want to edit the local_rules.xml file and rewrite that rule, changing
it to <match>root</match> and also changing the level to one that will
generate an alert on your specific configuration.
Test this by making the changes in local_rules.xml and restarting
ossec-logtest to verify the results - and then once you're satisfied with
the results, restart ossec.
HTH!
On Monday, June 29, 2015 at 6:10:24 PM UTC-7, 長谷川真 wrote:
>
> Hi, there.
>
> I have two questions about OSSEC configuration.
>
>
> 1. I want to notice whether there was a root login for the server. Can OSSEC
> notice the root login?
> 2. If OSSEC can notice the root login for the server, how do I configure OSSEC?
>
> Best Regards.
>
> Shin
>
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
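As an added example (not part of the post above, and not shipped with OSSEC), here is one way to write the rule in local_rules.xml. Instead of overwriting rule 5501 it adds a child rule that fires only when 5501 has already matched, which is the usual way to extend a stock rule without touching the shipped ruleset. The rule id 100100 is an arbitrary choice from the range OSSEC reserves for local rules, and the level of 10 assumes a default ossec.conf, where email alerts start at level 7.

```xml
<!-- Added example: alert on an interactive root login seen by PAM.
     Assumes the stock rule 5501 ("Login session opened.") already fires
     on the pam_unix "session opened" line shown above. -->
<group name="local,syslog,pam,">

  <!-- 100100: chosen from the 100000-119999 range OSSEC leaves for local rules.
       Level 10 is an assumption; pick whatever level your ossec.conf
       <alerts> block treats as worth an email or active response. -->
  <rule id="100100" level="10">
    <!-- Only evaluated after 5501 has matched, so this stays cheap and
         does not alter the behaviour of 5501 for non-root sessions. -->
    <if_sid>5501</if_sid>

    <!-- Match the whole phrase, including the trailing "by", so a user
         named e.g. "rootless" does not trigger the rule. -->
    <match>session opened for user root by</match>

    <description>Root login session opened.</description>
  </rule>

</group>
```

To check it, start /var/ossec/bin/ossec-logtest again after saving the file and paste the same pam_unix line; Phase 3 should now report rule 100100 at the chosen level instead of 5501 at level 3. A line for any other user should still stop at 5501. Once that looks right, restart OSSEC so the running analysisd picks up the new rule.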