On Tue, Apr 12, 2016 at 10:23 AM, <[email protected]> wrote:
> 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com
> (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect
> password.
> 2016-04-12 10:15:30,894 next-test.com proftpd[29431] next-test.com
> (hostname.com[78.131.92.4]): USER testnext: Login successful.
>

I forgot to ask which version you're using. 2.8.3? My logtests were on the current code.

> root@next-test:/var/ossec# /var/ossec/bin/ossec-logtest
> 2016/04/12 10:22:21 ossec-testrule: INFO: Reading local decoder file.
> 2016/04/12 10:22:21 ossec-testrule: INFO: Started (pid: 29992).
> ossec-testrule: Type one log per line.
>
> 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com
> (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect
> password.
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
> hostname: 'next-test'
> program_name: '(null)'
> log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '2501'
> Level: '5'
> Description: 'User authentication failure.'
> **Alert to be generated.
>
>
> 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com
> (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect
> password.
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
> hostname: 'next-test'
> program_name: '(null)'
> log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '2501'
> Level: '5'
> Description: 'User authentication failure.'
> **Alert to be generated.
>
> On Tuesday, April 12, 2016 at 3:31:34 PM UTC+4, dan (ddpbsd) wrote:
>>
>> On Tue, Apr 12, 2016 at 7:17 AM, <[email protected]> wrote:
>> > Sorry, I missed the commit
>> >
>> > https://github.com/ddpbsd/ossec-hids/commit/a7b69e873e070ea01e346d79c43b403920029801
>> > Now my proftpd logs are not processed by ossec.
>> >
>>
>> Can you provide log samples?
>>
>> > Also, if possible, please add deb-src packages to the apt repo to help
>> > recompile ossec.
>> > I tried to rebuild the deb packages, but failed.
>> >
>> > On Thursday, April 7, 2016 at 10:14:19 PM UTC+4, Jesus Linares wrote:
>> >>
>> >> What commit do you mean?
>> >>
>> >> On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, [email protected] wrote:
>> >>>
>> >>> Hello!
>> >>> I am very interested in this commit for supporting proftpd logs.
>> >>>
>> >>> Are there any plans for new ossec deb packages that will include
>> >>> this commit?
>> >>> Or is the better way to build ossec myself?
>> >>>
>> >>> Thank you!

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
