On Wed, Oct 5, 2016 at 10:37 AM, Adiel Navarro <[email protected]> wrote:
> No, the rule is not commented.
> Meanwhile, I delete the --> sign...
>

Did you restart the OSSEC processes on the server? You can try turning the log_all option on and check the archives.log to make sure your match will actually match the log messages sent over. I usually use aliases to make this easier. Also, make sure the output changes. If there are no changes, there will be no alert.

>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
> Sent: Wednesday, October 05, 2016 09:25 a.m.
> To: [email protected]
> Subject: Re: [ossec-list] last -10
>
> On Wed, Oct 5, 2016 at 10:15 AM, Adiel Navarro <[email protected]> wrote:
>> Sure,
>> I configured the following rule in local_rules.xml on the ossec server:
>>
>> <rule id="140126" level="7">
>>   <if_sid>530</if_sid>
>>   <match>ossec: output: 'last -10 </match>
>>   <check_diff />
>>   <description>Last connections. </description>
>> </rule> -->
>>
>
> The "-->" marks the end of a comment. Could you possibly have the rule currently commented out?
>
>> L.I. Adiel Jesús Navarro Rosado
>> Analista OyM Seguridad Operativa
>> A: [email protected]
>> Ext. 5179
>> 5510101509
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
>> Sent: Wednesday, October 05, 2016 06:22 a.m.
>> To: [email protected]
>> Subject: Re: [ossec-list] last -10
>>
>> On Tue, Oct 4, 2016 at 6:21 PM, Aj Navarro <[email protected]> wrote:
>>> I want to monitor the last connections on a server.
>>>
>>> I configured the last -10 command in ossec.conf on a client:
>>>
>>> <localfile>
>>>   <log_format>full_command</log_format>
>>>   <command>last 10</command>
>>>   <frequency>60</frequency>
>>> </localfile>
>>>
>>> I need the output of this command to be sent to the ossec server, but I am not seeing any alert in the ossec wui.
>>>
>>> Do I need to configure anything else on the client or on the ossec server?
>>>
>>
>> Did you create a rule to look for the information coming from the command?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
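
As an added example (not part of this thread and not OSSEC's own code) of the check dan describes, that is, turning on log_all and comparing the rule's <match> string against what actually lands in archives.log: the script below parses a few constructed archives.log lines, strips the localfile location so only the message text remains, and applies an approximation of OSSEC's <match> semantics (plain substring search, with ^ and $ as anchors and | separating alternatives; this is an assumption, not the OSSEC matcher source). It also models <check_diff /> as "no alert while the matched output is unchanged", which is dan's second point. The agent name, addresses, timestamps, the archives.log line layout, and the pattern given for stock rule 530 are all assumptions to verify against your own install.

```python
"""Check whether OSSEC <match> strings would hit the messages seen in archives.log.

Added example for the thread above; not OSSEC code. The archives.log content is
constructed, and the <match> / <check_diff /> behaviour is an assumed approximation.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed archives.log lines (assumed layout: "YYYY Mon DD HH:MM:SS source->location message").
# Lines 1 and 3 carry identical command output; line 4 carries changed output.
SAMPLE_ARCHIVES = """\
2016 Oct 05 10:37:01 (webagent) 192.0.2.10->last 10 ossec: output: 'last 10': root pts/0 192.0.2.50 Wed Oct 5 10:30 still logged in
2016 Oct 05 10:38:02 (webagent) 192.0.2.10->/var/log/auth.log Oct  5 10:38:01 web sshd[2211]: Accepted publickey for deploy from 192.0.2.60 port 51234 ssh2
2016 Oct 05 10:38:30 (webagent) 192.0.2.10->last 10 ossec: output: 'last 10': root pts/0 192.0.2.50 Wed Oct 5 10:30 still logged in
2016 Oct 05 10:39:30 (webagent) 192.0.2.10->last 10 ossec: output: 'last 10': deploy pts/1 192.0.2.60 Wed Oct 5 10:38 still logged in
"""

# The <command> / <location> values configured in ossec.conf on the agent (assumed).
LOCATIONS = ["last 10", "/var/log/auth.log"]


@dataclass
class ArchiveEntry:
    timestamp: str
    source: str    # "(agent) ip" as written by the server
    location: str  # the localfile location, e.g. the command string
    message: str   # the text that rules are matched against


@dataclass
class Rule:
    rule_id: int
    match: str
    if_sid: Optional[int] = None
    check_diff: bool = False


# Stock rule 530 matches the full_command prefix (pattern from memory of
# ossec_rules.xml; verify against your install), followed by the rule from the thread.
THREAD_RULES = [
    Rule(530, "^ossec: output: '"),
    Rule(140126, "ossec: output: 'last -10 ", if_sid=530, check_diff=True),
]
# Same local rule, with the match string following the <command> value as configured.
ALT_RULES = [
    Rule(530, "^ossec: output: '"),
    Rule(140126, "ossec: output: 'last 10", if_sid=530, check_diff=True),
]


def parse_archives(text: str, locations: list[str]) -> list[ArchiveEntry]:
    """Split archives.log lines into timestamp, source, location and message.

    Locations may contain spaces ("last 10"), so known locations are tried
    longest-first; anything else falls back to "first word is the location".
    """
    entries: list[ArchiveEntry] = []
    by_len = sorted(locations, key=len, reverse=True)
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, rest = line[:20], line[21:]
        source, sep, tail = rest.partition("->")
        if not sep:
            continue  # not an entry line in the assumed layout
        for loc in by_len:
            if tail.startswith(loc + " "):
                entries.append(ArchiveEntry(timestamp, source, loc, tail[len(loc) + 1:]))
                break
        else:
            loc, _, msg = tail.partition(" ")
            entries.append(ArchiveEntry(timestamp, source, loc, msg))
    return entries


def ossec_match(pattern: str, text: str) -> bool:
    """Approximate <match>: substring search, '^' anchors the start, '$' the end,
    '|' separates alternatives. Assumed subset, not the OSSEC matcher itself."""
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        core = alt[1:] if at_start else alt
        core = core[:-1] if at_end else core
        if at_start and at_end:
            hit = text == core
        elif at_start:
            hit = text.startswith(core)
        elif at_end:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False


def rule_hits(entries: list[ArchiveEntry], rules: list[Rule]) -> dict[int, int]:
    """Count, per rule, how many entries would produce an alert.

    A rule with if_sid only fires if its parent fired on the same entry; a rule
    with check_diff stays silent while the matched message equals the last one it saw.
    """
    hits = {r.rule_id: 0 for r in rules}
    last_seen: dict[int, str] = {}
    for entry in entries:
        fired: set[int] = set()
        for rule in rules:
            if rule.if_sid is not None and rule.if_sid not in fired:
                continue
            if not ossec_match(rule.match, entry.message):
                continue
            if rule.check_diff and last_seen.get(rule.rule_id) == entry.message:
                continue  # unchanged output: no alert, as with <check_diff />
            last_seen[rule.rule_id] = entry.message
            fired.add(rule.rule_id)
            hits[rule.rule_id] += 1
    return hits


if __name__ == "__main__":
    parsed = parse_archives(SAMPLE_ARCHIVES, LOCATIONS)
    for label, rules in (("thread rules", THREAD_RULES), ("alt rules", ALT_RULES)):
        print(label, rule_hits(parsed, rules))
```

Run it against a real archives.log by replacing SAMPLE_ARCHIVES with the file contents and LOCATIONS with the <command> and <location> values from the agent's ossec.conf; a rule that shows zero hits while its parent shows some is the one whose <match> string needs comparing, character by character, against the archived message.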
