In the file "/var/log/secure":

Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26 user=SVCWABADMINSUP
Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26 user=SVCWABADMINSUP
Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: Accepted password for SVCWABADMINSUP from 10.22.130.26 port 53878 ssh2
So in OSSEC, we must have an alert for the IP 10.22.130.26.

On Thursday, 17 November 2016 08:05:15 UTC+1, Arthur Hidalgo wrote:
>
> Hi!
>
> I have installed OSSEC agents on a RedHat VM, but I have not seen the
> intrusion alerts on the web. On the RedHat VM, the intrusion logs are in the
> file "../var/log/secure".
> This is the config in "ossec.conf":
> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories check_all="yes">/bin,/sbin</directories>
> .
> .
> .
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/secure</location>
> </localfile>
>
> Regards,
>
> Arthur.
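As an added illustration (not OSSEC's own decoder, and not code from this thread), the Python below decodes sshd lines from /var/log/secure the way a log analyser would and groups them by sshd PID, so that the pam_unix failure, the pam_sss success and the final "Accepted password" line quoted above are read as one successful login from 10.22.130.26 rather than three unrelated events. The sample log is constructed: the three lines from the thread plus a second, failed session for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines quoted in the thread (one sshd session, PID 35427)
# plus a constructed failed login from a second address for contrast.
SAMPLE_LOG = """\
Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26 user=SVCWABADMINSUP
Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26 user=SVCWABADMINSUP
Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: Accepted password for SVCWABADMINSUP from 10.22.130.26 port 53878 ssh2
Nov 17 11:06:10 PCYINTPSEVU001 sshd[35501]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.77 user=root
Nov 17 11:06:12 PCYINTPSEVU001 sshd[35501]: Failed password for root from 192.0.2.77 port 40112 ssh2
"""
# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# per-module PAM verdict (pam_unix, pam_sss, ...) written before sshd's own verdict
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\(sshd:auth\): authentication (?P<result>failure|success);.* rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
# sshd's final verdict for the attempt
FINAL_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)")

def parse_line(line):
    """Decode one /var/log/secure line into a dict; None if it is not an sshd line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    msg = ev.pop("msg")
    for kind, rx in (("pam", PAM_RE), ("final", FINAL_RE)):
        sub = rx.match(msg)
        if sub:
            ev.update(sub.groupdict(), kind=kind)
            return ev
    ev["kind"] = "other"
    return ev

def summarize_sessions(text):
    """Group sshd events by (host, pid); report each session's outcome and its PAM trail."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            sessions[(ev["host"], ev["pid"])].append(ev)
    summary = []
    for (host, pid), evs in sessions.items():
        final = next((e for e in evs if e["kind"] == "final"), None)
        ident = final or evs[0]  # fall back to the first PAM line if sshd logged no verdict
        summary.append({"host": host, "pid": pid, "user": ident.get("user"), "rhost": ident.get("rhost"),
                        "outcome": final["result"].lower() if final else "unknown",
                        "pam": [(e["module"], e["result"]) for e in evs if e["kind"] == "pam"]})
    return summary
```

Run over the sample, session 35427 comes out as an accepted login for SVCWABADMINSUP from 10.22.130.26 with the PAM trail [("pam_unix", "failure"), ("pam_sss", "success")], which is why a rule keyed only on "authentication failure" would misclassify it.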
