Did you restart the ossec processes after adding the new localfile entry? Try running the logs through ossec-logtest.
On Thu, Nov 17, 2016 at 5:39 AM, Arthur Hidalgo <[email protected]> wrote: > In the file "/var/log/secure" : > > Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_unix(sshd:auth): > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > rhost=10.22.130.26 user=SVCWABADMINSUP > Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_sss(sshd:auth): > authentication success; logname= uid=0 euid=0 tty=ssh ruser= > rhost=10.22.130.26 user=SVCWABADMINSUP For these I get: Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26 user=SVCWABADMINSUP **Phase 1: Completed pre-decoding. full event: 'Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26 user=SVCWABADMINSUP' hostname: 'PCYINTPSEVU001' program_name: 'sshd' log: 'pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26 user=SVCWABADMINSUP' **Phase 2: Completed decoding. decoder: 'pam' srcip: '10.22.130.26' dstuser: 'SVCWABADMINSUP' **Phase 3: Completed filtering (rules). Rule id: '5503' Level: '5' Description: 'User login failed.' **Alert to be generated. > Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: Accepted password for > SVCWABADMINSUP from 10.22.130.26 port 53878 ssh2 > And for this one: Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: Accepted password for SVCWABADMINSUP from 10.22.130.26 port 53878 ssh2 **Phase 1: Completed pre-decoding. full event: 'Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: Accepted password for SVCWABADMINSUP from 10.22.130.26 port 53878 ssh2' hostname: 'PCYINTPSEVU001' program_name: 'sshd' log: 'Accepted password for SVCWABADMINSUP from 10.22.130.26 port 53878 ssh2' **Phase 2: Completed decoding. decoder: 'sshd' dstuser: 'SVCWABADMINSUP' srcip: '10.22.130.26' **Phase 3: Completed filtering (rules). Rule id: '5715' Level: '3' Description: 'SSHD authentication success.' **Alert to be generated. > So in OSSEC, we must have an alert for the IP 10.22.130.26 > Check /var/ossec/logs/alerts/alerts.log to see if there is anything in there for those logs. > Le jeudi 17 novembre 2016 08:05:15 UTC+1, Arthur Hidalgo a écrit : >> >> Hi! >> >> I have installed OSSEC agents on RedHat VM.But I have not see the >> intrusion alerts on the Web. On RedHat VM, the intrusion logs are in the >> file :"../var/log/secure"". >> This is the config on "ossec.conf": >> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> >> <directories check_all="yes">/bin,/sbin</directories> >> . >> . >> . >> <localfile> >> <log_format>syslog</log_format> >> <location>/var/log/secure</location> >> </localfile> >> >> Regards, >> >> Arthur. >> > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
