Hello,
I'm seeing that OSSEC repeats some logs;
what I see is that only the id of firedtimes changes, plus a 1 second
difference in the date in full_log.
Can someone tell me what the "firedtimes" parameter refers to,
and why the duplication of the log entry happens, and also whether
it can be corrected?
Logs:
>
> 17-11-29 16:39:36.000 agent.name:host1 full_log:Nov 29 16:39:35 host1
> sudo: pam_unix(sudo:auth): authentication failure; logname= uid=2580 euid=0
> tty= ruser=user rhost= user=user agent.id:065 agent.ip:5.132.42.98 euid:0
> manager.name:host1 program_name:sudo rule.firedtimes:306 rule.mail:false
> rule.pci_dss:10.2.4, 10.2.5 rule.level:5 rule.groups:pam, syslog,
> authentication_failed rule.description:PAM: User login failed. rule.id:5503
> decoder.name:pam source:/var/ossec/logs/alerts/alerts.json type:ossec
> srcuser:user uid:2580 @timestamp:17-11-29 16:39:36.000 dstuser:user
> host:host1 location:/var/log/secure****
>
> 17-11-29 16:39:36.000 agent.name:host1 full_log:Nov 29 16:39:34 host1
> sudo: pam_unix(sudo:auth): authentication failure; logname= uid=2580 euid=0
> tty= ruser=user rhost= user=user agent.id:065 agent.ip:5.132.42.98
> manager.name:host1 euid:0 program_name:sudo rule.firedtimes:303
> rule.mail:false rule.pci_dss:10.2.4, 10.2.5 rule.level:5 rule.groups:pam,
> syslog, authentication_failed rule.description:PAM: User login failed.
> rule.id:5503 decoder.name:pam source:/var/ossec/logs/alerts/alerts.json
> type:ossec srcuser:user uid:2580 @timestamp:17-11-29 16:39:36.000
> dstuser:user host:host1 location:/var/log/secure****
**** id, IP, host and user were changed for security
Thanks
Francisco Ferrara
Italy
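As an added example (not part of the post above and not OSSEC project code), the Python below reads alerts.json lines shaped like the two quoted and clusters alerts that share agent.id, rule.id and a full_log that differs only in its syslog timestamp, within a short time window. rule.firedtimes is the manager's running count of how many times that rule has matched, so non-adjacent values such as 303 and 306 recorded in the same second indicate further matches of rule 5503 between the two quoted alerts; `firedtimes_gaps` lists those missing counter values. The nested JSON layout, the ISO form of `@timestamp` and the third sample alert (firedtimes 340) are constructed assumptions for the demo, not a claim about the exact on-disk format.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample alerts modelled on the two quoted in the post, plus one
# more match of the same rule ten minutes later (firedtimes 340) to show that
# distant repeats are not clustered. The nested layout and the ISO form of
# "@timestamp" are assumptions; only the key names seen in the post are used.
def _alert(ts, firedtimes, full_log):
    return json.dumps({
        "@timestamp": ts,
        "agent": {"id": "065", "name": "host1"},
        "rule": {"id": "5503", "level": 5, "firedtimes": firedtimes,
                 "description": "PAM: User login failed."},
        "decoder": {"name": "pam"},
        "location": "/var/log/secure",
        "full_log": full_log,
    })


_BODY = ("host1 sudo: pam_unix(sudo:auth): authentication failure; "
         "logname= uid=2580 euid=0 tty= ruser=user rhost= user=user")

SAMPLE_ALERTS = [
    _alert("2017-11-29T16:39:36", 306, "Nov 29 16:39:35 " + _BODY),
    _alert("2017-11-29T16:39:36", 303, "Nov 29 16:39:34 " + _BODY),
    _alert("2017-11-29T16:50:02", 340, "Nov 29 16:50:01 " + _BODY),  # constructed
]

# Leading syslog timestamp, e.g. "Nov 29 16:39:35 " or "Nov  9 06:01:02 ".
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")


def normalize_full_log(full_log):
    """Drop the syslog timestamp so lines differing only by the second compare equal."""
    return SYSLOG_TS.sub("", full_log, count=1)


def parse_alert(line):
    """Pull the fields needed for clustering out of one alerts.json line."""
    a = json.loads(line)
    return {
        "ts": datetime.strptime(a["@timestamp"], "%Y-%m-%dT%H:%M:%S"),
        "agent": a["agent"]["id"],
        "rule": a["rule"]["id"],
        "firedtimes": a["rule"]["firedtimes"],
        "body": normalize_full_log(a["full_log"]),
        "full_log": a["full_log"],
    }


def find_near_duplicates(lines, window=timedelta(seconds=2)):
    """Return clusters (lists of parsed alerts) that share agent, rule and
    timestamp-stripped full_log, where each alert is within `window` of the
    previous one in the cluster. Clusters of size 1 are not reported."""
    by_key = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        by_key[(a["agent"], a["rule"], a["body"])].append(a)

    clusters = []
    for alerts in by_key.values():
        alerts.sort(key=lambda x: (x["ts"], x["firedtimes"]))
        cluster = [alerts[0]]
        for a in alerts[1:]:
            if a["ts"] - cluster[-1]["ts"] <= window:
                cluster.append(a)
            else:
                if len(cluster) > 1:
                    clusters.append(cluster)
                cluster = [a]
        if len(cluster) > 1:
            clusters.append(cluster)
    return clusters


def firedtimes_gaps(cluster):
    """Counter values between the cluster's lowest and highest firedtimes that
    are not present, i.e. matches of the same rule not in the excerpt."""
    seen = {a["firedtimes"] for a in cluster}
    return [n for n in range(min(seen) + 1, max(seen)) if n not in seen]


if __name__ == "__main__":
    for cluster in find_near_duplicates(SAMPLE_ALERTS):
        counters = [a["firedtimes"] for a in cluster]
        print("rule", cluster[0]["rule"], "agent", cluster[0]["agent"],
              "firedtimes", counters, "missing", firedtimes_gaps(cluster))
        for a in cluster:
            print("   ", a["ts"].isoformat(), a["full_log"])
```

Against the real file, pass the open file object straight in (`find_near_duplicates(open("/var/ossec/logs/alerts/alerts.json"))`); `json.loads` tolerates the trailing newline. Widen `window` if the agent's clock and the manager's `@timestamp` drift by more than a second or two.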
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.