On Thu, Nov 30, 2017 at 10:46 AM, Francisco Ferrara <[email protected]> wrote:
>
> Hello,
>
> I'm seeing that OSSEC repeats some logs. What I see is that it only changes
> the id of firedtimes and, in addition, there is a 1 second difference for the
> date in full_log.
>
> Can someone tell me what the "firedtimes" parameter refers to? And why does
> the duplication of registration happen, in addition to knowing if it can be
> corrected?
>
> Logs:
>
>> 17-11-29 16:39:36.000 agent.name:host1 full_log:Nov 29 16:39:35 host1 sudo: pam_unix(sudo:auth): authentication failure; logname= uid=2580 euid=0 tty= ruser=user rhost= user=user agent.id:065 agent.ip:5.132.42.98 euid:0 manager.name:host1 program_name:sudo rule.firedtimes:306 rule.mail:false rule.pci_dss:10.2.4, 10.2.5 rule.level:5 rule.groups:pam, syslog, authentication_failed rule.description:PAM: User login failed. rule.id:5503 decoder.name:pam source:/var/ossec/logs/alerts/alerts.json type:ossec srcuser:user uid:2580 @timestamp:17-11-29 16:39:36.000 dstuser:user host:host1 location:/var/log/secure****
>
>> 17-11-29 16:39:36.000 agent.name:host1 full_log:Nov 29 16:39:34 host1 sudo: pam_unix(sudo:auth): authentication failure; logname= uid=2580 euid=0 tty= ruser=user rhost= user=user agent.id:065 agent.ip:5.132.42.98 manager.name:host1 euid:0 program_name:sudo rule.firedtimes:303 rule.mail:false rule.pci_dss:10.2.4, 10.2.5 rule.level:5 rule.groups:pam, syslog, authentication_failed rule.description:PAM: User login failed. rule.id:5503 decoder.name:pam source:/var/ossec/logs/alerts/alerts.json type:ossec srcuser:user uid:2580 @timestamp:17-11-29 16:39:36.000 dstuser:user host:host1 location:/var/log/secure****
>
I don't see that information in OSSEC. There is a "firedtimes" variable, but I don't think it gets printed to the logs.

> ****id, ip, host, user were changed for security
>
> Thanks
>
> Francisco Ferrara
> Italy
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
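A check for the situation in this thread, added here as an example (not code from the thread or from OSSEC): it reads alerts.json-style records and separates exact duplicates (same full_log and the same rule.firedtimes, i.e. one event recorded twice) from near-duplicates whose raw full_log differs, as the two quoted records do by one second. The sample records and the nested "rule"/"agent" layout are constructed to mirror the fields quoted above, not OSSEC's actual schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample (newline-delimited JSON) mirroring the fields quoted in the
# thread; the nested "rule"/"agent" layout is an assumption, not OSSEC's schema.
SAMPLE_ALERTS = """\
{"@timestamp": "2017-11-29T16:39:36.000Z", "agent": {"id": "065"}, "rule": {"id": "5503", "firedtimes": 303}, "srcuser": "user", "full_log": "Nov 29 16:39:34 host1 sudo: pam_unix(sudo:auth): authentication failure; logname= uid=2580 euid=0 tty= ruser=user rhost= user=user"}
{"@timestamp": "2017-11-29T16:39:36.000Z", "agent": {"id": "065"}, "rule": {"id": "5503", "firedtimes": 306}, "srcuser": "user", "full_log": "Nov 29 16:39:35 host1 sudo: pam_unix(sudo:auth): authentication failure; logname= uid=2580 euid=0 tty= ruser=user rhost= user=user"}
{"@timestamp": "2017-11-29T16:39:36.000Z", "agent": {"id": "065"}, "rule": {"id": "5503", "firedtimes": 306}, "srcuser": "user", "full_log": "Nov 29 16:39:35 host1 sudo: pam_unix(sudo:auth): authentication failure; logname= uid=2580 euid=0 tty= ruser=user rhost= user=user"}
"""

def parse_alerts(text):
    """Parse newline-delimited JSON alert records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def event_key(alert):
    """Fields that make two alerts 'the same kind of event'."""
    return (alert["agent"]["id"], alert["rule"]["id"], alert.get("srcuser"))

def alert_time(alert):
    return datetime.fromisoformat(alert["@timestamp"].replace("Z", "+00:00"))

def classify_alerts(alerts, window=timedelta(seconds=2)):
    """Return (exact, near) lists of look-alike alert pairs.
    exact: identical full_log and rule.firedtimes, i.e. one event recorded twice
           (an ingestion/forwarding duplicate worth fixing).
    near:  same key within `window` but a different full_log, i.e. separate
           events the source really logged (here, repeated sudo auth failures)."""
    exact, near = [], []
    groups = defaultdict(list)
    for alert in alerts:
        groups[event_key(alert)].append(alert)
    for group in groups.values():
        group.sort(key=alert_time)
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if alert_time(b) - alert_time(a) > window:
                    break  # sorted by time: later records are farther apart
                same_log = a["full_log"] == b["full_log"]
                same_count = a["rule"]["firedtimes"] == b["rule"]["firedtimes"]
                (exact if same_log and same_count else near).append((a, b))
    return exact, near

def summarize(text):
    """Counts for a block of alerts.json lines."""
    exact, near = classify_alerts(parse_alerts(text))
    return {"exact_duplicates": len(exact), "near_duplicates": len(near)}

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))  # {'exact_duplicates': 1, 'near_duplicates': 2}
```

Only the third constructed record (a byte-for-byte repeat of the second) is reported as an exact duplicate; the two records that mirror the thread land in the near class because their full_log timestamps differ.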
