On Sun, Dec 3, 2017 at 4:04 PM, dan (ddp) <[email protected]> wrote:
> On Thu, Nov 30, 2017 at 10:46 AM, Francisco Ferrara
> <[email protected]> wrote:
>>
>> Hello,
>>
>> I'm seeing that OSSEC repeats some logs. What I see is that it only
>> changes the id of firedtimes and, in addition, there is a 1 second
>> difference in the date in full_log.
>>
>> Can someone tell me what the "firedtimes" parameter refers to?
>> And why does the duplication of records happen, and can it be
>> corrected?
>>
>> Logs:
>>
>>>
>>> 17-11-29 16:39:36.000 agent.name:host1 full_log:Nov 29 16:39:35 host1
>>> sudo: pam_unix(sudo:auth): authentication failure; logname= uid=2580 euid=0
>>> tty= ruser=user rhost= user=user agent.id:065 agent.ip:5.132.42.98 euid:0
>>> manager.name:host1 program_name:sudo rule.firedtimes:306 rule.mail:false
>>> rule.pci_dss:10.2.4, 10.2.5 rule.level:5 rule.groups:pam, syslog,
>>> authentication_failed rule.description:PAM: User login failed. rule.id:5503
>>> decoder.name:pam source:/var/ossec/logs/alerts/alerts.json type:ossec
>>> srcuser:user uid:2580 @timestamp:17-11-29 16:39:36.000 dstuser:user
>>> host:host1 location:/var/log/secure****
>>
>>> 17-11-29 16:39:36.000 agent.name:host1 full_log:Nov 29 16:39:34 host1
>>> sudo: pam_unix(sudo:auth): authentication failure; logname= uid=2580 euid=0
>>> tty= ruser=user rhost= user=user agent.id:065 agent.ip:5.132.42.98
>>> manager.name:host1 euid:0 program_name:sudo rule.firedtimes:303
>>> rule.mail:false rule.pci_dss:10.2.4, 10.2.5 rule.level:5 rule.groups:pam,
>>> syslog, authentication_failed rule.description:PAM: User login failed.
>>> rule.id:5503 decoder.name:pam source:/var/ossec/logs/alerts/alerts.json
>>> type:ossec srcuser:user uid:2580 @timestamp:17-11-29 16:39:36.000
>>> dstuser:user host:host1 location:/var/log/secure****
>>
>
> I don't see that information in OSSEC. There is a "firedtimes"
> variable, but I don't think it gets printed to the logs.
>

It looks like it's only for the stats logs. It should be tracking the
number of times each rule fires.

>>
>> **** id, ip, host, user were changed for security
>>
>> Thanks
>>
>> Francisco Ferrara
>> Italy
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
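As an added example (not code from the thread or from OSSEC itself), a small parser for the flattened alert records quoted above: it splits each record into fields using the field names that appear in them and reports which fields differ between the two records, so a reader can check whether two alerts are copies of one event or separate events whose alerts share the same alert timestamp. The field list, the `_prefix` slot for the leading timestamp, and the choice of agent.id, rule.id and full_log as the identity of an event are assumptions made here.

```python
import re

# Field names present in the alert records quoted in the thread (assumed complete).
KNOWN_KEYS = [
    "agent.name", "full_log", "agent.id", "agent.ip", "euid", "manager.name",
    "program_name", "rule.firedtimes", "rule.mail", "rule.pci_dss", "rule.level",
    "rule.groups", "rule.description", "rule.id", "decoder.name", "source", "type",
    "srcuser", "uid", "@timestamp", "dstuser", "host", "location",
]
# A key only counts at the start of the record or after whitespace, so "sudo:"
# and "(sudo:auth)" inside full_log are not mistaken for fields.
_KEY_RE = re.compile(r"(?<!\S)(" + "|".join(map(re.escape, KNOWN_KEYS)) + r"):")

def parse_alert(record):
    """Split one flattened record into {field: value}; text before the first field goes under '_prefix'."""
    hits = list(_KEY_RE.finditer(record))
    fields = {"_prefix": record[: hits[0].start()].strip() if hits else record.strip()}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(record)
        fields[m.group(1)] = record[m.end():end].strip()
    return fields

def diff_alerts(a, b):
    """Return {field: (value_a, value_b)} for every field whose value differs."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def same_event(a, b):
    """Same underlying event only if agent, rule and raw log line match (assumed identity;
    rule.firedtimes and @timestamp are per-alert bookkeeping, not part of it)."""
    return all(a.get(k) == b.get(k) for k in ("agent.id", "rule.id", "full_log"))

# The two records quoted in the thread, each joined back onto one line
# ('****' marks values the poster masked).
ALERT_A = ("17-11-29 16:39:36.000 agent.name:host1 full_log:Nov 29 16:39:35 host1 sudo: pam_unix(sudo:auth): "
           "authentication failure; logname= uid=2580 euid=0 tty= ruser=user rhost= user=user agent.id:065 "
           "agent.ip:5.132.42.98 euid:0 manager.name:host1 program_name:sudo rule.firedtimes:306 rule.mail:false "
           "rule.pci_dss:10.2.4, 10.2.5 rule.level:5 rule.groups:pam, syslog, authentication_failed "
           "rule.description:PAM: User login failed. rule.id:5503 decoder.name:pam source:/var/ossec/logs/alerts/alerts.json "
           "type:ossec srcuser:user uid:2580 @timestamp:17-11-29 16:39:36.000 dstuser:user host:host1 location:/var/log/secure****")
ALERT_B = ("17-11-29 16:39:36.000 agent.name:host1 full_log:Nov 29 16:39:34 host1 sudo: pam_unix(sudo:auth): "
           "authentication failure; logname= uid=2580 euid=0 tty= ruser=user rhost= user=user agent.id:065 "
           "agent.ip:5.132.42.98 manager.name:host1 euid:0 program_name:sudo rule.firedtimes:303 rule.mail:false "
           "rule.pci_dss:10.2.4, 10.2.5 rule.level:5 rule.groups:pam, syslog, authentication_failed "
           "rule.description:PAM: User login failed. rule.id:5503 decoder.name:pam source:/var/ossec/logs/alerts/alerts.json "
           "type:ossec srcuser:user uid:2580 @timestamp:17-11-29 16:39:36.000 dstuser:user host:host1 location:/var/log/secure****")

if __name__ == "__main__":
    a, b = parse_alert(ALERT_A), parse_alert(ALERT_B)
    print(diff_alerts(a, b), "same event:", same_event(a, b))
```

Run against the two quoted records it reports that only full_log (16:39:35 vs 16:39:34) and rule.firedtimes (306 vs 303) differ, i.e. two distinct sudo authentication failures that produced alerts with the same alert-side timestamp.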
