Thanks, dan (ddpbsd).
On Sunday, 3 December 2017, 22:08:18 (UTC+1), dan (ddpbsd) wrote:
>
> On Sun, Dec 3, 2017 at 4:04 PM, dan (ddp) <[email protected]> wrote:
> > On Thu, Nov 30, 2017 at 10:46 AM, Francisco Ferrara
> > <[email protected]> wrote:
> >>
> >> Hello,
> >>
> >> I'm seeing that ossec repeats some logs. What I see is that it only
> >> changes the id of firedtimes and, in addition, there is a 1-second
> >> difference for the date in full_log.
> >>
> >> Can someone tell me what the "firedtimes" parameter refers to, and why
> >> the duplication of records happens? Also, can it be corrected?
> >>
> >> Logs:
> >>
> >>> 17-11-29 16:39:36.000 agent.name:host1 full_log:Nov 29 16:39:35 host1
> >>> sudo: pam_unix(sudo:auth): authentication failure; logname= uid=2580 euid=0
> >>> tty= ruser=user rhost= user=user agent.id:065 agent.ip:5.132.42.98 euid:0
> >>> manager.name:host1 program_name:sudo rule.firedtimes:306 rule.mail:false
> >>> rule.pci_dss:10.2.4, 10.2.5 rule.level:5 rule.groups:pam, syslog,
> >>> authentication_failed rule.description:PAM: User login failed. rule.id:5503
> >>> decoder.name:pam source:/var/ossec/logs/alerts/alerts.json type:ossec
> >>> srcuser:user uid:2580 @timestamp:17-11-29 16:39:36.000 dstuser:user
> >>> host:host1 location:/var/log/secure****
> >>
> >>> 17-11-29 16:39:36.000 agent.name:host1 full_log:Nov 29 16:39:34 host1
> >>> sudo: pam_unix(sudo:auth): authentication failure; logname= uid=2580 euid=0
> >>> tty= ruser=user rhost= user=user agent.id:065 agent.ip:5.132.42.98
> >>> manager.name:host1 euid:0 program_name:sudo rule.firedtimes:303
> >>> rule.mail:false rule.pci_dss:10.2.4, 10.2.5 rule.level:5 rule.groups:pam,
> >>> syslog, authentication_failed rule.description:PAM: User login failed.
> >>> rule.id:5503 decoder.name:pam source:/var/ossec/logs/alerts/alerts.json
> >>> type:ossec srcuser:user uid:2580 @timestamp:17-11-29 16:39:36.000
> >>> dstuser:user host:host1 location:/var/log/secure****
> >>
> >
> > I don't see that information in OSSEC. There is a "firedtimes"
> > variable, but I don't think it gets printed to the logs.
> >
>
> It looks like it's only for the stats logs. It should be tracking the
> number of times each rule fires.
>
> >>
> >> ****id, ip, host, user were changed for security
> >>
> >> Thanks
> >>
> >> Francisco Ferrara
> >> Italy
> >>
> >> --
> >>
> >> ---
> >> You received this message because you are subscribed to the Google Groups
> >> "ossec-list" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to [email protected].
> >> For more options, visit https://groups.google.com/d/optout.
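One way to check whether a pair of records like the two quoted above are two copies of one alert or alerts for two separate events, as an added example (this is not code from the thread, from OSSEC, or from any log shipper). It rebuilds the two posted records as constructed JSON lines, assuming the nested key layout that the dotted field names (rule.id, agent.id, decoder.name, ...) suggest, then groups records by the source line they were raised for (agent, file and full_log) rather than by the manager-side timestamp or rule.firedtimes, which are bookkeeping added by the analysis engine. Taking dan's description of firedtimes as a per-rule fire counter (an assumption, labelled in the code), it also lists the counter values that fall between the two records but do not appear in them.

```python
"""Duplicate-or-distinct check for OSSEC-style alerts.json records.

Added example; not code from the ossec-list thread or from OSSEC.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two alerts posted in the thread, rebuilt as JSON
# lines. The nested layout is assumed from the dotted field names shown;
# id, ip, host and user were already anonymised by the poster.
SAMPLE_ALERTS = [
    json.dumps({
        "rule": {"id": "5503", "level": 5, "firedtimes": 306, "mail": False,
                 "description": "PAM: User login failed.",
                 "groups": ["pam", "syslog", "authentication_failed"],
                 "pci_dss": ["10.2.4", "10.2.5"]},
        "agent": {"id": "065", "name": "host1", "ip": "5.132.42.98"},
        "manager": {"name": "host1"}, "decoder": {"name": "pam"},
        "full_log": "Nov 29 16:39:35 host1 sudo: pam_unix(sudo:auth): "
                    "authentication failure; logname= uid=2580 euid=0 "
                    "tty= ruser=user rhost= user=user",
        "location": "/var/log/secure", "program_name": "sudo",
        "srcuser": "user", "dstuser": "user", "uid": "2580", "euid": "0",
    }),
    json.dumps({
        "rule": {"id": "5503", "level": 5, "firedtimes": 303, "mail": False,
                 "description": "PAM: User login failed.",
                 "groups": ["pam", "syslog", "authentication_failed"],
                 "pci_dss": ["10.2.4", "10.2.5"]},
        "agent": {"id": "065", "name": "host1", "ip": "5.132.42.98"},
        "manager": {"name": "host1"}, "decoder": {"name": "pam"},
        "full_log": "Nov 29 16:39:34 host1 sudo: pam_unix(sudo:auth): "
                    "authentication failure; logname= uid=2580 euid=0 "
                    "tty= ruser=user rhost= user=user",
        "location": "/var/log/secure", "program_name": "sudo",
        "srcuser": "user", "dstuser": "user", "uid": "2580", "euid": "0",
    }),
]

# Classic syslog timestamp at the start of full_log: "Nov 29 16:39:35 ".
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_alerts(lines):
    """Parse JSON-lines alert records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def event_key(alert):
    """Identity of the original event: which agent, which file, which line.

    rule.firedtimes and the manager's own timestamp are excluded on purpose:
    they describe the alert, not the event that caused it.
    """
    return (alert["agent"]["id"], alert["location"], alert["full_log"])


def find_duplicates(alerts):
    """Return groups of alerts raised for the very same source line."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[event_key(alert)].append(alert)
    return {key: group for key, group in groups.items() if len(group) > 1}


def source_timestamp(alert):
    """Timestamp written by the logging application (syslog carries no year)."""
    match = SYSLOG_TS.match(alert["full_log"])
    if not match:
        raise ValueError("no syslog timestamp in full_log: %r" % alert["full_log"])
    return datetime.strptime(match.group(1), "%b %d %H:%M:%S")


def seconds_apart(a, b):
    """Seconds between the source timestamps of two alerts."""
    return abs((source_timestamp(a) - source_timestamp(b)).total_seconds())


def firedtimes_by_rule(alerts):
    """Map rule.id -> sorted rule.firedtimes values seen for that rule."""
    seen = defaultdict(list)
    for alert in alerts:
        seen[alert["rule"]["id"]].append(alert["rule"]["firedtimes"])
    return {rule: sorted(values) for rule, values in seen.items()}


def unseen_firedtimes(alerts, rule_id):
    """Counter values between the lowest and highest seen that are absent.

    Assumption (from the reply in the thread): firedtimes counts how many
    times a rule has fired, so absent values belong to other alerts for the
    same rule that are not in the input (other agents, or not forwarded).
    """
    seen = firedtimes_by_rule(alerts).get(rule_id, [])
    if not seen:
        return []
    present = set(seen)
    return [n for n in range(seen[0], seen[-1] + 1) if n not in present]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("true duplicates:", len(find_duplicates(alerts)))
    print("seconds between source lines:", seconds_apart(alerts[0], alerts[1]))
    print("firedtimes seen for 5503:", firedtimes_by_rule(alerts)["5503"])
    print("firedtimes not seen for 5503:", unseen_firedtimes(alerts, "5503"))
```

On the posted pair this finds no true duplicate: the two full_log lines carry different source timestamps (16:39:34 and 16:39:35), so they are two sudo authentication failures logged one second apart that happened to be processed within the same manager-side second, and firedtimes 304 and 305 would belong to alerts for rule 5503 that are not in the pair. A genuine duplicate (the same full_log from the same agent and file) is reported regardless of what firedtimes or the manager timestamp say.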
