Hi Dan
Had you looked into this issue?
On Wednesday, September 19, 2018 at 11:04:36 AM UTC+5:30, Chinmay Pandya
wrote:
>
> This is the alert from alert.log file
>
> ** Alert 1536818415.3348561390: - syslog,sshd,recon,
> 2018 Sep 13 06:00:15 east1001->10.88.10.114
> Rule: 5706 (level 6) -> 'SSH insecure connection attempt (scan).'
> Src IP: 10.14.158.11
>
>
> Sep 13 06:00:15 east1001 sshd[14453]: Did not receive identification
> string from 10.14.158.11
>
> and this is what I got in syslog JSON output from ossec
>
>
> ossec-box ossec: {"crit":6,"id":5706,"component":"east1001->10.88.10.114",
> "classification":" syslog,sshd,recon,","description":"SSH insecure
> connection attempt (scan).","message":"","src_ip":"10.14.158.11"}
>
> So it looks like there is some code error in writing the message body for this
> rule id.
>
>
>
> On Friday, September 14, 2018 at 4:33:07 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Fri, Sep 14, 2018 at 6:12 AM Chinmay Pandya
>> <[email protected]> wrote:
>> >
>> > I have set ossec to forward alerts in JSON format to my alerting
>> server.
>> >
>> > But sometimes I am getting a blank message object in the JSON.
>> >
>> > Here is a sample log
>> >
>> > ossec-box ossec:
>> {"crit":6,"id":5706,"component":"east1001->10.88.10.114","classification":"
>> syslog,sshd,recon,","description":"SSH insecure connection attempt
>> (scan).","message":"","src_ip":"10.14.158.11"}
>> >
>> > It mostly happens with ssh related alert.
>> >
>>
>> What's usually in that field, the full log?
>>
>> >
>> > Any clue where I should look for the error, because I am not getting any errors
>> in the ossec logs.
>> >
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
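Added example (not code from OSSEC or from anyone in this thread): a Python parser for the alert.log entry quoted above, cross-checked against the JSON line, so a receiving alert pipeline flags an empty "message" when the raw log is missing instead of silently accepting it. The sample inputs are reconstructed from the thread; the header and Rule regexes are my reading of the sample layout, not OSSEC's own format strings.

```python
import json
import re

# Constructed sample: the alert.log block quoted in the thread (one entry, raw log last).
ALERT_LOG_BLOCK = """\
** Alert 1536818415.3348561390: - syslog,sshd,recon,
2018 Sep 13 06:00:15 east1001->10.88.10.114
Rule: 5706 (level 6) -> 'SSH insecure connection attempt (scan).'
Src IP: 10.14.158.11
Sep 13 06:00:15 east1001 sshd[14453]: Did not receive identification string from 10.14.158.11
"""
# Constructed sample: the JSON line received for the same event, with the empty "message".
JSON_LINE = ('ossec-box ossec: {"crit":6,"id":5706,"component":"east1001->10.88.10.114",'
             '"classification":" syslog,sshd,recon,","description":"SSH insecure connection '
             'attempt (scan).","message":"","src_ip":"10.14.158.11"}')

# Assumed layout of the header and Rule lines, inferred from the sample, not OSSEC's own format.
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):.*?- (?P<groups>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alert_block(block):
    """Split one alert.log entry into fields; any line that is not a known field is the raw log."""
    lines = [ln for ln in block.splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not an alert.log header: %r" % lines[0])
    alert = {"timestamp": m.group("ts"), "groups": m.group("groups").strip(",").split(","),
             "location": lines[1].split(" ", 4)[4]}  # "2018 Sep 13 06:00:15 <location>"
    raw_log = []
    for line in lines[2:]:
        r = RULE_RE.match(line)
        if r:
            alert.update(rule_id=int(r.group("id")), level=int(r.group("level")), description=r.group("desc"))
        elif line.startswith("Src IP: "):
            alert["src_ip"] = line[len("Src IP: "):]
        else:
            raw_log.append(line)  # the syslog line(s) the rule fired on
    alert["full_log"] = "\n".join(raw_log)
    return alert


def check_alert(alert, json_line):
    """Return the discrepancies between an alert.log entry and the JSON line emitted for it."""
    js = json.loads(json_line[json_line.index("{"):])  # drop the "ossec-box ossec: " syslog prefix
    problems = []
    for json_key, log_key in (("id", "rule_id"), ("src_ip", "src_ip"), ("description", "description")):
        if js.get(json_key) != alert.get(log_key):
            problems.append("%s mismatch" % json_key)
    if alert["full_log"] and not js.get("message"):  # the thread's symptom: verdict kept, evidence lost
        problems.append("empty message: raw log dropped")
    return problems
```

Running check_alert(parse_alert_block(ALERT_LOG_BLOCK), JSON_LINE) on the samples reports only the dropped raw log, which is exactly the field a responder would need to confirm the scan.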