Aleksander, I installed the program and I edited the file local_rules.xml under /var/log/ossec/rules/
In /var/log/ossec/logs/alerts I found this line:

** Alert 1277506046.174479: - syslog,vpopmail,authentication_success,
2010 Jun 25 16:47:26 mailserver->/var/log/maillog

But I cannot view the squirrelmail logins. The local_rules.xml has this information:

<!-- @(#) $Id: local_rules.xml,v 1.7 2010/03/04 20:12:33 dcid Exp $
  -  Example of local rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->

<!-- Modify it at your will. -->

<group name="local,syslog,">

  <!-- Note that rule id 5711 is defined at the ssh_rules file
    -  as a ssh failed login. This is just an example
    -  since ip 1.1.1.1 shouldn't be used anywhere.
    -  Level 0 means ignore.
    -->
  <rule id="100001" level="0">
    <if_sid>5711</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins from IP 1.1.1.1.</description>
  </rule>

  <!-- This example will ignore ssh failed logins for the user name XYZABC. -->
  <!--
  <rule id="100020" level="0">
    <if_sid>5711</if_sid>
    <user>XYZABC</user>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins for user XYZABC.</description>
  </rule>
  -->

  <!-- Specify here a list of rules to ignore. -->
  <!--
  <rule id="100030" level="0">
    <if_sid>12345, 23456, xyz, abc</if_sid>
    <description>List of rules to be ignored.</description>
  </rule>
  -->

</group> <!-- SYSLOG,LOCAL -->

<group name="squirrelmail,">

  <rule id="131100" level="0">
    <if_sid>31108</if_sid>
    <url>/webmail/src/redirect.php</url>
    <description>Squirrelmail logins grouped.</description>
  </rule>

  <rule id="131101" level="1">
    <if_sid>131100</if_sid>
    <id>^302</id>
    <description>Squirrelmail: successfull login.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="131102" level="5">
    <if_sid>131100</if_sid>
    <id>^200</id>
    <description>Squirrelmail: authentication failed.</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="131103" level="10" frequency="6" timeframe="300">
    <if_matched_sid>131102</if_matched_sid>
    <same_source_ip />
    <description>Squirrelmail brute force attack.</description>
    <group>attack, authentication_failures,</group>
  </rule>

</group> <!-- SQUIRRELMAIL -->

<!-- EOF -->

Thanks for your help.

Regards.

Borderless Consulting Group SA de CV.
Noel Alban Rivera Rivera
Head of Networks and Telecommunications
Tel. (915) 633-61-04
Nextel 62*142650*2

Please consider the environment before printing this e-mail.

---------------------------------------------------------------------------------
CONFIDENTIALITY NOTICE: This e-mail message including attachments, if any, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, use, disclosure or distribution of such confidential information without the written authorization of Borderless Consulting Group is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. By receiving this e-mail you acknowledge that any breach by you and/or your representatives of the above provisions may entitle Borderless Consulting Group to seek for damages.

-----Original Message-----
From: Aleksander Podsiadły [mailto:a...@westside.kielce.pl]
Sent: Friday, June 25, 2010 12:54 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] question

On Fri, 2010-06-25 at 12:39 -0600, Noel Rivera (Border Less) wrote:
> Aleksander, I don't have this folder in my qmail server.
>
> Regards.

This file is in: http://www.ossec.net/ :)

--
Regards,
Aleksander Podsiadły
mail: a...@westside.kielce.pl
jid: a...@jabber.westside.kielce.pl
ICQ: 201121279
gg: 9150578

---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.

To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
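
Added example (not part of the original e-mails and not OSSEC code): a simplified Python model of the squirrelmail rules 131100-131103 quoted above, run over constructed Apache access-log lines, to show which requests each rule expects. The rules test the url and id (HTTP status) fields, which come from a web server access log. The model assumes the parent rule 31108 has already matched each line, and it treats frequency/timeframe as a plain per-IP threshold, which simplifies the real engine's counting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOGIN_URL = "/webmail/src/redirect.php"  # <url> value from rule 131100
# Common/combined access-log layout (assumed): ip - - [time] "METHOD url proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

def classify(line):
    """Return (rule_id, srcip, time) for a login request, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or LOGIN_URL not in m.group(3):
        return None
    srcip, stamp, _, status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    # 302 -> 131101 (login ok), 200 -> 131102 (login failed), else only 131100
    rule = {"302": 131101, "200": 131102}.get(status, 131100)
    return rule, srcip, when

def analyze(lines, frequency=6, timeframe=300):
    """Simplified rule 131103: `frequency` failures from one IP within `timeframe` seconds."""
    alerts, failures = [], defaultdict(deque)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        rule, srcip, when = hit
        alerts.append((rule, srcip))
        if rule != 131102:
            continue
        window = failures[srcip]
        window.append(when)
        while (when - window[0]).total_seconds() > timeframe:
            window.popleft()          # forget failures older than the timeframe
        if len(window) >= frequency:
            alerts.append((131103, srcip))
            window.clear()            # start counting again after the alert
    return alerts

def sample_lines():
    """Constructed log lines: one good login, six failures, one unrelated request."""
    fmt = '{ip} - - [25/Jun/2010:16:{m:02d}:00 -0600] "{req} HTTP/1.1" {st} 512 "-" "-"'
    post = "POST " + LOGIN_URL
    lines = [fmt.format(ip="192.0.2.10", m=40, req=post, st=302)]
    lines += [fmt.format(ip="203.0.113.5", m=41 + i // 2, req=post, st=200) for i in range(6)]
    lines.append(fmt.format(ip="192.0.2.10", m=45, req="GET /webmail/src/login.php", st=200))
    return lines

if __name__ == "__main__":
    for rule, srcip in analyze(sample_lines()):
        print(rule, srcip)
```
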