Re: [ossec-list] Re: syslog analysis Garbage characters

2013-01-22 Thread root
Yes, I think this is a Unicode issue, but when I use the agent on Windows there is no such issue; when I use Windows event->syslog, that is when it happens. Thanks & best regards From: George Ehrhorn Date: 2013-01-22 19:59 To: ossec-list Subjec

Re: [ossec-list] More detailed parsing of sudo

2013-01-22 Thread Stephane Rossan
On Tue, Jan 22, 2013 at 2:34 PM, Phil Cox wrote:
> Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash
Phil, You could write a new rule in your local_rules.xml, like the following: 5400 COMMAND=/bin/bash sudo shell execution
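The rule sketched in the reply above, written out as a complete local_rules.xml fragment. This is an added example, not the list poster's or the OSSEC project's own rule; the rule id 100010, the level 10, the group names and the comment are assumptions (local rule ids must be 100000 or higher), while the parent rule 5400 and the match string come from the reply.

```xml
<!-- Added example: alert on any sudo invocation whose COMMAND is /bin/bash.
     Assumed values: rule id 100010, level 10, group names.
     5400 is the parent of OSSEC's sudo rules, as referenced in the reply. -->
<group name="local,syslog,sudo,">
  <rule id="100010" level="10">
    <!-- Only evaluated for events already matched by the sudo rule 5400,
         so the sudo decoder has already parsed the line. -->
    <if_sid>5400</if_sid>
    <!-- <match> is a substring match, so this also fires on
         "COMMAND=/bin/bash -c ..." and "COMMAND=/bin/bash -l". -->
    <match>COMMAND=/bin/bash</match>
    <description>sudo shell execution</description>
    <group>privilege_escalation,</group>
  </rule>
</group>
```

Restart ossec after editing local_rules.xml, then feed the sample line from the question through ossec-logtest to confirm that rule 100010 fires and that the decoded fields (user, TTY, command) look as expected. Because the match is a substring, tightening it with `<regex>` is the way to go if other shells or full paths such as /usr/bin/bash need to be covered or excluded.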

[ossec-list] ossec agent and bandwidth issue

2013-01-22 Thread Nadeem Khan
I have an issue with OSSEC server/client version 2.5.1, where I have 50+ OSSEC agents running in one location trying to connect to the OSSEC server over a 10 Mb WAN connection. The WAN link is 100% utilized and the network comes to a halt; if I look at the logs, most of the connections are coming from ossec

[ossec-list] More detailed parsing of sudo

2013-01-22 Thread Phil Cox
All, Probably a simple answer, but not for me. I want an alert to fire any time there is a sudo operation with the COMMAND being a shell (/bin/bash in this instance).
Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash
Any pointers? I am new

[ossec-list] Re: syslog analysis Garbage characters

2013-01-22 Thread George Ehrhorn
Unicode issue? Sorry, I don't have any experience using this with foreign language support. -George On Tuesday, January 22, 2013 2:10:13 AM UTC-5, root wrote: > > hi,all > > this is my ossec mail alert > > > OSSEC HIDS Notification. > 2013 Jan 18 05:30:32 > > Received From: REC-01->/var/l

[ossec-list] about this decoder

2013-01-22 Thread root
Hi all, I wrote a decoder like this: Security-Auditing-failure (计算机试图验证帐户的凭据) srcip, but when I test this log: Jan 22 11:49:13 QAD2008PDC Security-Auditing: 4776: 计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: huihui.hou 源工作站: QS-HOUHUIHUI 错误代码: 0x0 that