According to that log (unless you've removed the IP from the message instead of obscuring it) there is no recorded IP. "Mar 22 11:21:18 server sshd[4012]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)" If ossec doesn't get the IP in the log, then it will not know about the IP. What OS/distro are you using? Are there any logs surrounding the ones that set off the alerts here that might be more useful? We can create rules around those logs to do what you want, if there are.
On Mon, Mar 22, 2010 at 8:18 AM, Ozgur Ozdemircili <ozgur.ozdemirc...@gmail.com> wrote:
> Hi,
> I still seem to get the same messages:
>
> 2010 Mar 22 10:08:15 Rule Id: 5502 level: 3
> Location: (server) yyyy->/var/log/secure
> Login session closed.
> Mar 22 10:08:13 server sshd[5060]: pam_unix(sshd:session): session closed for user xxxx
>
> 2010 Mar 22 10:08:15 Rule Id: 5501 level: 3
> Location: (server) 94.125.143.164->/var/log/secure
> Login session opened.
> Mar 22 10:08:13 server sshd[5060]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)
>
> 2010 Mar 22 10:08:13 Rule Id: 5502 level: 3
> Location: (server) yyyy->/var/log/secure
> Login session closed.
> Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session closed for user xxxx
>
> 2010 Mar 22 10:08:13 Rule Id: 5501 level: 3
> Location: (server) yyyy->/var/log/secure
> Login session opened.
> Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)
>
> I need somehow not to receive alerts if the user xxx is connecting from ip yyyy.
> Can be done?
>
> Just an update. Now looking at the alert.log I have seen that Src ip is not written. We are using public key auth to connect to servers; is there any reason for src ip not to be written to alert log?
>
> ** Alert 1269253279.90719: - pam,syslog,authentication_success,
> 2010 Mar 22 11:21:19 (server) yyyy->/var/log/secure
> Rule: 5501 (level 3) -> 'Login session opened.'
> Src IP: (none)
> User: (none)
> Mar 22 11:21:18 server sshd[4012]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)
>
> Thanks
>
> Özgür Özdemircili
> http://www.acikkod.org
> Code so clean you could eat off it
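The reply's point, that OSSEC can only fill in Src IP with what the log line itself carries, can be shown with a short simulation. The Python below is an added example and is not OSSEC code nor code from either poster: its regexes are hypothetical stand-ins for OSSEC's sshd and pam decoders, the `Accepted publickey` lines, the sshd PID 5100 and the 192.0.2.10 / 198.51.100.7 addresses are constructed sample data, and `evaluate()` is a toy rule engine. It decodes the pam_unix `session opened` line (which has no IP, so a user+IP allow-list can never match it directly) next to the sshd `Accepted publickey ... from <ip>` line that the same sshd process writes just before it, which does carry the IP, and shows that the user/IP pair the original poster wants to suppress is recoverable from that line, either by tuning on it directly or by correlating the two lines on the sshd PID.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines. The pam_unix lines mirror the ones quoted in the thread;
# the "Accepted publickey" lines, PID 5100 and the 192.0.2.10 / 198.51.100.7
# addresses (RFC 5737 documentation ranges) are made up for this example.
SAMPLE_LOG: List[str] = [
    "Mar 22 10:08:10 server sshd[5034]: Accepted publickey for xxxx from 192.0.2.10 port 51234 ssh2",
    "Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)",
    "Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session closed for user xxxx",
    "Mar 22 10:09:01 server sshd[5100]: Accepted publickey for other from 198.51.100.7 port 40000 ssh2",
    "Mar 22 10:09:02 server sshd[5100]: pam_unix(sshd:session): session opened for user other by (uid=0)",
]

# Hypothetical decoders, modelled on the fields OSSEC's sshd and pam decoders extract.
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted \S+ for (?P<user>\S+) from (?P<srcip>\S+) port"
)
PAM_SESSION_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session (?P<action>opened|closed) for user (?P<user>\S+)"
)


def decode(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Pull event, pid, user and srcip out of one syslog line.

    srcip is None for the pam_unix lines: the field simply is not present in
    that message, so no decoder can recover it from the line alone.
    """
    m = ACCEPTED_RE.search(line)
    if m:
        return {"event": "auth_success", "pid": m["pid"], "user": m["user"], "srcip": m["srcip"]}
    m = PAM_SESSION_RE.search(line)
    if m:
        return {"event": "session_" + m["action"], "pid": m["pid"], "user": m["user"], "srcip": None}
    return None


def evaluate(lines: List[str], allowed: Set[Tuple[str, str]]) -> List[Dict[str, Optional[object]]]:
    """Build one alert per decoded line and decide whether a (user, srcip) allow-list suppresses it.

    'direct' is what a single-event rule can decide from the fields on that line only;
    'correlated' additionally borrows srcip from the sshd 'Accepted' line that shares
    the same sshd PID, which is how the missing field can be filled in (toy logic,
    not how OSSEC rules work).
    """
    ip_by_pid: Dict[str, str] = {}
    alerts: List[Dict[str, Optional[object]]] = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        if ev["event"] == "auth_success":
            ip_by_pid[ev["pid"]] = ev["srcip"]
        srcip = ev["srcip"] or ip_by_pid.get(ev["pid"])
        alerts.append({
            "event": ev["event"],
            "user": ev["user"],
            "srcip": srcip,
            "direct": (ev["user"], ev["srcip"]) in allowed,
            "correlated": (ev["user"], srcip) in allowed,
        })
    return alerts


if __name__ == "__main__":
    # Suppress the constructed user/IP pair that stands in for "xxx from yyyy" in the thread.
    for alert in evaluate(SAMPLE_LOG, {("xxxx", "192.0.2.10")}):
        print(alert)
```

Running it shows the `session opened` alert for xxxx is never suppressed by the direct check (its srcip is None, exactly what the poster's alert log reports as `Src IP: (none)`), while the `Accepted publickey` alert for the same login is, and the PID correlation carries that IP over to the pam_unix events. In OSSEC terms the practical lesson is the same as the reply's: build the user/IP exception on the sshd authentication-success line that contains `from <ip>`, not on rule 5501, whose source event has no address to match; the PID correlation here is the example's own construction.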