In your alerts file, grep for his IP address and it will tell you what
alerts were triggered.  If the log has been rotated you will need to
use zgrep.

On Tue, Jan 24, 2012 at 11:20, jeff jennings <[email protected]> wrote:
> A fellow who works for me remotely called me this morning and said he was
> accessing one of our servers via ssh and the connection dropped.
>
> so I looked in the ossec active-response.log file and saw he had been
> blocked.
>
> here are his lines.
>
> can someone tell me why he was blocked?
>
> Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/host-deny.sh add
> - 273.9.66.246 1327412771.231959 31106
> Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh
> add - 273.9.66.246 1327412771.231959 31106
> Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/host-deny.sh
> delete - 273.9.66.246 1327412771.231959 31106
> Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh
> delete - 273.9.66.246 1327412771.231959 31106
>
> thanks in advance
>



-- 
Registered Linux User # 379282
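The lookup described in the reply above, written out as a small shell script. This is an added example, not code from the thread or from the OSSEC project. It assumes the stock OSSEC layout (alerts in /var/ossec/logs/alerts/alerts.log, rotated copies named alerts.log.N.gz), the standard alerts.log format (alerts separated by a blank line, each starting with "** Alert <id>:" and carrying a "Rule: <id> (level N) -> '...'" line), and that the two trailing fields of an active-response.log line are the alert id and rule id the response was fired for, which is what the stock scripts receive as arguments. The sample log directory it builds is constructed data with addresses from the 198.51.100.0/24 documentation range; the rule numbers and descriptions in it are illustrative only.

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC): pull the alerts behind an
# active-response block out of alerts.log and its rotated .gz copies.
# Assumed layout: DIR/alerts.log plus DIR/alerts.log.N.gz (logrotate style).

# Stream every alerts file in DIR, decompressing rotated copies (the part the
# reply does with zgrep). A blank line is appended after each file so the
# last alert of one file cannot merge with the first alert of the next.
_ossec_cat_alerts() {
    dir="$1"
    for f in "$dir"/alerts.log "$dir"/alerts.log*.gz; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
        printf '\n'
    done
}

# ossec_alerts_for_ip IP DIR: print each alert block that mentions IP as a
# whole token, so 10.0.0.1 does not also match 10.0.0.10 the way a plain
# grep for the address would.
ossec_alerts_for_ip() {
    _ossec_cat_alerts "$2" | awk -v ip="$1" '
        BEGIN { RS = ""; ORS = "\n\n" }   # paragraph mode: one alert per record
        {
            n = split($0, tok, /[^0-9.]+/)
            for (i = 1; i <= n; i++) if (tok[i] == ip) { print; break }
        }'
}

# ossec_alert_by_id ALERT_ID DIR: active-response.log records the alert id
# (the 1327412771.231959-style field) that triggered the block; look the
# alert up directly by that id.
ossec_alert_by_id() {
    _ossec_cat_alerts "$2" | awk -v id="$1" '
        BEGIN { RS = ""; ORS = "\n\n" }
        index($0, "** Alert " id ":") == 1'
}

# ossec_rules_for_ip IP DIR: one line per distinct rule that fired for IP,
# as "<count> <rule> level=<level> '<description>'", most frequent first.
ossec_rules_for_ip() {
    ossec_alerts_for_ip "$1" "$2" \
        | sed -n 's/^Rule: \([0-9]*\) (level \([0-9]*\)) -> \(.*\)$/\1 level=\2 \3/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Build a constructed sample log directory and print its path. Addresses are
# from the documentation range; rule numbers and texts are illustrative.
make_sample_alert_dir() {
    d="$(mktemp -d)"
    cat > "$d/alerts.log" <<'EOF'
** Alert 1327412771.231959: - syslog,sshd,authentication_failures,
2012 Jan 24 10:39:26 server1->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 198.51.100.23
Jan 24 10:39:25 server1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2

** Alert 1327412800.240111: - syslog,sshd,
2012 Jan 24 10:40:00 server1->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 198.51.100.230
Jan 24 10:39:59 server1 sshd[2210]: Accepted publickey for jeff from 198.51.100.230 port 50130 ssh2

EOF
    # A rotated copy from earlier in the day, compressed as logrotate leaves it.
    printf '%s\n' \
        "** Alert 1327409000.100001: - syslog,sshd,authentication_failed," \
        "2012 Jan 24 09:36:40 server1->/var/log/secure" \
        "Rule: 5716 (level 5) -> 'SSHD authentication failed.'" \
        "Src IP: 198.51.100.23" \
        "Jan 24 09:36:39 server1 sshd[1999]: Failed password for jeff from 198.51.100.23 port 50100 ssh2" \
        "" | gzip -c > "$d/alerts.log.1.gz"
    printf '%s\n' "$d"
}

# Usage on a real install:  sh thisscript.sh 203.0.113.9 /var/ossec/logs/alerts
if [ "$#" -eq 2 ]; then ossec_rules_for_ip "$1" "$2"; fi
```

Start with `ossec_alert_by_id` using the id from the active-response.log line, since that names the exact alert that fired the block; `ossec_rules_for_ip` then shows whether the same host tripped other rules before or after. The token match in `ossec_alerts_for_ip` is the one deliberate difference from a bare grep: an address that is a prefix of another address on the same network would otherwise pull in a neighbour's alerts.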
