Thank you for the help.

There is no /var/ossec/etc/local_decoder.xml; do I just create it?

On Mon, Oct 1, 2012 at 10:25 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Mon, Oct 1, 2012 at 10:07 AM, thewebbie <theweb...@gmail.com> wrote:
>> Hello
>>
>>
>> I currently have Nagios monitoring SSH on my servers which produces a
>> login failure. This is picked up by OSSEC as a 1002. I have audit
>> logging to syslog via audispd. I have not been able to create a rule
>> for this and have been unsuccessful on ignoring ssh requests from my
>> Nagios/Monitoring server. Anyone have a rule or anyway to get around
>> this problem? I am getting 100's of these alerts per day. I can not
>> change the monitoring at this time.
>>
>>
>>
>> Received From: hids->/var/log/messages
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> 2012-10-01T07:59:40.429266-06:00 hids audispd: node=hids.XXXXXX.com
>> type=USER_LOGIN msg=audit(1349099980.428:16816): user pid=10188 uid=0
>> auid=4294967295 ses=4294967295 msg='op=login
>> acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=?
>> addr=XXX.XXX.XXX.XXX terminal=ssh res=failed'
>>
>>
>>
>> --
>>
>> =================
>> Matthew Feinberg
>
> I'm not sure why you were having problems, but this is a simple fix:
>
> Add to /var/ossec/etc/local_decoder.xml:
> <decoder name="audispd">
>   <program_name>audispd</program_name>
>   <regex>node=(\S+) \.+ addr=(\S+) terminal=</regex>
>   <order>extra_data,srcip</order>
> </decoder>
>
> Add to /var/ossec/rules/local_rules.xml:
>   <rule id="110005" level="3">
>     <decoded_as>audispd</decoded_as>
>     <srcip>XXX.XXX.XXX.XXX</srcip> <!-- FIX THIS -->
>     <description>Blah</description>
>   </rule>
>
> Restart OSSEC. Try again.



-- 

=================
Matthew Feinberg
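To see what the posted decoder and rule actually do before restarting OSSEC, here is an added example (not code from this thread, and not OSSEC's own implementation) that re-creates the two steps in Python: a program_name check plus the decoder regex, then the srcip whitelist rule. OSSEC's regex dialect is not PCRE: its `\.+` means "a run of any characters", which is `.+` in Python, and `\S+` keeps its usual meaning. The address 192.0.2.10 is assumed, standing in for the masked XXX.XXX.XXX.XXX; the sample log lines are constructed to match the shape of the line in the post. One detail the post does not spell out: the `acct=28756E6B...` value is audit's hex encoding of a field that contains characters it will not print raw (here a space and parentheses), and the example decodes it.

```python
import re

# Assumed address of the Nagios/monitoring server (the post masks it as XXX.XXX.XXX.XXX).
MONITOR_IP = "192.0.2.10"

# Constructed sample lines: one failed login from the monitoring server, one from
# somewhere else, and one non-audispd line the decoder must not touch.
SAMPLE_LOGS = [
    "2012-10-01T07:59:40.429266-06:00 hids audispd: node=hids.example.com "
    "type=USER_LOGIN msg=audit(1349099980.428:16816): user pid=10188 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=login "
    "acct=28756E6B6E6F776E207573657229 exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=192.0.2.10 terminal=ssh res=failed'",
    "2012-10-01T08:01:12.000000-06:00 hids audispd: node=hids.example.com "
    "type=USER_LOGIN msg=audit(1349100072.000:16901): user pid=10300 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=login acct=\"root\" "
    "exe=\"/usr/sbin/sshd\" hostname=? addr=198.51.100.7 terminal=ssh res=failed'",
    "2012-10-01T08:02:00.000000-06:00 hids sshd[1234]: Failed password for root "
    "from 192.0.2.10 port 40122 ssh2",
]

# Syslog header: timestamp, host, program name (optional [pid]), then the message.
SYSLOG_RE = re.compile(r"^\S+ (?P<host>\S+) (?P<prog>[^\s\[:]+)(\[\d+\])?: (?P<msg>.*)$")

# Python form of the posted OSSEC decoder regex "node=(\S+) \.+ addr=(\S+) terminal=".
AUDISPD_RE = re.compile(r"node=(\S+) .+ addr=(\S+) terminal=")

# audit(8) either double-quotes a field value or, if it holds characters it will
# not print raw, emits it as an unquoted hex string.
ACCT_RE = re.compile(r'acct=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def decode_audispd(line):
    """Mimic the local_decoder.xml entry: only lines whose program name is
    audispd are tried, and the two captures become extra_data and srcip.
    Returns None when the decoder does not apply."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "audispd":
        return None
    r = AUDISPD_RE.search(m.group("msg"))
    if not r:
        return None
    fields = {"decoder": "audispd", "extra_data": r.group(1), "srcip": r.group(2)}
    a = ACCT_RE.search(m.group("msg"))
    if a:
        if a.group(1) is not None:
            fields["acct"] = a.group(1)
        else:
            try:
                fields["acct"] = bytes.fromhex(a.group(2)).decode("utf-8", "replace")
            except ValueError:  # odd-length or otherwise malformed hex: keep it raw
                fields["acct"] = a.group(2)
    return fields


def match_rule(fields):
    """Mimic the posted local_rules.xml entry: rule 110005 fires only for
    audispd-decoded events whose srcip is the monitoring server. Anything
    else returns None and would fall through to the stock rules (1002 in the post)."""
    if fields and fields["decoder"] == "audispd" and fields["srcip"] == MONITOR_IP:
        return 110005
    return None


def classify(lines):
    """Run every line through decoder and rule; one rule id (or None) per line."""
    return [match_rule(decode_audispd(line)) for line in lines]


if __name__ == "__main__":
    for line, rule in zip(SAMPLE_LOGS, classify(SAMPLE_LOGS)):
        f = decode_audispd(line)
        print(rule, f and f.get("srcip"), f and f.get("acct"))
```

Running it shows the first line hitting 110005 with the hex `acct` decoded to `(unknown user)`, the second line left for the stock rules, and the sshd line never reaching the decoder. Against the real installation the equivalent check is to paste the log line into /var/ossec/bin/ossec-logtest and confirm that the audispd decoder and rule 110005 are the ones reported.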
