OSSEC doesn't send messages about system audit events. But I can see the events when I run 'rootcheck_control -i XXX'. And there are no records about those events in the alert.log file. It worked before; I received the email about system audit events from OSSEC. I don't know why it doesn't work now.

On Wednesday, December 12, 2012, 1:56:26 UTC+4, user dan (ddpbsd) wrote:
>
> On Mon, Dec 10, 2012 at 10:12 AM, orfan <a.ul...@gmail.com> wrote:
> > I have ossec-hids-server-2.6_2.
> >
> > <rule id="509" level="0">
> >   <category>ossec</category>
> >   <decoded_as>rootcheck</decoded_as>
> >   <description>Rootcheck event.</description>
> >   <group>rootcheck,</group>
> > </rule>
> >
> > Decoded as "rootcheck", but I can't find the rootcheck decoder in decoder.xml.
> > Is it normal?
>
> I believe that decoder is actually coded inside of rootcheck for speed reasons.