Forgot to mention that DNS has no issue at all.

On Aug 30, 2013 9:36 PM, "sandeep dubey" <sandeep.san...@gmail.com> wrote:
> Thanks for the reply dan.
> This issue was observed on both server and all agents.
> On Aug 30, 2013 9:30 PM, "dan (ddp)" <ddp...@gmail.com> wrote:
>
>> On Fri, Aug 30, 2013 at 3:41 AM, sandeep dubey <sandeep.san...@gmail.com> wrote:
>> > Hi All,
>> >
>> > Recently, I faced a strange issue with my setup, where ssh login was taking
>> > around 11-12 min for each attempt. I segregated this issue in two parts -
>> >
>> > 1. I was able to login to system using ssh, but not able to perform any
>> > single command on terminal. But after 10-15 min, it becomes normal and able
>> > to do all the tasks.
>> >
>> > 2. Server was throwing "Connection Timeout" error, or it accepts the
>> > key/password on target server (as per auth.log) but session was given after
>> > 10-15 min.
>> >
>> > All the above issues were solved by making one recent change in OSSEC, and that is
>> > disabling the ssh rule id 5715.
>> >
>> > What I did with OSSEC earlier?
>> > I wanted to log the successful ssh attempt so I changed the level for rule
>> > 5715 to 7 from 3 and restarted ossec service. It worked as expected, but
>> > after a couple of hours I started facing the above issue.
>> >
>> > My setup details -
>> > Host OS = Ubuntu 10.04
>> > OSSEC = 2.7
>> > Server / Client setup
>> > AR enabled.
>> > AWS EC2 instances
>> >
>>
>> Was this problem seen on the server or an agent? Was DNS working properly?
>>
>> > I have two questions -
>> >
>> > 1. I didn't understand how this change affects the SSH login.
>> >
>>
>> Neither do I.
>>
>> > 2. Is there a way that I can get alerts at a specific level but can log all
>> > levels starting from level 3?
>> > For example - I want to get email alerts at above level 7, but log all
>> > alerts starting from level 3.
>> >
>>
>> Yes, configure ossec to email level 7, and log level 3.
>>
>> http://www.ossec.net/doc/syntax/head_ossec_config.alerts.html#element-alerts
>>
>> > Thanks
>> > Sandeep
>> >
>> > --
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
>> > For more options, visit https://groups.google.com/groups/opt_out.
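
The split suggested in the reply above (log from level 3, email from level 7), written out as an `<alerts>` block for `ossec.conf` on the OSSEC server. This is an added example, not part of the original thread; it assumes rule 5715 is left at level 3, the level it had before the change described in the thread, and that the rest of `ossec.conf` is unchanged.

```xml
<!-- Added example: goes inside the existing <ossec_config> on the OSSEC server. -->
<ossec_config>
  <alerts>
    <!-- Every alert at level 3 or higher is written to the alert log,
         so a level-3 rule such as 5715 is recorded without raising
         its level. -->
    <log_alert_level>3</log_alert_level>

    <!-- Only alerts at level 7 or higher generate an email, so the
         level-3 entries stay in the log and out of the inbox. -->
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

Restart the OSSEC service after editing so the new thresholds are read.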