Hello Dan,

I made the change as suggested in the document. Below is the config sample. But now I am getting alerts starting from level 3, which was not my intention. After making changes in ossec.conf I restarted the service on the server.

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>alt1.aspmx.l.google.com.</smtp_server>
    <email_from>oss...@xxx.xxx.org</email_from>
    <email_maxperhour>3</email_maxperhour>
    <logall>yes</logall>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

Am I missing something here?

On Fri, Aug 30, 2013 at 9:28 PM, dan (ddp) <ddp...@gmail.com> wrote:

> On Fri, Aug 30, 2013 at 3:41 AM, sandeep dubey <sandeep.san...@gmail.com> wrote:
> > Hi All,
> >
> > Recently, I faced a strange issue with my setup, where ssh login was taking
> > around 11-12 min for each attempt. I segregated this issue in two parts -
> >
> > 1. I was able to login to system using ssh, but not able to perform any
> > single command on terminal. But after 10-15 min, it becomes normal and able
> > to do all the tasks.
> >
> > 2. Server was throwing "Connection Timeout" error, or it accepts the
> > key/password on target server (as per auth.log) but session was given after
> > 10-15 min.
> >
> > All the above issues were solved by making one recent change in OSSEC, and
> > that is disabling the ssh rule id 5715.
> >
> > What did I do with OSSEC earlier?
> > I wanted to log the successful ssh attempt so I changed the level for rule
> > 5715 to 7 from 3 and restarted ossec service. It worked as expected, but
> > after a couple of hours I started facing the above issue.
> >
> > My setup details -
> > Host OS = Ubuntu 10.04
> > OSSEC = 2.7
> > Server / Client setup
> > AR enabled.
> > AWS EC2 instances
> >
>
> Was this problem seen on the server or an agent? Was DNS working properly?
>
> > I have two questions -
> >
> > 1. I didn't understand how this change affects the SSH login.
> >
>
> Neither do I.
>
> > 2. Is there a way that I can get alerts at a specific level but can log all
> > levels starting from level 3?
> > For example - I want to get email alerts at above level 7, but log all
> > alerts starting from level 3.
> >
>
> Yes, configure ossec to email level 7, and log level 3.
>
> http://www.ossec.net/doc/syntax/head_ossec_config.alerts.html#element-alerts
>
> > Thanks
> > Sandeep
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+unsubscr...@googlegroups.com.
> > For more options, visit https://groups.google.com/groups/opt_out.
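
Added example, not part of the original thread and not OSSEC project code: a Python sketch of how the `<alerts>` thresholds discussed above decide which rules are logged and which are e-mailed, extended to the per-rule `<options>` values `alert_by_email`, `no_email_alert` and `no_log` from the OSSEC rules syntax. The rules file is a constructed, stripped-down sample (IDs 100010-100012 are hypothetical) and `alert_routing` is a name chosen here; it models the documented behaviour, not ossec-analysisd itself, and ignores `email_maxperhour` grouping.

```python
import xml.etree.ElementTree as ET

# The <alerts> thresholds from the message above.
OSSEC_CONF = """<ossec_config><alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>7</email_alert_level>
</alerts></ossec_config>"""

# Constructed rules file (not OSSEC's shipped rules, matching fields omitted):
# the 5715 override the thread describes, plus hypothetical rules
# 100010-100012 to show the effect of <options>.
LOCAL_RULES = """<group name="local,">
  <rule id="5715" level="7" overwrite="yes">
    <description>SSH login success, raised from level 3</description>
  </rule>
  <rule id="100010" level="4">
    <options>alert_by_email</options>
    <description>low level, e-mail forced</description>
  </rule>
  <rule id="100011" level="9">
    <options>no_email_alert</options>
    <description>high level, e-mail suppressed</description>
  </rule>
  <rule id="100012" level="2">
    <description>below both thresholds</description>
  </rule>
</group>"""


def alert_routing(conf_xml, rules_xml):
    """Return {rule_id: (logged, emailed)} for each rule in rules_xml."""
    alerts = ET.fromstring(conf_xml).find("alerts")
    log_min = int(alerts.findtext("log_alert_level"))
    mail_min = int(alerts.findtext("email_alert_level"))
    routing = {}
    for rule in ET.fromstring(rules_xml).iter("rule"):
        level = int(rule.get("level"))
        opts = {(o.text or "").strip() for o in rule.findall("options")}
        # Thresholds set the default; per-rule options then override it.
        logged = level >= log_min and "no_log" not in opts
        emailed = (level >= mail_min or "alert_by_email" in opts) \
            and "no_email_alert" not in opts
        routing[rule.get("id")] = (logged, emailed)
    return routing


if __name__ == "__main__":
    for rule_id, (logged, emailed) in alert_routing(OSSEC_CONF, LOCAL_RULES).items():
        print(f"rule {rule_id}: logged={logged} emailed={emailed}")
```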