I did some further investigation. I've just tried the same setup with 2.7.1 and its the same problem. I was going to try putting export LANG="C" in /etc/init.d/ossec but saw it was already there. I tried en_AU.UTF-8 but still not working.
I configured rsyslog on the client, to send to rsyslog on the ossec server. Now ossec-server's /var/log/secure contain Aug 13 11:14:46 579806-db1 sshd[16479]: Accepted publickey for elias from xxx.xxx.xxx.xxx port 58687 ssh2 Aug 13 11:14:46 579806-db1 sshd[16479]: pam_unix(sshd:session): session opened for user elias by (uid=0) The ossec server is checking its own files locally, so it then picks this up. The rule matches and an alert is fired. So it looks like its something to do with the agent communication. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
