Hi All,

I am very new to OSSEC and I need some help with a simple issue. I need an 
example rule for the following:

I have a user that has a granular password policy applied to him. This 
policy says that this account cannot be locked out like all the other 
domain accounts. But because he is then vulnerable to password guessing, I 
need to know when an authentication attempt fails.

I cannot deploy the OSSEC agent to all domain users' machines, so I restricted 
where this user can log in. I did this via ADUC: in the user's profile I 
configured the "Log On To" setting, and it now contains only the 
computers he is allowed to log on to.

So on those computers I have the OSSEC agent running, and when there are 
multiple invalid authentication attempts of any sort on them with that 
specific user, I need to know about it.


I configured email alerts and set the global option to go nowhere because I 
don't want all the "noise"; then I want to specify only the alerts I want, 
one by one, under <email_alerts>. I got this from 
here: https://www.ryanschulze.net/archives/1666.

So it's under <email_alerts> that I want to specify the custom rule that 
will fire when this special user has a failed logon.

Please help me with building this rule.

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>127.0.0.1</smtp_server>
    <email_to>dev-null@email.domain</email_to>
    <email_from>ossec@ossec.server</email_from>
  </global>
 
  <email_alerts>
    <email_to>ossec-admins@email.domain</email_to>
    <level>7</level>
  </email_alerts>
</ossec_config>
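As an added example (not from the post above and not part of OSSEC's shipped rule set), here is one way to build the requested rule pair for local_rules.xml plus the matching email hook. It assumes a username of svc_nolockout, local rule IDs 100100 and 100101, that OSSEC's Windows eventlog decoder exposes the event ID (4625 = "An account failed to log on") in the id field, and that the event body is searchable with <match>; OSSEC's own base rule 18100 ("Group of windows rules") is used as the parent.

```xml
<!-- local_rules.xml: added example, assumed rule IDs and username -->
<group name="local,windows,">

  <!-- One failed logon (event 4625) naming the no-lockout account.
       Level 5 is recorded in alerts.log but stays below the <level>7</level>
       email threshold in the posted ossec.conf, so single typos don't email. -->
  <rule id="100100" level="5">
    <if_sid>18100</if_sid>
    <id>^4625$</id>
    <!-- "Account Name:" appears for both subject and target in 4625; the
         substring match below only succeeds when the target is our user. -->
    <match>Account Name: svc_nolockout</match>
    <description>Failed logon for no-lockout account svc_nolockout.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Three or more such failures within 5 minutes (300 s): this is the
       password-guessing signal the account's no-lockout policy hides. -->
  <rule id="100101" level="10" frequency="3" timeframe="300">
    <if_matched_sid>100100</if_matched_sid>
    <description>Multiple failed logons for svc_nolockout: possible password guessing.</description>
    <group>authentication_failures,</group>
  </rule>

</group>

<!-- ossec.conf: send only the correlated rule to the admins, regardless of
     its level, alongside the level-based block already in the post. -->
<ossec_config>
  <email_alerts>
    <email_to>ossec-admins@email.domain</email_to>
    <rule_id>100101</rule_id>
  </email_alerts>
</ossec_config>
```

After restarting OSSEC, verify the match offline with /var/ossec/bin/ossec-logtest by pasting a real 4625 line from one of the agents; the first rule should print rule 100100, and repeating the line three times within the window should raise 100101.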
