First of all thank you for your reply.
> Did you restart OSSEC after the change? This is necessary when adding
> agents.
I installed ossec in directory /home/ossec. After adding a client, I
restarted ossec with the /home/ossec/bin/ossec-control restart command.
Result as follows:
Killing ossec-monitord
Is there any way to see what has changed in the snapshots for the Windows Agent
and the Server? I don't see any changelog with some good detail in it.
-Derek
I just tried your decoder with the rule in your original email, and no matter
where I put it, the pam event fires.
If you put the following above the pam rules you get the desired result:
^su$
The ossec-logtest application can help you debug issues like this in the future.
It's what I used t
Where do I get the ossec-logtest application and how is it used? It
isn't in the src directory when I download OSSEC from the website.
As I noted in my second mail, I wrote a decoder like this:
^su$
^\(pam_unix\)
I discovered much the same as you: the decoder has to be placed ahead
of th
The ossec-logtest application is in the source tarball, just not built by default
(hopefully that will change for server installs in the future). Check Daniel Cid's
blog entry at http://www.ossec.net/dcid/?p=136
I'm not sure why the rule would be firing in that case, haven't run into that type
of