Do you have alerts showing up in the alerts.log file?
> On Apr 15, 2015, at 3:49 PM, ri...@amcoonline.net wrote:
>
> Thanks @Brent. I added the logall option and temporarily removed the
> whitelist.
>
>
> yes
> root@localhost
> 127.0.0.1
> ossecm@ossec
> yes
>
>
> I'm no
Thanks @Brent. I added the logall option and temporarily removed the
whitelist.
yes
root@localhost
127.0.0.1
ossecm@ossec
yes
I'm now properly getting banned, but nothing is showing up in ossec.log.
Just in active-response.log. Is that the expected behavior? Becaus
Add that logall option right in the section and restart ossec.
On Wednesday, April 15, 2015 at 2:07:02 AM UTC-7, ri...@amcoonline.net
wrote:
>
> @brent Morris
>
> I don't have the option set on either the server or agent. Which
> section does it go in?
>
> Here is the local_rules.xml from the
@brent Morris
I don't have the option set on either the server or agent. Which
section does it go in?
Here is the local_rules.xml from the server.
5711
1.1.1.1
Example of rule that will ignore sshd
failed logins from IP 1.1.1.1.