[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-dev] Re: Suggested addition to default shipping syslog rules

To: ossec-dev@xxxxxxxxx
Subject: [ossec-dev] Re: Suggested addition to default shipping syslog rules
From: "Daniel Cid" <dcid@xxxxxxxxx>
Date: Fri, 15 Sep 2006 14:02:06 -0300
Cc: "Jess Bromley" <j.bromley@xxxxxxxxxxxxx>
Content-disposition: inline
Content-transfer-encoding: 7bit


Hi Jess,

Great suggestion. I just added them to CVS. Btw, do you have a few
log samples of these messages to share? Just to do a quick testing..

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/15/06, Jess Bromley <j.bromley@xxxxxxxxxxxxx> wrote:



Quick suggestion.  The useradd that ships with SuSE linux sends:

... useradd[123456]: new account added ...

instead of "new user".  It might be a good idea to add a regex for this to
rule 5902 in the default shipping syslog_rules.xml.  (I know how to do
this myself, but it seems to me important enough that it should be done
already in the default install...)

Similarly SuSE reports "account deleted" rather than "user deleted".

I'm not on the list so email me direct if you would like any further info.

J Bromley

References:
- [ossec-dev] Suggested addition to default shipping syslog rules
  - From: Jess Bromley

Prev by Date: [ossec-dev] Suggested addition to default shipping syslog rules
Next by Date: [ossec-dev] ossec-hids: exec.c (HEAD) [dcid]
Previous by thread: [ossec-dev] Suggested addition to default shipping syslog rules
Next by thread: [ossec-dev] ossec-hids: exec.c (HEAD) [dcid]
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.