[ossec-list] Different alerts for single host.

To: <ossec-list@xxxxxxxxx>

Subject: [ossec-list] Different alerts for single host.

From: "Pankaj P. Pawar" <Pankajpa@xxxxxxxxxx>

Date: Tue, 17 Apr 2007 09:05:44 +0530

Cc: "Daniel Cid" <daniel.cid@xxxxxxxxx>

Content-class: urn:content-classes:message

Thread-index: AceAoXrPfHYNg3JlRmePl44iNO/wag==

Thread-topic: Different alerts for single host.

***********************
Your mail has been scanned by InterScan.
***********-***********

Hi,

I have configured ossec on my server named as “ossec”

Although the setup works fine, I receive alerts from the server with 2 different hostnames.

I.e. I am getting the checksum and other alerts with hostname as “localhost” and alerts related to ssh such as the below from “ossec”

Received From: ossec->/var/log/messages

Rule: 5501 fired (level 3) -> "Login session opened."

Portion of the log(s):

Apr 17 05:01:01 ossec crond (pam_unix) [10674]: session opened for user root by (uid=0)

Also this alert seems to be firing even though there are no active connections to the server.

Is this some kind of a bug??

Thanks,

Pankaj P.

***********************************************************************************
This message is for the named addressees' use only. It may contain NSDL

confidential, proprietary or legally privileged information. If you receive

this message in error, please immediately delete it. You must not, directly

or indirectly, use, disclose, distribute, print, or copy any part of this message

if you are not the intended recipient.Unless otherwise stated, any commercial

information given in this message does not constitute an offer to deal on

any terms quoted. Any reference to the terms of executed transactions

should be treated as preliminary only and subject to our formal written

confirmation.
***********************************************************************************

www.ossec.net

http://www.ossec.net/en/mailing_lists.html