[ossec-list] Re: AIX 5.3 sshd logins and sudo
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: AIX 5.3 sshd logins and sudo
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Thu, 11 Oct 2007 20:01:16 -0300
Hi Nerijus (and Carlos),
I made some changes to the pre-decoders within ossec to support the syslog format from AIX. If you can, try it out from:
http://www.ossec.net/files/snapshots/ossec-hids-071011.tar.gz
It should parse all these messages properly.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/11/07, Nerijus Krukauskas <nkrukauskas@xxxxxxxxx> wrote:
>
> Hi,
>
> On 11/10/2007, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
> > We expect:
> > Oct 9 09:50:40 MACHINE sshd[229596]: Accepted password for USER from
> > 172.29.14.41 port 55839 ssh2
> >
> > While you have:
> > Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted
> > password for USER from 172.29.14.41 port 55839 ssh2
> >
> >
> > Is this something special to your AIX config? Can you change it to the
> > standard format?
> > Any other AIX user in here with more information on this?
>
> Yep. AIX 5.3 that I am testing ossec on generates this:
> Oct 11 08:05:46 <machine> auth|security:info sshd[323808]: Accepted
> publickey for <user> from <host> port 37909 ssh2
>
> --
> http://nk99.org/
>
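The difference the thread turns on is the extra `auth|security:info` token that AIX 5.3 syslog inserts between the hostname and the program name; a pre-decoder anchored on `hostname program[pid]:` never reaches the sshd message, so no sshd rule fires and the successful login is invisible to the HIDS. The following Python is an added illustration, not OSSEC's pre-decoder (which is C, and whose actual change is in the snapshot tarball rather than on this page). It treats the AIX facility/priority token as optional so that the standard and AIX headers decode to the same sshd fields; the sample lines are constructed from the two messages quoted in the thread, with a made-up host, user and address in the third.

```python
import re

# Constructed sample lines modelled on the two formats quoted in the thread:
# the standard syslog header OSSEC expected, and the AIX 5.3 header that
# carries an extra "facility|facility:priority" token before the program name.
STANDARD_LINE = (
    "Oct  9 09:50:40 MACHINE sshd[229596]: "
    "Accepted password for USER from 172.29.14.41 port 55839 ssh2"
)
AIX_LINE = (
    "Oct  9 09:50:40 MACHINE auth|security:info sshd[229596]: "
    "Accepted password for USER from 172.29.14.41 port 55839 ssh2"
)
# Hostname, user and address below are invented for the example.
AIX_PUBKEY_LINE = (
    "Oct 11 08:05:46 aixhost auth|security:info sshd[323808]: "
    "Accepted publickey for alice from 10.1.2.3 port 37909 ssh2"
)

SYSLOG_HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<hostname>\S+)\s+"
    # Optional AIX token: facilities joined by "|", a colon, then a priority word.
    # On a standard line this group fails to match and is skipped, so the
    # program name is found in the same position either way.
    r"(?:(?P<facility>[A-Za-z0-9]+(?:\|[A-Za-z0-9]+)*):(?P<priority>[a-z]+)\s+)?"
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?P<message>.*)$"
)

# The sshd message body that both quoted lines carry after the header.
SSHD_ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<srcip>\S+) port (?P<srcport>\d+)"
)


def predecode(line):
    """Split the syslog header off a line; None if the header is unrecognised."""
    m = SYSLOG_HEADER_RE.match(line)
    return m.groupdict() if m else None


def decode_sshd_accepted(line):
    """Return the fields a login rule would match on, or None if not an sshd login."""
    header = predecode(line)
    if header is None or header["program"] != "sshd":
        return None
    m = SSHD_ACCEPTED_RE.match(header["message"])
    if m is None:
        return None
    fields = m.groupdict()
    fields["hostname"] = header["hostname"]
    fields["pid"] = header["pid"]
    return fields


if __name__ == "__main__":
    for line in (STANDARD_LINE, AIX_LINE, AIX_PUBKEY_LINE):
        print(decode_sshd_accepted(line))
```

The check worth keeping from this is the second assertion below: a pre-decoder change like the one Daniel describes should yield identical decoded fields for the standard line and its AIX twin, which is what lets the existing sshd rules apply to AIX hosts without rewriting them.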
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.