I had a client call in today and say they couldn't access the server, and the first thing I thought of was that they got shunned by OSSEC. Looking through the logs, I do see that they got blocked, but I was wondering what the lines in the log file mean and how to use this to trace down to the reason why they were blocked without having to grep through every access_log or security audit file. Eventually I did find it by doing a grep through the audit logs, but I was wondering if there is an easier way to find this out using the data in this log file.
Mon Jun 17 07:30:36 PDT 2013 /var/ossec/active-response/bin/asl-shun.pl add - xx.xx.xx.xx 1371479436.3327886 60118
Mon Jun 17 07:30:36 PDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.xx.xx 1371479436.3327886 60118
Mon Jun 17 08:19:16 PDT 2013 /var/ossec/active-response/bin/asl-shun.pl delete - xx.xx.xx.xx 1371479436.3327886 60118
Mon Jun 17 08:19:16 PDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - xx.xx.xx.xx 1371479436.3327886 60118
Mon Jun 17 08:34:05 PDT 2013 /var/ossec/active-response/bin/asl-shun.pl add - xx.xx.xx.xx 1371483245.3777287 60118
Mon Jun 17 08:34:05 PDT 2013 /var/ossec/active-response/bin/host-deny.sh add - xx.xx.xx.xx 1371483245.3777287 60118
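The fields in those lines, and how to get from them to the alert that caused the block, as an added example (this is not code from the post or from the OSSEC project). The script assumes the layout OSSEC writes to active-responses.log, which is the same order the active-response scripts receive their arguments: date, script, `add`/`delete`, user, source IP, alert id, rule id. The alert id is `<epoch seconds>.<offset>` and is the same string alerts.log prints in its `** Alert <id>:` header, so the join needs no grepping through access or audit logs. The sample log contents, the hostname web01, the TEST-NET address 203.0.113.45 and the description given to rule 60118 are constructed for the example, not taken from the poster's system.

```python
"""Decode OSSEC active-responses.log lines and join each block to its alerts.log entry.
Added example, not from the post or the OSSEC project. Assumed field layout (same order
host-deny.sh receives its arguments): <date> <script> <add|delete> <user> <srcip>
<alert_id> <rule_id>; alert_id is <epoch>.<offset>, printed in alerts.log as "** Alert <id>:".
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional

# Constructed sample modelled on the post's lines, masked IP replaced by a TEST-NET address.
ACTIVE_RESPONSE_LOG = """\
Mon Jun 17 07:30:36 PDT 2013 /var/ossec/active-response/bin/asl-shun.pl add - 203.0.113.45 1371479436.3327886 60118
Mon Jun 17 07:30:36 PDT 2013 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.45 1371479436.3327886 60118
Mon Jun 17 08:19:16 PDT 2013 /var/ossec/active-response/bin/asl-shun.pl delete - 203.0.113.45 1371479436.3327886 60118
Mon Jun 17 08:19:16 PDT 2013 /var/ossec/active-response/bin/host-deny.sh delete - 203.0.113.45 1371479436.3327886 60118
Mon Jun 17 08:34:05 PDT 2013 /var/ossec/active-response/bin/asl-shun.pl add - 203.0.113.45 1371483245.3777287 60118
Mon Jun 17 08:34:05 PDT 2013 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.45 1371483245.3777287 60118
"""
# Constructed alerts.log sample; host web01 and the text of rule 60118 are invented.
ALERTS_LOG = """\
** Alert 1371479436.3327886: - syslog,sshd,authentication_failures,
2013 Jun 17 07:30:36 web01->/var/log/secure
Rule: 60118 (level 10) -> 'Constructed rule: repeated auth failures from one source'
Src IP: 203.0.113.45
Jun 17 07:30:36 web01 sshd[1207]: Failed password for admin from 203.0.113.45 port 52011 ssh2

** Alert 1371483245.3777287: - syslog,sshd,authentication_failures,
2013 Jun 17 08:34:05 web01->/var/log/secure
Rule: 60118 (level 10) -> 'Constructed rule: repeated auth failures from one source'
Src IP: 203.0.113.45
Jun 17 08:34:05 web01 sshd[1455]: Failed password for admin from 203.0.113.45 port 52388 ssh2
"""

AR_RE = re.compile(r"^(?P<date>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ \d{4}) (?P<script>\S+) "
                   r"(?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) (?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)$")
ALERT_HDR_RE = re.compile(r"^\*\* Alert (?P<alert_id>\d+\.\d+):")
LOCATION_RE = re.compile(r"^\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d \S+->")  # "2013 Jun 17 ... host->file"
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level \d+\) -> '(?P<desc>.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (?P<srcip>\S+)$")
ARAction = NamedTuple("ARAction", [("date", str), ("script", str), ("action", str), ("user", str),
                                   ("srcip", str), ("alert_id", str), ("rule_id", str)])
Alert = NamedTuple("Alert", [("alert_id", str), ("rule_id", str), ("description", str),
                             ("srcip", Optional[str]), ("events", List[str])])

def parse_active_response(text: str) -> List[ARAction]:
    matches = (AR_RE.match(line.strip()) for line in text.splitlines())
    return [ARAction(**m.groupdict()) for m in matches if m]

def parse_alerts(text: str) -> Dict[str, Alert]:
    """Index alerts.log blocks (separated by blank lines) by alert id."""
    alerts: Dict[str, Alert] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        hdr = ALERT_HDR_RE.match(lines[0])
        if not hdr:
            continue
        rule_id, desc, srcip, events = "", "", None, []
        for line in lines[1:]:
            if (m := RULE_RE.match(line)):
                rule_id, desc = m["rule_id"], m["desc"]
            elif (m := SRCIP_RE.match(line)):
                srcip = m["srcip"]
            elif not (LOCATION_RE.match(line) or line.startswith("User: ")):
                events.append(line)  # everything that is not OSSEC metadata is a raw event
        alerts[hdr["alert_id"]] = Alert(hdr["alert_id"], rule_id, desc, srcip, events)
    return alerts

def alert_utc(alert_id: str) -> str:
    """The integer part of the alert id is the Unix time the alert was generated."""
    epoch = int(alert_id.split(".")[0])
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def local_time(stamp: str) -> datetime:
    p = stamp.split()  # drop the zone token: strptime's %Z only knows the host's own zone names
    return datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")

def trace_shuns(entries: List[ARAction], alerts: Dict[str, Alert]) -> List[dict]:
    """One record per block: scripts run, seconds until the matching 'delete' (the timeout
    expiry, not a new alert), and the alert that triggered it, cross-checked on rule and IP."""
    report: Dict[str, dict] = {}
    for e in entries:
        if e.action == "add":
            r = report.setdefault(e.alert_id, {
                "alert_id": e.alert_id, "srcip": e.srcip, "rule_id": e.rule_id, "blocked_at": e.date,
                "alert_utc": alert_utc(e.alert_id), "scripts": [], "blocked_for_seconds": None,
                "alert_found": False, "rule_consistent": False, "description": None, "events": []})
            name = e.script.rsplit("/", 1)[-1]
            if name not in r["scripts"]:
                r["scripts"].append(name)
        elif e.action == "delete" and e.alert_id in report:
            r = report[e.alert_id]
            r["blocked_for_seconds"] = int((local_time(e.date) - local_time(r["blocked_at"])).total_seconds())
    for r in report.values():
        a = alerts.get(r["alert_id"])
        if a:
            r.update(alert_found=True, description=a.description, events=a.events,
                     rule_consistent=(a.rule_id == r["rule_id"] and a.srcip == r["srcip"]))
    return list(report.values())

if __name__ == "__main__":
    for r in trace_shuns(parse_active_response(ACTIVE_RESPONSE_LOG), parse_alerts(ALERTS_LOG)):
        print(f"{r['blocked_at']}: {r['srcip']} blocked by {', '.join(r['scripts'])} for alert "
              f"{r['alert_id']} ({r['alert_utc']}, rule {r['rule_id']}, released after {r['blocked_for_seconds']} s)")
        for ev in r["events"]:
            print("  caused by:", ev)
```

Two things the report makes visible that the raw lines do not: the `delete` entries share the alert id of the `add` they undo, so they are the timeout expiring rather than a second detection, and the epoch prefix of the alert id (1371479436 is 14:30:36 UTC, i.e. 07:30:36 PDT) tells you which day's file to open when the alert has already been rotated out of alerts.log into /var/ossec/logs/alerts/YYYY/Mon/ossec-alerts-DD.log. The manual equivalent for a single block is `grep -A 10 '** Alert 1371479436.3327886' /var/ossec/logs/alerts/alerts.log`; the second `add` at 08:34:05 has no `delete` yet, which is why the client was still locked out.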