Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-12-01 Thread Daniel Bray
On Tuesday, December 1, 2015 at 9:38:30 AM UTC-5, Daniel Bray wrote: > > On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote: > >> >> Is this the only rule in your local_rules.xml that isn't working, or are >> all rules in your local_rules.xml not working? >> >> > So far, this is the only rule

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-12-01 Thread Daniel Bray
On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote: > > Is this the only rule in your local_rules.xml that isn't working, or are > all rules in your local_rules.xml not working? > > So far, this is the only rule that I just can't seem to stop emailing. I have other rules, and

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread dan (ddp)
On Mon, Nov 30, 2015 at 9:59 AM, Daniel Bray wrote: > On Friday, November 27, 2015 at 8:16:39 AM UTC-5, dan (ddpbsd) wrote: >> >> And strangely enough, this works just fine for me (ignored when fed >> through logger). >> >> Can you update to the latest OSSEC source from github

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Daniel Bray
On Friday, November 27, 2015 at 8:16:39 AM UTC-5, dan (ddpbsd) wrote: > > And strangely enough, this works just fine for me (ignored when fed > through logger). > > Can you update to the latest OSSEC source from github and try that? > Updated to latest github update, and issue remains. Logtest

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Daniel Bray
On Mon, Nov 30, 2015 at 11:26 AM, dan (ddp) wrote: > > > Last idea at the moment: > Copy archives.log. Open the copy in a text editor. Find an entry you > want to test against and delete everything else. > Delete the archives.log header from your chosen entry. > Run that through

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Ryan Schulze
On 11/30/2015 12:21 PM, Daniel Bray wrote: On Mon, Nov 30, 2015 at 11:26 AM, dan (ddp) > wrote: Last idea at the moment: Copy archives.log. Open the copy in a text editor. Find an entry you want to test against and delete everything else.

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-27 Thread dan (ddp)
On Wed, Nov 25, 2015 at 2:19 PM, Daniel Bray wrote: > On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote: >> >> On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for >> rule 1002, right there towards the top. Note the options element,

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread Daniel Bray
On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote: > > On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for > rule 1002, right there towards the top. Note the options element, which > contains alert_by_email. That option tells OSSEC to ignore your >

RE: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread lostinthetubez
On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote: On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for rule 1002, right there towards the top. Note the options element,

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread Daniel Bray

RE: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread lostinthetubez
Thank you Pedro. I've actually taken a step back from this, and I'm trying to figure out why the emails are getting sent

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread Daniel Bray
Thank you Pedro. I've actually taken a step back from this, and I'm trying to figure out why the emails are getting sent in the first place. If the default level is 7, and I haven't changed that: yes myem...@mydomain.com my.smtp.server os...@mydomain.com 127.0.0.1 yes

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-23 Thread Daniel Bray
On Monday, November 16, 2015 at 8:28:27 AM UTC-5, Daniel Bray wrote: > > With the updated alert_by_email settings, this has stopped the email > alerts. I see it hitting the WebUI as alert level 2, but no emails are > coming in. > Unfortunately, with everything put back to the default

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-23 Thread Pedro S.
Hi Daniel, sorry for the late response. I don't know for real what is happening with your alerts, but I'll keep giving you some advice; we'll see if we can make this work. Maild reads directly from alerts.log, searches for the "mail" flag and, if it is present, sends the email. That means if your alerts is

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-16 Thread Daniel Bray
On Friday, November 13, 2015 at 2:30:24 PM UTC-5, Pedro S. wrote: > > Okay try this: > > Temporarily remove "alert_by_email" from rule 1002 on > syslog_rules.xml. > Now add "alert_by_email" in your custom rule. > Restart OSSEC and generate the alert. > > What I'm trying here is to stop OSSEC from

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-16 Thread Daniel Bray
On Monday, November 16, 2015 at 7:47:24 AM UTC-5, Daniel Bray wrote: > > OK, I'm a little lost as to what this is trying to prove, but the updated > settings are in place. I'm waiting for an alert to come through. > > With the updated alert_by_email settings, this has stopped the email alerts.

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Fri, Nov 13, 2015 at 10:44 AM, Daniel Bray wrote: > On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote: >>> >>> I'm waiting to see if it generates an alert. >> >> > > > Nope, issue remains. Very confusing. > I think if you start ossec-analysisd in debug

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
Sorry about that, it is just a simple typo. I didn't want to copy the actual rule, as it had some semi-private information in it. I copied and pasted my actual rule 15 to a test rule 17, so please just ignore that. Here is the actual updated test rule I'm trying: 1002

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
Yes, all my local rules are under the and yes, I made sure to stop and restart everything. On Thursday, November 12, 2015 at 8:37:35 PM UTC-5, Santiago Bassett wrote: > > Hi Daniel, > > not sure if that matters but is your local rule in the same "syslog,errors,">, as rule 1002 is? You sure you

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote: > > I'm waiting to see if it generates an alert. >> > > Nope, issue remains. Very confusing.

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Pedro S.
Hi Daniel, the alert you changed to level 0 isn't the same one you wrote some lines before, is it? You set rule SID 15 to 0, but the alert you showed us has SID 1002. For testing purposes, try to deactivate (change to level 0) rule 1002 and check if it is still generating these

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Fri, Nov 13, 2015 at 11:40 AM, Daniel Bray wrote: > Sorry about that, it is just a simple typo. I didn't want to copy the > actual rule, as it had some semi-private information in it. I copied and > pasted my actual rule 15 to a test rule 17, so please just ignore

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Pedro Sánchez de Castro
I'm wondering... maybe you can activate the archives log (logall option) and check if the alert is working. I mean, if the alert shows in the archives, we will know that the issue is mail related and not about rule decoding. 2015-11-13 8:40 GMT-08:00 Daniel Bray : > Sorry about that,

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Fri, Nov 13, 2015 at 11:16 AM, Pedro S. wrote: > My confusion was the rule he wrote here has SID 15 and the logtest > result has SID 17, sorry about that. > You're right, I totally missed that. Now I'm wondering what 17 is. > Still I'll try to create a generic

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 8:51:45 AM UTC-5, dan (ddpbsd) wrote: > > Or are you sure the manager restarted? Most of the time when I've seen > this behavior on the list analysisd did not actually stop, so it > didn't pick up the new rules. Running `/var/ossec/bin/ossec-control > stop`, then

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Pedro S.
My confusion was that the rule he wrote here has SID 15 and the logtest result has SID 17, sorry about that. Still, I'll try to create a generic rule to make sure OSSEC is loading new rules. Anyway, if Dan has already tested it, the rule is working; it should be that your OSSEC is not loading

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 2:03:45 PM UTC-5, dan (ddpbsd) wrote: > > Try setting the rule to level 2 > > > Doing that results in: **Phase 3: Completed filtering (rules). Rule id: '17' Level: '2' Description: 'Ignore MIP Alerts' **Alert to be generated.

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Fri, Nov 13, 2015 at 2:07 PM, Daniel Bray wrote: > On Friday, November 13, 2015 at 2:03:45 PM UTC-5, dan (ddpbsd) wrote: >> >> Try setting the rule to level 2 >> >> > > Doing that results in: > **Phase 3: Completed filtering (rules). >Rule id: '17' >

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Fri, Nov 13, 2015 at 2:20 PM, Daniel Bray wrote: > On Fri, Nov 13, 2015 at 2:16 PM, dan (ddp) wrote: >> >> I was hoping it would help with the production use, but since it was >> working for me I guess that doesn't matter. I'm pretty much stumped at >>

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Pedro S.
Okay, try this: Temporarily remove "alert_by_email" from rule 1002 on syslog_rules.xml. Now add "alert_by_email" in your custom rule. Restart OSSEC and generate the alert. What I'm trying here is to stop OSSEC from sending the rule 1002 email; I think that the "alert_by_email" option forces OSSEC to send

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Fri, Nov 13, 2015 at 2:16 PM, dan (ddp) wrote: > I was hoping it would help with the production use, but since it was > working for me I guess that doesn't matter. I'm pretty much stumped at > the moment. > I'm running this on CentOS 6 with

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 12:17:09 PM UTC-5, dan (ddpbsd) wrote: > > Ok, this information is working for me as well. I have tested it on a > local install and an agent/server install (changing the hostname as > appropriate). > > Is the agent name testserver? Do the hostname of the system

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Nov 13, 2015 1:49 PM, "Daniel Bray" wrote: > > On Friday, November 13, 2015 at 12:17:09 PM UTC-5, dan (ddpbsd) wrote: >> >> Ok, this information is working for me as well. I have tested it on a >> local install and an agent/server install (changing the hostname as >>

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread dan (ddp)
On Thu, Nov 12, 2015 at 8:37 PM, Santiago Bassett wrote: > Hi Daniel, > > not sure if that matters but is your local rule in the same name="syslog,errors,">, as rule 1002 is? You sure you restarted the manager > right? > Or are you sure the manager restarted? Most of

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-12 Thread Santiago Bassett
Hi Daniel, not sure if that matters, but is your local rule in the same , as rule 1002 is? You sure you restarted the manager right? Best On Thu, Nov 12, 2015 at 7:06 AM, Daniel Bray wrote: > I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo) > > I've