Re: [ossec-list] Troubleshooting: Alerts fire, but email not sent

2013-02-21 Thread Phil Cox
I figured it out. I had the alert set to a number below my email alert threshold. Phil
On Wed, Feb 20, 2013 at 1:06 PM, Phil Cox p...@rightscale.com wrote:
> Is ossec-maild running? Does it try to send the email (you can use tcpdump or the email server's logs to find out)? It is running

[ossec-list] Troubleshooting: Alerts fire, but email not sent

2013-02-20 Thread Phil Cox
Having a hard time with this one. I am getting my alerts to fire, and can test with ossec-logtest. Problem is that I seem to only be getting some of the alerts via email.
<ossec_config> <global> <email_notification>yes</email_notification> <email_to>redacte...@rightscale.com</email_to>

Re: [ossec-list] Troubleshooting: Alerts fire, but email not sent

2013-02-20 Thread Phil Cox
> Is ossec-maild running? Does it try to send the email (you can use tcpdump or the email server's logs to find out)?
It is running. It does NOT seem to be attempting to send email when the rules fire. I do see the alert in the alert.log file though. Phil

[ossec-list] More detailed parsing of sudo

2013-01-22 Thread Phil Cox
All, Probably a simple answer, but not for me. I want an alert to fire any time there is a sudo operation with the COMMAND being a shell (/bin/bash in this instance).
Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash
Any pointers? I am new

[ossec-list] Scanning variable directories in a structure

2012-11-14 Thread Phil Cox
I have a central syslog server that collects logs under /var/log/uniqueID for each client. That uniqueID part is fairly random, and will come and go as systems launch and terminate. Is there an easy way to do this? Seems that using
<localfile> <location>/var/log/\w+/messages</location> </localfile>
Is the

Re: [ossec-list] Large installs.

2012-04-02 Thread Phil Cox
So here is my plan for a global cloud arch (systems very volatile):
- Local install
- Alert via syslog to central server on dedicated facility
- Local syslog goes to central server
- Central console (Graylog2?) parsing all syslog for custom correlation
Should scale to tens of thousands. We'll see.

[ossec-list] Source to use?

2012-03-19 Thread Phil Cox
All, Which source do most use: http://www.ossec.net OR https://bitbucket.org/dcid/ossec-hids Or is the latter just a mirror? Thanks, Phil

[ossec-list] Anyway to ship to syslog?

2012-01-10 Thread Phil Cox
Does anyone have the agentless OSSEC configured to then dump logs to a syslog server for later analysis? Phil

[ossec-list] How to trigger cascading alerts

2011-12-30 Thread Phil Cox
Any way to use OSSEC to write a rule that would alert on the following: If X failed SSH login attempts, then Success - Send alert. Any pointers are appreciated. Phil
--
Director of Security and Compliance, RightScale Inc - http://www.rightscale.com 805-243-0942 Skype: phil.cox.rs Twitter: