I figured it out. I had the alert set to a number below my email alert
threshold.
Phil
On Wed, Feb 20, 2013 at 1:06 PM, Phil Cox p...@rightscale.com wrote:
Is ossec-maild running?
Does it try to send the email (you can use tcpdump or the email
server's logs to find out)?
It is running
Having a hard time with this one. I am getting my alerts to fire, and can
test with ossec-logtest. Problem is that I seem to only be getting some
of the alerts via email.
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>redacte...@rightscale.com</email_to>
  </global>
</ossec_config>
Is ossec-maild running?
Does it try to send the email (you can use tcpdump or the email
server's logs to find out)?
It is running. It does NOT seem to be attempting to send email when the
rules fire. I do see the alert in the alert.log file though.
Phil
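Added example (not from the thread, and not OSSEC's own shipped config) of the setting behind Phil's resolution: ossec-analysisd writes every alert at or above log_alert_level to alerts.log, but only hands alerts at or above email_alert_level to ossec-maild, so a rule whose level sits between the two is logged and never mailed. The addresses, the SMTP host, rule id 100010 and its level are placeholders; the stock defaults of 1 and 7 for the two thresholds are what OSSEC uses when the alerts section is absent.

```xml
<!-- ossec.conf (added example; addresses and SMTP host are placeholders).
     A level-5 alert under these thresholds lands in alerts.log only,
     because 5 is below email_alert_level. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <email_from>ossec@example.com</email_from>
    <smtp_server>127.0.0.1</smtp_server>
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>

<!-- local_rules.xml (added example; id 100010 is illustrative, local rules
     live in the 100000-119999 range). Two ways to get mail for a low-level
     rule without mailing everything: raise the rule's level to at least
     email_alert_level, or keep the level and set alert_by_email, which
     forces mail for this rule regardless of the global threshold. The
     group authentication_success is the stock group tag on successful
     logins (e.g. sshd). -->
<group name="local,">
  <rule id="100010" level="5">
    <if_group>authentication_success</if_group>
    <options>alert_by_email</options>
    <description>Successful login (mailed even though level 5 is below the email threshold)</description>
  </rule>
</group>
```

A quick way to confirm which side of the threshold a rule falls on is to feed the log line to /var/ossec/bin/ossec-logtest: the output shows the rule id and level that matched, and that level is what gets compared against email_alert_level. If the level is fine and mail still does not leave, then tcpdump on port 25 toward smtp_server, as suggested in the thread, is the next check.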
All,
Probably a simple answer, but not for me. I want an alert to fire any time
there is a sudo operation with the COMMAND being a shell (/bin/bash in this
instance).
Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash
Any pointers? I am new
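Added example (not from the thread) of a local rule for the sudo line above. It hangs off the stock parent rule for decoded sudo messages, which I take to be id 5400 in rules/sudo_rules.xml; confirm that id on the installed version before using it. The rule id 100020 and the shell list are illustrative. It matches more than the post asked for (sh and zsh as well as /bin/bash), using OSSEC's regex dialect, where `|` separates complete alternative patterns and `$` anchors the end of the line.

```xml
<!-- local_rules.xml (added example; 100020 is an illustrative local id).
     5400 is assumed to be the stock "initial group for the sudo messages"
     rule; check rules/sudo_rules.xml. The $ anchor means "COMMAND=/bin/bash"
     as the whole command (sudo -i, sudo -s, sudo bash), not
     "COMMAND=/bin/bash -c ..." which is a one-shot command. Drop the $
     if you want those too. -->
<group name="local,syslog,sudo,">
  <rule id="100020" level="10">
    <if_sid>5400</if_sid>
    <regex>COMMAND=/bin/bash$|COMMAND=/bin/sh$|COMMAND=/usr/bin/zsh$</regex>
    <description>sudo used to spawn an interactive shell</description>
    <group>privilege_escalation,</group>
  </rule>
</group>
```

Test it the way the thread already does: paste the sudo line into /var/ossec/bin/ossec-logtest and check that rule 100020 (not the generic 5400-series rule) is reported. Note that OSSEC's regex engine has no character classes or `{n}` repetition, so list each shell path explicitly rather than trying `[a-z]`.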
I have a central sys log server that collects logs under /var/log/uniqueID
for client
That UniqueID part is fairly random, and will come and go as systems launch
and terminate. Is there an easy way to do this? Seems that using
<localfile>
  <location>/var/log/\w+/messages</location>
</localfile>
Is the
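Added example (not from the thread) of the localfile form I would try for per-host directories. The `<location>` value is not a regex, so `\w+` is taken literally; on Unix-like systems ossec-logcollector expands shell-style wildcards instead. Wildcard support depends on the OSSEC version (it is an assumption here that the version in use has it; the localfile documentation for that version is the place to confirm).

```xml
<!-- ossec.conf on the central syslog server (added example). The * is
     expanded by ossec-logcollector as a shell-style wildcard; the regex
     form \w+ is not understood in <location>. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/*/messages</location>
  </localfile>
</ossec_config>
```

Because the directories appear and disappear as hosts launch and terminate, check whether the installed version re-expands the pattern while running or only at startup; if only at startup, a new host's file will not be read until OSSEC is restarted, which matters for an environment described as this volatile.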
So here is my plan for a global cloud arch (systems very volatile)
- Local install
- Alert via Syslog to central server on dedicated facility
- Local Syslog go to central server
- Central console (Graylog2?) parsing all syslog for custom correlation
Should scale to tens of thousands. We'll see.
All,
Which source do most use:
http://www.ossec.net
OR
https://bitbucket.org/dcid/ossec-hids
Or is the latter just a mirror?
Thanks,
Phil
Does anyone have the agentless OSSEC configured to then dump logs to a
syslog server for later analysis?
Phil
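Added example (not from the thread) serving both the "alert via syslog to central server" step in the architecture plan above and the agentless question here. OSSEC forwards alerts, not raw logs, to a remote syslog collector through ossec-csyslogd, which reads the same alerts.log that ossec-maild does; agentless checks produce alerts through that pipeline, so they are forwarded like any other. The collector address is a placeholder.

```xml
<!-- ossec.conf on the OSSEC server (added example; 10.0.0.5 is a
     placeholder for the central syslog collector). Every alert at or above
     <level> is sent as a syslog message. The local agent's own syslog is
     not forwarded by this; ship that with rsyslog/syslog-ng as in the
     plan's "local syslog go to central server" step. -->
<ossec_config>
  <syslog_output>
    <server>10.0.0.5</server>
    <port>514</port>
    <level>3</level>
  </syslog_output>
</ossec_config>
```

The forwarder is off by default; enable it with /var/ossec/bin/ossec-control enable client-syslog and restart OSSEC. Two caveats for the plan: the output is UDP syslog, so size the level filter so that a burst of low-level alerts does not flood the collector, and the alerts arrive already correlated by OSSEC, so the central console (Graylog2 in the plan) is correlating across OSSEC servers rather than across raw events.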
Any way to use OSSEC to write a rule that would alert on the following:
If X failed SSH login attempts, then Success - Send alert
Any pointers are appreciated.
Phil
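Added example (not from the thread) of the composite rule for "X failed SSH logins, then a success". It assumes the stock sshd rule ids 5716 (authentication failed) and 5715 (authentication success) from rules/sshd_rules.xml; confirm both on the installed version. Rule id 100030, the frequency and the timeframe are illustrative. Before adding it, check whether the installed ruleset already carries a generic authentication_failed-followed-by-authentication_success rule, which would cover sshd along with every other decoder that tags those groups.

```xml
<!-- local_rules.xml (added example; 100030 is an illustrative local id).
     The current event must match if_sid (a success); the history check
     then requires <frequency> events matching if_matched_sid (failures)
     from the same source IP within <timeframe> seconds. -->
<group name="local,syslog,sshd,">
  <rule id="100030" level="12" frequency="5" timeframe="300">
    <if_sid>5715</if_sid>
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>SSH login succeeded after repeated failures from the same source IP</description>
    <group>authentication_success,</group>
  </rule>
</group>
```

Test it by replaying a few real failure lines followed by a success line from the same client, not with a single line in ossec-logtest, since the rule only fires with history. The count needed to trigger can differ by one or two from the literal frequency value in some OSSEC versions, so pick the number by trial against real events rather than assuming frequency="5" means exactly five.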
--
Director of Security and Compliance
RightScale Inc - http://www.rightscale.com
805-243-0942
Skype: phil.cox.rs
Twitter: