Hi Tony,

OSSEC by default will only alert by email if the severity is >= 7. Take a look at /var/ossec/logs/alerts/alerts.log and see if you have them (and compare with the amount of emails you got).

# cat /var/ossec/logs/alerts/alerts.log | grep ": mail " | wc -l

Also, look at /var/ossec/logs/ossec.log for errors...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Jan 9, 2008 9:50 PM, <[EMAIL PROTECTED]> wrote:
>
> Hi Bill and David,
>
> I'm using OSSEC with the 071129 update on CentOS 4.5. Received email
> alerts began to diminish in frequency at about 1 week after I applied
> the 071129 upgrade. By "diminish" I mean that while some of the alerts
> still came through, they numbered quite few. The server may receive 20
> to 50 or more alerts per day that are above level 3, and if I'm lucky
> I'll only see one or two email notifications, each typically reporting
> a single suspicious event. This certainly doesn't represent the alerts
> log file very adequately.
>
> One possibly significant aspect of this issue is that after stopping,
> then restarting OSSEC, I immediately receive the "Ossec server
> started." email notification but nearly every other alert posted to
> the alerts log fails to arrive as an email notification.
>
> Do either of you, or anyone else here, have an opinion what may be
> causing this issue?
>
> Tony
>
>
> On Dec 9 2007, 11:54am, David Williams <[EMAIL PROTECTED]> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I believe this is a known bug and Daniel provided this note with a
> > snapshot which fixes it:
> >
> > Hi Pierre,
> >
> > Thanks for the information. I was able to find out where the bug is
> > and the fix is available at:
> >
> > http://www.ossec.net/files/snapshots/ossec-hids-071129.tar.gz
> >
> > Just update to this new version and the problem should go away.
> >
> > Thanks,
> >
> > - --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > Bill Mathews wrote:
> > > I have a couple of OSSEC v.1.4 running on Debian and every few weeks
> > > email alerts just stop. The alert log keeps seeing the alerts but they
> > > never go out via email. Packet captures never show the ossec machine
> > > even trying to send the message. Has anyone ever run across this before?
> > > On my older ( 1.2) OSSEC server I've not run across this. Thanks.
> > >
> > > Bill
> > >
> > > --
> > >
> > > This is my gmail account, there are many like it
> > > but this one is mine.
> >
> > - --
> > _______________________________________________
> > GPG (http://www.gnupg.org/) key available
> > from:http://www.kayakero.net/per/david/
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.6 (GNU/Linux)
> > Comment: Using GnuPG with Fedora -http://enigmail.mozdev.org
> >
> > iD8DBQFHXEfhCzuSgviBh00RAsb0AKCPzuud78nMijn/INhl7wjry7dMMwCfS1s7
> > feF6j6ItZ4rawmcFf5rDiBs=
> > =j5EF
> > -----END PGP SIGNATURE-----
>
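
An added example (not from the thread or from the OSSEC project) that goes one step beyond the `grep ": mail "` count in the reply at the top: it tallies alerts.log records by rule level and by mail flag, so the number marked for email can be compared with the default threshold of 7 and with the messages that actually arrived. The record layout it parses and the sample records, including local rule 100001, are assumptions constructed for illustration.

```shell
# Added example: tally an OSSEC alerts.log by rule level and mail flag.
# Assumed record layout: a "** Alert <id>: [mail ] - <groups>" header,
# a timestamp line, then "Rule: <id> (level <n>) -> '<description>'".

# ossec_mail_summary FILE [THRESHOLD]   (threshold defaults to 7)
ossec_mail_summary() {
    awk -v thr="${2:-7}" '
        /^\*\* Alert / {
            flagged = ($0 ~ /: mail /) ? 1 : 0   # header shows alerts marked for email
            pending = 1
            next
        }
        pending && /^Rule: [0-9]+ \(level [0-9]+\)/ {
            lvl = $0
            sub(/^Rule: [0-9]+ \(level /, "", lvl)
            sub(/\).*/, "", lvl)
            total++
            mail += flagged
            if (lvl + 0 >= thr + 0) { high++; if (!flagged) unflagged_high++ }
            else if (flagged) flagged_low++
            pending = 0
        }
        END {
            printf "total=%d mail=%d at_or_above=%d flagged_below=%d unflagged_at_or_above=%d\n",
                total, mail, high, flagged_low, unflagged_high
        }
    ' "$1"
}

# Constructed sample records (not real log data; rule 100001 is hypothetical).
write_sample() {
    cat > "$1" <<'EOF'
** Alert 1199900000.0: mail  - ossec,
2008 Jan 09 18:00:00 host1->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'

** Alert 1199900060.300: - syslog,sshd,
2008 Jan 09 18:01:00 host1->/var/log/secure
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'

** Alert 1199900120.600: mail  - syslog,sshd,authentication_failures,
2008 Jan 09 18:02:00 host1->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'

** Alert 1199900180.900: - local,
2008 Jan 09 18:03:00 host1->/var/log/messages
Rule: 100001 (level 7) -> 'Constructed local rule'
EOF
}
```

Run it as `ossec_mail_summary /var/ossec/logs/alerts/alerts.log` after sourcing the functions. A `mail` count well above the number of messages received points at delivery rather than at the alert level, which is where /var/ossec/logs/ossec.log comes in.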
