Rules 5715, 5501 and 5402 are all level 3 alerts. Your ossec.conf says to only email on alerts that are level 8 and higher. To fix this, add the following to your local_rules.xml in $OSSEC_DIR/rules:

  <rule id="105402" level="8">
    <if_sid>5402</if_sid>
  </rule>

  <rule id="105501" level="8">
    <if_sid>5501</if_sid>
  </rule>

  <rule id="105715" level="8">
    <if_sid>5715</if_sid>
  </rule>

And then restart your server. Give that a try and see what happens. Be sure to add the rules between the <group></group> tags in local_rules.xml.

Tom Banjo wrote:
> I have the following in my ossec.conf file:
>
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>[EMAIL PROTECTED]</email_to>
>     <smtp_server>mail.halogensoftware.com</smtp_server>
>     <email_from>[EMAIL PROTECTED]</email_from>
>   </global>
>
>   <email_alerts>
>     <email_to>[EMAIL PROTECTED]</email_to>
>     <rule_id>5715, 5501, 5402</rule_id>
>     <do_not_delay />
>     <do_not_group />
>   </email_alerts>
>
>   <email_alerts>
>     <email_to>[EMAIL PROTECTED]</email_to>
>     <level>8</level>
>   </email_alerts>
> </ossec_config>
>
> What I am trying to accomplish is the following:
>
> 1. Everything with a severity level > 1 is logged to the alert.log file
> 2. Everything with a severity <= 8 is e-mailed to [EMAIL PROTECTED]
> 3. When rule 5715, 5501, 5402 is logged (access and sudo) an e-mail is sent to [EMAIL PROTECTED]
>
> I am running ossec-hids-071129 on the server (1.4 on the agents). Since implementing the ossec.conf change and restarting the server I am getting level 2 e-mails (access.log warning etc). But no 5715, 5501 or 5402 alerts - although they are being logged to the alert.log.
>
> Any help would be appreciated.
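The mechanism behind the reply, as an added example that is not part of this thread and not OSSEC's own code: a rule listed in a granular <email_alerts> <rule_id> entry still has to clear the global e-mail level gate before the mailer ever sees it, which is why a level 3 rule stays silent until local_rules.xml raises it. The script below parses a constructed ossec.conf fragment and a local_rules.xml in the shape the reply recommends, applies the <if_sid> overrides, and reports which of the listed rules now reach the threshold. The base level (3) and the threshold (8) are taken from the reply; the addresses, group name and the OSSEC default threshold of 7 used when <email_alert_level> is absent are assumptions of the example. It models only the level gate, not which rule id the granular matcher compares against once a child rule has fired.

```python
"""Model OSSEC's e-mail level gate for granular <email_alerts> entries.

Added example, not code from the thread or from OSSEC. Base rule levels and
the threshold follow the reply; the config text below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (placeholder addresses, not the poster's).
OSSEC_CONF = """<ossec_config>
  <alerts>
    <email_alert_level>8</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>sudo-watch@example.com</email_to>
    <rule_id>5715, 5501, 5402</rule_id>
  </email_alerts>
</ossec_config>"""

# Stock levels of the rules named in the thread (level 3, per the reply).
BASE_LEVELS = {5715: 3, 5501: 3, 5402: 3}

# Constructed local_rules.xml in the shape the reply recommends; the group
# name is an assumption, the rules are the ones from the reply.
LOCAL_RULES_FIXED = """<group name="local,syslog,">
  <rule id="105402" level="8"><if_sid>5402</if_sid></rule>
  <rule id="105501" level="8"><if_sid>5501</if_sid></rule>
  <rule id="105715" level="8"><if_sid>5715</if_sid></rule>
</group>"""

# The same file before any override was added.
LOCAL_RULES_EMPTY = '<group name="local,syslog,"></group>'


def _int_list(text):
    """Split an OSSEC comma list such as '5715, 5501, 5402' into ints."""
    return [int(x) for x in text.split(",") if x.strip()]


def email_threshold(conf_xml):
    """Global <email_alert_level>; 7 is the stock ossec.conf default (assumed)."""
    node = ET.fromstring(conf_xml).find("./alerts/email_alert_level")
    return int(node.text) if node is not None else 7


def granular_rule_ids(conf_xml):
    """All rule ids named in any <email_alerts><rule_id> list."""
    ids = set()
    for ea in ET.fromstring(conf_xml).findall("email_alerts"):
        for rid in ea.findall("rule_id"):
            ids.update(_int_list(rid.text or ""))
    return ids


def effective_alerts(base_levels, local_rules_xml):
    """Return {base_id: (alert_id, alert_level)} after local overrides.

    A local rule with <if_sid>N</if_sid> fires on top of rule N, and it is the
    child (its id and level) that becomes the alert. Only direct children of
    the base rules are modelled. Rules outside <group> are rejected, which is
    the mistake the reply warns about.
    """
    root = ET.fromstring(local_rules_xml)
    if root.tag != "group":
        raise ValueError("local_rules.xml rules must sit inside <group>...</group>")
    alerts = {rid: (rid, lvl) for rid, lvl in base_levels.items()}
    for rule in root.findall("rule"):
        if_sid = rule.find("if_sid")
        if if_sid is None or not if_sid.text:
            continue
        for parent in _int_list(if_sid.text):
            if parent in alerts:
                alerts[parent] = (int(rule.get("id")), int(rule.get("level")))
    return alerts


def clears_email_gate(conf_xml, base_levels, local_rules_xml):
    """Base ids from the <rule_id> lists whose alert level meets the threshold.

    The mailer only sees alerts at or above email_alert_level, so a granular
    entry alone does nothing for a level-3 rule.
    """
    threshold = email_threshold(conf_xml)
    alerts = effective_alerts(base_levels, local_rules_xml)
    return {rid for rid in granular_rule_ids(conf_xml)
            if rid in alerts and alerts[rid][1] >= threshold}


if __name__ == "__main__":
    for label, rules in (("before", LOCAL_RULES_EMPTY), ("after", LOCAL_RULES_FIXED)):
        print(label, sorted(clears_email_gate(OSSEC_CONF, BASE_LEVELS, rules)))
```

Running it prints an empty list for the unmodified local_rules.xml and all three ids once the overrides are in place; swapping in your own ossec.conf and local_rules.xml text is the quickest way to see whether a rule_id entry you added will ever reach the mailer.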