That particular alert only fires the first time a user logs into a server (or it's supposed to anyways). If you want notifications of when users log in, find a log entry for the user logging in and create a rule for it. Use /var/ossec/bin/ossec-logtest to see how the alert is decoded and if there is currently a rule for it. If there is a rule, you can either overwrite that rule (using overwrite="yes" in the rule), or create a rule that uses the <if_sid> parameter.
If you need help, send an example of the logs you are trying to alert on, along with the ossec-logtest output.

On Thu, Apr 29, 2010 at 5:52 AM, Max Williams <[email protected]> wrote:
> Hi OSSEC List,
>
> I am new to OSSEC. I have it running on a few Linux and Windows hosts with
> more or less the default settings and I am very happy with it.
>
> I notice that when I log in to the OSSEC server I immediately receive an
> email notifying me that someone has logged in:
>
> Received From: [email protected]>/var/log/secure
> Rule: 10100 fired (level 4) -> "First time user logged in."
>
> I'd like to receive these notifications for all Linux agents, not just the
> server. How can I achieve this?
>
> "/var/log/secure" is specified for monitoring on both the server and the
> agents already but I only get the email notifications for the server.
>
> TIA and best regards,
>
> Max Williams
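The <if_sid> approach from the reply above, written out as an added example (this is not part of the original thread or of the OSSEC rule set). It assumes the login lines in /var/log/secure are Linux sshd "Accepted ..." messages, which the stock sshd rules match with rule 5715 (sshd authentication success); the parent id and the rule id 100100 are assumptions to confirm by feeding one real log line through /var/ossec/bin/ossec-logtest before relying on them:

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml on the OSSEC server
     (not from the original message). Assumed parent: stock rule 5715,
     "sshd: authentication success." Run a real line through
     /var/ossec/bin/ossec-logtest first and use whatever rule id it reports. -->
<group name="local,syslog,sshd,">

  <!-- Fire on every sshd login rather than only the first time a user is
       seen (which is all rule 10100 does). Because the rule is a child of
       the sshd success rule and not of 10100, it applies to every agent
       that ships /var/log/secure to the server, not just the server itself.
       alert_by_email forces a mail even when the level is below the
       email_alert_level set in ossec.conf. Ids 100000-109999 are the
       range OSSEC reserves for local rules; 100100 is an arbitrary choice. -->
  <rule id="100100" level="4">
    <if_sid>5715</if_sid>
    <options>alert_by_email</options>
    <description>sshd: user logged in (every login, all agents).</description>
  </rule>

</group>
```

After saving the file, restart the server with /var/ossec/bin/ossec-control restart and log into one of the agents; the new alert should show the agent's hostname in the "Received From" line. If ossec-logtest shows the login being caught by a different rule (for example a publickey login or a distribution-specific sshd message), change the <if_sid> value to that id rather than the one assumed here.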
