Yep that was it, thanks!

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: 29 April 2010 20:03
To: [email protected]
Subject: Re: [ossec-list] User logged in notification for all agents

Your ossec is probably set up to send emails only on higher level events.
email_alert_level is set to level 7 by default; that rule is triggering as a level 3.

On Thu, Apr 29, 2010 at 12:45 PM, Max Williams <[email protected]> wrote:
> Thanks for the reply.
>
> OK so on the OSSEC server I run /opt/ossec/bin/ossec-logtest and paste in
> the syslog entry from the OSSEC agent host that I'd like to trigger an
> email:
>
> [r...@ossec-server-host ~]# /opt/ossec/bin/ossec-logtest -c /opt/ossec/etc/ossec.conf
> <pasting now.>
> Apr 29 17:19:45 ossec-agent-host sshd[2798]: pam_unix(sshd:session): session opened for user max by (uid=0)
>
> **Phase 1: Completed pre-decoding.
> full event: 'Apr 29 17:19:45 ossec-agent-host sshd[2798]: pam_unix(sshd:session): session opened for user max by (uid=0)'
> hostname: ' ossec-agent-host '
> program_name: 'sshd'
> log: 'pam_unix(sshd:session): session opened for user max by (uid=0)'
>
> **Phase 2: Completed decoding.
> decoder: 'pam'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '5501'
> Level: '3'
> Description: 'Login session opened.'
> **Alert to be generated.
>
> But no email when I log in to hosts running the OSSEC agent?
> Do I have to add extra config on the server or the agent to get the agents'
> syslog entries processed?
> I noticed some syslog entries on the agent do trigger alerts, eg:
>
> Received From: (ossec-agent-host) 10.1.11.122->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
> Apr 27 22:12:11 ossec-agent-host postgres[24620]: [2-1] ERROR: database "DB1" already exists
>
> Any ideas where I'm going wrong? It works on the OSSEC server but not on the agents.
>
> Cheers,
> Max
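The two configuration choices behind dan's answer, as an added example that is not from the thread: the default email_alert_level threshold in /opt/ossec/etc/ossec.conf that silences a level-3 alert, beside a per-rule override that emails rule 5501 without lowering the threshold for every agent. The local_rules.xml path, the alert_by_email option and the rule body restated under overwrite="yes" are assumptions based on standard OSSEC rule syntax, not something the thread shows.

```xml
<!-- /opt/ossec/etc/ossec.conf (server side). With email_alert_level at its
     default of 7, rule 5501 (level 3) is logged to alerts.log but never
     emailed, which is exactly the symptom in the thread. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.invalid</email_to>       <!-- placeholder address -->
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@ossec-server-host</email_from>
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <!-- Option A: lower this to 3. Simple, but every level>=3 alert from
         every agent (failed logins, sudo, etc.) now generates a mail. -->
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>

<!-- Option B: /opt/ossec/rules/local_rules.xml (assumed standard path).
     Re-declare rule 5501 with overwrite="yes". Its level stays 3, so the
     global threshold is untouched, but alert_by_email forces a mail for
     this one rule. The if_sid/match below must mirror the stock rule in
     pam_rules.xml; copy them from your own install rather than trusting
     this reconstruction. -->
<group name="local,syslog,pam,">
  <rule id="5501" level="3" overwrite="yes">
    <if_sid>5500</if_sid>
    <match>session opened for user</match>
    <description>Login session opened.</description>
    <options>alert_by_email</options>
  </rule>
</group>
```

After either change restart the server with /opt/ossec/bin/ossec-control restart; note that ossec-logtest only reports whether an alert fires, not whether the mail threshold is met, so its "Alert to be generated" line looks identical before and after.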
