I had to accomplish this a few days ago.  See my post here,
http://itscblog.tamu.edu/ossec-email-alerts-on-active-responses/ .  I
have the exact decoder and rules I used to receive emails upon active-
response execution.

- Trey

On May 10, 1:56 pm, drin brown <[email protected]> wrote:
> Hi,
>
> Okay, this is probably the dumbest question on earth.  I'm really
> sorry.  The manual for ossec is really sparse.  Here goes.
>
> I want to monitor the active-response log from within my ossec.conf
> Somewhere inside these list directives:
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
> So that I can get it to email me the changes when the file changes.
>
> But the log_format option... what do I put???

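An added example, not part of either message and not the decoder or rules from Trey's post: one way to watch the active-response log and get an email per entry. It assumes a default install under /var/ossec; the decoder name `local-ar-log` and rule id 100100 are constructed for illustration. `syslog` is the log_format OSSEC uses for any plain-text, one-entry-per-line file.

```xml
<!-- 1) /var/ossec/etc/ossec.conf (inside <ossec_config>):
        read the active-response log as a plain single-line text log. -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/active-responses.log</location>
</localfile>

<!-- 2) /var/ossec/etc/local_decoder.xml:
        the stock response scripts write the date, the script path,
        the action (add/delete), user, source IP, alert id and rule id
        on one line. Constructed sample line:
        Thu May 10 13:56:02 CDT 2012 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1336676162.4521 5712
        Matching on the script path is enough to claim these lines. -->
<decoder name="local-ar-log">
  <prematch>active-response/bin/</prematch>
</decoder>

<!-- 3) /var/ossec/rules/local_rules.xml:
        alert on every decoded line; alert_by_email sends mail
        regardless of the configured email_alert_level. -->
<group name="local,active_response,">
  <rule id="100100" level="7">
    <decoded_as>local-ar-log</decoded_as>
    <options>alert_by_email</options>
    <description>Active response script executed.</description>
  </rule>
</group>
```

Restart OSSEC after the change, and paste the sample line into `/var/ossec/bin/ossec-logtest` to confirm that the decoder and rule fire before relying on the email.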