Hi Dan, On Mon, Jun 13, 2011 at 8:53 AM, 2secureit <[email protected]> wrote: > <rule id="514" level="2" overwrite="yes"> > <if_sid>510</if_sid> > <match>^Application Found</match> > <options>alert_by_email</options> > <description>Windows application monitor event.</description> > <group>rootcheck,</group> > </rule> > > This is in my local rules and has not sent an email, however if I look > at rootcheck there is data/matches in there. \ >
Did you restart the ossec processes after adding the rule? I can't see a reason for it not to be emailed out if it fires. Is there a 514 alert in the alerts log? > Also in the msauth rules when an application is installed or > uninstalled the config alert_by_email, however that does not email > either. Can someone point me in the right direction? Thanks. > > Dan What are your email settings? Any chance the email server is rejecting the mails? Do you have instances of 18146 or 18147. dan
