We recently had several files get changed, and using syscheck_control we can see that OSSEC did alert on the change. However, we can't verify that the email was sent. Our <email_alert_level> is set at 7 and our <log_alert_level> is set at 5. But in this example this would have been at least a 7, yes? How do I go back to verify if an email notification was sent or not?

/syscheck_control -i 647 -f /bin/setfont

Integrity changes for agent 'srvlx001(647) - 10.16.10.244':
Detailed information for entries matching: '/bin/setfont'

62949500 Dec 26 ,0 - /bin/setfont
File added to the database.
Integrity checking values:
   Size: 118456
   Perm: rwxr-xr-x
   Uid: 0
   Gid: 0
   Md5: 1b93a9014f95b1a4ffd6a7c01e77efc1
   Sha1: f36ddf4c07a4379ea6a7d3783bf5b351faef030e

112418531 Jul 01 á*],0 - /bin/setfont
File changed. - 1st time modified.
Integrity checking values:
   Size: >11448
   Perm: rwxr-xr-x
   Uid: 0
   Gid: 0
   Md5: >c5cd9f082926e07453ee01fb16122f10
   Sha1: >1cc841366200b35f756db0f61fce03fabd16e97b
