Is there not a way to verify from the Ossec collector server? The bureaucratic layers to the email server logs are deep and wide such that no man can cross...
Patrick Swartz UNIX Planning & Engineering (DSUSSE) First Data 402-777-7337 desk 402-201-1192 Company cell 402-871-8981 Personal cell -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp) Sent: Monday, August 08, 2011 1:29 PM To: [email protected] Subject: Re: [ossec-list] Changed file alerts and emails Check your email server's logs? On Fri, Aug 5, 2011 at 8:32 AM, Patrick Swartz <[email protected]> wrote: > We recently had several files get changed and using syscheck_control > we can see that Ossec did alert on the change. However, we can't > verify that the email was sent. Our <email_alert_level> is set at 7 > and our <log_alert_level> is set at 5. But in this example this would > have been at least a 7, yes? > How do I go back to verify if an email notification was sent or not? > > /syscheck_control -i 647 -f /bin/setfont > Integrity changes for agent 'srvlx001(647) - 10.16.10.244': > Detailed information for entries matching: '/bin/setfont' > > 62949500 Dec 26 ,0 - /bin/setfont > File added to the database. > Integrity checking values: > Size: 118456 > Perm: rwxr-xr-x > Uid: 0 > Gid: 0 > Md5: 1b93a9014f95b1a4ffd6a7c01e77efc1 > Sha1: f36ddf4c07a4379ea6a7d3783bf5b351faef030e > > 112418531 Jul 01 á*],0 - /bin/setfont > File changed. - 1st time modified. > Integrity checking values: > Size: >11448 > Perm: rwxr-xr-x > Uid: 0 > Gid: 0 > Md5: >c5cd9f082926e07453ee01fb16122f10 > Sha1: >1cc841366200b35f756db0f61fce03fabd16e97b > ----------------------------------------- The information in this message may be proprietary and/or confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify First Data immediately by replying to this message and deleting it from your computer.
