On 08/08/2011 03:25 PM, Swartz, Patrick H wrote:
> Is there not a way to verify from the Ossec collector server? The
> bureaucratic layers to the email server logs are deep and wide such that no
> man can cross...

In these cases, I prefer to install a local sendmail or postfix, configure it as a smart host, and relay through your mail server; this way you can check your local mail server logs.

Best regards.

> Patrick Swartz
> UNIX Planning & Engineering (DSUSSE)
> First Data
> 402-777-7337 desk
> 402-201-1192 Company cell
> 402-871-8981 Personal cell
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Monday, August 08, 2011 1:29 PM
> To: [email protected]
> Subject: Re: [ossec-list] Changed file alerts and emails
>
> Check your email server's logs?
>
> On Fri, Aug 5, 2011 at 8:32 AM, Patrick Swartz <[email protected]> wrote:
>> We recently had several files get changed and using syscheck_control
>> we can see that Ossec did alert on the change. However, we can't
>> verify that the email was sent. Our <email_alert_level> is set at 7
>> and our <log_alert_level> is set at 5. But in this example this would
>> have been at least a 7, yes?
>> How do I go back to verify if an email notification was sent or not?
>>
>> /syscheck_control -i 647 -f /bin/setfont
>> Integrity changes for agent 'srvlx001(647) - 10.16.10.244':
>> Detailed information for entries matching: '/bin/setfont'
>>
>> 62949500 Dec 26 ,0 - /bin/setfont
>> File added to the database.
>> Integrity checking values:
>> Size: 118456
>> Perm: rwxr-xr-x
>> Uid: 0
>> Gid: 0
>> Md5: 1b93a9014f95b1a4ffd6a7c01e77efc1
>> Sha1: f36ddf4c07a4379ea6a7d3783bf5b351faef030e
>>
>> 112418531 Jul 01 á*],0 - /bin/setfont
>> File changed. - 1st time modified.
>> Integrity checking values:
>> Size: >11448
>> Perm: rwxr-xr-x
>> Uid: 0
>> Gid: 0
>> Md5: >c5cd9f082926e07453ee01fb16122f10
>> Sha1: >1cc841366200b35f756db0f61fce03fabd16e97b
>>
> -----------------------------------------
> The information in this message may be proprietary and/or
> confidential, and protected from disclosure.
> If the reader of this
> message is not the intended recipient, or an employee or agent
> responsible for delivering this message to the intended recipient,
> you are hereby notified that any dissemination, distribution or
> copying of this communication is strictly prohibited. If you have
> received this communication in error, please notify First Data
> immediately by replying to this message and deleting it from your
> computer.

--
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: [email protected]
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
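
The local-relay check suggested in the reply above, as an added example that is not part of the original thread: it joins Postfix log lines on queue ID to report what happened to each message from the OSSEC sender. The sender address, host names, and log lines are constructed assumptions; on a real host the sender is whatever `<email_from>` is set to, and the log is the local Postfix mail log.

```python
import re

# Constructed sample of a local Postfix relay log (not taken from the thread).
SAMPLE_LOG = """\
Aug  5 08:33:10 ossec01 postfix/smtpd[2101]: 3F2A11C0042: client=localhost[127.0.0.1]
Aug  5 08:33:10 ossec01 postfix/qmgr[1870]: 3F2A11C0042: from=<ossecm@ossec01.example.com>, size=1412, nrcpt=1 (queue active)
Aug  5 08:33:11 ossec01 postfix/smtp[2105]: 3F2A11C0042: to=<secops@example.com>, relay=mail.example.com[192.0.2.25]:25, delay=0.61, delays=0.05/0.01/0.3/0.25, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7B19D2E0A1)
Aug  5 08:33:11 ossec01 postfix/qmgr[1870]: 3F2A11C0042: removed
Aug  5 09:02:44 ossec01 postfix/qmgr[1870]: 5C77A1C0051: from=<ossecm@ossec01.example.com>, size=1398, nrcpt=1 (queue active)
Aug  5 09:03:14 ossec01 postfix/smtp[2170]: 5C77A1C0051: to=<secops@example.com>, relay=none, delay=30, delays=0.04/0.01/30/0, dsn=4.4.1, status=deferred (connect to mail.example.com[192.0.2.25]:25: Connection timed out)
Aug  5 09:10:02 ossec01 postfix/qmgr[1870]: 8D01B1C0060: from=<root@ossec01.example.com>, size=702, nrcpt=1 (queue active)
Aug  5 09:10:03 ossec01 postfix/smtp[2188]: 8D01B1C0060: to=<root@example.com>, relay=mail.example.com[192.0.2.25]:25, delay=0.4, delays=0.03/0/0.2/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7B19D2E0B7)
"""

# timestamp, daemon name, queue ID, remainder of the line
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)$")
FROM = re.compile(r"^from=<([^>]*)>")
DELIVERY = re.compile(r"^to=<([^>]*)>, .*?relay=([^,]+), .*?status=(\w+) \((.*)\)$")


def ossec_deliveries(log_text, sender):
    """Return one record per delivery attempt for mail queued from `sender`."""
    senders = {}   # queue ID -> envelope sender, learned from qmgr lines
    results = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when, daemon, qid, rest = m.groups()
        f = FROM.match(rest)
        if daemon == "qmgr" and f:
            senders[qid] = f.group(1)
            continue
        d = DELIVERY.match(rest)
        if d and senders.get(qid) == sender:
            rcpt, relay, status, reply = d.groups()
            results.append({"time": when, "queue_id": qid, "to": rcpt,
                            "relay": relay, "status": status, "reply": reply})
    return results


if __name__ == "__main__":
    # Assumed sender address; use the value of <email_from> on a real server.
    for r in ossec_deliveries(SAMPLE_LOG, "ossecm@ossec01.example.com"):
        print(r["time"], r["queue_id"], r["to"], r["status"], "-", r["reply"])
```

A `status=sent` record only shows that the upstream relay accepted the message; a `deferred` or `bounced` record carries the relay's reason in the reply text.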
