Hi,

I've been trying to get this to work, but I'm obviously missing
something or not understanding something. What I'd like to do is issue an
alert to an alternate email address should a file change occur within a
particular directory.

From my reading, it seemed like the method to do this would be to create
a custom rule, and then have an alert based on it in the ossec.conf.
Unfortunately nothing seems to be happening...

In local_rules.xml I've created a custom rule:

<group name="syscheck,">
...
   <rule id="100023" level="10">
      <description>Change to a custom directory</description>
      <match>/home/ross</match>
   </rule>
...
</group>

(I've also tried <regex> rather than <match>)

In ossec.conf, I've set this up:

<ossec_config>
...
   <email_alerts>
      <email_to>[email protected]</email_to>
      <rule_id>100023</rule_id>
      <do_not_delay />
      <do_not_group />
   </email_alerts>
...
</ossec_config>

Now, alerting to the email address defined globally is working, and I'm
seeing alerts on file changes/creation/deletion that I make within the
directory I'm watching (/home/ross for example), but I'm not seeing
alerts going to the email address shown above - nor alerts to either
address with the description set in the custom rule.

Perhaps I'm going about this the wrong way, or there's an easier way to
do this, but my search engine results haven't helped me, so hopefully
someone here can point me in the right direction.

Ross.
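A working version of the two fragments, added here as an example (not taken from Ross's post or from the OSSEC project's shipped files). The likely reason the custom rule never fires is that it has no <if_sid>/<if_group> link to the built-in syscheck rules (550 checksum changed, 553 file deleted, 554 file added), so it is treated as a top-level rule and is not evaluated against syscheck events. The directory, addresses and SMTP host below are placeholders.

```xml
<!-- local_rules.xml: chain the custom rule to the built-in syscheck rules
     via <if_group>, so it is evaluated only for syscheck events.
     /home/ross is a placeholder path. -->
<group name="local,syscheck,">
  <rule id="100023" level="10">
    <if_group>syscheck</if_group>
    <match>/home/ross</match>
    <description>Change to a custom directory</description>
    <group>syscheck,</group>
  </rule>
</group>

<!-- ossec.conf: global mail settings, the watched directory, and the
     granular recipient for rule 100023. Level 10 is above the default
     email_alert_level of 7, so the alert is eligible for e-mail.
     All addresses and hosts are placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <syscheck>
    <directories check_all="yes">/home/ross</directories>
  </syscheck>
  <email_alerts>
    <email_to>ross-alt@example.com</email_to>
    <rule_id>100023</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>
```

After `/var/ossec/bin/ossec-control restart`, a change under the watched directory should appear in `/var/ossec/logs/alerts/alerts.log` with `Rule: 100023` and the custom description; if it still shows only rule 550/553/554, the custom rule is not being reached.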
