On Fri, Jan 6, 2012 at 5:51 PM, Ross Lawrie <[email protected]> wrote:
> Hi,
>
> I've been trying to get this to work, but I'm obviously missing
> something or not understanding something. What I'd like to do is issue an
> alert to an alternate email address should a file change occur within a
> particular directory.
>
> From my reading, it seemed like the method to do this would be to create
> a custom rule, and then have an alert based on it in the ossec.conf.
> Unfortunately nothing seems to be happening...
>
> In local_rules.xml I've created a custom rule:
>
> <group name="syscheck,">
> ...
> <rule id="100023" level="10">
> <description>Change to a custom directory</description>
> <match>/home/ross</match>
> </rule>

Does this rule get triggered?

> ...
> </group>
>
> (I've also tried <regex> rather than <match>)
>
> In ossec.conf, I've set this up:
>
> <ossec_config>
> ...
> <email_alerts>
> <email_to>[email protected]</email_to>
> <rule_id>100023</rule_id>
> <do_not_delay />
> <do_not_group />
> </email_alerts>
> ...
> </ossec_config>
>
> Now, alerting to the email address defined globally is working, and I'm
> seeing alerts on file changes/creation/deletion that I make within the
> directory I'm watching (/home/ross for example), but I'm not seeing
> alerts going to the email address shown above - nor alerts to either
> address with the description set in the custom rule.
>
> Perhaps I'm going about this the wrong way, or there's an easier way to
> do this, but my search engine results haven't helped me, so hopefully
> someone here can point me in the right direction.
>
> Ross.

Is the working address also an @riverstyx.net email address? Have you
checked your maillogs to see if they provide a hint?
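Added example (editor's note, not part of Ross's message or the reply above): the usual way to make a custom rule fire on syscheck events is to chain it to the syscheck group with <if_group>syscheck</if_group>, so that the rule is evaluated only against integrity-check alerts (rules 550, 553, 554 in the stock ruleset) and the <match> on the path is then applied to their message text. A rule with only a <match> and no <if_group>/<if_sid> parent does not get evaluated against those alerts. The fragments below reuse rule id 100023 and the /home/ross path from the post; the recipient address is a placeholder.

```xml
<!-- local_rules.xml: chain the custom rule to the syscheck group.
     Without <if_group>syscheck</if_group> the rule is never tested
     against "Integrity checksum changed for: '/home/ross/...'" alerts. -->
<group name="local,syscheck,">
  <rule id="100023" level="10">
    <if_group>syscheck</if_group>
    <!-- the syscheck alert text contains the full path of the file -->
    <match>/home/ross</match>
    <description>Change to a custom directory (/home/ross)</description>
  </rule>
</group>

<!-- ossec.conf: granular e-mail for that rule only. Level 10 is above
     the default <email_alert_level> of 7 in the <alerts> section, so
     the alert is eligible for mail in the first place; check that
     <email_notification>yes</email_notification> is set under <global>
     and that the directory is actually under syscheck's <directories>. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!-- existing <email_to>, <smtp_server>, <email_from> stay as they are -->
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/home/ross</directories>
  </syscheck>

  <!-- placeholder recipient; only alerts from rule 100023 go here -->
  <email_alerts>
    <email_to>[email protected]</email_to>
    <rule_id>100023</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>
```

A quick check after restarting OSSEC: run /var/ossec/bin/ossec-logtest, paste the text of one of the existing syscheck alerts, and confirm the output now reports rule 100023 rather than 550/553/554. If it does, the custom rule side is fine and the remaining problem is in mail delivery, which is where the reply's suggestion to read the mail logs applies.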
