I have an alert set up to email certain distributions when a set of files are changed on two hosts. It's emailing the wrong people and I have absolutely no clue why.
It's emailing the two users in the global config, and *only* the distribution list from the email_alerts section. *Simply put*: instead of sending the email to [email protected], [email protected], and [email protected], it's sending it to [email protected], [email protected] (defined in global), and [email protected]. See the configuration examples below for clarification.

The distro defined is also receiving syscheck alerts for other servers outside of the scope of the rule_id but within the syscheck scope (namely, agent.conf). Also, they got blasted with a grouped email for all level 10+ alerts. A colleague and I are totally perplexed and can't figure out the logic behind this behavior. I have confirmed that the rule is firing correctly, and that the agent/server copies of agent.conf match. To mitigate this issue, I've set the email_alert_level threshold to 12 in the server's ossec.conf.

For the sake of clarity, the directory is '/opt/dirx'.

*/var/ossec/etc/shared/agent.conf:*

    <agent_config name="server0">
      <syscheck>
        <directories report_changes="yes" check_all="yes" realtime="yes">/opt/dirx/bin</directories>
        <directories report_changes="yes" check_all="yes">/opt/dirx/diry/file.py</directories>
      </syscheck>
    </agent_config>

    <agent_config name="server1">
      <syscheck>
        <directories report_changes="yes" check_all="yes" realtime="yes">/opt/dirx/bin</directories>
      </syscheck>
    </agent_config>

Here are my local rules. The second rule is to restart the ossec agent in the event of an updated agent.conf file via active response.

*/var/ossec/rules/local_rules.xml:*

    <group name="syscheck">
      <rule id="100300" level="14">
        <if_group>syscheck,</if_group>
        <description>File Changed in '/opt/dirx/bin'</description>
        <match>/opt/dirx/bin | </match>
        <match>/opt/dirx/diry</match>
      </rule>
      <rule id="100301" level="10">
        <if_sid>550</if_sid>
        <match>ossec/etc/shared/agent.conf</match>
        <description>agent.conf has been modified</description>
      </rule>
    </group>

And finally, here are the global and email directives in the server's ossec.conf file.

*/var/ossec/etc/ossec.conf (on server):*

    <ossec_config>
      <reports>
        <category>syscheck</category>
        <title>server: Daily report - File changes</title>
        <email_to>[email protected]</email_to>
        <email_to>[email protected]</email_to>
      </reports>
      <global>
        <email_notification>yes</email_notification>
        <email_to>[email protected]</email_to>
        <email_to>[email protected]</email_to>
        <email_from>[email protected]</email_from>
        <smtp_server>localhost</smtp_server>
      </global>
      <email_alerts>
        <email_to>[email protected]</email_to>
        <email_to>[email protected]</email_to>
        <email_to>[email protected]</email_to>
        <rule_id>100300</rule_id>
        <do_not_delay />
        <do_not_group />
      </email_alerts>

Any assistance would be *greatly* appreciated! Thanks in advance.
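One thing worth checking in the local rules posted above is what the two `<match>` patterns of rule 100300 actually cover, since that rule is the only selector for the level-14 alerts being mailed. The script below is an added example, not OSSEC's code and not the poster's; it emulates the documented `<match>` pattern semantics (assumed here: `|` separates alternatives, a leading `^` or trailing `$` anchors an alternative, everything else is a case-insensitive substring test, and no whitespace is trimmed) and runs both patterns against constructed syscheck alert text. Under those assumptions the trailing ` | ` in `/opt/dirx/bin | ` produces a single-space alternative that matches every sample alert, while the first alternative, which carries a trailing space, matches none of them.

```python
"""Offline emulation of OSSEC's <match> pattern semantics.

Added example, not OSSEC's own code. Assumed (documented) semantics:
  * '|' separates alternatives, any one of which may match;
  * a leading '^' anchors an alternative to the start of the alert text,
    a trailing '$' anchors it to the end;
  * otherwise an alternative is a case-insensitive substring test;
  * no whitespace is trimmed, so a space is a significant pattern character.
"""

from typing import Dict, List, Optional, Tuple

# (lowercased text, anchored at start, anchored at end)
Alternative = Tuple[str, bool, bool]


def compile_match(pattern: str) -> List[Alternative]:
    """Split a <match> pattern into its '|' alternatives, honouring ^ and $."""
    alternatives: List[Alternative] = []
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        text = alt[1:] if anchored_start else alt
        anchored_end = text.endswith("$")
        if anchored_end:
            text = text[:-1]
        alternatives.append((text.lower(), anchored_start, anchored_end))
    return alternatives


def matched_alternative(pattern: str, alert_text: str) -> Optional[str]:
    """Return the text of the first alternative that matches, or None."""
    haystack = alert_text.lower()
    for text, at_start, at_end in compile_match(pattern):
        if at_start and at_end:
            hit = haystack == text
        elif at_start:
            hit = haystack.startswith(text)
        elif at_end:
            hit = haystack.endswith(text)
        else:
            hit = text in haystack
        if hit:
            return text
    return None


def ossec_match(pattern: str, alert_text: str) -> bool:
    """True if any alternative of `pattern` matches `alert_text`."""
    return matched_alternative(pattern, alert_text) is not None


# The two <match> patterns copied verbatim from rule 100300 in the post.
PATTERNS: Dict[str, str] = {
    "bin": "/opt/dirx/bin | ",
    "diry": "/opt/dirx/diry",
}

# Constructed sample alert lines in the shape syscheck (rule 550) produces.
SAMPLE_ALERTS: Dict[str, str] = {
    "bin_change": "Integrity checksum changed for: '/opt/dirx/bin/run.sh'",
    "diry_change": "Integrity checksum changed for: '/opt/dirx/diry/file.py'",
    "agent_conf": "Integrity checksum changed for: '/var/ossec/etc/shared/agent.conf'",
    "unrelated": "Integrity checksum changed for: '/etc/hosts'",
}


def report() -> Dict[str, Dict[str, Optional[str]]]:
    """Map each pattern name to {alert name: alternative that matched, or None}."""
    return {
        name: {alert: matched_alternative(pat, text) for alert, text in SAMPLE_ALERTS.items()}
        for name, pat in PATTERNS.items()
    }


if __name__ == "__main__":
    for name, hits in report().items():
        for alert, alt in hits.items():
            print(f"{name:5} {alert:12} -> {alt!r}")
```

Whether OSSEC honours both `<match>` elements in one rule or only the last one is not something this emulation decides; its point is to test a pattern in isolation, with the exact bytes that sit between the tags, before relying on it as the sole selector for a high-level rule that also drives granular e-mail.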
