This is kinda jumbled, so if I missed something let me know.

On Wed, Aug 1, 2012 at 4:29 PM, mcrane0 <[email protected]> wrote:
> I have an alert set up to email certain distributions when a set of files
> are changed on two hosts. It's emailing the wrong people and I have
> absolutely no clue why.
>
> It's emailing the two users in the global config, and only the distribution
> list from the email_alerts section.
> Simply put: Instead of sending the email to [email protected],
> [email protected], and [email protected]; it's sending it to
> [email protected], [email protected] (defined in global), and
> [email protected]. See below configuration examples for clarification.
>
> The distro defined is also receiving syscheck alerts for other servers
> outside of the scope of the rule_id but within the syscheck scope (namely,
> agent.conf). Also, they got blasted with a grouped email for all level 10+
> alerts. A colleague and I are totally perplexed and can't figure out
> the logic behind this behavior.
>
Did the 10+ contain a 100300 alert?

> I have confirmed that the rule is firing correctly, and that the
> agent/server copies of agent.conf match. To mitigate this issue, I've set
> the email_alert_level threshold to 12 in the server's ossec.conf.
>
> For the sake of clarity, the directory is '/opt/dirx'.
>
> /var/ossec/etc/shared/agent.conf:
> <agent_config name="server0">
>   <syscheck>
>     <directories report_changes="yes" check_all="yes"
>       realtime="yes">/opt/dirx/bin</directories>
>     <directories report_changes="yes"
>       check_all="yes">/opt/dirx/diry/file.py</directories>
>   </syscheck>
> </agent_config>
>
> <agent_config name="server1">
>   <syscheck>
>     <directories report_changes="yes" check_all="yes"
>       realtime="yes">/opt/dirx/bin</directories>
>   </syscheck>
> </agent_config>
>
> Here are my local rules. The second rule is to restart ossec agent in the
> event of an updated agent.conf file via active response.
>
> /var/ossec/rules/local_rules.xml:
> <group name="syscheck">
>   <rule id="100300" level="14">
>     <if_group>syscheck,</if_group>
>     <description>File Changed in '/opt/dirx/bin'</description>
>     <match>/opt/dirx/bin | </match>
>     <match>/opt/dirx/diry</match>
>   </rule>
>
>   <rule id="100301" level="10">
>     <if_sid>550</if_sid>
>     <match>ossec/etc/shared/agent.conf</match>
>     <description>agent.conf has been modified</description>
>   </rule>
> </group>
>
> And finally, here are the global and email directives in the server's
> ossec.conf file.
>
> /var/ossec/etc/ossec.conf (on server):
> <ossec_config>
>
>   <reports>
>     <category>syscheck</category>
>     <title>server: Daily report - File changes</title>
>     <email_to>[email protected]</email_to>
>     <email_to>[email protected]</email_to>
>   </reports>
>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>[email protected]</email_to>
>     <email_to>[email protected]</email_to>
>     <email_from>[email protected]</email_from>
>     <smtp_server>localhost</smtp_server>
>   </global>

These above should get all email alerts.
>   <email_alerts>
>     <email_to>[email protected]</email_to>
>     <email_to>[email protected]</email_to>
>     <email_to>[email protected]</email_to>
>     <rule_id>100300</rule_id>
>     <do_not_delay />
>     <do_not_group />
>   </email_alerts>

Perhaps the granular email configurations can't handle multiple email_to entries? I haven't tried it, but I guess I can figure it out.

> Any assistance would be greatly appreciated! Thanks in advance.
>
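As an added example, not part of this thread or the poster's configuration: the same granular section laid out as one email_alerts block per recipient, so delivery to each list does not depend on a single block honouring several email_to entries (the behaviour the reply above questions). The rule_id and the do_not_delay/do_not_group options are the ones from the poster's ossec.conf; the list addresses are constructed placeholders standing in for the poster's three distribution lists.

```xml
<ossec_config>
  <!-- Granular email for rule 100300, one block per recipient.
       Each block matches the rule on its own and mails its own email_to,
       so no block is relied on to carry more than one address.
       list-a/b/c@example.com are constructed placeholders, not real lists. -->
  <email_alerts>
    <email_to>list-a@example.com</email_to>
    <rule_id>100300</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>

  <email_alerts>
    <email_to>list-b@example.com</email_to>
    <rule_id>100300</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>

  <email_alerts>
    <email_to>list-c@example.com</email_to>
    <rule_id>100300</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
  <!-- These blocks only add recipients for rule 100300. The addresses in
       <global> still receive every alert that reaches email_alert_level,
       so a level-14 alert like 100300 goes to them as well. -->
</ossec_config>
```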
