Having a hard time with this one. I am getting my alerts to fire, and can test with ossec-logtest. Problem is that I seem to only be getting "some" of the alerts via email.

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>redacte...@rightscale.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>redactedf...@rightscale.com</email_from>
  </global>

  <email_alerts>
    <email_to>redactedspec...@rightscale.com</email_to>
    <group>importantgroup</group>
  </email_alerts>
....

Here is an entry in the alerts.log file:

** Alert 1361392871.5814: - local,syslog,importantgroup
2013 Feb 20 20:41:11 ossecSRV->/var/log/auth.log
Rule: 101022 (level 6) -> 'sudo shell execution'
Feb 20 20:41:10 ossecSRV sudo: appuser : TTY=pts/1 ; PWD=/home/appuser ; USER=jack ; COMMAND=/bin/bash

I had been getting email to the "importantgroup" alias, but no longer. Any ideas on how I can debug this email not happening? It is maddening, and all the debug and verbose logtest stuff just shows me the alert fires. I know that already :(

Thanks,
Phil