Having a hard time with this one. I am getting my alerts to fire, and can
test with ossec-logtest. Problem is that I seem to only be getting "some"
of the alerts via email.

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>redacte...@rightscale.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>redactedf...@rightscale.com</email_from>
  </global>

  <email_alerts>
    <email_to>redactedspec...@rightscale.com</email_to>
    <group>importantgroup</group>
  </email_alerts>
    ....

Here is an entry in the alerts.log file:

** Alert 1361392871.5814: - local,syslog,importantgroup
2013 Feb 20 20:41:11 ossecSRV->/var/log/auth.log
Rule: 101022 (level 6) -> 'sudo shell execution'
Feb 20 20:41:10 ossecSRV sudo: appuser : TTY=pts/1 ; PWD=/home/appuser ;
USER=jack ; COMMAND=/bin/bash

I had been getting email to the "importantgroup" alias, but no longer.

Any ideas on how I can debug this email not happening? It is maddening, and
all the debug and verbose logtest stuff just shows me the alert fires. I
know that already :(

Thanks,

Phil
