Here is an example of an alert I would think would be emailed out given its
alert level (substitutions made to protect data):
** Alert 1363025973.366006859: mail - ids,fts,
2013 Mar 11 14:19:33 (SNORTsvr) <ip address> ->/var/snort/logs/alerts
Rule: 20100 (level 8) -> 'First time this IDS alert is generated.'
Src IP: <ip address>
Dst IP: <ip address>
03/11-13:19:30.519963 [**] [1:2000488:7] ET EXPLOIT MS-SQL SQL Injection
closing string plus line comment [**] [Classification: Attempted User Privilege
Gain] [Priority: 1] {TCP <ip address>:63836 -> <ip address>:1433
The ossec.conf section for email is:
<global>
<email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<email_to>[email protected]</email_to>
<smtp_server>1.2.3.4</smtp_server>
<email_from>[email protected]</email_from>
</global>
Rob
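As an added example (not from this thread or the OSSEC project), a small parser for the alerts.log record format quoted above: it reads the rule id and level, and the "mail" token in the "** Alert" header, which OSSEC writes when it has flagged the alert for email. Comparing the parsed level with email_alert_level separates "the rule never qualified for mail" from "it qualified but delivery failed"; the IPs and the completed Snort line in the sample are constructed.

```python
import re

# Constructed sample modelled on the alert quoted above (IPs made up, Snort line completed)
SAMPLE_ALERT = """** Alert 1363025973.366006859: mail - ids,fts,
2013 Mar 11 14:19:33 (SNORTsvr) 10.0.0.5->/var/snort/logs/alerts
Rule: 20100 (level 8) -> 'First time this IDS alert is generated.'
Src IP: 10.0.0.9
Dst IP: 10.0.0.20
03/11-13:19:30.519963 [**] [1:2000488:7] ET EXPLOIT MS-SQL SQL Injection closing string plus line comment [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.9:63836 -> 10.0.0.20:1433
"""

# "** Alert <id>: mail - <groups>"; the "mail " token is present only when OSSEC flagged the alert for email
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+): (?P<mail>mail )?- (?P<groups>[\w,]+)")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'")


def parse_alert(text):
    """Split one alerts.log record into its fields; returns None if the header is malformed."""
    lines = text.strip().splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        return None
    record = {
        "id": m.group("id"),
        "mail_flag": bool(m.group("mail")),
        "groups": [g for g in m.group("groups").split(",") if g],
    }
    for line in lines[1:]:
        r = RULE_RE.match(line)
        if r:
            record["rule"] = int(r.group("rule"))
            record["level"] = int(r.group("level"))
            record["description"] = r.group("desc")
        elif line.startswith("Src IP: "):
            record["src_ip"] = line[len("Src IP: "):]
        elif line.startswith("Dst IP: "):
            record["dst_ip"] = line[len("Dst IP: "):]
    return record


def should_email(record, email_alert_level=7):
    """True when the alert level reaches the configured <email_alert_level>."""
    return record.get("level", 0) >= email_alert_level


def check_alerts(log_text, email_alert_level=7):
    """Walk a whole alerts.log: (rule, level, flagged_for_mail, should_have_mailed) per record."""
    results = []
    for chunk in log_text.split("** Alert ")[1:]:
        rec = parse_alert("** Alert " + chunk)
        if rec and "level" in rec:
            results.append((rec["rule"], rec["level"], rec["mail_flag"], should_email(rec, email_alert_level)))
    return results
```

A record where the last two fields are both True but no message arrived points at the SMTP side (smtp_server reachability, relay acceptance) rather than at rule levels.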
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Monday, March 11, 2013 4:06 PM
To: [email protected]
Subject: Re: [ossec-list] Newish to Ossec with question
On Mon, Mar 11, 2013 at 3:48 PM, Rhoads, Robert W. <[email protected]> wrote:
> Hello to everyone. I am fairly new to OSSEC and need a little
> assistance or nudge in the right direction.
>
> I have installed the OSSEC agent on a Linux system running SNORT, and
> have configured the OSSEC agent to look at and read the SNORT alert
> file. I have confirmed that this does work, and according to the
> OSSEC alert log on the server, OSSEC server sees and generates an
> alert on IDS events... however, these alerts OSSEC sees and generates in its
> log file are not emailed out.
> The setting for email alerts is set to level 7, and while the majority
> are at level six, several level 8 and level 10 alerts do appear in the
> log file and email was never generated. I am receiving email alerts
> for other types of alerts generated by OSSEC.
>
> Do I need to create my own rule to get OSSEC to email the alerts to
> me? If not, where might I go poking around to solve this?
>
> Respectfully,
>
> Robert Rhoads
>
What alerts are you seeing in your ossec alerts.log that you expect emails on?
How do you have email setup in ossec?
> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>