Hi Dan, Things are working fine now. But I have another problem, now I am getting most of the alert for FTP activity excluding file upload and download alert. The rule which you have given works fine but when I restart Ossec I am getting the following error :
2013/03/14 12:38:18 ossec-analysisd: Invalid decoder name: 'pure-transfer'. 2013/03/14 12:38:18 ossec-analysisd(1220): ERROR: Error loading the rules: 'local_rules.xml'. 2013/03/14 12:38:21 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'. 2013/03/14 12:38:21 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up.. So there is two problem I am facing currently : 1 Not getting alert for upload and download since this is getting logged into another file and not into syslog file. 2 facing the issue with restart of ossec server. Thanks for your input and help so far. On Thu, Mar 14, 2013 at 2:58 AM, dan (ddp) <[email protected]> wrote: > On Wed, Mar 13, 2013 at 7:43 AM, S Pratap Singh <[email protected]> > wrote: > > All fixed but I am not getting alert to my mail box for FTP activity as > > other alerts. > > > > Are you getting other alerts in your email? > Do you have access to the maillogs? If so, check to see if the mail is > being rejected or something. > If not, use tcpdump or something similar to watch mail traffic to see > if OSSEC even attempts to send the message. > > > -- > > > > --- > > You received this message because you are subscribed to the Google Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to [email protected]. > > For more options, visit https://groups.google.com/groups/opt_out. > > > > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > > -- Regards, Pratap Singh -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
