Some of the email notifications work, but I think my issue is more with the
rule search. Below is the email notification:
<email_alerts>
<email_to>myemail@mydomain</email_to>
<group>group-all-the-new-rules-are-in</group>
<do_not_delay />
<do_not_group />
</email_alerts>
On Friday, March 28, 2014 10:11:38 AM UTC-5, dan (ddpbsd) wrote:
>
> On Fri, Mar 28, 2014 at 11:08 AM, Ryan <[email protected]> wrote:
> > In the logs I see that some are triggering.
> >
>
> So, doesn't it seem like the problem is with the email configuration
> and not the rules?
>
> > On Friday, March 28, 2014 9:58:29 AM UTC-5, dan (ddpbsd) wrote:
> >>
> >> On Fri, Mar 28, 2014 at 10:53 AM, Ryan <[email protected]> wrote:
> >> > Hello,
> >> > I am working on creating rules to email specific groups when a file
> >> > changes in a specific directory on a client. I am trying to copy the
> >> > below rules, but for a specific directory. I added the specific
> >> > directories into the syscheck notation on the client side. I also found
> >> > and changed the default setting that the ossec server will ignore file
> >> > changes after 3 changes. I did not clear any counters after applying
> >> > this change. I think I have the email to the specific group figured
> >> > out, but I am not getting the emails on the changes. The logs are
> >> > showing some of the changes.
> >> >
> >>
> >> Are your rules triggering?
> >>
> >> > Rules I am trying to copy:
> >> > <rule id="550" level="7">
> >> > <category>ossec</category>
> >> > <decoded_as>syscheck_integrity_changed</decoded_as>
> >> > <description>Integrity checksum changed.</description>
> >> > <group>syscheck,</group>
> >> > </rule>
> >> >
> >> > <rule id="551" level="7">
> >> > <category>ossec</category>
> >> > <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
> >> > <description>Integrity checksum changed again (2nd time).</description>
> >> > <group>syscheck,</group>
> >> > </rule>
> >> >
> >> > <rule id="552" level="7">
> >> > <category>ossec</category>
> >> > <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
> >> > <description>Integrity checksum changed again (3rd time).</description>
> >> > <group>syscheck,</group>
> >> > </rule>
> >> >
> >> > <rule id="553" level="7">
> >> > <category>ossec</category>
> >> > <decoded_as>syscheck_deleted</decoded_as>
> >> > <description>File deleted. Unable to retrieve checksum.</description>
> >> > <group>syscheck,</group>
> >> > </rule>
> >> >
> >> > <rule id="554" level="0">
> >> > <category>ossec</category>
> >> > <decoded_as>syscheck_new_entry</decoded_as>
> >> > <description>File added to the system.</description>
> >> > <group>syscheck,</group>
> >> > </rule>
> >> >
> >> > <rule id="555" level="7">
> >> > <if_sid>500</if_sid>
> >> > <match>^ossec: agentless: </match>
> >> > <description>Integrity checksum for agentless device changed.</description>
> >> > <group>syscheck,agentless</group>
> >> > </rule>
> >> >
> >> >
> >> > Different trial rules :
> >> > <rule id="100001" level="13">
> >> > <if_sid>550</if_sid>
> >> > <match>DIRECTORY</match>
> >> > <description>A file has changed in DIRECTORY</description>
> >> > </rule>
> >> >
> >> > <rule id="100002" level="13">
> >> > <if_sid>551</if_sid>
> >> > <match>DIRECTORY</match>
> >> > <description>A file has changed (2nd time) in DIRECTORY</description>
> >> > </rule>
> >> >
> >> > <rule id="100003" level="13">
> >> > <if_sid>552</if_sid>
> >> > <match>DIRECTORY</match>
> >> > <description>A file has changed (3rd time) in DIRECTORY</description>
> >> > </rule>
> >> >
> >> > <rule id="100004" level="13">
> >> > <if_sid>553</if_sid>
> >> > <match>DIRECTORY</match>
> >> > <description>A file was deleted in DIRECTORY</description>
> >> > </rule>
> >> >
> >> > <rule id="100005" level="13">
> >> > <if_sid>554</if_sid>
> >> > <match>DIRECTORY</match>
> >> > <description>A file was added in DIRECTORY</description>
> >> > </rule>
> >> >
> >> > <rule id="100006" level="13">
> >> > <if_sid>555</if_sid>
> >> > <match>DIRECTORY</match>
> >> > <description>Integrity checksum of a file was changed in DIRECTORY</description>
> >> > </rule>
> >> >
> >> >
> >> > <rule id="100011" level="13">
> >> > <decoded_as>syscheck_integrity_changed</decoded_as>
> >> > <match>DIRECTORY</match>
> >> > <description>Integrity checksum changed.</description>
> >> > </rule>
> >> >
> >> > <rule id="100012" level="13">
> >> > <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
> >> > <match>DIRECTORY</match>
> >> > <description>Integrity checksum changed again (2nd time).</description>
> >> > </rule>
> >> >
> >> > <rule id="100013" level="13">
> >> > <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
> >> > <match>DIRECTORY</match>
> >> > <description>Integrity checksum changed again (3rd time).</description>
> >> > </rule>
> >> >
> >> > <rule id="100014" level="13">
> >> > <decoded_as>syscheck_deleted</decoded_as>
> >> > <match>DIRECTORY</match>
> >> > <description>File deleted. Unable to retrieve checksum.</description>
> >> > </rule>
> >> >
> >> > <rule id="100015" level="13">
> >> > <decoded_as>syscheck_new_entry</decoded_as>
> >> > <match>DIRECTORY</match>
> >> > <description>File added to the system.</description>
> >> > </rule>
> >> >
> >> >
> >> > <rule id="100021" level="13">
> >> > <if_matched_group>syscheck</if_matched_group>
> >> > <match>DIRECTORY</match>
> >> > <description>Integrity checksum changed.</description>
> >> > </rule>
> >> >
> >> > <rule id="100022" level="13">
> >> > <if_matched_group>syscheck</if_matched_group>
> >> > <match>DIRECTORY</match>
> >> > <description>Integrity checksum changed again (2nd time).</description>
> >> > </rule>
> >> >
> >> > <rule id="100023" level="13">
> >> > <if_matched_group>syscheck</if_matched_group>
> >> > <match>DIRECTORY</match>
> >> > <description>Integrity checksum changed again (3rd time).</description>
> >> > </rule>
> >> >
> >> > <rule id="100024" level="13">
> >> > <if_matched_group>syscheck</if_matched_group>
> >> > <match>DIRECTORY</match>
> >> > <description>File deleted. Unable to retrieve checksum.</description>
> >> > </rule>
> >> >
> >> > <rule id="100025" level="13">
> >> > <if_matched_group>syscheck</if_matched_group>
> >> > <match>DIRECTORY</match>
> >> > <description>File added to the system.</description>
> >> > </rule>
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
> >
>
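An added check, not from the thread or from the OSSEC project: a small Python lint that cross-references a local_rules.xml fragment against the <email_alerts> block and email_alert_level in ossec.conf and reports the rules the granular e-mail filter would skip, which is where the reply above points. The rule set and config below are constructed samples modelled on the ones posted (rules 100031 and 100032 are hypothetical variants); the lint assumes an alert carries only the groups declared on the rule itself and its enclosing <group name> wrapper, not those of parent rules reached through <if_sid>.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread: trial rule 100001 as posted (no
# <group>), plus two hypothetical variants that declare the e-mail group.
LOCAL_RULES = """<group name="local,">
  <rule id="100001" level="13"><if_sid>550</if_sid><match>DIRECTORY</match>
    <description>A file has changed in DIRECTORY</description></rule>
  <rule id="100031" level="13"><if_sid>550</if_sid><match>DIRECTORY</match>
    <description>A file has changed in DIRECTORY</description>
    <group>syscheck,group-all-the-new-rules-are-in,</group></rule>
  <rule id="100032" level="5"><if_sid>554</if_sid><match>DIRECTORY</match>
    <description>A file was added in DIRECTORY</description>
    <group>group-all-the-new-rules-are-in,</group></rule>
</group>"""

# Constructed ossec.conf fragment: the thread's <email_alerts> block plus the
# default email_alert_level of 7.
OSSEC_CONF = """<ossec_config>
  <alerts><email_alert_level>7</email_alert_level></alerts>
  <email_alerts><email_to>myemail@mydomain</email_to>
    <group>group-all-the-new-rules-are-in</group>
    <do_not_delay /><do_not_group /></email_alerts>
</ossec_config>"""

def lint_email_rules(rules_xml, conf_xml):
    """Map rule id -> reasons the granular <email_alerts> block would not mail it.
    Simplified OSSEC model: mailed only if level >= email_alert_level or the rule
    sets <options>alert_by_email</options>; the <group> filter is a substring
    match on the rule's own groups (<group name> wrapper plus <group>).
    """
    conf = ET.fromstring(conf_xml)
    min_level = int(conf.findtext("alerts/email_alert_level", default="7"))
    wanted = [g.text.strip() for g in conf.findall("email_alerts/group")]
    findings = {}
    # local_rules.xml may contain several top-level <group> blocks; wrap them.
    for block in ET.fromstring("<root>" + rules_xml + "</root>").findall("group"):
        for rule in block.findall("rule"):
            reasons = []
            level = int(rule.get("level", "0"))
            opts = rule.findtext("options") or ""
            if level < min_level and "alert_by_email" not in opts:
                reasons.append(f"level {level} is below email_alert_level {min_level}")
            groups = block.get("name", "") + (rule.findtext("group") or "")
            missing = [g for g in wanted if g not in groups]
            if missing:
                reasons.append("no declared group matches " + ", ".join(missing))
            if reasons:
                findings[rule.get("id")] = reasons
    return findings
```

Running it on the samples flags 100001 (no matching group) and 100032 (level too low) and passes 100031, which is the shape a rule needs before the posted <email_alerts> block will select it.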