On May 26, 2015 9:34 AM, "Abdul Baqui" <[email protected]> wrote:

> Hi,
>
> I have this rule in local_rules.xml,
>
> <rule id="5551" level="5" frequency="6" timeframe="180" overwrite="yes">
>   <options>alert_by_email</options>
>   <if_matched_sid>5503</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple failed logins in a small period of time.</description>
>   <group>authentication_failures,</group>
> </rule>
>
> I tried a user with a wrong password. The error is logged in /var/ossec/logs/alerts/alerts.log
>
> ** Alert 1432334325.49295: mail - pam,syslog,authentication_failed,
> 2015 May 22 22:38:45 ip-10-234-9-150->/var/log/secure
> Rule: 5503 (level 5) -> 'User login failed.'

Is rule 5503 configured to always send email?

> May 22 22:38:45 ip-10-234-9-150 su: pam_unix(su-l:auth): authentication failure; logname=xxx uid=511 euid=0 tty=pts/1 ruser=xxx rhost= user=root
>
> But email is not being sent. What am I doing wrong?
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
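As an added example, not code from this thread or from OSSEC itself: a small Python model of how the composite rule in the question (frequency="6", timeframe="180", if_matched_sid 5503, same_source_ip) counts PAM failures, replayed over constructed log lines shaped like the one quoted above. It assumes that same_source_ip can only group events that decode to a source IP (an empty rhost, as in the quoted su line, gives none) and that one burst fires the rule once; the real engine's exact count-off may differ.

```python
import re
from collections import deque

# Parameters of rule 5551 as written in the question's local_rules.xml.
RULE_5551 = {"if_matched_sid": 5503, "frequency": 6, "timeframe": 180}

# Stand-in for OSSEC's pam decoder plus rule 5503 (PAM authentication failure).
PAM_AUTH_FAIL = re.compile(
    r"pam_unix\([\w-]+:auth\): authentication failure;.*\brhost=(\S*)")

def decode_5503(line):
    """Return the source IP of a rule-5503 event, '' when rhost is empty
    (local su), or None when the line is not a 5503 match at all."""
    m = PAM_AUTH_FAIL.search(line)
    return m.group(1) if m else None

def replay_5551(events, rule=RULE_5551):
    """Replay (epoch_seconds, log_line) pairs in time order and return the
    (epoch, srcip) points where the composite rule fires.  Simplified model
    (assumption, not OSSEC's code): fire when `frequency` 5503 events from
    the same source IP fall within `timeframe` seconds."""
    window = deque()            # (epoch, srcip) of recent 5503 matches
    fired = []
    for ts, line in events:
        srcip = decode_5503(line)
        if not srcip:           # not a 5503 event, or nothing for
            continue            # same_source_ip to group on (assumption)
        window.append((ts, srcip))
        while ts - window[0][0] > rule["timeframe"]:
            window.popleft()    # expire events older than the timeframe
        if sum(1 for _, ip in window if ip == srcip) >= rule["frequency"]:
            fired.append((ts, srcip))
            # one burst fires once: forget that IP's events (assumption)
            window = deque(e for e in window if e[1] != srcip)
    return fired

def pam_failure(epoch, rhost, user="root"):
    """Constructed log line in the shape of the one quoted in the thread."""
    return epoch, ("May 22 22:38:45 ip-10-234-9-150 su: pam_unix(su-l:auth): "
                   "authentication failure; logname=xxx uid=511 euid=0 "
                   f"tty=pts/1 ruser=xxx rhost={rhost} user={user}")

# Constructed scenarios: a burst from one IP, a slow trickle from another,
# and local su attempts with an empty rhost (as in the quoted line).
BURST   = [pam_failure(1000 + 10 * i, "10.0.0.5") for i in range(6)]
TRICKLE = [pam_failure(5000 + 100 * i, "10.0.0.6") for i in range(6)]
LOCAL   = [pam_failure(9000 + 10 * i, "") for i in range(6)]

if __name__ == "__main__":
    for name, evs in (("burst", BURST), ("trickle", TRICKLE), ("local", LOCAL)):
        print(name, replay_5551(evs))
```

Only the burst scenario reaches six same-IP events inside 180 seconds; the local su lines never enter the window because they carry no rhost to group on.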
