On Tue, May 26, 2015 at 9:42 AM, Abdul Baqui <[email protected]> wrote:
> pam_rules.xml is set as:
>
> <rule id="5500" level="0" noalert="1">
>   <decoded_as>pam</decoded_as>
>   <description>Grouping of the pam_unix rules.</description>
> </rule>
>
> <rule id="5501" level="3">
>   <if_sid>5500</if_sid>
>   <match>session opened for user </match>
>   <description>Login session opened.</description>
>   <group>authentication_success,</group>
> </rule>
>
> <rule id="5502" level="3">
>   <if_sid>5500</if_sid>
>   <match>session closed for user </match>
>   <description>Login session closed.</description>
> </rule>
>
> <rule id="5503" level="5">
>   <if_sid>5500</if_sid>
>   <match>authentication failure; logname=</match>
>   <description>User login failed.</description>
>   <group>authentication_failed,</group>
> </rule>
>
> What should be modified for rule 5503 to be included in local_rules.xml?
>

Either use the alert_by_email option, or raise the level to at least the minimum email alert level.

>> On Tuesday, May 26, 2015 at 6:34:38 AM UTC-7, Abdul Baqui wrote:
>> Hi,
>>
>> I've this rule in local_rules.xml,
>>
>> <rule id="5551" level="5" frequency="6" timeframe="180" overwrite="yes">
>>   <options>alert_by_email</options>
>>   <if_matched_sid>5503</if_matched_sid>
>>   <same_source_ip />
>>   <description>Multiple failed logins in a small period of time.</description>
>>   <group>authentication_failures,</group>
>> </rule>
>>
>> I tried a user with a wrong password. The error is logged in /var/ossec/logs/alerts/alerts.log
>>
>> ** Alert 1432334325.49295: mail - pam,syslog,authentication_failed,
>> 2015 May 22 22:38:45 ip-10-234-9-150->/var/log/secure
>> Rule: 5503 (level 5) -> 'User login failed.'
>> May 22 22:38:45 ip-10-234-9-150 su: pam_unix(su-l:auth): authentication failure; logname=xxx uid=511 euid=0 tty=pts/1 ruser=xxx rhost= user=root
>>
>> But email is not being sent. What am I doing wrong?
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
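To make concrete what the frequency="6", timeframe="180" and <same_source_ip /> attributes of rule 5551 ask the engine to do, here is an added Python simulation of that correlation run over constructed pam_unix lines in the same format as the alert quoted above. It is not OSSEC's code; the regex field layout, the supplied year and the "<local>" key used for an empty rhost are my assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed field layout of a syslog-wrapped pam_unix authentication failure,
# modelled on the 'authentication failure; logname=...' line in the thread.
PAM_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: pam_unix\([^)]*\): "
    r"authentication failure; logname=\S* uid=\d+ euid=\d+ tty=\S* ruser=\S* "
    r"rhost=(?P<rhost>\S*) ?user=(?P<user>\S*)"
)

# Constructed sample input: the thread's local 'su' failure (empty rhost) plus
# six SSH failures from one remote host inside a single minute.
SAMPLE = [
    "May 22 22:38:45 ip-10-234-9-150 su: pam_unix(su-l:auth): authentication failure;"
    " logname=xxx uid=511 euid=0 tty=pts/1 ruser=xxx rhost= user=root",
] + [
    f"May 22 22:40:{s:02d} ip-10-234-9-150 sshd[2201]: pam_unix(sshd:auth): authentication"
    " failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root"
    for s in (1, 12, 25, 37, 48, 59)
]

def parse_failure(line, year=2015):
    """Return (timestamp, source, user) for a pam_unix auth failure, else None.
    Syslog lines carry no year, so one is supplied (assumption: 2015)."""
    m = PAM_FAIL.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    # An empty rhost (a local su, as in the thread) has no source IP to group
    # on; it is keyed as '<local>' so it never correlates with remote hosts.
    return ts, m["rhost"] or "<local>", m["user"]

def correlate(lines, frequency=6, timeframe=180):
    """Raise one composite alert per source each time `frequency` failures fall
    within `timeframe` seconds of each other (what rule 5551 expresses)."""
    window = defaultdict(deque)   # source -> timestamps still inside the window
    alerts = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue                  # not a 5503-style event; ignore it
        ts, src, _user = parsed
        q = window[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()               # expire failures older than the window
        if len(q) >= frequency:
            alerts.append((src, ts))
            q.clear()                 # start counting afresh after firing
    return alerts
```

Run against SAMPLE, the six remote failures trigger one composite alert at 22:40:59 while the single local su failure never does, which is the grouping the same_source_ip element imposes.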
