On Wed, Dec 23, 2015 at 10:43 AM, Maxim Surdu <[email protected]> wrote:
> ossec shows me logs and the rule is working for /var/log/maillog
> and /var/log/secure
>
> but ossec sends me mail just from /var/log/maillog
>

I don't understand what you mean. The only emails you get are related
to entries in /var/log/maillog?

>
> Wednesday, 23 December 2015, 17:26:51 UTC+2, Maxim Surdu wrote:
>>
>> yes, the rule is working
>>
>>
>> Alert 1450884351.34521849: mail  - policy_violation,login_time,
>> 2015 Dec 23 15:25:51 localhost->/var/log/secure
>> Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
>> Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session
>> opened for user msurdu by (uid=0)
>>
>>
>> Wednesday, 23 December 2015, 17:14:34 UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu <[email protected]> wrote:
>>> > yes, I changed it and all rules are loaded when ossec is started
>>> >
>>>
>>> Is the rule firing (can you see entries for it in the
>>> /var/ossec/logs/alerts/alerts.log)?
>>>
>>> > Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
>>> >>
>>> >> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu <[email protected]>
>>> >> wrote:
>>> >> > This rule is located in /var/ossec/rules/policy_rules.xml
>>> >> >
>>> >>
>>> >> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is
>>> >> commented out in a default installation.
>>> >>
>>> >> >
>>> >> > Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
>>> >> >>
>>> >> >> yes, I want it for a specific mail, but I do not receive mail from
>>> >> >> this alert
>>> >> >>
>>> >> >> Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
>>> >> >>>
>>> >> >>> Hi everyone,
>>> >> >>>
>>> >> >>> I am new to Ossec. I installed the Virtual Appliance of ossec and
>>> >> >>> all is working fine. What can I do to have ossec mail me for a
>>> >> >>> specific rule? For example, for this rule:
>>> >> >>>
>>> >> >>>
>>> >> >>> <group name="policy_violation,">
>>> >> >>>   <rule id="17101" level="9">
>>> >> >>>     <if_group>authentication_success</if_group>
>>> >> >>>     <time>06:00 pm - 09:00 am</time>
>>> >> >>>     <description>Successful login during non-business hours.</description>
>>> >> >>>     <group>login_time,</group>
>>> >> >>>   </rule>
>>> >> >>> </group>
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>> Any help would be greatly appreciated
>>> >> >>>
>>> >> >>> Thanks,
>>> >> >>> Maxim
>>> >> >
>>> >> > --
>>> >> >
>>> >> > ---
>>> >> > You received this message because you are subscribed to the Google
>>> >> > Groups
>>> >> > "ossec-list" group.
>>> >> > To unsubscribe from this group and stop receiving emails from it,
>>> >> > send
>>> >> > an
>>> >> > email to [email protected].
>>> >> > For more options, visit https://groups.google.com/d/optout.

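An added example, not part of the thread or of OSSEC itself: a small parser for alerts.log entries in the layout quoted above, to check per rule and per monitored log file whether alerts carry the `mail` token that OSSEC writes in the alert header when an alert is flagged for e-mail. The first sample entry is the alert from the thread; the second entry (rule id 100001 and its log line) is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# "mail" between the alert id and the group list marks an alert flagged for e-mail.
HEADER = re.compile(r"^(?:\*\* )?Alert (?P<id>\d+\.\d+):(?P<flags>[^-]*)- (?P<groups>.*)$")
WHEN = re.compile(r"^\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d (?P<location>.+)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# First entry is the alert quoted in the thread; the second one is constructed.
SAMPLE = """\
** Alert 1450884351.34521849: mail  - policy_violation,login_time,
2015 Dec 23 15:25:51 localhost->/var/log/secure
Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)

** Alert 1450884400.34522000: - local,
2015 Dec 23 15:26:40 localhost->/var/log/maillog
Rule: 100001 (level 3) -> 'Constructed low-level rule.'
Dec 23 17:26:40 localhost postfix/smtpd[9300]: constructed sample line
"""

def parse_alerts(text):
    """Return one dict per alert: id, mail flag, groups, location, rule, level."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"id": m["id"], "mail": "mail" in m["flags"].split(),
                   "groups": [g for g in m["groups"].split(",") if g]}
            alerts.append(cur)
        elif cur is not None and "location" not in cur and (m := WHEN.match(line)):
            cur["location"] = m["location"].rsplit("->", 1)[-1]
        elif cur is not None and "rule" not in cur and (m := RULE.match(line)):
            cur["rule"], cur["level"] = int(m["rule"]), int(m["level"])
    return alerts

def mail_flags_for_rule(text, rule_id):
    """(alert id, log file, flagged-for-mail) for every alert of one rule."""
    return [(a["id"], a.get("location"), a["mail"])
            for a in parse_alerts(text) if a.get("rule") == rule_id]

def mail_counts_by_log(text):
    """Per monitored log file: alerts with and without the mail flag."""
    counts = defaultdict(lambda: {"mail": 0, "no_mail": 0})
    for a in parse_alerts(text):
        counts[a.get("location")]["mail" if a["mail"] else "no_mail"] += 1
    return dict(counts)

if __name__ == "__main__":
    print(mail_flags_for_rule(SAMPLE, 17101), mail_counts_by_log(SAMPLE))
```

An alert that carries the flag but never arrives by mail points at the delivery side (mail settings or the mail daemon) rather than at the rule.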