On Wed, Dec 23, 2015 at 10:48 AM, Maxim Surdu <[email protected]> wrote:
> yes, sorry for my bad english
>
That's very odd then. I don't know if I've ever gotten an alert on a
maillog entry. Did you check your alert emails? Was this alert tucked
away into one of them?

> Wednesday, 23 December 2015, 17:44:37 UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 23, 2015 at 10:43 AM, Maxim Surdu <[email protected]> wrote:
>> > ossec show me logs and rule is working for /var/log/maillog
>> > and var/log/secure
>> >
>> > but ossec send me mail just from /var/log/maillog
>> >
>>
>> I don't understand what you mean. The only emails you get are related
>> to entries in /var/log/maillog?
>>
>> >
>> > Wednesday, 23 December 2015, 17:26:51 UTC+2, Maxim Surdu wrote:
>> >>
>> >> yes the rule is work
>> >>
>> >>
>> >> Alert 1450884351.34521849: mail - policy_violation,login_time,
>> >> 2015 Dec 23 15:25:51 localhost->/var/log/secure
>> >> Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
>> >> Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session
>> >> opened for user msurdu by (uid=0)
>> >>
>> >>
>> >> Wednesday, 23 December 2015, 17:14:34 UTC+2, dan (ddpbsd) wrote:
>> >>>
>> >>> On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu <[email protected]> wrote:
>> >>> > yes, i change and all rules are loaded when ossec is started
>> >>> >
>> >>>
>> >>> Is the rule firing (can you see entries for it in the
>> >>> /var/ossec/logs/alerts/alerts.log)?
>> >>>
>> >>> > Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
>> >>> >>
>> >>> >> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu <[email protected]> wrote:
>> >>> >> > This rule is locate in /var/ossec/rules/policy_rules.xml
>> >>> >> >
>> >>> >>
>> >>> >> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is
>> >>> >> commented out in a default installation.
>> >>> >>
>> >>> >> >
>> >>> >> > Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
>> >>> >> >>
>> >>> >> >> yes i want for a specific mail, but i not receive mail from this
>> >>> >> >> alert
>> >>> >> >>
>> >>> >> >> Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
>> >>> >> >>>
>> >>> >> >>> Hi everyone,
>> >>> >> >>>
>> >>> >> >>> I am new in Ossec, i installed Virtual Appliance of ossec, all is
>> >>> >> >>> working fine, can i do to ossec mail me for specific rule?
>> >>> >> >>> for example for this rule
>> >>> >> >>>
>> >>> >> >>> <group name="policy_violation,">
>> >>> >> >>>   <rule id="17101" level="9">
>> >>> >> >>>     <if_group>authentication_success</if_group>
>> >>> >> >>>     <time>06:00 pm - 09:00 am</time>
>> >>> >> >>>     <description>Successful login during non-business hours.</description>
>> >>> >> >>>     <group>login_time,</group>
>> >>> >> >>>   </rule>
>> >>> >> >>> </group>
>> >>> >> >>>
>> >>> >> >>> Any help would be greatly appreciated
>> >>> >> >>>
>> >>> >> >>> Thanks,
>> >>> >> >>> Maxim

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
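
The check asked for earlier in this thread (is the rule showing up in /var/ossec/logs/alerts/alerts.log, and for which source log), as an added example that is not part of the original messages. It parses alert entries and counts, per rule and source log, how many carried the `mail` flag in the header; the function names, the second sample entry and its rule id 100001 are constructed for illustration.

```python
import re
from collections import defaultdict

# Alert header; "mail" is present only when the alert was flagged for e-mail.
HEADER = re.compile(r"^(?:\*\* )?Alert (\d+\.\d+):\s*(mail)?\s*- (.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

# First entry is the alert quoted in the thread; the second is constructed.
SAMPLE = """\
** Alert 1450884351.34521849: mail  - policy_violation,login_time,
2015 Dec 23 15:25:51 localhost->/var/log/secure
Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)

** Alert 1450884400.34522000: - constructed,
2015 Dec 23 15:26:40 localhost->/var/log/maillog
Rule: 100001 (level 3) -> 'Constructed sample rule.'
Dec 23 17:26:40 localhost postfix/smtpd[9300]: constructed sample line
"""

def parse_alerts(text):
    """Return one dict per alert: id, mail flag, groups, location, rule, level."""
    alerts, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        head = HEADER.match(line)
        if head:
            cur = {"id": head.group(1), "mail": head.group(2) is not None,
                   "groups": [g.strip() for g in head.group(3).split(",") if g.strip()],
                   "location": None, "rule": None, "level": None}
            alerts.append(cur)
        elif cur is not None:
            rule = RULE.match(line)
            if rule:
                cur["rule"], cur["level"] = int(rule.group(1)), int(rule.group(2))
            elif cur["location"] is None and "->" in line:
                # "<timestamp> <host>-><source log>" follows the header
                cur["location"] = line.split("->", 1)[1]
    return alerts

def mail_summary(alerts):
    """Map (rule id, source log) -> [alerts seen, alerts flagged for mail]."""
    out = defaultdict(lambda: [0, 0])
    for a in alerts:
        entry = out[(a["rule"], a["location"])]
        entry[0] += 1
        entry[1] += int(a["mail"])
    return dict(out)

if __name__ == "__main__":
    for (rule, src), (seen, mailed) in sorted(mail_summary(parse_alerts(SAMPLE)).items()):
        print(f"rule {rule} from {src}: {seen} alert(s), {mailed} flagged for mail")
```

A non-zero "flagged for mail" count means the alert was marked for e-mail, not that the message was delivered.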
