1. I want to change the text of the alert; my users can't understand what a checksum is, they only want to know the list of changed files :)
2. Some users want to receive notifications via Slack. At the moment I am working on an active-response script that receives information from the logs and sends notifications to users.
3. So my question is: what is the best way to collect all syscheck alerts and send them in one message from my active-response (or integration) script?

I see this scenario:
1. Create a temp file on the "Starting syscheck scan" event.
2. On each rule 550-554, append the filename of the changed file to the temp file.
3. On the "Ending syscheck scan" event, send the file to the customer.

Is it a good solution, or is there a better way? Thank you for your answers, Pedro!

Pedro S:
> Hi,
>
> Let me know if I understood right, do you want OSSEC to only send emails
> related to syscheck notifications? If it is so, try to add a granular
> option on email notifications: you can use the "group" setting in your email
> alerts configuration.
> Open and modify the ossec.conf file at the OSSEC Manager and add the following
> lines:
>
> <email_alerts>
>   <email_to>[email protected]</email_to>
>   <group>syscheck</group>
> </email_alerts>
>
> Restart your manager to apply the changes. Now OSSEC will only forward
> "syscheck" alerts.
>
> More info:
> http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html
>
> I do not understand what you mean with rule 515 and "Ending rootcheck
> scan", please be more specific.
>
> Regards,
>
> Pedro S.
>
> On Monday, February 22, 2016 at 3:37:18 PM UTC+1, [email protected] wrote:
>>
>> Hello!
>> I want to send only the changed filenames, like in the email (see below)?
>>
>> Is there any way to avoid waiting for rule 515 with "Ending syscheck scan"
>> and parsing all the logs by hand?
>>
>> Thank you!
>>
>> ---------- email message with aggregation of multiple events into a single email ----------
>> OSSEC HIDS Notification.
>> 2016 Feb 22 06:10:15
>>
>> Received From: serv-10244->syscheck
>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> Portion of the log(s):
>>
>> Integrity checksum changed for: '/home/woodwork/public_html/xc4dev/var/templates_c/c7659adfadb0a34875da46831ecaa54e/%%10^10D^10D3B5F4%%import_export.tpl.php'
>> Old md5sum was: 'dceb399d30e95119919656e661204554'
>> New md5sum is : '81245ed3dd02f3406eb8a2fed54d9942'
>> Old sha1sum was: '7d76c4a8134f64290c14706f15e7c7a28256fc51'
>> New sha1sum is : '539cf636a958d88a3e8f1f8fbb468716a9a0a6d1'
>>
>> --END OF NOTIFICATION
>>
>> OSSEC HIDS Notification.
>> 2016 Feb 22 06:10:15
>>
>> Received From: serv-10244->syscheck
>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> Portion of the log(s):
>>
>> Integrity checksum changed for: '/home/woodwork/public_html/xc4dev/var/templates_c/c7659adfadb0a34875da46831ecaa54e/%%C3^C39^C3917CB7%%zipcode.tpl.php.md5'
>> Old md5sum was: '893a40c51c7f8bf5be98319a30c05a18'
>> New md5sum is : '94a2aab9fc50d05b6838e2bff772ee75'
>> Old sha1sum was: '092003613f24ac04e5214dc24d1dcb0494dbca03'
>> New sha1sum is : 'ed5607668955e07bedc7529f1f18843e174fdcf1'
>>
>> --END OF NOTIFICATION
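A worked version of the three-step scenario described in the post above, as an added example (not OSSEC code, nor the poster's or Pedro's script): a small Python parser that walks an alert stream, takes the file name from each rule 550-554 alert between the "Starting syscheck scan" and "Ending syscheck scan" messages, and renders one plain file list per scan for the Slack or email sender. The sample alert text is constructed from the notification quoted in the thread; the rule 554 wording and the bare scan-boundary lines are assumptions.

```python
import re

# Constructed sample, modelled on the notification quoted in this thread; the
# rule 554 wording and the bare scan-boundary lines are assumptions.
SAMPLE_ALERTS = """\
ossec: Starting syscheck scan.
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Integrity checksum changed for: '/var/www/html/import_export.tpl.php'
Old md5sum was: 'dceb399d30e95119919656e661204554'
Rule: 554 fired (level 5) -> "File added to the system."
New file '/var/www/html/upload/x.php' added to the file system.
ossec: Ending syscheck scan.
"""
RULE_RE = re.compile(r'^Rule: (\d+) fired \(level \d+\) -> "(.*)"')
PATH_RE = re.compile(r"'(/[^']*)'")   # first quoted absolute path in a line
SYSCHECK_RULES = range(550, 555)      # rules 550-554, as listed in the thread

def aggregate_syscheck_alerts(lines):
    """Yield one (rule id, description, path) list per completed scan; alerts
    outside a Starting/Ending syscheck window (realtime syscheck) are dropped."""
    collecting, current_rule, changes = False, None, []
    for line in lines:
        line = line.strip()
        m = RULE_RE.match(line)
        if "Starting syscheck scan" in line:
            collecting, changes = True, []
        elif "Ending syscheck scan" in line:
            if collecting:
                yield changes
            collecting = False
        elif m:                               # alert header: remember its rule
            rid = int(m.group(1))
            current_rule = (rid, m.group(2)) if rid in SYSCHECK_RULES else None
        elif collecting and current_rule:
            p = PATH_RE.search(line)          # the alert's file line; hash lines skip
            if p:
                changes.append(current_rule + (p.group(1),))
                current_rule = None           # one file per alert

def format_message(changes):
    """Render one scan's changes as the plain file list the users asked for."""
    if not changes:
        return "syscheck: scan finished, no file changes"
    out = ["syscheck: %d changed file(s) in last scan" % len(changes)]
    out += ["  %s  (rule %d: %s)" % (p, r, d) for r, d, p in changes]
    return "\n".join(out)

if __name__ == "__main__":
    for scan in aggregate_syscheck_alerts(SAMPLE_ALERTS.splitlines()):
        print(format_message(scan))       # pass this to the Slack/email sender
```

The checksum lines never reach the output, which is what the users asked for; a real deployment also has to make sure the scan-boundary messages actually reach the alert log, since the state machine depends on them.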
