Did you say other alerts are triggering emails correctly? Everything looks good to me, but here are some questions that might help troubleshoot the problem.
Do you see the alert in the alerts.log file? Have you configured other global email settings? What is your email_alerts_level?

On Tue, Feb 23, 2016 at 12:11 PM, Fredrik <[email protected]> wrote:
> Hi All,
>
> Another question for all you Ossec gurus. I have another rule set up to
> handle messages in a somewhat strange format (below). I would like this to
> ultimately trigger an email alert - which is working for other rules.
>
> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time (UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>
> I see that an alert is written to alerts.log, and ossec-logtest finished
> processing with **Alert to be generated. However, no email is sent?
>
> <group name="attack,virus">
>   <rule id="100130" level="12">
>     <decoded_as>MSSCEP</decoded_as>
>     <options>alert_by_email</options>
>     <description>SCEP malware alert</description>
>   </rule>
> </group>
>
> As I wasn't sure how to best extract fields from the message above, the
> decoder simply matches on <program_name>, please feel free to suggest
> variants to decode the message and make use of the fields available in
> OSSEC. Perhaps my failure to do so can have something to do with the
> missing email alert?
>
> <decoder name="MSSCEP">
>   <program_name>SCEP</program_name>
>   <type>syslog</type>
> </decoder>
>
> Finally, output from ossec-logtest:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>        hostname: 'ossec-srv'
>        program_name: 'SCEP'
>        log: 'Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>
> **Phase 2: Completed decoding.
>        decoder: 'MSSCEP'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100130'
>        Level: '12'
>        Description: 'SCEP malware alert'
> **Alert to be generated.
>
> Best regards,
> Fredrik
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
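As an added example (not from Fredrik's post or the reply above, and not stock OSSEC content), here is one way to split the decoder into a parent and a child so the fields in that SCEP line become available to rules. The parent keeps the name MSSCEP so rule 100130's decoded_as still matches, since decoded_as is compared against the parent decoder name. The child decoder name, the regex and the choice of which OSSEC field slot (extra_data, data, id, url, status) holds which value are assumptions built from the single sample line quoted above.

```xml
<!-- Added example for local_decoder.xml: parent/child decoder for the SCEP line.
     Not part of the original thread; regex and field mapping are assumptions. -->

<!-- Parent: same name as before, so <decoded_as>MSSCEP</decoded_as> keeps working -->
<decoder name="MSSCEP">
  <program_name>^SCEP</program_name>
</decoder>

<!-- Child: only tried after the parent matched on program_name -->
<decoder name="MSSCEP-malware">
  <parent>MSSCEP</parent>
  <prematch>^Malware alert: </prematch>
  <!-- Captures, left to right:
         1. affected client host      -> extra_data
         2. threat name               -> data
         3. infection count           -> id
         4. quarantined file path     -> url
         5. quarantine result word    -> status
       The "\.+" between the count and "file:_" skips the detection timestamp. -->
  <regex offset="after_prematch">^(\S+) (\S+) Number of infections: (\d+) \.+ file:_(\.+) Quarantine (\w+)$</regex>
  <order>extra_data, data, id, url, status</order>
</decoder>
```

To check it, run the same line through ossec-logtest again: Phase 2 should still report decoder 'MSSCEP', and should now list the extracted fields (for example extra_data: 'client2.domain.com' and status: 'Succeeded'). Once those fields exist, child rules can key on them with tags such as <status> or <extra_data>. Decoding fields does not by itself change whether an email is sent: with alert_by_email on the rule, the email still depends on email being enabled in the <global> section (<email_notification>yes</email_notification> together with a working <email_to> and <smtp_server>), which is what the questions at the top of this reply are getting at.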
