Thanks Santiago, please find more details below. Best regards, Fredrik
Yes, I see the alert written to alerts.log (pulled the alert below out of the archive from yesterday) and email alerts are working for other rules. I also restarted ossec but to no avail. Strange!

ossec-alerts-23.log.gz:

Rule: 100130 (level 12) -> 'SCEP malware alert'
Feb 23 20:37:00 ossec-svr SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded

ossec.conf:

<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>7</email_alert_level>
</alerts>

On Wednesday, February 24, 2016 at 2:46:31 AM UTC+1, Santiago Bassett wrote:
>
> Did you say other alerts are triggering emails correctly? Everything looks
> good to me, but here are some questions that might help troubleshoot the
> problem.
>
> Do you see the alert in alerts.log file?
> Have you configured other global email settings?
> What is your email_alerts_level?
>
>
> On Tue, Feb 23, 2016 at 12:11 PM, Fredrik <[email protected]> wrote:
>
>> Hi All,
>>
>> Another question for all you Ossec gurus. I have another rule set up to
>> handle messages in a somewhat strange format (below). I would like this to
>> ultimately trigger an email alert - which is working for other rules.
>>
>> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>
>> I see that an alert is written to alerts.log, and ossec-logtest finished
>> processing with **Alert to be generated. However, no email is sent?
>>
>> <group name="attack,virus">
>>   <rule id="100130" level="12">
>>     <decoded_as>MSSCEP</decoded_as>
>>     <options>alert_by_email</options>
>>     <description>SCEP malware alert</description>
>>   </rule>
>> </group>
>>
>> As I wasn't sure how to best extract fields from the message above, the
>> decoder simply matches on <program_name>; please feel free to suggest
>> variants to decode the message and make use of the fields available in
>> OSSEC. Perhaps my failure to do so can have something to do with the
>> missing email alert?
>>
>> <decoder name="MSSCEP">
>>   <program_name>SCEP</program_name>
>>   <type>syslog</type>
>> </decoder>
>>
>> Finally, output from ossec-logtest:
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>        hostname: 'ossec-srv'
>>        program_name: 'SCEP'
>>        log: 'Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'MSSCEP'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100130'
>>        Level: '12'
>>        Description: 'SCEP malware alert'
>> **Alert to be generated.
>>
>> Best regards,
>> Fredrik
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
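Added example, not part of the thread and not OSSEC's shipped decoders or rules: a parent/child decoder pair that pulls the client, threat name, infection count, file path and quarantine result out of the SCEP line instead of matching on program_name alone, a base rule plus a correlation rule that uses one of those fields, and the global email block that ossec-maild needs before any rule-level alert_by_email option has an effect. The decoder names, rule id 100131, the mapping of the client hostname onto OSSEC's fixed "user" field (so that same_user can correlate on it), the thresholds and the example.com addresses are all assumptions chosen for illustration.

```xml
<!-- Added example (not from the thread). Decoder names, rule id 100131, the
     field mapping and the example.com addresses are assumptions. -->

<!-- /var/ossec/etc/local_decoder.xml -->

<!-- Parent decoder: keyed on the syslog program name that pre-decoding
     already extracted ("SCEP[26457]:" -> program_name 'SCEP'). -->
<decoder name="msscep">
  <program_name>^SCEP$</program_name>
</decoder>

<!-- Child decoder for the "Malware alert:" line. OSSEC decoders can only
     fill a fixed set of field names, so the values are mapped as follows
     (assumed mapping):
       client hostname  -> user        (lets rules correlate with same_user)
       threat name      -> extra_data
       infection count  -> id
       file path        -> data
       quarantine state -> status
     The five \S+ tokens skip "time(UTC time): 8/5/2013 10:42:41 AM" without
     needing escaped parentheses; \.+ for the path tolerates spaces in it. -->
<decoder name="msscep-malware">
  <parent>msscep</parent>
  <prematch>^Malware alert: </prematch>
  <regex offset="after_prematch">^(\S+) (\S+) Number of infections: (\d+) Last detection time\S+ \S+ \S+ \S+ \S+ file:_(\.+) Quarantine (\w+)$</regex>
  <order>user, extra_data, id, data, status</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="attack,virus">

  <!-- Base rule: one alert per SCEP malware line, always mailed. -->
  <rule id="100130" level="12">
    <decoded_as>msscep</decoded_as>
    <description>SCEP malware alert</description>
    <options>alert_by_email</options>
  </rule>

  <!-- Correlation rule (assumed id/threshold): the same client reporting
       three detections within ten minutes is escalated, which is what the
       decoded "user" field makes possible. -->
  <rule id="100131" level="14" frequency="3" timeframe="600">
    <if_matched_sid>100130</if_matched_sid>
    <same_user />
    <description>Repeated SCEP malware detections on the same client</description>
    <options>alert_by_email</options>
  </rule>

</group>

<!-- /var/ossec/etc/ossec.conf: the <alerts> block alone is not enough.
     ossec-maild only sends when email_notification is "yes" and the
     recipient/sender/SMTP settings are present. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>          <!-- placeholder -->
    <email_from>ossec@example.com</email_from>    <!-- placeholder -->
    <smtp_server>smtp.example.com</smtp_server>   <!-- placeholder -->
    <!-- default cap; alerts beyond it are not mailed individually
         for the rest of that hour, which looks like "no email" -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

Two checks worth doing with this in place: run the sample line through /var/ossec/bin/ossec-logtest and confirm that Phase 2 now lists the captured fields (user, extra_data, id, data, status) under the msscep decoder rather than only the decoder name, since ossec-logtest exercises decoding and rules but never sends mail; then, after /var/ossec/bin/ossec-control restart, confirm with ossec-control status that ossec-maild is actually running and look in /var/ossec/logs/ossec.log for maild errors. An alert that reaches alerts.log but not the mailbox is either a missing global email setting, a dead or failing ossec-maild, or the hourly cap, not a decoder problem, because the rule already matched.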
