Is this working on your OSSEC server: echo foo | mail youremail@yourdomain -s 'test'

Could you give an example of your mail configuration?

Eero

2016-02-24 9:00 GMT+02:00 Fredrik <[email protected]>:
> Thanks Eero!
>
> Anything specific to look for that could conflict with this particular
> alert? Mail alerts seem to be working fine for other rules.
>
> I checked the mail.info for anything obvious, but couldn't see anything
> suspicious at a first glance...
>
> Best regards,
> Fredrik
>
> On Wednesday, February 24, 2016 at 7:54:43 AM UTC+1, Eero Volotinen wrote:
>>
>> Please check your mail server configuration?
>>
>> 2016-02-24 8:28 GMT+02:00 Fredrik <[email protected]>:
>>
>>> Thanks Santiago, please find more details below.
>>>
>>> Best regards,
>>> Fredrik
>>>
>>> Yes, I see the alert written to alerts.log (pulled the alert below out
>>> of the archive from yesterday) and email alerts are working for other
>>> rules. I also restarted ossec but to no avail. Strange!
>>>
>>> ossec-alerts-23.log.gz:
>>> Rule: 100130 (level 12) -> 'SCEP malware alert'
>>> Feb 23 20:37:00 ossec-svr SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>>
>>> ossec.conf:
>>> <alerts>
>>>   <log_alert_level>1</log_alert_level>
>>>   <email_alert_level>7</email_alert_level>
>>> </alerts>
>>>
>>> On Wednesday, February 24, 2016 at 2:46:31 AM UTC+1, Santiago Bassett wrote:
>>>>
>>>> Did you say other alerts are triggering emails correctly? Everything
>>>> looks good to me, but here are some questions that might help troubleshoot
>>>> the problem.
>>>>
>>>> Do you see the alert in alerts.log file?
>>>> Have you configured other global email settings?
>>>> What is your email_alerts_level?
>>>>
>>>> On Tue, Feb 23, 2016 at 12:11 PM, Fredrik <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Another question for all you Ossec gurus. I have another rule set up
>>>>> to handle messages in a somewhat strange format (below). I would like this
>>>>> to ultimately trigger an email alert, which is working for other rules.
>>>>>
>>>>> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>>>>
>>>>> I see that an alert is written to alerts.log, and ossec-logtest
>>>>> finished processing with **Alert to be generated. However, no email is
>>>>> sent?
>>>>>
>>>>> <group name="attack,virus">
>>>>>   <rule id="100130" level="12">
>>>>>     <decoded_as>MSSCEP</decoded_as>
>>>>>     <options>alert_by_email</options>
>>>>>     <description>SCEP malware alert</description>
>>>>>   </rule>
>>>>> </group>
>>>>>
>>>>> As I wasn't sure how to best extract fields from the message above,
>>>>> the decoder simply matches on <program_name>. Please feel free to suggest
>>>>> variants to decode the message and make use of the fields available in
>>>>> OSSEC. Perhaps my failure to do so can have something to do with the
>>>>> missing email alert?
>>>>>
>>>>> <decoder name="MSSCEP">
>>>>>   <program_name>SCEP</program_name>
>>>>>   <type>syslog</type>
>>>>> </decoder>
>>>>>
>>>>> Finally, output from ossec-logtest:
>>>>>
>>>>> **Phase 1: Completed pre-decoding.
>>>>>        full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>>>>        hostname: 'ossec-srv'
>>>>>        program_name: 'SCEP'
>>>>>        log: 'Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>>>>
>>>>> **Phase 2: Completed decoding.
>>>>>        decoder: 'MSSCEP'
>>>>>
>>>>> **Phase 3: Completed filtering (rules).
>>>>>        Rule id: '100130'
>>>>>        Level: '12'
>>>>>        Description: 'SCEP malware alert'
>>>>> **Alert to be generated.
>>>>>
>>>>> Best regards,
>>>>> Fredrik

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
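Fredrik asked for a way to pull fields out of the SCEP message rather than matching on program_name alone. The following Python is an added example, not code from the thread or from OSSEC: it pre-decodes a constructed line of the same shape into hostname/program_name/log (as ossec-logtest Phase 1 does), extracts the client, threat, count, detection time, quarantined path and action with a regex whose layout is an assumption derived from the sample, and models in should_email() (a simplified assumption, not OSSEC's source) the conditions under which an alert is selected for mail: global email_notification on, then rule level >= email_alert_level or the alert_by_email option.

```python
import re

# Constructed sample line in the shape of the SCEP syslog message quoted in the thread.
SAMPLE = (
    "Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com "
    "Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection "
    "time(UTC time): 8/5/2013 10:42:41 AM file:_C:\\Users\\user1\\AppData\\LocalLow"
    "\\Sun\\Java\\Deployment\\cache\\6.0\\9\\748789-14f29c54 Quarantine Succeeded"
)

# Pre-decoding, like ossec-logtest Phase 1: "timestamp hostname program_name[pid]: log"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)
# Field extraction for the SCEP payload (assumed layout, derived from the sample).
# Non-greedy groups stop at the fixed literals, so the Windows path and the
# threat name (which contains ':', '/' and '!') survive intact.
SCEP_RE = re.compile(
    r"^Malware alert: (?P<client>\S+) (?P<threat>\S+) "
    r"Number of infections: (?P<infections>\d+) "
    r"Last detection time\(UTC time\): (?P<detected>.+?) "
    r"file:_(?P<path>.+?) (?P<action>\w+ \w+)$"
)

def decode(line):
    """Return the decoded fields for a SCEP malware alert, or None if the line
    is not a SCEP message in the expected layout (a real decoder would then
    leave the event to other decoders)."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("program_name") != "SCEP":
        return None
    s = SCEP_RE.match(m.group("log"))
    if not s:
        return None
    fields = {**m.groupdict(), **s.groupdict()}
    fields["infections"] = int(fields["infections"])
    del fields["log"]
    return fields

def should_email(rule_level, rule_options, email_alert_level, email_notification):
    """Simplified model (an assumption, not OSSEC's source) of how an alert is
    selected for mail: <email_notification>yes</email_notification> must be set
    in <global>, then either the rule level reaches <email_alert_level> or the
    rule carries alert_by_email; the no_email_alert option suppresses it."""
    if not email_notification or "no_email_alert" in rule_options:
        return False
    return rule_level >= email_alert_level or "alert_by_email" in rule_options
```

With the thread's values (level 12, alert_by_email, email_alert_level 7) the model says the alert qualifies, which is why the remaining suspects are the global email settings and the mail server itself.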
