You should also point your ossec mail configuration to a local smtp instance.

--
Eero

2016-02-24 9:34 GMT+02:00 Fredrik <[email protected]>:
> Thanks Eero!
>
> Yes, this works in my setup :) Tried it to make sure. Sendmail is
> installed on this particular box, so changed mail into sendmail and fired
> away :)
>
> Best regards,
> Fredrik
>
> On Wednesday, February 24, 2016 at 8:12:41 AM UTC+1, Eero Volotinen wrote:
>>
>> Is this working on your ossec server:
>>
>> echo foo | mail youremail@yourdomain -s 'test'
>>
>> Could you give an example of your mail configuration?
>>
>> Eero
>>
>> 2016-02-24 9:00 GMT+02:00 Fredrik <[email protected]>:
>>
>>> Thanks Eero!
>>>
>>> Anything specific to look for that could conflict with this particular
>>> alert - mail alerts seem to be working fine for other rules?
>>>
>>> I checked the mail.info for anything obvious, but couldn't see anything
>>> suspicious at a first glance...
>>>
>>> Best regards,
>>> Fredrik
>>>
>>> On Wednesday, February 24, 2016 at 7:54:43 AM UTC+1, Eero Volotinen wrote:
>>>>
>>>> Please check your mail server configuration?
>>>>
>>>> 2016-02-24 8:28 GMT+02:00 Fredrik <[email protected]>:
>>>>
>>>>> Thanks Santiago, please find more details below.
>>>>>
>>>>> Best regards,
>>>>> Fredrik
>>>>>
>>>>> Yes, I see the alert written to alerts.log (pulled the alert below out
>>>>> of the archive from yesterday) and email alerts are working for other
>>>>> rules. I also restarted ossec but to no avail. Strange!
>>>>>
>>>>> ossec-alerts-23.log.gz:
>>>>> Rule: 100130 (level 12) -> 'SCEP malware alert'
>>>>> Feb 23 20:37:00 ossec-svr SCEP[26715]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>>>>
>>>>> ossec.conf:
>>>>> <alerts>
>>>>>   <log_alert_level>1</log_alert_level>
>>>>>   <email_alert_level>7</email_alert_level>
>>>>> </alerts>
>>>>>
>>>>> On Wednesday, February 24, 2016 at 2:46:31 AM UTC+1, Santiago Bassett wrote:
>>>>>>
>>>>>> Did you say other alerts are triggering emails correctly? Everything
>>>>>> looks good to me, but here are some questions that might help
>>>>>> troubleshoot the problem.
>>>>>>
>>>>>> Do you see the alert in alerts.log file?
>>>>>> Have you configured other global email settings?
>>>>>> What is your email_alerts_level?
>>>>>>
>>>>>> On Tue, Feb 23, 2016 at 12:11 PM, Fredrik <[email protected]> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> Another question for all you Ossec gurus. I have another rule set up
>>>>>>> to handle messages in a somewhat strange format (below). I would like
>>>>>>> this to ultimately trigger an email alert - which is working for other
>>>>>>> rules.
>>>>>>>
>>>>>>> Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded
>>>>>>>
>>>>>>> I see that an alert is written to alerts.log, and ossec-logtest
>>>>>>> finished processing with **Alert to be generated. However, no email is
>>>>>>> sent?
>>>>>>>
>>>>>>> <group name="attack,virus">
>>>>>>>   <rule id="100130" level="12">
>>>>>>>     <decoded_as>MSSCEP</decoded_as>
>>>>>>>     <options>alert_by_email</options>
>>>>>>>     <description>SCEP malware alert</description>
>>>>>>>   </rule>
>>>>>>> </group>
>>>>>>>
>>>>>>> As I wasn't sure how to best extract fields from the message above,
>>>>>>> the decoder simply matches on <program_name>; please feel free to
>>>>>>> suggest variants to decode the message and make use of the fields
>>>>>>> available in OSSEC. Perhaps my failure to do so can have something to
>>>>>>> do with the missing email alert?
>>>>>>>
>>>>>>> <decoder name="MSSCEP">
>>>>>>>   <program_name>SCEP</program_name>
>>>>>>>   <type>syslog</type>
>>>>>>> </decoder>
>>>>>>>
>>>>>>> Finally, output from ossec-logtest:
>>>>>>>
>>>>>>> **Phase 1: Completed pre-decoding.
>>>>>>>        full event: 'Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>>>>>>        hostname: 'ossec-srv'
>>>>>>>        program_name: 'SCEP'
>>>>>>>        log: 'Malware alert: client2.domain.com Exploit:Java/CVE-2012-1723!jar Number of infections: 1 Last detection time(UTC time): 8/5/2013 10:42:41 AM file:_C:\Users\toho\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\748789-14f29c54 Quarantine Succeeded'
>>>>>>>
>>>>>>> **Phase 2: Completed decoding.
>>>>>>>        decoder: 'MSSCEP'
>>>>>>>
>>>>>>> **Phase 3: Completed filtering (rules).
>>>>>>>        Rule id: '100130'
>>>>>>>        Level: '12'
>>>>>>>        Description: 'SCEP malware alert'
>>>>>>> **Alert to be generated.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Fredrik
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "ossec-list" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to [email protected].
>>>>>>> For more options, visit https://groups.google.com/d/optout.
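The configuration below is an added example, not something posted in the thread or shipped with OSSEC. It answers the two open points in the thread: Fredrik's request for a decoder that extracts fields from the SCEP message, and Eero's closing advice to point ossec-maild at a local SMTP server. Two things worth knowing before copying it. First, decoding has no bearing on whether mail goes out: ossec-analysisd writes the alert, and ossec-maild decides independently, from the alert level against `email_alert_level` (or the rule's `alert_by_email` option, which only matters for rules below that threshold; at level 12 with a threshold of 7 it is redundant), so "**Alert to be generated" from ossec-logtest says nothing about delivery and testing the MTA was the right next step. Second, the file names (local_decoder.xml, local_rules.xml), the child rule id 100131, the choice of which OSSEC field slot receives which capture, and every address and host in the `<global>` block are assumptions made for this example; `system_name` as an `<order>` slot needs an OSSEC 2.8-era release.

```xml
<!-- Added example; not from the thread. File names, rule id 100131, the
     field-slot mapping and the mail addresses/hosts are assumptions. -->

<!-- local_decoder.xml: the parent keeps the program_name match from the
     thread; the child pulls the fields out of the message body. -->
<decoder name="MSSCEP">
  <program_name>^SCEP</program_name>
  <type>syslog</type>
</decoder>

<decoder name="MSSCEP-malware">
  <parent>MSSCEP</parent>
  <prematch>^Malware alert:</prematch>
  <!-- OSSEC regex syntax: \S+ = non-space run, \d+ = digits, \.+ = any
       characters, \w+ = word characters; literal parentheses are written
       \( and \). Captures, in order: client host, threat name, infection
       count, detection time, quarantined file path, quarantine result. -->
  <regex>^Malware alert: (\S+) (\S+) Number of infections: (\d+) Last detection time\(UTC time\): (\.+) file:(\.+) (\w+ \w+)$</regex>
  <!-- Slots are OSSEC's fixed field names. The mapping is this example's
       choice, so that rules can match with <extra_data>, <id> and <status>
       and the values show up in ossec-logtest's Phase 2 output. -->
  <order>system_name, extra_data, id, data, url, status</order>
</decoder>

<!-- local_rules.xml: the rule from the thread, unchanged, plus a child rule
     (id 100131 is an assumption) that raises the level when the threat name
     starts with "Exploit:", as the Java CVE detection in the thread does. -->
<group name="attack,virus">
  <rule id="100130" level="12">
    <decoded_as>MSSCEP</decoded_as>
    <options>alert_by_email</options>
    <description>SCEP malware alert</description>
  </rule>

  <rule id="100131" level="13">
    <if_sid>100130</if_sid>
    <extra_data>^Exploit:</extra_data>
    <description>SCEP malware alert: exploit detected on endpoint</description>
  </rule>
</group>

<!-- ossec.conf: the mail settings the thread ends on. With smtp_server set
     to the local MTA, ossec-maild talks SMTP to it directly instead of
     depending on a working `mail` command. Addresses are placeholders;
     email_maxperhour is the default throttle and is shown so that a quiet
     alert is not mistaken for a delivery failure. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@domain.com</email_from>
    <email_to>alerts@domain.com</email_to>
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

After adding the decoder, feed the log line from the thread to `/var/ossec/bin/ossec-logtest` and check that Phase 2 now reports `decoder: 'MSSCEP-malware'` with the captured fields, and that Phase 3 reports rule 100131 rather than 100130 for the `Exploit:Java/CVE-2012-1723!jar` detection. If the alert is written to alerts.log but no mail arrives, the MTA test Eero gave (`echo foo | mail youremail@yourdomain -s 'test'`) and the MTA's own log remain the place to look, since nothing in the decoder or rule changes what ossec-maild does.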
