Ok, this is the agent. I thought one could configure the agent to fire off emails because of this bit in the doc: (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html) Supported types
Global options are available in the the following installation types: - server - local So that helps me understand why it doesn't work, for sure. My purpose is to measure how long it takes for the server to alert on an issue compared to when it is first reported. I guess I won't use the email option for this. Thanks much - I can't believe I didn't catch this. On Thursday, March 3, 2016 at 1:12:25 PM UTC-5, dan (ddpbsd) wrote: > > On Thu, Mar 3, 2016 at 1:09 PM, jkrew <[email protected] <javascript:>> > wrote: > > Greetings, > > > > We are using OSSEC as provided by CloudAware. I'm in the process of > setting > > up some custom alerts for testing, alerts I would like to receive via > email. > > > > I am able to send email from the Linux host via the following: > > echo "test" | mail -s "subject line" [email protected] <javascript:> > > > > To help troubleshoot, I've set the following debug options in > > internal_options.conf: > > syscheck.debug=1 > > agent.debug=1 > > > > And here is what I've configured in ossec.conf: > > > > > > <ossec_config> > > <client> > > <server-hostname>cloud aware server</server-hostname> > > Is this an agent or the server? > > > </client> > > > > <global> > > <email_notification>yes</email_notification> > > <email_to>my email address</email_to> > > <smtp_server>127.0.0.1</smtp_server> > > <email_from>[email protected] <javascript:></email_from> > > </global> > > > > <email_alerts> > > <level>1</level> > > <do_not_delay /> > > </email_alerts> > > > > I see no errors in the ossec.log file that indicates that it's even > > attempting to send mail. Am I correct that it should attempt to send me > an > > email each time I restart OSSEC - that looks to be a level 7 alert. > > > > Any suggestions for troubleshooting would be MUCH appreciated - it feels > > like there might be an override setting that I'm simply not aware of, > but I > > have yet to find anything of that nature. > > > > agents do not send email, just the ossec server. > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
