Hi Maxim,

Does this rule only fire on the manager and not on the agents in general?
Are you even watching these commands on the agents through the shared
agent.conf?!

br,
theresa

On Wednesday, 6 April 2016 09:38:26 UTC+2, Maxim Surdu wrote:
>
> Hi dear community,
>
> I have installed and configured about 10 agents, and of course I have a lot of
> users. I need to monitor when they are working or drinking coffee.
>
> In ossec_rules.xml I have the following rules:
>
>   <rule id="534" level="1">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'w'</match>
>     <check_diff />
>     <options>alert_by_email</options>
>     <description>List of logged in users. It will not be alerted by default.</description>
>   </rule>
>
>   <rule id="535" level="1">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'last -n </match>
>     <check_diff />
>     <options>alert_by_email</options>
>     <description>List of the last logged in users.</description>
>   </rule>
>
> I have Linux and Windows machines, but mail is coming from just one
> machine (Linux). How about the rest?
> What did I do wrong?
>
> I appreciate your help, and a lot of respect for the developers and community!
