On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng <[email protected]> wrote:
> Hi, I installed ossec local on my cloud server, and configured ossec.conf as
> follows. I tried to detect new additions using
> <alert_new_files>yes</alert_new_files>.
>
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>[email protected]</email_to>
>   <smtp_server>ns0.bt.net.</smtp_server>
>   <email_from>[email protected]</email_from>
> </global>
> <syscheck>
>   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>   <frequency>79200</frequency>
>   <alert_new_files>yes</alert_new_files>
>
>   <!-- Directories to check (perform all possible verifications) -->
>   <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>   <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
>   <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
> </syscheck>
>
> The local_rules.xml is like,
>
> <group name="local,syslog,">
>
>   <!-- Note that rule id 5711 is defined at the ssh_rules file
>     - as a ssh failed login. This is just an example
>     - since ip 1.1.1.1 shouldn't be used anywhere.
>     - Level 0 means ignore.
>     -->
>   <rule id="100001" level="0">
>     <if_sid>5711</if_sid>
>     <srcip>1.1.1.1</srcip>
>     <description>Example of rule that will ignore sshd </description>
>     <description>failed logins from IP 1.1.1.1.</description>
>   </rule>
>
>   <rule id="554" level="7" overwrite="yes">
>     <category>ossec</category>
>     <decoded_as>syscheck_new_entry</decoded_as>
>     <description>File added to the system.</description>
>     <group>syscheck,</group>
>   </rule>
> </group> <!-- SYSLOG,LOCAL -->
>
> Now, if I added a file in home/user_name, there is no email notification
> coming through the SMTP server. I am using smtp.bt.net, using
>
> dig -t mx smtp.bt.net
>
> to get the SMTP server. What are the possible reasons that I am not getting the
> email?
>
Are you getting emails for other alerts? Are alerts being triggered for these new files?

> Many thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
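
The two questions in the reply can be answered from the alerts log. The following is an added example, not part of the thread: it assumes the standard alerts.log entry layout, in which the header line carries a `mail` flag when an alert is marked for e-mail, and the sample entries and host name are constructed.

```python
import re

# Constructed sample in the alerts.log layout; not output from the poster's server.
SAMPLE = """\
** Alert 1473068012.1024: mail  - ossec,syscheck,
2016 Sep 05 10:33:32 cloud01->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/home/user_name/test.txt' added to the file system.

** Alert 1473068050.2048: - pam,syslog,authentication_success,
2016 Sep 05 10:34:10 cloud01->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  5 10:34:09 cloud01 sshd[2211]: pam_unix(sshd:session): session opened for user user_name
"""

HEADER = re.compile(r"^\*\* Alert (\d+\.\d+):(\s*mail\s*)?\s*-\s*(.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    """Return one dict per alert entry: id, mail flag, rule id, level."""
    alerts = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            alerts.append({"id": h.group(1), "mail": bool(h.group(2)),
                           "rule": None, "level": None})
            continue
        r = RULE.match(line)
        # Only the first "Rule:" line after a header belongs to that alert.
        if r and alerts and alerts[-1]["rule"] is None:
            alerts[-1]["rule"] = int(r.group(1))
            alerts[-1]["level"] = int(r.group(2))
    return alerts

def diagnose(text, rule_id=554):
    """Classify why no e-mail arrived for rule_id (554 = new file, as in the thread)."""
    hits = [a for a in parse_alerts(text) if a["rule"] == rule_id]
    if not hits:
        return "no_alert"          # syscheck never raised the rule: check syscheck itself
    if not any(a["mail"] for a in hits):
        return "not_flagged"       # logged but not marked for mail: compare level with email_alert_level
    return "flagged_for_mail"      # marked for mail: the problem is on the SMTP delivery side

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On a default install the log is /var/ossec/logs/alerts/alerts.log; pass its contents to `diagnose()` after creating a test file in a monitored directory.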
