Hi, could you give me an example of using tcpdump in this case?

cheers

On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>
> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng <[email protected]> wrote:
> > Hi, since it is a fresh install of ossec, I didn't get any emails. The
> > notification is turned on as
> >
>
> Try using tcpdump (looking for connections to the email server from
> the OSSEC system) or check the mail logs on the email server to determine
> if there is an error when sending.
>
> > <alert_new_files>yes</alert_new_files> 
> > 
> > in ossec.conf 
> > 
> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng <[email protected]> wrote:
> >> > Hi, I installed ossec locally on my cloud server, and configured ossec.conf
> >> > as follows. I tried to detect new additions using
> >> > <alert_new_files>yes</alert_new_files>.
> >> > 
> >> > <global> 
> >> >      <email_notification>yes</email_notification> 
> >> >      <email_to>[email protected]</email_to> 
> >> >      <smtp_server>ns0.bt.net.</smtp_server> 
> >> >      <email_from>[email protected]</email_from> 
> >> >    </global> 
> >> > <syscheck> 
> >> >      <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >> >      <frequency>79200</frequency> 
> >> >      <alert_new_files>yes</alert_new_files> 
> >> > 
> >> >      <!-- Directories to check  (perform all possible verifications) -->
> >> >      <directories report_changes="yes" realtime="yes" 
> >> > check_all="yes">/etc,/usr/bin,/usr/sbin</directories> 
> >> >      <directories report_changes="yes" realtime="yes" 
> >> > check_all="yes">/bin,/sbin</directories> 
> >> >      <directories report_changes="yes" realtime="yes" 
> >> > check_all="yes">/home/user_name</directories> 
> >> >  </syscheck> 
> >> > 
> >> > The local_rules.xml is like, 
> >> > 
> >> >  <group name="local,syslog,"> 
> >> > 
> >> >     <!-- Note that rule id 5711 is defined at the ssh_rules file 
> >> >       -  as a ssh failed login. This is just an example 
> >> >       -  since ip 1.1.1.1 shouldn't be used anywhere. 
> >> >       -  Level 0 means ignore. 
> >> >       --> 
> >> >     <rule id="100001" level="0"> 
> >> >       <if_sid>5711</if_sid> 
> >> >       <srcip>1.1.1.1</srcip> 
> >> >       <description>Example of rule that will ignore sshd</description>
> >> >       <description>failed logins from IP 1.1.1.1.</description>
> >> >     </rule> 
> >> > 
> >> >     <rule id="554" level="7" overwrite="yes"> 
> >> >       <category>ossec</category> 
> >> >       <decoded_as>syscheck_new_entry</decoded_as> 
> >> >       <description>File added to the system.</description> 
> >> >       <group>syscheck,</group> 
> >> >     </rule> 
> >> > </group> <!-- SYSLOG,LOCAL --> 
> >> > 
> >> > Now, if I added a file in home/user_name, there is no email notification
> >> > coming through the SMTP server. I am using smtp.bt.net, using
> >> >
> >> > dig -t mx smtp.bt.net
> >> >
> >> > to get the SMTP server. What are the possible reasons that I am not getting
> >> > the email?
> >> >
> >> > 
> >> 
> >> Are you getting emails for other alerts? 
> >> Are alerts being triggered for these new files? 
> >> 
> >> > Many thanks 
> >> > 
> >> > -- 
> >> > 
> >> > --- 
> >> > You received this message because you are subscribed to the Google 
> >> > Groups 
> >> > "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it, 
> send 
> >> > an 
> >> > email to [email protected]. 
> >> > For more options, visit https://groups.google.com/d/optout. 
> > 
>

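A worked version of what Dan suggests, added here as an example and not written by anyone in the thread: a POSIX shell helper that reads the configured <smtp_server> out of ossec.conf, runs tcpdump on the OSSEC host for TCP/25 traffic to that server while you drop a test file into a watched directory, and then classifies the capture so you know whether OSSEC never tried, was blocked, was refused, or actually connected. Function names, the ossec.conf path and the sample tcpdump lines are my own assumptions and constructed data.

```shell
#!/bin/sh
# Added example (not from the thread); helper names are hypothetical.
# On the OSSEC host, as root (tcpdump must be installed):
#   capture_smtp "$(smtp_server_from_conf /var/ossec/etc/ossec.conf)" | tee /tmp/smtp.txt
#   touch /home/user_name/ossec-test   # in a second shell, to trigger syscheck
#   classify_capture < /tmp/smtp.txt   # after stopping tcpdump with Ctrl-C

# Print the <smtp_server> value from ossec.conf, minus the trailing dot that
# a dig answer carries (ns0.bt.net. -> ns0.bt.net), which OSSEC does not want.
smtp_server_from_conf() {
    sed -n 's/.*<smtp_server>\([^<]*\)<\/smtp_server>.*/\1/p' "$1" \
        | head -n 1 | sed 's/\.$//'
}

# Capture only TCP/25 traffic to or from the configured SMTP server,
# numeric hosts and ports (-nn), all interfaces, line-buffered for tee.
capture_smtp() {
    tcpdump -nn -i any -l tcp port 25 and host "$1"
}

# Read tcpdump text output on stdin and report how far the connection got:
#   no-attempt  nothing to port 25 at all -> OSSEC never tried to send (was an
#               alert generated at or above email_alert_level? is maild up?)
#   no-answer   SYN sent, nothing back    -> outbound 25 filtered (common on
#               cloud hosts) or the smtp_server host is unreachable
#   refused     RST came back             -> host reachable, no SMTP listener
#   connected   SYN/ACK came back         -> TCP is fine; read the mail server logs
classify_capture() {
    awk '
      / > [0-9.]+\.25: Flags \[S\]/            { syn = 1 }
      /\.25 > [0-9.]+\.[0-9]+: Flags \[S\.\]/ { synack = 1 }
      /\.25 > [0-9.]+\.[0-9]+: Flags \[R/     { rst = 1 }
      END {
        if (synack)   { print "connected" }
        else if (rst) { print "refused" }
        else if (syn) { print "no-answer" }
        else          { print "no-attempt" }
      }'
}
```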