I'm running on CentOS 7.3.1611 and using the atomic repo, which has ossec-hids-2.9.2-2082 and ossec-hids-server-2.9.2-2082.

I have done more debugging and I'm seeing some things I think are strange. If the condition I'm testing for has happened in the last 15 to 20 minutes before the email is sent, the subject contains the alert message and the body contains the alert message along with other alerts. If the condition is more than 25 to 30 minutes before the email is sent, the subject will still show the alert, but the alert message will not be in the body of the email. Here are some stats from the emails today:

Email arrived    Number of alerts    Earliest reported alert
01:00            109                 00:36
02:00            110                 01:37
03:00            111                 02:34
04:00            112                 03:39
05:00            113                 04:34
06:00            114                 05:39
07:00            115                 06:36
08:00            116                 07:51
09:00            117                 08:55
10:00            118                 09:56

It seems strange that the number of alerts is incrementing by one each hour. I went back further in the emails and it seems to increment to 186 and then start over at 97.

So it's very possible that the rule was working right but just wasn't in the email. This is driving me nuts.


On Monday, September 11, 2017 at 1:42:49 PM UTC-4, dan (ddpbsd) wrote:
>
> On Wed, Sep 6, 2017 at 9:45 AM, Ed Killian <[email protected]> wrote:
> > I am fairly new to ossec but I have been writing rules. The issue I have is that I have written a rule and tested it with ossec-logtest, which seems to work. And the subject of the email I get has the correct hostname and alert level, but there is no alert with that hostname or alert level in the body of the email message. I looked in /var/ossec/logs/alerts/alerts.log and there is the alert there with the correct log information, rule information and description, and the line from the logfile. What am I missing?
> >
>
> Which version of OSSEC are you using?
> Do you get any alert data in the email?
>
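To check whether the alerts missing from the email body are nonetheless recorded in alerts.log, as the post suspects, here is an added example (not code from the thread or from OSSEC) that parses the OSSEC 2.x alerts.log layout and produces the same per-hour count and earliest-alert columns as the table above; the sample records are constructed, and the `mail` flag in each header is what ossec-maild uses to decide which alerts go into the email.

```python
import re
from datetime import datetime
# Constructed sample in the OSSEC 2.x alerts.log layout (not taken from the post).
SAMPLE_ALERTS_LOG = """\
** Alert 1505115360.100: mail - syslog,sshd,
2017 Sep 11 00:36:00 web01->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Sep 11 00:36:00 web01 sshd[100]: Failed password for invalid user test from 10.0.0.5 port 2222 ssh2

** Alert 1505116800.200: - syslog,errors,
2017 Sep 11 01:00:00 web01->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Sep 11 01:00:00 web01 kernel: something odd

** Alert 1505117820.300: mail - local,custom,
2017 Sep 11 01:37:00 db01->/var/log/app.log
Rule: 100001 (level 10) -> 'Custom rule fired.'
Sep 11 01:37:00 db01 app: condition detected
"""
HEADER_RE = re.compile(r"^\*\* Alert \d+\.\d+: (mail )?- ")  # "mail" only if queued for ossec-maild
STAMP_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (.+?)->")  # host may be "(agent) ip"
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    """One dict per '** Alert' block; malformed or truncated blocks are skipped."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text):
        lines = block.splitlines() + ["", "", ""]   # pad so short blocks fail the match, not the index
        head, stamp, rule = HEADER_RE.match(lines[0]), STAMP_RE.match(lines[1]), RULE_RE.match(lines[2])
        if not (head and stamp and rule):
            continue
        alerts.append({
            "time": datetime.strptime(stamp.group(1), "%Y %b %d %H:%M:%S"),
            "mail": head.group(1) is not None,
            "host": stamp.group(2),
            "rule_id": int(rule.group(1)),
            "level": int(rule.group(2)),
        })
    return alerts

def hourly_summary(alerts, mail_only=True):
    """Map hour 'HH:00' -> (alert count, earliest alert 'HH:MM'), the same columns as the table in the post."""
    summary = {}
    for a in alerts:
        if mail_only and not a["mail"]:
            continue
        hour, stamp = a["time"].strftime("%H:00"), a["time"].strftime("%H:%M")
        count, earliest = summary.get(hour, (0, stamp))
        summary[hour] = (count + 1, min(earliest, stamp))
    return summary
```

Run it over the real /var/ossec/logs/alerts/alerts.log and compare each hour's count and earliest time with the email; an alert that appears here with the mail flag but not in the email body points at ossec-maild, not at the rule.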

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.