Re: [ossec-list] Troubleshooting: Alerts fire, but email not sent

2013-02-21 Thread Phil Cox
I figured it out. I had the alert set to a number below my email alert threshold. Phil On Wed, Feb 20, 2013 at 1:06 PM, Phil Cox wrote: > Is ossec-maild running? >> Does it try to send the email (you can use tcpdump or the email >> server's logs to find out)? >> >&
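The threshold Phil ran into, as an added example (not from the thread and not OSSEC's shipped configuration): the two settings in ossec.conf that decide which alerts are only logged and which are also mailed, and a local rule that uses the alert_by_email option to be mailed even though its level is below email_alert_level. The addresses, the rule id and the referenced stock group name are placeholders/assumptions.

```xml
<!-- ossec.conf (added example, placeholder addresses) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>          <!-- placeholder recipient -->
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@example.com</email_from>    <!-- placeholder sender -->
  </global>

  <alerts>
    <!-- every alert at this level or above is written to alerts.log -->
    <log_alert_level>1</log_alert_level>
    <!-- only alerts at this level or above are handed to ossec-maild;
         a level-5 rule is logged but never mailed with this setting -->
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>

<!-- local_rules.xml (added example): alert_by_email forces mail for this one
     rule regardless of email_alert_level; no_email_alert does the reverse -->
<group name="local,">
  <rule id="100010" level="5">
    <if_group>authentication_success</if_group>   <!-- stock group name, assumed -->
    <options>alert_by_email</options>
    <description>Login success, mailed although below email_alert_level</description>
  </rule>
</group>
```

After changing either file restart with /var/ossec/bin/ossec-control restart, then confirm with the check suggested earlier in the thread (tcpdump on port 25 or the mail server's log) that ossec-maild actually opens an SMTP session when the rule fires; seeing the alert in alerts.log only proves it cleared log_alert_level.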

Re: [ossec-list] Troubleshooting: Alerts fire, but email not sent

2013-02-20 Thread Phil Cox
> > Is ossec-maild running? > Does it try to send the email (you can use tcpdump or the email > server's logs to find out)? > > It is running. It does NOT seem to be attempting to send email when the rules fire. I do see the alert in the alert.log file though. Phil

[ossec-list] Troubleshooting: Alerts fire, but email not sent

2013-02-20 Thread Phil Cox
Having a hard time with this one. I am getting my alerts to fire, and can test with ossec-logtest. Problem is that I seem to only be getting "some" of the alerts via email. yes redacte...@rightscale.com localhost redactedf...@rightscale.com redactedspec...@rightscale

[ossec-list] More detailed parsing of sudo

2013-01-22 Thread Phil Cox
All, Probably a simple answer, but not for me. I want an alert to fire any time there is a sudo operation with the COMMAND being a shell (/bin/bash in this instance). Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash Any pointers? I am new
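One way to get that alert, as an added example (not from the thread and not a stock OSSEC rule): a local rule that hangs off OSSEC's parent sudo rule and matches on the COMMAND field of the log line. The parent rule id 5400, the local rule id and the level are assumptions; check syslog_rules.xml on your installation for the real parent id.

```xml
<!-- local_rules.xml (added example) -->
<group name="syslog,sudo,">
  <!-- 5400 is assumed to be the stock level-0 rule that groups every
       message decoded as sudo; chaining from it keeps this rule cheap -->
  <rule id="100020" level="10">
    <if_sid>5400</if_sid>
    <!-- match a shell as the whole COMMAND value: /bin/bash, /bin/sh, /bin/zsh,
         and the same names under /usr/bin. \S* and $ are OSSEC regex syntax -->
    <regex>COMMAND=/bin/\S*sh$|COMMAND=/usr/bin/\S*sh$</regex>
    <description>sudo used to start an interactive shell</description>
  </rule>
</group>
```

Verify it against the exact line from the post before restarting: echo the line into /var/ossec/bin/ossec-logtest and check that rule 100020 is the one reported. Note the trailing $ deliberately does not match "COMMAND=/bin/sh -c ..." (a one-off command run through a shell); add a third alternative such as COMMAND=/bin/\S*sh -c if you want those too, and remember that sudo -i and sudo -s are logged with the target user's shell as COMMAND, so they are caught by the pattern above.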

[ossec-list] Scanning variable directories in a structure

2012-11-14 Thread Phil Cox
I have a central syslog server that collects logs under /var/log/ That UniqueID part is fairly random, and will come and go as systems launch and terminate. Is there an easy way to do this? Seems that using > /var/log/\w+/messages > Is the only way I can figure out how to do it, then j

Re: [ossec-list] Large installs.

2012-04-02 Thread Phil Cox
So here is my plan for a global cloud arch (systems very volatile) - "Local" install - Alert via Syslog to central server on dedicated "facility" - Local Syslog go to central server - Central console (Graylog2?) parsing all syslog for custom correlation Should scale to tens of thousands. We'll se

[ossec-list] Source to use?

2012-03-19 Thread Phil Cox
All, Which source do most use: http://www.ossec.net OR https://bitbucket.org/dcid/ossec-hids Or is the latter just a mirror? Thanks, Phil

[ossec-list] Any way to ship to syslog?

2012-01-10 Thread Phil Cox
Does anyone have the agentless OSSEC configured to then dump logs to a syslog server for later analysis? Phil
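The forwarding Phil is asking about, as an added example (not from the thread): OSSEC's syslog_output block, which makes the manager send its alerts (agent, agentless or local, the source does not matter) to a remote syslog collector. The collector address is a placeholder.

```xml
<!-- ossec.conf on the manager (added example, placeholder collector) -->
<ossec_config>
  <syslog_output>
    <server>10.0.0.5</server>   <!-- placeholder: the syslog collector -->
    <port>514</port>
    <!-- forward only alerts at this level or above; 0 forwards everything -->
    <level>3</level>
  </syslog_output>
</ossec_config>
```

The block alone does nothing until the forwarding daemon is switched on: run /var/ossec/bin/ossec-control enable client-syslog, then restart, and ossec-csyslogd will start sending. It ships plain-text UDP syslog with no authentication or encryption, so restrict it to a management network or tunnel it; use it for alerts, and keep the raw logs going to the collector by the normal syslog path as in the "large installs" plan above.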

[ossec-list] How to trigger cascading alerts

2011-12-30 Thread Phil Cox
Any way to use OSSEC to write a rule that would alert on the following: "If > X failed SSH login attempts, then Success -> Send alert" Any pointers are appreciated. Phil -- Director of Security and Compliance RightScale Inc - http://www.rightscale.com 805-243-0942 Skype: phil.cox.rs Twitter: @se
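The correlation asked for, as an added example (not from the thread and not a stock rule): an OSSEC composite rule that fires on an sshd login success only when the same source address has already produced several failed-password alerts inside the timeframe. The sshd rule ids (5715 success, 5716 failure), the local rule id, the counts and the level are assumptions; confirm the ids in sshd_rules.xml on your installation.

```xml
<!-- local_rules.xml (added example) -->
<group name="local,sshd,">
  <!-- current event must match if_sid (an sshd success, assumed id 5715);
       the rule also requires earlier alerts matching if_matched_sid (failed
       password, assumed id 5716) from the same source IP within timeframe
       seconds. frequency is the count of those earlier alerts. -->
  <rule id="100030" level="12" frequency="5" timeframe="300">
    <if_sid>5715</if_sid>
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>SSH login succeeded after repeated failures from the same source</description>
  </rule>
</group>
```

same_source_ip only works because the stock sshd decoder fills in srcip for both the failure and the success lines. Treat frequency as approximate: OSSEC's documentation notes that the number of matches that actually triggers a rule is two more than the configured value, so replay a real sequence of failures followed by a success (ossec-logtest accepts many lines on stdin and keeps state across them) and tune the count against what you see rather than trusting the number.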