I figured it out. I had the alert set to a number below my email alert
threshold.
Phil
On Wed, Feb 20, 2013 at 1:06 PM, Phil Cox wrote:
> Is ossec-maild running?
>> Does it try to send the email (you can use tcpdump or the email
>> server's logs to find out)?
>>
>
> Is ossec-maild running?
> Does it try to send the email (you can use tcpdump or the email
> server's logs to find out)?
>
>
It is running. It does NOT seem to be attempting to send email when the
rules fire. I do see the alert in the alert.log file though.
Phil
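The threshold Phil ran into is the gap between the level at which an alert is logged and the level at which it is mailed. The following ossec.conf fragment is an added illustration, not configuration from the thread; the addresses are placeholders and the rule ID is an arbitrary value from the local range.

```xml
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>security@example.com</email_to>      <!-- placeholder recipient -->
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@example.com</email_from>     <!-- placeholder sender -->
  </global>

  <alerts>
    <!-- Everything at level 1 or above is written to alerts.log ... -->
    <log_alert_level>1</log_alert_level>
    <!-- ... but only level 7 and above is mailed. A level-5 custom rule
         therefore shows up in alerts.log and never in the inbox. -->
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

If a rule deserves mail without raising its level across the board, keep the level where it is and add `<options>alert_by_email</options>` to that rule in local_rules.xml; the per-rule option overrides the global email_alert_level for that rule only.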
Having a hard time with this one. I am getting my alerts to fire, and can
test with ossec-logtest. Problem is that I seem to only be getting "some"
of the alerts via email.
yes
redacte...@rightscale.com
localhost
redactedf...@rightscale.com
redactedspec...@rightscale
All,
Probably a simple answer, but not for me. I want an alert to fire any time
there is a sudo operation with the COMMAND being a shell (/bin/bash in this
instance).
Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser
; USER=bob ; COMMAND=/bin/bash
Any pointers? I am new
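One way to do this, added here as an example rather than anything from the thread: hang a custom rule off OSSEC's stock sudo group (rule 5400, the parent of all sudo events) and match on the COMMAND field. Rule ID 100001 and the group name are arbitrary choices in the local range; OSSEC uses its own regex dialect, so the pattern below is kept to literal text with `|` alternation.

```xml
<group name="local,syslog,sudo,">
  <!-- Child of 5400 (initial group for sudo messages, stock OSSEC rule).
       Fires when the command sudo executed is a shell binary; /bin/sh is
       included alongside the /bin/bash case from the question. -->
  <rule id="100001" level="10">
    <if_sid>5400</if_sid>
    <regex>COMMAND=/bin/bash|COMMAND=/bin/sh</regex>
    <description>sudo used to spawn an interactive shell</description>
    <options>alert_by_email</options>
  </rule>
</group>
```

Check the rule with the sample line from the post: paste `Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash` into /var/ossec/bin/ossec-logtest and confirm the output names rule 100001 rather than the generic 5400-series rule. Without the `$` anchor the pattern also catches `/bin/bash -c '...'`, which is usually what you want; add `$` after each alternative if only a bare interactive shell should alert.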
I have a central sys log server that collects logs under /var/log/
That UniqueID part is fairly random, and will come and go as systems launch
and terminate. Is there an easy way to do this. Seems that using
> /var/log/\w+/messages
>
Is the only way I can figure out how to do it, then j
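The `<location>` element does not take a regex; it takes a shell-style wildcard that OSSEC expands with glob(), so a per-host directory layout can be covered with `*`. This is an added example, not configuration from the thread; the caveat about files created after startup is stated as an assumption about the OSSEC versions of this era and should be checked against your release.

```xml
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <!-- Wildcard in the directory component: matches
         /var/log/<UniqueID>/messages for every host directory that exists
         when ossec-logcollector starts. -->
    <location>/var/log/*/messages</location>
  </localfile>
</ossec_config>
```

Assumption to verify: the wildcard is expanded when the collector starts, so a directory created by a host that launches later may not be read until OSSEC is restarted. On a syslog server where hosts come and go, having rsyslog write everything into one file (the hostname is already in each line) sidesteps the problem entirely.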
So here is my plan for a global cloud arch (systems very volatile)
- "Local" install
- Alert via Syslog to central server on dedicated "facility"
- Local Syslog go to central server
- Central console (Graylog2?) parsing all syslog for custom correlation
Should scale to 10's of thousands. We'll se
All,
Which source do most use:
http://www.ossec.net
OR
https://bitbucket.org/dcid/ossec-hids
Or is the latter just a mirror?
Thanks,
Phil
Does anyone have the agentless OSSEC configured to then dump logs to a
syslog server for later analysis?
Phil
Anyway to use OSSEC to write a rule that would alert on the following:
"If > X failed SSH login attempts, then Success -> Send alert"
Any pointers are appreciated.
Phil
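The "N failures then a success" pattern is what OSSEC calls a composite rule: `if_matched_sid` with `frequency` and `timeframe` looks back through recent alerts, `if_sid` constrains the current event, and `same_source_ip` ties the two together. The rules below are an added example, not from the thread; they assume the stock sshd rule IDs 5716 (authentication failed) and 5715 (authentication success), and the local IDs 100010/100011, the threshold of 5 and the 300-second window are arbitrary choices.

```xml
<group name="local,syslog,sshd,">
  <!-- Stage 1: five or more failed SSH logins from one source within
       five minutes (stock rule 5716 = sshd authentication failed). -->
  <rule id="100010" level="10" frequency="5" timeframe="300">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Repeated SSH authentication failures from one source</description>
  </rule>

  <!-- Stage 2: the current event is a successful login (stock rule 5715)
       and the same source produced five or more failures (5716) in the
       preceding five minutes. This is the "then Success -> alert" case. -->
  <rule id="100011" level="12" frequency="5" timeframe="300">
    <if_sid>5715</if_sid>
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>SSH login succeeded after repeated failures from the same source</description>
    <options>alert_by_email</options>
  </rule>
</group>
```

Before adding this, grep the stock rule files for "followed by a success": OSSEC's shipped attack rules already contain a generic version of this pattern, and a local copy mainly serves to tune the threshold, the window and the alert level.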
--
Director of Security and Compliance
RightScale Inc - http://www.rightscale.com
805-243-0942
Skype: phil.cox.rs
Twitter: @se