On 12-01-06 03:09 PM, dan (ddp) wrote:
> On Fri, Jan 6, 2012 at 5:51 PM, Ross Lawrie <[email protected]> wrote:
>> Hi,
>>
>> I've been trying to get this to work, but I'm obviously missing
>> something or not understanding something. What I'd like to do is issue an
>> alert to an alternate email address should a file change occur within a
>> particular directory.
>>
>> From my reading, it seemed like the method to do this would be to create
>> a custom rule, and then have an alert based on it in the ossec.conf.
>> Unfortunately nothing seems to be happening...
>>
>> In local_rules.xml I've created a custom rule:
>>
>> <group name="syscheck,">
>> ...
>>   <rule id="100023" level="10">
>>      <description>Change to a custom directory</description>
>>      <match>/home/ross</match>
>>   </rule>
> Does this rule get triggered?

Good question, I hadn't thought to track down the appropriate log file
(alerts.log, right?). It doesn't appear to be triggered; I'm only seeing
the usual (550/554) IDs being triggered, for example:

** Alert 1325894109.26688: mail  - ossec,syscheck,
2012 Jan 06 15:55:09 myhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/ross/ross-test'
Size changed from '47' to '13'
Old md5sum was: 'c3fbbd59f074b47bcdc99ddbb4af329a'
New md5sum is : '3ebfdcf378cc6221db90e4d6f11900f3'
Old sha1sum was: '491150eb08a96cd1baf222df1e4173d21800457f'
New sha1sum is : '76951d7c9d6b27d972c12866095cef8fca25b4e6'

Does the match/regex not work against the line containing the file name?
I have other custom rules that seem to work (and that I've disabled as
part of my efforts to get this one to work, just in case they were
conflicting somehow) so I think I've got it in the right place. I've
changed the match/regex to only be against the word 'ross', just to try
and increase my chances, but still no luck.

>
>> ...
>> </group>
>>
>> (I've also tried <regex> rather than <match>)
>>
>> In ossec.conf, I've set this up:
>>
>> <ossec_config>
>> ...
>>   <email_alerts>
>>      <email_to>[email protected]</email_to>
>>      <rule_id>100023</rule_id>
>>      <do_not_delay />
>>      <do_not_group />
>>   </email_alerts>
>> ...
>> </ossec_config>
>>
>> Now, alerting to the email address defined globally is working, and I'm
>> seeing alerts on file changes/creation/deletion that I make within the
>> directory I'm watching (/home/ross for example), but I'm not seeing
>> alerts going to the email address shown above - nor alerts to either
>> address with the description set in the custom rule.
>>
>> Perhaps I'm going about this the wrong way, or there's an easier way to
>> do this, but my search engine results haven't helped me, so hopefully
>> someone here can point me in the right direction.
>>
>> Ross.
> Is the working address also an @riverstyx.net email address? Have you
> checked your maillogs to see if they provide a hint?

The working address is also a riverstyx.net address, I've even tried the
same address (since the description identifier and rule-id ought to make
it distinguishable). As noted above though, I'm not seeing it trigger in
the alerts.log, so obviously I've done something wrong with the actual
rule at this point, and the email address isn't even getting a chance to
be an issue at this point.
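As an added illustration (not part of this thread, and not the poster's own configuration), this is the shape a syscheck child rule usually takes in local_rules.xml: it is chained off the built-in syscheck rules with <if_sid> so it is only evaluated for integrity events, and <match> is then tested against the alert text that carries the file path (as in the alert shown above). The rule id, level and path are the ones used in the thread; the `<email_alerts>` block already quoted above selects this rule by id.

```xml
<group name="syscheck,">
  <!-- Fire only for syscheck events already matched by the built-in rules:
       550 = checksum changed, 553 = file deleted, 554 = file added.
       Without the if_sid chain the rule is evaluated as a generic rule
       and never sees the syscheck alert text. -->
  <rule id="100023" level="10">
    <if_sid>550,553,554</if_sid>
    <!-- Matched against the alert body, e.g.
         "Integrity checksum changed for: '/home/ross/ross-test'" -->
    <match>/home/ross</match>
    <description>Change to a custom directory</description>
  </rule>
</group>
```

After a restart, a change under /home/ross should appear in alerts.log under rule 100023 (with the custom description) instead of under 550/554, and only then does the <rule_id> filter in <email_alerts> have anything to deliver.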
