On Thu, Aug 9, 2012 at 8:18 AM, p...@biciunas.com <paul.biciu...@comcast.net> wrote: > ----- Original Message ----- >> h >> >> On Wed, Aug 8, 2012 at 3:39 PM, p...@biciunas.com >> >> You restarted the OSSEC processes after setting it to that? >> >> Can you check the maillog on the mail server to see if the email is >> attempted to be delivered? You could try running the OSSEC processes >> on the server in debug mode, maybe ossec-maild will log something >> useful. > > I did restart the OSSEC processes. > After restarting the processes with debug (./ossec-control enable debug), I > didn't see any interesting log entries from ossec-maild, but no email was > getting through. Since I knew that I can get email through from the ossec > server (I get other alerts), I scrutinized the email-alerts stanza to make > sure I didn't fat finger anything. There being no errors, I started removing > entries that were not present in other email-alerts stanzas, and after > removing <do not delay />, the alert email for rule id 100007 was sent, and I > received it aggregated with other alerts. I can live with that, but it would > be nice to be able to send it without delay. Thanks for all your help - > awesome product.
Interesting. I'll try to play with this later, but I don't do much with that option...
