On Fri, Mar 28, 2014 at 11:33 AM, Ryan <[email protected]> wrote:
> The log search the rules should perform to trigger the email.  The rules are
> in the same group, they are in-between the below entries.  I have had two
> emails trigger from the below rules, but I have tested modifications that
> should have triggered all rules to email.
>

Make sure the modifications trigger an alert. If the (correct) alert
is triggered, check for an email.
If an alert is not triggered, you have 1 problem. If the (correct)
alert is triggered, but you have no email you have a second problem.
It's important to find out which problem you are having.

Beyond that, I don't think I have anything else to offer. I feel like
getting to this point (basically the beginning) has been enough work.

> <group name="group-all-the-new-rules-are-in,">
> </group>
>
> On Friday, March 28, 2014 10:22:51 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Fri, Mar 28, 2014 at 11:19 AM, Ryan <[email protected]> wrote:
>> > Some of the email notifications work, but I think my issue is more with
>> > the rule search.  Below is the email notification:
>>
>> What rule search?
>>
>> >  <email_alerts>
>> >     <email_to>myemail@mydomain</email_to>
>> >     <group>group-all-the-new-rules-are-in</group>
>>
>> Are you sure they're all in this group? Are any of the rules
>> triggering these emails?
>>
>> >     <do_not_delay />
>> >     <do_not_group />
>> >   </email_alerts>
>> >
>> >
>> > On Friday, March 28, 2014 10:11:38 AM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Fri, Mar 28, 2014 at 11:08 AM, Ryan <[email protected]> wrote:
>> >> > In the logs I see that some are triggering.
>> >> >
>> >>
>> >> So, doesn't it seem like the problem is with the email configuration
>> >> and not the rules?
>> >>
>> >> > On Friday, March 28, 2014 9:58:29 AM UTC-5, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Fri, Mar 28, 2014 at 10:53 AM, Ryan <[email protected]> wrote:
>> >> >> > Hello,
>> >> >> > I am working on creating rules to email specific groups when a file
>> >> >> > changes in a specific directory on a client.  I am trying to copy the
>> >> >> > below rules, but for a specific directory.  I added the specific
>> >> >> > directories into the syscheck notation on the client side.  I also
>> >> >> > found and changed the default setting that the ossec server will
>> >> >> > ignore file changes after 3 changes.  I did not clear any counters
>> >> >> > after applying this change.  I think I have the email to the specific
>> >> >> > group figured out, but I am not getting the emails on the changes.
>> >> >> > The logs are showing some of the changes.
>> >> >> >
>> >> >>
>> >> >> Are your rules triggering?
>> >> >>
>> >> >> > Rules I am trying to copy:
>> >> >> >   <rule id="550" level="7">
>> >> >> >     <category>ossec</category>
>> >> >> >     <decoded_as>syscheck_integrity_changed</decoded_as>
>> >> >> >     <description>Integrity checksum changed.</description>
>> >> >> >     <group>syscheck,</group>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="551" level="7">
>> >> >> >     <category>ossec</category>
>> >> >> >     <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
>> >> >> >     <description>Integrity checksum changed again (2nd
>> >> >> > time).</description>
>> >> >> >     <group>syscheck,</group>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="552" level="7">
>> >> >> >     <category>ossec</category>
>> >> >> >     <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
>> >> >> >     <description>Integrity checksum changed again (3rd
>> >> >> > time).</description>
>> >> >> >     <group>syscheck,</group>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="553" level="7">
>> >> >> >     <category>ossec</category>
>> >> >> >     <decoded_as>syscheck_deleted</decoded_as>
>> >> >> >     <description>File deleted. Unable to retrieve
>> >> >> > checksum.</description>
>> >> >> >     <group>syscheck,</group>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="554" level="0">
>> >> >> >     <category>ossec</category>
>> >> >> >     <decoded_as>syscheck_new_entry</decoded_as>
>> >> >> >     <description>File added to the system.</description>
>> >> >> >     <group>syscheck,</group>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="555" level="7">
>> >> >> >     <if_sid>500</if_sid>
>> >> >> >     <match>^ossec: agentless: </match>
>> >> >> >     <description>Integrity checksum for agentless device
>> >> >> > changed.</description>
>> >> >> >     <group>syscheck,agentless</group>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >
>> >> >> > Different trial rules :
>> >> >> >   <rule id="100001" level="13">
>> >> >> >     <if_sid>550</if_sid>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>A file has changed in DIRECTORY</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100002" level="13">
>> >> >> >     <if_sid>551</if_sid>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>A file has changed (2nd time) in
>> >> >> > DIRECTORY</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100003" level="13">
>> >> >> >     <if_sid>552</if_sid>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>A file has changed (3rd time) in
>> >> >> > DIRECTORY</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100004" level="13">
>> >> >> >     <if_sid>553</if_sid>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>A file was deleted in DIRECTORY</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100005" level="13">
>> >> >> >     <if_sid>554</if_sid>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>A file was added in DIRECTORY</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100006" level="13">
>> >> >> >     <if_sid>555</if_sid>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>Integrity checksum of a file was changed in
>> >> >> > DIRECTORY</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >
>> >> >> >   <rule id="100011" level="13">
>> >> >> >     <decoded_as>syscheck_integrity_changed</decoded_as>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>Integrity checksum changed.</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100012" level="13">
>> >> >> >     <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>Integrity checksum changed again (2nd
>> >> >> > time).</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100013" level="13">
>> >> >> >     <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>Integrity checksum changed again (3rd
>> >> >> > time).</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100014" level="13">
>> >> >> >     <decoded_as>syscheck_deleted</decoded_as>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>File deleted. Unable to retrieve
>> >> >> > checksum.</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100015" level="13">
>> >> >> >     <decoded_as>syscheck_new_entry</decoded_as>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>File added to the system.</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >
>> >> >> >   <rule id="100021" level="13">
>> >> >> >     <if_matched_group>syscheck</if_matched_group>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>Integrity checksum changed.</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100022" level="13">
>> >> >> >     <if_matched_group>syscheck</if_matched_group>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>Integrity checksum changed again (2nd
>> >> >> > time).</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100023" level="13">
>> >> >> >     <if_matched_group>syscheck</if_matched_group>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>Integrity checksum changed again (3rd
>> >> >> > time).</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100024" level="13">
>> >> >> >     <if_matched_group>syscheck</if_matched_group>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>File deleted. Unable to retrieve
>> >> >> > checksum.</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >   <rule id="100025" level="13">
>> >> >> >     <if_matched_group>syscheck</if_matched_group>
>> >> >> >     <match>DIRECTORY</match>
>> >> >> >     <description>File added to the system.</description>
>> >> >> >   </rule>
>> >> >> >
>> >> >> > --
>> >> >> >
>> >> >> > ---
>> >> >> > You received this message because you are subscribed to the Google
>> >> >> > Groups
>> >> >> > "ossec-list" group.
>> >> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> >> > send
>> >> >> > an
>> >> >> > email to [email protected].
>> >> >> > For more options, visit https://groups.google.com/d/optout.
>> >> >
>> >
>


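The two-step check in the reply above (did the correct rule fire, and if so, is the alert one that maild could email?) can be run against the server's alerts.log instead of by eye. The script below is an added example, not code from this thread or from the OSSEC project. It parses the alerts.log layout as I know it from OSSEC 2.x (a `** Alert <ts>.<id>: [mail ] - <groups>` header, an agent/date line, a `Rule: N (level L) -> 'desc'` line, then the log text); treat the exact field layout as an assumption and adjust the regexes to your version. The three alert blocks, the host names and the file path are constructed sample data; the rule ids and the group name `group-all-the-new-rules-are-in` come from the thread. `parse_alerts` and `diagnose` are names chosen for this example.

```python
"""Triage OSSEC syscheck alerts: did the rule fire, and is the alert emailable?

Added example (not ossec-list or OSSEC project code). Assumes the OSSEC 2.x
alerts.log layout: a "** Alert" header whose " mail " marker shows the alert
was flagged for email and whose trailing field is the rule's group string,
then a date/agent line, a "Rule:" line, and the raw log text.
"""
import re
from collections import defaultdict

ALERT_HEADER = re.compile(
    r"^\*\* Alert (?P<ts>\d+\.\d+):(?P<mail> mail )? - (?P<groups>.*)$"
)
RULE_LINE = re.compile(
    r"^Rule: (?P<sid>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$"
)

# Constructed sample alerts.log content (agent, host, path and times are made up):
#   - rule 550 fired and carries the mail marker, but only the "syscheck" group
#   - local rule 100001 fired in the custom group but without the mail marker
#   - an unrelated sshd alert, to show filtering by rule id
SAMPLE_ALERTS = """\
** Alert 1396020000.1234: mail  - syscheck,
2014 Mar 28 11:30:00 (client01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/srv/app/config.ini'

** Alert 1396020060.2345: - group-all-the-new-rules-are-in,
2014 Mar 28 11:31:00 (client01) 10.0.0.5->syscheck
Rule: 100001 (level 13) -> 'A file has changed in DIRECTORY'
Integrity checksum changed for: '/srv/app/config.ini'

** Alert 1396020120.3456: - syslog,sshd,
2014 Mar 28 11:32:00 (client01) 10.0.0.5->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Mar 28 11:32:00 client01 sshd[123]: Accepted publickey for ops from 10.0.0.9 port 5555 ssh2
"""


def parse_alerts(text):
    """Return one dict per alert block: ts, mail flag, group list, sid, level, desc, log lines."""
    alerts = []
    current = None
    for line in text.splitlines():
        header = ALERT_HEADER.match(line)
        if header:
            current = {
                "ts": header.group("ts"),
                "mail": header.group("mail") is not None,
                "groups": [g for g in header.group("groups").split(",") if g],
                "sid": None, "level": None, "desc": None, "log": [],
            }
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        rule = RULE_LINE.match(line)
        if rule:
            current["sid"] = int(rule.group("sid"))
            current["level"] = int(rule.group("level"))
            current["desc"] = rule.group("desc")
        elif current["sid"] is not None:
            current["log"].append(line)   # text after the Rule: line is the event itself
    return alerts


def diagnose(alerts, expected_sids, email_group):
    """Apply the two-step check from the thread to each rule id you expected to fire.

    Verdicts: 'not triggered' (problem 1: rule or syscheck config), 'triggered, not
    in email group' and 'triggered, not flagged for mail' (problem 2: email side),
    or 'triggered and flagged for mail' (both steps pass; look at maild and the MTA).
    """
    by_sid = defaultdict(list)
    for alert in alerts:
        by_sid[alert["sid"]].append(alert)

    verdicts = {}
    for sid in expected_sids:
        hits = by_sid.get(sid, [])
        if not hits:
            verdicts[sid] = "not triggered"
        elif not any(email_group in a["groups"] for a in hits):
            # email_alerts <group> is matched against this group string
            verdicts[sid] = "triggered, not in email group"
        elif not any(a["mail"] for a in hits):
            verdicts[sid] = "triggered, not flagged for mail"
        else:
            verdicts[sid] = "triggered and flagged for mail"
    return verdicts


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for sid, verdict in diagnose(parsed, [550, 100001, 100002],
                                 "group-all-the-new-rules-are-in").items():
        print(f"rule {sid}: {verdict}")
```

Run it against `/var/ossec/logs/alerts/alerts.log` by replacing `SAMPLE_ALERTS` with the file contents, and list the rule ids you modified. A "not triggered" verdict sends you back to the rule and syscheck configuration; any "triggered, ..." verdict means the rule is fine and the email configuration is where to look next, which is exactly the split the reply asks you to establish first.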