Hello,
I am working on creating rules to email specific groups when a file changes
in a specific directory on a client. I am trying to copy the below rules,
but for a specific directory. I added the specific directories into the
syscheck section on the client side. I also found and changed the default
setting where the OSSEC server ignores file changes after 3 changes. I
did not clear any counters after applying this change. I think I have
the email to the specific group figured out, but I am not getting the
emails on the changes. The logs are showing some of the changes.
Rules I am trying to copy:
<rule id="550" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed</decoded_as>
  <description>Integrity checksum changed.</description>
  <group>syscheck,</group>
</rule>
<rule id="551" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
  <description>Integrity checksum changed again (2nd time).</description>
  <group>syscheck,</group>
</rule>
<rule id="552" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
  <description>Integrity checksum changed again (3rd time).</description>
  <group>syscheck,</group>
</rule>
<rule id="553" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_deleted</decoded_as>
  <description>File deleted. Unable to retrieve checksum.</description>
  <group>syscheck,</group>
</rule>
<rule id="554" level="0">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>
<rule id="555" level="7">
  <if_sid>500</if_sid>
  <match>^ossec: agentless: </match>
  <description>Integrity checksum for agentless device changed.</description>
  <group>syscheck,agentless</group>
</rule>
Different trial rules:
<rule id="100001" level="13">
  <if_sid>550</if_sid>
  <match>DIRECTORY</match>
  <description>A file has changed in DIRECTORY</description>
</rule>
<rule id="100002" level="13">
  <if_sid>551</if_sid>
  <match>DIRECTORY</match>
  <description>A file has changed (2nd time) in DIRECTORY</description>
</rule>
<rule id="100003" level="13">
  <if_sid>552</if_sid>
  <match>DIRECTORY</match>
  <description>A file has changed (3rd time) in DIRECTORY</description>
</rule>
<rule id="100004" level="13">
  <if_sid>553</if_sid>
  <match>DIRECTORY</match>
  <description>A file was deleted in DIRECTORY</description>
</rule>
<rule id="100005" level="13">
  <if_sid>554</if_sid>
  <match>DIRECTORY</match>
  <description>A file was added in DIRECTORY</description>
</rule>
<rule id="100006" level="13">
  <if_sid>555</if_sid>
  <match>DIRECTORY</match>
  <description>Integrity checksum of a file was changed in DIRECTORY</description>
</rule>
<rule id="100011" level="13">
  <decoded_as>syscheck_integrity_changed</decoded_as>
  <match>DIRECTORY</match>
  <description>Integrity checksum changed.</description>
</rule>
<rule id="100012" level="13">
  <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
  <match>DIRECTORY</match>
  <description>Integrity checksum changed again (2nd time).</description>
</rule>
<rule id="100013" level="13">
  <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
  <match>DIRECTORY</match>
  <description>Integrity checksum changed again (3rd time).</description>
</rule>
<rule id="100014" level="13">
  <decoded_as>syscheck_deleted</decoded_as>
  <match>DIRECTORY</match>
  <description>File deleted. Unable to retrieve checksum.</description>
</rule>
<rule id="100015" level="13">
  <decoded_as>syscheck_new_entry</decoded_as>
  <match>DIRECTORY</match>
  <description>File added to the system.</description>
</rule>
<rule id="100021" level="13">
  <if_matched_group>syscheck</if_matched_group>
  <match>DIRECTORY</match>
  <description>Integrity checksum changed.</description>
</rule>
<rule id="100022" level="13">
  <if_matched_group>syscheck</if_matched_group>
  <match>DIRECTORY</match>
  <description>Integrity checksum changed again (2nd time).</description>
</rule>
<rule id="100023" level="13">
  <if_matched_group>syscheck</if_matched_group>
  <match>DIRECTORY</match>
  <description>Integrity checksum changed again (3rd time).</description>
</rule>
<rule id="100024" level="13">
  <if_matched_group>syscheck</if_matched_group>
  <match>DIRECTORY</match>
  <description>File deleted. Unable to retrieve checksum.</description>
</rule>
<rule id="100025" level="13">
  <if_matched_group>syscheck</if_matched_group>
  <match>DIRECTORY</match>
  <description>File added to the system.</description>
</rule>
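As an added example (not from the message above or from the OSSEC project's own rule files), the per-directory approach the post is reaching for, reduced to a single child rule keyed on all five syscheck parent rules, plus the email routing that sends only that rule to a group address. The path /path/to/watched/, the addresses, and the <email_alerts> block are assumptions, since the post does not show the email side of the configuration.

```xml
<!-- rules/local_rules.xml: one child rule instead of one per parent -->
<group name="local,syscheck,">
  <rule id="100100" level="13">
    <!-- evaluated only after a stock syscheck rule (change, 2nd/3rd
         change, delete, add) has already matched the event -->
    <if_sid>550,551,552,553,554</if_sid>
    <!-- <match> is a substring test against the alert text, which carries
         the full path of the affected file, so a directory prefix is
         enough; /path/to/watched/ is a placeholder -->
    <match>/path/to/watched/</match>
    <description>Syscheck event under /path/to/watched/</description>
    <!-- own group name so it can also be routed by <group> if preferred -->
    <group>syscheck,watched_dir,</group>
  </rule>
</group>

<!-- etc/ossec.conf on the server: route rule 100100 to the team address -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ossec-admins@example.com</email_to>   <!-- placeholder -->
    <smtp_server>smtp.example.com</smtp_server>     <!-- placeholder -->
    <email_from>ossec@example.com</email_from>      <!-- placeholder -->
  </global>
  <email_alerts>
    <email_to>fim-team@example.com</email_to>       <!-- placeholder -->
    <rule_id>100100</rule_id>
    <!-- send immediately instead of batching with other alerts -->
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

Two points worth checking against the trial rules above: <if_matched_group> is a composite-rule option meant to be paired with <frequency> and <timeframe>, so on its own it will not behave like <if_sid>; and level 13 is above the default email threshold of 7, so once the child rule fires the global email_to address receives it even without a dedicated <email_alerts> block.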
You received this message because you are subscribed to the Google Groups
"ossec-list" group.