The log search the rules should perform to trigger the email. The rules are in the same group; they are in between the below entries. I have had two emails trigger from the below rules, but I have tested modifications that should have triggered all rules to email.

<group name="group-all-the-new-rules-are-in,"> </group>

On Friday, March 28, 2014 10:22:51 AM UTC-5, dan (ddpbsd) wrote:
> On Fri, Mar 28, 2014 at 11:19 AM, Ryan <[email protected]> wrote:
> > Some of the email notifications work, but I think my issue is more with the
> > rule search. Below is the email notification:
>
> What rule search?
>
> > <email_alerts>
> >   <email_to>myemail@mydomain</email_to>
> >   <group>group-all-the-new-rules-are-in</group>
>
> Are you sure they're all in this group? Are any of the rules
> triggering these emails?
>
> >   <do_not_delay />
> >   <do_not_group />
> > </email_alerts>
> >
> > On Friday, March 28, 2014 10:11:38 AM UTC-5, dan (ddpbsd) wrote:
> >> On Fri, Mar 28, 2014 at 11:08 AM, Ryan <[email protected]> wrote:
> >> > In the logs I see that some are triggering.
> >>
> >> So, doesn't it seem like the problem is with the email configuration
> >> and not the rules?
> >>
> >> > On Friday, March 28, 2014 9:58:29 AM UTC-5, dan (ddpbsd) wrote:
> >> >> On Fri, Mar 28, 2014 at 10:53 AM, Ryan <[email protected]> wrote:
> >> >> > Hello,
> >> >> > I am working on creating rules to email specific groups when a file
> >> >> > changes in a specific directory on a client. I am trying to copy the
> >> >> > below rules, but for a specific directory. I added the specific
> >> >> > directories into the syscheck notation on the client side. I also
> >> >> > found and changed the default setting that the ossec server will
> >> >> > ignore file changes after 3 changes. I did not clear any counters
> >> >> > after applying this change. I think I have the email to the specific
> >> >> > group figured out, but I am not getting the emails on the changes.
> >> >> > The logs are showing some of the changes.
> >> >>
> >> >> Are your rules triggering?
> >> >>
> >> >> > Rules I am trying to copy:
> >> >> >
> >> >> > <rule id="550" level="7">
> >> >> >   <category>ossec</category>
> >> >> >   <decoded_as>syscheck_integrity_changed</decoded_as>
> >> >> >   <description>Integrity checksum changed.</description>
> >> >> >   <group>syscheck,</group>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="551" level="7">
> >> >> >   <category>ossec</category>
> >> >> >   <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
> >> >> >   <description>Integrity checksum changed again (2nd time).</description>
> >> >> >   <group>syscheck,</group>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="552" level="7">
> >> >> >   <category>ossec</category>
> >> >> >   <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
> >> >> >   <description>Integrity checksum changed again (3rd time).</description>
> >> >> >   <group>syscheck,</group>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="553" level="7">
> >> >> >   <category>ossec</category>
> >> >> >   <decoded_as>syscheck_deleted</decoded_as>
> >> >> >   <description>File deleted. Unable to retrieve checksum.</description>
> >> >> >   <group>syscheck,</group>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="554" level="0">
> >> >> >   <category>ossec</category>
> >> >> >   <decoded_as>syscheck_new_entry</decoded_as>
> >> >> >   <description>File added to the system.</description>
> >> >> >   <group>syscheck,</group>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="555" level="7">
> >> >> >   <if_sid>500</if_sid>
> >> >> >   <match>^ossec: agentless: </match>
> >> >> >   <description>Integrity checksum for agentless device changed.</description>
> >> >> >   <group>syscheck,agentless</group>
> >> >> > </rule>
> >> >> >
> >> >> >
> >> >> > Different trial rules:
> >> >> >
> >> >> > <!-- first attempt: child rules of the stock syscheck rules, narrowed by <match> -->
> >> >> > <rule id="100001" level="13">
> >> >> >   <if_sid>550</if_sid>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>A file has changed in DIRECTORY</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100002" level="13">
> >> >> >   <if_sid>551</if_sid>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>A file has changed (2nd time) in DIRECTORY</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100003" level="13">
> >> >> >   <if_sid>552</if_sid>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>A file has changed (3rd time) in DIRECTORY</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100004" level="13">
> >> >> >   <if_sid>553</if_sid>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>A file was deleted in DIRECTORY</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100005" level="13">
> >> >> >   <if_sid>554</if_sid>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>A file was added in DIRECTORY</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100006" level="13">
> >> >> >   <if_sid>555</if_sid>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>Integrity checksum of a file was changed in DIRECTORY</description>
> >> >> > </rule>
> >> >> >
> >> >> >
> >> >> > <!-- second attempt: standalone rules keyed on the syscheck decoders -->
> >> >> > <rule id="100011" level="13">
> >> >> >   <decoded_as>syscheck_integrity_changed</decoded_as>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>Integrity checksum changed.</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100012" level="13">
> >> >> >   <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>Integrity checksum changed again (2nd time).</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100013" level="13">
> >> >> >   <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>Integrity checksum changed again (3rd time).</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100014" level="13">
> >> >> >   <decoded_as>syscheck_deleted</decoded_as>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>File deleted. Unable to retrieve checksum.</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100015" level="13">
> >> >> >   <decoded_as>syscheck_new_entry</decoded_as>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>File added to the system.</description>
> >> >> > </rule>
> >> >> >
> >> >> >
> >> >> > <!-- third attempt: keyed on the parent rule's group -->
> >> >> > <rule id="100021" level="13">
> >> >> >   <if_matched_group>syscheck</if_matched_group>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>Integrity checksum changed.</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100022" level="13">
> >> >> >   <if_matched_group>syscheck</if_matched_group>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>Integrity checksum changed again (2nd time).</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100023" level="13">
> >> >> >   <if_matched_group>syscheck</if_matched_group>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>Integrity checksum changed again (3rd time).</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100024" level="13">
> >> >> >   <if_matched_group>syscheck</if_matched_group>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>File deleted. Unable to retrieve checksum.</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100025" level="13">
> >> >> >   <if_matched_group>syscheck</if_matched_group>
> >> >> >   <match>DIRECTORY</match>
> >> >> >   <description>File added to the system.</description>
> >> >> > </rule>

-- 
--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
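The two questions dan keeps coming back to (do the rules fire, and do the alerts carry the group that `<email_alerts><group>` filters on) can be checked on paper before touching the server. The script below is an added example, not code from the thread or from OSSEC: it parses a rules fragment and an `<email_alerts>` block with the standard library, works out each rule's effective groups (the enclosing `<group name="...">` plus the rule's own `<group>`), picks the rule that would fire for a syscheck event and reports which granular recipients would be mailed. It approximates OSSEC behaviour rather than reproducing it: `<match>` is modelled as a substring test with `^`/`$` anchors (no `|` alternation), only one level of `<if_sid>` nesting is followed, `<email_alerts><group>` is treated as exact group membership, and a block without its own `<level>` is assumed to fall back to the global `email_alert_level` of 7. Rule ids 100001/100004, the `/opt/app/conf/` path, the `app_conf` group, the recipient address and the syscheck log lines are all constructed for the example.

```python
"""Added example: which OSSEC rule fires for a syscheck event, and whether a
granular <email_alerts> block would mail it. Approximates analysisd/maild:
an <if_sid> child fires when its parent fired and its <match> text is in the
log line (<match> modelled as substring with ^/$ anchors, no regex or '|');
<email_alerts><group> delivers only alerts whose rule carries that group.
Rule ids, paths, the app_conf group, recipient and log lines are constructed."""
import xml.etree.ElementTree as ET

# Parent rules with the ids the thread copies from ossec_rules.xml (abridged).
BASE_RULES = """<group name="ossec,">
  <rule id="550" level="7"><decoded_as>syscheck_integrity_changed</decoded_as>
    <description>Integrity checksum changed.</description><group>syscheck,</group></rule>
  <rule id="553" level="7"><decoded_as>syscheck_deleted</decoded_as>
    <description>File deleted. Unable to retrieve checksum.</description><group>syscheck,</group></rule>
</group>"""

# Constructed local rules. The enclosing <group name> is attached to every rule
# inside it; that is what the <email_alerts><group> filter is checked against.
LOCAL_RULES = """<group name="local,syscheck,app_conf,">
  <rule id="100001" level="13"><if_sid>550</if_sid><match>/opt/app/conf/</match>
    <description>A file has changed in /opt/app/conf</description></rule>
  <rule id="100004" level="13"><if_sid>553</if_sid><match>/opt/app/conf/</match>
    <description>A file was deleted in /opt/app/conf</description></rule>
</group>"""

EMAIL_ALERTS = """<email_alerts><email_to>appteam@example.com</email_to>
  <group>app_conf</group><do_not_delay /><do_not_group /></email_alerts>"""
EMAIL_ALERT_LEVEL = 7  # assumed global <email_alert_level> (OSSEC's default)


def _groups(text):
    return {g.strip() for g in (text or "").split(",") if g.strip()}


def parse_rules(*fragments):
    """Return {rule_id: info}; 'groups' is the enclosing group name plus the rule's own <group>."""
    rules = {}
    for frag in fragments:
        root = ET.fromstring("<root>%s</root>" % frag)
        named = [g for g in root.iter("group") if "name" in g.attrib]
        for container in [root] + named:          # bare top-level rules inherit nothing
            inherited = _groups(container.get("name"))
            for r in container.findall("rule"):
                own = set()
                for g in r.findall("group"):
                    own |= _groups(g.text)
                rules[r.get("id")] = {
                    "level": int(r.get("level")),
                    "if_sid": (r.findtext("if_sid") or "").strip() or None,
                    "decoded_as": (r.findtext("decoded_as") or "").strip() or None,
                    "match": r.findtext("match"),
                    "groups": inherited | own,
                }
    return rules


def ossec_match(pattern, text):
    """Approximation of OSSEC <match>: plain substring, ^ and $ act as anchors."""
    if pattern is None:
        return True
    if pattern.startswith("^") and pattern.endswith("$"):
        return text == pattern[1:-1]
    if pattern.startswith("^"):
        return text.startswith(pattern[1:])
    if pattern.endswith("$"):
        return text.endswith(pattern[:-1])
    return pattern in text


def fire(rules, decoded_as, log_line):
    """Rule raised: the decoder's parent, superseded by the first <if_sid> child
    (file order) whose <match> hits. Only one level of nesting is followed."""
    parent = next((rid for rid, r in rules.items()
                   if r["decoded_as"] == decoded_as and r["if_sid"] is None), None)
    if parent is None:
        return None
    for rid, r in rules.items():
        if r["if_sid"] == parent and ossec_match(r["match"], log_line):
            return rid
    return parent


def email_recipients(email_alerts_xml, level, groups, email_alert_level=EMAIL_ALERT_LEVEL):
    """Recipients of every <email_alerts> block the alert qualifies for. <group> is
    treated as exact membership; a missing <level> falls back to the global level (assumption)."""
    root = ET.fromstring("<root>%s</root>" % email_alerts_xml)
    rcpts = []
    for blk in root.findall("email_alerts"):
        min_level = int(blk.findtext("level") or email_alert_level)
        wanted = {g.text.strip() for g in blk.findall("group")}
        if level >= min_level and (not wanted or wanted & groups):
            rcpts += [e.text.strip() for e in blk.findall("email_to")]
    return rcpts


def route(decoded_as, log_line, local_rules=LOCAL_RULES):
    """(rule id that fired, granular email recipients) for one syscheck event."""
    rules = parse_rules(BASE_RULES, local_rules)
    rid = fire(rules, decoded_as, log_line)
    if rid is None:
        return None, []
    return rid, email_recipients(EMAIL_ALERTS, rules[rid]["level"], rules[rid]["groups"])


# Constructed syscheck alert lines in the shape analysisd builds for rules 550/553.
SAMPLES = [
    ("syscheck_integrity_changed", "Integrity checksum changed for: '/opt/app/conf/db.yml'"),
    ("syscheck_integrity_changed", "Integrity checksum changed for: '/etc/hosts'"),
    ("syscheck_deleted", "File '/opt/app/conf/old.yml' was deleted. Unable to retrieve checksum."),
]

if __name__ == "__main__":
    for decoded, line in SAMPLES:
        print(route(decoded, line), "<-", line)
```

The case worth noticing is a child rule pasted into `local_rules.xml` outside any named `<group>` and without a `<group>` of its own: it still fires at level 13, but its group set is empty, so a granular `<email_alerts>` block with a `<group>` filter never selects it; only the global `<email_to>` recipients see it. On a real server the equivalent check is the alert header in `/var/ossec/logs/alerts/alerts.log`, which lists the groups attached to the alert and is marked `mail` when maild is going to send it.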
