Yes, the rule works.

Alert 1450884351.34521849: mail - policy_violation,login_time,
2015 Dec 23 15:25:51 localhost->/var/log/secure
Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)

Wednesday, 23 December 2015, 17:14:34 UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu <maxs...@gmail.com> wrote:
> > Yes, I changed it, and all rules are loaded when OSSEC is started.
> >
>
> Is the rule firing (can you see entries for it in the
> /var/ossec/logs/alerts/alerts.log)?
>
> > Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu <maxs...@gmail.com> wrote:
> >> > This rule is located in /var/ossec/rules/policy_rules.xml
> >> >
> >>
> >> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is
> >> commented out in a default installation.
> >>
> >> >
> >> > Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
> >> >>
> >> >> Yes, I want it for a specific mail, but I do not receive mail from this alert.
> >> >>
> >> >> Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
> >> >>>
> >> >>> Hi everyone,
> >> >>>
> >> >>> I am new to OSSEC. I installed the Virtual Appliance of OSSEC and all is
> >> >>> working fine. What can I do to make OSSEC mail me for a specific rule?
> >> >>> For example, for this rule:
> >> >>>
> >> >>> <group name="policy_violation,">
> >> >>>   <rule id="17101" level="9">
> >> >>>     <if_group>authentication_success</if_group>
> >> >>>     <time>06:00 pm - 09:00 am</time>
> >> >>>     <description>Successful login during non-business hours.</description>
> >> >>>     <group>login_time,</group>
> >> >>>   </rule>
> >> >>> </group>
> >> >>>
> >> >>> Any help would be greatly appreciated.
> >> >>>
> >> >>> Thanks,
> >> >>> Maxim

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
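
The check dan asks for in the thread (is rule 17101 firing, and does its entry in alerts.log carry the `mail` marker seen in the pasted alert), as an added example that is not part of the original messages. The second alert in the sample is constructed, and `parse_alerts` and `rule_status` are hypothetical helper names.

```python
import re

# Constructed sample: the alert pasted in the thread, plus one made-up alert
# without the "mail" marker for contrast. A leading "** " is treated as optional.
SAMPLE_LOG = """\
Alert 1450884351.34521849: mail - policy_violation,login_time,
2015 Dec 23 15:25:51 localhost->/var/log/secure
Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)

** Alert 1450884360.34522100: - syslog,sshd,authentication_success,
2015 Dec 23 15:26:00 localhost->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Dec 23 17:26:00 localhost sshd[9300]: Accepted password for msurdu from 192.0.2.10 port 50022 ssh2
"""

HEADER = re.compile(r"^(?:\*\* )?Alert (?P<id>\d+\.\d+):\s*(?P<mail>mail)?\s*-\s*(?P<groups>.*)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_alerts(text):
    """Split alerts.log text into one dict per alert block."""
    alerts, current = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = {"id": h["id"], "mail": h["mail"] is not None,
                       "groups": [g for g in h["groups"].split(",") if g.strip()],
                       "rule": None, "level": None, "desc": None, "log": []}
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue  # text before the first header, or a blank separator
        r = RULE.match(line)
        if r and current["rule"] is None:
            current.update(rule=int(r["rule"]), level=int(r["level"]), desc=r["desc"])
        elif current["rule"] is not None:
            current["log"].append(line)  # raw event line(s) that triggered the rule
    return alerts

def rule_status(text, rule_id):
    """Count how often rule_id fired and how many of those alerts carry 'mail'."""
    hits = [a for a in parse_alerts(text) if a["rule"] == rule_id]
    return {"fired": len(hits), "mail_flagged": sum(a["mail"] for a in hits)}

if __name__ == "__main__":
    print(rule_status(SAMPLE_LOG, 17101))
```

To run it against a live system, pass the contents of /var/ossec/logs/alerts/alerts.log to `rule_status` instead of the sample.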