On Wed, Dec 23, 2015 at 10:26 AM, Maxim Surdu <maxsu...@gmail.com> wrote:
> yes, the rule is working
>
>
> Alert 1450884351.34521849: mail - policy_violation,login_time,
> 2015 Dec 23 15:25:51 localhost->/var/log/secure
> Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
> Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)
>
By default OSSEC will group alerts together in emails. So double-check your emails to make sure it wasn't included with other alerts. This behavior can be changed in /var/ossec/etc/internal_options.conf (I think copying it to local_internal_options.conf and modifying that new file should work).

> Wednesday, 23 December 2015, 17:14:34 UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu <maxs...@gmail.com> wrote:
>> > yes, I changed it and all rules are loaded when OSSEC is started
>> >
>>
>> Is the rule firing (can you see entries for it in
>> /var/ossec/logs/alerts/alerts.log)?
>>
>> > Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu <maxs...@gmail.com> wrote:
>> >> > This rule is located in /var/ossec/rules/policy_rules.xml
>> >> >
>> >>
>> >> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is
>> >> commented out in a default installation.
>> >>
>> >> >
>> >> > Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
>> >> >>
>> >> >> yes, I want it for a specific mail, but I do not receive mail from this
>> >> >> alert
>> >> >>
>> >> >> Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
>> >> >>>
>> >> >>> Hi everyone,
>> >> >>>
>> >> >>> I am new to OSSEC. I installed the Virtual Appliance of OSSEC, all is
>> >> >>> working fine. Can I get OSSEC to mail me for a specific rule?
>> >> >>> for example, for this rule:
>> >> >>>
>> >> >>> <group name="policy_violation,">
>> >> >>>   <rule id="17101" level="9">
>> >> >>>     <if_group>authentication_success</if_group>
>> >> >>>     <time>06:00 pm - 09:00 am</time>
>> >> >>>     <description>Successful login during non-business hours.</description>
>> >> >>>     <group>login_time,</group>
>> >> >>>   </rule>
>> >> >>> </group>
>> >> >>>
>> >> >>> Any help would be greatly appreciated
>> >> >>>
>> >> >>> Thanks,
>> >> >>> Maxim
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>> >> > For more options, visit https://groups.google.com/d/optout.
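Dan's first question in the thread is whether rule 17101 actually fires, and his last point is that the alert may have been grouped into another e-mail. As an added example (not code from the thread or from the OSSEC project), the Python below reads the alerts.log block format quoted above and lists the alerts raised by a given rule id, including whether each carried the "mail" token that OSSEC writes into the header when an alert is queued for e-mail. The log sample is constructed: the first block is the alert Maxim posted, the second is a made-up lower-level alert for contrast.

```python
import re

# Constructed sample in OSSEC alerts.log format. alerts.log prefixes each header
# with "** " (the "**" is missing from the quoted e-mail, not from the real file).
SAMPLE_ALERTS_LOG = """\
** Alert 1450884351.34521849: mail - policy_violation,login_time,
2015 Dec 23 15:25:51 localhost->/var/log/secure
Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)

** Alert 1450884400.34521990: - syslog,sshd,authentication_success,
2015 Dec 23 15:26:40 localhost->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Dec 23 17:26:39 localhost sshd[9300]: Accepted publickey for msurdu from 192.0.2.10 port 50000 ssh2
"""

# Header: "** Alert <unix_ts.counter>: [mail ]- <groups,>"; the optional "mail"
# token is OSSEC's own marker that this alert was handed to the mailer.
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>[\d.]+): (?P<mail>mail )?- (?P<groups>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Yield one dict per alert block; blocks in alerts.log are separated by a blank line."""
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        rule_line = next((l for l in lines if l.startswith("Rule: ")), "")
        rule = RULE_RE.match(rule_line)
        if not head or not rule:
            continue  # not a well-formed alert block, skip it
        yield {
            "timestamp": float(head["ts"]),
            "mail": head["mail"] is not None,
            "groups": [g for g in head["groups"].split(",") if g],
            "rule_id": int(rule["id"]),
            "level": int(rule["level"]),
            "description": rule["desc"],
            "log": lines[-1],  # the original log line that matched the rule
        }


def alerts_for_rule(text, rule_id):
    """Return every alert block raised by rule_id (17101 in the thread)."""
    return [a for a in parse_alerts(text) if a["rule_id"] == rule_id]


for a in alerts_for_rule(SAMPLE_ALERTS_LOG, 17101):
    flag = "queued for e-mail" if a["mail"] else "not queued for e-mail"
    print(f"rule {a['rule_id']} (level {a['level']}) fired, {flag}: {a['log']}")
```

Run it against the real /var/ossec/logs/alerts/alerts.log (read the file into `text`) to confirm both that the rule fires and that the header carries "mail"; if it fires without the flag, the problem is the e-mail configuration rather than the rule.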