Hi, I installed ossec local on my cloud server and configured ossec.conf as 
follows. I tried to detect new additions using 
<alert_new_files>yes</alert_new_files>.

<global>
  <email_notification>yes</email_notification>
  <email_to>my_em...@example.com</email_to>
  <smtp_server>ns0.bt.net.</smtp_server>
  <email_from>my_em...@example.com</email_from>
</global>
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>79200</frequency>
  <alert_new_files>yes</alert_new_files>

  <!-- Directories to check  (perform all possible verifications) -->
  <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
</syscheck>

The local_rules.xml is like,

 <group name="local,syslog,">

    <!-- Note that rule id 5711 is defined at the ssh_rules file
      -  as a ssh failed login. This is just an example
      -  since ip 1.1.1.1 shouldn't be used anywhere.
      -  Level 0 means ignore.
      -->
    <rule id="100001" level="0">
      <if_sid>5711</if_sid>
      <srcip>1.1.1.1</srcip>
      <description>Example of rule that will ignore sshd </description>
      <description>failed logins from IP 1.1.1.1.</description>
    </rule>

    <rule id="554" level="7" overwrite="yes">
      <category>ossec</category>
      <decoded_as>syscheck_new_entry</decoded_as>
      <description>File added to the system.</description>
      <group>syscheck,</group>
    </rule>
</group> <!-- SYSLOG,LOCAL -->

Now, if I add a file in home/user_name, there is no email notification 
coming through the SMTP server. I am using smtp.bt.net, using

dig -t mx smtp.bt.net

to get the SMTP server. What are the possible reasons that I am not getting 
the email?

Many thanks 
