On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng <daiyuew...@gmail.com> wrote:
> Hi, since it is a fresh install of ossec, I didn't get any emails. The
> notification is turned on as
>

Try using tcpdump (looking for connections to the email server from
the OSSEC system) or check the maillogs on the email server to
determine if there is an error when sending.

> <alert_new_files>yes</alert_new_files>
>
> in ossec.conf
>
> On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>>
>> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
>> > Hi, I installed ossec locally on my cloud server and configured
>> > ossec.conf as follows. I tried to detect new additions using
>> > <alert_new_files>yes</alert_new_files>.
>> >
>> > <global>
>> >      <email_notification>yes</email_notification>
>> >      <email_to>my_e...@example.com</email_to>
>> >      <smtp_server>ns0.bt.net.</smtp_server>
>> >      <email_from>my_e...@example.com</email_from>
>> >    </global>
>> > <syscheck>
>> >      <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> >      <frequency>79200</frequency>
>> >      <alert_new_files>yes</alert_new_files>
>> >
>> >      <!-- Directories to check  (perform all possible verifications) -->
>> >      <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >      <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
>> >      <directories report_changes="yes" realtime="yes" check_all="yes">/home/user_name</directories>
>> >  </syscheck>
>> >
>> > The local_rules.xml looks like this:
>> >
>> >  <group name="local,syslog,">
>> >
>> >     <!-- Note that rule id 5711 is defined at the ssh_rules file
>> >       -  as a ssh failed login. This is just an example
>> >       -  since ip 1.1.1.1 shouldn't be used anywhere.
>> >       -  Level 0 means ignore.
>> >       -->
>> >     <rule id="100001" level="0">
>> >       <if_sid>5711</if_sid>
>> >       <srcip>1.1.1.1</srcip>
>> >       <description>Example of rule that will ignore sshd </description>
>> >       <description>failed logins from IP 1.1.1.1.</description>
>> >     </rule>
>> >
>> >     <rule id="554" level="7" overwrite="yes">
>> >       <category>ossec</category>
>> >       <decoded_as>syscheck_new_entry</decoded_as>
>> >       <description>File added to the system.</description>
>> >       <group>syscheck,</group>
>> >     </rule>
>> > </group> <!-- SYSLOG,LOCAL -->
>> >
>> > Now, if I add a file in /home/user_name, there is no email notification
>> > coming through the SMTP server. I am using smtp.bt.net, using
>> >
>> > dig -t mx smtp.bt.net
>> >
>> > to get the SMTP server. What are the possible reasons that I am not
>> > getting the email?
>> >
>>
>> Are you getting emails for other alerts?
>> Are alerts being triggered for these new files?
>>
>> > Many thanks
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>

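A small diagnostic, added here as an example and not code from the thread or from the OSSEC project, that works through dan's two questions offline: it parses a `<global>` block shaped like the one in the thread, reads a constructed alerts.log excerpt, counts rule 554 ("File added to the system.") alerts, and checks whether each fired at or above OSSEC's default `email_alert_level` of 7, the threshold ossec-maild applies unless `<alerts>` overrides it. The addresses, hostname and timestamps are constructed, not the poster's.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample modelled on the thread's <global> block (not the poster's real values).
OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>ns0.bt.net.</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
</ossec_config>"""

# Constructed alerts.log excerpt; ossec-analysisd writes "mail" after the alert id
# when the alert is handed to ossec-maild for delivery.
ALERTS_LOG = """** Alert 1473091600.1234: mail  - ossec,syscheck,
2016 Sep 05 16:06:40 cloudhost->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
** Alert 1473091700.2345: - ossec,syscheck,
2016 Sep 05 16:08:20 cloudhost->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
"""

ALERT_RE = re.compile(
    r"^\*\* Alert [\d.]+:(?P<mail> mail)?\s+- (?P<groups>\S+)\n[^\n]+\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\)", re.MULTILINE)

def parse_alerts(log):
    """One dict per alert block: rule id, level, groups and whether it was flagged for mail."""
    return [{"rule": int(m["rule"]), "level": int(m["level"]), "mail": m["mail"] is not None,
             "groups": m["groups"].strip(",").split(",")} for m in ALERT_RE.finditer(log)]

def smtp_settings(conf):
    """Pull the settings ossec-maild uses out of the <global> block."""
    g = ET.fromstring(conf).find("global")
    return {k: (g.findtext(k) or "").strip()
            for k in ("email_notification", "smtp_server", "email_to", "email_from")}

def diagnose(conf, log, email_alert_level=7):
    """Answer dan's two questions: do rule 554 alerts fire, and at a level ossec-maild will send?"""
    cfg, new_files = smtp_settings(conf), [a for a in parse_alerts(log) if a["rule"] == 554]
    findings = []
    if cfg["smtp_server"].endswith("."):
        findings.append("smtp_server ends with '.' (MX-record form); confirm ossec-maild resolves it")
    if not new_files:
        findings.append("no rule 554 alerts logged: check realtime syscheck and the rule overwrite")
    findings += [f"rule 554 fired at level {a['level']} < email_alert_level {email_alert_level}"
                 for a in new_files if a["level"] < email_alert_level]
    return {"new_file_alerts": len(new_files), "emailed": sum(a["mail"] for a in new_files),
            "findings": findings}
```

Run it against the real /var/ossec/logs/alerts/alerts.log and ossec.conf: no rule 554 entries at all means syscheck never raised the alert, while entries without the "mail" flag mean the level is below what ossec-maild sends.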