Re: [ossec-list] Help with setting up email alerts
On Thu, Mar 3, 2016 at 1:28 PM, jkrew wrote:
> Ok, this is the agent. I thought one could configure the agent to fire off
> emails because of this bit in the doc:
> (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html)
>
> Supported types
>
> Global options are available in the following installation types:
>
> server
> local
>

Neither of those are 'agent.'

> So that helps me understand why it doesn't work, for sure. My purpose is to
> measure how long it takes for the server to alert on an issue compared to
> when it is first reported. I guess I won't use the email option for this.
>

I believe there's a rule for agents restarting, which could be sent out by the ossec server.

> Thanks much - I can't believe I didn't catch this.
Re: [ossec-list] Help with setting up email alerts
Ok, this is the agent. I thought one could configure the agent to fire off emails because of this bit in the doc:
(http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html)

Supported types

Global options are available in the following installation types:

- server
- local

So that helps me understand why it doesn't work, for sure. My purpose is to measure how long it takes for the server to alert on an issue compared to when it is first reported. I guess I won't use the email option for this.

Thanks much - I can't believe I didn't catch this.
Re: [ossec-list] Help with setting up email alerts
On Thu, Mar 3, 2016 at 1:09 PM, jkrew wrote:
> Greetings,
>
> We are using OSSEC as provided by CloudAware. I'm in the process of setting
> up some custom alerts for testing, alerts I would like to receive via email.
>
> I am able to send email from the Linux host via the following:
> echo "test" | mail -s "subject line" myem...@domain.name
>
> To help troubleshoot, I've set the following debug options in
> internal_options.conf:
> syscheck.debug=1
> agent.debug=1
>
> And here is what I've configured in ossec.conf:
>
> cloud aware server

Is this an agent or the server?

> yes
> my email address
> 127.0.0.1
> r...@dns.name
>
> 1
>
> I see no errors in the ossec.log file that indicate that it's even
> attempting to send mail. Am I correct that it should attempt to send me an
> email each time I restart OSSEC - that looks to be a level 7 alert.
>
> Any suggestions for troubleshooting would be MUCH appreciated - it feels
> like there might be an override setting that I'm simply not aware of, but I
> have yet to find anything of that nature.
>

agents do not send email, just the ossec server.
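An added example, not part of the original thread or of OSSEC itself: a check that flags mail settings in an ossec.conf that belongs to an agent, where they have no effect. The element names are the usual ossec.conf ones and are assumed here because the posted config shows only values; the sample configs and addresses are constructed, and treating a `<client>` section as the agent marker is this sketch's heuristic.

```python
import xml.etree.ElementTree as ET

# Mail options acted on only by a server or local install.
MAIL_OPTIONS = {
    "global": ("email_notification", "email_to", "smtp_server", "email_from"),
    "alerts": ("email_alert_level",),
}

# Constructed sample of an agent-side ossec.conf; addresses are placeholders.
AGENT_CONF = """
<ossec_config>
  <client><server-ip>192.0.2.10</server-ip></client>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
</ossec_config>
<ossec_config>
  <alerts><email_alert_level>1</email_alert_level></alerts>
</ossec_config>
"""
# Constructed server-side counterpart: same mail settings, no <client> section.
SERVER_CONF = AGENT_CONF.replace(
    "<client><server-ip>192.0.2.10</server-ip></client>", "")

def ignored_mail_settings(conf_text):
    """Return (role, settings); settings lists mail options an agent will ignore."""
    # ossec.conf may contain several <ossec_config> blocks, so add a single root.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    # Assumption of this sketch: a <client> section means an agent install.
    role = "agent" if root.find(".//client") is not None else "server/local"
    found = []
    for section, options in MAIL_OPTIONS.items():
        for block in root.iter(section):
            for node in block:
                if node.tag in options:
                    found.append((section, node.tag, (node.text or "").strip()))
    return role, (found if role == "agent" else [])

if __name__ == "__main__":
    for name, conf in (("agent", AGENT_CONF), ("server", SERVER_CONF)):
        role, ignored = ignored_mail_settings(conf)
        print(f"{name} sample: role={role}, ignored mail settings={len(ignored)}")
        for section, option, value in ignored:
            print(f"  <{section}><{option}>{value} has no effect on an agent")
```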
[ossec-list] Help with setting up email alerts
Greetings,

We are using OSSEC as provided by CloudAware. I'm in the process of setting up some custom alerts for testing, alerts I would like to receive via email.

I am able to send email from the Linux host via the following:
echo "test" | mail -s "subject line" myem...@domain.name

To help troubleshoot, I've set the following debug options in internal_options.conf:
syscheck.debug=1
agent.debug=1

And here is what I've configured in ossec.conf:

cloud aware server

yes
my email address
127.0.0.1
r...@dns.name

1

I see no errors in the ossec.log file that indicate that it's even attempting to send mail. Am I correct that it should attempt to send me an email each time I restart OSSEC - that looks to be a level 7 alert.

Any suggestions for troubleshooting would be MUCH appreciated - it feels like there might be an override setting that I'm simply not aware of, but I have yet to find anything of that nature.