Re: [ossec-list] ossec with nagios
Why not do a process check for remoted?

On Mar 13, 2014 4:41 PM, "Gaurav Rajput" wrote:
> Hi,
>
> I have an ossec-server along with a nagios-server. All I want is to
> monitor the ossec-remoted from nagios. But the main problem is that
> "ossec-remoted" uses UDP protocol, so it never echoes back. So how would I
> ensure that my ossec-server is up and running (with or without using
> nagios)?
>
> Also, I tried nagios-plugin "check_udp", but, while tackling the UDP, we
> must pass the "send string" and "expect string" as parameters to this
> command. I couldn't find any way to do this. I tried "netcat" too but it's
> not giving me the desired result (as it was echoing the same thing for all
> UDP ports [0-65535]). So is there any specific string that I can send and
> receive some expected string? (I don't have enough time to open the code
> right now.)
>
> Thanks.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
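One way to implement the process check suggested in the reply above as a Nagios-style plugin (an added example, not part of the thread and not OSSEC or Nagios code). It goes one step beyond a bare process check by also confirming that a UDP socket is bound; the port 1514 default, the `ps`/`ss` invocations and the function name are assumptions.

```sh
#!/bin/sh
# Nagios-style check for ossec-remoted. Added example, not OSSEC or Nagios code.
# Assumptions: process name "ossec-remoted"; remoted bound to UDP 1514
# (override with PORT=...). Because remoted never answers a UDP probe, the
# check looks at local state: the process table and the bound UDP sockets.

PORT="${PORT:-1514}"

# evaluate_remoted PROCESS_LIST SOCKET_LIST
#   PROCESS_LIST: one command name per line (output of `ps -eo comm=`)
#   SOCKET_LIST:  bound UDP sockets (output of `ss -lun`)
# Prints a Nagios status line; returns 0 (OK) or 2 (CRITICAL).
evaluate_remoted() {
    if ! printf '%s\n' "$1" | grep -qx 'ossec-remoted'; then
        echo "CRITICAL - ossec-remoted is not running"
        return 2
    fi
    # A field ending in ":PORT" is a local address bound to that port.
    if ! printf '%s\n' "$2" | awk -v p="$PORT" '
            { for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) found = 1 }
            END { exit !found }'; then
        echo "CRITICAL - ossec-remoted is running but nothing is bound to UDP $PORT"
        return 2
    fi
    echo "OK - ossec-remoted is running and UDP $PORT is bound"
    return 0
}

# Constructed sample input (not captured from a real host).
SAMPLE_PROCS='ossec-execd
ossec-analysisd
ossec-remoted'
SAMPLE_SOCKS='UNCONN 0 0 0.0.0.0:1514 0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then
    # Real check; it has to run on the OSSEC server itself (for example via NRPE).
    evaluate_remoted "$(ps -eo comm=)" "$(ss -lun 2>/dev/null)"
    exit $?
else
    evaluate_remoted "$SAMPLE_PROCS" "$SAMPLE_SOCKS"
fi
```

Run with `--live` on the OSSEC server; without arguments it only evaluates the constructed sample.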
Re: [ossec-list] Install Agent on OSSEC Server?
Thanks all for the help. I had another machine laying around, so I installed an 'agent' to the second machine. Once I did that and had it report to the server, everything started working fine and it inserts the blocks in my hosts.deny.

I don't know if it's a bug per se, but I believe that the active responses shouldn't make you install an agent if you just have a server running. Then again, if you are just using one machine, you should probably install 'local' anyways.

Thanks for the responses and help!

On Thursday, March 13, 2014 2:54:43 PM UTC-5, Mike Wisniewski wrote:
> Please see below for the answers...
>
> On Thursday, March 13, 2014 1:30:37 PM UTC-5, dan (ddpbsd) wrote:
>> On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski wrote:
>>> Thanks for the quick response. Please see inline for answers.
>>>
>>> On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
>>>> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
>>>> [...]
>>>>
>>>> Are you using active response?
>>>
>>> Yes, I am trying to use active response. I'm trying to get it to dump IP's
>>> in /etc/hosts.deny. I am reading logs from another device in a directory
>>> that doesn't support ossec. It's actually dumping the apache logs and I'm
>>> trying to get it to add it to the hosts.deny on the server.
>>
>> Make sure AR isn't disabled. Make sure ossec-execd is running. Make
>> sure AR is configured for the server and not just the agents.
>
> I believe I enabled AR for the 'host-deny' command. Attached is my config
> file.
>
> http://pastebin.com/PY8C10Uc
>
> ossec-execd is running as well. The alert shows up in the 'alerts.log'
> file as well, but doesn't add it to /etc/hosts.deny or the
> activeresponse.log. Here's a snip of an alert of me doing a vulnerability
> scan against that box.
>
> ** Alert 1394732302.250449: - apache,invalid_request,
> 2014 Mar 13 12:38:22 snoopy->/data/device-Logs/Apache/sys-error.log
> Rule: 30115 (level 5) -> 'Invalid URI (bad client request).'
> Src IP: 10.0.1.9
> [Thu Mar 13 12:38:22 2014] [error] [client 10.0.1.9] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
>
> Thanks for your response and help.
[ossec-list] ossec with nagios
Hi,

I have an ossec-server along with a nagios-server. All I want is to monitor the ossec-remoted from nagios. But the main problem is that "ossec-remoted" uses UDP protocol, so it never echoes back. So how would I ensure that my ossec-server is up and running (with or without using nagios)?

Also, I tried nagios-plugin "check_udp", but, while tackling the UDP, we must pass the "send string" and "expect string" as parameters to this command. I couldn't find any way to do this. I tried "netcat" too but it's not giving me the desired result (as it was echoing the same thing for all UDP ports [0-65535]). So is there any specific string that I can send and receive some expected string? (I don't have enough time to open the code right now.)

Thanks.
Re: [ossec-list] Install Agent on OSSEC Server?
Please see below for the answers...

On Thursday, March 13, 2014 1:30:37 PM UTC-5, dan (ddpbsd) wrote:
> On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski wrote:
>> Thanks for the quick response. Please see inline for answers.
>>
>> On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
>>> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
>>> [...]
>>>
>>> Are you using active response?
>>
>> Yes, I am trying to use active response. I'm trying to get it to dump IP's
>> in /etc/hosts.deny. I am reading logs from another device in a directory
>> that doesn't support ossec. It's actually dumping the apache logs and I'm
>> trying to get it to add it to the hosts.deny on the server.
>
> Make sure AR isn't disabled. Make sure ossec-execd is running. Make
> sure AR is configured for the server and not just the agents.

I believe I enabled AR for the 'host-deny' command. Attached is my config file.

http://pastebin.com/PY8C10Uc

ossec-execd is running as well. The alert shows up in the 'alerts.log' file as well, but doesn't add it to /etc/hosts.deny or the activeresponse.log. Here's a snip of an alert of me doing a vulnerability scan against that box.

** Alert 1394732302.250449: - apache,invalid_request,
2014 Mar 13 12:38:22 snoopy->/data/device-Logs/Apache/sys-error.log
Rule: 30115 (level 5) -> 'Invalid URI (bad client request).'
Src IP: 10.0.1.9
[Thu Mar 13 12:38:22 2014] [error] [client 10.0.1.9] Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1

Thanks for your response and help.
Re: [ossec-list] Install Agent on OSSEC Server?
On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski wrote:
> Thanks for the quick response. Please see inline for answers.
>
> On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
>> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
>> [...]
>>
>> Are you using active response?
>
> Yes, I am trying to use active response. I'm trying to get it to dump IP's
> in /etc/hosts.deny. I am reading logs from another device in a directory
> that doesn't support ossec. It's actually dumping the apache logs and I'm
> trying to get it to add it to the hosts.deny on the server.

Make sure AR isn't disabled. Make sure ossec-execd is running. Make
sure AR is configured for the server and not just the agents.

>>> and the FAQ says to install the agent but it's a server that's already
>>> being monitored by OSSEC by default.
>>
>> I'll have to check that out, because it makes no sense.
>
> I know one thing is to check to see if 'ossec-analysis' is running, which it
> is.

Yeah, I checked out the FAQ and explained it in a second email.

> Thanks all for the help.
Re: [ossec-list] Install Agent on OSSEC Server?
Thanks for the quick response. Please see inline for answers.

On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
> [...]
>
> Are you using active response?

Yes, I am trying to use active response. I'm trying to get it to dump IP's in /etc/hosts.deny. I am reading logs from another device in a directory that doesn't support ossec. It's actually dumping the apache logs and I'm trying to get it to add it to the hosts.deny on the server.

>> and the FAQ says to install the agent but it's a server that's already
>> being monitored by OSSEC by default.
>
> I'll have to check that out, because it makes no sense.

I know one thing is to check to see if 'ossec-analysis' is running, which it is.

Thanks all for the help.
Re: [ossec-list] Install Agent on OSSEC Server?
On Thu, Mar 13, 2014 at 1:57 PM, dan (ddp) wrote:
> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
>> Simple question... Do I have to install an OSSEC agent on the Server? If
>> so, should I specify a different default directory?
>
> No, you do not need to install an OSSEC agent on the OSSEC manager.
> The server installation performs those functions for that system
> already.
>
>> Something makes me think I don't think so because the server already
>> monitors files, but I'm seeing this message...
>>
>> 2014/03/13 12:42:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> 2014/03/13 12:42:17 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> 2014/03/13 12:42:17 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
>
> Are you using active response?
>
>> and the FAQ says to install the agent but it's a server that's already
>> being monitored by OSSEC by default.
>
> I'll have to check that out, because it makes no sense.

Ok, the FAQ (http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#check-queue-alerts-ar) actually says to add an agent with manage_agents, not to perform an agent installation on the OSSEC manager.

>> Thanks in advance.
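A small triage helper for the error discussed in this thread, combining the FAQ advice quoted above (add an agent with manage_agents) with the earlier suggestion to confirm the daemons are running. This is an added example, not part of the thread and not OSSEC code; the function names and the one-line-per-agent layout of client.keys are assumptions.

```sh
#!/bin/sh
# Added example, not OSSEC code: triage the '/queue/alerts/ar' error from this thread.
# Assumptions: client.keys holds one "ID NAME IP KEY" line per agent added with
# manage_agents; on a default install the files would be
# /var/ossec/logs/ossec.log and /var/ossec/etc/client.keys.

AR_ERR="Queue '/queue/alerts/ar' not accessible"

# count_agents KEYSFILE -> prints the number of non-blank lines (0 if unreadable)
count_agents() {
    if [ -r "$1" ]; then
        grep -c '[^[:space:]]' "$1" || true
    else
        echo 0
    fi
}

# diagnose_ar LOGFILE KEYSFILE
# Returns 0 = error not logged, 1 = logged and no agents defined,
#         2 = logged although agents are defined.
diagnose_ar() {
    if ! grep -qF "$AR_ERR" "$1" 2>/dev/null; then
        echo "OK - analysisd did not report the active response queue error"
        return 0
    fi
    agents=$(count_agents "$2")
    if [ "$agents" -eq 0 ]; then
        echo "AR queue error and no agents in client.keys: add one with manage_agents, then restart OSSEC"
        return 1
    fi
    echo "AR queue error with $agents agent(s) defined: check that ossec-remoted and ossec-execd are running"
    return 2
}

# Demo: log lines copied from the thread, plus a constructed empty client.keys.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ossec.log" <<'EOF'
2014/03/13 12:42:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2014/03/13 12:42:17 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2014/03/13 12:42:17 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
EOF
    : > "$tmp/client.keys"
    diagnose_ar "$tmp/ossec.log" "$tmp/client.keys"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || true
```

Feed it only the log lines written since the last restart, because an older error left in the file would still be matched.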
Re: [ossec-list] Install Agent on OSSEC Server?
On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski wrote:
> Simple question... Do I have to install an OSSEC agent on the Server? If
> so, should I specify a different default directory?

No, you do not need to install an OSSEC agent on the OSSEC manager.
The server installation performs those functions for that system already.

> Something makes me think I don't think so because the server already
> monitors files, but I'm seeing this message...
>
> 2014/03/13 12:42:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2014/03/13 12:42:17 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> 2014/03/13 12:42:17 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)

Are you using active response?

> and the FAQ says to install the agent but it's a server that's already
> being monitored by OSSEC by default.

I'll have to check that out, because it makes no sense.

> Thanks in advance.
[ossec-list] Install Agent on OSSEC Server?
Simple question... Do I have to install an OSSEC agent on the Server? If so, should I specify a different default directory?

Something makes me think I don't think so because the server already monitors files, but I'm seeing this message...

2014/03/13 12:42:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2014/03/13 12:42:17 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2014/03/13 12:42:17 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)

and the FAQ says to install the agent but it's a server that's already being monitored by OSSEC by default.

Thanks in advance.
Re: [ossec-list] strange error message from ossec-keepalive
All,

I'm getting this alert also in 2.7.1. I tried writing a rule to filter them, but it caused remoted to not want to work properly. I'd welcome a hack at this point, if not a proper fix.

--Josh

On Thu, Mar 13, 2014 at 4:37 AM, Bib Kam wrote:
> Hello,
>
> I'm using OSSEC 2.7 but I still get this alert!!
> Please, how to resolve this issue?
>
> Thank you in advance
>
> On Friday, December 3, 2010 1:21:23 AM UTC+1, Daniel Cid wrote:
>> Yes, a bug on OSSEC. These messages are randomly generated and should not
>> reach analysisd.
>>
>> Been fixed on the latest snapshot: http:/www.ossec.net/files/snapshots/
>>
>> thanks,
>>
>> On Thu, Dec 2, 2010 at 6:32 PM, dan (ddp) wrote:
>>> On Thu, Dec 2, 2010 at 4:52 PM, loyd.darby wrote:
>>>> That leaves only a memory / buffer overflow kind of error. If it only
>>>> happened once I would not sweat it.
>>>> It is also "possible" that the log data got corrupted in transit (look at
>>>> netstat -s for host and client interfaces)
>>>> If it repeats, then I would relook at the logs, possibly with a different
>>>> tool.
>>>> Binary data in a log file can hide from editors so cat, grep and strings are
>>>> better tools.
>>>> I think it is unlikely that OSSEC bug can cause this but you could
>>>> re-install as a last resort.
>>>
>>> Or it could be part of the keep alive messages in OSSEC:
>>> (from src/logcollector/logcollector.c)
>>> char *rand_keepalive_str(char *dst, int size)
>>> {
>>>     static const char text[] = "abcdefghijklmnopqrstuvwxyz"
>>>                                "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
>>>                                "0123456789"
>>>                                "!@#$%^&*()_+-=;'[],./?";
>>>     int i, len = rand() % (size - 10);
>>>     strncpy(dst, "--MARK--: ", 12);
>>>     for ( i = 10; i < len; ++i )
>>>     {
>>>         dst[i] = text[rand() % (sizeof text - 1)];
>>>     }
>>>     dst[i] = '\0';
>>>     return dst;
>>> }
>>>
>>>> On 12/02/2010 04:06 PM, Andre Pawlowski wrote:
>>>>> I don't find this log entry in any of my logs. That means that there was
>>>>> no syslog message with this text. Smart didn't detect anything strange
>>>>> either.
>>>>>
>>>>> Andre Pawlowski
>>>>>
>>>>> ---
>>>>>
>>>>> Poor is the pupil who does not surpass his master.
>>>>> -Leonardo da Vinci
>>>>>
>>>>> On 12/02/2010 07:54 PM, loyd.darby wrote:
>>>>>> It means that a syslog message had one of these words in it:
>>>>>> core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
>>>>>> MARK and the string of characters is actually part of the message and it
>>>>>> is likely a disk error.
>>>>>> It definitely should be looked at.
>>>>>>
>>>>>> On 12/02/2010 12:10 PM, dan (ddp) wrote:
>>>>>>> On Thu, Dec 2, 2010 at 11:27 AM, Andre Pawlowski wrote:
>>>>>>>> Hi list,
>>>>>>>>
>>>>>>>> I've got a strange error message from my ossec server that I don't
>>>>>>>> understand:
>>>>>>>>
>>>>>>>> OSSEC HIDS Notification.
>>>>>>>> 2010 Dec 02 09:48:40
>>>>>>>>
>>>>>>>> Received From: kokyt0s->ossec-keepalive
>>>>>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>>>>>>> Portion of the log(s):
>>>>>>>>
>>>>>>>> --MARK--:
>>>>>>>> &pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rV214O@t2#w)Z(k'UQp9]MyDERrOrG[-,e?iS@B3Rg/kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU
>>>>>>>>
>>>>>>>> --END OF NOTIFICATION
>>>>>>>>
>>>>>>>> Has anyone an idea what this means?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> --
>>>>>>>> Andre Pawlowski
>>>>>>>>
>>>>>>>> ---
>>>>>>>>
>>>>>>>> If an idea does not seem absurd at first, it is no good.
>>>>>>>> -Albert Einstein
>>>>>>>
>>>>>>> I think it's "normal" (although I didn't think these messages were
>>>>>>> going to be logged). It's definitely nothing to worry about. I think
>>>>>>> the random text in the message is just padding to make the keep alives
>>>>>>> indistinguishable from other messages based on packet size.
>>>>
>>>> --
>>>> R. Loyd Darby, OSSIM-OCSE
>>>> Project Manager DOC/NOAA/NMFS
>>>> Infrastructure coordinator
>>>> Southeast Fisheries Science Center
>>>> 305-361-4297
Re: [ossec-list] strange error message from ossec-keepalive
Hello,

I'm using OSSEC 2.7 but I still get this alert!!
Please, how to resolve this issue?

Thank you in advance

On Friday, December 3, 2010 1:21:23 AM UTC+1, Daniel Cid wrote:
> Yes, a bug on OSSEC. These messages are randomly generated and should not
> reach analysisd.
>
> Been fixed on the latest snapshot: http:/www.ossec.net/files/snapshots/
>
> thanks,
>
> On Thu, Dec 2, 2010 at 6:32 PM, dan (ddp) wrote:
>> On Thu, Dec 2, 2010 at 4:52 PM, loyd.darby wrote:
>>> That leaves only a memory / buffer overflow kind of error. If it only
>>> happened once I would not sweat it.
>>> It is also "possible" that the log data got corrupted in transit (look at
>>> netstat -s for host and client interfaces)
>>> If it repeats, then I would relook at the logs, possibly with a different
>>> tool.
>>> Binary data in a log file can hide from editors so cat, grep and strings are
>>> better tools.
>>> I think it is unlikely that OSSEC bug can cause this but you could
>>> re-install as a last resort.
>>
>> Or it could be part of the keep alive messages in OSSEC:
>> (from src/logcollector/logcollector.c)
>> char *rand_keepalive_str(char *dst, int size)
>> {
>>     static const char text[] = "abcdefghijklmnopqrstuvwxyz"
>>                                "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
>>                                "0123456789"
>>                                "!@#$%^&*()_+-=;'[],./?";
>>     int i, len = rand() % (size - 10);
>>     strncpy(dst, "--MARK--: ", 12);
>>     for ( i = 10; i < len; ++i )
>>     {
>>         dst[i] = text[rand() % (sizeof text - 1)];
>>     }
>>     dst[i] = '\0';
>>     return dst;
>> }
>>
>>> On 12/02/2010 04:06 PM, Andre Pawlowski wrote:
>>>> I don't find this log entry in any of my logs. That means that there was
>>>> no syslog message with this text. Smart didn't detect anything strange
>>>> either.
>>>>
>>>> Andre Pawlowski
>>>>
>>>> ---
>>>>
>>>> Poor is the pupil who does not surpass his master.
>>>> -Leonardo da Vinci
>>>>
>>>> On 12/02/2010 07:54 PM, loyd.darby wrote:
>>>>> It means that a syslog message had one of these words in it:
>>>>> core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
>>>>> MARK and the string of characters is actually part of the message and it
>>>>> is likely a disk error.
>>>>> It definitely should be looked at.
>>>>>
>>>>> On 12/02/2010 12:10 PM, dan (ddp) wrote:
>>>>>> On Thu, Dec 2, 2010 at 11:27 AM, Andre Pawlowski wrote:
>>>>>>> Hi list,
>>>>>>>
>>>>>>> I've got a strange error message from my ossec server that I don't
>>>>>>> understand:
>>>>>>>
>>>>>>> OSSEC HIDS Notification.
>>>>>>> 2010 Dec 02 09:48:40
>>>>>>>
>>>>>>> Received From: kokyt0s->ossec-keepalive
>>>>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>>>>>> Portion of the log(s):
>>>>>>>
>>>>>>> --MARK--:
>>>>>>> &pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rV214O@t2#w)Z(k'UQp9]MyDERrOrG[-,e?iS@B3Rg/kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU
>>>>>>>
>>>>>>> --END OF NOTIFICATION
>>>>>>>
>>>>>>> Has anyone an idea what this means?
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> --
>>>>>>> Andre Pawlowski
>>>>>>>
>>>>>>> ---
>>>>>>>
>>>>>>> If an idea does not seem absurd at first, it is no good.
>>>>>>> -Albert Einstein
>>>>>>
>>>>>> I think it's "normal" (although I didn't think these messages were
>>>>>> going to be logged). It's definitely nothing to worry about. I think
>>>>>> the random text in the message is just padding to make the keep alives
>>>>>> indistinguishable from other messages based on packet size.
>>>
>>> --
>>> R. Loyd Darby, OSSIM-OCSE
>>> Project Manager DOC/NOAA/NMFS
>>> Infrastructure coordinator
>>> Southeast Fisheries Science Center
>>> 305-361-4297
[ossec-list] ossec-maild tags
Hi,

I have 3 different infrastructures (Development, Production and Testing), running the same configuration (with same ip-address and subnet) and nodes. I have 3 ossec-servers running. Each ossec-server is sending the mails to a central gmail account.

All I want is to categorize the mails from each infrastructure. In other words, I want to tag the emails with Dev, Prod or Test. Is there any way to do this, as I searched a lot in the configuration file?

Thanks.