
[ossec-list] granular email



If we are using the granular email option to send out email on selected 
items, do we need to raise the rule level to above the email_alert_level 
setting? 

I have a few systems that have access to particularly important data 
and which are actually logged into only a couple of times a day (when I 
need to access some of the stored data, for example).  I would like to 
devise a system whereby I am notified whenever I log in.  While I may 
eventually do this as an active response script (the idea being that if 
anyone ever gets a page when they did not log in, they would know to 
initiate emergency response procedures), I am interested in seeing if 
there is a simpler way of accomplishing this.

I have written the appropriate rule to isolate my login (this is a 
viable, though ugly, option for me since there are fewer than 5 accounts 
that will have access to the important systems), and there is an 
appropriate event in alerts.log file, but no email.

The email alert in the ossec.conf file is (I have also tried this as an 
sms alert with no luck):

  <email_alerts>
    <email_to>jives@xxxxxxxxxxxxxxxxxxxxx</email_to>
    <rule_id>666011</rule_id>
    <do_not_delay />
  </email_alerts>

and the alert in the log file looks like:

** Alert 1185311433.1585718: - localauthentication_success,
2007 Jul 24 14:10:33 <SYSTEM>->/var/log/auth.log
Rule: 666011 (level 3) -> 'SSHD authentication success.'
Src IP: XXX.XXX.XXX.XXX
User: jives
Jul 24 14:10:33 <SYSTEM> sshd[55220]: Accepted keyboard-interactive/pam 
for jives from XXX.XXX.XXX.XXX port 62398 ssh2

Thanks.

John


-- 

-------------------------------------------------------------------------
John Ives                                           Phone (510) 642-7773
System & Network Security                           Cell  (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
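As an added example (not from the post above and not the OSSEC project's own configuration), this is one way to express the setup John describes: a local rule that fires only on a successful sshd login by the monitored account, paired with the granular email block. The rule id 666011, the user name jives, the group string authentication_success (taken from the alert header) and the placeholder addresses are assumptions drawn from the post; the point of the example is the alert_by_email option on the rule, which makes OSSEC mail the alert even when the rule level sits below email_alert_level, so the granular rule_id entry does not depend on raising the level.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example; assumes the stock
     sshd success rule tags its alert with the group "authentication_success",
     as the alert header "localauthentication_success" in the post shows). -->
<group name="local,syslog,sshd,">
  <rule id="666011" level="3">
    <!-- only fire on top of an sshd authentication-success alert -->
    <if_group>authentication_success</if_group>
    <match>sshd</match>
    <!-- restrict to the one account that should be logging in;
         the decoder already exposes the user (see "User: jives") -->
    <user>jives</user>
    <!-- alert_by_email mails this alert regardless of email_alert_level;
         a plain level-3 rule stays silent when the threshold is the default 7 -->
    <options>alert_by_email</options>
    <description>SSHD authentication success for monitored account.</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf (relevant fragment only; addresses and
     SMTP host are placeholders) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>jives@example.invalid</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@example.invalid</email_from>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <!-- default threshold; rule 666011 is level 3, so without
         alert_by_email it would never reach the mailer -->
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- granular entry: route this one rule's alerts to the account owner
       immediately instead of batching them -->
  <email_alerts>
    <email_to>jives@example.invalid</email_to>
    <rule_id>666011</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

To confirm the rule matches before relying on it, paste the "Accepted keyboard-interactive/pam ..." line from auth.log into /var/ossec/bin/ossec-logtest and check that the output reports rule 666011; if it still reports the stock sshd rule, the if_group or user field is what needs adjusting, not the email configuration.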






OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.