[ossec-list] Re: granular email
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: granular email
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Tue, 24 Jul 2007 23:18:43 -0300
- Cc: "John Ives" <jives@xxxxxxxxxxxxxxxxxxxxx>
Hi John,
When using the granular email option, you need to raise the rule level above the
email_alert_level or use the "alert_by_email" option to set it for a
specific rule.
Basically, on the header of the alert you need to have the "mail" in there for it
to be evaluated by maild:
** Alert 1185249260.298: mail - xx,
Anyway, in my opinion, the best way to accomplish what you are trying to do is by
creating a local rule that is going to alert on any successful login to this host:
<rule id="100200" level="3">
  <if_group>authentication_success</if_group>
  <hostname>system1</hostname>
  <options>alert_by_email</options>
  <description>Login to secure server.</description>
</rule>
After that, you can create your granular config:
<email_alerts>
  <email_to>jives@xxxxxxxxxxxxxxxxxxxxx</email_to>
  <rule_id>100200</rule_id>
  <do_not_delay />
</email_alerts>
hope it helps...
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/24/07, John Ives <jives@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> If we are using the granular email option to send out email on selected
> items, do we need to raise the rule level to above the email_alert_level
> setting?
>
> I have a few systems that have access to particularly important data
> and which are actually logged into only a couple times a day (when I
> need to access some of the stored data, for example). I would like to
> devise a system whereby I am notified whenever I log in. While I may
> eventually do this as an active response script (the idea being that if
> anyone ever gets a page when they did not log in they would know to
> initiate emergency response procedures), I am interested in seeing if
> there is a simpler way of accomplishing this.
>
> I have written the appropriate rule to isolate my login (this is a
> viable, though ugly, option for me since there are fewer than 5 accounts
> that will have access to the important systems), and there is an
> appropriate event in alerts.log file, but no email.
>
> The email alert in the ossec.conf file is (I have also tried this as an
> SMS alert with no luck):
>
> <email_alerts>
> <email_to>jives@xxxxxxxxxxxxxxxxxxxxx</email_to>
> <rule_id>666011</rule_id>
> <do_not_delay />
> </email_alerts>
>
> and the alert in the log file looks like:
>
> ** Alert 1185311433.1585718: - localauthentication_success,
> 2007 Jul 24 14:10:33 <SYSTEM>->/var/log/auth.log
> Rule: 666011 (level 3) -> 'SSHD authentication success.'
> Src IP: XXX.XXX.XXX.XXX
> User: jives
> Jul 24 14:10:33 <SYSTEM> sshd[55220]: Accepted keyboard-interactive/pam
> for jives from XXX.XXX.XXX.XXX port 62398 ssh2
>
> Thanks.
>
> John
>
>
> --
>
> -------------------------------------------------------------------------
> John Ives Phone (510) 642-7773
> System & Network Security Cell (510) 229-8676
> University of California, Berkeley
> -------------------------------------------------------------------------
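The two-stage check Daniel describes, as an added example that is not part of this thread or of OSSEC's own code: a small Python model of the decision maild makes. An alert is only considered for e-mail when its header carries the "mail" flag (level at or above the global email_alert_level, or the rule has the alert_by_email option); only then does a granular <email_alerts> block match on rule_id. The model parses John's alert exactly as quoted above, renders the header Daniel's rule 100200 would produce, and shows why the first gets no e-mail although its rule_id is configured, while the second does. The global level value (7), the address jives@example.invalid and the <group>/<ossec_config> wrapper elements are constructed assumptions, and the flag logic follows the explanation in the thread rather than the OSSEC source.

```python
import re
import xml.etree.ElementTree as ET

# Assumed global <email_alert_level> (constructed value; John's rule is level 3, below it).
EMAIL_ALERT_LEVEL = 7

# alerts.log header: "** Alert <timestamp>: [mail ]- <group,group,>" and the Rule line
HEADER_RE = re.compile(r"^\*\* Alert (\d+\.\d+):\s*(.*?)\s*-\s*(.*?),?\s*$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

# Daniel's local rule; the <group> wrapper is constructed so it parses stand-alone.
LOCAL_RULES_XML = """<group name="local,">
  <rule id="100200" level="3">
    <if_group>authentication_success</if_group>
    <hostname>system1</hostname>
    <options>alert_by_email</options>
    <description>Login to secure server.</description>
  </rule>
</group>"""

# Granular blocks for both rule ids in the thread (address and wrapper are constructed).
EMAIL_ALERTS_XML = """<ossec_config>
  <email_alerts>
    <email_to>jives@example.invalid</email_to>
    <rule_id>100200</rule_id>
    <do_not_delay />
  </email_alerts>
  <email_alerts>
    <email_to>jives@example.invalid</email_to>
    <rule_id>666011</rule_id>
  </email_alerts>
</ossec_config>"""

# John's alert as quoted in the thread (addresses already masked by the author).
JOHN_ALERT = """** Alert 1185311433.1585718: - localauthentication_success,
2007 Jul 24 14:10:33 <SYSTEM>->/var/log/auth.log
Rule: 666011 (level 3) -> 'SSHD authentication success.'
Src IP: XXX.XXX.XXX.XXX
User: jives
Jul 24 14:10:33 <SYSTEM> sshd[55220]: Accepted keyboard-interactive/pam for jives from XXX.XXX.XXX.XXX port 62398 ssh2"""


def load_rules(xml_text):
    """Map rule id -> (level, set of <options>) from a rules document."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        options = {o.text.strip() for o in rule.findall("options") if o.text}
        rules[rule.get("id")] = (int(rule.get("level")), options)
    return rules


def load_email_alerts(xml_text):
    """Collect the granular <email_alerts> blocks (recipient plus rule_id filter)."""
    return [{"email_to": b.findtext("email_to"), "rule_id": b.findtext("rule_id")}
            for b in ET.fromstring(xml_text).findall("email_alerts")]


def has_mail_flag(level, options, email_alert_level=EMAIL_ALERT_LEVEL):
    """The thread's point: 'mail' is set when the level reaches the global e-mail
    level or the rule carries <options>alert_by_email</options>."""
    return level >= email_alert_level or "alert_by_email" in options


def render_header(timestamp, level, options, groups, email_alert_level=EMAIL_ALERT_LEVEL):
    """Header line analysisd would write for a rule hit (modelled from the thread)."""
    flag = "mail " if has_mail_flag(level, options, email_alert_level) else ""
    return f"** Alert {timestamp}: {flag}- {','.join(groups)},"


def parse_alert(text):
    """Extract the fields maild needs from one alerts.log entry."""
    alert = {"flags": set(), "groups": [], "rule_id": None, "level": None}
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line)
        if m:
            alert["timestamp"] = m.group(1)
            alert["flags"] = set(m.group(2).split())
            alert["groups"] = [g for g in m.group(3).split(",") if g]
            continue
        m = RULE_RE.match(line)
        if m:
            alert["rule_id"], alert["level"] = m.group(1), int(m.group(2))
    return alert


def granular_recipients(alert, email_alert_blocks):
    """maild only evaluates alerts flagged 'mail'; a granular block then matches
    when its <rule_id> equals the alert's rule."""
    if "mail" not in alert["flags"]:
        return []
    return [b["email_to"] for b in email_alert_blocks if b["rule_id"] == alert["rule_id"]]


def explain(alert_text, email_alert_blocks):
    """One-line verdict, in the terms the thread uses."""
    alert = parse_alert(alert_text)
    if "mail" not in alert["flags"]:
        return (f"rule {alert['rule_id']} (level {alert['level']}): no 'mail' flag in header, "
                "maild never sees it; raise the level or add alert_by_email")
    rcpts = granular_recipients(alert, email_alert_blocks)
    if not rcpts:
        return f"rule {alert['rule_id']}: flagged for mail but no granular block matches"
    return f"rule {alert['rule_id']}: mail to {', '.join(rcpts)}"


if __name__ == "__main__":
    blocks = load_email_alerts(EMAIL_ALERTS_XML)
    print(explain(JOHN_ALERT, blocks))  # matching rule_id, but no flag: no e-mail
    level, options = load_rules(LOCAL_RULES_XML)["100200"]
    header = render_header("1185249260.298", level, options, ["local", "authentication_success"])
    print(explain(header + "\nRule: 100200 (level 3) -> 'Login to secure server.'", blocks))
```

Running the script prints the verdict for John's alert first (no "mail" flag, so maild never evaluates it, regardless of the matching rule_id block) and then for the alert Daniel's rule would produce, which carries the flag via alert_by_email and resolves to the configured recipient.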
OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.