ossec.conf
___________
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>my email</email_to>
<smtp_server>127.0.0.1</smtp_server>
<email_from>ossecm@fcappiee</email_from>
<logall>yes</logall>
</global>
<email_alerts>
<email_to>my email</email_to>
<rule_id>550, 553, 554</rule_id>
<do_not_delay />
</email_alerts>
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>cimserver_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>apparmor_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>dovecot_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<include>trend-osce_rules.xml</include>
<include>ms-se_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>zeus_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
<include>openbsd_rules.xml</include>
<include>clam_av_rules.xml</include>
<include>dropbear_rules.xml</include>
<include>sysmon_rules.xml</include>
<include>opensmtpd_rules.xml</include>
<include>exim_rules.xml</include>
<include>local_rules.xml</include>
</rules>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>60</frequency>
<alert_new_files>yes</alert_new_files>
<!-- Directories to check (perform all possible verifications) -->
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin,/data,/home,/opt</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin,/boot,/dev,/null,/lib,/media,/proc,/srv,/mnt</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/data/helpkit/shared/log</ignore>
<ignore>/data/haystack-shipper/logs</ignore>
<ignore>/data/haystack-shipper/data</ignore>
<ignore>/data/helpkit/shared/tmp/cache</ignore>
<ignore>/data/helpkit/current/log</ignore>
<ignore>/dev/pts</ignore>
<ignore>/dev/null</ignore>
<ignore>/dev/tty</ignore>
<ignore>/etc/blkid/blkid.tab</ignore>
<ignore>/etc/sudoers</ignore>
<ignore>/opt/confd/confd.txt</ignore>
<ignore>/var/log</ignore>
<ignore>/opt/SumoCollector/config</ignore>
<ignore>/opt/SumoCollector/logs</ignore>
<ignore>/var/lib</ignore>
<ignore>/var/run</ignore>
<ignore>/var/spool</ignore>
<ignore>/var/cache</ignore>
<ignore>/tmp</ignore>
<ignore>/var/log</ignore>
<ignore>/var/ossec</ignore>
<ignore type="sregex">/home/^/.ssh</ignore>
<ignore type="sregex">/home/^/.bash_history</ignore>
<ignore>/opt/aws/opsworks/releases</ignore>
<ignore>/root/.bash_history</ignore>
<ignore>/root/.monit.state</ignore>
<ignore>/root/.viminfo</ignore>
<ignore>/root/.viminfo.tmp</ignore>
<ignore>/dev/char</ignore>
</syscheck>
<rootcheck>
<frequency>60</frequency>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
<alerts>
<log_alert_level>7</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
</ossec_config>
******************************************************
local_rules.xml
_______________
<group name="local,syslog,">
<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>
</group>
I am not getting email alert if a file is modified / added to my sysytem