Changed file alerts and emails

Patrick Swartz

Aug 5, 2011, 8:32:13 AM
to ossec...@googlegroups.com
We recently had several files get changed and using syscheck_control
we can see that Ossec did alert on the change. However, we can't
verify that the email was sent.  Our <email_alert_level> is set at 7
and our <log_alert_level> is set at 5.  But in this example this would
have been at least a 7, yes?
How do I go back to verify if an email notification was sent or not?

/syscheck_control -i 647 -f /bin/setfont
Integrity changes for agent 'srvlx001(647) - 10.16.10.244':
Detailed information for entries matching: '/bin/setfont'

62949500 Dec 26 ,0 - /bin/setfont
File added to the database.
Integrity checking values:
   Size: 118456
   Perm: rwxr-xr-x
   Uid:  0
   Gid:  0
   Md5:  1b93a9014f95b1a4ffd6a7c01e77efc1
   Sha1: f36ddf4c07a4379ea6a7d3783bf5b351faef030e

112418531 Jul 01 á*],0 - /bin/setfont
File changed. - 1st time modified.
Integrity checking values:
   Size: >11448
   Perm: rwxr-xr-x
   Uid:  0
   Gid:  0
   Md5:  >c5cd9f082926e07453ee01fb16122f10
   Sha1: >1cc841366200b35f756db0f61fce03fabd16e97b
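Added example (editor's note, not a post from the thread): the question above can be answered from the OSSEC server itself by reading alerts.log rather than the mail server's logs. In the stock syscheck rule set, "Integrity checksum changed" is rule 550 at level 7 and "File added to the system" is rule 554 at level 5, so with <email_alert_level> at 7 the change shown by syscheck_control should have been mailed and the addition should not. The script below assumes the standard alerts.log layout, in which the "** Alert <id>:" header carries the word "mail" when ossec-analysisd handed the alert to ossec-maild and the "Rule:" line carries the level; it parses a constructed alerts.log excerpt (alert ids and times invented) and reports whether the logged mail flag matches the configured threshold.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): decide from the OSSEC
# server alone whether a syscheck alert was handed to ossec-maild.
# Assumption: in alerts.log the "** Alert <id>:" header carries the word
# "mail" when the alert was flagged for e-mail, and the "Rule:" line
# carries the level; both are then compared with <email_alert_level>.

EMAIL_ALERT_LEVEL=7   # value of <email_alert_level> from the question

# Constructed sample of /var/ossec/logs/alerts/alerts.log (not real data):
# the file-added event (rule 554, level 5) and the later checksum change
# (rule 550, level 7) for /bin/setfont. Alert ids and times are invented.
SAMPLE_ALERTS=$(cat <<'EOF'
** Alert 1293361410.2001: - ossec,syscheck,
2010 Dec 26 10:23:30 (srvlx001) 10.16.10.244->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/bin/setfont' added to the file system.

** Alert 1309521000.3002: mail  - ossec,syscheck,
2011 Jul 01 08:30:00 (srvlx001) 10.16.10.244->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/bin/setfont'
Size changed from '118456' to '11448'
Old md5sum was: '1b93a9014f95b1a4ffd6a7c01e77efc1'
New md5sum is : 'c5cd9f082926e07453ee01fb16122f10'
Old sha1sum was: 'f36ddf4c07a4379ea6a7d3783bf5b351faef030e'
New sha1sum is : '1cc841366200b35f756db0f61fce03fabd16e97b'
EOF
)

# Read alerts.log on stdin; print "<alert id> level=<n> mail=<yes|no>" for
# every alert whose body mentions the path given as $1.
syscheck_alert_status() {
    awk -v path="$1" '
        /^\*\* Alert / {                   # header: a new alert starts
            id = $3; sub(/:$/, "", id)
            mail = ($4 == "mail") ? "yes" : "no"
            level = ""; reported = 0
        }
        /^Rule: / {                        # "Rule: 550 (level 7) -> ..."
            if (match($0, /level [0-9]+/))
                level = substr($0, RSTART + 6, RLENGTH - 6)
        }
        index($0, path) && !reported {     # first body line naming the file
            print id " level=" level " mail=" mail
            reported = 1
        }'
}

# Succeed when an alert level reaches the configured e-mail threshold.
meets_email_threshold() {
    [ "$1" -ge "$EMAIL_ALERT_LEVEL" ]
}

# Cross-check: an alert at or above the threshold should carry mail=yes.
# A level-7 alert without it means analysisd never queued a message, so
# the problem is upstream of any mail server.
audit_file() {
    printf '%s\n' "$SAMPLE_ALERTS" | syscheck_alert_status "$1" |
    while read -r id lvl mail; do
        level=${lvl#level=}
        if meets_email_threshold "$level"; then want=yes; else want=no; fi
        case "$mail" in
            "mail=$want") verdict=consistent ;;
            *)            verdict=MISMATCH ;;
        esac
        echo "$id level=$level expected_mail=$want logged_mail=${mail#mail=} $verdict"
    done
}

audit_file /bin/setfont
```

On a real server replace the constructed sample with `cat /var/ossec/logs/alerts/alerts.log` (or the dated copy under logs/alerts/YYYY/Mon/) piped into syscheck_alert_status. A "mail=yes" line proves only that OSSEC queued the message; what happened after that is in the MTA's log.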

dan (ddp)

Aug 8, 2011, 2:29:01 PM
to ossec...@googlegroups.com
Check your email server's logs?

Swartz, Patrick H

Aug 8, 2011, 4:25:48 PM
to ossec...@googlegroups.com
Is there not a way to verify from the Ossec collector server? The bureaucratic layers to the email server logs are deep and wide such that no man can cross...

Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-201-1192 Company cell
402-871-8981 Personal cell

Jorge Armando Medina

Aug 8, 2011, 5:00:14 PM
to ossec...@googlegroups.com
On 08/08/2011 03:25 PM, Swartz, Patrick H wrote:
> Is there not a way to verify from the Ossec collector server? The bureaucratic layers to the email server logs are deep and wide such that no man can cross...
In these cases, I prefer to install a local sendmail or postfix and
configure it as a smart host that relays through your mail server; this way
you can check your local mail server logs.

Best regards.


--
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jme...@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
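Added example (editor's note, not a post from the thread): what the local-relay approach above buys you in practice. With OSSEC pointed at a Postfix instance on the OSSEC server and that instance relaying to the corporate mail server, every alert mail leaves a line in the local mail log with the upstream relay's verdict (sent, deferred, bounced). The settings in the comments are assumptions for this example, as are the hostnames, addresses and queue ids in the constructed log excerpt; the functions parse that excerpt and summarise the delivery status per message.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): with OSSEC relaying
# through a local Postfix, the delivery verdict for every alert e-mail is
# in the local mail log. Hostnames, addresses and queue ids are placeholders.
#
# Settings this assumes (shown for reference, not applied by this script):
#   ossec.conf <global>:  <smtp_server>127.0.0.1</smtp_server>
#                         <email_from>ossecm@srvlx001.example.com</email_from>
#                         <email_to>secops@example.com</email_to>
#   Postfix on the OSSEC server, as root:
#     postconf -e 'relayhost = [mail.example.com]:25'
#     postconf -e 'inet_interfaces = loopback-only'
#     postfix reload

# Constructed /var/log/mail.log excerpt (not real data): one alert mail
# accepted by the corporate relay, a second one deferred.
SAMPLE_MAILLOG=$(cat <<'EOF'
Aug  8 14:30:01 srvlx001 postfix/smtpd[2101]: 7A1B2C3D4E: client=localhost[127.0.0.1]
Aug  8 14:30:01 srvlx001 postfix/qmgr[1999]: 7A1B2C3D4E: from=<ossecm@srvlx001.example.com>, size=812, nrcpt=1 (queue active)
Aug  8 14:30:02 srvlx001 postfix/smtp[2103]: 7A1B2C3D4E: to=<secops@example.com>, relay=mail.example.com[10.0.0.25]:25, delay=0.6, delays=0.1/0.01/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4F5E6D7C8B)
Aug  8 14:30:02 srvlx001 postfix/qmgr[1999]: 7A1B2C3D4E: removed
Aug  8 14:35:02 srvlx001 postfix/smtp[2104]: 9B8A7C6D5E: to=<secops@example.com>, relay=none, delay=30, delays=0.1/0.01/30/0, dsn=4.4.1, status=deferred (connect to mail.example.com[10.0.0.25]:25: Connection refused)
EOF
)

# Read a Postfix log on stdin; print "<queue id> <status>" for each
# delivery attempt to the recipient in $1 (sent, deferred or bounced).
relay_status() {
    awk -v rcpt="to=<$1>" '
        /postfix\/smtp\[/ && index($0, rcpt) {   # smtp client lines only
            qid = $6; sub(/:$/, "", qid)
            n = split($0, f, ", ")
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^status=/) {
                    st = f[i]; sub(/^status=/, "", st); sub(/ .*/, "", st)
                    print qid, st
                }
        }'
}

# Count how many alert mails the upstream relay actually accepted.
accepted_count() {
    printf '%s\n' "$SAMPLE_MAILLOG" | relay_status "$1" | grep -c ' sent$'
}

printf '%s\n' "$SAMPLE_MAILLOG" | relay_status secops@example.com
accepted_count secops@example.com
```

On a live system feed `relay_status` from `/var/log/mail.log` (or `journalctl -u postfix`) instead of the sample. A "deferred" or "bounced" verdict here, together with a mail=yes flag in alerts.log, places the failure squarely on the path to the corporate mail server without needing access to its logs.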

