[ossec-list] Automatic Daily Report Failure
Bummi
2018-10-25 19:41:47 UTC
Hello!

I am not getting daily reports emailed to me. Regular email alerts seem to work just fine.

Here is my current configuration:

<alerts>
<log_alert_level>2</log_alert_level>
<email_alert_level>10</email_alert_level>
</alerts>

<reports>
<level>10</level>
<title>Daily report: Alerts with level higher than 10</title>
<email_to>***@mymail.com</email_to>
<group>syscheck</group>
<title>Daily report: File changes</title>
<email_to>***@mymail.com</email_to>
<rule>554</rule>
<title>Daily report: File added to system</title>
<email_to>***@mymail.com</email_to>
</reports>

I see this in my ossec-monitord logs for the level 10 report but nothing for the SYSCHECK or 554 report. I don't have any alerts higher than level 10 so I understand that this particular report will not be sent.

2018-10-25 00:00:16 | ossec-monitord | info | Report 'Daily report: Alerts with level higher than 10' completed and zero alerts post-filter.
2018-10-25 00:00:16 | ossec-monitord | info | Report 'Daily report: Alerts with level higher than 10' empty.
2018-10-25 00:00:11 | ossec-monitord | info | Starting new log after rotation.
2018-10-25 00:00:11 | ossec-monitord | info | Starting daily reporting for 'Daily report: Alerts with level higher than 10'
I understand that reports run at midnight. Is there a way to force run them for testing purposes?

Thanks,

-r
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
j***@wazuh.com
2018-10-27 02:30:39 UTC
Hello Bummi,
I would say you need to create different <reports> tags for your
different needs:

<reports>
<level>10</level>
<title>Daily report: Alerts with level higher than 10</title>
<email_to>***@mymail.com</email_to>
</reports>

<reports>
<group>syscheck</group>
<title>Daily report: File changes</title>
<email_to>***@mymail.com</email_to>
<rule>550</rule>
</reports>

<reports>
<group>syscheck</group>
<title>Daily report: File added to system</title>
<email_to>***@mymail.com</email_to>
<rule>554</rule>
</reports>

Hope that helps.
Regards,

*Javier Castro*
IT Security Engineer — *Wazuh, Inc.*
Rigoberto Avila Jr
2018-10-29 15:19:42 UTC
Thanks so much for the response, Javier.

I will give it a try.


-b
Bummi
2018-11-13 13:21:13 UTC
Thank you, Javier. Your suggestion worked perfectly.


-b
Zack Vanderbilt
2018-11-08 00:10:07 UTC
The daily reporting functionality is being removed. I suggest you implement
via script and cron.

ie

cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group syscheck -r location filename -n "File Modifications" > /tmp/daily_syscheck.txt 2>&1
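Javier's three separate <reports> blocks and Zack's ossec-reportd-over-cron approach apply the same three filters (level, group, rule) to alerts.log. The Python script below is an added example, not OSSEC's code nor anything posted in the thread: it parses a constructed alerts.log sample and runs those three filters, so each report's contents can be checked on demand instead of waiting for the midnight run. It assumes the <level> filter means "this level or above".

```python
import re
# Constructed alerts.log sample (not a real capture), in the OSSEC layout: "** Alert" header with groups, location line, "Rule:" line, body.
SAMPLE_ALERTS_LOG = """\
** Alert 1540425605.1002: - ossec,syscheck,
2018 Oct 25 00:00:05 web01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1540425610.1003: - ossec,syscheck,
2018 Oct 25 00:00:10 web01->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/cron.d/backup' added to the file system.

** Alert 1540425615.1004: mail - syslog,attacks,
2018 Oct 25 00:00:15 web01->/var/log/auth.log
Rule: 40111 (level 10) -> 'Multiple authentication failures.'
Oct 25 00:00:15 web01 sshd[124]: Failed password for root
"""

HEADER = re.compile(r"^\*\* Alert \S+: (?:mail )?- (.*),$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    """Split alerts.log into records: groups, rule id, level, description."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0]) if lines else None
        rule = next((m for m in map(RULE.match, lines[1:]) if m), None)
        if not head or not rule:
            continue  # malformed record: skip it rather than abort the whole report
        alerts.append({"groups": head.group(1).split(","), "rule": int(rule.group(1)),
                       "level": int(rule.group(2)), "description": rule.group(3)})
    return alerts

def report(alerts, level=None, group=None, rule=None):
    """One <reports> filter; <level> is read as 'this level or above' (assumption)."""
    return [a for a in alerts
            if (level is None or a["level"] >= level)
            and (group is None or group in a["groups"])
            and (rule is None or a["rule"] == rule)]

def daily_reports(text):
    """Alert counts for the thread's three reports, each defined as its own block."""
    alerts = parse_alerts(text)
    return {
        "Daily report: Alerts with level higher than 10": len(report(alerts, level=10)),
        "Daily report: File changes": len(report(alerts, group="syscheck")),
        "Daily report: File added to system": len(report(alerts, group="syscheck", rule=554))}
```

Point it at /var/ossec/logs/alerts/alerts.log (read with open()) to preview what ossec-monitord would have counted post-filter for each report.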
Bummi
2018-11-13 13:24:01 UTC
Thank you, Zack.

When is the daily reporting functionality being removed?


-b
Post by Zack Vanderbilt
The daily reporting functionality is being removed. I suggest you
implement via script and cron.
ie
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group syscheck -r location filename -n "File Modifications" > /tmp/daily_syscheck.txt 2>&1
mail -s "Daily Syscheck Report" -a /tmp/daily_syscheck.txt
dan (ddp)
2018-11-13 13:46:30 UTC
Post by Bummi
Thank you, Zack.
When is the daily reporting functionality being removed?
It's not official yet. The pull request hasn't been accepted. I
imagine we'll have 3.2 before (if) it gets removed.
Bummi
2018-11-13 13:18:06 UTC
Thank you, Javier.

Your suggestion worked perfectly.



-b
Bummi
2018-11-13 13:19:17 UTC
Hello, Zach.

Thank you for the tip.

Do we know when the report functionality will be removed?



-b