ossec test notifications do not generate ossec alerts #4339

emkll · 2019-04-12T16:25:13Z

Description

Errors in Apache logs no longer trigger an ossec alert / email notification.

Navigate to a Journalist Interface on a SecureDrop instance that has email notifications set up
Click on Admin, and navigate to Instance Config
Click on "Send Test OSSEC Alert"
Observe no emails are sent to the admin mailbox

Email should be sent shortly after the button is clicked.

Test ossec notification relies on triggering an app error, that is caught by apache logs and then sent to ossec.

Default rule is set to 0, which mean it won't appear in alerts.log (requires level 1) or in emails (requires level 7)

redshiftzero · 2019-04-12T16:49:34Z

More extensive testing of OSSEC rules could help us catch issues like this (relevant: #2134 #2137)

emkll added the OSSEC label Apr 12, 2019

emkll added this to the 0.12.2 milestone Apr 12, 2019

emkll self-assigned this Apr 12, 2019

emkll added the urgent off-sprint issue label Apr 12, 2019

emkll mentioned this issue Apr 12, 2019

Override level of apache error log in ossec config #4340

Merged

4 tasks

redshiftzero closed this as completed in #4340 Apr 16, 2019