Monday, August 01, 2005

sending tripwire reports to multiple email addresses

Intrusion Detection with Tripwire:

"Do this by adding a comma after the severity= line and putting emailto= on the next line, followed by the email addresses to send the violation reports for that rule. Multiple emails will be sent if more than one email address is specified and they are separated by a semi-colon."

It took me forever to find how to add a second email address to the list of email addresses that Tripwire sends its report to. And the first link I found said the email addresses have to be delimited by semi-colons, which didn't work.

Then I found this link, which says:
To specify more than one address with the emailto rule attribute, the entire space-delimited list of addresses must be quoted:

emailto="one@machine.com two@machine.com"


The above did not work either. It might be meant for another version of Tripwire or something. As far as I remember, most MTAs will expect a comma-delimited string containing the email addresses, so I tried the following:

emailto="one@machine.com,two@machine.com"

and it works.
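A small check for the situation described in this post, added here as an example and not part of the original post or of Tripwire itself: it scans policy text for `emailto` attributes and reports which delimiter each one uses, so address lists written in the semicolon or space forms can be found before the policy file is rebuilt. It assumes, as the post reports for the author's installation, that the comma form is the one that gets delivered; the sample policy, rule names and function names are constructed.

```python
import re

# emailto = "quoted list"  or  emailto = bare-token
EMAILTO_RE = re.compile(r'emailto\s*=\s*(?:"([^"]*)"|([^\s,;)]+))', re.IGNORECASE)
# Checked in this order; the first pattern found in the value names the delimiter.
DELIMS = (("semicolon", ";"), ("comma", ","), ("space", r"\s"))

# Constructed sample policy text (not taken from any real twpol.txt).
SAMPLE_POLICY = '''\
(
  rulename = "Constructed rule A",
  severity = 100,
  emailto = "one@machine.com;two@machine.com"
)
{ /etc/passwd -> $(ReadOnly) ; }
(
  rulename = "Constructed rule B",
  severity = 66,
  emailto = "one@machine.com two@machine.com"
)
{ /etc/hosts -> $(ReadOnly) ; }
(
  rulename = "Constructed rule C",
  severity = 66,
  emailto = "one@machine.com,two@machine.com"
)
{ /etc/fstab -> $(ReadOnly) ; }
'''

def audit_emailto(policy_text):
    """Return a (line_no, delimiter, addresses) tuple for each emailto attribute."""
    findings = []
    for line_no, line in enumerate(policy_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop policy comments, which start with '#'
        for m in EMAILTO_RE.finditer(code):
            value = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
            delim = next((n for n, pat in DELIMS if re.search(pat, value)), "single")
            addresses = [a for a in re.split(r"[;,\s]+", value) if a]
            findings.append((line_no, delim, addresses))
    return findings

def needs_fix(findings):
    """Entries using the delimiters that did not work for the post's author."""
    return [f for f in findings if f[1] in ("semicolon", "space")]

if __name__ == "__main__":
    for line_no, delim, addrs in needs_fix(audit_emailto(SAMPLE_POLICY)):
        print(f'line {line_no}: {delim}-delimited; try emailto="{",".join(addrs)}"')
```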