Hi!
We are trying to configure more effective notifications for OSSEC for our 
needs. However, something weird is happening. An hourly report of ALL 
alerts is being sent to one address in our config. Here's the email 
configuration of our ossec.conf file:

  <global>
    <email_notification>yes</email_notification>
    <email_to>noreply@localhost</email_to>
    <smtp_server>smtpserver</smtp_server>
    <email_from>os...@domain.com</email_from>
  </global>

  <email_alerts>
    <email_to>email1</email_to>
    <email_to>email2</email_to>
    <email_to>email3</email_to>
    <event_location>several, agents, name</event_location>
  </email_alerts>

  <email_alerts>
    <email_to>ourt...@domain.com</email_to>
    <level>9</level>
  </email_alerts>

  <email_alerts>
    <email_to>email4</email_to>
    <level>10</level>
    <do_not_delay />
    <do_not_group />
  </email_alerts>

  <email_alerts>
    <email_to>ourt...@domain.com</email_to>
    <level>6</level>
    <group>attack</group>
  </email_alerts>

  <email_alerts>
    <rule_id>10100</rule_id>
    <email_to>ourt...@domain.com</email_to>
  </email_alerts>


Basically, here's what I'd like OSSEC to do:

   - Send an email for every level 9 or higher alert
   - Send an email for every matched rule from the attack group of level 6 
   or higher
   - Send an email for the rule 10100, which shows when a user is logged in 
   for the first time.
   - The other rules are for user-specific needs. 

I modified the emails for this example, but in the file, they are in your 
usual name@domain format. We send every alert to noreply@localhost because we 
want to control everything with custom alerts. The email_alert_level is set 
to 0, so every alert is supposed to be sent to this address. But no alert of 
level 3 should be sent to our email box, right? Yet we receive every 
alert at the same time (in the same email) every hour. It is being sent to 
ourt...@domain.com as well as email4. Am I doing something wrong here? 
Can OSSEC behave the way I want it to?

Thanks for the help!
