Hi Daniel,

Thanks for your explanation, once again!

For part 2, what I had understood is what you explain. But for part 1, that was absolutely not the case!!! So, I think that could explain why I never received an integrity checking alert... :-)

Long life to Ossec.

Fred

PS: Daniel, maybe that could be a good idea to add your explanation in the FAQ or manual.

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Cid
Sent: Friday, September 22, 2006 11:39 PM
To: [email protected]
Subject: [ossec-list] Re: Another question about alert levels in OSSEC...

Hi Fred,

This is not well explained in our manual, so I will try to explain this "levels" thing here.

Part 1 (setting the levels):

Every rule has a level, which basically means the severity of it. In addition to that, ossec has also some internal rules for syscheck, rootcheck, stats and host information. Since these rules are not in any rules.xml file, we set the severity of them at the global section:

integrity_checking - Alerting level for the events generated by syscheck.
rootkit_detection - Alerting level for the events generated by rootcheck.
stats - Alerting level for the events generated by the statistical analysis.
host_information - Alerting level for the events generated by the host change monitor.

So, these are places where we set the severity of a specific event. For example, if you change the value of "integrity_checking" to 10, every syscheck message about a file change will have this severity.

Part 2 (reading the levels):

Three parts of ossec execute actions based on the levels (severity). The first one is logging, the second one is e-mail alerts and the third one is active responses. For example, if you set "log_alert_level" to 6, ossec will only log the alerts with severity >=6. If you configure your active response with level 10, it will only be executed for alerts with severity >=10.

email_alert_level - Minimum alert level to send e-mail notifications.
log_alert_level - Minimum alert level to store the log messages.

http://www.ossec.net/en/manual.html#active-response-config

Hope it clears this topic a bit..

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/22/06, Fred <[EMAIL PROTECTED]> wrote:
>
> Hello (again!),
>
> In Ossec Server config, we have:
>
> - alert level for Syscheck/Stats/Host (in "global")
> - log_alert_level and email_alert_level in "alerts"
>
> So, that's not very clear for me:
>
> - do alert levels in "global" change alerts emails regarding
> Syscheck/Stats/... ?
> - do parameters in "alerts" change alerts emails regarding
> Syscheck/Stats/... ?
>
> Thanks! And excuse me if that's a silly question ;-)
>
> Fred
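As an added illustration (not code from the thread or from OSSEC itself), the Python below parses a constructed ossec.conf fragment and walks through the two steps Daniel describes: the `<global>` options assign the level of each internal event, and the `<alerts>` thresholds plus the active-response `<level>` decide which consumers act on it. The event-source labels (`syscheck`, `rootcheck`, `stats`, `hostinfo`) and all numeric values are assumptions made for the example.

```python
# Added example (not from the thread or the OSSEC project): simulates how OSSEC
# assigns a level to internal events (part 1) and which consumers act on it
# (part 2). It ignores email_notification and the levels in rule files.
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment; the numbers are illustrative, not defaults.
OSSEC_CONF = """<ossec_config>
  <global>
    <integrity_checking>10</integrity_checking>
    <rootkit_detection>8</rootkit_detection>
    <stats>5</stats>
    <host_information>7</host_information>
  </global>
  <alerts>
    <log_alert_level>6</log_alert_level>
    <email_alert_level>9</email_alert_level>
  </alerts>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>10</level>
  </active-response>
</ossec_config>"""

# Part 1: event source (labels chosen here) -> <global> option that sets its level.
SOURCE_TO_OPTION = {
    "syscheck": "integrity_checking",
    "rootcheck": "rootkit_detection",
    "stats": "stats",
    "hostinfo": "host_information",
}

def load_config(xml_text):
    root = ET.fromstring(xml_text)
    return {
        "levels": {src: int(root.findtext("global/" + opt))
                   for src, opt in SOURCE_TO_OPTION.items()},
        "log": int(root.findtext("alerts/log_alert_level")),
        "email": int(root.findtext("alerts/email_alert_level")),
        "ar": [int(ar.findtext("level")) for ar in root.findall("active-response")],
    }

def dispatch(cfg, source):
    """Part 1: pick the level from <global>; part 2: each consumer fires only at or above its threshold."""
    level = cfg["levels"][source]
    return level, {
        "log": level >= cfg["log"],
        "email": level >= cfg["email"],
        "active_response": any(level >= lvl for lvl in cfg["ar"]),
    }
```

With these values `dispatch(load_config(OSSEC_CONF), "stats")` returns level 5 with every consumer False, because 5 is below the log_alert_level of 6, while a syscheck event at level 10 is logged, mailed and triggers the active response.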
