I am seeing the same behavior. I have:
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
but I am seeing alerts as low as 3 and 4:
OSSEC HIDS Notification.
2006 Oct 15 22:02:05
Received From: ...>/var/log/secure
Rule: 10100 fired (level 4) -> "First time user logged in."
Portion of the log(s):
sshd[8064]: Accepted publickey for ... from ... port 49727 ssh2
--END OF NOTIFICATION
Any suggestions on how to limit email notifications?
Thanks,
Warren
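
The behaviour Warren describes is OSSEC working as designed rather than the threshold being ignored: a rule can carry <options>alert_by_email</options>, which forces an e-mail for that rule regardless of <email_alert_level>, and the stock syslog_rules.xml entry for rule 10100 ("First time user logged in.") carries exactly that option. A quick check against an installed rule set is: grep -l alert_by_email /var/ossec/rules/*.xml. The Python below is an added example, not code from the post or from OSSEC; it models the documented decision (no_email_alert wins, then alert_by_email, then the global threshold) over a constructed <alerts> block matching the post and a constructed rule set in which the 10100 entry mirrors the stock rule and ids 100001/100002 are hypothetical. It also shows the usual fix, a local_rules.xml entry with overwrite="yes" and <options>no_email_alert</options>, which assumes a release that supports the overwrite attribute.

```python
"""Model of OSSEC's per-rule e-mail decision (added example, not OSSEC code).

Precedence reproduced here: a rule with <options>no_email_alert</options> is
never mailed, a rule with <options>alert_by_email</options> is always mailed,
and otherwise the global <email_alert_level> decides.  All XML is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed <alerts> block, same values as in the post.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>"""

# Constructed rule set.  The alert_by_email option on 10100 (mirroring the
# stock syslog_rules.xml entry), not its level, is what triggers the mail.
# Ids 100001 and 100002 are hypothetical local rules.
STOCK_RULES = """<group name="syslog,">
  <rule id="10100" level="4">
    <if_group>authentication_success</if_group>
    <description>First time user logged in.</description>
    <options>alert_by_email</options>
  </rule>
  <rule id="5715" level="3">
    <description>SSHD authentication success.</description>
  </rule>
  <rule id="100001" level="8">
    <description>Hypothetical rule above the mail threshold.</description>
  </rule>
  <rule id="100002" level="9">
    <description>Hypothetical noisy rule with mail suppressed.</description>
    <options>no_email_alert</options>
  </rule>
</group>"""

# Constructed local_rules.xml override: same id, overwrite="yes", mail off.
LOCAL_RULES = """<group name="local,">
  <rule id="10100" level="4" overwrite="yes">
    <if_group>authentication_success</if_group>
    <description>First time user logged in.</description>
    <options>no_email_alert</options>
  </rule>
</group>"""


def parse_alert_levels(conf_xml):
    """Return (log_alert_level, email_alert_level) from an ossec.conf fragment."""
    alerts = ET.fromstring(conf_xml).find("alerts")
    return (int(alerts.findtext("log_alert_level", "1")),
            int(alerts.findtext("email_alert_level", "7")))


def parse_rules(rules_xml):
    """Return {rule_id: {"level", "overwrite", "options"}} for one rule file."""
    rules = {}
    for r in ET.fromstring(rules_xml).iter("rule"):
        rules[r.get("id")] = {
            "level": int(r.get("level")),
            "overwrite": r.get("overwrite", "no") == "yes",
            "options": {o.text.strip() for o in r.findall("options") if o.text},
        }
    return rules


def load_rules(*rule_files):
    """Merge rule files in load order; a later rule may replace an earlier
    one with the same id only if it says overwrite="yes"."""
    merged = {}
    for xml in rule_files:
        for rid, rule in parse_rules(xml).items():
            if rid in merged and not rule["overwrite"]:
                raise ValueError(f'duplicate rule id {rid} without overwrite="yes"')
            merged[rid] = rule
    return merged


def should_email(rule, email_alert_level):
    """Per-rule options take precedence over the global threshold."""
    if "no_email_alert" in rule["options"]:
        return False
    if "alert_by_email" in rule["options"]:
        return True
    return rule["level"] >= email_alert_level


def mail_decisions(rules, email_alert_level):
    """Map every rule id to whether firing it would produce an e-mail."""
    return {rid: should_email(r, email_alert_level) for rid, r in rules.items()}


if __name__ == "__main__":
    _, mail_level = parse_alert_levels(OSSEC_CONF)
    for label, files in (("stock", (STOCK_RULES,)),
                         ("with local override", (STOCK_RULES, LOCAL_RULES))):
        rules = load_rules(*files)
        print(f"--- {label}, email_alert_level={mail_level}")
        for rid, mailed in mail_decisions(rules, mail_level).items():
            print(f"rule {rid} (level {rules[rid]['level']}): "
                  f"{'MAIL' if mailed else 'no mail'}")
```

Running it with the stock rules shows 10100 mailed at level 4 and 5715 not mailed at level 3, which is the split Warren saw; with the override loaded, 10100 stays at level 4 and is logged but no longer mailed.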
