Hi Warren,
The e-mail alert option can also be specified on a rule-by-rule basis. If you
look at your rules directory, I set the "alert_by_email" option on some rules
that are not high in severity, but are useful to receive an e-mail. It includes
ossec startup, shutdown, fts, etc. Example of rule:
<rule id="502" level="3">
  <if_sid>500</if_sid>
  <options>alert_by_email</options>
  <match>Ossec started</match>
  <description>Ossec server started.</description>
</rule>
If you want to disable this behavior, just create a local rule to override this
option:
<rule id="100024" level="3">
  <if_sid>10100</if_sid>
  <description>First time user logged in (email disabled).</description>
</rule>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
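Since a rule carrying "alert_by_email" sends mail regardless of email_alert_level, the practical check is to audit the rules directory for such rules and confirm that each one you do not want mailed has a local child rule (the if_sid override described above). The following script is an added example written for this thread, not OSSEC code: it parses rule files with the standard library, lists rules that will e-mail despite being below the configured threshold, and reports which of them a local rules file already overrides. The sample rule files are constructed for the example (ids 502 and 10100 come from the thread; 100200 and 100201 are made up). It also honours a "no_email_alert" option, which later OSSEC releases accept; treating it as suppressing mail is an assumption about the installed version.

```python
"""Audit OSSEC rule files for rules that e-mail below email_alert_level."""
import xml.etree.ElementTree as ET

# Constructed sample rule file, not a file shipped with OSSEC.
SAMPLE_RULES = """
<group name="sample">
  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
  </rule>
  <rule id="10100" level="4">
    <options>alert_by_email</options>
    <description>First time user logged in.</description>
  </rule>
  <rule id="100200" level="3">
    <description>Routine event, log only (made-up id).</description>
  </rule>
  <rule id="100201" level="10">
    <description>Serious event, e-mailed by level (made-up id).</description>
  </rule>
</group>
"""

# Constructed local rules file containing the override from the thread.
SAMPLE_LOCAL_RULES = """
<group name="local">
  <rule id="100024" level="3">
    <if_sid>10100</if_sid>
    <description>First time user logged in (email disabled).</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Return one dict per <rule>. A rule file may hold several <group>
    elements, so the text is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    rules = []
    for node in root.iter("rule"):
        # One option name per <options> element.
        options = {(o.text or "").strip() for o in node.findall("options")}
        # <if_sid> may list several parent ids separated by commas.
        if_sids = set()
        for s in node.findall("if_sid"):
            if_sids.update(p.strip() for p in (s.text or "").split(",") if p.strip())
        rules.append({
            "id": node.get("id"),
            "level": int(node.get("level", "0")),
            "options": options,
            "if_sid": if_sids,
            "description": (node.findtext("description") or "").strip(),
        })
    return rules


def will_email(rule, email_alert_level):
    """Decide whether a fired rule produces an e-mail alert.
    Assumption: "no_email_alert" suppresses mail on the installed version."""
    if "no_email_alert" in rule["options"]:
        return False
    if "alert_by_email" in rule["options"]:
        return True
    return rule["level"] >= email_alert_level


def email_exceptions(xml_text, email_alert_level):
    """Ids of rules that e-mail even though their level is below the threshold."""
    return sorted((r["id"] for r in parse_rules(xml_text)
                   if r["level"] < email_alert_level
                   and will_email(r, email_alert_level)), key=int)


def override_coverage(local_xml, target_ids):
    """Map each target id to the local child rules whose if_sid points at it.
    An empty list means no local override exists for that rule yet."""
    children = {t: [] for t in target_ids}
    for r in parse_rules(local_xml):
        for parent in r["if_sid"]:
            if parent in children:
                children[parent].append(r["id"])
    return children


if __name__ == "__main__":
    threshold = 7  # the email_alert_level from the thread
    exceptions = email_exceptions(SAMPLE_RULES, threshold)
    coverage = override_coverage(SAMPLE_LOCAL_RULES, exceptions)
    for rid in exceptions:
        state = "overridden by " + ", ".join(coverage[rid]) if coverage[rid] else "NOT overridden"
        print(f"rule {rid} e-mails below level {threshold}: {state}")
```

Run it against the real rules and local_rules.xml by reading those files into the two variables; any rule printed as "NOT overridden" is one that will keep mailing until a local child rule without alert_by_email is added for it.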
On 10/18/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
I am seeing the same behavior.
I have:
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
but I am seeing alerts as low as 3 and 4:
OSSEC HIDS Notification.
2006 Oct 15 22:02:05
Received From: ...>/var/log/secure
Rule: 10100 fired (level 4) -> "First time user logged in."
Portion of the log(s):
sshd[8064]: Accepted publickey for ... from ... port 49727 ssh2
--END OF NOTIFICATION
Any suggestions on how to limit email notifications?
Thanks,
Warren