Hi Roch,

Chris is right, some rules have additional options to enable the e-mail
alerting even though they are below the specified level. For example,
the rule to alert when OSSEC starts:

  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
  </rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net



On Jan 28, 2008 3:21 PM, Christopher <[EMAIL PROTECTED]> wrote:
> Hi Roch -
>
> The same thing happened to me, but keep in mind, some rules are set to send
> an email alert regardless of the alert level you specified for email.  For
> example, the OSSEC server startup rule, and the "unknown problem somewhere
> in the system" rule...
>
> Take a close look at the rules to see for yourself...
>
> Regards,
> Christopher
>
>
> On Jan 28, 2008 10:36 AM, Roch <[EMAIL PROTECTED]> wrote:
>
> >
> > Hi,
> >
> > When I set my ossec.conf to only email me on level 7 alerts, I still
> > get alerts from level 1 and up? Is there another setting I should be
> > checking?
> >
> > Regards,
> >
> > Roch
> >
>
>
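
To see which rules behave the way the thread describes, the rule files can be scanned for `alert_by_email` on rules whose level is below the e-mail threshold. This is an added example, not code from the thread or from the OSSEC project; the function name `forced_email_rules`, the `<group>` wrapper and rules 100001/100002 are constructed for illustration, and only rule 502 comes from the message above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: rule 502 is the one quoted in the thread; the <group>
# wrapper and the two 1000xx rules are made up for the demonstration.
SAMPLE_RULES = """
<group name="ossec,">
  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
  </rule>
  <rule id="100001" level="2">
    <match>constructed noisy event</match>
    <description>Constructed low-level rule without options.</description>
  </rule>
  <rule id="100002" level="10">
    <options>alert_by_email</options>
    <match>constructed severe event</match>
    <description>Constructed rule already above the threshold.</description>
  </rule>
</group>
"""

def forced_email_rules(rules_text, email_alert_level):
    """Return (id, level, description) for rules that e-mail below the threshold."""
    # A rules file may hold several top-level <group> elements, so wrap the
    # text in a synthetic root to parse it as a single XML document.
    root = ET.fromstring("<rules_file>" + rules_text + "</rules_file>")
    hits = []
    for rule in root.iter("rule"):
        level = int(rule.get("level", "0"))
        opts = set()
        # Collect every <options> element; tolerate comma/space separated values.
        for opt in rule.findall("options"):
            opts.update(o for o in re.split(r"[,\s]+", opt.text or "") if o)
        if "alert_by_email" in opts and level < email_alert_level:
            hits.append((rule.get("id"), level, rule.findtext("description", "")))
    return hits

if __name__ == "__main__":
    # Threshold 7 matches the e-mail level mentioned in the original question.
    for rid, level, desc in forced_email_rules(SAMPLE_RULES, 7):
        print(f"rule {rid} (level {level}) always e-mails: {desc}")
```
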
