Hi Daniel,

I'm using Ossec2mySQL to log all alerts to BASE. Snort also logs to BASE. I want to only log alerts >= 6, so that all logged alerts refer to banned IPs.

How about the <... overwrite="yes"> option?

Tnx,
Dirk

----- Original Message -----
From: "Daniel Cid" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Tuesday, 13 May 2008 19:50:51 GMT +01:00 Amsterdam / Berlin / Vienna
Subject: [ossec-list] Re: rule 502: Ossec started

Hi Dirk,

You cannot have one and not the other. If you want the email alert you will also need to have it logged (the ossec-maild daemon uses the logged information to generate the alerts).

Any reason why you don't want it logged?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sat, May 10, 2008 at 6:58 AM, Dirk Kissing <[EMAIL PROTECTED]> wrote:
>
> I want this rule not to be logged, but I do want to receive an e-mail.
>
> When I use this custom rule:
>
> <rule id="600103" level="3">
>   <if_sid>502</if_sid>
>   <options>no_log</options>
> </rule>
>
> The no_log function works, but I don't get an email. When I add
>
> <options>alert_by_email</options>
>
> the same happens.
>
> What am I doing wrong?
>
