The core of the problem seems to be <email_to>. If you don't have an <email_to> in the <global> section, ossec cannot send email to anyone. And as soon as I add an entry with <email_to> to the global section, my <email_alerts> start working.

I.e. you cannot use <email_alerts> unless you have an <email_to> in the <global> section.

Cheers
/Martin

On Jan 8, 10:30 am, "McClinton, Rick" <[email protected]> wrote:
> Sorry Martin, I'm not sure what you're running into there.
>
> I have this working in my production system: (1.6.1)
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>m...@email</email_to>
>   <smtp_server>my.server.net.</smtp_server>
>   <email_from>[email protected]</email_from>
>   <email_maxperhour>999</email_maxperhour>
> </global>
>
> <email_alerts>
>   <email_to>[email protected]</email_to>
>   <event_location>customerweb1|customerweb2</event_location>
>   <level>13</level>
> </email_alerts>
>
> It does send alerts to them on their servers based on the level. I have a
> custom rule triggering at that level for them. I don't know why I have a
> terminating . on my smtp_server.
>
> While collecting this I notice there is also this section:
> <alerts>
>   <log_alert_level>1</log_alert_level>
>   <email_alert_level>7</email_alert_level>
> </alerts>
>
> I don't know what levels you're looking at for your test messages, but you
> have '5' in your examples -- have you reduced email_alert_level to 5?
>
> HTH
> Rick McClinton
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Martin
> Sent: Wednesday, January 07, 2009 3:37 PM
> To: ossec-list
> Subject: [ossec-list] Re: Unable to send email to remote exchange server.
>
> Importance: Low
>
> Thank you both for your feedback.
> Yes, the telnet was from the same server.
> I have followed the wiki to set up granular alert notification but it
> looks like it is buggy.
> http://www.ossec.net/wiki/index.php/Know_How:GranularEmail
> This config does _not_ work: (Used in the initial post I did.)
>
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <smtp_server>dns name of server</smtp_server>
>     <email_from>[email protected]</email_from>
>     <stats>4</stats>
>     <white_list>dns name of mail server</white_list>
>     <level>5</level>
>   </global>
>   <email_alerts>
>     <email_to>my email address</email_to>
>     <level>5</level>
>     <do_not_delay />
>   </email_alerts>
>
> However, when I change the config to the following, I'm receiving
> emails.
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <smtp_server>dns name of server</smtp_server>
>     <email_from>[email protected]</email_from>
>     <stats>4</stats>
>     <white_list>dns name of mail server</white_list>
>     <email_to>My email address</email_to>
>     <level>5</level>
>   </global>
>
> I.e. Standard email setup in the global section works, but not using
> granular configuration with <email_alerts>.
> Any ideas?
> Cheers
> Martin
>
> This message contains TMA Resources confidential information and is intended
> only for the individual named. If you are not the named addressee you should
> not disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and delete
> this e-mail from your system. E-mail transmission cannot be guaranteed to be
> secure or error-free as information could be intercepted, corrupted, lost,
> destroyed, arrive late or incomplete, or contain viruses. The sender
> therefore does not accept liability for any errors or omissions in the
> contents of this message which arise as a result of e-mail transmission. If
> verification is required please request a hard-copy version.
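
Added example, not part of the thread and not OSSEC project code: a small pre-deployment check for the two conditions discussed above, an <email_alerts> block with no <email_to> in <global> (Martin's finding) and a granular <level> below <email_alert_level> (the question Rick raises). The function name check_ossec_email and the example.net sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def check_ossec_email(conf_text):
    """Return a list of findings about e-mail alerting in an ossec.conf string."""
    # ossec.conf may contain several <ossec_config> blocks; wrap them in one root.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    text = lambda el: (el.text or "").strip()
    findings = []

    global_to = [e for e in root.findall(".//global/email_to") if text(e)]
    granular = root.findall(".//email_alerts")
    floor = root.find(".//alerts/email_alert_level")

    # Condition from the thread: granular alerts stay silent without a global recipient.
    if granular and not global_to:
        findings.append("email_alerts defined but <global> has no <email_to>")

    for block in granular:
        to, level = block.find("email_to"), block.find("level")
        who = text(to) if to is not None else "(no email_to)"
        # Rick's question: is the granular level below the e-mail threshold?
        if floor is not None and level is not None:
            if int(text(level)) < int(text(floor)):
                findings.append("%s: level %s is below email_alert_level %s"
                                % (who, text(level), text(floor)))
    return findings

# Constructed sample modelled on the non-working config in the thread.
BROKEN = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>mail.example.net</smtp_server>
    <email_from>ossec@example.net</email_from>
  </global>
  <alerts><email_alert_level>7</email_alert_level></alerts>
  <email_alerts>
    <email_to>admin@example.net</email_to>
    <level>5</level>
    <do_not_delay />
  </email_alerts>
</ossec_config>
"""
# Same config with a global recipient added and the threshold lowered to 5.
FIXED = BROKEN.replace("<global>", "<global><email_to>admin@example.net</email_to>") \
              .replace(">7<", ">5<")

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_ossec_email(conf))
```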
