Hi, I have a problem with the configuration of OSSEC running in local mode. Following is an example of some of the alerts I get in my mailbox, but do not want to be alerted about:

> OSSEC HIDS Notification.
> 2010 Feb 10 03:24:55
>
> Received From: xx->/var/log/apache2/access.log
> Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
> Portion of the log(s):
>
> 67.195.112.246 - - [10/Feb/2010:03:24:54 +0100] "GET /gallery/displayimage.php?album=lastup&cat=0&pos=74 HTTP/1.0" 500 - "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
>
> --END OF NOTIFICATION

These are the (imho) relevant parts of my ossec.conf:

...
<global>
  <email_notification>yes</email_notification>
  <email_to>[email protected]</email_to>
  <smtp_server>localhost</smtp_server>
  <email_from>oss...@ossec</email_from>
</global>
...
...
<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>7</email_alert_level>
</alerts>
...

My understanding is that I should only get emails if the level is 7 or above. Am I wrong with that?

Regards
