Hi,
You are partially correct. You can also generate e-mails by using
<options>alert_by_email</options> as is the case for
rule 31122.

<rule id="31122" level="5">
  <if_sid>31120</if_sid>
  <id>^500</id>
  <options>alert_by_email</options>
  <description>Web server 500 error code (Internal Error).</description>
  <group>system_error,</group>
</rule>

You can either edit this one directly or overrule using local_rules.xml.

Cheers,
Wim
On 10 Feb 2010, at 05:44, csirt wrote:
> Hi,
> I have a problem with the configuration of ossec running in local mode.
> Following is an example of some of the alarms I get in my mailbox, but do not
> want to be alarmed about:
>
> OSSEC HIDS Notification.
> 2010 Feb 10 03:24:55
>
> Received From: xx->/var/log/apache2/access.log
> Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
> Portion of the log(s):
>
> 67.195.112.246 - - [10/Feb/2010:03:24:54 +0100] "GET
> /gallery/displayimage.php?
> album=lastup&cat=0&pos=74 HTTP/1.0" 500 - "-" "Mozilla/5.0 (compatible;
> Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp )"
>
>
>
> --END OF NOTIFICATION
>
> These are the (imho) relevant parts of my ossec.conf:
> ...
> <global>
> <email_notification>yes</email_notification>
> <email_to>[email protected]</email_to>
> <smtp_server>localhost</smtp_server>
> <email_from>oss...@ossec</email_from>
> </global>
> ...
> ...
> <alerts>
> <log_alert_level>1</log_alert_level>
> <email_alert_level>7</email_alert_level>
> </alerts>
> ...
>
> My understanding is that I should only get emails if the level is 7
> or above. Am I wrong with that?
>
> regards
>
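
Added example (not part of the original thread and not OSSEC's own code): a small Python audit that lists rules which force e-mail through alert_by_email while their level is below email_alert_level, and prints a local_rules.xml override for each. The sample rule file, its group name and rule id 100001 are constructed, and overwrite="yes" assumes an OSSEC version that supports that attribute.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample: rule 31122 as quoted in the thread, plus a made-up
# neighbour (id 100001) that does not force e-mail. Group name is assumed.
SAMPLE_RULES = """
<group name="web,accesslog,">
  <rule id="31122" level="5">
    <if_sid>31120</if_sid>
    <id>^500</id>
    <options>alert_by_email</options>
    <description>Web server 500 error code (Internal Error).</description>
    <group>system_error,</group>
  </rule>
  <rule id="100001" level="5">
    <if_sid>31120</if_sid>
    <id>^501</id>
    <description>Constructed rule without forced e-mail.</description>
  </rule>
</group>
"""

def _is_forced(opt):
    return (opt.text or "").strip() == "alert_by_email"

def forced_email_rules(rules_xml, email_alert_level):
    """Rules that mail via alert_by_email despite a level below the threshold."""
    # OSSEC rule files may hold several top-level <group> elements, so wrap
    # the text in a dummy root before parsing.
    root = ET.fromstring("<root>" + rules_xml + "</root>")
    return [r for r in root.iter("rule")
            if int(r.get("level")) < email_alert_level
            and any(_is_forced(o) for o in r.findall("options"))]

def local_override(rule):
    """Copy of the rule for local_rules.xml: overwrite="yes", no alert_by_email."""
    new = copy.deepcopy(rule)
    new.set("overwrite", "yes")  # assumption: this OSSEC version supports overwrite
    for opt in [o for o in new.findall("options") if _is_forced(o)]:
        new.remove(opt)
    return ET.tostring(new, encoding="unicode").strip()

if __name__ == "__main__":
    for rule in forced_email_rules(SAMPLE_RULES, email_alert_level=7):
        print(local_override(rule))
```

The printed stanza goes inside a <group> element in local_rules.xml.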