Hi, sorry, but my problem is that I do not want to get any e-mail with a level lower than 7. At the moment I get all alerts, regardless of the level.
regards

2010/2/10 Wim Remes <[email protected]>

> Hi,
>
> you are partially correct. You can also generate e-mails by using
> <options>alert_by_email</options> as is the case for
> rule 31122.
>
> <rule id="31122" level="5">
>   <if_sid>31120</if_sid>
>   <id>^500</id>
>   <options>alert_by_email</options>
>   <description>Web server 500 error code (Internal Error).</description>
>   <group>system_error,</group>
> </rule>
>
> you can either edit this one directly or overrule using local_rules.xml
>
> Cheers,
>
> Wim
>
> On 10 Feb 2010, at 05:44, csirt wrote:
>
> Hi,
> I have a problem with the configuration of ossec running in local mode.
> Following is an example of some of the alarms I get in my mailbox, but do
> not want to be alarmed about:
>
> OSSEC HIDS Notification.
>> 2010 Feb 10 03:24:55
>>
>> Received From: xx->/var/log/apache2/access.log
>> Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal
>> Error)."
>> Portion of the log(s):
>>
>> 67.195.112.246 - - [10/Feb/2010:03:24:54 +0100] "GET
>> /gallery/displayimage.php?
>> album=lastup&cat=0&pos=74 HTTP/1.0" 500 - "-" "Mozilla/5.0 (compatible;
>> Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp
>>
>> )"
>>
>> --END OF NOTIFICATION
>
> These are the (imho) relevant parts of my ossec.conf:
> ...
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>[email protected]</email_to>
>   <smtp_server>localhost</smtp_server>
>   <email_from>oss...@ossec</email_from>
> </global>
> ...
> ...
> <alerts>
>   <log_alert_level>1</log_alert_level>
>   <email_alert_level>7</email_alert_level>
> </alerts>
> ...
>
> My understanding is that I should only get emails if the level is 7
> or above. Am I wrong with that?
>
> regards
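An added example (not part of the original thread and not OSSEC project code): a small Python audit that lists rules carrying `<options>alert_by_email</options>` with a level below `email_alert_level`, the combination that makes rule 31122 send mail at level 5. The function name and the rules with ids 100001 and 100002 are constructed for illustration; rule 31122 is copied from the quoted reply.

```python
import xml.etree.ElementTree as ET

# Constructed sample: rule 31122 as quoted in the thread, plus two made-up
# rules (ids 100001, 100002) for contrast.
SAMPLE_RULES = """
<group name="web,accesslog,">
  <rule id="31122" level="5">
    <if_sid>31120</if_sid>
    <id>^500</id>
    <options>alert_by_email</options>
    <description>Web server 500 error code (Internal Error).</description>
    <group>system_error,</group>
  </rule>
  <rule id="100001" level="3">
    <description>Constructed low-level rule without e-mail option.</description>
  </rule>
</group>
<group name="local,">
  <rule id="100002" level="10">
    <options>alert_by_email</options>
    <description>Constructed rule already above the threshold.</description>
  </rule>
</group>
"""


def forced_email_rules(rules_xml, email_alert_level):
    """Return (id, level, description) for rules that e-mail below the threshold."""
    # Rule files hold several top-level <group> elements, so wrap them in a
    # synthetic root to get a single well-formed document for the parser.
    root = ET.fromstring("<root>" + rules_xml + "</root>")
    hits = []
    for rule in root.iter("rule"):
        level = int(rule.get("level", "0"))
        options = {(o.text or "").strip() for o in rule.findall("options")}
        if "alert_by_email" in options and level < email_alert_level:
            desc = (rule.findtext("description") or "").strip()
            hits.append((rule.get("id"), level, desc))
    return hits


if __name__ == "__main__":
    # Threshold 7 matches <email_alert_level>7</email_alert_level> in the thread.
    for rule_id, level, desc in forced_email_rules(SAMPLE_RULES, 7):
        print(f"rule {rule_id} (level {level}) e-mails regardless: {desc}")
```

To check a real installation, pass the contents of each rules file and the configured `email_alert_level` to `forced_email_rules`.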
