Do you really get ALL alerts? The example Wim posted is not the only rule
that has a level below 7 but nonetheless forces an e-mail alert; there are
others, e.g. rule 1002.

Make sure you really get e-mails for alerts triggered by rules that do not
contain <options>alert_by_email</options> and have a severity lower than 7.

If you don't find one, then the problem is already described by Wim, and if
you are really sure you don't want to get any emails for alerts < 7 you can just
remove every line containing <options>alert_by_email</options> from the rule
files located in Ossecdir/rules/. However, this might not be the best idea,
because you might miss stuff that can possibly mean trouble but is more
often not so relevant, as with rule 1002.
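
One way to do the check suggested above, listing every rule that carries <options>alert_by_email</options> while its level is below the configured <email_alert_level>. This is an added Python example, not code from the thread or from OSSEC; the sample rule text is constructed from rule 31122 as quoted below, and rule id 99902 is invented.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
# Constructed sample: rule 31122 is quoted in the thread; 99902 is invented.
SAMPLE_RULES = """\
<group name="web,accesslog,">
  <rule id="31122" level="5">
    <if_sid>31120</if_sid>
    <id>^500</id>
    <options>alert_by_email</options>
    <description>Web server 500 error code (Internal Error).</description>
    <group>system_error,</group>
  </rule>
</group>
<group name="syslog,">
  <rule id="99902" level="10">
    <options>alert_by_email</options>
    <description>Already above the threshold (constructed).</description>
  </rule>
</group>
"""

def forced_email_rules(rules_xml, email_alert_level=7):
    """(id, level, description) of rules carrying alert_by_email although
    their level is below <email_alert_level>: these still mail you."""
    # A rules file holds several top-level <group> elements, so it is not a
    # single XML document; wrap it in a synthetic root before parsing.
    root = ET.fromstring("<rules>" + rules_xml + "</rules>")
    hits = []
    for rule in root.iter("rule"):
        level = int(rule.get("level", "0"))
        options = {opt.strip() for elem in rule.findall("options")
                   if elem.text for opt in elem.text.split(",")}
        if level < email_alert_level and "alert_by_email" in options:
            desc = (rule.findtext("description") or "").strip()
            hits.append((rule.get("id"), level, desc))
    return hits

def scan_rules_dir(rules_dir, email_alert_level=7):
    """Run the check over every *.xml file in an OSSEC rules directory.
    Files the strict parser rejects are listed under "unparsed"."""
    report = {"unparsed": []}
    for path in sorted(Path(rules_dir).glob("*.xml")):
        try:
            hits = forced_email_rules(path.read_text(), email_alert_level)
        except ET.ParseError:
            report["unparsed"].append(path.name)
            continue
        if hits:
            report[path.name] = hits
    return report
```

Point scan_rules_dir at Ossecdir/rules/ to see which rules will keep mailing you below the threshold; any file listed under "unparsed" has to be checked by hand, since OSSEC's own parser is more lenient than Python's.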



On Thu, Feb 11, 2010 at 10:42 AM, csirt <[email protected]> wrote:

> Hi,
> sorry, but my problem is that I do not want to get any e-mail with a level
> lower than 7.
> At the moment I get all alerts, regardless of the level.
>
> regards
>
> 2010/2/10 Wim Remes <[email protected]>
>
>> Hi,
>>
>> you are partially correct.  You can also generate e-mails by using
>> <options>alert_by_email</options> as is the case for
>> rule 31122.
>>
>> <rule id="31122" level="5">
>>     <if_sid>31120</if_sid>
>>     <id>^500</id>
>>     <options>alert_by_email</options>
>>     <description>Web server 500 error code (Internal Error).</description>
>>     <group>system_error,</group>
>>   </rule>
>>
>> you can either edit this one directly or overrule using local_rules.xml
>>
>> Cheers,
>>
>> Wim
>>
>> On 10 Feb 2010, at 05:44, csirt wrote:
>>
>> Hi,
>> I have a problem with the configuration of OSSEC running in local mode.
>> Following is an example of some of the alarms I get in my mailbox, but do
>> not want to be alarmed about:
>>
>>> OSSEC HIDS Notification.
>>> 2010 Feb 10 03:24:55
>>>
>>> Received From: xx->/var/log/apache2/access.log
>>> Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal
>>> Error)."
>>> Portion of the log(s):
>>>
>>> 67.195.112.246 - - [10/Feb/2010:03:24:54 +0100] "GET /gallery/displayimage.php?album=lastup&cat=0&pos=74 HTTP/1.0" 500 - "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
>>>
>>>
>>>
>>>  --END OF NOTIFICATION
>>>
>>
>> These are the (imho) relevant parts of my ossec.conf:
>> ...
>>  <global>
>>     <email_notification>yes</email_notification>
>>     <email_to>[email protected]</email_to>
>>     <smtp_server>localhost</smtp_server>
>>     <email_from>oss...@ossec</email_from>
>>   </global>
>> ...
>> ...
>> <alerts>
>>     <log_alert_level>1</log_alert_level>
>>     <email_alert_level>7</email_alert_level>
>>   </alerts>
>> ...
>>
>> My understanding is that I should only get emails if the level is
>> 7 or above. Am I wrong about that?
>>
>> regards
>>
>>
>>
>
