Hi,
I think the following should work to only receive one e-mail per hour for
alerts of severity between 5 and 9:
1) Think about the minimal alert level that you would like to be emailed
about within an hour. Default would be 7 in addition to the rules that have
an <options>alert_by_email</options> tag, like e.g. rule 1002. If you want
that value to be lower, like in your case 5, configure that in your
ossec.conf in the <email_alert_level> section.
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>5</email_alert_level>
</alerts>
2) Add the following statement in your ossec.conf <global> section next to
the <email_from> line:
<email_maxperhour>1</email_maxperhour>
This means that the global e-mail notification system will only send out one
e-mail per hour, that means it collects all alerts that would generate an
e-mail until the end of the hour, compiles them into one e-mail and then
sends it.
3) Choose an alert level that you want to be informed about immediately, in
your case 10, and add the following lines in your ossec.conf (*not* within
the <global> section, but as a separate section within <ossec_config>):
<email_alerts>
<email_to>[email protected]</email_to>
<level>10</level>
<do_not_delay />
<do_not_group />
</email_alerts>
Cf. http://www.ossec.net/wiki/Know_How:GranularEmail for more details and
further configuration options of granular email notification. For
information about other configuration options in ossec.conf, cf.
http://www.ossec.net/main/manual/configuration-options/
This leads to the following outcome:
- you get one e-mail an hour (<email_maxperhour>1</email_maxperhour>) with
all alerts of severity 5-16 (<email_alert_level>5</email_alert_level>;
unfortunately there is no upper boundary for severity that can be set for
e-mail notifications to only get 5-9)
- you get one (<do_not_group />) e-mail for every alert of level 10 and
higher immediately (<do_not_delay />)
Can't try this out atm but should work. This is the way to do it without
cron jobs imo. Unfortunately this leads to receiving alerts of level 10+ two
times.
On Thu, Feb 11, 2010 at 5:47 PM, Stam <[email protected]> wrote:
> Hello, I am new to ossec and since I notice I get a huge amount of mails
> with alert reports I was wondering if ossec has the following
> capability built in: to configure it to send a single email with all
> alerts from wanted rules in a time range (i.e. day/week) instead of a
> single mail for every alert (except level 10 alerts which I want to be
> informed about immediately).
> I can think of one solution: to disable alert_by_email or set it to
> send only level 10 alerts and form cron jobs with linux commands like
> here : http://www.ossec.net/dcid/?p=153 .
> I just want all alerts between i.e. level 5 - level 9 to be queued and
> mailed in a single mail message every day and level 10 alerts to be
> mailed immediately. Are there any other solutions/suggestions?
>
> Thanks in advance
>
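As an added example (not from this list or the OSSEC project), the following script parses the three settings discussed in the reply out of an ossec.conf fragment and reports how an alert of a given level would reach the inbox, which makes the double delivery of level 10+ alerts visible. It assumes the documented defaults of 7 for email_alert_level and 12 for email_maxperhour, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample reproducing the settings from the reply; not a real file.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <email_from>ossec@example.invalid</email_from>
    <email_maxperhour>1</email_maxperhour>
  </global>
  <alerts>
    <email_alert_level>5</email_alert_level>
  </alerts>
</ossec_config>
<ossec_config>
  <email_alerts>
    <email_to>admin@example.invalid</email_to>
    <level>10</level>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>
"""

def parse_ossec_conf(text):
    # ossec.conf may hold several top-level <ossec_config> blocks, so it is not
    # one well-formed XML document; wrap it in a synthetic root before parsing.
    return ET.fromstring("<root>" + text + "</root>")

def email_policy(text):
    """Extract the digest threshold, hourly cap and immediate granular rules."""
    root = parse_ossec_conf(text)
    # Assumed defaults: email_alert_level 7, email_maxperhour 12 (OSSEC docs).
    digest_level = int(root.findtext("./ossec_config/alerts/email_alert_level", "7"))
    max_per_hour = int(root.findtext("./ossec_config/global/email_maxperhour", "12"))
    immediate = sorted(
        int(ea.findtext("level", "0"))
        for ea in root.iterfind("./ossec_config/email_alerts")
        if ea.find("do_not_delay") is not None
    )
    return {"digest_level": digest_level, "max_per_hour": max_per_hour,
            "immediate_levels": immediate}

def delivery_for(level, policy):
    """Routes an alert of this level takes: 'digest', 'immediate', both or neither."""
    routes = set()
    if level >= policy["digest_level"]:
        routes.add("digest")        # batched, at most max_per_hour mails per hour
    if any(level >= lv for lv in policy["immediate_levels"]):
        routes.add("immediate")     # do_not_delay granular <email_alerts> section
    return routes                   # both present => the double delivery noted above
```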