Hi Oscar,

That's a great way to work around this issue and should work fine. Another suggestion would be to enable alerting only for the levels 10 and above and configure a cron script to run daily sending the others...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Feb 12, 2010 at 8:59 AM, oscar schneider <[email protected]> wrote:
> Hi,
>
> I think the following should work to only receive one e-mail per hour for
> alerts of severity between 5 and 9:
>
> 1) Think about the minimal alert level that you would like to be emailed
> about within an hour. Default would be 7 in addition to the rules that have
> an <options>alert_by_email</options> tag, like e.g. rule 1002. If you want
> that value to be lower, like in your case 5, configure that in your
> ossec.conf in the <email_alert_level> section.
> <alerts>
> <log_alert_level>1</log_alert_level>
> <email_alert_level>5</email_alert_level>
> </alerts>
>
> 2) Add the following statement in your ossec.conf <global> section next to
> the <email_from> line:
> <email_maxperhour>1</email_maxperhour>
> This means that the global e-mail notification system will only send out one
> e-mail per hour, that means it collects all alerts that would generate an
> e-mail until the end of the hour, compiles them into one e-mail and then
> sends it.
>
> 3) Choose an alert level that you want to be informed about immediately, in
> your case 10, and add the following lines in your ossec.conf (not within the
> <global> section, but as a separate section within <ossec_config>):
>
> <email_alerts>
> <email_to>[email protected]</email_to>
> <level>10</level>
> <do_not_delay />
> <do_not_group />
> </email_alerts>
>
> C.f. http://www.ossec.net/wiki/Know_How:GranularEmail for more details and
> further configuration options of granular email notification. For
> information about other configuration options in ossec.conf, c.f.
> http://www.ossec.net/main/manual/configuration-options/
>
> This leads to the following outcome:
> - you get one e-mail an hour (<email_maxperhour>1</email_maxperhour>) with
> all alerts of severity 5-16 (<email_alert_level>5</email_alert_level>,
> unfortunately there is no upper boundary for severity that can be set for
> e-mail notifications to only get 5-9)
> - you get one (<do_not_group />) e-mail for every alert of level 10 and
> higher immediately (<do_not_delay />)
>
> Can't try this out atm but should work. This is the way to do it without
> cron jobs imo. Unfortunately this leads to receiving alerts of level 10+ two
> times.
>
>
>
> On Thu, Feb 11, 2010 at 5:47 PM, Stam <[email protected]> wrote:
>>
>> Hello, I am new to ossec and since I notice I get a huge amount of mails
>> with alert reports I was wondering if ossec has the following
>> capability built in: to configure it to send a single email with all
>> alerts from wanted rules in a time range (ie day/week) instead of a
>> single mail for every alert (except level 10 alerts which I want to be
>> informed about immediately).
>> I can think of one solution: to disable alert_by_email or set it to
>> send only level 10 alerts and form cron jobs with linux commands like
>> here: http://www.ossec.net/dcid/?p=153 .
>> I just want all alerts between ie level 5 - level 9 to be queued and
>> mailed in a single mail message every day and level 10 alerts to be
>> mailed immediately. Are there any other solutions/suggestions?
>>
>> Thanks in advance
>
>
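Putting Oscar's three steps together, here is the complete ossec.conf fragment they describe, as an added example that is not part of the thread and not taken from the OSSEC project's own documentation. The SMTP host, sender address and recipient addresses are placeholders (example.com); the element names are the ones quoted in the thread plus the standard <email_notification>, <smtp_server> and <email_from> settings that have to be present for any mail to go out at all. Because <email_alert_level> has no upper bound, a level-10 alert still lands in the hourly digest as well as in the immediate message, which is the duplication Oscar points out.

```xml
<ossec_config>
  <global>
    <!-- Mail delivery must be on, or neither the digest nor the
         granular <email_alerts> below will ever be sent. -->
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.com</smtp_server>      <!-- placeholder -->
    <email_from>ossec@example.com</email_from>       <!-- placeholder -->
    <email_to>secops@example.com</email_to>          <!-- placeholder -->

    <!-- Step 2: throttle the global notifier to one message per hour.
         Alerts that would have been mailed are collected and sent
         together when the hour is up. -->
    <email_maxperhour>1</email_maxperhour>
  </global>

  <alerts>
    <!-- Everything from level 1 up is still written to alerts.log. -->
    <log_alert_level>1</log_alert_level>
    <!-- Step 1: lower the mail threshold from the default 7 to 5.
         There is no upper bound, so this covers levels 5 to 16. -->
    <email_alert_level>5</email_alert_level>
  </alerts>

  <!-- Step 3: a separate granular rule for the alerts that must not wait.
       Level 10 and above are sent at once (do_not_delay), one message
       per alert (do_not_group). These alerts also appear in the hourly
       digest, since <email_alert_level> cannot exclude them. -->
  <email_alerts>
    <email_to>oncall@example.com</email_to>          <!-- placeholder -->
    <level>10</level>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>
```

After editing, restart the manager (for example with `/var/ossec/bin/ossec-control restart`) so ossec-maild picks up the new settings; the granular <email_alerts> block is evaluated in addition to, not instead of, the global <alerts> threshold.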
