So even if I set up the <email_alert> to specifically trigger when a certain rule is hit, if that rule isn't over level 7, it won't fire? Because doesn't <email_alert> also have a <level> flag? It seems <email_alert> should be independent of the standard <alert> level...?
On Sat, Oct 23, 2010 at 7:12 AM, Jason 'XenoPhage' Frisvold <[email protected]> wrote:

> On Oct 23, 2010, at 1:38 AM, jplee3 wrote:
> > I have a couple questions:
> >
> > 1) Is there a way to suppress the body of the OSSEC log so that it
> > doesn't necessarily appear in the email? I'm setting up alerting via
> > SMS but the long log messages cause the SMS to get cut off.
>
> There is an sms format option you can use, though I'm not sure what it does
> to the message, exactly. You can find info here:
>
> http://www.ossec.net/doc/manual/output/granular-email-output.html
>
> > 2) Do the "<alert>" levels in the ossec.conf affect whether emails go
> > out if using the "<email_alert>" option? I have the alert levels set
> > to the default (1=log and 7=email). I was testing out one of the rules
> > and set the alert level to "6" and no emails were sent when it
> > tripped. I changed it to alert level "10" and got an email doing that
> > though. My understanding was that the email_alert option should be
> > independent of the <alert> setting.
>
> The email setting determines what level alerts are sent via email. So, the
> default setting of 7 means that an alert of level 7 or more is sent via
> email. This is why your level 6 alert did not get emailed. It should have
> ended up in the log, however.
>
> > TIA!
>
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
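For reference, here is an added configuration example (editor's illustration, not something posted in the thread) that puts Jason's explanation side by side with the sms-format option from the linked granular e-mail page. The `<alerts>` values are OSSEC's defaults; the rule id 100010, the `local,` group, the recipient address and the parent rule chosen via `<if_sid>` are placeholders chosen for the example. The `alert_by_email` rule option is a standard OSSEC rule option and is the usual way to get a below-threshold rule mailed without raising the global level.

```xml
<!-- ossec.conf fragment (example). OSSEC defaults: level >= 1 is written to
     alerts.log, level >= 7 is additionally e-mailed. A level-6 rule therefore
     logs but never mails, which is exactly what the original poster observed. -->
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Granular recipient: rule 100010 goes to a pager/SMS gateway in the
       short "sms" format so the full log body is not appended. The global
       email_alert_level still applies to what reaches this block. -->
  <email_alerts>
    <email_to>oncall-sms@example.org</email_to>
    <rule_id>100010</rule_id>
    <format>sms</format>
  </email_alerts>
</ossec_config>

<!-- local_rules.xml fragment (example). Level 6 stays below the default
     e-mail threshold; the alert_by_email option tells the mail daemon to send
     it anyway, which is the per-rule override the first post is asking for.
     Rule 5716 (sshd authentication failure) is used here only as a parent. -->
<group name="local,">
  <rule id="100010" level="6">
    <if_sid>5716</if_sid>
    <options>alert_by_email</options>
    <description>Example: SSH auth failure, mailed despite level 6</description>
  </rule>
</group>
```

After editing either file, restart OSSEC (`/var/ossec/bin/ossec-control restart`) and trigger the parent event; the entry should appear in `/var/ossec/logs/alerts/alerts.log` in both cases, and an e-mail should arrive only when either the level meets `email_alert_level` or the rule carries `alert_by_email`.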
