On Sat, Oct 23, 2010 at 1:52 PM, Jeremy Lee <[email protected]> wrote:
> So even if I set up the <email_alert> to specifically trigger when a
> certain rule is hit, if that rule isn't over level 7, it won't fire? Because
> doesn't <email_alert> also have a <level> flag? It seems <email_alert>
> should be independent of standard <alert> level...?
>

What <email_alert> option are you talking about? Please paste the
configuration you're talking about.

For individual rules you can define <options>alert_by_email</options>.
This will make OSSEC always send an email for that alert.

http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7

> On Sat, Oct 23, 2010 at 7:12 AM, Jason 'XenoPhage' Frisvold
> <[email protected]> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Oct 23, 2010, at 1:38 AM, jplee3 wrote:
>> > I have a couple questions:
>> >
>> > 1) Is there a way to suppress the body of the OSSEC log so that it
>> > doesn't necessarily appear in the email? I'm setting up alerting via
>> > SMS but the long log messages cause the SMS to get cut off.
>>
>> There is an sms format option you can use, though I'm not sure what it
>> does to the message, exactly. You can find info here:
>>
>> http://www.ossec.net/doc/manual/output/granular-email-output.html
>>
>> > 2) Do the "<alert>" levels in the ossec.conf affect whether emails go
>> > out if using the "<email_alert>" option? I have the alert levels set
>> > to the default (1=log and 7=email). I was testing out one of the rules
>> > and set the alert level to "6" and no emails were sent when it
>> > tripped. I changed it to alert level "10" and got an email doing that
>> > though. My understanding was that the email_alert option should be
>> > independent of the <alert> setting.
>>
>> The email setting determines what level alerts are sent via email. So,
>> the default setting of 7 means that an alert of level 7 or more is sent via
>> email. This is why your level 6 alert did not get emailed. It should have
>> ended up in the log, however.
>>
>> > TIA!
>>
>> - ---------------------------
>> Jason 'XenoPhage' Frisvold
>> [email protected]
>> - ---------------------------
>> "Any sufficiently advanced magic is indistinguishable from technology."
>> - - Niven's Inverse of Clarke's Third Law
>>
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
>>
>> iEYEARECAAYFAkzC7U8ACgkQ8CjzPZyTUTSO/ACfUqTWMfD0RhZFsCwTzLjg1fzF
>> V9AAnikOD8eviR/DyB6TsxFQUtsROVLf
>> =YPmH
>> -----END PGP SIGNATURE-----
>
>
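
The settings discussed in this thread, laid out as an added configuration sketch that is not part of the original messages: the default <alerts> thresholds (1 = log, 7 = email), a level 6 rule that uses <options>alert_by_email</options> so it is mailed despite being below 7, and a granular <email_alerts> entry using the sms format. The rule id 100001, the match string and the pager address are constructed for illustration.

```xml
<!-- ossec.conf (fragment): global thresholds as described in the thread -->
<ossec_config>
  <alerts>
    <!-- alerts at or above this level are written to the alert log -->
    <log_alert_level>1</log_alert_level>
    <!-- alerts at or above this level are e-mailed; a level 6 rule is
         logged but not mailed unless the rule itself overrides this -->
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- granular e-mail output: extra recipient for one rule, short format -->
  <email_alerts>
    <email_to>pager@example.com</email_to>  <!-- constructed address -->
    <rule_id>100001</rule_id>               <!-- constructed rule id -->
    <format>sms</format>                    <!-- compact message for SMS gateways -->
  </email_alerts>
</ossec_config>

<!-- local_rules.xml (fragment): per-rule override -->
<group name="local,">
  <rule id="100001" level="6">
    <match>constructed-test-string</match>  <!-- constructed match -->
    <description>Example rule below the e-mail threshold</description>
    <!-- always send an e-mail for this rule, regardless of email_alert_level -->
    <options>alert_by_email</options>
  </rule>
</group>
```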
