Here's the config in ossec.conf:
<email_alerts>
<email_to>[email protected]</email_to>
<rule_id>100043</rule_id>
<format>sms</format>
<do_not_delay />
<do_not_group />
</email_alerts>
From local rules.xml:
<rule id="100043" level="6">
<if_sid>100040</if_sid>
<match>010105011000</match>
<description>Arming alarm</description>
</rule>
TIA!
On Sat, Oct 23, 2010 at 1:46 PM, dan (ddp) <[email protected]> wrote:
> On Sat, Oct 23, 2010 at 1:52 PM, Jeremy Lee <[email protected]> wrote:
> > So even if I set up the <email_alert> to specifically trigger when a
> > certain rule is hit, if that rule isn't over level 7, it won't fire? Because
> > doesn't <email_alert> also have a <level> flag? It seems <email_alert>
> > should be independent of standard <alert> level...?
> >
>
> What <email_alert> option are you talking about? Please paste the
> configuration you're talking about.
>
> For individual rules you can define <options>alert_by_email</options>.
> This will make OSSEC always send an email for that alert.
> http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7
>
> > On Sat, Oct 23, 2010 at 7:12 AM, Jason 'XenoPhage' Frisvold
> > <[email protected]> wrote:
> >>
> >> On Oct 23, 2010, at 1:38 AM, jplee3 wrote:
> >> > I have a couple questions:
> >> >
> >> > 1) Is there a way to suppress the body of the OSSEC log so that it
> >> > doesn't necessarily appear in the email? I'm setting up alerting via
> >> > SMS but the long log messages causes the SMS to get cut off.
> >>
> >> There is an sms format option you can use, though I'm not sure what it
> >> does to the message, exactly. You can find info here :
> >>
> >> http://www.ossec.net/doc/manual/output/granular-email-output.html
> >>
> >> > 2) Do the "<alert>" levels in the ossec.conf affect whether emails go
> >> > out if using the "<email_alert>" option? I have the alert levels set
> >> > to the default (1=log and 7=email). I was testing out one of the rules
> >> > and set the alert level to "6" and no emails were sent when it
> >> > tripped. I changed it to alert level "10" and got an email doing that
> >> > though. My understanding was that the email_alert option should be
> >> > independent of the <alert> setting.
> >>
> >> The email setting determines what level alerts are sent via email. So,
> >> the default setting of 7 means that an alert of level 7 or more is sent via
> >> email. This is why your level 6 alert did not get emailed. It should have
> >> ended up in the log, however.
> >>
> >> > TIA!
> >>
> >> - ---------------------------
> >> Jason 'XenoPhage' Frisvold
> >> [email protected]
> >> - ---------------------------
> >> "Any sufficiently advanced magic is indistinguishable from technology."
> >> - - Niven's Inverse of Clarke's Third Law
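The thread describes two things that decide whether an OSSEC alert reaches email: the global email_alert_level threshold (7 by default, so the level-6 rule above was logged but not mailed), and the per-rule <options>alert_by_email</options> that dan points to, which forces an email regardless of level. The Python below is an added example, not code from the thread or from OSSEC itself: it parses the poster's ossec.conf <email_alerts> block and local rule 100043 (reproduced here as constructed samples, with a placeholder address) and models that decision so the before/after can be checked side by side. It assumes, consistent with the poster's observation that the rule_id entry alone did not fire at level 6, that a granular <email_alerts> entry only selects recipient and format and does not lower the global gate; treat that as a model of what the thread reports, not a statement about OSSEC's source.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's ossec.conf snippet.
# The address is a placeholder, not the poster's.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>sms-gateway@example.invalid</email_to>
    <rule_id>100043</rule_id>
    <format>sms</format>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>"""


def rule_xml(level, alert_by_email=False):
    """Return the thread's local rule 100043 at the given level, optionally
    carrying the <options>alert_by_email</options> that dan suggested."""
    options = "  <options>alert_by_email</options>\n" if alert_by_email else ""
    return f"""<group name="local,">
<rule id="100043" level="{level}">
  <if_sid>100040</if_sid>
  <match>010105011000</match>
{options}  <description>Arming alarm</description>
</rule>
</group>"""


def parse_rules(xml_text):
    """Map rule id -> {id, level, options} for every <rule> in a rules file."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        opts = {o.text.strip() for o in r.findall("options") if o.text}
        rules[r.get("id")] = {"id": r.get("id"), "level": int(r.get("level")), "options": opts}
    return rules


def parse_conf(xml_text):
    """Pull the global email threshold and the granular <email_alerts> entries."""
    root = ET.fromstring(xml_text)
    threshold = int(root.findtext("alerts/email_alert_level", default="7"))
    granular = []
    for ea in root.findall("email_alerts"):
        ids = (ea.findtext("rule_id") or "").split(",")
        granular.append({
            "to": ea.findtext("email_to"),
            "rule_ids": {x.strip() for x in ids if x.strip()},  # empty set = any rule
            "format": ea.findtext("format", default="full"),
        })
    return {"threshold": threshold, "granular": granular}


def email_decision(rule, conf):
    """Model of the behaviour the thread describes (not OSSEC's source):
    alert_by_email forces an email; otherwise the alert must reach the global
    email_alert_level. Assumption (matches the poster's observation): a granular
    <email_alerts> entry picks recipient/format but does not lower that gate.
    Returns None when no email is sent."""
    forced = "alert_by_email" in rule["options"]
    if not forced and rule["level"] < conf["threshold"]:
        return None
    for entry in conf["granular"]:
        if not entry["rule_ids"] or rule["id"] in entry["rule_ids"]:
            return {"to": entry["to"], "format": entry["format"], "forced": forced}
    # No granular match: the model hands the alert to the global <email_to>.
    return {"to": None, "format": "full", "forced": forced}


if __name__ == "__main__":
    conf = parse_conf(OSSEC_CONF)
    for level, forced in ((6, False), (6, True), (10, False)):
        rule = parse_rules(rule_xml(level, forced))["100043"]
        print(f"level={level} alert_by_email={forced}: {email_decision(rule, conf)}")
```

Running it shows the three situations from the thread: level 6 without the option yields no email, level 6 with alert_by_email is routed to the sms-format recipient, and level 10 is mailed purely on the threshold. Because the rule_id match is only consulted after the gate, the fix for the poster's setup is the rule-side option, not a change to the <email_alerts> block.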