On Sat, Oct 23, 2010 at 10:42 PM, Jeremy Lee <[email protected]> wrote:
> Here's the config in ossec.conf:
>
> <email_alerts>
>   <email_to>[email protected]</email_to>
>   <rule_id>100043</rule_id>
>   <format>sms</format>
>   <do_not_delay />
>   <do_not_group />
> </email_alerts>
>

I don't know if <rule_id> is valid there:
http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html

> From local rules.xml:
> <rule id="100043" level="6">
>   <if_sid>100040</if_sid>
>   <match>010105011000</match>
>   <description>Arming alarm</description>
> </rule>
>
> TIA!
>
>
> On Sat, Oct 23, 2010 at 1:46 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Sat, Oct 23, 2010 at 1:52 PM, Jeremy Lee <[email protected]> wrote:
>> > So even if I set up the <email_alert> to specifically trigger when a
>> > certain rule is hit, if that rule isn't over level 7, it won't fire? Because
>> > doesn't <email_alert> also have a <level> flag? It seems <email_alert>
>> > should be independent of standard <alert> level...?
>> >
>>
>> What <email_alert> option are you talking about? Please paste the
>> configuration you're talking about.
>>
>> For individual rules you can define <options>alert_by_email</options>.
>> This will make OSSEC always send an email for that alert.
>> http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7
>>
>> > On Sat, Oct 23, 2010 at 7:12 AM, Jason 'XenoPhage' Frisvold
>> > <[email protected]> wrote:
>> >>
>> >> On Oct 23, 2010, at 1:38 AM, jplee3 wrote:
>> >> > I have a couple questions:
>> >> >
>> >> > 1) Is there a way to suppress the body of the OSSEC log so that it
>> >> > doesn't necessarily appear in the email? I'm setting up alerting via
>> >> > SMS but the long log messages cause the SMS to get cut off.
>> >>
>> >> There is an sms format option you can use, though I'm not sure what it
>> >> does to the message, exactly. You can find info here:
>> >>
>> >> http://www.ossec.net/doc/manual/output/granular-email-output.html
>> >>
>> >> > 2) Do the "<alert>" levels in the ossec.conf affect whether emails go
>> >> > out if using the "<email_alert>" option? I have the alert levels set
>> >> > to the default (1=log and 7=email). I was testing out one of the rules
>> >> > and set the alert level to "6" and no emails were sent when it
>> >> > tripped. I changed it to alert level "10" and got an email doing that
>> >> > though. My understanding was that the email_alert option should be
>> >> > independent of the <alert> setting.
>> >>
>> >> The email setting determines what level alerts are sent via email. So,
>> >> the default setting of 7 means that an alert of level 7 or more is sent
>> >> via email. This is why your level 6 alert did not get emailed. It should
>> >> have ended up in the log, however.
>> >>
>> >> > TIA!
>> >>
>> >> ---------------------------
>> >> Jason 'XenoPhage' Frisvold
>> >> [email protected]
>> >> ---------------------------
>> >> "Any sufficiently advanced magic is indistinguishable from technology."
>> >> - Niven's Inverse of Clarke's Third Law
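As an added check (my code, not OSSEC's and not anyone's in the thread), a small Python lint that reads the two fragments under discussion and reports, for each rule a granular <email_alerts> block names, whether it clears the global email level, is forced by alert_by_email as dan suggests, or sits in the gap Jeremy hit. The <alerts>/<email_alert_level> tag names are OSSEC's actual spelling of the "<alert>" setting the thread refers to, the sample contents are constructed, and whether <rule_id> is honoured inside <email_alerts> is left open, exactly as the thread leaves it.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (not a real deployment): the default alert levels
# from the thread (1 = log, 7 = email) and two granular <email_alerts> blocks.
OSSEC_CONF = """
<ossec_config>
  <alerts><log_alert_level>1</log_alert_level><email_alert_level>7</email_alert_level></alerts>
</ossec_config>
<ossec_config>
  <email_alerts><email_to>[email protected]</email_to><rule_id>100043</rule_id>
    <format>sms</format><do_not_delay /><do_not_group /></email_alerts>
  <email_alerts><email_to>[email protected]</email_to><rule_id>100044</rule_id></email_alerts>
</ossec_config>
"""

# Constructed local_rules.xml: rule 100043 at level 6 as posted, plus a sibling rule
# at the same level that carries the alert_by_email option dan suggested.
LOCAL_RULES = """
<group name="local,">
  <rule id="100043" level="6"><if_sid>100040</if_sid><match>010105011000</match>
    <description>Arming alarm</description></rule>
  <rule id="100044" level="6"><if_sid>100040</if_sid><options>alert_by_email</options>
    <description>Disarming alarm</description></rule>
</group>
"""

def parse_multi_root(text):
    # Both files may hold several top-level elements, which ElementTree rejects; wrap them.
    return ET.fromstring("<wrap>" + text + "</wrap>")

def email_status(ossec_conf, local_rules):
    """Classify each rule id named in <email_alerts> as 'level' (clears email_alert_level),
    'alert_by_email' (forced per rule) or 'below_threshold' (the case that produced no mail)."""
    conf = parse_multi_root(ossec_conf)
    threshold = int(conf.findtext(".//alerts/email_alert_level", default="7"))
    wanted = {e.text.strip() for e in conf.iterfind(".//email_alerts/rule_id")}
    status = {}
    for rule in parse_multi_root(local_rules).iter("rule"):
        rid = rule.get("id")
        if rid not in wanted:
            continue
        options = {o.text.strip() for o in rule.findall("options") if o.text}
        if int(rule.get("level", "0")) >= threshold:
            status[rid] = "level"
        elif "alert_by_email" in options:
            status[rid] = "alert_by_email"
        else:
            status[rid] = "below_threshold"
    return status

RESULT = email_status(OSSEC_CONF, LOCAL_RULES)  # {'100043': 'below_threshold', '100044': 'alert_by_email'}
```

Point the two constants at real files to run it against a deployment; anything reported as below_threshold is a rule whose email depends on a granular option the thread could not confirm.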
