It shows it is here: http://www.ossec.net/wiki/Know_How:GranularEmail

example:

<email_alerts>
  <email_to>[email protected]</email_to>
  <rule_id>123, 124</rule_id>
  <do_not_delay />
  <do_not_group />
</email_alerts>

Was that a mistake in the older doc?

BTW: is there a way to get OSSEC to log/email alerts in a specific time window (i.e. between 8am-5pm)?

Thanks!

On Sat, Oct 23, 2010 at 8:18 PM, dan (ddp) <[email protected]> wrote:
> On Sat, Oct 23, 2010 at 10:42 PM, Jeremy Lee <[email protected]> wrote:
> > Here's the config in ossec.conf:
> >
> > <email_alerts>
> >   <email_to>[email protected]</email_to>
> >   <rule_id>100043</rule_id>
> >   <format>sms</format>
> >   <do_not_delay />
> >   <do_not_group />
> > </email_alerts>
> >
>
> I don't know if <rule_id> is valid there:
> http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html
>
> > From local_rules.xml:
> >
> > <rule id="100043" level="6">
> >   <if_sid>100040</if_sid>
> >   <match>010105011000</match>
> >   <description>Arming alarm</description>
> > </rule>
> >
> > TIA!
> >
> >
> > On Sat, Oct 23, 2010 at 1:46 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Sat, Oct 23, 2010 at 1:52 PM, Jeremy Lee <[email protected]> wrote:
> >> > So even if I set up the <email_alert> to specifically trigger when a
> >> > certain rule is hit, if that rule isn't over level 7, it won't fire?
> >> > Because doesn't <email_alert> also have a <level> flag? It seems
> >> > <email_alert> should be independent of the standard <alert> level...?
> >> >
> >>
> >> What <email_alert> option are you talking about? Please paste the
> >> configuration you're talking about.
> >>
> >> For individual rules you can define <options>alert_by_email</options>.
> >> This will make OSSEC always send an email for that alert.
> >> http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7
> >>
> >> > On Sat, Oct 23, 2010 at 7:12 AM, Jason 'XenoPhage' Frisvold
> >> > <[email protected]> wrote:
> >> >>
> >> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> >> Hash: SHA1
> >> >>
> >> >> On Oct 23, 2010, at 1:38 AM, jplee3 wrote:
> >> >> > I have a couple questions:
> >> >> >
> >> >> > 1) Is there a way to suppress the body of the OSSEC log so that it
> >> >> > doesn't necessarily appear in the email? I'm setting up alerting via
> >> >> > SMS but the long log messages cause the SMS to get cut off.
> >> >>
> >> >> There is an sms format option you can use, though I'm not sure what it
> >> >> does to the message, exactly. You can find info here:
> >> >>
> >> >> http://www.ossec.net/doc/manual/output/granular-email-output.html
> >> >>
> >> >> > 2) Do the "<alert>" levels in the ossec.conf affect whether emails go
> >> >> > out if using the "<email_alert>" option? I have the alert levels set
> >> >> > to the default (1=log and 7=email). I was testing out one of the rules
> >> >> > and set the alert level to "6" and no emails were sent when it
> >> >> > tripped. I changed it to alert level "10" and got an email doing that
> >> >> > though. My understanding was that the email_alert option should be
> >> >> > independent of the <alert> setting.
> >> >>
> >> >> The email setting determines what level alerts are sent via email. So,
> >> >> the default setting of 7 means that an alert of level 7 or more is sent
> >> >> via email. This is why your level 6 alert did not get emailed. It should
> >> >> have ended up in the log, however.
> >> >>
> >> >> > TIA!
> >> >>
> >> >> - ---------------------------
> >> >> Jason 'XenoPhage' Frisvold
> >> >> [email protected]
> >> >> - ---------------------------
> >> >> "Any sufficiently advanced magic is indistinguishable from technology."
> >> >> - - Niven's Inverse of Clarke's Third Law
> >> >>
> >> >> -----BEGIN PGP SIGNATURE-----
> >> >> Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
> >> >>
> >> >> iEYEARECAAYFAkzC7U8ACgkQ8CjzPZyTUTSO/ACfUqTWMfD0RhZFsCwTzLjg1fzF
> >> >> V9AAnikOD8eviR/DyB6TsxFQUtsROVLf
> >> >> =YPmH
> >> >> -----END PGP SIGNATURE-----
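Putting the two answers in the thread together (the global email threshold explained by Jason, and the per-rule alert_by_email option pointed out by dan), the following is an added example of the resulting configuration. It is not config posted in the thread or taken from the OSSEC documentation; the rule id 100043, its parent 100040, the match string and the destination address are reused from the thread, and the SMTP settings in <global> are placeholder assumptions.

```xml
<!-- ossec.conf (assumed SMTP values). With the default thresholds a
     level 6 alert is written to the log (6 >= 1) but is NOT e-mailed
     (6 < 7), which is exactly what the thread observed. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@localhost</email_from>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Granular delivery for the one rule: short sms format, sent
       immediately and not grouped with other alerts. -->
  <email_alerts>
    <email_to>[email protected]</email_to>
    <rule_id>100043</rule_id>
    <format>sms</format>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>

<!-- local_rules.xml: the rule stays at level 6; alert_by_email is the
     per-rule override that makes OSSEC mail it regardless of
     email_alert_level. Parent rule 100040 is assumed to be defined
     elsewhere in local_rules.xml. -->
<group name="local,">
  <rule id="100043" level="6">
    <if_sid>100040</if_sid>
    <match>010105011000</match>
    <description>Arming alarm</description>
    <options>alert_by_email</options>
  </rule>
</group>
```

The point to take from the thread is the division of labour: the <email_alerts> block only decides where and in what format a matching alert is delivered, and on its own it did not get the level 6 rule past the global threshold; the <options>alert_by_email</options> line on the rule is what forces the e-mail out below level 7. Keep the level at 6 rather than bumping it to 10, so the alert's severity in the logs still reflects what the event means.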
