Looks like an oversight in the new documentation. Thanks for bringing it up.
Try setting <level>6</level> in your email_alerts section.

On Sat, Oct 23, 2010 at 11:27 PM, Jeremy Lee <[email protected]> wrote:
> It shows it is here:
> http://www.ossec.net/wiki/Know_How:GranularEmail
>
> example:
>
> <email_alerts>
>   <email_to>[email protected]</email_to>
>   <rule_id>123, 124</rule_id>
>   <do_not_delay />
>   <do_not_group />
> </email_alerts>
>
> Was that a mistake in the older doc?
>
> BTW: is there a way to get OSSEC to log/email alerts in a specific time
> window (i.e. between 8am-5pm)?
>
> Thanks!
>
> On Sat, Oct 23, 2010 at 8:18 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Sat, Oct 23, 2010 at 10:42 PM, Jeremy Lee <[email protected]> wrote:
>> > Here's the config in ossec.conf:
>> >
>> > <email_alerts>
>> >   <email_to>[email protected]</email_to>
>> >   <rule_id>100043</rule_id>
>> >   <format>sms</format>
>> >   <do_not_delay />
>> >   <do_not_group />
>> > </email_alerts>
>> >
>>
>> I don't know if <rule_id> is valid there:
>> http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html
>>
>> > From local rules.xml:
>> > <rule id="100043" level="6">
>> >   <if_sid>100040</if_sid>
>> >   <match>010105011000</match>
>> >   <description>Arming alarm</description>
>> > </rule>
>> >
>> > TIA!
>> >
>> >
>> > On Sat, Oct 23, 2010 at 1:46 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Sat, Oct 23, 2010 at 1:52 PM, Jeremy Lee <[email protected]> wrote:
>> >> > So even if I set up the <email_alert> to specifically trigger when
>> >> > a certain rule is hit, if that rule isn't over level 7, it won't fire?
>> >> > Because doesn't <email_alert> also have a <level> flag? It seems
>> >> > <email_alert> should be independent of the standard <alert> level...?
>> >> >
>> >>
>> >> What <email_alert> option are you talking about? Please paste the
>> >> configuration you're talking about.
>> >>
>> >> For individual rules you can define <options>alert_by_email</options>.
>> >> This will make OSSEC always send an email for that alert.
>> >> http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7
>> >>
>> >> > On Sat, Oct 23, 2010 at 7:12 AM, Jason 'XenoPhage' Frisvold
>> >> > <[email protected]> wrote:
>> >> >>
>> >> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> >> Hash: SHA1
>> >> >>
>> >> >> On Oct 23, 2010, at 1:38 AM, jplee3 wrote:
>> >> >> > I have a couple questions:
>> >> >> >
>> >> >> > 1) Is there a way to suppress the body of the OSSEC log so that it
>> >> >> > doesn't necessarily appear in the email? I'm setting up alerting via
>> >> >> > SMS but the long log messages cause the SMS to get cut off.
>> >> >>
>> >> >> There is an sms format option you can use, though I'm not sure what it
>> >> >> does to the message, exactly. You can find info here:
>> >> >>
>> >> >> http://www.ossec.net/doc/manual/output/granular-email-output.html
>> >> >>
>> >> >> > 2) Do the "<alert>" levels in the ossec.conf affect whether emails go
>> >> >> > out if using the "<email_alert>" option? I have the alert levels set
>> >> >> > to the default (1=log and 7=email). I was testing out one of the rules
>> >> >> > and set the alert level to "6" and no emails were sent when it
>> >> >> > tripped. I changed it to alert level "10" and got an email doing that
>> >> >> > though. My understanding was that the email_alert option should be
>> >> >> > independent of the <alert> setting.
>> >> >>
>> >> >> The email setting determines what level alerts are sent via email. So,
>> >> >> the default setting of 7 means that an alert of level 7 or more is sent
>> >> >> via email. This is why your level 6 alert did not get emailed. It should
>> >> >> have ended up in the log, however.
>> >> >>
>> >> >> > TIA!
>> >> >>
>> >> >> - ---------------------------
>> >> >> Jason 'XenoPhage' Frisvold
>> >> >> [email protected]
>> >> >> - ---------------------------
>> >> >> "Any sufficiently advanced magic is indistinguishable from
>> >> >> technology."
>> >> >> - - Niven's Inverse of Clarke's Third Law
>> >> >>
>> >> >> -----BEGIN PGP SIGNATURE-----
>> >> >> Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
>> >> >>
>> >> >> iEYEARECAAYFAkzC7U8ACgkQ8CjzPZyTUTSO/ACfUqTWMfD0RhZFsCwTzLjg1fzF
>> >> >> V9AAnikOD8eviR/DyB6TsxFQUtsROVLf
>> >> >> =YPmH
>> >> >> -----END PGP SIGNATURE-----
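A worked configuration, added here as an illustration and not taken from any message in the thread, that puts the two suggestions made above side by side: a granular email_alerts block with <level>6</level> for the recipient (dan's reply) and the alert_by_email option on the local rule (the Know_How:Email_Alerts_below_7 approach). The rule id, SIDs, match string, address and sms format are the ones quoted in the thread; the global <alerts> thresholds are the defaults the thread mentions (1 = log, 7 = email). The <time> element is an assumption about how the unanswered 8am-5pm question could be handled with OSSEC's rule-level time range; it is not something the thread confirms.

```xml
<!-- File 1 (assumed path): ossec.conf -->
<ossec_config>
  <!-- Global thresholds, as the thread describes the defaults:
       level 1 and up is logged, level 7 and up is emailed. -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Granular block from the thread. The added <level>6</level> is dan's
       suggestion so that the level-6 rule 100043 qualifies for this
       recipient; <format>sms</format> keeps the body short for a gateway. -->
  <email_alerts>
    <email_to>[email protected]</email_to>
    <level>6</level>
    <rule_id>100043</rule_id>
    <format>sms</format>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>

<!-- File 2 (assumed path): rules/local_rules.xml -->
<group name="local,">
  <!-- The rule quoted in the thread, plus alert_by_email so OSSEC always
       emails this alert regardless of the global email_alert_level. -->
  <rule id="100043" level="6">
    <if_sid>100040</if_sid>
    <match>010105011000</match>
    <options>alert_by_email</options>
    <!-- Assumption: OSSEC's <time> rule element restricts the rule to a
         time of day; the thread asked about an 8am-5pm window but did not
         answer it, so treat this line as an untested suggestion. -->
    <time>8 am - 5 pm</time>
    <description>Arming alarm</description>
  </rule>
</group>
```

Either change on its own is enough to test the thread's point: lower the per-recipient <level> and leave the rule alone, or keep the default thresholds and rely on alert_by_email. Using both at once makes it hard to tell which one produced the email, so enable one, trigger the rule, and check alerts.log before adding the other.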
