On Mon, Oct 25, 2010 at 4:46 PM, Jeremy Lee <[email protected]> wrote:
> I just tested <weekday>weekday</weekday> and it threw an error upon
> restarting OSSEC. I tried with "weekdays" and it seemed to go through fine.
> I'm testing out a rule now. I guess I'll leave "weekdays" in and post
> another update if there are no alerts on the weekend!
>

Please let us know. I'll make a note to try and check the source tomorrow.

> On Mon, Oct 25, 2010 at 1:41 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Mon, Oct 25, 2010 at 4:31 PM, Jeremy Lee <[email protected]> wrote:
>> > Never mind, I think that's it... one question on the "<weekday>" flag
>> > though.
>> > What parameter would I use for the actual weekdays? Just "weekday" or
>> > "weekdays"? In the example, it lists specific days and "weekends"
>> >
>>
>> It looks like "weekday":
>> http://www.ossec.net/doc/syntax/head_rules.html#element-group.rule.weekday
>> I'd have to check the source to get more information.
>>
>>
>> > On Mon, Oct 25, 2010 at 1:21 PM, Jeremy Lee <[email protected]> wrote:
>> >>
>> >> Thanks Dan... btw, is the option to have a rule fire at a specific time
>> >> just "<time>" within the rule ID itself?
>> >>
>> >> http://www.mail-archive.com/[email protected]/msg07544.html
>> >>
>> >>
>> >>
>> >>
>> >> On Sun, Oct 24, 2010 at 1:09 PM, dan (ddp) <[email protected]> wrote:
>> >>>
>> >>> On Sat, Oct 23, 2010 at 11:27 PM, Jeremy Lee <[email protected]> wrote:
>> >>> > It shows it is here:
>> >>> > http://www.ossec.net/wiki/Know_How:GranularEmail
>> >>> >
>> >>> > example:
>> >>> >
>> >>> >  <email_alerts>
>> >>> >    <email_to>[email protected]</email_to>
>> >>> >    <rule_id>123, 124</rule_id>
>> >>> >    <do_not_delay />
>> >>> >    <do_not_group />
>> >>> >  </email_alerts>
>> >>> >
>> >>> > Was that a mistake in the older doc?
>> >>> >
>> >>> > BTW: is there a way to get OSSEC to log/email alerts in a specific
>> >>> > time
>> >>> > window (i.e. between 8am-5pm) ?
>> >>> >
>> >>>
>> >>> In my other email I meant set <email_alert_level> to a lower number to
>> >>> see if that helps. It looks like analysisd only compares the rule's
>> >>> level to <email_alert_level> to decide whether to send out an email or
>> >>> not. I'm going to ask for confirmation before updating the docs with
>> >>> this information.
>> >>>
>> >>> I don't see an option to email during a certain time, but there are
>> >>> options for the rules to only fire during certain times.
>> >>
>> >
>> >
>
>
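
The approach discussed in this thread (no time option for e-mail itself, so time-box a rule and e-mail on that rule's ID), written out as an added example that is not part of the original messages. The rule ID 100100, the parent rule 5715, the level and the address are assumptions chosen for illustration, and "weekdays" is the value reported above as accepted on restart.

```xml
<!-- local_rules.xml: child rule that only fires inside the time window.
     Assumption: 5715 is the stock sshd "authentication success" rule;
     substitute the rule you want to time-box. 100100 is a constructed
     local rule ID. -->
<group name="local,time_window,">
  <rule id="100100" level="10">
    <if_sid>5715</if_sid>
    <!-- Event must have been generated between 8am and 5pm ... -->
    <time>8 am - 5 pm</time>
    <!-- ... and on Monday through Friday. -->
    <weekday>weekdays</weekday>
    <description>sshd login during weekday business hours</description>
  </rule>
</group>

<!-- ossec.conf: granular e-mail keyed on the time-boxed rule only,
     same layout as the email_alerts block quoted in the thread.
     soc@example.com is a constructed address. -->
<ossec_config>
  <email_alerts>
    <email_to>soc@example.com</email_to>
    <rule_id>100100</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>
```

Whether the e-mail is actually sent also depends on how the rule's level compares with `<email_alert_level>`, which is the open question in the thread.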
