Hi,
I want to get reports for some specific groups of alerts, so I've set
up the following in the ossec.conf
  <email_alerts>
    <email_to>[email protected]</email_to>
    <group>attack|automatic_attack|authentification_failure|exploit_attempt</group>
    <do_not_delay />
    <do_not_group />
  </email_alerts>

  <email_alerts>
    <email_to>[email protected]</email_to>
    <group>sshd</group>
    <level>10</level>
    <do_not_delay />
    <do_not_group />
  </email_alerts>

  <!-- A web attack returned code 200 (success). -->
  <email_alerts>
    <email_to>[email protected]</email_to>
    <rule_id>31106</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
But testing it with an SQL injection from the attack group did not
send me any emails.
- Normal email notifications are received, so it's not a mail server
misconfiguration.
- I also tried commas instead of ORs in the first one, but that didn't
bring any success either.
Can you please tell me what I am doing wrong? The documentation is
quite vague.
Regards,
Lenz Weber