Hi,
I want to get reports for some specific groups of alerts, so I've set
up the following in the ossec.conf

        <email_alerts>
                <email_to>[email protected]</email_to>
                <group>attack|automatic_attack|authentification_failure|exploit_attempt</group>
                <do_not_delay />
                <do_not_group />
        </email_alerts>
        <email_alerts>
                <email_to>[email protected]</email_to>
                <group>sshd</group>
                <level>10</level>
                <do_not_delay />
                <do_not_group />
        </email_alerts>
        <!-- A web attack returned code 200 (success). -->
        <email_alerts>
                <email_to>[email protected]</email_to>
                <rule_id>31106</rule_id>
                <do_not_delay />
                <do_not_group />
        </email_alerts>

But testing it with an SQL injection from the attack group did not
send me any emails.
- Normal email notifications are received, so it's not a mail server
misconfiguration.
- I also tried commas instead of ORs in the first one, but that didn't
bring any success either.

Can you please tell me what I am doing wrong? The documentation is
quite vague.

Regards,
Lenz Weber

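The following is an added example, not code from the post above or from the OSSEC project. It models how OSSEC decides which granular `<email_alerts>` recipients receive an alert, as the example's author understands ossec-maild (treat that reading as an assumption and check it against the version you run): an alert is only handed to the mailer when its rule level reaches the global `<alerts><email_alert_level>` or the rule carries the `alert_by_email` option, and only then are the granular blocks matched, with `<group>` treated as an OSMatch-style pattern in which `|` separates alternatives and a comma is literal. The addresses are placeholders and the sample alerts, including their rule ids and levels, are constructed for the example.

```python
"""Model of how OSSEC picks e-mail recipients for an alert (added example).

Assumed two-stage behaviour (check against your ossec-maild version):
  1. an alert reaches the mailer only if its rule level is at or above the
     global <alerts><email_alert_level> (default 7) or the rule has the
     alert_by_email option; a granular <email_alerts> block cannot lower
     that bar;
  2. each granular block is then matched: <group> as an OSMatch-style
     pattern ('|' = alternation, each alternative a substring match against
     the alert's comma-separated group list), <level> as a minimum level,
     <rule_id> as an exact id.
Addresses, rule ids and levels below are constructed sample data.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed ossec.conf fragment mirroring the post's three granular blocks,
# with placeholder addresses and the default email_alert_level.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>attacks@example.org</email_to>
    <group>attack|automatic_attack|authentification_failure|exploit_attempt</group>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
  <email_alerts>
    <email_to>sshd@example.org</email_to>
    <group>sshd</group>
    <level>10</level>
  </email_alerts>
  <email_alerts>
    <email_to>webattack@example.org</email_to>
    <rule_id>31106</rule_id>
  </email_alerts>
</ossec_config>"""


@dataclass
class GranularRule:
    email_to: str
    group: Optional[str] = None
    level: Optional[int] = None
    rule_id: Optional[str] = None


@dataclass
class Alert:
    rule_id: str
    level: int
    groups: List[str]
    alert_by_email: bool = False   # rule has <options>alert_by_email</options>


def parse_conf(xml_text: str):
    """Return (email_alert_level, [GranularRule, ...]) from an ossec.conf fragment."""
    root = ET.fromstring(xml_text)
    email_level = int(root.findtext("alerts/email_alert_level", default="7"))
    rules = []
    for node in root.findall("email_alerts"):
        level = node.findtext("level")
        rules.append(GranularRule(
            email_to=node.findtext("email_to").strip(),
            group=(node.findtext("group") or "").strip() or None,
            level=int(level) if level else None,
            rule_id=(node.findtext("rule_id") or "").strip() or None,
        ))
    return email_level, rules


def osmatch(pattern: str, text: str) -> bool:
    """OSMatch-style test: '|' separates alternatives, each a substring match.
    A comma is literal, so 'attack,automatic_attack' only matches a group list
    containing that exact string, which no alert's group list does."""
    return any(alt and alt in text for alt in pattern.split("|"))


def recipients_for(alert: Alert, email_level: int, granular: List[GranularRule]) -> Set[str]:
    """Return the granular recipients that would be e-mailed for this alert."""
    # Stage 1: below the global threshold (and without alert_by_email) the alert
    # is never flagged for mail, so no granular block can match it.
    if alert.level < email_level and not alert.alert_by_email:
        return set()
    group_list = ",".join(alert.groups) + ","   # alerts.log style: trailing comma
    matched: Set[str] = set()
    for rule in granular:                       # Stage 2: granular matching
        if rule.level is not None and alert.level < rule.level:
            continue
        if rule.rule_id is not None and alert.rule_id != rule.rule_id:
            continue
        if rule.group is not None and not osmatch(rule.group, group_list):
            continue
        matched.add(rule.email_to)
    return matched


EMAIL_LEVEL, GRANULAR = parse_conf(OSSEC_CONF)

# Constructed alerts shaped like OSSEC web and sshd rules; the levels are part
# of the sample, so check your own rule files rather than trusting them.
SAMPLE_ALERTS = [
    Alert("31103", 6, ["web", "accesslog", "attack", "sql_injection"]),
    Alert("31106", 12, ["web", "accesslog", "attack"]),
    Alert("5712", 10, ["syslog", "sshd", "authentication_failures", "automatic_attack"]),
    Alert("5716", 5, ["syslog", "sshd", "authentication_failed"]),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        who = recipients_for(a, EMAIL_LEVEL, GRANULAR)
        print(f"rule {a.rule_id:>5} level {a.level:>2}: {sorted(who) or 'no e-mail'}")
```

Under these assumptions the constructed SQL-injection alert (level 6, in the `attack` group) produces no mail at all, while the level 12 web-attack alert reaches both the group-based and the rule_id-based recipient. The first thing to check on a real box is therefore the level of the rule that fired against `email_alert_level` in `<alerts>`; if it is below the threshold, raise the rule's level, give the rule the `alert_by_email` option, or lower the global threshold, since a granular block alone does not pull the alert through.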