Try it with 1 group per <group>.
On Mon, Apr 11, 2011 at 9:47 PM, Lenz Weber <[email protected]> wrote:
> Hi,
> I want to get reports for some specific groups of alerts, so I've set
> up the following in the ossec.conf
>
> <email_alerts>
> <email_to>[email protected]</email_to>
> <group>attack|automatic_attack|
> authentification_failure|exploit_attempt</group>
> <do_not_delay />
> <do_not_group />
> </email_alerts>
> <email_alerts>
> <email_to>[email protected]</email_to>
> <group>sshd</group>
> <level>10</level>
> <do_not_delay />
> <do_not_group />
> </email_alerts>
> <!-- A web attack returned code 200 (success). -->
> <email_alerts>
> <email_to>[email protected]</email_to>
> <rule_id>31106</rule_id>
> <do_not_delay />
> <do_not_group />
> </email_alerts>
>
> But testing it with an SQL injection from the attack group did not
> send me any emails.
> - Normal email notifications are received so it's not a mailserver
> misconfiguration.
> - I also tried commas instead of ORs in the first, but that didn't
> bring any success as well.
>
> Can you please tell me what I am doing wrong? The documentation is
> quite vague.
>
> Regards,
> Lenz Weber
