Found my error:
email_alerts just filters mail that would be sent anyway (and adds
additional recipients) - if no mail would be sent to the main email
address, email_alerts will not send any as well.
I solved this by sending all alerts above 6 to a local user that pipes
his email into /bin/true.
The | as OR works just fine.
I hope this helps somebody.
On 12.04.2011 03:53, dan (ddp) wrote:
Try it with 1 group per <group>.
On Mon, Apr 11, 2011 at 9:47 PM, Lenz Weber <[email protected]> wrote:
Hi,
I want to get reports for some specific groups of alerts, so I've set
up the following in the ossec.conf
<email_alerts>
<email_to>[email protected]</email_to>
<group>attack|automatic_attack|
authentification_failure|exploit_attempt</group>
<do_not_delay />
<do_not_group />
</email_alerts>
<email_alerts>
<email_to>[email protected]</email_to>
<group>sshd</group>
<level>10</level>
<do_not_delay />
<do_not_group />
</email_alerts>
<!-- A web attack returned code 200 (success). -->
<email_alerts>
<email_to>[email protected]</email_to>
<rule_id>31106</rule_id>
<do_not_delay />
<do_not_group />
</email_alerts>
But testing it with an SQL injection from the attack group did not
send me any emails.
- Normal email notifications are received, so it's not a mailserver
misconfiguration.
- I also tried commas instead of ORs in the first, but that didn't
bring any success either.
Can you please tell me what I am doing wrong? The documentation is
quite vague.
Regards,
Lenz Weber
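The behaviour Lenz describes in his reply (granular email_alerts only add recipients to alerts that already clear the global email_alert_level, and never send on their own) modelled in Python as an added example; this is not OSSEC's code, and the threshold values, the sink address and the sample alert are constructed assumptions:

```python
# Added model of the mail-routing rule described in the thread (not OSSEC code):
# an alert is e-mailed only if its level clears the global email_alert_level;
# the granular <email_alerts> blocks merely add recipients to such alerts.
from dataclasses import dataclass, field


@dataclass
class Alert:
    rule_id: int
    level: int
    groups: set


@dataclass
class EmailAlerts:                       # one <email_alerts> block
    email_to: str
    group: set = field(default_factory=set)
    level: int = 0                       # <level> is a minimum, 0 = unset
    rule_id: int = 0                     # 0 = unset


def parse_groups(text):
    """'attack|exploit_attempt' in <group> is an OR list, as the thread confirms."""
    return {g.strip() for g in text.split("|") if g.strip()}


def granular_matches(block, alert):
    if block.rule_id and block.rule_id != alert.rule_id:
        return False
    if block.level and alert.level < block.level:
        return False
    if block.group and not (block.group & alert.groups):
        return False
    return True


def recipients(alert, email_alert_level, main_email, blocks):
    """Addresses that receive this alert. Empty set = no mail at all."""
    if alert.level < email_alert_level:
        return set()                     # granular blocks never get a chance
    to = {main_email}
    for b in blocks:
        if granular_matches(b, alert):
            to.add(b.email_to)
    return to


# Constructed sample: the group block from the question, plus a level-6 alert
# in the "attack" group (rule id and level are made up for the example).
BLOCKS = [EmailAlerts("[email protected]",
                      parse_groups("attack|automatic_attack|authentification_failure|exploit_attempt"))]
SQLI = Alert(rule_id=999001, level=6, groups={"web", "attack"})
BEFORE = recipients(SQLI, 7, "[email protected]", BLOCKS)      # threshold 7: nothing sent
AFTER = recipients(SQLI, 1, "null-sink@localhost", BLOCKS)  # lowered threshold, sink as main
```

With the global threshold above the alert's level, BEFORE is empty even though the group block matches; after lowering it and pointing the main address at a local sink, the alert reaches the intended recipient.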