I don't receive any email alerts for anything in the "active_response" group. The rules are triggered correctly because they are logged to logs/alerts/alerts.log. However no emails go out.
I restated the rules and that did not work either. That problem has its own post: http://groups.google.com/group/ossec-list/browse_thread/thread/24f6a1bb56500378/e759c17b28e458c3. I restated the rules and added the option to email_alerts, but upon testing with ossec-logtest, the built-in rules are still being triggered. The only way I've been able to make my local rules work in place of the built-in ones was to comment out rules 600-606, which isn't exactly ideal, but it works.

Thanks
- Trey

On Jun 26, 9:27 am, Jason Frisvold <[email protected]> wrote:
> On Jun 21, 2011, at 11:12 PM, treydock wrote:
>
>> Is the purpose of the granular email options to specify additional
>> contacts, or can it also be used to override the global
>> "email_alert_level"?
>
> From what I understand, it's only to modify the addresses to which alerts
> are sent.
>
>> I have the "email_alert_level" set to 7, however I'd like to receive
>> notifications on particular alerts below level 7. Will the
>> <email_alerts> specific options be able to override that?
>
> Nope. Though if there are only a few lower level alerts you want, you can
> override those alerts and tell them to always send mail.
>
>> I have found that this is not working in 2.6-beta
>>
>> <email_alerts>
>> <email_to>treydock@xxxxx</email_to>
>> <group>active_response</group>
>> </email_alerts>
>
> What's not working about it?
>
>> Would the alternative be to override all the active_response rules and
>> add the <options>alert_by_email</options>? This leads me to another
>> question...when overriding built in rules using local_rules.xml should
>> the entire rule be re-stated or can I simply put in the parts I'd like
>> to override and they will be merged with the built-in rules?
>
> You re-state the entire rule. That way you can add/remove as necessary.
>
>> Thanks
>> - Trey
>
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
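Added example, not taken from the thread or from the OSSEC project's own files: the two configuration fragments this exchange is about, side by side. The ossec.conf part is the granular block Trey posted, which (as Jason says) only selects recipients and does not lower the global email_alert_level. The local_rules.xml part shows the pattern Jason describes, restating a built-in rule in full and adding alert_by_email, together with the overwrite="yes" attribute OSSEC uses to make a local copy supersede the stock rule rather than coexist with it. The e-mail addresses, SMTP server and the decoded_as/match/description fields of the restated rule are assumptions for illustration; copy the real values from your own ossec_rules.xml when you restate a rule.

```xml
<!-- ossec.conf (fragment). Granular <email_alerts> chooses who gets mail for a
     group; it does not change which alerts are mailed. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>            <!-- assumed address -->
    <smtp_server>127.0.0.1</smtp_server>                 <!-- assumed server -->
    <email_from>[email protected]</email_from>      <!-- assumed address -->
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>   <!-- level-3 active_response rules fall below this -->
  </alerts>

  <email_alerts>
    <email_to>[email protected]</email_to>           <!-- assumed address -->
    <group>active_response</group>
  </email_alerts>
</ossec_config>

<!-- local_rules.xml (fragment). A restated rule replaces the original in full,
     so every element you want to keep must be repeated here. overwrite="yes"
     tells ossec-analysisd that this copy supersedes rule 600 from
     ossec_rules.xml; without it both definitions are loaded, which is how
     the stock rule can keep firing in ossec-logtest. alert_by_email forces an
     e-mail for this rule regardless of email_alert_level. -->
<group name="local,active_response,">
  <rule id="600" level="3" overwrite="yes">
    <decoded_as>ar_log</decoded_as>                     <!-- assumed: copy from the stock rule -->
    <match>firewall-drop.sh - add</match>               <!-- assumed: copy from the stock rule -->
    <description>Host blocked by firewall-drop.sh active response</description>
    <options>alert_by_email</options>
    <group>active_response,</group>
  </rule>
  <!-- repeat the same pattern for 601-606 -->
</group>
```

To check the result before restarting, feed a matching active-response log line to /var/ossec/bin/ossec-logtest and confirm that exactly one rule id 600 fires and that its output lists alert_by_email among the options; if two rule 600 entries fire, the overwrite attribute did not take effect. Then restart with /var/ossec/bin/ossec-control restart, since ossec-analysisd and ossec-maild only read their configuration at startup.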
