On Nov 29, 2011 8:52 AM, "Dimitris Chontzopoulos" <[email protected]> wrote:
>
> Hey guys,
>
> I was wondering if you guys could help me out with some questions I have regarding OSSEC...
>
> Q1. Even though I've changed 'maild.groupping=1' to 'maild.groupping=0' in the configuration file "internal_options.conf" and
> restarted OSSEC, I keep getting grouped events via e-mail. Any ideas what I'm missing? In my opinion, alerts should be sent out
> (emailed) and logged one-by-one and not 'bulk' because we'll lose the plot sooner or later.

Does this happen at the beginning of the hour? Try upping your max emails per hour, the default is kind of low.

> Q2. Is there a reason why not every single alert is written in the Database [MySQL] and/or written in the logs? I thought that
> <alerts>
> <log_alert_level>1</log_alert_level>
> <email_alert_level>3</email_alert_level>
> </alerts>
> actually means 'log everything with alert level 1 and above and notify via e-mail for everything with alert level 3 and above'! Am
> I missing something?

What isn't getting logged? You seem to understand the config, although I don't use the mysql support.

> Q3. Is there a way to import alerts/logs from OSSEC log/alert files into its Database? Because of poor administration on
> my behalf (hey, I'm not a Linux/OSSEC/MySQL Guru, sorry), a lot of logs/alerts are in log-format and not inside the Database and I
> was wondering if there's a tool or something I could do, in order to get those events (import them) in the Database.

Nope, but if you write one please share :-)

> Q4. Regarding the Database Structure, is there documentation available so as to be able to create our Custom Reports in MySQL, or
> even better, export the data in our Datawarehouse System and create the Custom Reports over there? I mean, how are the links working
> inside the DB and how is the information organized/categorized inside the DB, so as to know which table(s) contain which piece of
> information I could combine in order to come up with a report?
>
> More questions to come :-)
>
> Your help is very much appreciated guys because I'm on the verge of losing my mind in the effort of trying to 'make' the OSSEC
> installation we have to suit our Enterprise.
>
> Dimitris
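As an added example (not code from this thread or from the OSSEC project), here is the parsing half of the importer Q3 asks about: it turns alerts.log text into one flat record per alert and filters by level the way <log_alert_level> does. The sample alerts are constructed, the alerts.log layout is assumed from memory of the format rather than taken from the thread, and the MySQL insert is left out because the schema Q4 asks about is not described here.

```python
import re
# Constructed sample in the layout of OSSEC's alerts.log (layout assumed, not quoted from the thread).
SAMPLE_ALERTS = """\
** Alert 1322554800.12345: mail  - syslog,sshd,authentication_failed,
2011 Nov 29 08:52:00 (webserver) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.23
User: root
Nov 29 08:51:59 webserver sshd[4242]: Failed password for root from 198.51.100.23 port 50110 ssh2

** Alert 1322554860.12400: - ossec,
2011 Nov 29 08:53:00 monitor->ossec-logcollector
Rule: 591 (level 3) -> 'Log file rotated.'
ossec: File rotated (inode changed): '/var/log/messages'.
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+):\s*(mail)?\s*- (.*?),?$")
LOCATION_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (.*)->(.*)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    """Turn alerts.log text into one flat dict per alert; a blank line ends each alert."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.split("\n")
        head, loc, rule = (HEADER_RE.match(lines[0]), LOCATION_RE.match(lines[1]),
                           RULE_RE.match(lines[2]))
        if not (head and loc and rule):
            raise ValueError("unrecognised alert block: %r" % lines[0])
        rec = {
            "alert_id": "%s.%s" % (head.group(1), head.group(2)),
            "emailed": head.group(3) == "mail",  # the 'mail' flag marks alerts that were e-mailed
            "groups": head.group(4).split(","),
            "timestamp": loc.group(1), "source": loc.group(2), "location": loc.group(3),
            "rule_id": int(rule.group(1)), "level": int(rule.group(2)),
            "description": rule.group(3), "src_ip": None, "user": None,
        }
        body = lines[3:]
        # Optional enrichment lines come before the raw log line(s) that fired the rule.
        while body and (body[0].startswith("Src IP: ") or body[0].startswith("User: ")):
            key, value = body.pop(0).split(": ", 1)
            rec["src_ip" if key == "Src IP" else "user"] = value
        rec["log"] = "\n".join(body)
        alerts.append(rec)
    return alerts

def select_for_import(text, min_level):
    """Mirror <log_alert_level>: keep only alerts at or above min_level."""
    return [a for a in parse_alerts(text) if a["level"] >= min_level]
```

Each returned dict maps one-to-one onto a database row, so the insert step reduces to binding these keys to whatever columns the installed schema uses.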
