Some rules in ossec are designed to notify you regardless. Rule 1002
is one of them. You'd have to overwrite the rule (use your
local_rules.xml).

  <rule id="1002" level="2" overwrite="yes">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>

Just make sure you define $BAD_WORDS at the top of your
local_rules.xml too. Problem is that you might miss something
worthwhile because of a bad decoder or rule. That's why 1002 is set to
alert by default.

On Jan 21, 10:51 am, Hugo Deprez <[email protected]> wrote:
> yes that's right.
> So this rule will always send e-mail ?
>
> I'll try to correct all the errors reported by this rule, but it's not
> always an easy thing to do.
>
> Thank you for the answer !
>
> Hugo
>
> On 21 January 2012 18:18, dan (ddp) <[email protected]> wrote:
>
> > On Sat, Jan 21, 2012 at 8:30 AM, Hugo Deprez <[email protected]> wrote:
> >> Dear community,
>
> >> I just set up an ossec server with the following e-mail alerting settings:
>
> >> <ossec_config>
> >>  <global>
> >>    <email_notification>yes</email_notification>
> >>    <email_to>[email protected]</email_to>
> >>    <smtp_server>smtp.domain.com</smtp_server>
> >>    <email_from>[email protected]</email_from>
> >>  </global>
>
> >> <alerts>
> >>    <log_alert_level>1</log_alert_level>
> >>    <email_alert_level>7</email_alert_level>
> >>  </alerts>
>
> >> I am still receiving e-mail alerts for level 2 for example.
> >> Is the log_alert_level parameter doing this?
>
> >> Regards,
>
> >> Hugo
>
> > Rule 1002 perhaps? It has an option set to always email.
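A complete local_rules.xml for the override described at the top of this message, as an added example (not posted by anyone in the thread). It assumes the stock rule 1002 forces mail via `<options>alert_by_email</options>`; the child rule id 100002 and the program name "backup-agent" are constructed for illustration.

```xml
<!-- local_rules.xml: stop rule 1002 from mailing regardless of
     <email_alert_level>, while keeping the catch-all rule itself. -->

<!-- The variable the overwritten rule references; the stock value from
     rules_config.xml, redefined here so local_rules.xml is self-contained. -->
<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>

<group name="local,syslog,">

  <!-- Option A: re-declare 1002 without <options>alert_by_email</options>.
       overwrite="yes" replaces the stock definition entirely, so the
       forced e-mail goes away and 1002 now obeys <email_alert_level>. -->
  <rule id="1002" level="2" overwrite="yes">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>

  <!-- Option B (narrower, use instead of A): leave 1002 alone and only
       mute one known benign source. Level 0 is neither logged nor mailed,
       so the catch-all still fires for everything else. "backup-agent" is
       a constructed program name; user rule ids live in 100000-119999. -->
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <program_name>backup-agent</program_name>
    <description>Known benign error text from backup-agent.</description>
  </rule>

</group>
```

Feed a sample line through ossec-logtest before and after the change to confirm which rule id fires and at what level, since a typo in the overwrite silently restores the stock behaviour.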
