Hello all,

I now have my local installation of OSSEC working and integrated with my 
running services. So far it's working really well. There is still one thing 
that is not really working. I set up email notifications for active 
response rules in my ossec.conf like this:
<email_alerts>
    <email_to>[email protected]</email_to>
    <rule_id>601, 602</rule_id>
    <do_not_delay />
    <do_not_group />
</email_alerts>

I also tried using the <rule_group> tag but this also didn't work. Every 
other notification is correctly sent (ossec start and everything above 
level 7). For the meantime I want to have all active_response actions sent 
to me immediately to fine-tune the system.

And before you ask: yes, I checked with analogi that there were indeed 
alerts triggering rules 601 and 602. I also have a minimal local_rules.xml 
(Listen ports warning and load average warning) and an extended ar_log 
decoder in my local_decoder.xml (added German weekdays to the regex).

Regards
Christian
