I have an email alert set in ossec.config for a specific rule (the global email settings are working since I get emails for various other alerts):

  <email_alerts>
    <email_to>m...@myemailaddress.com</email_to>
    <rule_id>100007</rule_id>
    <level>3</level>
    <do_not_delay />
  </email_alerts>

The <level> tag was added afterwards, in case that was a limiting feature. The alert is sent to the ossec server; I see it in alerts/alerts.log. The rule that triggers the alert is in local_rules.xml:

  <rule id="100007" level="5">
    <if_sid>18101</if_sid>
    <id>2031</id>
    <match>SysmonLog</match>
    <description>Windows monitored event.</description>
  </rule>

The event in the log is:

  ** Alert 1344451956.2521132: mail - local,syslog,windows,
  2012 Aug 08 14:52:36 (**Server name**) 900.0.0.999->WinEvtLog
  Rule: 100007 (level 5) -> 'Windows monitored event.'
  User: (no user)
  WinEvtLog: Application: INFORMATION(2031): SysmonLog: (no user): no domain: **Server name**: Counter : \\**Server name**\LogicalDisk(_Total)\% Free Space has tripped its alert threshold. The counter value of 2.83187761080671 is under the limit value of 10.

Any ideas as to why I don't get an email notification? This alert is generated every 30 minutes; other alerts are emailed, just not this one.
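As an added diagnostic (example code, not from the original post or the OSSEC project): a small Python parser for alerts.log entries like the one above, plus a check of the parsed alert against a granular <email_alerts> block. It assumes that the word "mail" in the "** Alert" header marks an alert OSSEC flagged for email and that <level> in an <email_alerts> block is a minimum level; the sample entry is constructed from the post, with the masked server name replaced by SERVER.

```python
import re

# Constructed sample, adapted from the alerts.log entry in the post
# (masked server name replaced by SERVER; IP kept as the poster wrote it).
SAMPLE_ALERT = r"""** Alert 1344451956.2521132: mail - local,syslog,windows,
2012 Aug 08 14:52:36 (SERVER) 900.0.0.999->WinEvtLog
Rule: 100007 (level 5) -> 'Windows monitored event.'
User: (no user)
WinEvtLog: Application: INFORMATION(2031): SysmonLog: (no user): no domain: SERVER: Counter : \\SERVER\LogicalDisk(_Total)\% Free Space has tripped its alert threshold. The counter value of 2.83187761080671 is under the limit value of 10.
"""

# Header: "** Alert <epoch>.<seq>: mail - group1,group2,"  (" mail" is optional)
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>[\d.]+):(?P<mail> mail)? - (?P<groups>[^\n]*)$", re.M)
# Rule line: "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'$", re.M)


def parse_alert(text):
    """Parse one alerts.log entry into a dict; return None if header or rule line is missing."""
    h = HEADER_RE.search(text)
    r = RULE_RE.search(text)
    if not h or not r:
        return None
    return {
        "epoch": int(h.group("ts").split(".")[0]),
        # Assumption: "mail" in the header means OSSEC flagged this alert for email.
        "flagged_for_mail": h.group("mail") is not None,
        "groups": [g for g in h.group("groups").split(",") if g],
        "rule_id": int(r.group("id")),
        "level": int(r.group("level")),
        "description": r.group("desc"),
    }


def matches_email_alerts(alert, cfg):
    """Model a granular <email_alerts> block: every key present in cfg must match.
    Assumption: cfg["rule_id"] is a set of accepted ids, cfg["level"] a minimum level."""
    if "rule_id" in cfg and alert["rule_id"] not in cfg["rule_id"]:
        return False
    if "level" in cfg and alert["level"] < cfg["level"]:
        return False
    return True


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    # The poster's block: rule_id 100007, level 3 -> should match a level-5 alert
    print(alert, matches_email_alerts(alert, {"rule_id": {100007}, "level": 3}))
```

If the header carries "mail" and the block matches, the alert left the analysis stage correctly and the problem lies further down (the maild delivery side or the mail server), not in the rule or the <email_alerts> block.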