Hi,
three questions -- I'm using OSSEC HIDS v2.6:
1) I've an email_alerts block like this:
<email_alerts>
<email_to>[email protected]</email_to>
<rule_id>100005</rule_id>
<do_not_delay />
<do_not_group />
</email_alerts>
But this mailadmin also gets alerts for other rules. Why?
2) How do I set up the global email_to recipient so that it gets only unassigned
rules (all alerts not handled by other email_alerts blocks)?
In this case the alerts that matter to mailadmin aren't important for
the global OSSEC admin, so receiving everything except rule 100005 would be
fine. How can I configure this?
3) It looks like something like this won't trigger mail alerts:
<alerts>
<email_alert_level>10</email_alert_level>
</alerts>
<email_alerts>
<email_to>[email protected]</email_to>
<!-- level 3 sudo rule -->
<rule_id>5402</rule_id>
<event_location>watchershost</event_location>
<do_not_delay />
<do_not_group />
</email_alerts>
This still won't send mails even if I add <level>3</level> into the
block.
So do I have to overwrite rule 5402 to raise its level to the global
email_alert_level?
Sincerely,
Jürgen Kahnert
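An added example, not part of the original post or of OSSEC itself: a small Python audit script that parses the email_alerts blocks from an ossec.conf excerpt (a constructed copy of the blocks above, with placeholder addresses) and reports which blocks' explicit filters accept a given alert. It only evaluates the rule_id, level and event_location filters written in each block; it does not model whether maild actually sends the mail, and it treats event_location as a plain substring match, which is a simplification.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt mirroring the post; addresses are placeholders.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <email_alert_level>10</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>mailadmin@example.invalid</email_to>
    <rule_id>100005</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
  <email_alerts>
    <email_to>watcher@example.invalid</email_to>
    <!-- level 3 sudo rule -->
    <rule_id>5402</rule_id>
    <event_location>watchershost</event_location>
    <level>3</level>
  </email_alerts>
</ossec_config>"""


def parse_email_alerts(conf_xml):
    """Return (global email_alert_level, list of email_alerts blocks as dicts)."""
    root = ET.fromstring(conf_xml)  # ElementTree drops XML comments by default
    lvl = root.findtext("alerts/email_alert_level")
    global_level = int(lvl) if lvl else None
    blocks = []
    for ea in root.findall("email_alerts"):
        rule_ids = set()
        for r in ea.findall("rule_id"):  # rule_id may be a comma-separated list
            rule_ids.update(x.strip() for x in r.text.split(",") if x.strip())
        blocks.append({
            "email_to": [e.text.strip() for e in ea.findall("email_to")],
            "rule_id": rule_ids,
            "level": int(ea.findtext("level", default="0")),
            "event_location": [e.text.strip() for e in ea.findall("event_location")],
            "do_not_delay": ea.find("do_not_delay") is not None,
            "do_not_group": ea.find("do_not_group") is not None,
        })
    return global_level, blocks


def matching_blocks(blocks, rule_id, level, location):
    """Blocks whose explicit filters all accept the alert (filter check only)."""
    out = []
    for blk in blocks:
        if blk["rule_id"] and str(rule_id) not in blk["rule_id"]:
            continue
        if level < blk["level"]:
            continue
        if blk["event_location"] and not any(loc in location for loc in blk["event_location"]):
            continue
        out.append(blk)
    return out
```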