On Tue, Sep 18, 2012 at 8:09 AM, Juergen Kahnert
<[email protected]> wrote:
> Hi,
>
> three questions -- I'm using OSSEC HIDS v2.6:
>
> 1) I've an email_alerts block like this:
>
>    <email_alerts>
>      <email_to>[email protected]</email_to>
>      <rule_id>100005</rule_id>
>      <do_not_delay />
>      <do_not_group />
>    </email_alerts>
>
>    But this mailadmin also gets alerts for other rules. Why?
>

Can you provide more information? Do the alerts get grouped with other
alerts or are there no instances of 100005 in the emails? Does it seem
to happen once an hour at the beginning of the hour? Could it be that
the max emails limit is reached and this account is getting the
rollup?


>
> 2) How to set up the global email_to recipient to get only unassigned
>    rules (all alerts not handled by other email_alerts blocks)?
>

You can't.

>    In this case the alerts important for mailadmin aren't important for
>    the global OSSEC admin, so receiving all but rule 100005 would be
>    fine.  How to configure this?
>
>
> 3) It looks like something like this won't trigger mail alerts:
>
>    <alerts>
>      <email_alert_level>10</email_alert_level>
>    </alerts>
>
>    <email_alerts>
>      <email_to>[email protected]</email_to>
>      <!-- level 3 sudo rule -->
>      <rule_id>5402</rule_id>
>      <event_location>watchershost</event_location>
>      <do_not_delay />
>      <do_not_group />
>    </email_alerts>
>
>    This still won't send mails even if I add <level>3</level> into the
>    block.
>
>    So I have to overwrite rule 5402 to increase the level to the global
>    email_alert_level?
>
>

The email_alert_level setting is global. If the rule doesn't meet that
criterion (or isn't configured to always send email), an email won't be
sent.

> Sincerely,
>
>     Jürgen Kahnert
>
>
