On Tue, Sep 18, 2012 at 08:56:59AM -0400, dan (ddp) wrote:
> On Tue, Sep 18, 2012 at 8:09 AM, Juergen Kahnert
> <[email protected]> wrote:
> > 1) I've an email_alerts block like this:
> >
> > <email_alerts>
> >   <email_to>[email protected]</email_to>
> >   <rule_id>100005</rule_id>
> >   <do_not_delay />
> >   <do_not_group />
> > </email_alerts>
> >
> > But this mailadmin also gets alerts for other rules. Why?
> >
>
> Can you provide more information? Do the alerts get grouped with other
> alerts or are there no instances of 100005 in the emails?
There is always at least one instance of 100005 in the emails.
> Does it seem to happen once an hour at the beginning of the hour?
> Could it be that the max emails limit is reached and this account is
> getting the rollup?
Stupid me, I deleted those mails, but I've written a new test rule to
find out. I also made a new group and put this single rule inside it:
<group name="testalert,">
  <rule id="100006" level="12">
    <if_sid>5402</if_sid>
    <hostname>testhost</hostname>
    <description>Alert test rule</description>
  </rule>
</group>
And inside ossec.conf:
<email_alerts>
  <email_to>[email protected]</email_to>
  <group>testalert</group>
  <do_not_delay />
  <do_not_group />
</email_alerts>
The first mails were sent out until the limit was reached. Then, at the
beginning of the hour, a grouped mail with alerts was sent to the global
email_to address and also to [email protected] (there was one instance of
100005 inside the mail).
The header looks like this:
From: OSSEC HIDS <[email protected]>
To: [email protected]
To: [email protected]
But there is no "To: [email protected]"...
The global option email_maxperhour would also be very useful inside
email_alerts. My testalert stuff consumed all mails per hour, so that
rule 100005 to [email protected] was suppressed (until the end of the
hour).
We have > 20000 network devices, many of them sending syslogs to a
loghost where I resend them to the OSSEC server.
The OSSEC server is performing very well with all the events, but I
need a way to send out email alerts without mixing different divisions
together (see below).
> > 2) How to set up the global email_to recipient to get only unassigned
> > rules (all alerts not handled by other email_alerts blocks)?
>
> You can't.
Nobody ever asked for such a feature?
OSSEC is doing well at log analysis, so having one tool for this task
would make logsurfer or similar tools obsolete.
But getting all mails (global and via email_alerts) isn't helpful in
this case. Is there any chance to get this feature into OSSEC?
I wonder if there is nobody else who would like it...
Sincerely,
Jürgen Kahnert
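An added example, not code from this thread or from the OSSEC project: a small Python model of the routing discussed above (the global email_to plus email_alerts blocks matched by rule_id or group, with one shared email_maxperhour budget), showing how a chatty test rule starves the 100005 mail to the mailadmin until the hourly rollup. The addresses, the sample alerts and the exact matching semantics are assumptions, labelled in the comments.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (placeholder addresses): one global recipient, a
# per-rule block, a per-group block, and a small email_maxperhour budget.
CONFIG = """<ossec_config>
  <global>
    <email_to>global@example.invalid</email_to>
    <email_maxperhour>5</email_maxperhour>
  </global>
  <email_alerts><email_to>mailadmin@example.invalid</email_to><rule_id>100005</rule_id></email_alerts>
  <email_alerts><email_to>testalert@example.invalid</email_to><group>testalert</group></email_alerts>
</ossec_config>"""

# Constructed alerts for one hour: six hits of the test rule, then one 100005.
ALERTS = [{"rule_id": "100006", "groups": "testalert,"}] * 6 + [
    {"rule_id": "100005", "groups": "syslog,"}]

def load_config(xml_text):
    root = ET.fromstring(xml_text)
    g = root.find("global")
    return {
        "global_to": [e.text for e in g.findall("email_to")],
        "maxperhour": int(g.findtext("email_maxperhour", "12")),  # 12 = OSSEC default
        "blocks": [{"to": b.findtext("email_to"), "rule_id": b.findtext("rule_id"),
                    "group": b.findtext("group")} for b in root.findall("email_alerts")],
    }

def recipients(cfg, alert):
    """Assumption: the global email_to always gets the alert (the thread says it
    cannot be limited to unassigned rules); a block adds its recipient on an
    exact rule_id match or when its group is in the rule's group list."""
    to = list(cfg["global_to"])
    groups = [x for x in alert["groups"].split(",") if x]
    for b in cfg["blocks"]:
        if (b["rule_id"] and b["rule_id"] == alert["rule_id"]) or \
           (b["group"] and b["group"] in groups):
            to.append(b["to"])
    return to

def simulate_hour(cfg, alerts):
    """Assumption: email_maxperhour is one budget shared by every block, so a
    chatty rule starves the rest; alerts past the limit wait for the rollup."""
    sent, deferred = [], []
    for a in alerts:
        if len(sent) < cfg["maxperhour"]:
            sent.append((a["rule_id"], recipients(cfg, a)))
        else:
            deferred.append(a["rule_id"])  # mailed grouped at the next hour
    return sent, deferred
```

Running simulate_hour(load_config(CONFIG), ALERTS) sends the first five 100006 alerts immediately and defers the sixth together with the single 100005, which is the starvation the thread describes.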