On Tue, Sep 18, 2012 at 10:44 AM, Juergen Kahnert <[email protected]> wrote:
> On Tue, Sep 18, 2012 at 08:56:59AM -0400, dan (ddp) wrote:
>> On Tue, Sep 18, 2012 at 8:09 AM, Juergen Kahnert
>> <[email protected]> wrote:
>> > 1) I have an email_alerts block like this:
>> >
>> >   <email_alerts>
>> >     <email_to>[email protected]</email_to>
>> >     <rule_id>100005</rule_id>
>> >     <do_not_delay />
>> >     <do_not_group />
>> >   </email_alerts>
>> >
>> > But this mail admin also gets alerts for other rules. Why?
>> >
>>
>> Can you provide more information? Do the alerts get grouped with other
>> alerts, or are there no instances of 100005 in the emails?
>
> There is always at least one instance of 100005 in the emails.
>
>
>> Does it seem to happen once an hour, at the beginning of the hour?
>> Could it be that the max emails limit is reached and this account is
>> getting the rollup?
>
> Stupid me, I deleted those mails, but I have written a new test rule to
> find out. I also made a new group and put this single rule inside it:
>
>   <group name="testalert,">
>     <rule id="100006" level="12">
>       <if_sid>5402</if_sid>
>       <hostname>testhost</hostname>
>       <description>Alert test rule</description>
>     </rule>
>   </group>
>
> And inside ossec.conf:
>
>   <email_alerts>
>     <email_to>[email protected]</email_to>
>     <group>testalert</group>
>     <do_not_delay />
>     <do_not_group />
>   </email_alerts>
>
> The first mails were sent out until the limit was reached. Then, at the
> beginning of the hour, a grouped mail with alerts was sent to the global
> email_to address and also to [email protected] (there was one instance
> of 100005 inside the mail).
>
> The header looks like this:
>
>   From: OSSEC HIDS <[email protected]>
>   To: [email protected]
>   To: [email protected]
>
> But there is no "To: [email protected]"...
>
>
> The global option email_maxperhour would also be very useful inside
> email_alerts. My testalert stuff consumed all the mails per hour, so that
> rule 100005 to [email protected] was suppressed (until the end of the
> hour).
>

So increase the max emails per hour setting.

> We have more than 20000 network devices, many of them sending syslogs to
> a loghost, where I resend them to the OSSEC server.
>
> The OSSEC server is performing very well with all the events, but I
> need a way to send out email alerts without mixing different divisions
> together (see below).

Use different OSSEC servers (in hybrid mode if you use 2.7) for each
division, and funnel all alerts to a single server for the people who need
to see everything.

>
>> > 2) How do I set up the global email_to recipient to get only unassigned
>> > rules (all alerts not handled by other email_alerts blocks)?
>>
>> You can't.
>
> Nobody ever asked for such a feature?

Nope.

> OSSEC is doing well at log analysis, so having one tool for this task
> would make logsurfer or similar obsolete.
>
> But getting all mails (global and via email_alerts) isn't helpful in
> this case. Is there any chance to get this feature into OSSEC?

Submit a patch and it should be accepted, after 2.7 anyhow.

> I wonder if there is nobody else who would like it...
>
>
> Sincerely,
>
> Jürgen Kahnert
>
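The behaviour the two of them are circling (per-recipient mails go out until email_maxperhour is exhausted, then everything left over lands in one grouped mail at the top of the hour that the per-rule recipient also receives) is easier to see replayed than described. The following is a constructed model written for this page, not OSSEC's maild code; the recipient addresses, the limit values and the alert stream are invented, and the rule that the rollup is addressed to every email_alerts recipient whose selector matches at least one queued alert is an assumption that simplifies what Jürgen observed. Run it with a small limit and the mailadmin address receives rules 100006 and 5402 alongside its one 100005; raise the limit, as Dan suggests, and 100005 goes out on its own.

```python
"""Constructed model of the per-hour mail limit and the end-of-hour rollup
discussed in the thread. Written for this page; not OSSEC's maild code.

Assumptions made here: an alert matched by a do_not_delay block is mailed to
that block's recipient at once while fewer than email_maxperhour mails have
gone out this hour; once the limit is reached, alerts are queued and go out as
one grouped mail at the next hour boundary, addressed to the global email_to
plus every email_alerts recipient whose selector matches at least one queued
alert. Level filtering for the global address and the normal grouping
interval are left out to keep the model small.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Alert:
    ts: int              # seconds since epoch, constructed
    rule_id: int
    level: int
    groups: Set[str]
    hostname: str


@dataclass
class EmailAlertsBlock:
    """One <email_alerts> block; every selector that is set must match."""
    email_to: str
    rule_id: Optional[int] = None
    group: Optional[str] = None
    level: Optional[int] = None
    do_not_delay: bool = False

    def matches(self, a: Alert) -> bool:
        if self.rule_id is not None and a.rule_id != self.rule_id:
            return False
        if self.group is not None and self.group not in a.groups:
            return False
        if self.level is not None and a.level < self.level:
            return False
        return True


@dataclass
class Mail:
    to: List[str]
    alerts: List[Alert]


class Mailer:
    def __init__(self, global_to: str, maxperhour: int,
                 blocks: List[EmailAlertsBlock]):
        self.global_to, self.maxperhour, self.blocks = global_to, maxperhour, blocks
        self.sent_this_hour = 0
        self.current_hour: Optional[int] = None
        self.queue: List[Alert] = []
        self.outbox: List[Mail] = []

    def _flush(self) -> None:
        """Hour boundary: one grouped mail, then the per-hour counter resets."""
        if self.queue:
            to = [self.global_to]
            for b in self.blocks:
                if b.email_to not in to and any(b.matches(a) for a in self.queue):
                    to.append(b.email_to)
            self.outbox.append(Mail(to, self.queue))
            self.queue = []
        self.sent_this_hour = 0

    def feed(self, a: Alert) -> None:
        hour = a.ts // 3600
        if self.current_hour is None:
            self.current_hour = hour
        elif hour != self.current_hour:
            self._flush()
            self.current_hour = hour
        immediate = [b.email_to for b in self.blocks if b.do_not_delay and b.matches(a)]
        if immediate and self.sent_this_hour < self.maxperhour:
            self.outbox.append(Mail(immediate, [a]))
            self.sent_this_hour += 1
        else:
            self.queue.append(a)          # limit hit, or no do_not_delay match

    def finish(self) -> List[Mail]:
        self._flush()
        return self.outbox


def run_scenario(maxperhour: int) -> List[Mail]:
    """Replay a constructed 10:00-11:00 hour with the two blocks from the thread.
    With a small limit the testalert flood exhausts it, so 100005 lands in the
    rollup and the mailadmin address receives other rules alongside it."""
    blocks = [
        EmailAlertsBlock("mailadmin@example.invalid", rule_id=100005, do_not_delay=True),
        EmailAlertsBlock("tester@example.invalid", group="testalert", do_not_delay=True),
    ]
    m = Mailer("global@example.invalid", maxperhour, blocks)
    t0 = 10 * 3600
    for i in range(4):                                  # four testalert hits
        m.feed(Alert(t0 + 60 * i, 100006, 12, {"testalert"}, "testhost"))
    m.feed(Alert(t0 + 600, 100005, 10, {"mail"}, "mailhost"))
    m.feed(Alert(t0 + 700, 5402, 3, {"syslog"}, "otherhost"))        # matches no block
    m.feed(Alert(t0 + 3600, 100006, 12, {"testalert"}, "testhost"))  # 11:00 -> rollup
    return m.finish()
```

`run_scenario(3)` yields three immediate mails to the tester address, then one rollup at 11:00 addressed to the global recipient, the mailadmin and the tester carrying 100006, 100005 and 5402 together; `run_scenario(12)` sends 100005 to the mailadmin on its own and leaves only the unmatched 5402 for the global rollup. The model also shows why a per-block email_maxperhour, as Jürgen asks for, would matter: one noisy group can starve an unrelated recipient's rule for the rest of the hour.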
