Hi Dan,

I've since realised that the cisco alerts get classified in the grouping as 
"syslog,cisco-ios,authentication_failed,"; I initially took this as that it 
was in multiple groups, not that it was hierarchical.  Using the following 
config means that the alerts are being sent to account2, as well as 
account1:

<global>
    <email_notification>yes</email_notification>
    <email_to>account1@domain</email_to>
    <smtp_server>server</smtp_server>
    <email_from>ossec@domain</email_from>
</global>
...snip...
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>6</email_alert_level>
</alerts>
...snip...
<email_alerts>
  <email_to>account2@domain</email_to>
  <group>syslog,cisco-ios</group>
  <level>9</level>
</email_alerts>

However, I'm getting all alerts above 6 going to account1@, and cisco 
alerts above 9 going to account1@ & account2@;  what I really want is only 
cisco alerts being emailed, and only to account2@ (although I would settle 
for them going to both accounts).  Is there a way to have email alerts off 
by default and only on for selected alert types?

Here is a sample from alerts.log:

2012 Oct 24 12:04:52 LOG-01->172.19.80.143
Rule: 4724 (level 9) -> 'Failed login to the router.'
886384: 510544: Oct 24 12:04:51.701 BST: %SEC_LOGIN-4-LOGIN_FAILED: Login 
failed [user: ] [Source: 172.19.80.13] [localport: 22] [Reason: Login 
Authentication Failed] at 12:04:51 BST Wed Oct 24 2012

Thanks.

On Wednesday, October 24, 2012 1:46:01 PM UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Oct 24, 2012 at 6:09 AM, Chris H <[email protected]> wrote:
> > Hi, 
> > 
> > I'm trying to configure email alerts.  I want to use granular alerting, so
> > that specific alerts (i.e. Cisco) go to specific teams.  I only want
> > specific alert groups generating emails, not everything.  I've enabled the
> > global alerts, and tested that it works globally by adding
> > <email_alert_level>9</email_alert_level>.  This works fine.
> >
> > What I'm trying to do now is change it to only send alerts that match a
> > single group and level, and no others.  I have email_notification, email_to
> > and smtp_server set in the global.  I have removed email_alert_level, and
> > added a new email_alert
> > 
> > <global> 
> >     <email_notification>yes</email_notification> 
> >     <email_to>account1@domain</email_to> 
> >     <smtp_server>server</smtp_server> 
> >     <email_from>ossec@domain</email_from> 
> > </global> 
> > ...snip... 
> > <alerts> 
> >   <log_alert_level>3</log_alert_level> 
> > </alerts> 
> > ...snip... 
> > <email_alerts> 
> >   <email_to>account2@domain</email_to> 
> >   <group>cisco-ios</group> 
>
> Are you sure you have rules in a cisco-ios group? Can you provide 
> samples of the alerts you are expecting to go to this email address? 
>
> >   <level>9</level> 
> > </email_alerts> 
> > 
> > emails are being generated, but they are going to account1@domain, rather
> > than account2@domain.
> > 
> > What am I missing? 
> > 
> > Thanks, 
> > 
> > C 
>