On Wed, Oct 24, 2012 at 9:17 AM, Chris H <[email protected]> wrote:
> Hi Dan,
>
> I've since realised that the cisco alerts get classified in the grouping as
> "syslog,cisco-ios,authentication_failed,"; I initially took this as that it
> was in multiple groups, not that it was hierarchical. Using the following
> config means that the alerts are being sent to account2, as well as
> account1:
>
> <global>
> <email_notification>yes</email_notification>
> <email_to>account1@domain</email_to>
> <smtp_server>server</smtp_server>
> <email_from>ossec@domain</email_from>
> </global>
> ...snip...
> <alerts>
> <log_alert_level>3</log_alert_level>
> <email_alert_level>6</email_alert_level>
> </alerts>
> ...snip...
> <email_alerts>
> <email_to>account2@domain</email_to>
> <group>syslog,cisco-ios</group>
> <level>9</level>
> </email_alerts>
>
> However, I'm getting all alerts above 6 going to account1@, and cisco alerts
> above 9 going to account1@ & account2@; what I really want is only cisco
> alerts being emailed, and only to account2@ (although I would settle for
> them going to both accounts). Is there a way to have email alerts off by
> default and only on for selected alert types?
>

Not that I'm aware of.

> Here is a sample from alerts.log:
>
> 2012 Oct 24 12:04:52 LOG-01->172.19.80.143
> Rule: 4724 (level 9) -> 'Failed login to the router.'
> 886384: 510544: Oct 24 12:04:51.701 BST: %SEC_LOGIN-4-LOGIN_FAILED: Login
> failed [user: ] [Source: 172.19.80.13] [localport: 22] [Reason: Login
> Authentication Failed] at 12:04:51 BST Wed Oct 24 2012
>
> Thanks.
>
> On Wednesday, October 24, 2012 1:46:01 PM UTC+1, dan (ddpbsd) wrote:
>>
>> On Wed, Oct 24, 2012 at 6:09 AM, Chris H <[email protected]> wrote:
>> > Hi,
>> >
>> > I'm trying to configure email alerts. I want to use granular alerting, so
>> > that specific alerts (i.e. Cisco) go to specific teams. I only want
>> > specific alert groups generating emails, not everything. I've enabled the
>> > global alerts, and tested that it works globally by adding
>> > <email_alert_level>9</email_alert_level>. This works fine.
>> >
>> > What I'm trying to do now is change it to only send alerts that match a
>> > single group and level, and no others. I have email_notification, email_to
>> > and smtp_server set in the global. I have removed email_alert_level, and
>> > added a new email_alert
>> >
>> > <global>
>> > <email_notification>yes</email_notification>
>> > <email_to>account1@domain</email_to>
>> > <smtp_server>server</smtp_server>
>> > <email_from>ossec@domain</email_from>
>> > </global>
>> > ...snip...
>> > <alerts>
>> > <log_alert_level>3</log_alert_level>
>> > </alerts>
>> > ...snip...
>> > <email_alerts>
>> > <email_to>account2@domain</email_to>
>> > <group>cisco-ios</group>
>>
>> Are you sure you have rules in a cisco-ios group? Can you provide
>> samples of the alerts you are expecting to go to this email address?
>>
>> > <level>9</level>
>> > </email_alerts>
>> >
>> > emails are being generated, but they are going to account1@domain, rather
>> > than account2@domain.
>> >
>> > What am I missing?
>> >
>> > Thanks,
>> >
>> > C
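To make the routing behaviour discussed in this thread concrete, here is an added example (not OSSEC's own code, and not posted by anyone in the thread) that models it: the global `<email_to>` receives every alert at or above `<email_alert_level>`, and each `<email_alerts>` block adds its own recipient when the alert reaches the block's `<level>` and the block's `<group>` matches. The hierarchical group match (a prefix of the alert's comma-separated group string, so `syslog,cisco-ios` matches but `cisco-ios` alone does not) and the sample alert are assumptions constructed from what the thread shows.

```python
import re
from dataclasses import dataclass

# Constructed model of the routing the thread describes, not OSSEC's code:
# global <email_to> gets everything >= <email_alert_level>; each
# <email_alerts> block adds its <email_to> when level and group both match.
RULE_RE = re.compile(r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'")

@dataclass
class Alert:
    rule: int
    level: int
    description: str
    groups: str  # comma-separated, e.g. "syslog,cisco-ios,authentication_failed,"

def parse_alert(entry: str, groups: str) -> Alert:
    """Pull rule id, level and description out of an alerts.log entry."""
    m = RULE_RE.search(entry)
    if m is None:
        raise ValueError("no 'Rule:' line in alerts.log entry")
    return Alert(int(m["rule"]), int(m["level"]), m["desc"], groups)

def group_matches(configured: str, alert_groups: str) -> bool:
    # Assumption (hierarchical match as observed in the thread): the configured
    # group path must be a prefix of the alert's group string.
    return alert_groups.startswith(configured.rstrip(",") + ",")

def recipients(alert: Alert, global_to: str, email_alert_level: int, granular: list) -> set:
    """Return the addresses this alert would be mailed to under the model."""
    to = set()
    if alert.level >= email_alert_level:
        to.add(global_to)          # global threshold: account1 gets it
    for block in granular:
        if alert.level >= block["level"] and group_matches(block["group"], alert.groups):
            to.add(block["email_to"])  # granular block: adds account2, never removes account1
    return to

# Constructed sample mirroring the thread's alerts.log excerpt and config
SAMPLE_ENTRY = """2012 Oct 24 12:04:52 LOG-01->172.19.80.143
Rule: 4724 (level 9) -> 'Failed login to the router.'
886384: 510544: Oct 24 12:04:51.701 BST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 172.19.80.13] [localport: 22] [Reason: Login Authentication Failed] at 12:04:51 BST Wed Oct 24 2012"""
GRANULAR = [{"email_to": "account2@domain", "group": "syslog,cisco-ios", "level": 9}]

if __name__ == "__main__":
    cisco = parse_alert(SAMPLE_ENTRY, "syslog,cisco-ios,authentication_failed,")
    print(sorted(recipients(cisco, "account1@domain", 6, GRANULAR)))
```

Running it with the thread's settings reproduces the complaint: the level-9 Cisco alert goes to both accounts, because the granular block only ever adds recipients on top of the global one.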
