Hi Chris,
the email notification works like this: emails always get sent to the
global <email_to>, and any granular email config is added as an
additional recipient of the email.
Our solution was to just set the global <email_to> to an email address
that discards mail (like blackhole or devnull), and then set up the
granular email notifications for the levels, groups, locations, ... you
want. That makes the whole system behave more like you would expect (we
use it so that different departments get mails for their own services).
If you are expecting a lot of emails, you may want to set the global
<email_maxperhour> to a higher number to avoid grouping of multiple
alerts into one email.
Set up this way, your config could look somewhat like this (although
alerts >= level 12 would go to both accounts):
<global>
  <email_notification>yes</email_notification>
  <email_to>devnull@localhost</email_to>
  <smtp_server>server</smtp_server>
  <email_from>ossec@domain</email_from>
</global>
...snip...
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>6</email_alert_level>
</alerts>
...snip...
<email_alerts>
  <email_to>account2@domain</email_to>
  <group>cisco-ios</group>
  <level>9</level>
</email_alerts>
<email_alerts>
  <email_to>account1@domain</email_to>
  <group>cisco-ios</group>
  <level>12</level>
</email_alerts>
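A small Python model of the routing rules described in the reply above, added here as an illustration (it is not code from the thread or from OSSEC): it reads the config fragments quoted in this thread and reports which addresses a given alert would reach. Two assumptions are made: the <group> test is modelled as a substring match on the alert's comma-separated group list, and an email_alert_level of 7 is assumed when the element is absent.

```python
"""Model of OSSEC's e-mail routing as described in the reply above: the
global <email_to> gets every alert at or above <email_alert_level>, and each
<email_alerts> block adds its own <email_to> when level and group match."""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment following the suggested layout: a discard
# address as the global recipient, real recipients only in granular blocks.
# The <ossec_config> wrapper is only here so the fragment parses as XML.
SUGGESTED_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>devnull@localhost</email_to>
  </global>
  <alerts><email_alert_level>6</email_alert_level></alerts>
  <email_alerts><email_to>account2@domain</email_to>
    <group>cisco-ios</group><level>9</level></email_alerts>
  <email_alerts><email_to>account1@domain</email_to>
    <group>cisco-ios</group><level>12</level></email_alerts>
</ossec_config>"""

# Constructed: same layout, but with account1 as the global recipient, as in
# the earlier config that mailed account1 for every alert at level 6 or above.
ORIGINAL_CONF = SUGGESTED_CONF.replace("devnull@localhost", "account1@domain")

# Group string of the sample alert (rule 4724, level 9) quoted in the thread.
CISCO_GROUPS = "syslog,cisco-ios,authentication_failed,"


def recipients(conf_xml, level, groups):
    """Return the set of addresses an alert of `level` whose group string is
    `groups` would be mailed to under the given ossec.conf fragment."""
    root = ET.fromstring(conf_xml)
    if root.findtext("global/email_notification") != "yes":
        return set()
    # Alerts below the global threshold never reach the mailer at all
    # (a default of 7 is assumed here when the element is absent).
    if level < int(root.findtext("alerts/email_alert_level", default="7")):
        return set()
    to = {root.findtext("global/email_to")}
    for block in root.findall("email_alerts"):
        if level < int(block.findtext("level", default="0")):
            continue
        # Group matching modelled as a substring test on the comma-separated
        # group list (assumption; both "syslog,cisco-ios" and "cisco-ios" match).
        if block.findtext("group", default="") not in groups:
            continue
        to.add(block.findtext("email_to"))
    return to
```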
On 10/24/2012 8:17 AM, Chris H wrote:
Hi Dan,
I've since realised that the cisco alerts get classified in the
grouping as "syslog,cisco-ios,authentication_failed,"; I initially
took this as that it was in multiple groups, not that it was
hierarchical. Using the following config means that the alerts are
being sent to account2, as well as account1:
<global>
  <email_notification>yes</email_notification>
  <email_to>account1@domain</email_to>
  <smtp_server>server</smtp_server>
  <email_from>ossec@domain</email_from>
</global>
...snip...
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>6</email_alert_level>
</alerts>
...snip...
<email_alerts>
  <email_to>account2@domain</email_to>
  <group>syslog,cisco-ios</group>
  <level>9</level>
</email_alerts>
However, I'm getting all alerts above 6 going to account1@, and cisco
alerts above 9 going to account1@ & account2@; what I really want is
only cisco alerts being emailed, and only to account2@ (although I
would settle for them going to both accounts). Is there a way to have
email alerts off by default and only on for selected alert types?
Here is a sample from alerts.log:
2012 Oct 24 12:04:52 LOG-01->172.19.80.143
Rule: 4724 (level 9) -> 'Failed login to the router.'
886384: 510544: Oct 24 12:04:51.701 BST: %SEC_LOGIN-4-LOGIN_FAILED:
Login failed [user: ] [Source: 172.19.80.13] [localport: 22] [Reason:
Login Authentication Failed] at 12:04:51 BST Wed Oct 24 2012
Thanks.
On Wednesday, October 24, 2012 1:46:01 PM UTC+1, dan (ddpbsd) wrote:
On Wed, Oct 24, 2012 at 6:09 AM, Chris H <[email protected]> wrote:
> Hi,
>
> I'm trying to configure email alerts. I want to use granular alerting, so
> that specific alerts (i.e. Cisco) go to specific teams. I only want
> specific alert groups generating emails, not everything. I've enabled the
> global alerts, and tested that it works globally by adding
> <email_alert_level>9</email_alert_level>. This works fine.
>
> What I'm trying to do now is change it to only send alerts that match a
> single group and level, and no others. I have email_notification, email_to
> and smtp_server set in the global. I have removed email_alert_level, and
> added a new email_alert
>
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>account1@domain</email_to>
>   <smtp_server>server</smtp_server>
>   <email_from>ossec@domain</email_from>
> </global>
> ...snip...
> <alerts>
>   <log_alert_level>3</log_alert_level>
> </alerts>
> ...snip...
> <email_alerts>
>   <email_to>account2@domain</email_to>
>   <group>cisco-ios</group>
Are you sure you have rules in a cisco-ios group? Can you provide
samples of the alerts you are expecting to go to this email address?
>   <level>9</level>
> </email_alerts>
>
> emails are being generated, but they are going to account1@domain, rather
> than account2@domain.
>
> What am I missing?
>
> Thanks,
>
> C