Many thanks Ryan, that sounds like it will achieve exactly what I'm after.
Chris

On Wednesday, October 24, 2012 2:40:57 PM UTC+1, Ryan Schulze wrote:
>
> Hi Chris,
>
> The email notification works like this: emails always get sent to the global <email_to>, and any granular email config is added as an additional recipient of the email.
> Our solution was to just set the global <email_to> to an email address that discards mail (like blackhole or devnull), and then set up the granular email notifications for the levels, groups, location, ... you want. That makes the whole system behave more like you would expect (we use it so that different departments get mails for their own services).
> If you are expecting a lot of emails, you may want to set the global <email_maxperhour> to a higher number to avoid grouping of multiple alerts into one email.
>
> Set up this way your config could look somewhat like this (although alerts >= level 12 would go to both accounts):
>
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>devnull@localhost</email_to>
>   <smtp_server>server</smtp_server>
>   <email_from>ossec@domain</email_from>
> </global>
> ...snip...
> <alerts>
>   <log_alert_level>3</log_alert_level>
>   <email_alert_level>6</email_alert_level>
> </alerts>
> ...snip...
> <email_alerts>
>   <email_to>account2@domain</email_to>
>   <group>cisco-ios</group>
>   <level>9</level>
> </email_alerts>
> <email_alerts>
>   <email_to>account1@domain</email_to>
>   <group>cisco-ios</group>
>   <level>12</level>
> </email_alerts>
>
>
> On 10/24/2012 8:17 AM, Chris H wrote:
> > Hi Dan,
> >
> > I've since realised that the cisco alerts get classified in the grouping as "syslog,cisco-ios,authentication_failed,"; I initially took this as meaning that it was in multiple groups, not that it was hierarchical.
> > Using the following config means that the alerts are being sent to account2, as well as account1:
> >
> > <global>
> >   <email_notification>yes</email_notification>
> >   <email_to>account1@domain</email_to>
> >   <smtp_server>server</smtp_server>
> >   <email_from>ossec@domain</email_from>
> > </global>
> > ...snip...
> > <alerts>
> >   <log_alert_level>3</log_alert_level>
> >   <email_alert_level>6</email_alert_level>
> > </alerts>
> > ...snip...
> > <email_alerts>
> >   <email_to>account2@domain</email_to>
> >   <group>syslog,cisco-ios</group>
> >   <level>9</level>
> > </email_alerts>
> >
> > However, I'm getting all alerts above 6 going to account1@, and cisco alerts above 9 going to account1@ & account2@; what I really want is only cisco alerts being emailed, and only to account2@ (although I would settle for them going to both accounts). Is there a way to have email alerts off by default and only on for selected alert types?
> >
> > Here is a sample from alerts.log:
> >
> > 2012 Oct 24 12:04:52 LOG-01->172.19.80.143
> > Rule: 4724 (level 9) -> 'Failed login to the router.'
> > 886384: 510544: Oct 24 12:04:51.701 BST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 172.19.80.13] [localport: 22] [Reason: Login Authentication Failed] at 12:04:51 BST Wed Oct 24 2012
> >
> > Thanks.
> >
> > On Wednesday, October 24, 2012 1:46:01 PM UTC+1, dan (ddpbsd) wrote:
>>
>> On Wed, Oct 24, 2012 at 6:09 AM, Chris H <[email protected]> wrote:
>> > Hi,
>> >
>> > I'm trying to configure email alerts. I want to use granular alerting, so that specific alerts (i.e. Cisco) go to specific teams. I only want specific alert groups generating emails, not everything. I've enabled the global alerts, and tested that it works globally by adding <email_alert_level>9</email_alert_level>. This works fine.
>> >
>> > What I'm trying to do now is change it to only send alerts that match a single group and level, and no others. I have email_notification, email_to and smtp_server set in the global. I have removed email_alert_level, and added a new email_alert:
>> >
>> > <global>
>> >   <email_notification>yes</email_notification>
>> >   <email_to>account1@domain</email_to>
>> >   <smtp_server>server</smtp_server>
>> >   <email_from>ossec@domain</email_from>
>> > </global>
>> > ...snip...
>> > <alerts>
>> >   <log_alert_level>3</log_alert_level>
>> > </alerts>
>> > ...snip...
>> > <email_alerts>
>> >   <email_to>account2@domain</email_to>
>> >   <group>cisco-ios</group>
>>
>> Are you sure you have rules in a cisco-ios group? Can you provide samples of the alerts you are expecting to go to this email address?
>>
>> >   <level>9</level>
>> > </email_alerts>
>> >
>> > Emails are being generated, but they are going to account1@domain, rather than account2@domain.
>> >
>> > What am I missing?
>> >
>> > Thanks,
>> >
>> > C
>> >
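The routing rule Ryan describes (the global <email_to> is on every mail, and each matching <email_alerts> entry only adds a recipient) is easy to get wrong when reading ossec.conf by eye. The script below is an added example, not OSSEC's code and not anything the posters wrote: it models that rule over the two configurations quoted in the thread and the sample alert from alerts.log, so you can check which addresses an alert at a given level and group would reach before changing a live ossec.conf. The matching semantics (a granular entry fires when its level is reached and every group it lists appears in the alert's group string; the global threshold defaults to 7 when <email_alert_level> is absent, as the OSSEC documentation states) are assumptions made for the model, and the wrapping <ossec_config> root is added only so ElementTree can parse the fragments.

```python
"""Model of the OSSEC e-mail routing described in the thread (constructed
example, not OSSEC's own code). The global <email_to> is always a recipient of
any mail that is sent; each matching <email_alerts> entry adds its <email_to>."""
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragments taken from the thread, wrapped in a root
# element so ElementTree can parse them (a real ossec.conf has no single root).
CONFIG_CHRIS = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>account1@domain</email_to>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>6</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>account2@domain</email_to>
    <group>syslog,cisco-ios</group>
    <level>9</level>
  </email_alerts>
</ossec_config>"""

CONFIG_RYAN = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>devnull@localhost</email_to>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>6</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>account2@domain</email_to>
    <group>cisco-ios</group>
    <level>9</level>
  </email_alerts>
  <email_alerts>
    <email_to>account1@domain</email_to>
    <group>cisco-ios</group>
    <level>12</level>
  </email_alerts>
</ossec_config>"""

RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")


def parse_rule_line(line):
    """Extract (rule_id, level) from an alerts.log 'Rule: NNNN (level N) -> ...' line."""
    m = RULE_LINE.match(line.strip())
    if not m:
        raise ValueError("not a Rule: line: %r" % line)
    return int(m.group(1)), int(m.group(2))


def parse_groups(group_field):
    """Split a rule's group string; the form seen in alerts carries a trailing comma."""
    return frozenset(g.strip() for g in group_field.split(",") if g.strip())


def recipients(config_xml, level, groups):
    """Ordered list of addresses an alert of this level/groups would be mailed to.

    Assumed semantics: mail is sent when the level reaches the global
    <email_alert_level> (default 7 per the OSSEC docs) or when any granular
    <email_alerts> entry matches; the global <email_to> is on every mail sent; a
    granular entry matches when its <level> is reached and every group it lists
    is among the alert's groups.
    """
    root = ET.fromstring(config_xml)
    if root.findtext("global/email_notification", "no").strip() != "yes":
        return []
    global_to = root.findtext("global/email_to", "").strip()
    threshold = int(root.findtext("alerts/email_alert_level", "7"))
    to = []
    if level >= threshold:
        to.append(global_to)
    for entry in root.findall("email_alerts"):
        wanted = parse_groups(entry.findtext("group", ""))
        if level >= int(entry.findtext("level", "0")) and wanted <= groups:
            if global_to not in to:
                to.append(global_to)  # the global address rides along on every mail
            addr = entry.findtext("email_to", "").strip()
            if addr not in to:
                to.append(addr)
    return to


def delivered(config_xml, level, groups, discard=("devnull@localhost",)):
    """Recipients that actually read the mail, i.e. minus the blackhole address."""
    return [a for a in recipients(config_xml, level, groups) if a not in discard]


if __name__ == "__main__":
    # The sample alert from the thread: rule 4724, level 9, cisco-ios grouping.
    _, lvl = parse_rule_line("Rule: 4724 (level 9) -> 'Failed login to the router.'")
    cisco = parse_groups("syslog,cisco-ios,authentication_failed,")
    print("Chris's config:", recipients(CONFIG_CHRIS, lvl, cisco))
    print("Ryan's config :", delivered(CONFIG_RYAN, lvl, cisco))
```

Running it shows why Chris saw mail at both accounts: under his config a level 9 cisco-ios alert lists account1@domain (global threshold 6) and account2@domain (granular entry). Under Ryan's layout the same alert goes to devnull@localhost and account2@domain, and a level 7 sshd alert goes only to the blackhole, so nobody sees it.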
