I've already disabled groupping in internal_options.xml.

Example of the problem: If IP 192.168.1.1 is brute forcing multiple agents running ossec, email is sent to one of the agents which also says that other domains were getting brute force from 192.168.1.1

This is obviously a problem if you want to keep agent details private. Hope it makes sense.

On Thursday, 3 January 2013 11:42:12 UTC, dan (ddpbsd) wrote:
>
> On Jan 3, 2013 6:41 AM, "sercan acar" <[email protected]> wrote:
> >
> > Hi,
> >
> > How can I stop ossec from sending out emails regarding agents to different agent e-mail addresses
> >
> > Example:
> >
> > OSSEC HIDS Notification.
> > 2013 Jan 01 07:30:55
> >
> > Received From: (stewart1) XX.XX.XX.XX->/var/log/auth.log
> > Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
> > Portion of the log(s):
> >
> > Jan 1 07:30:48 ossecagent1 sshd[22620]: Failed password for root from XX.248.16.XX port 40647 ssh2
> > Jan 1 07:30:45 ossecagent2 sshd[8689]: Failed password for root from XX.248.16.XX port 60038 ssh2
> > --END OF NOTIFICATION
> >
> > Email above was received by ossecagent1 email address, yet it contains information about host ossecagent2 which I want to stop from happening
> >
> > Regards,
>
> You could configure ossec to not group emails.
