On Thu, Jan 3, 2013 at 8:44 AM, sercan acar <[email protected]> wrote:
> I've already disabled groupping in internal_options.xml.
>
> Example of the problem: If IP 192.168.1.1 is brute forcing multiple agents
> running ossec, email is sent to one of the agents which also says that other
> domains were getting brute force from 192.168.1.1
>
> This is obviously a problem if you want to keep agent details private.
>
> Hope it makes sense
>
Oh, ok. So you mean something like sshd rule 5712 "SSHD brute force trying to get access to the system." The details of multiple agents are included in the 1 alert because the alert is based on logs from multiple agents. There is no way to send a partial alert to a granular email. Each email gets the entire alert or no alert.

>
> On Thursday, 3 January 2013 11:42:12 UTC, dan (ddpbsd) wrote:
>>
>>
>> On Jan 3, 2013 6:41 AM, "sercan acar" <[email protected]> wrote:
>> >
>> > Hi,
>> >
>> > How can I stop ossec from sending out emails regarding agents to
>> > different agent e-mail addresses
>> >
>> > Example:
>> >
>> > OSSEC HIDS Notification.
>> > 2013 Jan 01 07:30:55
>> >
>> > Received From: (stewart1) XX.XX.XX.XX->/var/log/auth.log
>> > Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
>> > Portion of the log(s):
>> >
>> > Jan 1 07:30:48 ossecagent1 sshd[22620]: Failed password for root from
>> > XX.248.16.XX port 40647 ssh2
>> > Jan 1 07:30:45 ossecagent2 sshd[8689]: Failed password for root from
>> > XX.248.16.XX port 60038 ssh2
>> > --END OF NOTIFICATION
>> >
>> > Email above was received by ossecagent1 email address, yet it contains
>> > information about host ossecagent2 which I want to stop from happening
>> >
>> >
>> >
>> > Regards,
>>
>> You could configure ossec to not group emails.
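Added example, not from the thread or from OSSEC itself: it parses a notification in the format quoted above (the sample text is constructed from that quote) to show which agents a grouped rule 5720 alert discloses, and how an external mail filter could keep only one host's lines before forwarding, since OSSEC's maild sends the whole alert or nothing.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the OSSEC notification quoted in the thread.
SAMPLE_ALERT = """OSSEC HIDS Notification.
2013 Jan 01 07:30:55

Received From: (stewart1) XX.XX.XX.XX->/var/log/auth.log
Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
Portion of the log(s):

Jan 1 07:30:48 ossecagent1 sshd[22620]: Failed password for root from XX.248.16.XX port 40647 ssh2
Jan 1 07:30:45 ossecagent2 sshd[8689]: Failed password for root from XX.248.16.XX port 60038 ssh2
--END OF NOTIFICATION"""

# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) ")


def split_alert(text):
    """Return (header_lines, log_lines) from an OSSEC notification body."""
    header, logs = [], []
    in_logs = False
    for line in text.splitlines():
        if line.startswith("--END OF NOTIFICATION"):
            break
        if in_logs:
            if line.strip():
                logs.append(line)
        else:
            header.append(line)
            if line.startswith("Portion of the log(s):"):
                in_logs = True
    return header, logs


def hosts_in_alert(text):
    """Map each reporting host to the log lines it contributed to the alert."""
    _, logs = split_alert(text)
    by_host = defaultdict(list)
    for line in logs:
        m = SYSLOG_RE.match(line)
        by_host[m.group(1) if m else "<unparsed>"].append(line)
    return dict(by_host)


def for_host(text, host):
    """Rebuild the notification keeping only the given host's log lines."""
    header, _ = split_alert(text)
    own = hosts_in_alert(text).get(host, [])
    return "\n".join(header + [""] + own + ["--END OF NOTIFICATION"])
```

A grouped alert that names more than one host in `hosts_in_alert` is exactly the cross-agent disclosure described in the thread.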
