Hello. I am running OSSEC 2.6. I am pushing logs from Windows Domain Controllers.

I only want certain level alerts to generate emails, and different alerts to go to different groups. For example, all network alerts above 8 go to the network team, Linux alerts above 8 go to the Linux team, and ALL alerts above 11 come to me. I have emails set to go through a local sendmail instance, with emails by default going to a "blackhole" address.

  <global>
    <email_notification>yes</email_notification>
    <email_to>blackhole@localhost</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@...</email_from>
    <logall>yes</logall>
  </global>

  <alerts>
    <log_alert_level>4</log_alert_level>
    <email_alert_level>6</email_alert_level>
  </alerts>

  <email_alerts>
    <email_to>network@...</email_to>
    <group>syslog,cisco_ios</group>
    <level>10</level>
    <do_not_delay />
  </email_alerts>

  <email_alerts>
    <email_to>chris@...</email_to>
    <level>11</level>
    <do_not_delay/>
    <do_not_group />
  </email_alerts>

If a change is made to the Domain Admin group, this triggers a level 12 alert. However, the email comes through as "OSSEC Notification - (ADS1) 10.10.10.10 - Alert level 10", and somewhere in this extremely long email is the actual alert I'm interested in. I thought do_not_group was supposed to stop this, or have I misunderstood that? Is it because too many emails are going to the "blackhole" address? How can I achieve what I'm trying to do?

Thanks.

Chris
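As an added illustration (not part of the post and not OSSEC's own code), the routing the configuration above is trying to express, replayed over a constructed alerts.log excerpt: each alert is parsed from the OSSEC alert header and Rule line, then matched against the two granular routes by minimum level and group overlap, with the global "blackhole" address as the fallback. The recipient addresses, rule ids and hosts are placeholders, and the "granular routes first, global address only as fallback" semantics is the poster's stated intent, not a claim about how maild itself decides.

```python
import re

# Routing table mirroring the post's <email_alerts> blocks (placeholder addresses):
# (minimum level, groups that must overlap the alert's groups or None, recipient).
ROUTES = [
    (10, {"syslog", "cisco_ios"}, "network@example.invalid"),
    (11, None, "chris@example.invalid"),
]
DEFAULT_RECIPIENT = "blackhole@localhost"  # <global><email_to>
EMAIL_ALERT_LEVEL = 6                       # <alerts><email_alert_level>
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>[\d.]+):\s*(?P<flags>\w+)?\s*-\s*(?P<groups>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# Constructed alerts.log excerpt: rule ids, hosts and descriptions are made up; only the layout follows OSSEC.
SAMPLE_ALERTS = """\
** Alert 1367253412.7593: mail  - windows,account_changed,
2013 Apr 29 14:30:12 (ADS1) 10.10.10.10->WinEvtLog
Rule: 100001 (level 12) -> 'Domain Admins group modified (constructed)'

** Alert 1367253420.7601: - syslog,cisco_ios,
2013 Apr 29 14:30:20 (rtr1) 10.10.10.20->/var/log/messages
Rule: 100002 (level 10) -> 'Cisco IOS config change (constructed)'

** Alert 1367253430.7610: - syslog,sshd,
2013 Apr 29 14:30:30 (srv1) 10.10.10.30->/var/log/auth.log
Rule: 100003 (level 3) -> 'Low level event (constructed)'
"""

def parse_alerts(text):
    """Split alerts.log text into dicts with rule id, level, groups and description."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        hdr = HEADER_RE.match(lines[0])
        rule = next((RULE_RE.match(l) for l in lines if l.startswith("Rule:")), None)
        if not hdr or not rule:
            continue  # skip anything that is not a complete alert record
        alerts.append({"id": int(rule.group("id")), "level": int(rule.group("level")),
                       "groups": {g for g in hdr.group("groups").split(",") if g},
                       "desc": rule.group("desc")})
    return alerts

def recipients_for(alert):
    """Recipients an alert reaches: granular routes first, global address as fallback."""
    if alert["level"] < EMAIL_ALERT_LEVEL:
        return set()  # below email_alert_level: logged, never mailed
    targets = {addr for min_lvl, groups, addr in ROUTES
               if alert["level"] >= min_lvl and (groups is None or groups & alert["groups"])}
    return targets or {DEFAULT_RECIPIENT}
```

Running the level 12 Domain Admins alert through this routing sends it only to the level 11 recipient, which is the outcome the post expects; comparing that against what maild actually produces is the quickest way to see whether the grouping comes from the granular block or from the global address.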
