Hmm, there are various ways to accomplish this. Since you want alerts from a specific set of rules, I would suggest the following: add the rules you want to be notified of to an additional group and make sure they will trigger sending an email regardless of their level. Then just have OSSEC send mails for this additional group to the email address. As an alternative to overwriting the original rule, you can also just add new rules that trigger if the old one was matched (<if_sid>...</if_sid>) and add the options and group to the new rule. I'm not sure why you think they would get doubled in any statistics.
local_rules.xml:

<rule id="5715" level="3" overwrite="yes">
  <if_sid>5700</if_sid>
  <match>^Accepted|authenticated.$</match>
  <description>SSHD authentication success.</description>
  <group>authentication_success,access_notification,</group>
  <options>alert_by_email</options>
</rule>

<rule id="5501" level="3" overwrite="yes">
  <if_sid>5500</if_sid>
  <match>session opened for user </match>
  <description>Login session opened.</description>
  <group>authentication_success,access_notification,</group>
  <options>alert_by_email</options>
</rule>

<rule id="5402" level="3" overwrite="yes">
  <if_sid>5400</if_sid>
  <match> ; USER=root ; COMMAND=</match>
  <description>Successful sudo to ROOT executed</description>
  <group>access_notification,</group>
  <options>alert_by_email</options>
</rule>

ossec.conf:

<email_alerts>
  <email_to>[email protected]</email_to>
  <group>access_notification</group>
  <do_not_delay />
  <do_not_group />
</email_alerts>
On 3/5/2013 11:17 AM, Willen Borges Coelho wrote:

Hi,

I'm new using Ossec and I'm trying to configure email alerts, but with no success. I would like to only be notified by email alerts about events id 5715, 5501 and 5402, but after I configure this granular alert editing ossec.conf, it doesn't work. Whenever I edit the email_alert_level to level 3, I get a lot of emails with many events, which is not expected. I saw in old emails the possibility of rewriting the event_id changing its level in local_rules.xml, but in the statistics they get doubled, so I'd much rather not go that way. I wouldn't like to get notified by automatic emails; if possible deactivate the email_alert_level. I've tried to set level 0, with no success.

My configuration:

<global>
  <email_notification>yes</email_notification>
  <email_to>[email protected]</email_to>
  <smtp_server>smtp.email.com</smtp_server>
  <email_from>[email protected]</email_from>
  <email_maxperhour>100</email_maxperhour>
  <prelude_output>yes</prelude_output>
</global>

<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>8</email_alert_level>
</alerts>

<email_alerts>
  <email_to>[email protected]</email_to>
  <level>3</level>
  <rule_id>5715, 5501, 5402</rule_id>
  <do_not_delay />
  <do_not_group />
</email_alerts>

<email_alerts>
  <email_to>[email protected]</email_to>
  <rule_id>11402</rule_id>
  <event_location>webserver.domain.com</event_location>
  <do_not_delay />
  <do_not_group />
</email_alerts>

Regards,
*Willen Borges Coelho*
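As an added example (not code from this thread or from the OSSEC project), the Python script below generates the kind of overrides the reply above describes from a copy of the stock rules, so that the if_sid/match/description of each overwritten rule is copied rather than retyped, and emits the matching <email_alerts> block for ossec.conf. The rules it parses are a constructed sample resembling the stock sshd/syslog entries; the group name access_notification, the local rule-group name and the alert address are assumptions.

```python
"""Generate OSSEC local_rules.xml overrides plus a matching <email_alerts>
block so that a chosen set of rule IDs is mailed regardless of its level.
Added example for this thread; not part of OSSEC."""
import copy
import xml.etree.ElementTree as ET

# Constructed sample resembling the stock sshd_rules.xml / syslog_rules.xml
# entries that the overrides are derived from.
SAMPLE_RULES = """<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>
  <rule id="5715" level="3">
    <if_sid>5700</if_sid>
    <match>^Accepted|authenticated.$</match>
    <description>SSHD authentication success.</description>
    <group>authentication_success,</group>
  </rule>
  <rule id="5400" level="0" noalert="1">
    <decoded_as>sudo</decoded_as>
    <description>Initial grouping for sudo messages.</description>
  </rule>
  <rule id="5402" level="3">
    <if_sid>5400</if_sid>
    <match> ; USER=root ; COMMAND=</match>
    <description>Successful sudo to ROOT executed</description>
  </rule>
</group>
"""

NOTIFY_GROUP = "access_notification"  # assumed group name, as in the reply
EMAIL_OPTION = "alert_by_email"       # OSSEC rule option that forces a mail


def _split_groups(text):
    return [g.strip() for g in (text or "").split(",") if g.strip()]


def build_overrides(rules_xml, rule_ids, notify_group=NOTIFY_GROUP):
    """Return <rule> elements that overwrite the given IDs, each carrying the
    notification group and alert_by_email while keeping its original logic."""
    root = ET.fromstring(rules_xml)
    by_id = {r.get("id"): r for r in root.iter("rule")}
    overrides = []
    for rid in rule_ids:
        if rid not in by_id:
            raise KeyError("rule id %s not found in the supplied rules XML" % rid)
        # overwrite="yes" replaces the whole rule, so if_sid/match/description
        # must be repeated; copying the stock rule avoids losing any of them.
        rule = copy.deepcopy(by_id[rid])
        rule.set("overwrite", "yes")
        group = rule.find("group")
        if group is None:
            group = ET.SubElement(rule, "group")
        groups = _split_groups(group.text)
        if notify_group not in groups:
            groups.append(notify_group)
        group.text = ",".join(groups) + ","  # OSSEC group lists end with a comma
        if EMAIL_OPTION not in [(o.text or "").strip() for o in rule.findall("options")]:
            ET.SubElement(rule, "options").text = EMAIL_OPTION
        overrides.append(rule)
    return overrides


def render_local_rules(overrides, group_name="local,syslog,"):
    """Wrap the overrides in the <group> root local_rules.xml expects."""
    root = ET.Element("group", {"name": group_name})
    root.extend(overrides)
    if hasattr(ET, "indent"):
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def render_email_alerts(email_to, notify_group=NOTIFY_GROUP):
    """The ossec.conf block that mails everything in the notification group."""
    block = ET.Element("email_alerts")
    ET.SubElement(block, "email_to").text = email_to
    ET.SubElement(block, "group").text = notify_group
    ET.SubElement(block, "do_not_delay")
    ET.SubElement(block, "do_not_group")
    if hasattr(ET, "indent"):
        ET.indent(block)
    return ET.tostring(block, encoding="unicode")


def override_summary(local_rules_xml, rid):
    """Read one rule back from a rendered rules file to check the result."""
    for r in ET.fromstring(local_rules_xml).iter("rule"):
        if r.get("id") == rid:
            return {
                "overwrite": r.get("overwrite"),
                "if_sid": r.findtext("if_sid"),
                "match": r.findtext("match"),
                "groups": _split_groups(r.findtext("group")),
                "options": [(o.text or "").strip() for o in r.findall("options")],
            }
    return None


if __name__ == "__main__":
    rules = build_overrides(SAMPLE_RULES, ["5715", "5402"])
    print(render_local_rules(rules))
    print(render_email_alerts("ossec-alerts@example.com"))  # placeholder address
```

Run it against a copy of the real rules files to produce the local_rules.xml fragment and the email_alerts block; override_summary is a quick check that each rewritten rule kept its if_sid and match and gained the group and option, which is the failure mode of a hand-typed overwrite.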
