On Mon, Mar 4, 2013 at 5:58 AM, Chris H <[email protected]> wrote:
> Hello. I am running OSSEC 2.6. I am pushing logs from Windows Domain
> Controllers
>
> I only want certain level alerts to generate emails, and different alerts to
> go to different groups. For example, all network alerts above 8 go to the
> network team, Linux alerts above 8 go to the Linux team, and ALL alerts above
> 11 come to me. I have emails set to go through a local sendmail
> instance, with emails by default going to a "blackhole" address.
>
>
>> <global>
>>   <email_notification>yes</email_notification>
>>   <email_to>blackhole@localhost</email_to>
>>   <smtp_server>localhost</smtp_server>
>>   <email_from>ossec@...</email_from>
>>   <logall>yes</logall>
>> </global>
>>
>> <alerts>
>>   <log_alert_level>4</log_alert_level>
>>   <email_alert_level>6</email_alert_level>
>> </alerts>
>>
>> <email_alerts>
>>   <email_to>network@...</email_to>
>>   <group>syslog,cisco_ios</group>
>>   <level>10</level>
>>   <do_not_delay />
>> </email_alerts>
>>
>> <email_alerts>
>>   <email_to>chris@...</email_to>
>>   <level>11</level>
>>   <do_not_delay/>
>>   <do_not_group />
>> </email_alerts>
>
>
> If a change is made to the Domain Admin group, this triggers a level 12
> alert. However, the email comes through as "OSSEC Notification - (ADS1)
> 10.10.10.10 - Alert level 10", and somewhere in this extremely long email is
> the actual alert I'm interested in.
>
> I thought do_not_group was supposed to stop this, or have I misunderstood
> that? Is it because too many emails are going to the "blackhole" address?
> How can I achieve what I'm trying to do?
>
> Thanks.
>
> Chris
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

Have you tried turning off the grouping in internal_options.conf? Seems easier.
