On Wed, Jul 3, 2013 at 3:09 PM, Lance Raymond <[email protected]> wrote:
> Afternoon all, I am reading my .pdf chapters and have my server set up,
> active responses humming along and now introduced my 1st agent. Docs were
> spot on, so he was up rather quickly, this guy is an apache server, and it's
> testing some new code, so as I roll out OSSEC to more servers, I hit a
> question I am not sure on. I was getting slammed with status 500 error
> emails from the server (sending on behalf of the agent) so that was cool
> that it's working.
>
> But I don't want 100+ emails an hour (on just him), I am looking through
> this help doc
> http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html and I
> did test the email max per hour, but that leads me to my question.
>

You could write a rule using if_matched_sid with the rule IDs that are flooding you, possibly hostname, and frequency to limit the number of alerts triggered.

> Can I limit the email from one agent? I don't want 100 emails from just
> that apache server, but cap that at 10 or so, then if a mysql box (soon to
> be added) has an issue I want that message to come through. (So almost a max
> email per client) type thing?
>
> Reading over a few times, I do see the section where you can add an
> email_alerts section
>
> <email_alerts>
>   <email_to>[email protected]</email_to>
>   <event_location>agent007</event_location>
>   <level>15</level>
>   <do_not_delay />
>   <do_not_group />
> </email_alerts>
>
> so I was thinking I could keep the email max at the global level high, then
> create email_alerts, the location I assume is the remote server name, etc.

Don't assume, read the docs:
http://ossec.net/doc/syntax/head_ossec_config.email_alerts.html#element-event_location

> but can you use the email_maxperhour options, etc. But it also doesn't say
> where to put the email_alerts. Is it in the server's ossec.conf, after the
> global settings, or on the client machine?
>

The clients do not send email. These settings are only on the ossec server:
http://ossec.net/doc/syntax/head_ossec_config.email_alerts.html#supported-types

I didn't include it in the global settings documentation, but other than that I'm not sure how to specify where this section of the config goes. I also do not know another way to make it more clear that these settings are for servers/local installs only. Any advice is appreciated.

> Thanks.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
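One way to do what the reply suggests, as an added example that is not code from this thread or from the OSSEC project: a local_rules.xml fragment for the server that routes agent007's per-request 500 alerts into a low-level, unmailed rule and raises a single mailed alert per batch of ten via if_matched_sid, hostname and frequency. The rule id 31120, the agent name agent007 and an email_alert_level of 7 in ossec.conf are assumptions; check the flooding rule id in your own alerts.log.

```xml
<!-- /var/ossec/rules/local_rules.xml on the OSSEC server. Added example, not
     from the list thread. Assumptions: the flooding rule is 31120 (taken to be
     the stock "Web server 500 error code" rule in web_rules.xml; confirm the id
     in /var/ossec/logs/alerts/alerts.log), the noisy agent is named agent007,
     and email_alert_level in ossec.conf is 7. -->
<group name="local,web,">

  <!-- 100101: catch each 500 from agent007 before the stock rule mails it.
       A child rule (if_sid) that matches replaces its parent, so this rule
       fires instead of 31120 for that host only. Level 3 is below the assumed
       email threshold and no_email_alert suppresses mail regardless of level;
       the event is still written to alerts.log, so nothing is lost. -->
  <rule id="100101" level="3">
    <if_sid>31120</if_sid>
    <hostname>agent007</hostname>
    <options>no_email_alert</options>
    <description>HTTP 500 on agent007 (logged, not mailed individually)</description>
  </rule>

  <!-- 100102: composite rule over 100101. It fires once 100101 has matched
       10 times within 3600 s, so a burst of 500s produces one mail per ten
       events rather than one per request. Other hosts are untouched: their
       500s still hit 31120 and are mailed as before, so a future mysql box
       is not capped by this. -->
  <rule id="100102" level="10" frequency="10" timeframe="3600">
    <if_matched_sid>100101</if_matched_sid>
    <options>alert_by_email</options>
    <description>10+ HTTP 500 errors on agent007 in the last hour</description>
  </rule>

</group>
```

Restart the server (/var/ossec/bin/ossec-control restart) after editing; the rule ids 100001 and up are reserved for local rules so they will not collide with shipped rulesets.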
