On Fri, Aug 30, 2013 at 2:47 PM, sandeep dubey <[email protected]> wrote:
> Hello Dan,
>
> I made the change as suggested in the document. Below is the config
> sample. But now I am getting alerts starting from level 3, which was not my
> intention. After making changes in ossec.conf I restarted the service on
> the server.
>
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <smtp_server>alt1.aspmx.l.google.com.</smtp_server>
>     <email_from>[email protected]</email_from>
>     <email_maxperhour>3</email_maxperhour>
>     <logall>yes</logall>
>   </global>
>
>   <alerts>
>     <log_alert_level>3</log_alert_level>
>     <email_alert_level>7</email_alert_level>
>   </alerts>
>
> Am I missing something here?
>

Do these level 3 alerts contain the alert_by_email option? You didn't mention which alerts you're seeing, so I couldn't look them up myself.

>
> On Fri, Aug 30, 2013 at 9:28 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Fri, Aug 30, 2013 at 3:41 AM, sandeep dubey <[email protected]> wrote:
>> > Hi All,
>> >
>> > Recently, I faced a strange issue with my setup, where ssh login was
>> > taking around 11-12 min for each attempt. I segregated this issue in
>> > two parts -
>> >
>> > 1. I was able to login to the system using ssh, but not able to perform
>> > any single command on the terminal. But after 10-15 min, it becomes
>> > normal and able to do all the tasks.
>> >
>> > 2. Server was throwing "Connection Timeout" error, or it accepts the
>> > key/password on the target server (as per auth.log) but the session was
>> > given after 10-15 min.
>> >
>> > All the above issues were solved by making one recent change in OSSEC,
>> > and that is disabling the ssh rule id 5715.
>> >
>> > What did I do with OSSEC earlier?
>> > I wanted to log the successful ssh attempt so I changed the level for
>> > rule 5715 to 7 from 3 and restarted the ossec service. It worked as
>> > expected, but after a couple of hours I started facing the above issue.
>> >
>> > My setup details -
>> > Host OS = Ubuntu 10.04
>> > OSSEC = 2.7
>> > Server / Client setup
>> > AR enabled.
>> > AWS EC2 instances
>> >
>>
>> Was this problem seen on the server or an agent? Was DNS working properly?
>>
>> > I have two questions -
>> >
>> > 1. I didn't understand how this change affects the SSH login.
>> >
>>
>> Neither do I.
>>
>> > 2. Is there a way that I can get alerts at a specific level but can log
>> > all levels starting from level 3?
>> > For example - I want to get email alerts at above level 7, but log all
>> > alerts starting from level 3.
>> >
>>
>> Yes, configure ossec to email level 7, and log level 3.
>>
>> http://www.ossec.net/doc/syntax/head_ossec_config.alerts.html#element-alerts
>>
>> > Thanks
>> > Sandeep
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
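
The question in the reply above depends on how OSSEC selects alerts for mail: a rule carrying `<options>alert_by_email</options>` is flagged for email even when its level is below `email_alert_level`, and `no_email_alert` does the opposite. The following is an added example, not part of the original thread and not OSSEC's own code: a Python check that classifies each rule in a rule file against the configured threshold. The rule IDs and rule bodies are constructed, and the files are assumed to be well-formed XML once wrapped in a single root.

```python
import xml.etree.ElementTree as ET

# Constructed config using the two thresholds quoted in the thread.
OSSEC_CONF = """<ossec_config><alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>7</email_alert_level>
</alerts></ossec_config>"""

# Constructed rules; the IDs are hypothetical local-rule IDs.
RULES = """<group name="local,">
  <rule id="100001" level="3"><options>alert_by_email</options></rule>
  <rule id="100002" level="3"><description>log only</description></rule>
  <rule id="100003" level="10"><options>no_email_alert</options></rule>
  <rule id="100004" level="7"><description>at threshold</description></rule>
</group>"""

def _parse(text):
    # OSSEC files may hold several top-level elements, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def email_threshold(conf_text):
    node = _parse(conf_text).find(".//alerts/email_alert_level")
    return int(node.text.strip())

def classify_rules(rules_text, threshold):
    """Map rule id -> 'suppressed', 'by_level', 'forced' or 'log_only'."""
    result = {}
    for rule in _parse(rules_text).iter("rule"):
        level = int(rule.get("level", "0"))
        # One <options> tag per option, so a rule may carry several.
        opts = {o.text.strip() for o in rule.findall("options") if o.text}
        if "no_email_alert" in opts:
            verdict = "suppressed"
        elif level >= threshold:
            verdict = "by_level"
        elif "alert_by_email" in opts:
            verdict = "forced"  # flagged for mail although below the threshold
        else:
            verdict = "log_only"
        result[rule.get("id")] = verdict
    return result

if __name__ == "__main__":
    verdicts = classify_rules(RULES, email_threshold(OSSEC_CONF))
    for rule_id, verdict in verdicts.items():
        print(rule_id, verdict)
```

Rules reported as `forced` are the ones to review when mail arrives for alerts below the configured `email_alert_level`.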
