Hello Dan,

Sorry for the late reply.

No, the alert_by_email option is not set for level 3 (but for level 7). I am getting emails if the ossec service gets restarted, which is a level 3 alert. This is OK to me. Other alerts from level 7 are working fine. We can ignore this question for now.

The only thing I noticed is that all level 3 alerts for all my nodes are not logging. For example, if I log in to one instance, I can see the alerts logged, but if I log in to another instance, alerts are not logged. Configuration files are also the same.

Sandeep

On Wed, Sep 4, 2013 at 7:23 PM, dan (ddp) <[email protected]> wrote:
> On Fri, Aug 30, 2013 at 2:47 PM, sandeep dubey <[email protected]> wrote:
> > Hello Dan,
> >
> > I made the change as suggested in the document. Below is the config
> > sample. But now I am getting alerts starting from level 3, which was not
> > my intention. After making changes in ossec.conf I restarted the service
> > on the server.
> >
> > <ossec_config>
> >   <global>
> >     <email_notification>yes</email_notification>
> >     <smtp_server>alt1.aspmx.l.google.com.</smtp_server>
> >     <email_from>[email protected]</email_from>
> >     <email_maxperhour>3</email_maxperhour>
> >     <logall>yes</logall>
> >   </global>
> >
> >   <alerts>
> >     <log_alert_level>3</log_alert_level>
> >     <email_alert_level>7</email_alert_level>
> >   </alerts>
> >
> > Am I missing something here?
> >
>
> Do these level 3 alerts contain the alert_by_email option? You didn't
> mention which alerts you're seeing, so I couldn't look them up myself.
>
> > On Fri, Aug 30, 2013 at 9:28 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Fri, Aug 30, 2013 at 3:41 AM, sandeep dubey <[email protected]> wrote:
> >> > Hi All,
> >> >
> >> > Recently, I faced a strange issue with my setup, where ssh login was
> >> > taking around 11-12 min for each attempt. I segregated this issue in
> >> > two parts -
> >> >
> >> > 1. I was able to log in to the system using ssh, but not able to
> >> > perform any single command on the terminal. But after 10-15 min, it
> >> > becomes normal and able to do all the tasks.
> >> >
> >> > 2. Server was throwing "Connection Timeout" error, or it accepts the
> >> > key/password on target server (as per auth.log) but session was given
> >> > after 10-15 min.
> >> >
> >> > All the above issues were solved by making one recent change in OSSEC,
> >> > and that is disabling the ssh rule id 5715.
> >> >
> >> > What did I do with OSSEC earlier?
> >> > I wanted to log the successful ssh attempt so I changed the level for
> >> > rule 5715 to 7 from 3 and restarted the ossec service. It worked as
> >> > expected, but after a couple of hours I started facing the above issue.
> >> >
> >> > My setup details -
> >> > Host OS = Ubuntu 10.04
> >> > OSSEC = 2.7
> >> > Server / Client setup
> >> > AR enabled.
> >> > AWS EC2 instances
> >> >
> >>
> >> Was this problem seen on the server or an agent? Was DNS working properly?
> >>
> >> > I have two questions -
> >> >
> >> > 1. I didn't understand how this change affects the SSH login.
> >> >
> >>
> >> Neither do I.
> >>
> >> > 2. Is there a way that I can get alerts at a specific level but can log
> >> > all levels starting from level 3?
> >> > For example - I want to get email alerts at above level 7, but log all
> >> > alerts starting from level 3.
> >> >
> >>
> >> Yes, configure ossec to email level 7, and log level 3.
> >>
> >> http://www.ossec.net/doc/syntax/head_ossec_config.alerts.html#element-alerts
> >>
> >> > Thanks
> >> > Sandeep
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
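
The check Dan asks about in this thread (whether a rule below `email_alert_level` carries `alert_by_email`) can be done mechanically. The following is an added example, not part of the original messages and not OSSEC's own code: it is a simplified model of the two global thresholds plus the per-rule options `alert_by_email`, `no_email_alert` and `no_log`. The sample config, the local rule ids 100001 and 100002, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thresholds posted in the thread.
OSSEC_CONF = """
<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
"""

# Constructed rules: 5715 at level 3 (per the thread) and two hypothetical local rules.
RULES = """
<group name="constructed,">
  <rule id="5715" level="3"/>
  <rule id="100001" level="3">
    <options>alert_by_email</options>
  </rule>
  <rule id="100002" level="10">
    <options>no_email_alert</options>
  </rule>
</group>
"""

def _parse(text):
    # OSSEC files can hold several top-level elements; wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def classify(conf_text, rules_text):
    """Return ({rule_id: (level, logged, emailed)}, email_alert_level)."""
    alerts = _parse(conf_text).find(".//alerts")
    log_lvl = int(alerts.findtext("log_alert_level"))
    mail_lvl = int(alerts.findtext("email_alert_level"))
    out = {}
    for rule in _parse(rules_text).iter("rule"):
        level = int(rule.get("level"))
        opts = {o.text.strip() for o in rule.findall("options") if o.text}
        logged = level >= log_lvl and "no_log" not in opts
        # A per-rule option overrides the global email threshold either way.
        emailed = "alert_by_email" in opts or (
            level >= mail_lvl and "no_email_alert" not in opts)
        out[rule.get("id")] = (level, logged, emailed)
    return out, mail_lvl

def emailed_below_threshold(conf_text, rules_text):
    """Ids of rules that are emailed although below email_alert_level."""
    rules, mail_lvl = classify(conf_text, rules_text)
    return sorted(i for i, (lvl, _, mailed) in rules.items()
                  if mailed and lvl < mail_lvl)
```

Pointing the two functions at a manager's real `ossec.conf` and rule files lists every rule that mails regardless of `email_alert_level`.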
