On Sep 8, 2013 11:20 PM, "sandeep dubey" <[email protected]> wrote:
>
> Hello Dan,
>
> Sorry for late reply.
>
> No, alert_by_email option is not set for level 3 (but for level 7). I am getting emails, if ossec service gets restarted which is level3 alert. This is ok to me. Other alerts from level 7 are working fine. We can ignore this question for now. The only thing I noticed is that all level 3 alerts for all my nodes are not logging.
>

Rule 502, the one for ossec starting DOES have alert_by_email set. If you are talking about a rule other than 502, you will have to tell me which one. I guess I shouldn't have hinted at the fact I wanted to know which level 3 rules were triggering emails. I apologize for this oversight.

> For example, if I login to one instance, I can see the alerts logged, but if I login to another instance alerts are not logged. Configuration files are also same.
>

Instance? Are the agent's logs making it to the server?

>
> Sandeep
>
>
> On Wed, Sep 4, 2013 at 7:23 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Fri, Aug 30, 2013 at 2:47 PM, sandeep dubey <[email protected]> wrote:
>> > Hello Dan,
>> >
>> > I made the change as per the suggested in document. Below is the config sample. But now I am getting alerts starting from level 3, which was not my intention. After making changes in ossec.conf I restarted the service on server.
>> >
>> > <ossec_config>
>> >   <global>
>> >     <email_notification>yes</email_notification>
>> >     <smtp_server>alt1.aspmx.l.google.com.</smtp_server>
>> >     <email_from>[email protected]</email_from>
>> >     <email_maxperhour>3</email_maxperhour>
>> >     <logall>yes</logall>
>> >   </global>
>> >
>> >   <alerts>
>> >     <log_alert_level>3</log_alert_level>
>> >     <email_alert_level>7</email_alert_level>
>> >   </alerts>
>> >
>> > Am I missing something here ?
>> >
>>
>> Do these level 3 alerts contain the alert_by_email option? You didn't mention which alerts you're seeing, so I couldn't look them up myself.
>>
>> >
>> > On Fri, Aug 30, 2013 at 9:28 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Fri, Aug 30, 2013 at 3:41 AM, sandeep dubey <[email protected]> wrote:
>> >> > Hi All,
>> >> >
>> >> > Recently, I faced a strange issue with my setup, where ssh login was taking around 11-12 min for each attempt. I segregated this issue in two parts -
>> >> >
>> >> > 1. I was able to login to system using ssh, but not able to perform any single command on terminal. But after 10-15 min, it becomes normal and able to do all the tasks.
>> >> >
>> >> > 2. Server was throwing "Connection Timeout" error, or it accepts the key/password on target server (as per auth.log) but session was given after 10-15 min.
>> >> >
>> >> > All the above issues were solved by making one recent change in OSSEC, and that is disabling the ssh rule id 5715.
>> >> >
>> >> > What I did with OSSEC earlier ?
>> >> > I wanted to log the successful ssh attempt so I changed the level for rule 5715 to 7 from 3 and restarted ossec service. It worked as expected, but after couple of hours I started facing above issue.
>> >> >
>> >> > My setup details -
>> >> > Host OS = Ubuntu 10.04
>> >> > OSSEC = 2.7
>> >> > Server / Client setup
>> >> > AR enabled.
>> >> > AWS EC2 instances
>> >> >
>> >>
>> >> Was this problem seen on the server or an agent? Was DNS working properly?
>> >>
>> >> > I have two questions -
>> >> >
>> >> > 1. I didn't understand how this change affects the SSH login.
>> >> >
>> >>
>> >> Neither do I.
>> >>
>> >> > 2. Is there a way that I can get alerts at specific level but can log all levels starting from level 3 ?
>> >> > For example - I want to get email alerts at above level 7, but log all alerts starting from level 3.
>> >> >
>> >>
>> >> Yes, configure ossec to email level 7, and log level 3.
>> >>
>> >> http://www.ossec.net/doc/syntax/head_ossec_config.alerts.html#element-alerts
>> >>
>> >> > Thanks
>> >> > Sandeep
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
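
The log/email decision discussed in this thread, as an added example that is not part of any poster's message and is not OSSEC's own code: a simplified model of how a rule's level, `log_alert_level`, `email_alert_level` and the rule `<options>` combine. The rule snippets are constructed for illustration, and ids 100001 and 100002 are hypothetical local rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample rules (trimmed; not copied from the page or a ruleset file).
# 502 and 5715 are the rule ids named in the thread; 100001/100002 are hypothetical.
RULES_XML = """
<group name="sample,">
  <rule id="502" level="3">
    <options>alert_by_email</options>
    <description>Ossec server started.</description>
  </rule>
  <rule id="5715" level="3">
    <description>SSHD authentication success.</description>
  </rule>
  <rule id="100001" level="7">
    <description>Hypothetical local rule at the email threshold.</description>
  </rule>
  <rule id="100002" level="10">
    <options>no_email_alert</options>
    <description>Hypothetical high-level rule with email suppressed.</description>
  </rule>
</group>
"""

def alert_actions(rules_xml, log_alert_level, email_alert_level):
    """Return {rule_id: (logged, emailed)} under a simplified model.

    Assumptions: email_notification is enabled, a rule is logged when its
    level reaches log_alert_level unless it carries no_log, and it is emailed
    when its level reaches email_alert_level or it carries alert_by_email,
    unless it carries no_email_alert.
    """
    actions = {}
    for rule in ET.fromstring(rules_xml).iter("rule"):
        level = int(rule.get("level"))
        options = set()
        for el in rule.findall("options"):
            options.update(o.strip() for o in (el.text or "").split(",") if o.strip())
        logged = level >= log_alert_level and "no_log" not in options
        emailed = "no_email_alert" not in options and (
            level >= email_alert_level or "alert_by_email" in options
        )
        actions[rule.get("id")] = (logged, emailed)
    return actions

if __name__ == "__main__":
    # Thresholds from the posted ossec.conf: log from level 3, email from level 7.
    for rule_id, (logged, emailed) in alert_actions(RULES_XML, 3, 7).items():
        print(f"rule {rule_id}: logged={logged} emailed={emailed}")
```

With the thresholds from the posted configuration, rule 502 is the only level 3 rule in the sample that produces an email, which matches the reply about `alert_by_email`.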
