On Tue, Dec 10, 2013 at 11:39 PM, evangeline eleanor <[email protected]> wrote:
> Hi,
>
> I don't know; that's what I'm trying to figure out; can you tell me where to
> look for the info you're asking about?
>
email_alert_level would be in the /var/ossec/etc/ossec.conf of the OSSEC server.
The rules are all stored in /var/ossec/rules.
It looks like the rules would be 530[12] for failed su. They're levels 5 and 9 respectively (5302 being attempts to su to root).

>
> On Tuesday, December 10, 2013 3:33:22 AM UTC+1, dan (ddpbsd) wrote:
>>
>> On Sun, Dec 8, 2013 at 2:57 AM, evangeline eleanor
>> <[email protected]> wrote:
>> > Hi,
>> >
>> > I'm trying to figure out when the rule for invalid su attempts is generated
>> > and email dispatched. Whenever my client attempts to login to root account
>> > by using su, an alert is triggered in the
>> > /var/ossec/logs/alerts/alerts.log.
>> >
>> > I would like to know the threshold when an email alert is being sent: how
>> > many invalid login attempts does it take in certain time to send an email.
>> > And how to change that to send an email on every invalid attempt.
>> >
>> > Thank you
>> >
>>
>> What is your email_alert_level? What level is the su rule?
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
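
The comparison described in the reply above (rule level against email_alert_level), as an added example that is not part of the original thread or of OSSEC itself. The ossec.conf fragment, the threshold value 7, the rule stubs and the local rule id 100100 are constructed for illustration; only the ids 5301/5302 and their levels come from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <alerts> block in /var/ossec/etc/ossec.conf.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>"""

# Constructed stubs: 5301/5302 carry the levels quoted in the thread;
# 100100 is a hypothetical local rule that forces mail for every 5301 match.
RULES = """<group name="local,">
  <rule id="5301" level="5"><description>failed su (stub)</description></rule>
  <rule id="5302" level="9"><description>failed su to root (stub)</description></rule>
  <rule id="100100" level="5">
    <if_sid>5301</if_sid>
    <options>alert_by_email</options>
    <description>Mail every failed su (hypothetical local rule).</description>
  </rule>
</group>"""

def email_alert_level(conf_xml):
    """Return the email_alert_level set in an ossec.conf document."""
    node = ET.fromstring(conf_xml).find("./alerts/email_alert_level")
    if node is None or not (node.text or "").strip().isdigit():
        raise ValueError("email_alert_level not set in <alerts>")
    return int(node.text)

def email_decisions(rules_xml, threshold):
    """Map rule id -> (sends_email, reason) for every rule in the file."""
    decisions = {}
    for rule in ET.fromstring(rules_xml).iter("rule"):
        level = int(rule.get("level"))
        options = {o.text.strip() for o in rule.findall("options") if o.text}
        if "no_email_alert" in options:      # rule explicitly suppresses mail
            decisions[rule.get("id")] = (False, "no_email_alert option")
        elif "alert_by_email" in options:    # rule forces mail at any level
            decisions[rule.get("id")] = (True, "alert_by_email option")
        elif level >= threshold:
            decisions[rule.get("id")] = (True, f"level {level} >= {threshold}")
        else:
            decisions[rule.get("id")] = (False, f"level {level} < {threshold}")
    return decisions

if __name__ == "__main__":
    threshold = email_alert_level(OSSEC_CONF)
    for rule_id, (sends, reason) in email_decisions(RULES, threshold).items():
        print(f"rule {rule_id}: {'email' if sends else 'log only'} ({reason})")
```

Mail volume is still subject to the email_maxperhour setting in the <global> section of ossec.conf.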
