Hi,
Thank you for the response. I have found the entry you were referring to. I
have one additional level. The email_alert_level is set to level 7, so
email alerts will be sent for every rule matching the level 7, but the su
rule is level 9:
<rule id="5302" level="9">
  <if_sid>5301</if_sid>
  <user>^root</user>
  <description>User missed the password to change UID to root.</description>
  <group>authentication_failed,</group>
</rule>
Therefore, setting this rule to level 7 would definitely change the
number of emails sent.
But exactly how many su password failure alerts need to be sent to ossec
for the rule to be triggered and an email sent? Basically I would like to know
where the rules for the levels are defined: how many log entries are
required for a certain level to be invoked.
Thank you
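A small parser, added here as an example and not part of the original message or of OSSEC itself, that reads rule XML and reports, for each rule, its level and how many matching events it needs before it fires (one, unless the rule declares a frequency attribute), together with which rules meet a given email_alert_level. The sample XML contains rule 5302 as quoted above plus a constructed local rule (id 100010) that is an assumption, not a shipped OSSEC rule.

```python
import xml.etree.ElementTree as ET

# Constructed sample: rule 5302 as quoted in the message, plus a hypothetical
# local composite rule (id 100010) that only fires after repeated matches
# within a timeframe. The second rule is an assumption for illustration.
SAMPLE_RULES = """<group name="syslog,">
  <rule id="5302" level="9">
    <if_sid>5301</if_sid>
    <user>^root</user>
    <description>User missed the password to change UID to root.</description>
    <group>authentication_failed,</group>
  </rule>
  <rule id="100010" level="10" frequency="3" timeframe="60">
    <if_matched_sid>5302</if_matched_sid>
    <description>Repeated failed su to root (constructed example).</description>
  </rule>
</group>"""


def parse_rules(xml_text):
    """Return one dict per <rule>: id, level, the number of matching events
    needed before it fires (1 unless a frequency attribute is declared),
    and the timeframe in seconds if one is declared."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        freq = r.get("frequency")
        timeframe = r.get("timeframe")
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "events_required": int(freq) if freq else 1,
            "timeframe": int(timeframe) if timeframe else None,
        })
    return rules


def rules_that_email(xml_text, email_alert_level):
    """Rules whose level is at or above email_alert_level, i.e. the ones
    that produce an email alert every time they fire."""
    return [r for r in parse_rules(xml_text) if r["level"] >= email_alert_level]


if __name__ == "__main__":
    for rule in rules_that_email(SAMPLE_RULES, 7):
        print(rule["id"], "level", rule["level"],
              "fires after", rule["events_required"], "event(s)")
```

Rule 5302 carries no frequency attribute, so a single matching log entry fires it; only a rule declaring frequency (and timeframe) waits for several entries.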