The email_alert_level is the minimal level for which emails are sent. Meaning: a rule with level 7 or above will trigger an email! Levels are severities in ossec: the higher the level, the more severe the log message (see: http://www.ossec.net/doc/manual/rules-decoders/rule-levels.html).
To suppress a certain rule from sending emails you should decrease the level to below the email_alert_level, which is 6 in your case. The amount of log entries is defined by the rule, not the level. In case of rule 5302 there is only one entry needed. See: http://www.ossec.net/doc/syntax/head_rules.html for the syntax of a rule definition. The frequency option is used to tell ossec after how many log entries (plus 2) to invoke the rule.

Regards
Christian

On 15.12.2013 09:43, evangeline eleanor wrote:
> Hi,
>
> Thank you for the response. I have found the entry you were referring to. I have one additional level. The email_alert_level is set to level 7, so email alerts will be sent for every rule matching level 7, but the su rule is level 9:
>
> <rule id="5302" level="9">
>   <if_sid>5301</if_sid>
>   <user>^root</user>
>   <description>User missed the password to change UID to root.</description>
>   <group>authentication_failed,</group>
> </rule>
>
> Therefore, setting this rule to level 7 would definitely change the amount of emails sent.
>
> But exactly how many su password failure alerts need to be sent to ossec for the rule to be triggered and an email sent? Basically I would like to know where the rules for the levels are defined: how many log entries are required for a certain level to be invoked.
>
> Thank you
> --
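The two points Christian makes (an alert is emailed only when the rule level is at or above email_alert_level, and a rule with a frequency option fires after frequency + 2 matches inside its timeframe) can be modelled in a few lines. This is an added example, not code from the thread or from OSSEC itself: the local_rules.xml fragment, the composite rule 100100 and the event list are constructed, and the counter handling is a simplified model rather than OSSEC's exact analysisd behaviour.

```python
"""Constructed model of OSSEC's email decision for the rules discussed above."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed local_rules.xml: rule 5302 overridden to level 5 (below an
# email_alert_level of 6), plus a constructed composite rule 100100 that
# fires on repeated 5302 matches.
LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="5302" level="5" overwrite="yes">
    <if_sid>5301</if_sid>
    <user>^root</user>
    <description>User missed the password to change UID to root.</description>
  </rule>
  <rule id="100100" level="8" frequency="3" timeframe="60">
    <if_matched_sid>5302</if_matched_sid>
    <description>Repeated su-to-root failures (constructed rule).</description>
  </rule>
</group>
"""

def parse_rules(xml_text):
    """Return {rule_id: {level, frequency, timeframe, parent}} from rule XML."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[r.get("id")] = {
            "level": int(r.get("level")),
            "frequency": int(r.get("frequency", 0)),
            "timeframe": int(r.get("timeframe", 0)),
            "parent": (r.findtext("if_matched_sid") or "").strip(),
        }
    return rules

def emailed_alerts(events, rules, email_alert_level):
    """events: list of (timestamp_seconds, rule_id) matched directly by a log line.
    Returns [(timestamp, rule_id)] for alerts that would be emailed.
    Simplified: the per-rule hit counter is not reset after a composite fires."""
    hits = defaultdict(list)  # base rule id -> timestamps of its matches
    out = []
    for ts, rid in events:
        hits[rid].append(ts)
        fired = [rid]
        for cid, c in rules.items():
            if c["parent"] == rid and c["frequency"]:
                recent = [t for t in hits[rid] if ts - t <= c["timeframe"]]
                if len(recent) >= c["frequency"] + 2:  # "plus 2" semantics
                    fired.append(cid)
        out.extend((ts, f) for f in fired if rules[f]["level"] >= email_alert_level)
    return out
```

With five su failures in 50 seconds and email_alert_level 6, the lowered rule 5302 never emails, and only the composite rule emails once the fifth (3 + 2) match arrives.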
