On Sun, Dec 15, 2013 at 3:43 AM, evangeline eleanor <[email protected]> wrote:
> Hi,
>
> Thank you for the response. I have found the entry you were referring to. I
> have one additional level. The email_alert_level is set to level 7, so email
> alerts will be sent for every rule matching the level 7, but the su rule is
> level 9:
>

The email_alert_level is the minimum, so all alerts level 7 and above will be emailed.

> <rule id="5302" level="9">
>   <if_sid>5301</if_sid>
>   <user>^root</user>
>   <description>User missed the password to change UID to root.</description>
>   <group>authentication_failed,</group>
> </rule>

This is only for people attempting to su to root. If you attempted to su to a non-root user and the attempt failed it would not trigger this rule.

> Therefore setting this rule to level 7 would definitely change the amount
> of emails sent.
>
> But exactly how many su password failure alerts need to be sent to ossec for
> the rule to be triggered and email sent? Basically I would like to know 1.

There is no thresholding in the rule you posted.

> where the rules for the levels are defined: how many log entries are
> required for certain level to be invoked.
>
> Thank you
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
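The two points made in the reply above (email_alert_level is a floor, and rule 5302 fires on a single event because it carries no threshold) can be seen side by side in configuration. The following is an added illustration, not part of the thread or of the stock OSSEC rule set: it repeats rule 5302 as quoted, sets email_alert_level to 7 as the poster described, and adds a constructed local rule (id 100100, chosen from the 100000-119999 range reserved for local rules) that uses OSSEC's frequency/timeframe attributes to require several 5302 alerts before it fires.

```xml
<!-- ossec.conf (fragment): email_alert_level is a minimum, not an exact level.
     With 7 here, every alert at level 7 or above is emailed, so the level-9
     rule 5302 sends mail; lowering 5302 to level 7 would not change that. -->
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>

<!-- local_rules.xml (fragment). Rule 5302 is copied from the thread: it has
     no frequency or timeframe, so one failed "su" to root matches it and,
     at level 9, produces an email immediately. -->
<group name="syslog,su,">
  <rule id="5302" level="9">
    <if_sid>5301</if_sid>
    <user>^root</user>
    <description>User missed the password to change UID to root.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Constructed composite rule: only fires once several 5302 alerts
       arrive within a 120-second window. This is where a count threshold
       lives in OSSEC; it is not a property of alert levels. -->
  <rule id="100100" level="10" frequency="4" timeframe="120">
    <if_matched_sid>5302</if_matched_sid>
    <description>Repeated failed su to root within two minutes (constructed example).</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

The OSSEC rules documentation notes that the number of matches that actually triggers a frequency rule is two more than the attribute value, so check the behaviour of the installed version before relying on an exact count; the point of the composite rule here is only to show that thresholding is expressed with frequency and timeframe on a rule, while the level decides how the resulting alert is logged or emailed.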
