On 8/11/2015 6:17 AM, C0rn123 wrote:


On Tuesday, 11 August 2015 12:47:25 UTC+2, C0rn123 wrote:

    Hello,

    I want to turn off ANY emails below a certain alert level.
    Unfortunately the alert_by_email option in a lot of rules
    overwrites the minimum alert level set in the ossec.conf. The
    documentation of OSSEC says you can either overwrite every rule
    with the no_email_option or write your own rule to not receive
    emails of those levels anymore. However, it's nowhere in the
    documentation (as far as I have seen) stated how to do this and I
    couldn't find it anywhere else. Hope you can help me.

    greets,
    corn


For clarification - I don't want to overwrite every rule that has the alert_by_email option, but write a rule to not receive emails of those levels.

Since OSSEC always sends the mails to the recipient in the "global" config, I'd suggest just entering an email address there that is nullrouted/blackholed by the MTA. Then you can add a granular email config for alerts above a certain level that goes to you (or any other criteria you want).

The result is that OSSEC sends the alerts you don't want to the email address that discards them; and alerts you want to both email addresses. Probably not the most elegant or nicest looking solution (since your MTA still has to process incoming mails that no one will read since it will blackhole them), but it does what you want. If you are grouping mails together (either because you activated it, or because you hit the max emails per hour limit) you will still get alerts you don't want, so you may want to bump up the max-per-hour too while you are at it.

Config would look somewhat similar to this:

  <global>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_to>dev-null@localhost</email_to>
    <email_from>[email protected]</email_from>
    <email_maxperhour>9000</email_maxperhour>
  </global>

  <email_alerts>
    <email_to>[email protected]</email_to>
    <level>7</level>
  </email_alerts>
