On Friday, November 13, 2015 at 2:30:24 PM UTC-5, Pedro S. wrote:
>
> Okay try this:
>
> Temporarily remove "<options>alert_by_email</options>" from rule 1002 in
> syslog_rules.xml.
> Now add "<options>alert_by_email</options>" in your custom rule.
> Restart OSSEC and generate the alert.
>
> What I'm trying here is to stop OSSEC from sending the 1002 rule email. I think
> that the "alert_by_email" option forces OSSEC to send an email alert and stops
> it from continuing to look for rule 100007. Just guessing.
>
> Btw, sorry for my English, as you would imagine, it is not my mother
> language.
>
OK, I'm a little lost as to what this is trying to prove, but the updated settings are in place. I'm waiting for an alert to come through.

Interesting discovery that I just noticed within the WebUI: for every alert that comes in, I'm seeing two entries now. The new one that Dan had me update, which changes it to Alert level 1 (not sending an email). The other, which I'm used to seeing, is Alert level 2 (sending an email). So, it would appear that my local_rule is working, but it is not overwriting the default rules. This is very confusing.

I've changed the local_rule back to level 2 along with the requested "<options>alert_by_email</options>" update.
