On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for rule 1002, right there towards the top. Note the options element, which contains alert_by_email. That option tells OSSEC to ignore your email_alert_level and just send an email every time this rule matches. As you have seen, rule 1002 is a catch-all heuristics rule that attempts to identify problems in logs based on certain keywords.
If you are still attempting to troubleshoot your 100007 rule and you can't seem to figure it out using ossec-logtest, an alternative approach would be selectively eliminating rule filters to see which element is causing 100007 to not match. For example, remove the hostname element, restart ossec, then trigger the error condition and see if the filtering works. If that doesn't help, restore the hostname element and repeat those steps with the program_name element removed, then with the regex element removed, and so on. I've got a few 1002 filter rules in local_rules.xml and there's no magic to it. Just have to make sure all your rule filters are set up correctly.

From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Bray
Sent: Wednesday, November 25, 2015 6:07 AM
To: [email protected]
Subject: Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

Thank you Pedro. I've actually taken a step back from this, and I'm trying to figure out why the emails are getting sent in the first place. If the default level is 7, and I haven't changed that:

    <global>
      <email_notification>yes</email_notification>
      <email_to>[email protected]</email_to>
      <smtp_server>my.smtp.server</smtp_server>
      <email_from>[email protected]</email_from>
      <white_list>127.0.0.1</white_list>
      <logall>yes</logall>
    </global>

    <alerts>
      <log_alert_level>1</log_alert_level>
      <email_alert_level>7</email_alert_level>
    </alerts>

....then I do not understand why level 2 emails are coming in:

    Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

On Mon, Nov 23, 2015 at 12:24 PM, Pedro S. <[email protected]> wrote:

Hi Daniel, sorry for the late response. I don't know for real what is happening with your alerts, but I'll keep giving you some advice; we'll see if we can make this work.

Maild reads directly from alerts.log, searches for the "mail" flag and, if it is present, sends the email. That means if your alerts are printing out into the alerts.log file they should be sent by email. So, first try to locate the alert 10005 (or 100007) in your alerts.log file. Second, in your ossec.conf file between the <email_alerts> tags include the following for better testing:

    <do_not_delay />
    <do_not_group />

It is very important that the alert you're looking to be sent via email actually be present in the alerts.log file. Good luck! Keep us up to date.

On Monday, November 23, 2015, 5:03:18 (UTC-8), Daniel Bray wrote:

On Monday, November 16, 2015 at 8:28:27 AM UTC-5, Daniel Bray wrote:

With the updated alert_by_email settings, this has stopped the email alerts. I see it hitting the WebUI as alert level 2, but no emails are coming in.

Unfortunately, with everything put back to the default settings, this issue remains. I'm seeing other issues with some filters as well. Not sure what else to do. It must be a bad install or version I'm running.

--
---
You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group. To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/uXdwCE64oRU/unsubscribe. To unsubscribe from this group and all its topics, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
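The alert_by_email behaviour explained at the top of the thread, checked mechanically, as an added example that is not code from the thread or from the OSSEC project: it parses rule definitions laid out the way syslog_rules.xml and a local_rules.xml override are, and reports which rules will still email at an email_alert_level of 7. The rule snippets are constructed samples modelled on stock rule 1002 and on an assumed overwrite="yes" override; the no_email_alert option is handled as well, which goes beyond what the thread discusses.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the stock syslog_rules.xml entry: alert_by_email
# makes maild send a message on every match, whatever <email_alert_level> says.
SYSLOG_RULES = """
<group name="syslog,errors,">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>
"""

# Constructed sample of an assumed local_rules.xml override: same keyword
# heuristic, but without alert_by_email, so 1002 obeys <email_alert_level>.
LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="1002" level="2" overwrite="yes">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>
"""


def load_rules(*rule_files):
    """Parse OSSEC rule files, in load order, into {rule_id: {level, options}}.

    A rule file may hold several top-level <group> elements, so each file is
    wrapped in a synthetic root. A later rule with an id already seen only
    replaces the earlier one when it carries overwrite="yes".
    """
    rules = {}
    for text in rule_files:
        for rule in ET.fromstring("<root>" + text + "</root>").iter("rule"):
            rid = rule.get("id")
            if rid in rules and rule.get("overwrite") != "yes":
                continue
            opts = {o.strip() for el in rule.iterfind("options")
                    for o in (el.text or "").split(",") if o.strip()}
            rules[rid] = {"level": int(rule.get("level", "0")), "options": opts}
    return rules


def emails_for(rules, email_alert_level):
    """Ids of rules whose matches maild will email at this <email_alert_level>."""
    return sorted(rid for rid, r in rules.items()
                  if "no_email_alert" not in r["options"]
                  and ("alert_by_email" in r["options"]
                       or r["level"] >= email_alert_level))
```

Running `emails_for(load_rules(SYSLOG_RULES), 7)` reproduces Daniel's situation (rule 1002 emails at level 2 despite the threshold of 7); adding LOCAL_RULES makes the list empty.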
