Hi Alexis,
I'm not sure about what is happening. Do a simple test. Set email_alert_level to 1, and configure only one custom alert:

<global>
  <email_notification>yes</email_notification>
  <email_to>noreply@localhost</email_to>
  <smtp_server>smtpserver</smtp_server>
  <email_from>email1</email_from>
</global>
<email_alerts>
  <email_to>email2</email_to>
  <level>10</level>
  <do_not_delay />
  <do_not_group />
</email_alerts>

Generate an alert with level 10 and you will receive:
- all alerts in email1 (including alerts with level 10)
- alerts with level 10 in email2
That is the theory.
I hope it helps.
Regards.
On Monday, July 10, 2017 at 8:35:26 PM UTC+2, Alexis Lessard wrote:
>
> Hi!
> We are trying to configure more effective notifications for OSSEC for our
> needs. However, something weird is happening. An hourly report of ALL
> alerts is being sent to one address in our config. Here's the email
> configuration of our ossec.conf file:
>
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>noreply@localhost</email_to>
>   <smtp_server>smtpserver</smtp_server>
>   <email_from>[email protected]</email_from>
> </global>
>
> <email_alerts>
>   <email_to>email1</email_to>
>   <email_to>email2</email_to>
>   <email_to>email3</email_to>
>   <event_location>several, agents, name</event_location>
> </email_alerts>
>
> <email_alerts>
>   <email_to>[email protected]</email_to>
>   <level>9</level>
> </email_alerts>
>
> <email_alerts>
>   <email_to>email4</email_to>
>   <level>10</level>
>   <do_not_delay />
>   <do_not_group />
> </email_alerts>
>
> <email_alerts>
>   <email_to>[email protected]</email_to>
>   <level>6</level>
>   <group>attack</group>
> </email_alerts>
>
> <email_alerts>
>   <rule_id>10100</rule_id>
>   <email_to>[email protected]</email_to>
> </email_alerts>
>
>
> Basically, here's what I'd like OSSEC to do:
>
> - Send an email for every level 9 or higher alert
> - Send an email for every matched rule from the attack group of level 6
> or higher
> - Send an email for the rule 10100, which shows when a user is logged in
> for the first time.
> - The other rules are for user-specific needs.
>
> I modified the emails for this example, but in the file, they are your
> usual name@domain format. We send every alert to noreply@localhost because
> we want to control everything with custom alerts. The email_alert_level is
> set to 0, so every alert is supposed to be sent to this address. But no
> alert of level 3 should be sent to our email box, right? Yet we receive
> every alert at the same time (in the same email) every hour. It is being
> sent to the [email protected] as well as email4. Am I
> doing something wrong here? Can OSSEC behave the way I want it to?
>
> Thanks for the help!
>
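The routing the reply describes (the global email_to list receives every alert at or above email_alert_level, and each email_alerts block adds its recipients when its criteria match) can be checked with a small simulator before touching a live ossec.conf. The Python below is an added example written for this thread, not OSSEC's own code. It reads a constructed config fragment with placeholder addresses and assumes the following semantics: all criteria inside one email_alerts block must match, level means that level or higher, event_location is a substring match against the alert's location string (comma-separated tokens treated as alternatives), and 7 is used as the threshold when email_alert_level is absent. Setting email_alert_level to 1 in the sample reproduces the behaviour the thread is about: every alert, including level 3, reaches the global address.

```python
"""Model of OSSEC email-alert routing, as discussed in the thread.

Added example, not OSSEC's own code. It parses the <global> and <email_alerts>
blocks of an ossec.conf fragment and returns the recipients an alert would
reach under these assumed semantics:
  - the global <email_to> list receives every alert with level >= <email_alert_level>;
  - an <email_alerts> block adds its <email_to> list only when ALL of its criteria
    match: <level> is a minimum level, <group> must be one of the alert's groups,
    <rule_id> must equal the alert's rule id, and <event_location> is a substring
    match against the alert's location (comma-separated tokens are alternatives).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed ossec.conf fragment (same shape as the one in the reply; the
# addresses are placeholders). email_alert_level=1 means practically every
# alert is delivered to the global address, which is the effect the thread asks about.
OSSEC_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>noreply@localhost</email_to>
    <email_alert_level>1</email_alert_level>
  </global>
  <email_alerts>
    <email_to>email2@example.com</email_to>
    <level>10</level>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
  <email_alerts>
    <email_to>soc@example.com</email_to>
    <level>6</level>
    <group>attack</group>
  </email_alerts>
  <email_alerts>
    <email_to>helpdesk@example.com</email_to>
    <rule_id>10100</rule_id>
  </email_alerts>
  <email_alerts>
    <email_to>ops-web@example.com</email_to>
    <event_location>web01</event_location>
  </email_alerts>
</ossec_config>
"""


@dataclass(frozen=True)
class Alert:
    level: int
    rule_id: int
    groups: FrozenSet[str]
    location: str          # e.g. "(agent) ip->/var/log/auth.log"


@dataclass(frozen=True)
class EmailRule:
    recipients: Tuple[str, ...]
    min_level: Optional[int]
    group: Optional[str]
    rule_id: Optional[int]
    locations: Tuple[str, ...]   # tokens from <event_location>, empty = no constraint


@dataclass(frozen=True)
class EmailConfig:
    global_to: Tuple[str, ...]
    alert_level: int
    rules: Tuple[EmailRule, ...]


def _texts(elem: ET.Element, tag: str) -> Tuple[str, ...]:
    return tuple(e.text.strip() for e in elem.findall(tag) if e.text)


def parse_config(xml_text: str) -> EmailConfig:
    root = ET.fromstring(xml_text)
    g = root.find("global")
    # Assumed default threshold of 7 when <email_alert_level> is missing.
    alert_level = int(g.findtext("email_alert_level", "7"))
    rules = []
    for blk in root.findall("email_alerts"):
        lvl, rid, loc = blk.findtext("level"), blk.findtext("rule_id"), blk.findtext("event_location")
        rules.append(EmailRule(
            recipients=_texts(blk, "email_to"),
            min_level=int(lvl) if lvl else None,
            group=(blk.findtext("group") or "").strip() or None,
            rule_id=int(rid) if rid else None,
            locations=tuple(t.strip() for t in loc.split(",")) if loc else (),
        ))
    return EmailConfig(_texts(g, "email_to"), alert_level, tuple(rules))


def rule_matches(rule: EmailRule, alert: Alert) -> bool:
    """Every criterion present in the block must hold for the alert."""
    if rule.min_level is not None and alert.level < rule.min_level:
        return False
    if rule.group is not None and rule.group not in alert.groups:
        return False
    if rule.rule_id is not None and alert.rule_id != rule.rule_id:
        return False
    if rule.locations and not any(tok in alert.location for tok in rule.locations):
        return False
    return True


def route(cfg: EmailConfig, alert: Alert) -> List[str]:
    """Return the sorted, de-duplicated recipient list for one alert."""
    recipients = set()
    if alert.level >= cfg.alert_level:          # global notification
        recipients.update(cfg.global_to)
    for rule in cfg.rules:                      # granular email_alerts blocks
        if rule_matches(rule, alert):
            recipients.update(rule.recipients)
    return sorted(recipients)


if __name__ == "__main__":
    cfg = parse_config(OSSEC_CONF)
    # Constructed alerts; 10100 is the first-login rule mentioned in the thread.
    for a in (
        Alert(10, 5712, frozenset({"syslog", "attack"}), "(web01) 10.0.0.5->/var/log/auth.log"),
        Alert(3, 10100, frozenset({"syslog"}), "(web01) 10.0.0.5->/var/log/auth.log"),
        Alert(3, 5501, frozenset({"syslog"}), "(db01) 10.0.0.9->/var/log/auth.log"),
    ):
        print(f"level {a.level:2d} rule {a.rule_id:5d} -> {', '.join(route(cfg, a))}")
```

Running it shows why a low email_alert_level defeats the "control everything with custom alerts" plan: the level 3 alerts still reach noreply@localhost because the global threshold, not the granular blocks, decides that delivery. Raising the global level to the point where only the granular blocks fire is the lever the reply's test isolates.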