Finally, you got it!

I think your conclusion makes sense.

Regards.


On Wednesday, July 12, 2017 at 7:49:36 PM UTC+2, Alexis Lessard wrote:
>
> The issue was indeed the email_maxperhour setting. My guess is, because we 
> basically told OSSEC to send every event to noreply@localhost, the default 
> threshold was reached pretty quickly, so all events from the time the threshold 
> was reached until the end of the hour were sent back to us in a big email. We 
> changed that setting to its maximum value, 9999, and now we receive all 
> alerts we specified we wanted (although now we might have some tweaking to 
> do in our local_rules to adjust it to our needs), but at least, it works!
>
> tl;dr: Ensure that the email_maxperhour setting in the global config is 
> set to an appropriate value. Default is 12.
>
> 2017-07-12 7:26 GMT-04:00 Jesus Linares <je...@wazuh.com>:
>
>> Hi Alexis,
>>
>> So, you are receiving alerts with level 3 at ourservice@domain, right? 
>> That doesn't make sense (I understand that email1, email2 or email3 is not 
>> ourservice@domain).
>>
>> Try to use: do_not_delay and do_not_group. Also, the email_maxperhour 
>> <https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html?highlight=email_maxperhour#email-maxperhour> 
>> is 12 by default, maybe you should change it.
>>
>> In order to simplify the debug process, use only 1 custom email alert.
>>
>> Also, you can use the report settings 
>> <https://documentation.wazuh.com/current/user-manual/manager/output-options/manual-email-report/index.html> 
>> instead of the email settings.
>>
>> OSSEC emails options aren't that good...
>>
>>
>>
>> On Tuesday, July 11, 2017 at 10:27:41 PM UTC+2, Alexis Lessard wrote:
>>>
>>> Thanks for the tip! We tested it, but it doesn't seem to be working. 
>>> Here's what the configuration looks like now:
>>>   <global>
>>>     <email_notification>yes</email_notification>
>>>     <email_to>noreply@localhost</email_to>
>>>     <smtp_server>smtpserver</smtp_server>
>>>     <email_from>ossec@domain</email_from>
>>>   </global>
>>>
>>>   <email_alerts>
>>>     <email_to>email1</email_to>
>>>     <email_to>email2</email_to>
>>>     <email_to>email3</email_to>
>>>     <event_location>several, agents, name</event_location>
>>>   </email_alerts>
>>>
>>>   <email_alerts>
>>>     <email_to>ourservice@domain</email_to>
>>>     <level>9</level>
>>>     <do_not_delay />
>>>     <do_not_group />
>>>   </email_alerts>
>>>
>>>
>>> *email_alert_level* was also set to 1. We received one level 10 alert 
>>> email by itself. However, there were several other level 10 alerts that we 
>>> didn't receive any notifications for, even though they appear in the alert 
>>> log. We then received an email report in the ourservice@domain mailbox of about 
>>> 10 minutes' worth of events, with several level 10 alerts in it, but mostly 
>>> a lot of alerts we have no need for, like
>>> Rule: 31101 fired (level 5) -> "Web server 400 error code."
>>>
>>> I don't think that there's anything in my config that would justify 
>>> alerts of level 3 and 5 being sent. Do you know what could be wrong? We 
>>> will probably go back to having an email_alert_level of 7 with no custom 
>>> alerts and work from there. We receive a lot of events to this server; I'd 
>>> say about one every two or three seconds. Could that be a problem?
>>>
>>> Thank you for the reply, I'll be sure to keep you updated to document 
>>> the issue if anyone else has that problem.
>>>

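Added example, not code from the thread or from the OSSEC/Wazuh projects: a small Python check that parses an ossec.conf fragment modelled on the configuration quoted above, reports the effective email_maxperhour (12 when absent, as noted in the thread) and each email_alerts block, and computes how fast that hourly cap is reached at the alert rate Alexis describes. The <alerts> block in the sample and the DEFAULT_ALERT_LEVEL value of 7 are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's ossec.conf; the <alerts> block is an assumption.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>noreply@localhost</email_to>
    <smtp_server>smtpserver</smtp_server>
    <email_from>ossec@domain</email_from>
  </global>
  <alerts><email_alert_level>1</email_alert_level></alerts>
  <email_alerts>
    <email_to>email1</email_to>
  </email_alerts>
  <email_alerts>
    <email_to>ourservice@domain</email_to>
    <level>9</level>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>"""

DEFAULT_MAXPERHOUR = 12   # OSSEC default when <email_maxperhour> is absent (per the thread)
DEFAULT_ALERT_LEVEL = 7   # assumed OSSEC default for <email_alert_level>

def audit_email_config(conf_xml):
    """Summarise the mail settings and flag the traps discussed in the thread."""
    root = ET.fromstring(conf_xml)
    glob = root.find("global")
    maxperhour = int(glob.findtext("email_maxperhour") or DEFAULT_MAXPERHOUR)
    base_level = int(root.findtext("alerts/email_alert_level") or DEFAULT_ALERT_LEVEL)
    findings, blocks = [], []
    if glob.findtext("email_notification") == "yes" and maxperhour == DEFAULT_MAXPERHOUR:
        findings.append(f"email_maxperhour is the default {maxperhour}: once that many "
                        "mails go out, the rest of the hour is batched into one mail")
    for ea in root.findall("email_alerts"):
        level = ea.findtext("level")
        recipients = [e.text for e in ea.findall("email_to")]
        blocks.append({"to": recipients, "level": int(level) if level else None,
                       "do_not_delay": ea.find("do_not_delay") is not None,
                       "do_not_group": ea.find("do_not_group") is not None})
        if level is None:
            findings.append(f"email_alerts for {recipients} sets no <level>, so it filters "
                            f"no more strictly than email_alert_level {base_level}")
    return {"maxperhour": maxperhour, "base_level": base_level,
            "blocks": blocks, "findings": findings}

def seconds_until_batching(seconds_per_alert, maxperhour):
    """Seconds until the hourly cap is hit at a steady rate (thread: ~1 alert every 2-3 s)."""
    return seconds_per_alert * maxperhour
```

At one alert every 2.5 seconds the default cap of 12 is exhausted after 30 seconds, which matches the "reached pretty quickly" observation above.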