Yes, and no. Let's say there is one level 10 alert. The subject will have
this in the text. And the email will have it in the body, but only if it
has happened so many minutes before the email was sent. If the event
happened at 10:58 AM and the email was sent on the hour at 11:00 AM, it
will more than likely be included. But if the event happened at 10:05 AM and
the email was sent at 11:00 AM then it won't be included. And even if there
are lots of any-level alerts being sensed, only a certain number in the
last so many minutes are in the email. Let me give an example. Now maybe
I'm looking at this wrong, so please enlighten me. If I look at the email
sent last night at 06:00 PM, or 18:00, the subject of the email is
"Alert level 10", but that alert is nowhere in the body of the email.
There are 321 notifications, with the earliest being at 17:55:42. There is
nothing dated before that. If I go look at the alerts.log file from
yesterday, there is an entry in there for a level 10 alert on a host at
17:17:28. In total there are 4634 alerts in the file, mostly level 2, but
only 321 in the email. The earliest one is at 17:00:05.

On Fri, Sep 29, 2017 at 9:42 AM, dan (ddp) <[email protected]> wrote:

> On Thu, Sep 28, 2017 at 11:45 AM, Ed Killian <[email protected]>
> wrote:
> > I'm running on CentOS 7.3.1611 and using the atomic repo which has
> > ossec-hids-2.9.2-2082 and ossec-hids-server-2.9.2-2082.
> > I have done debugging and I'm seeing some things I think are strange.
> > If the condition I'm testing for has happened in the last 15 to 20 minutes
> > before the email is sent, the subject contains the alert message and the
> > body contains the alert message along with other alerts. If the condition
> > is more than 25 to 30 minutes before the email is sent, the subject will
> > still show the alert, but the alert message will not be in the body of the
> > email. Here are some stats from the emails today:
> >
>
> Basically, the subject and body don't match?
>
> > Email arrived   Number of alerts   Earliest reported alert
> > 01:00           109                00:36
> > 02:00           110                01:37
> > 03:00           111                02:34
> > 04:00           112                03:39
> > 05:00           113                04:34
> > 06:00           114                05:39
> > 07:00           115                06:36
> > 08:00           116                07:51
> > 09:00           117                08:55
> > 10:00           118                09:56
> >
> > It seems strange that the number of alerts is incrementing by one each
> > hour. I went back further in the emails and it seems to increment to 186
> > and then start over at 97.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>

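The comparison described above (count what is in alerts.log, find the highest level, and see which entries fall inside a window before the hourly email) can be scripted instead of done by hand. The following is an added example, not code from the thread or from the OSSEC project. It parses the layout OSSEC uses in alerts.log (a `** Alert` header line, a timestamp line, a `Rule:` line, then the raw log lines, with alerts separated by a blank line; the word `mail` on the header line marks an alert flagged for email). The sample log embedded in it is constructed, the send time and window length are inputs you choose, and the assumption that the subject is computed over the whole file while the body is window-limited is exactly the hypothesis from the thread, not a statement about OSSEC internals.

```python
"""Added example: compare the alert level an email subject could carry (highest
level anywhere in alerts.log) with what a time-window-limited body could carry.
Not part of the ossec-list thread or of OSSEC itself."""

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in OSSEC alerts.log layout (not real data). The 'mail'
# token on the header line is what OSSEC writes when the alert is flagged for
# email; the second alert here is below the mail threshold and lacks it.
SAMPLE_ALERTS_LOG = """\
** Alert 1506704248.1001: mail  - syslog,sshd,authentication_failed,
2017 Sep 29 17:17:28 (web01) 10.0.0.5->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.9
Sep 29 17:17:28 web01 sshd[4211]: Failed password for root from 203.0.113.9 port 50122 ssh2

** Alert 1506705942.1002: - syslog,sshd,
2017 Sep 29 17:45:42 (web01) 10.0.0.5->/var/log/secure
Rule: 5702 (level 5) -> 'Reverse lookup error (bad ISP or attack).'
Sep 29 17:45:42 web01 sshd[4300]: reverse mapping checking getaddrinfo failed

** Alert 1506706542.1003: mail  - pam,syslog,authentication_success,
2017 Sep 29 17:55:42 (web01) 10.0.0.5->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep 29 17:55:42 web01 sshd[4350]: pam_unix(sshd:session): session opened for user ed
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+): (?:(mail)\s+)?- (.*)$")
TS_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) ")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


@dataclass
class Alert:
    ts: datetime
    rule_id: int
    level: int
    description: str
    mail: bool  # True when the header carried the 'mail' flag


def parse_alerts(text):
    """Split alerts.log text on blank lines and pull out one Alert per block.
    Blocks without a header, timestamp or Rule line are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue
        ts, rule = None, None
        for line in lines[1:]:
            if ts is None and (tm := TS_RE.match(line)):
                ts = datetime.strptime(tm.group(1), "%Y %b %d %H:%M:%S")
            if rm := RULE_RE.match(line):
                rule = rm
        if ts is None or rule is None:
            continue
        alerts.append(Alert(ts, int(rule.group(1)), int(rule.group(2)),
                            rule.group(3), head.group(3) is not None))
    return alerts


def summarize(alerts, sent_at, window_minutes, mailable_only=False):
    """sent_at is an ISO timestamp string for when the email went out.
    Returns the highest level over the whole file (what a subject computed
    over everything would show) and over the window (what a window-limited
    body could contain). A mismatch reproduces the symptom from the thread."""
    sent = datetime.fromisoformat(sent_at)
    start = sent - timedelta(minutes=window_minutes)
    pool = [a for a in alerts if a.mail] if mailable_only else list(alerts)
    in_window = [a for a in pool if start <= a.ts <= sent]
    return {
        "total_alerts": len(pool),
        "max_level_all": max((a.level for a in pool), default=0),
        "alerts_in_window": len(in_window),
        "max_level_in_window": max((a.level for a in in_window), default=0),
        "earliest_in_window": (min(a.ts for a in in_window).strftime("%H:%M:%S")
                               if in_window else None),
    }


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS_LOG)
    for minutes in (15, 60):
        print(minutes, "min window:", summarize(parsed, "2017-09-29 18:00:00", minutes))
```

Run it against a real file with `parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read())` and the send time of one email; if `max_level_all` exceeds `max_level_in_window` for the window you suspect, that is the subject/body mismatch from the thread, and `earliest_in_window` should line up with the first entry in the email body. Pass `mailable_only=True` to count only alerts flagged for email, which is the closer match to what the thread counts as "in the email".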