On Fri, Sep 29, 2017 at 11:12 AM, Ed Killian <[email protected]> wrote:
> Yes, and no. Let's say there is one level 10 alert. The subject will have
> this in the text. And the email will have it in the body, but only if it has
> happened so many minutes before the email was sent. If the event happened at
> 10:58 AM and the email was sent on the hour at 11:00 AM, it will more than
> likely be included. But if the event happened at 10:05 AM and the email was
> sent at 11:00 AM then it won't be included. And even if there are lots of any
> level alerts being sensed, only a certain number in the last so many minutes
> are in the email. Let me give an example. Now maybe I'm looking at this
> wrong so please enlighten me. If I look at the email sent last night at
> 06:00 PM, or 18:00, in the subject of the email is "Alert level 10", but
> that alert is nowhere in the body of the email. There are 321 notifications
> with the earliest being at 17:55:42. There is nothing dated before that. If
> I go look at the alerts.log file from yesterday, there is an entry in there
> for a level 10 alert on a host at 17:17:28. In total there are 4634 alerts
> in the file, mostly level 2, but only 321 in the email. The earliest one is
> at 17:00:05.
>

Are you hitting the hourly email limits?

> On Fri, Sep 29, 2017 at 9:42 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Thu, Sep 28, 2017 at 11:45 AM, Ed Killian <[email protected]>
>> wrote:
>> > I'm running on CentOS 7.3.1611 and using the atomic repo which has
>> > ossec-hids-2.9.2-2082 and ossec-hids-server-2.9.2-2082.
>> > I have done debugging and I'm seeing some things I think are strange.
>> > If the condition I'm testing for has happened in the last 15 to 20
>> > minutes before the email is sent, the subject contains the alert
>> > message and the body contains the alert message along with other
>> > alerts. If the condition is more than 25 to 30 minutes before the
>> > email is sent, the subject will still show the alert, but the alert
>> > message will not be in the body of the email. Here are some stats
>> > from the emails today:
>> >
>>
>> Basically, the subject and body don't match?
>>
>> > Email     Number      Earliest reported
>> > arrived   of alerts   alert
>> > 01:00     109         00:36
>> > 02:00     110         01:37
>> > 03:00     111         02:34
>> > 04:00     112         03:39
>> > 05:00     113         04:34
>> > 06:00     114         05:39
>> > 07:00     115         06:36
>> > 08:00     116         07:51
>> > 09:00     117         08:55
>> > 10:00     118         09:56
>> >
>> > It seems strange that the number of alerts is incrementing by one
>> > each hour. I went back further in the emails and it seems to
>> > increment to 186 and then start over at 97.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>>

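A check for the subject/body mismatch discussed in this thread, added here as an example that is not from the thread or from the OSSEC project: it parses an alerts.log excerpt in OSSEC's block layout and reports which alerts at the subject's level fall outside the body's lookback window. The sample log (hosts, rule ids, times), the window length and the one-hour digest period are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed alerts.log excerpt; hosts, rule ids and times are invented.
SAMPLE_LOG = """\
** Alert 1506718805.100: - syslog,
2017 Sep 29 17:00:05 (web01) 10.0.0.5->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
** Alert 1506719848.200: - syslog,
2017 Sep 29 17:17:28 (db01) 10.0.0.7->/var/log/secure
Rule: 100010 (level 10) -> 'Constructed high-severity rule.'
** Alert 1506722142.300: - syslog,
2017 Sep 29 17:55:42 (web01) 10.0.0.5->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
"""

TS_FMT = "%Y %b %d %H:%M:%S"
HEADER = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (.*?)->", re.M)
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)

def parse_alerts(text):
    """Return one dict (ts, host, rule, level) per '** Alert' block."""
    alerts = []
    for block in text.split("** Alert")[1:]:
        hdr, rule = HEADER.search(block), RULE.search(block)
        if not (hdr and rule):
            continue  # tolerate a truncated block instead of crashing
        alerts.append({"ts": datetime.strptime(hdr.group(1), TS_FMT),
                       "host": hdr.group(2), "rule": int(rule.group(1)),
                       "level": int(rule.group(2))})
    return alerts

def digest_check(alerts, sent_at, window_minutes, period_minutes=60):
    """Model an hourly digest sent at `sent_at` (datetime or TS_FMT string):
    subject_level = highest level in the period, in_window = alerts recent
    enough for the body, missing = subject-level alerts the window drops."""
    if isinstance(sent_at, str):
        sent_at = datetime.strptime(sent_at, TS_FMT)
    start = sent_at - timedelta(minutes=period_minutes)
    cutoff = sent_at - timedelta(minutes=window_minutes)  # assumed window
    period = [a for a in alerts if start <= a["ts"] <= sent_at]
    in_window = [a for a in period if a["ts"] >= cutoff]
    top = max((a["level"] for a in period), default=None)
    missing = [a for a in period if a["ts"] < cutoff and a["level"] == top]
    return {"subject_level": top, "in_window": in_window, "missing": missing}

r = digest_check(parse_alerts(SAMPLE_LOG), "2017 Sep 29 18:00:00", 30)
for a in r["missing"]:
    print("dropped by window:", a["ts"], a["host"], "level", a["level"])
```

Point it at a real alerts.log and the actual send time to see whether the alerts that vanish from the body are exactly the ones older than the window.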
