So what is your suggestion? Increase the number of emails per hour?

On Fri, Sep 29, 2017 at 1:11 PM, dan (ddp) <ddp...@gmail.com> wrote:

> On Fri, Sep 29, 2017 at 1:03 PM, Ed Killian <edtechnog...@gmail.com>
> wrote:
> > I think we have the settings so we only get one email per hour.
> > From /var/ossec/etc/ossec.conf:
> >
> > <email_maxperhour>1</email_maxperhour>
> >
>
> I think expecting maild to handle 4k+ alerts is overestimating its
> capabilities.
>
> > On Fri, Sep 29, 2017 at 12:52 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >>
> >> On Fri, Sep 29, 2017 at 12:49 PM, Ed Killian <edtechnog...@gmail.com>
> >> wrote:
> >> > I'm not sure what you mean. I am getting an email every hour.
> >> >
> >>
> >> Generally there are emails sent when alerts happen, not just hourly.
> >> There is a limit to how many of these emails can be sent per hour (99
> >> maybe?).
> >> If you reach that limit, I think an email is sent at the top of the
> >> next hour collecting some/most/all of the previous hour's overage.
> >>
> >> > On Fri, Sep 29, 2017 at 12:46 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >> >>
> >> >> On Fri, Sep 29, 2017 at 11:12 AM, Ed Killian <edtechnog...@gmail.com> wrote:
> >> >> > Yes, and no. Let's say there is one level 10 alert. The subject will
> >> >> > have this in the text. And the email will have it in the body, but only
> >> >> > if it has happened so many minutes before the email was sent. If the
> >> >> > event happened at 10:58 AM and the email was sent on the hour at 11:00
> >> >> > AM, it will more than likely be included. But if the event happened at
> >> >> > 10:05 AM and the email was sent at 11:00 AM then it won't be included.
> >> >> > And even if there are lots of any level alerts being sensed, only a
> >> >> > certain number in the last so many minutes are in the email. Let me
> >> >> > give an example. Now maybe I'm looking at this wrong so please
> >> >> > enlighten me. If I look at the email sent last night at 06:00 PM, or
> >> >> > 18:00, in the subject of the email is "Alert level 10", but that alert
> >> >> > is nowhere in the body of the email. There are 321 notifications with
> >> >> > the earliest being at 17:55:42. There is nothing dated before that. If
> >> >> > I go look at the alerts.log file from yesterday, there is an entry in
> >> >> > there for a level 10 alert on a host at 17:17:28. In total there are
> >> >> > 4634 alerts in the file, mostly level 2, but only 321 in the email.
> >> >> > The earliest one is at 17:00:05.
> >> >> >
> >> >>
> >> >> Are you hitting the hourly email limits?
> >> >>
> >> >> > On Fri, Sep 29, 2017 at 9:42 AM, dan (ddp) <ddp...@gmail.com> wrote:
> >> >> >>
> >> >> >> On Thu, Sep 28, 2017 at 11:45 AM, Ed Killian <edtechnog...@gmail.com> wrote:
> >> >> >> > I'm running on CentOS 7.3.1611 and using the atomic repo which has
> >> >> >> > ossec-hids-2.9.2-2082 and ossec-hids-server-2.9.2-2082.
> >> >> >> > I have done debugging and I'm seeing some things I think are strange.
> >> >> >> > If the condition I'm testing for has happened in the last 15 to 20
> >> >> >> > minutes before the email is sent, the subject contains the alert
> >> >> >> > message and the body contains the alert message along with other
> >> >> >> > alerts. If the condition is more than 25 to 30 minutes before the
> >> >> >> > email is sent, the subject will still show the alert, but the alert
> >> >> >> > message will not be in the body of the email. Here are some stats
> >> >> >> > from the emails today:
> >> >> >> >
> >> >> >>
> >> >> >> Basically, the subject and body don't match?
> >> >> >>
> >> >> >> > Email arrived   Number of alerts   Earliest reported alert
> >> >> >> > 01:00           109                00:36
> >> >> >> > 02:00           110                01:37
> >> >> >> > 03:00           111                02:34
> >> >> >> > 04:00           112                03:39
> >> >> >> > 05:00           113                04:34
> >> >> >> > 06:00           114                05:39
> >> >> >> > 07:00           115                06:36
> >> >> >> > 08:00           116                07:51
> >> >> >> > 09:00           117                08:55
> >> >> >> > 10:00           118                09:56
> >> >> >> >
> >> >> >> > It seems strange that the number of alerts is incrementing by one
> >> >> >> > each hour. I went back further in the emails and it seems to
> >> >> >> > increment to 186 and then start over at 97.
> >> >> >> >
> >> >> >> > --
> >> >> >> >
> >> >> >> > ---
> >> >> >> > You received this message because you are subscribed to the Google
> >> >> >> > Groups "ossec-list" group.
> >> >> >> > To unsubscribe from this group and stop receiving emails from it,
> >> >> >> > send an email to ossec-list+unsubscr...@googlegroups.com.
> >> >> >> > For more options, visit https://groups.google.com/d/optout.

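The thread turns on two numbers that are easy to compare but tedious to extract by hand: how many alerts per hour actually land in alerts.log (4634 in the example above, mostly level 2) and the `<email_maxperhour>` value maild is working under. The script below is an added example written for this page; it is not code from the thread or from the OSSEC project. It parses a constructed excerpt in the OSSEC 2.x alerts.log layout (the `mail` tag after the alert id in the `** Alert` header marks alerts that maild is asked to send), tallies each hour by total alerts, mail-flagged alerts, highest level and level histogram, reads `email_maxperhour` from a constructed ossec.conf fragment, and reports the hours where the mail-flagged count exceeds that limit. The hostnames, IPs, alert ids and the conf fragment are constructed; the `12` fallback is OSSEC's documented default for that option. Point it at the real `/var/ossec/logs/alerts/alerts.log` by passing the path as the first argument.

```python
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# Constructed excerpt in the OSSEC 2.x alerts.log layout (not real data).
# "** Alert <epoch>.<id>: mail - <groups>," is an alert flagged for maild;
# "** Alert <epoch>.<id>: - <groups>," is one that is logged only.
SAMPLE_ALERTS_LOG = """\
** Alert 1506718805.1001: - syslog,errors,
2017 Sep 29 17:00:05 (web01) 10.0.0.11->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Sep 29 17:00:04 web01 kernel: error: constructed sample line

** Alert 1506719848.2002: mail - syslog,sshd,authentication_failures,
2017 Sep 29 17:17:28 (db01) 10.0.0.12->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.5
Sep 29 17:17:27 db01 sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2

** Alert 1506722142.3003: mail - syslog,sshd,authentication_failed,
2017 Sep 29 17:55:42 (web01) 10.0.0.11->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.9
Sep 29 17:55:41 web01 sshd[4343]: Failed password for root from 203.0.113.9 port 50200 ssh2

** Alert 1506722700.4004: - syslog,errors,
2017 Sep 29 18:05:00 (web01) 10.0.0.11->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Sep 29 18:04:59 web01 kernel: error: constructed sample line
"""

# Constructed ossec.conf fragment mirroring the setting quoted in the thread.
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>secops@example.org</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@example.org</email_from>
    <email_maxperhour>1</email_maxperhour>
  </global>
</ossec_config>
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+): (mail)?\s*- (.*)$")
TIMESTAMP = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (.*)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_alerts(text):
    """Return one dict per alert: epoch, id, mail flag, groups, timestamp, location, rule, level, description."""
    alerts, current = [], None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = {"epoch": int(m.group(1)), "id": int(m.group(2)), "mail": m.group(3) == "mail",
                       "groups": [g for g in m.group(4).split(",") if g], "when": None,
                       "location": None, "rule": None, "level": None, "description": None}
            alerts.append(current)
            continue
        if current is None:
            continue
        m = TIMESTAMP.match(line)
        if m and current["when"] is None:  # first timestamp line after the header
            current["when"] = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S")
            current["location"] = m.group(2)
            continue
        m = RULE_LINE.match(line)
        if m and current["rule"] is None:
            current["rule"], current["level"], current["description"] = int(m.group(1)), int(m.group(2)), m.group(3)
    return alerts


def hourly_summary(alerts):
    """Per hour key 'YYYY-MM-DD HH': total alerts, mail-flagged alerts, highest level, level histogram."""
    hours = defaultdict(lambda: {"total": 0, "mail": 0, "max_level": 0, "levels": Counter()})
    for a in alerts:
        h = hours[a["when"].strftime("%Y-%m-%d %H")]
        h["total"] += 1
        h["mail"] += int(a["mail"])
        h["max_level"] = max(h["max_level"], a["level"])
        h["levels"][a["level"]] += 1
    return dict(hours)


def email_maxperhour(conf_text, default=12):
    """Read <email_maxperhour> with a regex: ossec.conf may hold several top-level
    <ossec_config> elements, which a strict XML parser rejects as multiple roots."""
    m = re.search(r"<email_maxperhour>\s*(\d+)\s*</email_maxperhour>", conf_text)
    return int(m.group(1)) if m else default


def hours_over_limit(alerts, limit):
    """Hours in which more alerts were flagged for mail than maild may send."""
    return sorted(k for k, h in hourly_summary(alerts).items() if h["mail"] > limit)


def at_or_above(alerts, level):
    """Alerts at or above a level, in log order, so a high-level event can be located quickly."""
    return [a for a in alerts if a["level"] >= level]


if __name__ == "__main__":
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS_LOG
    conf_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_OSSEC_CONF
    alerts, limit = parse_alerts(log_text), email_maxperhour(conf_text)
    for hour, h in sorted(hourly_summary(alerts).items()):
        flag = "OVER email_maxperhour" if h["mail"] > limit else ""
        print(f"{hour}  total={h['total']:5d}  mail={h['mail']:5d}  max_level={h['max_level']:2d}  {flag}")
    for a in at_or_above(alerts, 10):
        print(f"level>={10}: {a['when']} rule {a['rule']} {'mail' if a['mail'] else 'not mail'} {a['location']}")
```

On the constructed data the 17:00 hour holds three alerts, two of them flagged for mail, which already exceeds a limit of 1; the level 10 alert at 17:17:28 is among the flagged ones. Running this against the real log for the hour in question shows directly whether the level 10 event was flagged `mail` at all and how far the flagged count sits above `email_maxperhour`, which is the comparison the thread is making by hand.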