On Fri, Sep 29, 2017 at 1:17 PM, Ed Killian <[email protected]> wrote:
> So what is your suggestion? Increase the number of emails per hour?
>

That's a start. maild isn't really set up to be an "on the hour"
summary device. You can script that type of thing up easily, or use
something like elastic to make it pretty.

> On Fri, Sep 29, 2017 at 1:11 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Fri, Sep 29, 2017 at 1:03 PM, Ed Killian <[email protected]> wrote:
>> > I think we have the settings so we only get one email per hour.
>> > From /var/ossec/etc/ossec.conf:
>> >
>> > <email_maxperhour>1</email_maxperhour>
>> >
>>
>> I think expecting maild to handle 4k+ alerts is overestimating its
>> capabilities.
>>
>> > On Fri, Sep 29, 2017 at 12:52 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Fri, Sep 29, 2017 at 12:49 PM, Ed Killian <[email protected]> wrote:
>> >> > I'm not sure what you mean. I am getting an email every hour.
>> >> >
>> >>
>> >> Generally there are emails sent when alerts happen, not just hourly.
>> >> There is a limit to how many of these emails can be sent per hour (99
>> >> maybe?).
>> >> If you reach that limit, I think an email is sent at the top of the
>> >> next hour collecting some/most/all of the previous hour's overage.
>> >>
>> >> > On Fri, Sep 29, 2017 at 12:46 PM, dan (ddp) <[email protected]> wrote:
>> >> >>
>> >> >> On Fri, Sep 29, 2017 at 11:12 AM, Ed Killian <[email protected]> wrote:
>> >> >> > Yes, and no. Let's say there is one level 10 alert. The subject will
>> >> >> > have this in the text. And the email will have it in the body, but
>> >> >> > only if it has happened so many minutes before the email was sent. If
>> >> >> > the event happened at 10:58 AM and the email was sent on the hour at
>> >> >> > 11:00 AM, it will more than likely be included. But if the event
>> >> >> > happened at 10:05 AM and the email was sent at 11:00 AM then it won't
>> >> >> > be included. And even if there are lots of any level alerts being
>> >> >> > sensed, only a certain number in the last so many minutes are in the
>> >> >> > email. Let me give an example. Now maybe I'm looking at this wrong so
>> >> >> > please enlighten me. If I look at the email sent last night at
>> >> >> > 06:00 PM, or 18:00, in the subject of the email is "Alert level 10",
>> >> >> > but that alert is nowhere in the body of the email. There are 321
>> >> >> > notifications with the earliest being at 17:55:42. There is nothing
>> >> >> > dated before that. If I go look at the alerts.log file from
>> >> >> > yesterday, there is an entry in there for a level 10 alert on a host
>> >> >> > at 17:17:28. In total there are 4634 alerts in the file, mostly
>> >> >> > level 2, but only 321 in the email. The earliest one is at 17:00:05.
>> >> >> >
>> >> >>
>> >> >> Are you hitting the hourly email limits?
>> >> >>
>> >> >> > On Fri, Sep 29, 2017 at 9:42 AM, dan (ddp) <[email protected]> wrote:
>> >> >> >>
>> >> >> >> On Thu, Sep 28, 2017 at 11:45 AM, Ed Killian <[email protected]> wrote:
>> >> >> >> > I'm running on CentOS 7.3.1611 and using the atomic repo which has
>> >> >> >> > ossec-hids-2.9.2-2082 and ossec-hids-server-2.9.2-2082.
>> >> >> >> > I have done debugging and I'm seeing some things I think are
>> >> >> >> > strange. If the condition I'm testing for has happened in the last
>> >> >> >> > 15 to 20 minutes before the email is sent, the subject contains
>> >> >> >> > the alert message and the body contains the alert message along
>> >> >> >> > with other alerts. If the condition is more than 25 to 30 minutes
>> >> >> >> > before the email is sent, the subject will still show the alert,
>> >> >> >> > but the alert message will not be in the body of the email. Here
>> >> >> >> > are some stats from the emails today:
>> >> >> >> >
>> >> >> >>
>> >> >> >> Basically, the subject and body don't match?
>> >> >> >>
>> >> >> >> > Email arrived   Number of alerts   Earliest reported alert
>> >> >> >> > 01:00           109                00:36
>> >> >> >> > 02:00           110                01:37
>> >> >> >> > 03:00           111                02:34
>> >> >> >> > 04:00           112                03:39
>> >> >> >> > 05:00           113                04:34
>> >> >> >> > 06:00           114                05:39
>> >> >> >> > 07:00           115                06:36
>> >> >> >> > 08:00           116                07:51
>> >> >> >> > 09:00           117                08:55
>> >> >> >> > 10:00           118                09:56
>> >> >> >> >
>> >> >> >> > It seems strange that the number of alerts is incrementing by one
>> >> >> >> > each hour. I went back further in the emails and it seems to
>> >> >> >> > increment to 186 and then start over at 97.
>> >> >> >> >
>> >> >> >> > --
>> >> >> >> >
>> >> >> >> > ---
>> >> >> >> > You received this message because you are subscribed to the
>> >> >> >> > Google
>> >> >> >> > Groups
>> >> >> >> > "ossec-list" group.
>> >> >> >> > To unsubscribe from this group and stop receiving emails from
>> >> >> >> > it,
>> >> >> >> > send
>> >> >> >> > an
>> >> >> >> > email to [email protected].
>> >> >> >> > For more options, visit https://groups.google.com/d/optout.
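dan's suggestion above, to script the hourly summary instead of relying on maild's per-hour mail cap, as an added example that is not part of this thread or of OSSEC itself: a Python script that parses alerts.log stanzas (the "** Alert" header, the timestamp/host line and the "Rule: N (level L)" line) and reports, per clock hour, the total count, the highest level, the earliest alert and every alert at or above a chosen level, so a level 10 alert from 17:17 cannot drop out of an 18:00 summary. The sample log, hostnames and rule lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample in the alerts.log layout: "** Alert" header, time/host line, Rule line.
SAMPLE_LOG = """\
** Alert 1506702948.0: mail - syslog,sshd,authentication_failures,
2017 Sep 29 17:17:28 (webhost) 10.0.0.5->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'

** Alert 1506704142.0: - syslog,sshd,
2017 Sep 29 17:55:42 localhost->/var/log/secure
Rule: 5710 (level 2) -> 'Attempt to login using a non-existent user'

** Alert 1506706812.0: - syslog,sudo
2017 Sep 29 18:40:12 (dbhost) 10.0.0.6->/var/log/secure
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
"""
TS_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?:\((\S+)\) )?(\S+?)->")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'")

def parse_alerts(text):
    """Yield one dict (ts, host, rule, level, desc) per '** Alert' stanza."""
    for stanza in re.split(r"(?m)^(?=\*\* Alert )", text):
        lines = stanza.splitlines()
        ts_m = TS_RE.match(lines[1]) if len(lines) > 2 else None
        rule_m = next((m for m in map(RULE_RE.match, lines[2:]) if m), None)
        if not ts_m or not rule_m:
            continue  # preamble or malformed stanza: skip rather than miscount
        yield {"ts": datetime.strptime(ts_m.group(1), "%Y %b %d %H:%M:%S"),
               "host": ts_m.group(2) or ts_m.group(3), "rule": int(rule_m.group(1)),
               "level": int(rule_m.group(2)), "desc": rule_m.group(3)}

def hourly_summary(alerts, highlight_level=10):
    """Bucket alerts by clock hour, keeping every alert (no per-hour mail cap)."""
    hours, out = {}, {}
    for a in alerts:
        hours.setdefault(a["ts"].strftime("%Y-%m-%d %H:00"), []).append(a)
    for hour, items in hours.items():
        out[hour] = {"count": len(items), "max_level": max(a["level"] for a in items),
                     "earliest": min(a["ts"] for a in items).strftime("%H:%M:%S"),
                     "by_level": Counter(a["level"] for a in items),
                     "high": [a for a in items if a["level"] >= highlight_level]}
    return out

if __name__ == "__main__":
    for hour, h in sorted(hourly_summary(parse_alerts(SAMPLE_LOG)).items()):
        print(f"{hour}: {h['count']} alerts, max level {h['max_level']}, "
              f"earliest {h['earliest']}, by level {dict(h['by_level'])}")
        for a in h["high"]:  # the alerts the subject line promised: never drop from the body
            print(f"  {a['ts']:%H:%M:%S} {a['host']} rule {a['rule']}: {a['desc']}")
```

Point `parse_alerts` at the text of the real alerts.log and the per-hour buckets will contain all of an hour's alerts (all 4634 in the thread's case), not the first few hundred maild got to before the cap.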