Re: [ossec-list] Re: Email alerts are sent hourly

2017-07-17 Thread Jesus Linares
Finally, you got it!

I think your conclusion makes sense.

Regards.


On Wednesday, July 12, 2017 at 7:49:36 PM UTC+2, Alexis Lessard wrote:
>
> The issue was indeed the email_maxperhour setting. My guess is, because we 
> basically told OSSEC to send every event to noreply@localhost. The default 
> threshold was reached pretty quickly, so all events after the threshold was 
> reached, until the end of the hour, were sent back to us in a big email. We 
> changed that setting to its maximum value, , and now we receive all 
> alerts we specified we wanted (although now we might have some tweaking to 
> do in our local_rules to adjust it to our needs), but at least, it works!
>
> tl;dr: Ensure that the email_maxperhour setting in the global config is 
> set to an appropriate value. Default is 12.
>
> 2017-07-12 7:26 GMT-04:00 Jesus Linares :
>
>> Hi Alexis,
>>
>> So, you are receiving alerts with level 3 in ourservice@domain, right? 
>> That doesn't make sense (I understand that email1, email2 or email3 is not 
>> ourservice@domain).
>>
>> Try to use: do_not_delay and do_not_group. Also, the email_maxperhour 
>> is 12 by default, maybe you should change it.
>>
>> In order to simplify the debug process, use only 1 custom email alert.
>>
>> Also, you can use the report settings instead of the email settings.
>>
>> OSSEC email options aren't that good...
>>
>>
>>
>> On Tuesday, July 11, 2017 at 10:27:41 PM UTC+2, Alexis Lessard wrote:
>>>
>>> Thanks for the tip! We tested it, but it doesn't seem to be working. 
>>> Here's what the configuration looks like now:
>>>   
>>> yes
>>> noreply@localhost
>>> smtpserver
>>> ossec@domain
>>>   
>>>
>>>   
>>> email1
>>> email2
>>> email3
>>> several, agents, name
>>>   
>>>
>>>   
>>> ourservice@domain
>>> 9
>>> 
>>> 
>>>   
>>>
>>>
>>> email_alert_level was also set to 1. We received one level 10 alert 
>>> email by itself. However, there were several other level 10 alerts that we 
>>> didn't receive any notifications from, even though they appear in the alert 
>>> log. We then received an email report in ourservice@domain mailbox of about 
>>> 10 minutes worth of events, with several level 10 alerts in it, but mostly 
>>> a lot of alerts we have no need for, like
>>> Rule: 31101 fired (level 5) -> "Web server 400 error code." 
>>>
>>> I don't think that there's anything in my config that would justify 
>>> alerts of level 3 and 5 being sent. Do you know what could be wrong? We 
>>> will probably go back to having an email_alert_level of 7 with no custom 
>>> alerts and work from there. We receive a lot of events to this server; I'd 
>>> say about one every two or three seconds. Could that be a problem?
>>>
>>> Thank you for the reply, I'll be sure to keep you updated to document 
>>> the issue if anyone else has that problem,
>>>
>>> -- 
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Re: Email alerts are sent hourly

2017-07-12 Thread Alexis Lessard
The issue was indeed the email_maxperhour setting. My guess is, because we
basically told OSSEC to send every event to noreply@localhost. The default
threshold was reached pretty quickly, so all events after the threshold was
reached, until the end of the hour, were sent back to us in a big email. We
changed that setting to its maximum value, , and now we receive all
alerts we specified we wanted (although now we might have some tweaking to
do in our local_rules to adjust it to our needs), but at least, it works!

tl;dr: Ensure that the email_maxperhour setting in the global config is set
to an appropriate value. Default is 12.

2017-07-12 7:26 GMT-04:00 Jesus Linares :

> Hi Alexis,
>
> So, you are receiving alerts with level 3 in ourservice@domain, right?
> That doesn't make sense (I understand that email1, email2 or email3 is not
> ourservice@domain).
>
> Try to use: do_not_delay and do_not_group. Also, the email_maxperhour
> is 12 by default, maybe you should change it.
>
> In order to simplify the debug process, use only 1 custom email alert.
>
> Also, you can use the report settings instead of the email settings.
>
> OSSEC email options aren't that good...
>
>
>
> On Tuesday, July 11, 2017 at 10:27:41 PM UTC+2, Alexis Lessard wrote:
>>
>> Thanks for the tip! We tested it, but it doesn't seem to be working.
>> Here's what the configuration looks like now:
>>   
>> yes
>> noreply@localhost
>> smtpserver
>> ossec@domain
>>   
>>
>>   
>> email1
>> email2
>> email3
>> several, agents, name
>>   
>>
>>   
>> ourservice@domain
>> 9
>> 
>> 
>>   
>>
>>
>> email_alert_level was also set to 1. We received one level 10 alert
>> email by itself. However, there were several other level 10 alerts that we
>> didn't receive any notifications from, even though they appear in the alert
>> log. We then received an email report in ourservice@domain mailbox of
>> about 10 minutes worth of events, with several level 10 alerts in it, but
>> mostly a lot of alerts we have no need for, like
>> Rule: 31101 fired (level 5) -> "Web server 400 error code."
>>
>> I don't think that there's anything in my config that would justify
>> alerts of level 3 and 5 being sent. Do you know what could be wrong? We
>> will probably go back to having an email_alert_level of 7 with no custom
>> alerts and work from there. We receive a lot of events to this server; I'd
>> say about one every two or three seconds. Could that be a problem?
>>
>> Thank you for the reply, I'll be sure to keep you updated to document
>> the issue if anyone else has that problem,
>>
>> --
>

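
The hourly batching Alexis describes above, as an added Python model (not OSSEC's own code): email_alert_level and the per-recipient email_alerts conditions decide where an alert goes, and email_maxperhour decides whether it is mailed right away or held for one end-of-hour catch-up email. The alert stream, the rule ids and the raised cap used when calling it are constructed for illustration; grouping and delay (do_not_group / do_not_delay) are left out of the model.

```python
from collections import defaultdict

def make_alerts(n, every=3):
    """Constructed sample: level-3 noise plus a level-10 'attack' alert every 20th event."""
    alerts = []
    for i in range(n):
        attack = i % 20 == 19
        alerts.append({"ts": i * every, "level": 10 if attack else 3,
                       "rule_id": 40000 if attack else 31101,   # ids made up
                       "groups": {"attack"} if attack else {"web"}})
    return alerts

def route(alert, global_to, email_alert_level, custom):
    """Recipients of one alert: global email_to plus each matching email_alerts entry."""
    if alert["level"] < email_alert_level:      # below the global threshold: not mailed
        return set()
    rcpts = set(global_to)
    for rule in custom:
        if alert["level"] < rule.get("level", 0):
            continue
        if "group" in rule and rule["group"] not in alert["groups"]:
            continue
        if "rule_id" in rule and alert["rule_id"] != rule["rule_id"]:
            continue
        rcpts.add(rule["email_to"])
    return rcpts

def simulate(alerts, global_to, email_alert_level, custom, maxperhour):
    """{recipient: [emails]}, each email a list of alerts. The first maxperhour
    alerts of an hour are mailed at once; the rest wait for one hour-end batch."""
    sent, held = defaultdict(list), defaultdict(list)
    per_hour, cur_hour = 0, None
    for a in alerts:                            # assumed in timestamp order
        hour = a["ts"] // 3600
        if hour != cur_hour:                    # hour boundary: flush the backlog
            for r, batch in held.items():
                sent[r].append(batch)
            held.clear()
            per_hour, cur_hour = 0, hour
        rcpts = route(a, global_to, email_alert_level, custom)
        if rcpts and per_hour < maxperhour:
            per_hour += 1
            for r in rcpts:
                sent[r].append([a])             # immediate, one alert per mail
        else:
            for r in rcpts:
                held[r].append(a)               # over the cap: wait for the hour end
    for r, batch in held.items():               # end of stream: final flush
        sent[r].append(batch)
    return dict(sent)
```

With the thread's setup (everything to noreply@localhost, a level-9 custom alert to ourservice@domain, default cap 12) the first twelve level-3 events use up the hour's quota, so every later level-10 alert lands in one big end-of-hour email; raising the cap turns them back into individual mails.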


[ossec-list] Re: Email alerts are sent hourly

2017-07-12 Thread Jesus Linares
Hi Alexis,

So, you are receiving alerts with level 3 in ourservice@domain, right? That 
doesn't make sense (I understand that email1, email2 or email3 is not 
ourservice@domain).

Try to use: do_not_delay and do_not_group. Also, the email_maxperhour 
is 12 by default, maybe you should change it.

In order to simplify the debug process, use only 1 custom email alert.

Also, you can use the report settings instead of the email settings.

OSSEC email options aren't that good...



On Tuesday, July 11, 2017 at 10:27:41 PM UTC+2, Alexis Lessard wrote:
>
> Thanks for the tip! We tested it, but it doesn't seem to be working. 
> Here's what the configuration looks like now:
>   
> yes
> noreply@localhost
> smtpserver
> ossec@domain
>   
>
>   
> email1
> email2
> email3
> several, agents, name
>   
>
>   
> ourservice@domain
> 9
> 
> 
>   
>
>
> email_alert_level was also set to 1. We received one level 10 alert 
> email by itself. However, there were several other level 10 alerts that we 
> didn't receive any notifications from, even though they appear in the alert 
> log. We then received an email report in ourservice@domain mailbox of about 
> 10 minutes worth of events, with several level 10 alerts in it, but mostly 
> a lot of alerts we have no need for, like
> Rule: 31101 fired (level 5) -> "Web server 400 error code." 
>
> I don't think that there's anything in my config that would justify alerts 
> of level 3 and 5 being sent. Do you know what could be wrong? We will 
> probably go back to having an email_alert_level of 7 with no custom alerts 
> and work from there. We receive a lot of events to this server; I'd say 
> about one every two or three seconds. Could that be a problem?
>
> Thank you for the reply, I'll be sure to keep you updated to document the 
> issue if anyone else has that problem,
>
>



[ossec-list] Re: Email alerts are sent hourly

2017-07-11 Thread Alexis Lessard
Thanks for the tip! We tested it, but it doesn't seem to be working. Here's 
what the configuration looks like now:
  
yes
noreply@localhost
smtpserver
ossec@domain
  

  
email1
email2
email3
several, agents, name
  

  
ourservice@domain
9


  


email_alert_level was also set to 1. We received one level 10 alert email 
by itself. However, there were several other level 10 alerts that we 
didn't receive any notifications from, even though they appear in the alert 
log. We then received an email report in ourservice@domain mailbox of about 
10 minutes worth of events, with several level 10 alerts in it, but mostly 
a lot of alerts we have no need for, like
Rule: 31101 fired (level 5) -> "Web server 400 error code." 

I don't think that there's anything in my config that would justify alerts 
of level 3 and 5 being sent. Do you know what could be wrong? We will 
probably go back to having an email_alert_level of 7 with no custom alerts 
and work from there. We receive a lot of events to this server; I'd say 
about one every two or three seconds. Could that be a problem?

Thank you for the reply, I'll be sure to keep you updated to document the 
issue if anyone else has that problem,



[ossec-list] Re: Email alerts are sent hourly

2017-07-11 Thread Jesus Linares
Hi Alexis,

I'm not sure what is happening. Do a simple test. Set email_alert_level 
to 1, and configure only one custom alert:


yes
noreply@localhost
smtpserver
email1
  


  
email2
10


  

Generate an alert with level 10, you will receive:

   - all alerts in email1 (including alerts with level 10)
   - alerts with level 10 in email2
   

That is the theory.
I hope it helps.

Regards.

On Monday, July 10, 2017 at 8:35:26 PM UTC+2, Alexis Lessard wrote:
>
> Hi!
> We are trying to configure more effective notifications for OSSEC for our 
> needs. However, something weird is happening. An hourly report of ALL 
> alerts is being sent to one address in our config. Here's the email 
> configuration of our ossec.conf file:
>
>  
> yes
> noreply@localhost
> smtpserver
> os...@domain.com 
>   
>
>   
> email1
> email2
> email3
> several, agents, name
>   
>
>   
> our...@domain.com 
> 9
>   
>
>   
> email4
> 10
> 
> 
>   
>
>   
> our...@domain.com 
> 6
> attack
>   
>
>   
> 10100
> our...@domain.com 
>   
>
>
> Basically, here's what I'd like OSSEC to do:
>
>- Send an email for every level 9 or higher alert
>- Send an email for every matched rule from the attack group of level 6 
>or higher
>- Send an email for the rule 10100 which shows when a user is logged in 
>for the first time.
>- The other rules are for user specific needs. 
>
> I modified the email for this example, but in the file, they are your 
> usual name@domain format. We send every alert to noreply@localhost because 
> we want to control everything with custom alerts. The email_alert_level is 
> set to 0, so every alert is supposed to be sent to this address. But no 
> alert of a level 3 should be sent to our email box, right? Yet we receive 
> every alert at the same time (in the same email) every hour. It is being 
> sent to our...@domain.com as well as email4. Am I 
> doing something wrong here? Can OSSEC behave the way I want it to do?
>
> Thanks for the help!
>
