Re: [ossec-list] Not all alerts included in email

2017-09-29 Thread Ed Killian
Can you provide a link to how to set it up with elastic? On Fri, Sep 29, 2017 at 1:41 PM, dan (ddp) wrote: > On Fri, Sep 29, 2017 at 1:17 PM, Ed Killian > wrote: > > So what is your suggestion? Increase the number of emails per hour? > > > > That's a

Re: [ossec-list] Not all alerts included in email

2017-09-29 Thread dan (ddp)
On Fri, Sep 29, 2017 at 1:17 PM, Ed Killian wrote: > So what is your suggestion? Increase the number of emails per hour? > That's a start. maild isn't really setup to be an "on the hour" summary device. You can script that type of thing up easily, or use something like

Re: [ossec-list] Not all alerts included in email

2017-09-29 Thread Ed Killian
So what is your suggestion? Increase the number of emails per hour? On Fri, Sep 29, 2017 at 1:11 PM, dan (ddp) wrote: > On Fri, Sep 29, 2017 at 1:03 PM, Ed Killian > wrote: > > I think we have the settings so we only get one email per hour. > > From

Re: [ossec-list] Not all alerts included in email

2017-09-29 Thread dan (ddp)
On Fri, Sep 29, 2017 at 1:03 PM, Ed Killian wrote: > I think we have the settings so we only get one email per hour. > From /var/ossec/etc/ossec.conf: > > 1 > I think expecting maild to handle 4k+ alerts is overestimating its capabilities. > On Fri, Sep 29, 2017 at 12:52

Re: [ossec-list] Not all alerts included in email

2017-09-29 Thread Ed Killian
I think we have the settings so we only get one email per hour. From /var/ossec/etc/ossec.conf: 1 On Fri, Sep 29, 2017 at 12:52 PM, dan (ddp) wrote: > On Fri, Sep 29, 2017 at 12:49 PM, Ed Killian > wrote: > > I'm not sure what you mean. I am getting

Re: [ossec-list] Not all alerts included in email

2017-09-29 Thread dan (ddp)
On Fri, Sep 29, 2017 at 12:49 PM, Ed Killian wrote: > I'm not sure what you mean. I am getting an email every hour. > Generally there are emails sent when alerts happen, not just hourly. There is a limit to how many of these emails can be sent per hour (99 maybe?). If you

Re: [ossec-list] Not all alerts included in email

2017-09-29 Thread Ed Killian
I'm not sure what you mean. I am getting an email every hour. On Fri, Sep 29, 2017 at 12:46 PM, dan (ddp) wrote: > On Fri, Sep 29, 2017 at 11:12 AM, Ed Killian > wrote: > > Yes, and no. Let's say there is one level 10 alert. The subject will have > >

Re: [ossec-list] Not all alerts included in email

2017-09-29 Thread dan (ddp)
On Fri, Sep 29, 2017 at 11:12 AM, Ed Killian wrote: > Yes, and no. Let's say there is one level 10 alert. The subject will have > this in the text. And the email will have it in the body, but only if it has > happened so many minutes before the email was sent. If the event

Re: [ossec-list] Not all alerts included in email

2017-09-29 Thread Ed Killian
Yes, and no. Let's say there is one level 10 alert. The subject will have this in the text. And the email will have it in the body, but only if it has happened so many minutes before the email was sent. If the event happened at 10:58 AM and the email was sent on the hour at 11:00 AM, it will more
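Two messages on this page frame the same problem: the one just above describes a level 10 event at 10:58 AM that did not make it into the email sent on the hour at 11:00, and dan's reply earlier on the page says maild is not an on-the-hour summary tool and that such a summary can be scripted. The script below is an added example of that approach, written for this page and not code from OSSEC or from anyone on the thread. Instead of relying on maild's per-hour email cap, it reads the alerts log directly and reports every alert whose timestamp falls inside the previous full hour, so an alert logged two minutes before the run is still counted. It assumes the layout OSSEC writes to alerts.log (a record starts with `** Alert <epoch>.<n>:` and carries a `Rule: <id> (level <n>) -> '<description>'` line), a default minimum level of 7 chosen here to mirror a typical email alert threshold, and a constructed sample log embedded inline; the path `/var/ossec/logs/alerts/alerts.log` is the usual location but is only used when passed on the command line.

```python
"""Hourly OSSEC alert summary built from alerts.log (added example, not OSSEC code)."""
import re
import sys
import time
from collections import Counter

# Assumed alerts.log layout: record header and rule line (see OSSEC alerts.log).
ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.\d+: (.*)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

# Constructed sample, modelled on the alerts.log format; timestamps are UTC
# epochs for 2017-09-29 09:58, 10:58 and 10:59. Not a real capture.
SAMPLE_ALERTS_LOG = """\
** Alert 1506679080.1001: - syslog,sshd,authentication_failed,
2017 Sep 29 09:58:00 (web01) 10.0.0.5->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
Sep 29 09:58:00 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 4444 ssh2

** Alert 1506682680.1002: mail - syslog,sshd,authentication_failures,
2017 Sep 29 10:58:00 (web01) 10.0.0.5->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 203.0.113.7
Sep 29 10:58:00 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 4445 ssh2

** Alert 1506682740.1003: mail - ossec,syscheck,
2017 Sep 29 10:59:00 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""


def parse_alerts(text):
    """Return a list of {epoch, groups, rule, level, desc} dicts, one per record.

    The epoch in the '** Alert' header is used for time selection, so the
    summary is independent of the local-time string on the next line.
    """
    alerts, current = [], None
    for line in text.splitlines():
        header = ALERT_HEADER.match(line)
        if header:
            current = {"epoch": int(header.group(1)), "groups": header.group(2).strip(),
                       "rule": None, "level": None, "desc": None}
            alerts.append(current)
            continue
        rule = RULE_LINE.match(line) if current else None
        if rule:
            current["rule"] = int(rule.group(1))
            current["level"] = int(rule.group(2))
            current["desc"] = rule.group(3)
    # Records without a Rule line are incomplete (e.g. a write in progress); skip them.
    return [a for a in alerts if a["rule"] is not None]


def summarize(alerts, now, window=3600, min_level=7):
    """Select alerts with start <= epoch < now and level >= min_level.

    'now' is the run time; with window=3600 a run at 11:00 covers 10:00-10:59:59,
    so an alert at 10:58 is included rather than lost to a mailer cutoff.
    """
    start = now - window
    chosen = [a for a in alerts if start <= a["epoch"] < now and a["level"] >= min_level]
    return {
        "start": start,
        "end": now,
        "count": len(chosen),
        "max_level": max((a["level"] for a in chosen), default=0),
        "by_rule": Counter((a["rule"], a["level"], a["desc"]) for a in chosen),
    }


def render(summary):
    """Return (subject, body) for the summary; times are rendered in UTC."""
    fmt = lambda t: time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(t))
    subject = "OSSEC hourly summary: %d alerts, highest level %d" % (
        summary["count"], summary["max_level"])
    lines = ["Window: %s to %s" % (fmt(summary["start"]), fmt(summary["end"])), ""]
    # Highest severity first, then most frequent, so the subject's level is explained at the top.
    for (rule, level, desc), n in sorted(summary["by_rule"].items(),
                                         key=lambda kv: (-kv[0][1], -kv[1])):
        lines.append("%4d x rule %d (level %d): %s" % (n, rule, level, desc))
    return subject, "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 ossec_hourly.py [/var/ossec/logs/alerts/alerts.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS_LOG
    run_at = int(time.time()) if len(sys.argv) > 1 else 1506682800  # sample: 11:00 UTC
    subj, body = render(summarize(parse_alerts(text), run_at))
    print(subj)
    print(body)
```

Run it from cron on the hour and pipe the output to the mailer of your choice; because one message is produced per run, maild's per-hour email cap is never involved, and the selection window is defined by the alert's own timestamp rather than by when the mailer happened to flush.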

Re: [ossec-list] Not all alerts included in email

2017-09-29 Thread dan (ddp)
On Thu, Sep 28, 2017 at 11:45 AM, Ed Killian wrote: > I'm running on CentOS 7.3.1611 and using the atomic repo which has > ossec-hids-2.9.2-2082 and ossec-hids-server-2.9.2-2082. > I have done debugging and I'm seeing some things I think are strange. > If the condition I'm