change alerts to only forward level => 4


SR

Jan 18, 2018, 5:41:26 PM
to Wazuh mailing list
I have changed the alert level to 4 but I am still getting alerts of level 4 and above. Do alerts fire for level 4 and above with this setting?


<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>4</email_alert_level>
</alerts>


Can we try something like this? Will that work? Please let me know.


<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level> =>4 </email_alert_level>
</alerts>

Victor Fernandez

Jan 19, 2018, 12:54:57 PM
to SR, Wazuh mailing list
Hi,

Following the documentation (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/alerts.html#email-alert-level), the option <email_alert_level> sets the minimum level of an alert to produce an email. So if you set this option to 4, you'll get alerts of level 4 and above.

Unfortunately, that option does not support a formula. Could you tell us what you need?

Best regards,

Victor M Fernandez-Castro 
IT Engineer — Wazuh, Inc.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c60c8975-016a-4037-91c3-62f401f4fab7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


SR

Jan 19, 2018, 4:48:37 PM
to Wazuh mailing list
Hi Victor,

Thank you for the details. I want to set the alert level so that it alerts only on level 4 and less. Currently I am not able to make it work. Is there any way we can do this?

This is the current setting and getting alerts above level 4.

<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level> 4 </email_alert_level>
</alerts>


Victor Fernandez

Jan 20, 2018, 6:10:31 AM
to SR, Wazuh mailing list
Hi,

Unfortunately, there is no such option for this case. Those options set the minimum level to trigger an alert.

But if you want to completely ignore alerts with level 5 or above (even in the alert log), I suggest you create custom rules to ignore alerts by level.

For instance, adding this rule into /var/ossec/etc/rules/local_rules.xml:

<rule id="100005" level="0">
  <if_level>5</if_level>
  <description>Silenced level-5 rule.</description>
</rule>

Wazuh will ignore every alert with level 5. You may simply add more rules to ignore alerts with levels 5 to 15.

I hope it helps. Nevertheless, I'm curious: what exactly is your use case?

Best regards,


Victor M Fernandez-Castro 
IT Engineer — Wazuh, Inc.


Sowmya.R

Jan 21, 2018, 8:53:46 PM
to Victor Fernandez, Wazuh mailing list
Hi Victor,

Will try to set this configuration and get back to you.


The use case is to forward alerts => 4 to the #security-alerts channel in Slack to avoid too much noise.

Thanks,

SR

Sowmya.R

Jan 24, 2018, 6:37:42 PM
to Victor Fernandez, Wazuh mailing list

Hi Victor,


I tried setting the above configuration and I still see an alert received for level 8. As per the doc below, it should not alert, right?



[Inline image: screenshot of the referenced documentation]

Thanks,

SR

Dmitriy

Jan 26, 2018, 6:24:13 AM
to Wazuh mailing list
Hi. To solve the problem of sending alerts with different parameters to different channels, I set up ElastAlert; it is a very good tool for searching Elasticsearch and receiving alerts in Slack. I don't know how you use Wazuh, but I did it in Docker.

On Thursday, January 25, 2018, 2:37:42 UTC+3, SR wrote:

alberto....@wazuh.com

Feb 19, 2018, 1:12:54 PM
to Wazuh mailing list
Hello SR

You are still getting alerts with level 8 because the configuration provided by Victor silences only level 5. You need to include the configuration also for levels 6, 7 and 8 (or whatever you want).

So, in order to provide you with a configuration that works, are you comfortable having no alerts above level 4? It's something that we don't recommend, but it is a possibility:

- Having alerts only from level 1 to 4. 
- Send all alerts by email. 

This achieves the goal of having only alerts of level <= 4 in email.

Best regards, 
Alberto R. 
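As an added example (my own code, not code from the thread or from Wazuh), the following Python script generates the per-level silencing rules Victor and Alberto describe: one level-0 rule per level from a chosen minimum up to 15, with sequential IDs starting at 100005 (the ID used in the thread; the starting ID and the group name "local,silence," are assumptions of this example), and then parses the result back to confirm which levels and IDs are covered.

```python
import xml.etree.ElementTree as ET

# Wazuh reserves rule IDs 100000-120000 for custom (local) rules; 100005 is the
# ID used in the thread and is taken as the (assumed) starting ID here.
FIRST_CUSTOM_ID = 100005
MAX_LEVEL = 15  # the thread's upper bound for per-level silencing rules


def build_silence_rules(min_level, max_level=MAX_LEVEL, first_id=FIRST_CUSTOM_ID):
    """Return a <group> block for local_rules.xml with one level-0 rule per level.

    Each rule follows the shape suggested in the thread: <if_level>N</if_level>
    and level="0", so matching alerts are downgraded to level 0, which the
    manager neither logs nor emails. The group name is an assumption.
    """
    if not 1 <= min_level <= max_level <= 16:
        raise ValueError("levels must satisfy 1 <= min_level <= max_level <= 16")
    last_id = first_id + (max_level - min_level)
    if not 100000 <= first_id <= last_id <= 120000:
        raise ValueError("custom rule IDs must stay within 100000-120000")
    lines = ['<group name="local,silence,">']
    for offset, level in enumerate(range(min_level, max_level + 1)):
        rule_id = first_id + offset
        lines += [
            f'  <rule id="{rule_id}" level="0">',
            f'    <if_level>{level}</if_level>',
            f'    <description>Silenced level-{level} rule.</description>',
            '  </rule>',
        ]
    lines.append('</group>')
    return "\n".join(lines) + "\n"


def silenced_levels(rules_xml):
    """Parse a generated block and return the set of levels it silences (sanity check)."""
    root = ET.fromstring(rules_xml)
    return {
        int(rule.find("if_level").text)
        for rule in root.iter("rule")
        if rule.get("level") == "0" and rule.find("if_level") is not None
    }


def rule_ids(rules_xml):
    """Return the rule IDs in the block, to check they are unique and in range."""
    return [int(rule.get("id")) for rule in ET.fromstring(rules_xml).iter("rule")]


if __name__ == "__main__":
    block = build_silence_rules(5)  # silence levels 5..15 as Victor suggested
    assert silenced_levels(block) == set(range(5, 16))
    print(block, end="")
```

Paste the printed block into /var/ossec/etc/rules/local_rules.xml and restart the manager; the ID-range check exists because IDs outside 100000-120000 collide with the shipped ruleset.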

SR

Apr 6, 2018, 2:54:56 PM
to Wazuh mailing list
Hi,

Once again me :)


<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>4</email_alert_level>
</alerts>


I am using the Wazuh Puppet module to set up Wazuh on my system. I see that in the module log_alert_level is hard-coded to 3.
Can I override this <log_alert_level> in the same way?

/var/ossec/etc/rules/local_rules.xml:

<rule id="100005" level="0">
  <if_level>3</if_level>
  <description>Silenced level-3 rule.</description>
</rule>

Please confirm.

Thanks,
SR

Miguelangel Freitas

Apr 6, 2018, 5:45:42 PM
to SR, Wazuh mailing list
Hi SR,

The <log_alert_level> option is used to configure from which severity level the manager will generate alerts. By default it is set to 3, but you can change it according to your needs, for example:

<log_alert_level>4</log_alert_level>

This will populate alerts.log or alerts.json with alerts from level 4 and above. The rule from your email will have similar behavior and will suppress only events with level 3.

I hope it helps.

Miguelangel Freitas


SR

Apr 6, 2018, 5:58:59 PM
to Wazuh mailing list
Yes, on the server I can directly set <log_alert_level> to 4.

But in the upstream Puppet module code it's hard-coded, not parameterized :)



<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level><%= @ossec_email_alert_level %></email_alert_level>
</alerts>

'ossec.conf_header':
  order   => 00,
  content => "<ossec_config>\n";
'ossec.conf_agent':
  order   => 10,
  content => template('wazuh/wazuh_manager.conf.erb');
'ossec.conf_footer':
  order   => 99,
  content => '</ossec_config>';

To overcome this I was thinking of silencing level 3 alerts in local_rules.xml:

<rule id="100005" level="0">
  <if_level>3</if_level>
  <description>Silenced level-3 rule.</description>
</rule>

So wazuh-manager should not log alerts of level 3. Does this serve my purpose? Please let me know.

I want to automate in puppet.

Miguelangel Freitas

Apr 6, 2018, 6:11:12 PM
to SR, Wazuh mailing list
Hi,

Yes, as you say, with that rule you will suppress events of level 3.

Regards,

Miguelangel Freitas


SR

Apr 12, 2018, 2:43:11 PM
to Wazuh mailing list
Hi ,

Thank you for confirming. After setting up the configuration below -

I have set level 3 alerts to be silenced in local_rules.xml:


<rule id="100005" level="0">
  <if_level>3</if_level>
  <description>Silenced level-3 rule.</description>
</rule>


The email received looks like the one below, where I see alert level 3 in the content of the email but not in the email subject:


---------- Forwarded message ----------
From: Wazuh <wa...@xx.xx.xx.xx>
Date: Wed, Apr 11, 2018 at 5:07 PM
Subject: OSSEC Notification - (test02.dev.xxx.xxxx.com) any - Alert level 7



Wazuh Notification.
2018 Apr 12 00:06:54

Received From: (test02.dev.xxx.xxxx.com) any->ossec
Rule: 503 fired (level 3) -> "Ossec agent started."
Portion of the log(s):

ossec: Agent started: 'test02.dev.xxx.xxxx.com->any'.



 --END OF NOTIFICATION



Wazuh Notification.
2018 Apr 12 00:06:54

Received From: (test02.dev.xxx.xxxx.com) any->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/var/ossec/etc/ossec.conf'
Old md5sum was: 'fe45d954beb6082a289eaa3c9375866f'
New md5sum is : '97b62464e9fda184bf4976300144c4c5'
Old sha1sum was: 'aae0242375ff2c4e975105b9e397e037146d2e2a'
New sha1sum is : '9b111dfb1cdaf67fbd3ce0aff58401cf9de1de32'


This alert was triggered at the same time for two alert levels inside the email content.

Thanks,
SR

Miguelangel Freitas

Apr 12, 2018, 5:17:38 PM
to SR, Wazuh mailing list
Hi SR,

There are some rules that, independently of the email or global configuration, will trigger a notification email. For example, in your case rule 503 is configured to send a notification email when it's triggered:

<rule id="503" level="3">
  <if_sid>500</if_sid>
  <options>alert_by_email</options>
  <match>Agent started</match>
  <description>Ossec agent started.</description>
  <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,</group>
</rule>


An option is to create a new rule to overwrite that one:

<rule id="503" level="3" overwrite="yes">
  <if_sid>500</if_sid>
  <options>no_email_alert</options>
  <match>Agent started</match>
  <description>Ossec agent started.</description>
  <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,</group>
</rule>

In addition, the manager will group several alerts into the same email unless you configure the do_not_group setting: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/email_alerts.html#do-not-group

I hope it helps,

Best Regards,

Miguelangel Freitas

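Added example (my own code, not Wazuh's and not from the thread): a small Python tool that scans a rule file for rules carrying <options>alert_by_email</options> below a chosen email_alert_level, i.e. the rules that will keep emailing regardless of the threshold, and emits the overwrite="yes" copies with no_email_alert that Miguelangel describes. The sample rule text is constructed for this example: rule 503 is copied from the thread, and rule 100100 is invented to show a rule above the threshold that must be left alone.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample: rule 503 as quoted in the thread, plus an invented rule
# (id 100100, level 12) that is above the threshold and must be left untouched.
SAMPLE_RULES = """\
<group name="ossec,">
  <rule id="503" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Agent started</match>
    <description>Ossec agent started.</description>
    <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,</group>
  </rule>
</group>

<group name="local,">
  <rule id="100100" level="12">
    <if_sid>5700</if_sid>
    <options>alert_by_email</options>
    <description>Constructed high-severity rule.</description>
  </rule>
</group>
"""


def parse_rule_file(text):
    """Wazuh rule files hold several top-level <group> elements, so they are not
    a single XML document; wrap them in a dummy root before parsing."""
    return ET.fromstring("<ruleset>" + text + "</ruleset>")


def rule_options(rule):
    """Collect the <options> values of a rule (one option per tag in Wazuh)."""
    return {opt.text.strip() for opt in rule.findall("options") if opt.text}


def rules_forcing_email(text, email_alert_level):
    """Return [(id, level)] for rules below email_alert_level that email anyway
    because they carry alert_by_email."""
    hits = []
    for rule in parse_rule_file(text).iter("rule"):
        level = int(rule.get("level", "0"))
        if "alert_by_email" in rule_options(rule) and level < email_alert_level:
            hits.append((rule.get("id"), level))
    return hits


def overwrite_without_email(rule):
    """Return the XML of a full copy of the rule with overwrite="yes" and
    no_email_alert in place of alert_by_email. The whole rule is reproduced
    because an overwrite replaces the original rule body entirely."""
    new = copy.deepcopy(rule)
    new.set("overwrite", "yes")
    new.tail = None
    for opt in new.findall("options"):
        if opt.text and opt.text.strip() == "alert_by_email":
            opt.text = "no_email_alert"
    return ET.tostring(new, encoding="unicode")


def generate_overwrites(text, email_alert_level):
    """Emit overwrite rules for every rule that rules_forcing_email() flags."""
    wanted = {rid for rid, _ in rules_forcing_email(text, email_alert_level)}
    return [
        overwrite_without_email(rule)
        for rule in parse_rule_file(text).iter("rule")
        if rule.get("id") in wanted
    ]


if __name__ == "__main__":
    for block in generate_overwrites(SAMPLE_RULES, 4):
        print(block)
```

Run it against the contents of /var/ossec/ruleset/rules/*.xml with your real email_alert_level to list every rule that bypasses the threshold, then place the emitted blocks inside a <group> in local_rules.xml. The level in the copy is kept unchanged on purpose, so the alert still reaches alerts.log.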

SR

Apr 13, 2018, 12:17:54 PM
to Wazuh mailing list
Hi Miguelangel,

Thank you for sharing the details.

I basically need to overwrite the rules for which we don't need email notification.

In my setting below, do you think I need to set level="3"?

<rule id="100005" level="0">
  <if_level>3</if_level>
  <description>Silenced level-3 rule.</description>
</rule>


For the do_not_group setting I tried to add this block of code in ossec.conf after the <alerts> block, but I am facing an issue in Wazuh manager startup:

<email_alerts>
  <do_not_group/>
</email_alerts>
Thanks,
SR

Miguelangel Freitas

Apr 14, 2018, 12:36:46 PM
to SR, Wazuh mailing list
Hi SR,

In that case, as you want to suppress the email notification for the rules where alert_by_email is enabled, you must overwrite those rules like the example in my last email:

<rule id="503" level="3" overwrite="yes">
  <if_sid>500</if_sid>
  <options>no_email_alert</options>
  <match>Agent started</match>
  <description>Ossec agent started.</description>
  <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,</group>
</rule>
In addition, do_not_group affects the granular email setting, which means that it should be set in the same context, for example:

<email_alerts>
  <email_to>recipient@example.wazuh.com</email_to>
  <email_to>recipient2@example.wazuh.com</email_to>
  <level>12</level>
  <group>sshd,</group>
  <do_not_group/>
</email_alerts>
I hope this helps.

Best Regards,


Miguelangel Freitas


jesus.g...@wazuh.com

May 4, 2018, 8:16:51 AM
to Wazuh mailing list
Hello again @SR,

I think we didn't explain the alert level problem as well as you need, or maybe you didn't understand it as well as we thought. In any case, what I understand
from your last message is that you want to ignore all alerts with level 3?

You could simply increase your minimum level on the ossec.conf file as follow:

<alerts>
  <log_alert_level>4</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>

Look at the log_alert_level tag: I've replaced 3 by 4; this way we are ignoring level 3 alerts. Once done,
please restart the Wazuh manager:

# /var/ossec/bin/ossec-control restart

From now on you shouldn't see level 3 alerts any more.

If this is not what you meant, please let us know and we'll try to give you a better solution.

Hope it helps.

Regards,
Jesús


SR

May 4, 2018, 1:47:39 PM
to Wazuh mailing list
Hi Jesus,

Yes, I am aware that increasing <log_alert_level> to 4 will fix the problem.

But in my case I am using the Puppet module for setup, and the value 3 of log_alert_level is not parameterized, so I can't override it directly from the upstream module. That is why I was asking whether there is any way to override this alert level instead of touching the ossec.conf file.

Thanks,
SR

jesus.g...@wazuh.com

May 7, 2018, 4:44:59 AM
to Wazuh mailing list
Hello again @SR,

Maybe you didn't know, but there is a command which could help you:

sed -i 's:<log_alert_level>3</log_alert_level>:<log_alert_level>4</log_alert_level>:g' /var/ossec/etc/ossec.conf

If you are able to execute it in your Puppet deployment process, it will do the work for you. For a better understanding, I'm going to explain the above command a bit:

The command sed is a stream editor. The flag -i means the changes are persisted to the file. Next we have 's:old_string:new_string:g', and finally we have the target file,
in this case the ossec.conf of the Wazuh manager.

If you can't use it on your deployment we can find a different solution. Also remember you need to restart the Wazuh manager whenever you modify the ossec.conf file.

Best regards,
Jesús