how to set up multiple e-mail?


hxh...@gmail.com

Jun 30, 2014, 3:08:32 AM
to ossec...@googlegroups.com
There are a number of servers, several administrators, how to set up multiple e-mail?

THANKS

dan (ddp)

Jun 30, 2014, 12:39:54 PM
to ossec...@googlegroups.com
On Mon, Jun 30, 2014 at 3:08 AM, <hxh...@gmail.com> wrote:
> There are a number of servers, several administrators, how to set up
> multiple e-mail?
>

Your email isn't detailed enough for me to be sure what you're asking.
Maybe granular email?
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html

> THANKS

Christian Hettler

Jul 4, 2014, 6:45:54 AM
to ossec...@googlegroups.com
After some tests and readthedocs and looking into the source there are
some differences between the docs and the source and between
<email_alerts> and <reports>.

1. email_alerts

(a) from the docs
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html#element-email_alerts

"email_to

E-Mail recipients of alerts

Allowed: Any valid e-mail address"

The plural is misleading. You can specify exactly one email address
within <email_to></email_to>. It's later passed to "RCPT TO: <%s>" which
handles exactly one email address.

(b) from the src
src/config/email-alerts-config.c (~ line 120):

    else if(strcmp(node[i]->element, xml_email_to) == 0)
    {
        os_strdup(node[i]->content, Mail->gran_to[granto_size -1]);
    }

If you specify multiple <email_to></email_to> the last one wins.

(c) from the tests
(b) wins

2. reports

(a) from the docs
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.reports.html#element-email_to

"email_to

The email address to send the completed report.

This is a required field for a report to function.

Allowed: Any email address"

You can specify exactly one email address within <email_to></email_to>.
You can use <email_to></email_to> more than once, which isn't documented here.
But look at the code.

(b) from the src
src/config/reports-config.c (~ line 213):

    else if(strcmp(node[i]->element, xml_email) == 0)
    {
        mon_config->reports[s]->emailto = os_AddStrArray(node[i]->content, mon_config->reports[s]->emailto);
    }

Multiple <email_to></email_to> are copied to an array and multiple
"RCPT TO" fields are generated in src/os_maild/sendcustomemail.c (~ line 159).

(c) from the tests
(b) wins


Conclusion:
one email address for email_alerts
multiple email addresses for reports

A workaround would be an entry for (every) email_alerts in /etc/aliases.
A better solution will be a code consolidation.

Christian
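
The findings in the message above, turned into a configuration check (an added example, not part of the original thread and not OSSEC project code). It flags `<email_alerts>` blocks where all but the last `<email_to>` would be ignored, and any `<email_to>` holding more than one address; the function name, the sample config and the addresses are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config (not from the thread); addresses are placeholders.
SAMPLE_CONF = """
<ossec_config>
  <email_alerts>
    <email_to>admin1@example.com</email_to>
    <email_to>admin2@example.com</email_to>
    <level>10</level>
  </email_alerts>
  <email_alerts>
    <email_to>a@example.com, b@example.com</email_to>
    <level>12</level>
  </email_alerts>
</ossec_config>
<ossec_config>
  <reports>
    <title>Daily report</title>
    <email_to>admin1@example.com</email_to>
    <email_to>admin2@example.com</email_to>
  </reports>
</ossec_config>
"""

def lint_email_to(conf_text):
    """Return (block, index, message) findings for <email_to> usage."""
    # ossec.conf may hold several <ossec_config> roots; wrap them so it parses.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    findings = []
    for tag in ("email_alerts", "reports"):
        for idx, block in enumerate(root.iter(tag), start=1):
            rcpts = [(e.text or "").strip() for e in block.findall("email_to")]
            # Each value ends up in one "RCPT TO: <%s>", so it must be one address.
            for r in rcpts:
                if len(re.split(r"[,;\s]+", r)) > 1 or not r:
                    findings.append((tag, idx, "not a single address: %r" % r))
            # Per the source quoted above, email_alerts keeps only the last email_to.
            if tag == "email_alerts" and len(rcpts) > 1:
                findings.append((tag, idx, "only %s is used; ignored: %s"
                                 % (rcpts[-1], ", ".join(rcpts[:-1]))))
    return findings

if __name__ == "__main__":
    for tag, idx, msg in lint_email_to(SAMPLE_CONF):
        print("%s #%d: %s" % (tag, idx, msg))
```
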

BBcan177

Jul 6, 2014, 12:55:21 AM
to ossec...@googlegroups.com, christia...@asknet.de
You can also set up a "Distribution Email List" if you have your own mail server and forward to the admins of your choice from there.

dan (ddp)

Jul 7, 2014, 8:05:46 AM
to ossec...@googlegroups.com
Great idea! https://github.com/ossec/ossec-hids

> Christian

hxh...@gmail.com

Jul 10, 2014, 10:37:02 PM
to ossec...@googlegroups.com, christia...@asknet.de

On Sunday, July 6, 2014 at 12:55:21 PM UTC+8, BBcan177 wrote:
> You can also set up a "Distribution Email List" if you have your own mail server and forward to the admins of your choice from there.

Please, what software would achieve this? I now use a Gmail filter to meet this need, but Google is very unstable in China; it is often blocked by the government.

hxh...@gmail.com

Jul 10, 2014, 11:46:39 PM
to ossec...@googlegroups.com

Level 15 alerts from agent007 without delay or grouping:

<email_alerts>
  <email_to>email_address</email_to>
  <event_location>001</event_location>
  <level>15</level>
  <do_not_delay />
  <do_not_group />
</email_alerts>

It does not work!
What's wrong?

dan (ddp)

Jul 11, 2014, 7:55:02 AM
to ossec...@googlegroups.com
On Thu, Jul 10, 2014 at 11:46 PM, <hxh...@gmail.com> wrote:
> Level 15 alerts from agent007 without delay or grouping:
>
> <email_alerts>
> <email_to>email_address</email_to>
> <event_location>001</event_location>
> <level>15</level>
> <do_not_delay />
> <do_not_group />
> </email_alerts>
>
> It does not work!
>
> What's wrong?
>

What happens when the agent with id 001 triggers a level 15 alert? Are
you sure that agent triggered a level 15 alert? Did you restart the
OSSEC processes on the manager after adding the above? Try restarting
them again, make sure the ossec-maild process actually restarts.