Hello, how to make an email alert with ssh login/logout/logfailed event?

az...@51ecommerce.com

Jun 28, 2017, 8:36:36 AM
to ossec-dev
Hello,

I've installed the Wazuh server on server A, and installed the OSSEC agent on server B.
I've changed the OSSEC config on server A:

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>3</email_alert_level>
  </alerts>

And I've opened UDP port 1514 and UDP port 514 in the security group on server A (in the Amazon EC2 backend).


Then I use ssh to log in to server B, and I can see that there are some new alerts in /var/ossec/logs/alerts.json about the login event in server A.


But I can't receive the email notification.



And the other question: can I keep the email_alert_level at 12 but still receive the ssh login (level 3)/logout (level 3)/login failed (level 5) events? Is it possible, and if so, how do I do it?


Thank you!

Pedro Sanchez

Jul 3, 2017, 8:30:45 AM
to osse...@googlegroups.com
Hi Azol,

Let me try to help you here.

Your setup looks nice. If you already have the alert in the alerts.json file, I believe your issue is related to the specific configuration of email notifications. Could you share your "email_*" settings?
You could check a detailed explanation of how to configure email alerts, levels and granularity here.

Regarding your second question, I assume you want to set the level so that you only receive alerts above level 12, but you want some exceptions for ssh login, logout and login failed. You could do it using a specific setting within your rule:
  • <options>alert_by_email</options>
Setting that option in your desired rules will trigger an email notification no matter what email_alert_level you have set.

Hope it helps.

Best regards,
Pedro.
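
The two points in this thread as a configuration sketch, added here as an example and not posted by either participant: the "email_*" settings the manager needs before any mail is sent, and child rules that carry alert_by_email so the ssh events are mailed while email_alert_level stays at 12. The mail addresses and SMTP host are placeholders, the local rule IDs 100100-100103 are arbitrary, and the parent SIDs are assumed from the stock ruleset and should be confirmed against the installed rules.

```xml
<!-- ossec.conf on the manager (server A).
     Addresses and SMTP host below are placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>secops@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <!-- General threshold stays high; the rules below are the exceptions. -->
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>

<!-- local_rules.xml on the manager.
     Parent SIDs assumed from the stock ruleset: 5715 sshd authentication
     success, 5716 sshd authentication failed, 5501/5502 PAM login session
     opened/closed. Note that 5501/5502 fire for any PAM service, not only
     sshd. Levels are kept the same as the parents. -->
<group name="local,syslog,sshd,">
  <rule id="100100" level="3">
    <if_sid>5715</if_sid>
    <options>alert_by_email</options>
    <description>sshd login succeeded (always emailed)</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>5716</if_sid>
    <options>alert_by_email</options>
    <description>sshd login failed (always emailed)</description>
  </rule>
  <rule id="100102" level="3">
    <if_sid>5501</if_sid>
    <options>alert_by_email</options>
    <description>Login session opened (always emailed)</description>
  </rule>
  <rule id="100103" level="3">
    <if_sid>5502</if_sid>
    <options>alert_by_email</options>
    <description>Login session closed (always emailed)</description>
  </rule>
</group>
```

Restart the manager after editing either file so the new settings and rules are loaded.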