I have a problem with my OSSEC server.
The ossec.conf is pretty default. I only changed the email to address.
This is the only alerts group in the file:
<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>7</email_alert_level>
</alerts>
Still I'm receiving "ossec agent started" emails from the server,
which are level 3. I checked out the specific rule, but I don't see any
indication why it should send me these mails.
Any idea where I should start my quest?
Thanks,
Frank Spierings
Thanks,
- Cheers
Clayton Dillard
On 7/25/07, Will Froning <will.f...@gmail.com> wrote:
> Hello All,
>
> Here's a "me too" message on this. Server/agent with the most recent
> snapshot I could find running on Solaris 10.
>
I just confirmed that this is still happening with
ossec-hids-070722.tar.gz. Any suggestions on tracking this down?
Thanks,
Will
> --
> Will Froning
> Unix SysAdmin
> Will.F...@GMail.com
> MSN: wfro...@angui.sh
> YIM: will_froning
> AIM: willfroning
>
--
Will Froning
Unix SysAdmin
Will.F...@GMail.com
MSN: wfro...@angui.sh
YIM: will_froning
AIM: willfroning
If I am not misunderstanding the problem, this is not a bug on ossec,
but it happens because some rules have:
<options>alert_by_email</options>
to bypass the default e-mail alerting level.
Check out:
http://www.ossec.net/ossec-list/2007-July/msg00034.html
http://www.ossec.net/ossec-list/2007-July/msg00035.html
If that's not it, let me know and we can try to figure out what is happening...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/26/07, Daniel Cid <danie...@gmail.com> wrote:
>
> Hey,
>
> If I am not misunderstanding the problem, this is not a bug on ossec,
> but it happens because some rules have:
>
> <options>alert_by_email</options>
>
> to bypass the default e-mail alerting level.
>
> Check out:
> http://www.ossec.net/ossec-list/2007-July/msg00034.html
> http://www.ossec.net/ossec-list/2007-July/msg00035.html
>
> If that's not it, let me know and we can try to figure out what is happening...
>
That was it. My bad. So I found one of the offending rules in
rules/msauth_rules.xml. How would I go about disabling it for just
one server?
The example is, we have a terminal server where potentially over 1000
new users may use it in a semester. For these types of servers it
wouldn't provide any additional information to send me 1000 of the
below messages as it's normal:
Received From: (termsrv1) 192.168.35.40->WinEvtLog
Rule: 18119 fired (level 3) -> "First time this user logged in this system."
This is a Solaris 10 server with W2k3 agent.
The manual and list archives didn't clue me in, so any help would be great.
Thanks,
Will
You need to create a local rule to ignore/change it. Our FAQ has
information about it:
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
My presentation at AusCERT also helps to understand it:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
A step by step in your case would be:
1- Edit /var/ossec/rules/local_rules.xml and add the following:
<group name="local">
  <rule id="100101" level="3">
    <if_sid>18119</if_sid>
    <hostname>termsrv1</hostname>
    <description>First time this user logged in this system -- no email alert</description>
  </rule>
</group>
2- Restart ossec.
By making this change, all "first time" alerts from host termsrv1 will have only a
severity of 3, without the "alert_by_email" option...
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
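To make the mechanism Daniel describes concrete, here is an added example (not OSSEC's own code) that models how the e-mail decision comes out: a rule carrying alert_by_email is mailed regardless of email_alert_level, while a local child rule selected via if_sid plus hostname replaces the parent and, lacking that option, is not mailed. The rule 18119 fragment is a constructed approximation of the stock rule (only its id, level, description and option are taken from the thread), and hostname matching is simplified to exact equality.

```python
"""Model of how OSSEC decides whether an alert is e-mailed (added example)."""
import xml.etree.ElementTree as ET

EMAIL_ALERT_LEVEL = 7  # <email_alert_level> from the poster's ossec.conf

# Constructed stand-in for the stock rule in rules/msauth_rules.xml.
STOCK_RULES = """<group name="windows">
  <rule id="18119" level="3">
    <options>alert_by_email</options>
    <description>First time this user logged in this system.</description>
  </rule>
</group>"""

# Daniel's suggested local override, as given in the thread.
LOCAL_RULES = """<group name="local">
  <rule id="100101" level="3">
    <if_sid>18119</if_sid>
    <hostname>termsrv1</hostname>
    <description>First time this user logged in this system -- no email alert</description>
  </rule>
</group>"""


def load_rules(*xml_docs):
    """Parse rule groups into {id: {level, options, if_sid, hostname}}."""
    rules = {}
    for doc in xml_docs:
        for r in ET.fromstring(doc).iter("rule"):
            rules[r.get("id")] = {
                "level": int(r.get("level")),
                "options": (r.findtext("options") or "").split(),
                "if_sid": r.findtext("if_sid"),
                "hostname": r.findtext("hostname"),
            }
    return rules


def match_rule(rules, base_sid, hostname):
    """Most specific rule wins: a child whose if_sid points at base_sid and
    whose hostname (if any) matches replaces the parent. Real OSSEC uses a
    pattern match on hostname; this model uses exact equality."""
    for rid, r in rules.items():
        if r["if_sid"] == base_sid and r["hostname"] in (None, hostname):
            return rid
    return base_sid


def sends_email(rules, rid):
    """Mail if the level reaches the threshold OR the rule forces it."""
    r = rules[rid]
    return r["level"] >= EMAIL_ALERT_LEVEL or "alert_by_email" in r["options"]


def decide(rules, base_sid, hostname):
    rid = match_rule(rules, base_sid, hostname)
    return rid, sends_email(rules, rid)
```

Running `decide(load_rules(STOCK_RULES, LOCAL_RULES), "18119", "termsrv1")` yields the local rule with no mail, while any other host still hits 18119 and is mailed despite being level 3.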