Email Notifications


Michael Whitehead

Jun 22, 2010, 10:09:35 AM
to ossec...@ossec.net
Hello, each time I go to restart my Ossec, I get a notification:


Received From: ossec->ossec-monitord
Rule: 502 fired (level 3) -> "Ossec server started."
Portion of the log(s):

ossec: Ossec started.

I also get level 5 notifications:

OSSEC HIDS Notification.
2010 Jun 21 10:03:25

Received From: ossec->/var/log/secure
Rule: 5710 fired (level 5) -> "Attempt to login using a non-existent user"
Portion of the log(s):

Jun 21 10:03:24 ossec sshd[18609]: Failed password for invalid user jimbo from 130.68.4.108 port 50939 ssh2



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2010 Jun 21 10:03:27

Received From: ossec->/var/log/secure
Rule: 5504 fired (level 5) -> "Attempt to login with an invalid user."
Portion of the log(s):

Jun 21 10:03:26 ossec sshd[18609]: pam_unix(sshd:auth): check pass; user unknown



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2010 Jun 21 10:03:27

Received From: ossec->/var/log/secure
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

I have everything set where it should not send me notifications for anything under level 7, and I have
tried the different suggestions with no luck. Would the best course of action be to copy these rules,
put them into the local_rules.xml file and then add in the do-not-email option?

Michael

Michael Whitehead

Jun 22, 2010, 10:11:56 AM
to ossec...@googlegroups.com

Assaf Flatto

Jun 23, 2010, 7:01:24 AM
to ossec list
What are your email settings?
If your email is the one in the
<global>
<email_notification>

you will get notifications about restarts.

Assaf
--

Assaf Flatto
Linux System Administrator


Michael Whitehead

Jun 23, 2010, 11:47:24 AM
to ossec...@googlegroups.com
That was such a simple fix. Thank you.

Justin C. Klein Keane

Jun 23, 2010, 11:32:35 AM
to ossec...@googlegroups.com

Hello,

Try looking at the specific log files for the rules mentioned in the
alerts. For instance if you look in rules/ossec_rules.xml you will find
rule 502 (the alert level 5 quoted below) and notice:

<rule id="502" level="3">
  <if_sid>500</if_sid>
  <options>alert_by_email</options>
  <match>Ossec started</match>
  <description>Ossec server started.</description>
</rule>

The rule specifically states to send an e-mail regardless of your
configuration. There are some syslog rules like this (at alert level 2)
that will send e-mail. You probably want to write some custom rules to
either override or extend this behavior by setting options to not send
e-mail. Hope this helps.

Cheers,

Justin C. Klein Keane

Sr. Information Security Specialist
Information Security and Unix Systems
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Room 520
Philadelphia, PA 19104
215.898.0236(p)
215.573.3166(f)


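Michael asked whether copying the offending rules into local_rules.xml with a do-not-email option is the right approach, and Justin's reply points at the alert_by_email option in rule 502. As an added example that is not from this thread or from the OSSEC project, the script below scans a rules file for rules carrying alert_by_email whose level is below a given email_alert_level and generates the local_rules.xml overrides (overwrite="yes" plus no_email_alert, copying the whole rule so its match conditions survive the overwrite); the sample rules XML is constructed in the shape of ossec_rules.xml, and the threshold of 7 is Michael's setting.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample in the shape of rules/ossec_rules.xml (not the real file).
SAMPLE_RULES = """<group name="ossec,">
  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
  </rule>
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>"""

def forced_email_rules(rules_xml, email_alert_level):
    """Return the <rule> elements that carry alert_by_email although their
    level is below email_alert_level: these mail you regardless of ossec.conf."""
    # A rules file may hold several <group> elements, so wrap them in one root.
    root = ET.fromstring("<rules>" + rules_xml + "</rules>")
    hits = []
    for rule in root.iter("rule"):
        level = int(rule.get("level", "0"))
        forced = any("alert_by_email" in (opt.text or "")
                     for opt in rule.findall("options"))
        if forced and level < email_alert_level:
            hits.append(rule)
    return hits

def local_rules_override(rules):
    """Build a local_rules.xml fragment: each rule is copied whole, because
    overwrite="yes" replaces the stock rule and its if_sid/match must come along;
    alert_by_email is swapped for no_email_alert."""
    group = ET.Element("group", name="local,")
    for rule in rules:
        new = copy.deepcopy(rule)
        new.set("overwrite", "yes")
        for opt in new.findall("options"):
            if "alert_by_email" in (opt.text or ""):
                new.remove(opt)
        ET.SubElement(new, "options").text = "no_email_alert"
        group.append(new)
    return ET.tostring(group, encoding="unicode")

if __name__ == "__main__":
    # Michael's threshold: nothing under level 7 should be mailed.
    print(local_rules_override(forced_email_rules(SAMPLE_RULES, email_alert_level=7)))
```

Drop the printed fragment into rules/local_rules.xml and restart OSSEC; rules that already sit at or above the threshold are left untouched.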

tanishk lakhaani

Jun 23, 2010, 2:06:35 PM
to ossec...@googlegroups.com

Hi !!!!


Regards

Tanny
