Setting email


Evan

Apr 10, 2014, 9:03:53 PM4/10/14
to ossec...@googlegroups.com
Today I installed OSSEC on my server and I have these settings:

  <global>
    <email_notification>yes</email_notification>
    <email_to>my-email...@gmail.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossecm@scaver</email_from>
  </global>

  <email_alerts>
    <email_to>my-email...@gmail.com</email_to>
    <level>7</level>
  </email_alerts>

Near the end of the file I have these lines as well:

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>8</email_alert_level>
  </alerts>

But with these settings I get an email from OSSEC every 5 seconds and it's a Level 2 alert.  What do I need to configure so that I only get an email for level 7 and above?

Thanks,
Evan

Nicolas Zin

Apr 10, 2014, 10:16:13 PM4/10/14
to ossec-list
Which alert is it?

Does the alert have an "alert_by_email" option by any chance?


Evan

Apr 11, 2014, 10:23:40 AM4/11/14
to ossec...@googlegroups.com
All of them are like this one:

OSSEC HIDS Notification.
2014 Apr 11 00:48:55

Received From: my_host_name->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Apr 11 00:48:47 my_host_name kernel: iptables denied: IN=eth0 OUT= MAC=ff:3c:91:70:34:ec:84:38:af:0d:97:c1:09:11 SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=57740 PROTO=UDP SPT=455 DPT=123 LEN=56

(I replaced both IPs with x's)

Jan Andrasko

Apr 16, 2014, 4:28:29 AM4/16/14
to ossec...@googlegroups.com
Hello Evan,

Rule 1002 matches every log that contains one of these words:

<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>

and is by default configured to alert by email:

  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>

You can create a new local rule to override this, either only for iptables or for all events with ID 1002.

Jan
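
The local rule Jan describes, written out as an added example (this is not from the thread or from the OSSEC project's own rule set). It goes in /var/ossec/rules/local_rules.xml; the rule id 100100 is an assumed local id, and the first rule is the narrow iptables-only variant, the second the all-of-1002 variant.

```xml
<!-- Added example, not part of the original thread.
     Rule 1002 carries <options>alert_by_email</options>, which mails the alert
     regardless of <email_alert_level> in ossec.conf. A child rule that matches
     replaces the parent, and because the child does not carry alert_by_email
     the configured level threshold applies again. Rule id 100100 is assumed. -->
<group name="local,syslog,">

  <!-- Option A (narrow): only the iptables lines that were firing 1002.
       Stays at level 2, so it is still written to alerts.log but not mailed. -->
  <rule id="100100" level="2">
    <if_sid>1002</if_sid>
    <match>iptables denied</match>
    <options>no_email_alert</options>
    <description>iptables denied packet (logged, not mailed).</description>
  </rule>

  <!-- Option B (broad): replace rule 1002 itself, dropping alert_by_email.
       Every BAD_WORDS hit then obeys email_alert_level instead of always mailing.
       Use only one of A or B; B silences mail for all 1002 matches, not just iptables. -->
  <!--
  <rule id="1002" level="2" overwrite="yes">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  -->

</group>
```

After restarting OSSEC, paste the kernel line from Evan's alert into /var/ossec/bin/ossec-logtest to confirm that 100100 now fires instead of 1002.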

dan (ddp)

Apr 24, 2014, 11:32:47 AM4/24/14
to ossec...@googlegroups.com
On Wed, Apr 16, 2014 at 4:28 AM, Jan Andrasko <andr...@gmail.com> wrote:
> Hello Evan,
>
> rule 1002 matches every log which contains these words:
>
> <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal
> |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
>
> and is by default configured to aler by email
>
> <rule id="1002" level="2">
> <match>$BAD_WORDS</match>
> <options>alert_by_email</options>
> <description>Unknown problem somewhere in the system.</description>
> </rule>
>
> You can create new local rule to override this for either only iptables or
> all events with ID 1002
>

Which we consider a really bad idea.