Blocking certain alerts from certain server


Alan Steel

Feb 8, 2020, 12:12:40 PM
to Wazuh mailing list
Hello,

We are a very new Wazuh implementation, and are just learning our way around.

We are getting a lot of emailed Level 4 alerts from one of our webservers of the sort =

Received From: (webserverX) 0.0.0.0->/var/log/httpd/access_log
Rule: 31123 fired (level 4) -> "Web server 503 error code (Service unavailable)."
Src IP: 0.0.0.0

We don't need to get these emails.

What is the best way to stop these particular emails from being sent?

Thank you!

Daniel Melgarejo

Feb 10, 2020, 2:38:42 AM
to Wazuh mailing list
Hello Alan,

Firstly, thank you for using Wazuh. 

There is a configuration option that sets the minimum severity level for an alert to generate an email notification.

You can find it in /var/ossec/etc/ossec.conf, within the alerts configuration. The default configuration is:

<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>

Check that the <email_alert_level> option is not set to 4. If it is, you can modify the value, save the file and then restart Wazuh:

# /var/ossec/bin/ossec-control restart


Also, there are granular email options that allow very interesting configurations: https://documentation.wazuh.com/3.11/user-manual/manager/manual-email-report/#granular-email-options

I hope you find this information useful.

Regards,
                Daniel

Alan Steel

Feb 10, 2020, 2:38:55 PM
to Wazuh mailing list
Thank you for your response Daniel!

Currently, our config =

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>x.x.x.x</smtp_server>
    <email_from>wa...@company.com</email_from>
    <email_to>ossec.not...@company.com</email_to>
    <email_maxperhour>500</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>

I'm not sure in what way " <email_alert_level>10</email_alert_level>" in the <alerts> block is taking effect, because we are getting emails for lower levels.
If we set up a bunch of statements like the one below, would they override that setting, or are they separate/additive?

<email_alerts>
  <email_to>y...@example.com</email_to>
  <event_location>server1</event_location>
  <do_not_delay />
</email_alerts>

Can one combine parameters, such as <event_location>, <rule_id>, <group> and <level> in one <email_alerts> block?

Thanks again!

Daniel Melgarejo

Feb 11, 2020, 11:41:19 AM
to Wazuh mailing list
Hi Alan,

I think you are getting those emails due to this option that some rules have: <options>alert_by_email</options>. 

Can you tell me the rule IDs of those rules that you are not interested in? 
If that is the case, I think you can delete that option in the rule, but I recommend you do it in this way: https://documentation.wazuh.com/3.8/user-manual/ruleset/custom.html#changing-an-existing-rule
I can help you with that if you tell me the IDs.

For example, you can add this rule to /var/ossec/etc/rules/local_rules.xml to avoid receiving a level 3 alert (ID: 502):

<rule id="502" level="3" overwrite="yes">
  <if_sid>500</if_sid>
  <match>Ossec started</match>
  <description>Ossec server started.</description>
  <group>pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>


Now, moving on to the email_alerts options. Yes, you can combine the parameters in one <email_alerts> block. If you do, you will receive alerts if one of the parameters is true.
Also, you can use more than one <email_alerts> block. 
Note: if the alert level is lower than <email_alert_level> value, you will not receive it (if the rule does not have 'alert_by_email' option). 

Sorry for the delay.
Regards,
                Daniel.
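As an added example (my own helper, not Wazuh's code and not from this thread): a small Python script that scans Wazuh rule XML for the alert_by_email option Daniel mentions, applies the threshold-or-option check from his note, and generates the overwrite="yes" block for local_rules.xml with that option dropped. The rule text below is constructed sample data; the function names are mine.

```python
"""Find Wazuh rules that email regardless of <email_alert_level> and build an
overwrite rule (for /var/ossec/etc/rules/local_rules.xml) without that option."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Wazuh rule file (rule 502 is the one
# quoted in the thread; 503 is a made-up sibling without the email option).
SAMPLE_RULES = """
<group name="syslog,ossec,">
  <rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
  </rule>
  <rule id="503" level="3">
    <if_sid>500</if_sid>
    <match>Agent started</match>
    <description>Ossec agent started.</description>
  </rule>
</group>
"""

def parse_rules(xml_text):
    """Rule files contain several top-level <group> elements, so wrap them in one root."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return {r.get("id"): r for r in root.iter("rule")}

def rule_options(rule):
    return {o.text.strip() for o in rule.findall("options") if o.text}

def emailed_rules(rules):
    """IDs of rules carrying alert_by_email: these bypass <email_alert_level>."""
    return sorted(i for i, r in rules.items() if "alert_by_email" in rule_options(r))

def will_email(rule, email_alert_level):
    """Non-granular check as described in the thread: level threshold OR the option."""
    return int(rule.get("level")) >= email_alert_level or "alert_by_email" in rule_options(rule)

def overwrite_without_email(rule):
    """Same rule with overwrite="yes" and only the alert_by_email option removed."""
    new = ET.Element("rule", {"id": rule.get("id"), "level": rule.get("level"), "overwrite": "yes"})
    for child in rule:
        if child.tag == "options" and child.text and child.text.strip() == "alert_by_email":
            continue  # drop only the email option; every other child is kept verbatim
        new.append(child)
    return ET.tostring(new, encoding="unicode")

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("rules with alert_by_email:", emailed_rules(rules))
    print(overwrite_without_email(rules["502"]))
```

Point it at the real files with `parse_rules(open(path).read())` for each file in the ruleset directory to get the IDs Daniel asks for.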


