separate email address for agents

5 views
Skip to first unread message

Jason Vitz

unread,
Sep 13, 2007, 10:35:07 AM9/13/07
to ossec...@ossec.net
Hi,

I am wondering if there has been any thought given to allowing a
notification email address to be defined at the agent level. I like the
centralized maintenance of the server-agent, but if I have two server,
each belonging to a different department, each having their own admin,
then it would be great to have the department's admin email address
defined at the agent level and the global IT admin email address defined
at the server level. That way IT would get the alert notifications for
all the agents, but the department admins would only get the alerts
pertaining to their specific agent.

BTW... I love the product, especially active-response.

Best Regards,
--
Jason R. Vitz
Director, Client Services
Mindbridge
610-666-5262 ext.770
http://www.mindbridge.com

Peter M. Abraham

unread,
Sep 13, 2007, 3:46:20 PM9/13/07
to ossec-list
Greetings Jason:

This is a very good idea.

In the mean time since the alerts do include the server host name and
IP address in the email notification, would it be possible to have the
email go to a distribution list which is then parsed to determine the
actual distribution?

I.e. if your mail server is qmail, you can have shell code or calls to
Perl within your .qmail forward files where the email is examined, and
then sent to the right department / person.

Thank you.

Daniel Cid

unread,
Sep 13, 2007, 9:26:12 PM9/13/07
to ossec...@googlegroups.com, Jason Vitz
Hi Jason,

This feature is already implemented (granular e-mail alerting). Take a look at:

http://www.ossec.net/wiki/index.php/Know_How:GranularEmail

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

Jason Vitz

unread,
Sep 14, 2007, 11:42:50 AM9/14/07
to Daniel Cid, ossec...@googlegroups.com
Daniel,

Your granular options for the e-mail alerting are great! That was
exactly what I needed.

I just added the following to the OSSEC server ossec.conf file:
<email_alerts>
<email_to>firstde...@mycompany.com</email_to>
<event_location>192.168.0.1</event_location>
</email_alerts>

<email_alerts>
<email_to>secondd...@mycompany.com</email_to>
<event_location>192.168.0.2</event_location>
</email_alerts>

... and the <global> email address received all notifications, but the
"ip specific" addresses only received the alerts pertaining to their
machine.

You made my morning.

Thank you,


Jason R. Vitz
Director, Client Services
Mindbridge
610-666-5262 ext.770
http://www.mindbridge.com

Reply all
Reply to author
Forward
0 new messages