Hi Michael,
Reply inline. On 2/24/07, Michael Starks <[EMAIL PROTECTED]> wrote:
Are multiple <e-mail_alerts> tags supported? For example, can I send it to two addresses if greater than level 10?
Yes, you can have as many email_alerts tags as you wish.
Similar to above, are multiple locations supported? So, can I have alerts for 10 hosts sent to two addresses if they are greater than level 10? How about wildcards within a tag?
Yes, the same applies for locations. You can have as many entries as you want. We use the os_match library for the event_location, so the following options are supported: http://www.ossec.net/wiki/index.php/Know_How:Regex_Readme
Two other things which would make this useful are a "short version" for pagers, and more granularity (by rule ID, time, etc.). I might, for example, want alerts that are greater than level ten to go to pager one for a set of ten hosts, and pager 2 for another set of 10, but only on weekdays after five and on weekends. The short version of the alert could have enough info in the subject to determine the criticality. I know this is asking a lot but I see that as being integral to incident response. Only bug me on weekends if it's a big problem, and if I'm likely sleeping, it had better be a real big problem! :)
We will keep this in mind for the next version... One feature at a time :) Thanks, -- Daniel B. Cid dcid ( at ) ossec.net
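To make the two answers above concrete, here is an added ossec.conf fragment (an illustration written for this page, not a configuration posted in the thread) that sends level 10 and higher alerts from one set of hosts to one address and from a second set to another, using several email_alerts blocks and os_match patterns in event_location. The host names, addresses, SMTP server and the global mail settings are placeholders and assumptions; the pattern syntax assumed is the os_match one from the linked Regex_Readme, where "|" is an OR and a pattern without "^" or "$" is a plain substring match against the alert's location string.

```xml
<ossec_config>
  <!-- Added example, not from the thread. Global mail delivery has to be
       enabled for any per-recipient email_alerts block to take effect.
       All addresses and hosts below are placeholders. -->
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>

  <!-- Block 1: alerts of level 10 or higher whose location contains
       any of the first host set go to pager one. -->
  <email_alerts>
    <email_to>pager1@example.com</email_to>
    <level>10</level>
    <!-- os_match: "|" separates alternatives; no anchor, so this is a
         substring match against the alert location (agent name / IP / file) -->
    <event_location>web01|web02|web03</event_location>
  </email_alerts>

  <!-- Block 2: same threshold, second host set, second address. -->
  <email_alerts>
    <email_to>pager2@example.com</email_to>
    <level>10</level>
    <event_location>db01|db02|db03</event_location>
  </email_alerts>

  <!-- Block 3: several blocks may name the same recipient, so one address
       can also receive a broader, higher-severity rule. "$" anchors the end
       of the location, so this matches alerts from auth.log on any host. -->
  <email_alerts>
    <email_to>pager1@example.com</email_to>
    <level>12</level>
    <event_location>auth.log$</event_location>
  </email_alerts>
</ossec_config>
```

One check worth doing after editing: the location string os_match is tested against is the full alert location (for agents it includes the agent name, its IP and the monitored file), so anchor with "^" only if the pattern really starts where that string starts; unanchored host names or "|" lists are the safer way to express "these ten hosts". The time-of-day and rule ID granularity asked for in the thread is not expressible in these blocks as described here, which is what the reply acknowledges.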