Hi Dimitris,

1. Have you looked at the email_maxperhour and do_not_group options?
http://www.ossec.net/main/manual/configuration-options
http://www.ossec.net/wiki/Know_How:GranularEmail

2. Have you looked at the logall option?
http://www.ossec.net/main/manual/configuration-options
http://www.ossec.net/doc/faq/ossec.html

Hope that helps!

Thanks,
--
Doug Burks, GSE, CISSP | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org

On Tue, Nov 29, 2011 at 8:47 AM, Dimitris Chontzopoulos
<dchontzopou...@euronetworldwide.com> wrote:
> Hey guys,
>
> I was wondering if you guys could help me out with some questions I have
> regarding OSSEC...
>
> Q1. Even though I've changed 'maild.groupping=1' to 'maild.groupping=0' in
> the configuration file "internal_options.conf" and restarted OSSEC, I keep
> getting grouped events via e-mail. Any ideas what I'm missing? In my opinion,
> alerts should be sent out (emailed) and logged one-by-one and not in 'bulk',
> because we'll lose the plot sooner or later.
>
> Q2. Is there a reason why not every single alert is written in the Database
> [MySQL] and/or written in the logs? I thought that
>
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>3</email_alert_level>
>   </alerts>
>
> actually means 'log everything with alert level 1 and above and notify via
> e-mail for everything with alert level 3 and above'! Am I missing something?
>
> Q3. Is there a way to import alerts/logs from OSSEC log/alert files into its
> Database? Because of poor administration on my behalf (hey, I'm not a
> Linux/OSSEC/MySQL guru, sorry), a lot of logs/alerts are in log format and
> not inside the Database, and I was wondering if there's a tool or something
> I could do in order to get those events (import them) into the Database.
>
> Q4. Regarding the Database structure, is there documentation available so as
> to be able to create our custom reports in MySQL, or, even better, export the
> data to our data warehouse system and create the custom reports over there?
> I mean, how are the links working inside the DB and how is the information
> organized/categorized inside the DB, so as to know which table(s) contain
> which piece of information I could combine in order to come up with a report?
>
> More questions to come :-)
>
> Your help is very much appreciated guys because I'm on the verge of losing my
> mind in the effort of trying to 'make' the OSSEC installation we have suit
> our Enterprise.
>
> Dimitris
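An added ossec.conf fragment (not posted by anyone in this thread) showing where the options Doug names sit relative to the <alerts> block Dimitris quoted: email_maxperhour and logall under <global>, and a granular <email_alerts> entry that sends matching alerts immediately and one per message. The addresses, the level-7 threshold and the per-hour cap are assumed values, not anything stated on the list.

```xml
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>          <!-- assumed address -->
    <smtp_server>mail.example.com</smtp_server>   <!-- assumed server -->
    <email_from>ossec@example.com</email_from>    <!-- assumed address -->
    <!-- Maximum alert e-mails per hour (default 12). Once the cap is
         reached the remaining alerts are grouped into a single message,
         so a low cap is one way to end up with "bulk" mails. -->
    <email_maxperhour>120</email_maxperhour>      <!-- assumed value -->
    <!-- Store every received log line, matched by a rule or not, in
         logs/archives/archives.log. This is not the same as alerts.log
         and grows quickly; watch disk usage. -->
    <logall>yes</logall>
  </global>

  <alerts>
    <!-- Same thresholds as in the question: level 1+ is written to
         alerts.log (and the database, if the dbd output is enabled),
         level 3+ is e-mailed. -->
    <log_alert_level>1</log_alert_level>
    <email_alert_level>3</email_alert_level>
  </alerts>

  <!-- Granular e-mail (see the GranularEmail wiki page Doug linked):
       alerts at level 7 or higher are mailed right away, each in its own
       message, regardless of the grouping applied to lower levels. -->
  <email_alerts>
    <email_to>oncall@example.com</email_to>       <!-- assumed address -->
    <level>7</level>                              <!-- assumed threshold -->
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>
```

Restart OSSEC after editing ossec.conf; the <email_alerts> block can be repeated with different <level>, <group> or <rule_id> selectors for other recipients.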