On Tue, Jul 31, 2012 at 11:49 AM, ChristianB <[email protected]> wrote:
> Hello all,
>
> I now have my local installation of OSSEC working and integrated with my
> running services. So far it's working really well. There is still one thing
> that is not really working. I set up email notifications for active response
> rules in my ossec.conf like this:
> <email_alerts>
>   <email_to>[email protected]</email_to>
>   <rule_id>601, 602</rule_id>
>   <do_not_delay />
>   <do_not_group />
> </email_alerts>
>
> I also tried using the <rule_group> tag but this also didn't work. Every
> other notification is correctly sent (ossec start and everything above level
> 7). For the meantime I want to have all active_response actions sent to me
> immediately to fine-tune the system.
>
> And before you ask: yes, I checked with analogi that there were indeed
> alerts triggering rules 601 and 602. I also have a minimal local_rules.xml
> (Listen ports warning and load average warning) and an extended ar_log
> decoder in my local_decoder.xml (added German weekdays to the regex).
>
> Regards
> Christian

What is your email_alert_level set to? 601 is only a level 3, so if it's set higher than that you shouldn't expect email notification.
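
The check suggested in the reply can be automated. The following is an added example, not part of the original thread or of OSSEC itself: it parses an ossec.conf and lists granular `<rule_id>` entries whose rule level is below the global `email_alert_level`. The `<alerts>` section, the recipient address, the level for rule 602 and the function name `suppressed_rules` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <email_alerts> block from the thread, with a
# placeholder recipient. The <alerts> section is assumed; the poster's
# actual email_alert_level is not shown in the thread.
SAMPLE_CONF = """
<ossec_config>
  <alerts>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>admin@example.com</email_to>
    <rule_id>601, 602</rule_id>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>
"""

# Rule levels must be taken from the installed rule files. 601 is level 3
# according to the reply; the level for 602 is assumed here.
RULE_LEVELS = {601: 3, 602: 3}


def suppressed_rules(conf_text, rule_levels):
    """Return (rule_id, rule_level, email_alert_level) for every granular
    <rule_id> whose level is below the global email threshold."""
    # ossec.conf may hold several <ossec_config> roots, so wrap the text.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    node = root.find(".//alerts/email_alert_level")
    if node is None or not (node.text or "").strip():
        raise ValueError("no <email_alert_level> found in <alerts>")
    threshold = int(node.text)
    result = []
    for block in root.iter("email_alerts"):
        for rid_el in block.findall("rule_id"):
            for part in (rid_el.text or "").split(","):
                if not part.strip():
                    continue
                rid = int(part)
                level = rule_levels.get(rid)  # unknown rules are skipped
                if level is not None and level < threshold:
                    result.append((rid, level, threshold))
    return result


if __name__ == "__main__":
    for rid, level, threshold in suppressed_rules(SAMPLE_CONF, RULE_LEVELS):
        print(f"rule {rid} (level {level}) is below email_alert_level {threshold}")
```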
