On 31.07.2012 17:56, dan (ddp) wrote:
On Tue, Jul 31, 2012 at 11:49 AM, ChristianB
<[email protected]>  wrote:
Hello all,

I now have my local installation of OSSEC working and integrated with my
running services. So far it's working really well. There is still one thing
that is not really working. I set up email notifications for active response
rules in my ossec.conf like this:
<email_alerts>
     <email_to>[email protected]</email_to>
     <rule_id>601, 602</rule_id>
     <do_not_delay />
     <do_not_group />
</email_alerts>

I also tried using the <rule_group> tag but this also didn't work. Every
other notification is correctly sent (ossec start and everything above level
7). For the meantime I want to have all active_response actions sent to me
immediately to fine-tune the system.

And before you ask: yes, I checked with analogi that there were indeed
alerts triggering rules 601 and 602. I also have a minimal local_rules.xml
(Listen ports warning and load average warning) and an extended ar_log
decoder in my local_decoder.xml (added German weekdays to the regex).

Regards
Christian

What is your email_alert_level set to? 601 is only a level 3, so if
it's set higher than that you shouldn't expect email notification.

email_alert_level is set to 7. But I don't really want to lower this, just get the AR notifications on top. I thought that for individual email notifications this alert level is ignored. As it is a global setting I will overwrite the rules in question and set the level to 7 for the meantime.
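
The workaround described in the last reply, written out as an added example (not part of the original thread): a local_rules.xml override that raises rules 601 and 602 to level 7 so they reach the global email_alert_level. The rule bodies are assumed to match the stock definitions in ossec_rules.xml; compare them against the installed rules file before use, because an overwritten rule replaces the original completely.

```xml
<!-- local_rules.xml: added example, not from the original thread.
     Assumption: the bodies below mirror the stock rules 601 and 602
     shipped in ossec_rules.xml. Only the level (3 -> 7) is changed. -->
<group name="local,active_response,">

  <!-- Host blocked by active response; raised to level 7 to meet
       email_alert_level while tuning. -->
  <rule id="601" level="7" overwrite="yes">
    <if_sid>600</if_sid>
    <action>firewall-drop.sh</action>
    <status>add</status>
    <description>Host Blocked by firewall-drop.sh Active Response</description>
    <group>active_response,</group>
  </rule>

  <!-- Host unblocked by active response; same level change. -->
  <rule id="602" level="7" overwrite="yes">
    <if_sid>600</if_sid>
    <action>firewall-drop.sh</action>
    <status>delete</status>
    <description>Host Unblocked by firewall-drop.sh Active Response</description>
    <group>active_response,</group>
  </rule>

</group>
```

Restart OSSEC after editing so the overwritten rules are loaded, and set the levels back to 3 once tuning is finished, since level 7 also affects any other threshold keyed on alert level.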
