Got it, thanks much. Is it suggested to remove that line for these rules ? On Wed, Mar 23, 2016 at 7:52 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Wed, Mar 23, 2016 at 10:19 AM, sandeep dubey > <sandeep.san...@gmail.com> wrote: > > Thanks Dan for the reply. > > > > I couldn't understand your comment - > > > > Both of these set: > > <options>alert_by_email</options> > > > > If you look at /var/ossec/rules/syslog_rules.xml, you can see rule > 10100 sets the above option. This means it will always send an email > when it is triggered. > Rule 1002 has the same option set. So no matter what your minimum rule > level is, these rules will trigger emails. > > > On Wed, Mar 23, 2016 at 7:37 PM, dan (ddp) <ddp...@gmail.com> wrote: > >> > >> On Wed, Mar 23, 2016 at 10:01 AM, sandeep dubey > >> <sandeep.san...@gmail.com> wrote: > >> >> Ok, so it works when you use an individual email address, but not > when > >> >> you use a group? Which system handles the group email address? Can > >> >> you check the logs there? > >> > > >> > Yes, when i use group emails are not being relayed. I am using Google > >> > service. In logs i don't find anything except mentioned in previous > >> > thread. > >> > >> Use tcpdump to see if there is any difference between the 2 email > >> addresses. > >> > >> >> > >> >> > >> >> > One more observation is that, even though email alerts is > configured > >> >> > for > >> >> > level 8, I am still getting alerts for level 2,3,4 etc. > >> >> > > >> >> > >> >> That's very strange. I trust you've verified that the rules of level > < > >> >> 8 that trigger email alerts don't have > >> >> "<options>alert_by_email</options>" set. > >> >> Which rules with level < 8 are triggering emails? > >> > > >> > > >> > Triggered emails are of level 2,4 and rules id is 1002,10100 > >> > > >> > >> Both of these set: > >> <options>alert_by_email</options> > >> > >> -- > >> > >> --- > >> You received this message because you are subscribed to the Google > Groups > >> "ossec-list" group. > >> To unsubscribe from this group and stop receiving emails from it, send > an > >> email to ossec-list+unsubscr...@googlegroups.com. > >> For more options, visit https://groups.google.com/d/optout. > > > > > > > > > > -- > > Regards, > > Sandeep > > > > -- > > > > --- > > You received this message because you are subscribed to the Google Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to ossec-list+unsubscr...@googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- Regards, Sandeep -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
