Thanks for the update. On 24-Mar-2016 3:09 PM, "dan (ddp)" <ddp...@gmail.com> wrote:
> > On Mar 24, 2016 12:21 AM, "sandeep dubey" <sandeep.san...@gmail.com> > wrote: > > > > Got it, thanks much. Is it suggested to remove that line for these rules > ? > > > > That's between you and your security policy. I personally like 1002, I > even wrote a faq entry on it. > > > On Wed, Mar 23, 2016 at 7:52 PM, dan (ddp) <ddp...@gmail.com> wrote: > >> > >> On Wed, Mar 23, 2016 at 10:19 AM, sandeep dubey > >> <sandeep.san...@gmail.com> wrote: > >> > Thanks Dan for the reply. > >> > > >> > I couldn't understand your comment - > >> > > >> > Both of these set: > >> > <options>alert_by_email</options> > >> > > >> > >> If you look at /var/ossec/rules/syslog_rules.xml, you can see rule > >> 10100 sets the above option. This means it will always send an email > >> when it is triggered. > >> Rule 1002 has the same option set. So no matter what your minimum rule > >> level is, these rules will trigger emails. > >> > >> > On Wed, Mar 23, 2016 at 7:37 PM, dan (ddp) <ddp...@gmail.com> wrote: > >> >> > >> >> On Wed, Mar 23, 2016 at 10:01 AM, sandeep dubey > >> >> <sandeep.san...@gmail.com> wrote: > >> >> >> Ok, so it works when you use an individual email address, but not > when > >> >> >> you use a group? Which system handles the group email address? > Can > >> >> >> you check the logs there? > >> >> > > >> >> > Yes, when i use group emails are not being relayed. I am using > Google > >> >> > service. In logs i don't find anything except mentioned in previous > >> >> > thread. > >> >> > >> >> Use tcpdump to see if there is any difference between the 2 email > >> >> addresses. > >> >> > >> >> >> > >> >> >> > >> >> >> > One more observation is that, even though email alerts is > configured > >> >> >> > for > >> >> >> > level 8, I am still getting alerts for level 2,3,4 etc. > >> >> >> > > >> >> >> > >> >> >> That's very strange. I trust you've verified that the rules of > level < > >> >> >> 8 that trigger email alerts don't have > >> >> >> "<options>alert_by_email</options>" set. > >> >> >> Which rules with level < 8 are triggering emails? > >> >> > > >> >> > > >> >> > Triggered emails are of level 2,4 and rules id is 1002,10100 > >> >> > > >> >> > >> >> Both of these set: > >> >> <options>alert_by_email</options> > >> >> > >> >> -- > >> >> > >> >> --- > >> >> You received this message because you are subscribed to the Google > Groups > >> >> "ossec-list" group. > >> >> To unsubscribe from this group and stop receiving emails from it, > send an > >> >> email to ossec-list+unsubscr...@googlegroups.com. > >> >> For more options, visit https://groups.google.com/d/optout. > >> > > >> > > >> > > >> > > >> > -- > >> > Regards, > >> > Sandeep > >> > > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > Groups > >> > "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, > send an > >> > email to ossec-list+unsubscr...@googlegroups.com. > >> > For more options, visit https://groups.google.com/d/optout. > >> > >> -- > >> > >> --- > >> You received this message because you are subscribed to the Google > Groups "ossec-list" group. > >> To unsubscribe from this group and stop receiving emails from it, send > an email to ossec-list+unsubscr...@googlegroups.com. > >> For more options, visit https://groups.google.com/d/optout. > > > > > > > > > > -- > > Regards, > > Sandeep > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to ossec-list+unsubscr...@googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
