Hi Alexis,

So, you are receiving alerts with level 3 in ourservice@domain, right? That 
doesn't make sense (I understand that email1, email2 or email3 is not 
ourservice@domain).

Try to use: do_not_delay and do_not_group. Also, the email_maxperhour 
<https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html?highlight=email_maxperhour#email-maxperhour> 
is 12 by default, maybe you should change it.

In order to simplify the debug process, use only 1 custom email alert.

Also, you can use the report settings 
<https://documentation.wazuh.com/current/user-manual/manager/output-options/manual-email-report/index.html> 
instead of the email settings.

OSSEC emails options aren't that good...



On Tuesday, July 11, 2017 at 10:27:41 PM UTC+2, Alexis Lessard wrote:
>
> Thanks for the tip! We tested it, but it doesn't seem to be working. 
> Here's what the configuration looks like now:
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>noreply@localhost</email_to>
>     <smtp_server>smtpserver</smtp_server>
>     <email_from>ossec@domain</email_from>
>   </global>
>
>   <email_alerts>
>     <email_to>email1</email_to>
>     <email_to>email2</email_to>
>     <email_to>email3</email_to>
>     <event_location>several, agents, name</event_location>
>   </email_alerts>
>
>   <email_alerts>
>     <email_to>ourservice@domain</email_to>
>     <level>9</level>
>     <do_not_delay />
>     <do_not_group />
>   </email_alerts>
>
>
> email_alert_level was also set to 1. We received one level 10 alert 
> email by itself. However, there were several other level 10 alerts that we 
> didn't receive any notifications from, even though they appear in the alert 
> log. We then received an email report in ourservice@domain mailbox of about 
> 10 minutes worth of events, with several level 10 alerts in it, but mostly 
> a lot of alerts we have no need for, like
> Rule: 31101 fired (level 5) -> "Web server 400 error code." 
>
> I don't think that there's anything in my config that would justify alerts 
> of level 3 and 5 being sent. Do you know what could be wrong? We will 
> probably go back to having an email_alert_level of 7 with no custom alerts 
> and work from there. We receive a lot of events to this server; I'd say 
> about one every two or three seconds. Could that be a problem?
>
> Thank you for the reply, I'll be sure to keep you updated to document the 
> issue if anyone else has that problem,
>
>
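To check whether the hourly mail cap is what swallows the missing level 10 notifications, here is an added example (not from this thread and not OSSEC project code) that counts mail-worthy alerts per clock hour in an alerts.log sample and flags hours above email_maxperhour. The sample records, the agent name and the addresses are constructed; the alerts.log line layout is assumed from OSSEC's default output.

```python
import re
from collections import Counter

# Constructed sample of OSSEC alerts.log entries; agent, IPs and times are made up.
SAMPLE_ALERTS_LOG = """\
** Alert 1499790000.1001: - syslog,sshd,
2017 Jul 11 16:20:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
** Alert 1499790010.1002: - web,accesslog,
2017 Jul 11 16:20:10 (web01) 10.0.0.5->/var/log/nginx/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
** Alert 1499790020.1003: mail  - syslog,sshd,authentication_failures,
2017 Jul 11 16:20:20 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
** Alert 1499793700.1004: mail  - syslog,sshd,authentication_failures,
2017 Jul 11 17:21:40 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
"""

HEADER_RE = re.compile(r"^\*\* Alert ")
TIME_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}):\d{2}:\d{2} ")
# Matches both the alerts.log form and the "fired" form seen in the mails.
RULE_RE = re.compile(r"^Rule: (\d+) (?:fired )?\(level (\d+)\)")

def parse_alerts(log_text):
    """Yield (hour, rule_id, level) for each alert record in alerts.log text."""
    hour = None
    for line in log_text.splitlines():
        if HEADER_RE.match(line):
            hour = None            # new record; its hour comes from the next line
            continue
        m = TIME_RE.match(line)
        if m:
            hour = m.group(1)      # e.g. "2017 Jul 11 16"
            continue
        m = RULE_RE.match(line)
        if m and hour is not None:
            yield hour, int(m.group(1)), int(m.group(2))

def alerts_per_hour(log_text, min_level):
    """Count alerts at or above min_level (your email_alert_level) per clock hour."""
    counts = Counter()
    for hour, _rule, level in parse_alerts(log_text):
        if level >= min_level:
            counts[hour] += 1
    return dict(counts)

def hours_over_cap(log_text, min_level, maxperhour=12):
    """Hours with more mail-worthy alerts than email_maxperhour (12 by default) allows."""
    return sorted(h for h, n in alerts_per_hour(log_text, min_level).items() if n > maxperhour)
```

Run it over a real alerts.log with the level from your email_alerts block; any hour it lists is one where individual mails would be cut off at the cap.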

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.