
List:       ossec-list
Subject:    Re: [ossec-list] single mail reports
From:       Daniel Cid <daniel.cid () gmail ! com>
Date:       2010-02-15 11:32:57
Message-ID: b92e6f201002150332g729567f0pc560947c6819867f () mail ! gmail ! com

Hi Oscar,

That's a great way to work around this issue and should work fine. Another suggestion would be to enable alerting only for the levels 10 and above and configure a cron script to run daily sending the others...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Feb 12, 2010 at 8:59 AM, oscar schneider <os4839@googlemail.com> wrote:
> Hi,
>
> I think the following should work to only receive one e-mail per hour for
> alerts of severity between 5 and 9:
>
> 1) Think about the minimal alert level that you would like to be emailed
> about within an hour. Default would be 7 in addition to the rules that have
> an <options>alert_by_email</options> tag, like e.g. rule 1002. If you want
> that value to be lower, like in your case 5, configure that in your
> ossec.conf in the <email_alert_level> section.
>  <alerts>
>    <log_alert_level>1</log_alert_level>
>    <email_alert_level>5</email_alert_level>
>  </alerts>
>
> 2) Add the following statement in your ossec.conf <global> section next to
> the <email_from> line:
>       <email_maxperhour>1</email_maxperhour>
> This means that the global e-mail notification system will only send out one
> e-mail per hour, that means it collects all alerts that would generate an
> e-mail until the end of the hour, compiles them into one e-mail and then
> sends it.
>
> 3) Choose an alert level that you want to be informed about immediately, in
> your case 10, and add the following lines in your ossec.conf (not within the
> <global> section, but as a separate section within <ossec_config>):
>
>   <email_alerts>
>    <email_to>your@email.address</email_to>
>    <level>10</level>
>    <do_not_delay />
>    <do_not_group />
>   </email_alerts>
>
> C.f. http://www.ossec.net/wiki/Know_How:GranularEmail for more details and
> further configuration options of granular email notification. For
> information about other configuration options in ossec.conf, c.f.
> http://www.ossec.net/main/manual/configuration-options/
>
> This leads to the following outcome:
> - you get one e-mail an hour (<email_maxperhour>1</email_maxperhour>) with
> all alerts of severity 5-16 (<email_alert_level>5</email_alert_level>,
> unfortunately there is no upper boundary for severity that can be set for
> e-mail notifications to only get 5-9)
> - you get one (<do_not_group />) e-mail for every alert of level 10 and
> higher immediately (<do_not_delay />)
>
> Can't try this out atm but should work. This is the way to do it without
> cron jobs imo. Unfortunately this leads to receiving alerts of level 10+ two
> times.
>
>
>
> On Thu, Feb 11, 2010 at 5:47 PM, Stam <sebolani@gmail.com> wrote:
>>
>> Hello, I am new to ossec and since I notice I get a huge amount of mails
>> with alert reports I was wondering if ossec has the following
>> capability built in: to configure it to send a single email with all
>> alerts from wanted rules in a time range (i.e. day/week) instead of a
>> single mail for every alert (except level 10 alerts which I want to be
>> informed about immediately).
>> I can think of one solution: to disable alert_by_email or set it to
>> send only level 10 alerts and form cron jobs with linux commands like
>> here: http://www.ossec.net/dcid/?p=153 .
>> I just want all alerts between i.e. level 5 - level 9 to be queued and
>> mailed in a single mail message every day and level 10 alerts to be
>> mailed immediately. Is there any other solutions/suggestions?
>>
>> Thanks in advance
>
>
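The cron-driven variant Daniel suggests (keep <email_alert_level> at 10 so only level 10+ alerts are mailed immediately, and let a daily script compile the rest) also avoids the two problems Oscar notes with the in-daemon approach: there is no upper level bound in ossec.conf, and level 10+ alerts arrive twice. The script below is an added example, not OSSEC's own code and not the script from the linked ossec.net blog post. It assumes the standard alerts.log block layout written by the OSSEC analysis daemon (a `** Alert` header line, a date/location line, a `Rule: N (level L) -> '...'` line, optional `Src IP:`/`User:` lines, then the matching log line, with blank lines between blocks); the sample log and the rule descriptions in it are constructed for the example. It selects only alerts whose level falls in a closed range (here 5-9), which is exactly the filter the e-mail configuration cannot express, and groups them by rule for a digest; piping the output into `mail` from a daily cron entry is left to the reader.

```python
"""Daily digest of OSSEC alerts whose level lies in a closed range.

Added example, not OSSEC's own code.  Parses the alerts.log block format
(assumed to be the one the OSSEC analysis daemon writes) and builds a
text digest of alerts between a low and a high level, inclusive.
"""
import re
import sys
from collections import defaultdict

# Constructed sample alerts.log content (rule ids/descriptions are
# illustrative, modelled on OSSEC's sshd rules; not captured from a system).
SAMPLE_ALERTS = """\
** Alert 1266233577.1234: - syslog,sshd,authentication_failed,
2010 Feb 15 11:32:57 host->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Feb 15 11:32:56 host sshd[1234]: Failed password for root from 192.0.2.10 port 4022 ssh2

** Alert 1266233581.1301: - syslog,sshd,authentication_success,
2010 Feb 15 11:33:01 host->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 198.51.100.7
User: alice
Feb 15 11:33:00 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 4023 ssh2

** Alert 1266233590.1410: - syslog,sshd,authentication_failed,
2010 Feb 15 11:33:10 host->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: admin
Feb 15 11:33:09 host sshd[1251]: Failed password for admin from 192.0.2.10 port 4024 ssh2

** Alert 1266233595.1502: mail  - syslog,sshd,authentication_failures,
2010 Feb 15 11:33:15 host->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10
Feb 15 11:33:14 host sshd[1260]: Failed password for admin from 192.0.2.10 port 4025 ssh2
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+): .*?- (.*)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_alerts(text):
    """Return one dict per alert block found in alerts.log text."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = ALERT_HEADER.match(lines[0]) if lines else None
        if not header:
            continue  # not an alert block: skip rather than guess at it
        alert = {"ts": int(header.group(1)), "groups": header.group(3).strip(","),
                 "rule": None, "level": None, "desc": "", "log": []}
        for line in lines[1:]:
            rule = RULE_LINE.match(line)
            if rule:
                alert["rule"] = int(rule.group(1))
                alert["level"] = int(rule.group(2))
                alert["desc"] = rule.group(3)
            elif alert["rule"] is not None and not line.startswith(("Src IP:", "User:")):
                alert["log"].append(line)  # raw log line(s) after the Rule line
        if alert["level"] is not None:
            alerts.append(alert)
    return alerts


def select_levels(alerts, low, high):
    """Keep alerts with low <= level <= high; the upper bound is the filter
    ossec.conf's <email_alert_level> cannot express."""
    return [a for a in alerts if low <= a["level"] <= high]


def build_digest(alerts, low, high):
    """Group the selected alerts by rule and render a plain-text digest."""
    chosen = select_levels(alerts, low, high)
    by_rule = defaultdict(list)
    for a in chosen:
        by_rule[(a["rule"], a["level"], a["desc"])].append(a)
    out = ["OSSEC digest: %d alert(s) of level %d-%d" % (len(chosen), low, high), ""]
    # Highest level first, then by rule id, so the most severe groups lead.
    for (rule, level, desc), items in sorted(by_rule.items(), key=lambda kv: (-kv[0][1], kv[0][0])):
        out.append("Rule %d (level %d) x%d: %s" % (rule, level, len(items), desc))
        for a in items:
            out.append("  " + (a["log"][0] if a["log"] else "(no log line)"))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: digest.py /var/ossec/logs/alerts/alerts.log 5 9
    path = sys.argv[1] if len(sys.argv) > 1 else None
    low, high = (int(sys.argv[2]), int(sys.argv[3])) if len(sys.argv) > 3 else (5, 9)
    text = open(path).read() if path else SAMPLE_ALERTS
    print(build_digest(parse_alerts(text), low, high))
```

On a real host the script would read the current day's alerts.log (OSSEC rotates it daily, so a cron entry shortly after midnight would point at the previous day's file) and pipe the digest to a mailer; nothing here depends on OSSEC itself being installed.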
