[ossec-dev] Re: Redirecting alerts to different recipients
Hi Paul and Gustav,
The idea of the list is good, but if I am understanding you correctly,
you can do it inside ossec.
From your e-mail:
> That's a great new capability, but unless I can assign arbitrary groups
> to arbitrary recipients it's not quite what I need.
> Let's say Alice manages machine A and Bob manages B, then Alice
> needs to get A's alert messages and Bob gets B's;
To solve this case, you can do:
<email_alerts>
  <email_to>A@xxxxxxxxxxx</email_to>
  <event_location>machineA</event_location>
</email_alerts>
<email_alerts>
  <email_to>B@xxxxxxxxxxx</email_to>
  <event_location>machineB</event_location>
</email_alerts>
So, A would get the alerts from machineA and B from machineB. Note that the
event_location supports the IP address, the agent name and "|" to divide between
multiple entries.
> or if Bob manages both A & B, then Alice still gets A's but Bob gets A & B's.
Also feasible:
<email_alerts>
  <email_to>A@xxxxxxxxxxx</email_to>
  <event_location>machineA</event_location>
</email_alerts>
<email_alerts>
  <email_to>B@xxxxxxxxxxx</email_to>
  <event_location>machineB|machineA</event_location>
</email_alerts>
Hope this helps to clarify.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 5/7/07, paul sery <pgsery@xxxxxxxx> wrote:
Gustav H Meyer wrote:
>
> Hi Paul,
>
> On 07/05/2007 00:21, paul sery wrote:
>> Daniel Cid wrote:
>>> Is that what you are looking for (granular e-mail alerting)?
>>> http://www.ossec.net/dcid/?p=75
>>
>> That's a great new capability, but unless I can assign arbitrary
>> groups to arbitrary recipients it's not quite what I need. Let's
>> say Alice manages machine A and Bob manages B, then Alice needs
>> to get A's alert messages and Bob gets B's; or if Bob manages both A
>> & B, then Alice still gets A's but Bob gets A & B's.
>
> I think you can achieve what you're trying to do by letting the alerts
> go to a local mailing list instead of to one or more specific
> individual's e-mail address. Then you can add and remove members from
> the mailing list as much as you like without affecting the ossec
> configs. And the nice thing about a mailing list (e.g.: mailman) is
> that you can let it archive all alerts for reference purposes.
>
> Regards,
> Gustav
That sounds like a reasonable way of doing it. Thanks.
-Paul
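
Added example, not part of the original thread and not OSSEC code: a small audit of the <email_alerts> routing described in the reply above, showing who receives alerts for a given location and which locations reach nobody. The addresses, agent names and alert locations are constructed, and the plain substring test per "|" entry is an assumed simplification, not OSSEC's own matcher.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the second example in the message;
# the addresses are placeholders, and <ossec_config> is used as the wrapper.
CONFIG = """
<ossec_config>
  <email_alerts>
    <email_to>alice@example.com</email_to>
    <event_location>machineA</event_location>
  </email_alerts>
  <email_alerts>
    <email_to>bob@example.com</email_to>
    <event_location>machineB|machineA</event_location>
  </email_alerts>
</ossec_config>
"""

def load_routes(xml_text):
    """Return [(recipient, [location entries])] per <email_alerts> block.
    Blocks lacking email_to or event_location are skipped."""
    routes = []
    for block in ET.fromstring(xml_text).iter("email_alerts"):
        to = (block.findtext("email_to") or "").strip()
        loc = (block.findtext("event_location") or "").strip()
        entries = [e.strip() for e in loc.split("|") if e.strip()]
        if to and entries:
            routes.append((to, entries))
    return routes

def recipients_for(location, routes):
    """Recipients with at least one entry contained in the alert location.
    Assumed simplification: substring test, not OSSEC's matcher."""
    return sorted({to for to, entries in routes
                   if any(e in location for e in entries)})

def unrouted(locations, routes):
    """Locations that no <email_alerts> block delivers to anyone."""
    return [loc for loc in locations if not recipients_for(loc, routes)]

if __name__ == "__main__":
    routes = load_routes(CONFIG)
    # Constructed alert locations in "(agent) ip->file" form.
    samples = ["(machineA) 192.0.2.10->/var/log/auth.log",
               "(machineB) 192.0.2.11->/var/log/secure",
               "(machineC) 192.0.2.12->/var/log/messages"]
    for loc in samples:
        print(loc, "->", recipients_for(loc, routes) or "no granular recipient")
    print("unrouted:", unrouted(samples, routes))
```

Under this substring model an entry such as machineA would also match an agent named machineA2, so overlapping agent names are worth checking for before relying on per-owner routing.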
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.