
[Ossec-list] email questions



Hi Jim,

Sorry for the delay in answering you. I have been without internet access
for the last 2 weeks (sorry to everyone else who sent me an e-mail
also, I will get back to everyone as soon as I can).

Now to your questions. I will give some background information to make it
easy to understand. Sorry if I'm complicating things a little bit...

1- The e-mail notification daemon (ossec-maild) listens for messages from
the analysis server. When it receives a message (an e-mail alert), it adds
this message to an internal list. Every 5 seconds it checks to see if there
is any message available. If there is more than 1, it will concatenate all
the messages and send them together. I added this feature to avoid
an excessive number of e-mails being sent in a small period of time.
Unfortunately, this number is not easy to modify, but I will add a configuration
option for that on the next release.

In addition to that, you can set the maximum number of e-mails to be
sent per hour. By default it is 12. So, if within an hour the number of
e-mails is more than 12, it will save all the additional e-mails in memory and
send them all together as just one e-mail at the end of the hour.
The configuration option to change that is "mail-maxperhour" on the
"global" element.

<global>
..
<mail-maxperhour>30</mail-maxperhour>
</global>



2- It sets in the subject the alert level of the first e-mail in the list
(as explained above). I will change that to be clearer. Probably to
be the highest level of all the messages.


3- I will add a configuration option for that. If you need this urgently,
let me know and I can provide a small patch to fix this for you.


Thanks and sorry for the loong e-mail (if you read until here :) )


Daniel


On 12/6/05, OSSEC HIDS Maillist <ossec-list at ossec.net> wrote:
> Hello,
>
>      I have a question about the emailing of log files.  OSSEC runs
> fine, when it detects a problem/issue it will fire off an email.
>
> When there are multiple issues, within the timeframe it all gets sent
> as one email.
>
> I get an email like this:
>
>   OSSEC HIDS Notification - Alert level 7
>
> Authenication failure trap
> .......
> Bad su
> .........
> Rule: 15 fired (level 4) -> "Rootkit detection engine message"
>
>
> Here are the problems I have with that:
>
> 1.)  I don't understand the timeframe system checks are made
>
> 2.)  The email subject was OSSEC HIDS Notification - Alert level 7,
> this was not the case for everything in the email though.
>
> Is there a way to tweak the time it takes for email to be sent?  Can
> we have it fire off email, for each separate event??  The email with
> multiple problems is really not good for me.
>
> Thanks,
> Jim
> _______________________________________________
> ossec-list mailing list
> ossec-list at ossec.net
> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
>
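The following is an added model of the queueing behaviour Daniel describes above (the 5-second flush, the mail-maxperhour cap, and the held mail going out as one message at the end of the hour). It is not OSSEC's own code, and the "highest" subject policy is an assumption standing in for the change Daniel says he plans; the alerts fed into it are constructed sample data.

```python
"""Model of ossec-maild's batching and hourly cap as described on the list.

Added illustration, not OSSEC code: it reproduces the behaviour described in
the reply (5-second flush, <mail-maxperhour> cap, held mail sent as one
message at the end of the hour) so the timing questions can be explored.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Alert:
    level: int
    text: str


@dataclass
class Email:
    subject: str
    body: str
    sent_at: int        # simulated seconds since start
    levels: List[int]   # levels of the alerts folded into this mail


class MailBatcher:
    def __init__(self, flush_interval: int = 5, max_per_hour: int = 12,
                 subject_level: str = "first") -> None:
        # subject_level="first" mirrors the behaviour Daniel describes;
        # "highest" is an assumed option modelling the change he plans.
        self.flush_interval = flush_interval
        self.max_per_hour = max_per_hour      # the <mail-maxperhour> value
        self.subject_level = subject_level
        self.pending: List[Alert] = []        # received since the last flush
        self.held: List[Alert] = []           # deferred by the hourly cap
        self.sent_this_hour = 0
        self.sent: List[Email] = []

    def receive(self, alert: Alert) -> None:
        self.pending.append(alert)

    def _send(self, alerts: List[Alert], now: int) -> None:
        levels = [a.level for a in alerts]
        shown = levels[0] if self.subject_level == "first" else max(levels)
        body = "\n\n".join(f"Rule fired (level {a.level}) -> {a.text}"
                           for a in alerts)
        self.sent.append(Email(f"OSSEC HIDS Notification - Alert level {shown}",
                               body, now, levels))

    def tick(self, now: int) -> None:
        """Advance the simulated clock by one second."""
        if now > 0 and now % 3600 == 0:
            # End of hour: everything held over the cap goes out as one mail,
            # and the per-hour counter starts again.
            if self.held:
                self._send(self.held, now)
                self.held = []
            self.sent_this_hour = 0
        if now % self.flush_interval == 0 and self.pending:
            if self.sent_this_hour < self.max_per_hour:
                self._send(self.pending, now)
                self.sent_this_hour += 1
            else:
                self.held.extend(self.pending)
            self.pending = []


def simulate(events: List[Tuple[int, Alert]], duration: int, **kw) -> List[Email]:
    """Feed (time, alert) events into a batcher and return the mails it sent."""
    batcher = MailBatcher(**kw)
    by_time = {}
    for t, alert in events:
        by_time.setdefault(t, []).append(alert)
    for now in range(duration + 1):
        for alert in by_time.get(now, []):
            batcher.receive(alert)
        batcher.tick(now)
    return batcher.sent


if __name__ == "__main__":
    # Constructed sample: two alerts inside one 5-second window are merged,
    # and the subject carries the level of the first one, as Jim observed.
    merged = simulate([(1, Alert(7, "Authentication failure trap")),
                       (3, Alert(4, "Bad su"))], 10)
    print(merged[0].subject, "| alerts in body:", len(merged[0].levels))
    # 14 alerts in 70 seconds with the default cap of 12: the last two are
    # held and leave as a single mail when the hour ends.
    burst = [(5 * i, Alert(7, f"alert {i}")) for i in range(1, 15)]
    print(len(simulate(burst, 3600)), "mails with default cap")
    print(len(simulate(burst, 3600, max_per_hour=30)), "mails with cap 30")
```

Raising flush_interval makes more alerts land in one mail; raising max_per_hour (the <mail-maxperhour> setting Daniel mentions) lets more separate mails out before the hourly hold kicks in.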




OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.