[ossec-list] Re: Separate email_to addresses per agent?
Daniel Cid wrote:
> Version 1.1 will have this feature and you can try it out on our latest
> beta:
I've been waiting for this one. I'll be excited to try it out.
> How to configure it? Examples below:
>
> -Send only levels >= 10 to xx@xxxxxx:
>
> <email_alerts>
> <email_to>xx@xxxxxx</email_to>
> <level>10</level>
> </email_alerts>
Are multiple <email_alerts> tags supported? For example, can I send it
to two addresses if greater than level 10?
> -Send only alerts from agent xyz123 to abc@xxxxxxx:
>
> <email_alerts>
> <email_to>abc@xxxxxxx</email_to>
> <event_location>xyz123</event_location>
> </email_alerts>
Similar to above, are multiple locations supported? So, can I have
alerts for 10 hosts sent to two addresses if they are greater than level
10? How about wildcards within a tag?
Two other things which would make this useful are a "short version" for
pagers, and more granularity (by rule ID, time, etc). I might, for
example, want alerts that are greater than level ten to go to pager one
for a set of ten hosts, and pager 2 for another set of 10, but only on
weekdays after five and on weekends. The short version of the alert
could have enough info in the subject to determine the criticality.
I know this is asking a lot but I see that as being integral to incident
response. Only bug me on weekends if it's a big problem, and if I'm
likely sleeping, it had better be a real big problem! :)