[ossec-list] Re: Granular Email Alerting, alert for a certain host
Resolved by using this syntax:
<email_alerts>
  <email_to>recipient2@xxxxxxxxxxxx</email_to>
  <level>0</level>
  <event_location>mastersyslog|10.0.0.1|172.16.0.1</event_location>
  <do_not_delay />
</email_alerts>
evilghost wrote:
> I've got a question regarding OSSEC 1.2 with the granular email alerting capability. I'm struggling with the configuration options; ideally I want to be able to alert a certain recipient for any
> event that occurs on a certain server/IP address. I'm not using any remote agents; instead, I've got OSSEC pointed at log files collected by syslog-ng. This solution works great and I've been quite
> pleased with OSSEC; however, I'd love to get the granular option working.
>
> I've tried creating a rule in local_rules.xml that matches on hostname and then binding email_alerts to that rule; however, it doesn't work. Below is that configuration, with recipient and domain
> intentionally obfuscated. I'm open to any solution that would enable me to alert recipient2@xxxxxxxxxxxx on alerts affecting hostname 10.125.110.2.
>
> [ossec.conf snippet]
> <global>
> <email_notification>yes</email_notification>
> <email_to>recipient1@xxxxxxxxxxxx</email_to>
> <smtp_server>smtp_relay.mydomain.com</smtp_server>
> <email_from>ossecm@xxxxxxxxxxxx</email_from>
> <!-- Disable Stats, "We got X alerts more than hour Y" -->
> <stats>0</stats>
> <!--
> <email_alerts>
> <email_to>recipient2@xxxxxxxxxxxx</email_to>
> <rule_id>20000000</rule_id>
> </email_alerts>
> -->
> </global>
>
> [local_rules.xml snippet]
> <!-- Email alert groups -->
> <group name="syslog">
> <rule id="20000000" level="7">
> <hostname>10.125.110.2</hostname>
> </rule>
> </group>
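To see what the resolved <email_alerts> entry does, here is an added example (not OSSEC's code, and not part of the thread) that parses a constructed ossec.conf fragment built from the two snippets above and routes a few constructed alerts to the granular recipient. It assumes alert locations look like "host->/path/to/log" and models event_location as an OS_Match-style match: the pattern is split on "|" and any alternative found as a substring of the location matches.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: the global section from the question plus
# the working <email_alerts> entry from the reply (addresses kept obfuscated).
OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>recipient1@xxxxxxxxxxxx</email_to>
  </global>
  <email_alerts>
    <email_to>recipient2@xxxxxxxxxxxx</email_to>
    <level>0</level>
    <event_location>mastersyslog|10.0.0.1|172.16.0.1</event_location>
    <do_not_delay />
  </email_alerts>
</ossec_config>"""


def parse_email_alerts(conf_xml):
    """Collect each granular entry: recipient, minimum level, location alternatives, delay flag."""
    root = ET.fromstring(conf_xml)
    rules = []
    for ea in root.findall("email_alerts"):
        loc = ea.findtext("event_location")
        rules.append({"to": ea.findtext("email_to"),
                      "level": int(ea.findtext("level", "0")),
                      "locations": loc.split("|") if loc else [],
                      "delay": ea.find("do_not_delay") is None})
    return rules


def location_matches(alternatives, location):
    """Assumed OS_Match-like semantics: no pattern matches everything, else any substring hit."""
    if not alternatives:
        return True
    return any(alt in location for alt in alternatives)


def route_alert(rules, location, level):
    """Granular recipients (in addition to the global email_to) for one alert."""
    return [r["to"] for r in rules
            if level >= r["level"] and location_matches(r["locations"], location)]


if __name__ == "__main__":
    rules = parse_email_alerts(OSSEC_CONF)
    for loc, lvl in [("mastersyslog->/var/log/messages", 3),
                     ("webfarm->/var/log/httpd/error_log", 10)]:
        print(loc, lvl, "->", route_alert(rules, loc, lvl))
```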
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.