
[ossec-list] Re: Ossec Problem: email_alert_level not being honored. Alert level 3 received in mail.



Hello Daniel,

On 7/26/07, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
>
> Hey,
>
> If I am not misunderstanding the problem, this is not a bug on ossec,
> but it happens because some rules have:
>
> <options>alert_by_email</options>
>
> to bypass the default e-mail alerting level.
>
> Check out:
> http://www.ossec.net/ossec-list/2007-July/msg00034.html
> http://www.ossec.net/ossec-list/2007-July/msg00035.html
>
> If that's not it, let me know and we can try to figure out what is happening...
>

That was it.  My bad.  So I found one of the offending rules in
rules/msauth_rules.xml.  How would I go about disabling it for just
one server?

The example is, we have a terminal server where potentially over 1000
new users may use it in a semester.  For these types of servers it
wouldn't provide any additional information to send me 1000 of the
below messages as it's normal:

Received From: (termsrv1) 192.168.35.40->WinEvtLog
Rule: 18119 fired (level 3) -> "First time this user logged in this system."

This is a Solaris 10 server with W2k3 agent.

The manual and list archives didn't clue me in, so any help would be great.

Thanks,
Will

> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 7/25/07, Will Froning <will.froning@xxxxxxxxx> wrote:
> >
> > Hello All,
> >
> > On 7/25/07, Will Froning <will.froning@xxxxxxxxx> wrote:
> > > Hello All,
> > >
> > > Here's a "me too" message on this.  Server/agent with the most recent
> > > snapshot I could find running on Solaris 10.
> > >
> >
> > I just confirmed that this is still happening with
> > ossec-hids-070722.tar.gz.  Any suggestions on tracking this down?
> >
> > Thanks,
> > Will
> >
> >
> > > On 7/25/07, Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx> wrote:
> > > >
> > > > I too have this issue.  My ossec.conf file is the same as Frank's
> > > > (defaults) and yet I receive alerts daily that are at levels below 7.  I
> > > > have a server/agent setup.
> > > >
> > > > Thanks,
> > > >
> > > > - Cheers
> > > > Clayton Dillard
> > > >
> > > > Frank Spierings wrote:
> > > > > Hi people,
> > > > >
> > > > > I have a problem with my OSSEC server.
> > > > > The ossec.conf is pretty default. I only changed the email to address.
> > > > >
> > > > > This is the only alerts group in the file:
> > > > >   <alerts>
> > > > >     <log_alert_level>1</log_alert_level>
> > > > >     <email_alert_level>7</email_alert_level>
> > > > >   </alerts>
> > > > >
> > > > > Still I'm receiving "ossec agent started" emails from the server,
> > > > > which are level 3. I checked out the specific rule, but I don't see any
> > > > > indication why it should send me these mails.
> > > > > Any idea where I should start my quest?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Frank Spierings
> > > > >
> > > > >
> > > >
> > >
> > >
> > > --
> > > Will Froning
> > > Unix SysAdmin
> > > Will.Froning@xxxxxxxxx
> > > MSN: wfroning@xxxxxxxx
> > > YIM: will_froning
> > > AIM: willfroning
> > >
> >
> >
> > --
> > Will Froning
> > Unix SysAdmin
> > Will.Froning@xxxxxxxxx
> > MSN: wfroning@xxxxxxxx
> > YIM: will_froning
> > AIM: willfroning
> >
>


-- 
Will Froning
Unix SysAdmin
Will.Froning@xxxxxxxxx
MSN: wfroning@xxxxxxxx
YIM: will_froning
AIM: willfroning
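Added example, not from this thread or from the OSSEC project: a small Python audit that reads OSSEC rule XML and lists every rule carrying `<options>alert_by_email</options>` at a level below the configured `email_alert_level`, i.e. the rules Daniel describes as bypassing the threshold. The rules XML embedded below is constructed; only rule 18119's id, level and description come from the thread.

```python
"""Audit OSSEC rule XML for rules that e-mail regardless of email_alert_level.

Rules with <options>alert_by_email</options> bypass the global
<email_alert_level>, which is why a level-3 rule such as 18119 still
arrives by mail when the threshold is 7. This script finds such rules.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of rules/msauth_rules.xml. Only the id,
# level and description of 18119 are taken from the thread; the rest is made up.
SAMPLE_RULES = """
<group name="windows,authentication_success,">
  <rule id="18119" level="3">
    <options>alert_by_email</options>
    <description>First time this user logged in this system.</description>
  </rule>
  <rule id="100100" level="8">
    <options>alert_by_email,no_log</options>
    <description>Constructed high-level rule; above the threshold.</description>
  </rule>
</group>
<group name="syslog,">
  <rule id="100101" level="3">
    <description>Constructed low-level rule without the option.</description>
  </rule>
</group>
"""


def find_forced_email_rules(rules_xml, email_alert_level):
    """Return [(rule_id, level), ...] for rules that force e-mail below the threshold.

    OSSEC rule files contain several top-level <group> elements, so the text
    is wrapped in a synthetic root element before parsing.
    """
    root = ET.fromstring("<rules>" + rules_xml + "</rules>")
    hits = []
    for rule in root.iter("rule"):
        level = int(rule.get("level", "0"))
        # <options> holds a comma-separated list, e.g. "alert_by_email,no_log".
        forced = any("alert_by_email" in (opt.text or "").split(",")
                     for opt in rule.findall("options"))
        if forced and level < email_alert_level:
            hits.append((rule.get("id"), level))
    return hits


if __name__ == "__main__":
    for rule_id, level in find_forced_email_rules(SAMPLE_RULES, 7):
        print(f"rule {rule_id} (level {level}) mails despite email_alert_level 7")
```

To run it against a real install, read the files under rules/ (plus local_rules.xml) and pass their text in place of SAMPLE_RULES; the threshold is the value of `<email_alert_level>` in ossec.conf.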




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.