[ossec-list] Re: Separate email_to addresses per agent?
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Separate email_to addresses per agent?
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Sat, 24 Feb 2007 16:58:56 -0400
- Cc: "Warren Petrofsky" <petrofsk@xxxxxxxxxxxxx>
Hi Warren,
Version 1.1 will have this feature and you can try it out on our latest
beta:
http://www.ossec.net/dcid/?p=42
Just a few notes on this feature. If you receive multiple alerts at
the same time, they will all go in the same e-mail message (as
you probably already noticed), so even if you configure an e-mail address to
only receive alerts from one specific agent, it will get all the other alerts within
the same message**. Makes sense?
How to configure it? Examples below:
-Send only levels >= 10 to xx@xxxxxx:
  <email_alerts>
    <email_to>xx@xxxxxx</email_to>
    <level>10</level>
  </email_alerts>
-Send only alerts from agent xyz123 to abc@xxxxxxx:
  <email_alerts>
    <email_to>abc@xxxxxxx</email_to>
    <event_location>xyz123</event_location>
  </email_alerts>
**If you want to disable e-mail grouping, edit etc/internal_options.conf
and set maild.groupping to 0. You will also want to set "email_maxperhour"
in the global config to a very high value (9999)...
http://www.ossec.net/en/manual.html#global_options
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 1/18/07, Warren Petrofsky <petrofsk@xxxxxxxxxxxxx> wrote:
We are installing ossec agents on a ton of departmental servers, each
with their own sysadmin. We would like our security office to receive
all alerts, and for the individual sysadmins to receive alerts triggered
by their agent only.
Right now we have set email_to to a generic address and are using
procmail to filter alerts to the appropriate users, but would it be
feasible in the future to allow an email_to per agent?
How are other folks handling email alerts currently?
Thanks,
--
Warren Petrofsky
petrofsk@xxxxxxxxxxxxx
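Putting the two snippets from the reply together, as an added illustration that is not part of the original mail or of OSSEC's shipped configuration: a hypothetical ossec.conf fragment for the setup Warren describes, where the security office is the default recipient for everything and one departmental sysadmin only receives alerts from their own agent. All hostnames, e-mail addresses and the agent name xyz123 are placeholders.

```xml
<!-- Hypothetical ossec.conf fragment (added example, not from the mail).
     Addresses, hostnames and the agent name are placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!-- Default recipient: the security office gets every alert that
         reaches email_alert_level below. -->
    <email_to>security-office@example.org</email_to>
    <smtp_server>smtp.example.org</smtp_server>
    <email_from>ossec@example.org</email_from>
    <!-- Raise the hourly cap when grouping is turned off in
         etc/internal_options.conf, otherwise per-alert mails get throttled. -->
    <email_maxperhour>9999</email_maxperhour>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Granular recipient: one sysadmin, only alerts whose location
       matches their agent name. -->
  <email_alerts>
    <email_to>sysadmin-xyz@example.org</email_to>
    <event_location>xyz123</event_location>
  </email_alerts>

  <!-- Granular recipient: an on-call address, only level >= 10. -->
  <email_alerts>
    <email_to>oncall@example.org</email_to>
    <level>10</level>
  </email_alerts>
</ossec_config>
```

The per-agent filter is only exact per message when grouping is off (maild.groupping=0 in etc/internal_options.conf, as the reply says); with grouping left on, a mail to sysadmin-xyz@example.org that is triggered by agent xyz123 can still carry alerts from other agents that fired in the same interval.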
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.