Documentation

From OSSEC Wiki


Why does ossec send me so many emails?

Why?

Well, ossec has something to tell you and you should pay attention. But seriously, why? There are two reasons why ossec will send you an email alert:

  • 1 - The alert level has reached the global email alert threshold.
  • 2 - A rule specifically states that it should send you an email alert no matter what the level.

You can tell fairly easily by looking at a couple of things. First, check whether the alert's level was at or above the global email alert threshold in the ossec.conf file. The default is 7, as you can see here:

   <alerts>
        <log_alert_level>1</log_alert_level>
        <email_alert_level>7</email_alert_level>
   </alerts>

It is also possible for a rule to send you an alert no matter what the global email alert level is. How do you tell if this is the case? Well, you look at the rule, of course. Any rule can send you an email alert simply by including the following:

   <options>alert_by_email</options>

One example of this would be:

   OSSEC HIDS Notification.
   2008 Apr 03 14:30:11
   
   Received From: (foo) 192.168.0.2->/var/log/messages
   Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
   Portion of the log(s):
   
   Apr  3 14:30:09 foo.bar smbd[4878]:   read_data: read failure
   for 4 bytes to client 192.168.0.3. Error = Connection reset by peer


If you look at rule 1002:

 <rule id="1002" level="2">
   <match>$BAD_WORDS</match>
   <options>alert_by_email</options>
   <description>Unknown problem somewhere in the system.</description>
 </rule>

You can see that the alert_by_email option is enabled.

Answer.

Well, obviously this means you have some sort of dire problem you should resolve. Yeah, right. Who has the time to actually keep every error from happening on their network? To keep ossec useful and yourself sane you need to do some tuning to keep the signal to noise ratio high. One way is to add a local rule to /var/ossec/rules/local_rules.xml that is a child of rule 1002 and switches email off for just this message:

<rule id="101002" level="2">
    <if_sid>1002</if_sid>
    <program_name>^smbd</program_name>
    <regex>read_data: read failure for \d+ bytes to client \d+.\d+.\d+.\d+. Error = Connection reset by peer</regex>
    <options>no_email_alert</options>
</rule>

When doing this you should always try to make your alerts as tight as possible so that you don't unintentionally filter out events that you haven't seen before. However, if you just want to make it all go away, you could use the overwrite option and add a local version of the rule to your local_rules.xml:

<rule id="1002" level="2" overwrite="yes">
  <match>$BAD_WORDS</match>
  <options>no_email_alert</options>
  <description>Unknown problem somewhere in the system.</description>
</rule>
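To see how the two email triggers from the "Why?" section and the two tuning rules from the "Answer" section interact, here is a small Python model, added as an example for this page; it is not OSSEC's own code and not part of the original wiki text. It assumes a deliberately simplified matcher: only if_sid, program_name and regex are evaluated, the stock rule 1002 is taken as already matched (its $BAD_WORDS variable is not expanded), and OSSEC's regex syntax is interpreted with Python's re, which agrees with it for the constructs this rule uses (\d, + and . as any character). The function names (email_alert_level, load_rules, sends_email, matching_rule, decide) and the sample data are constructed for the example.

```python
# Added example (not OSSEC's own code): applies the FAQ's two e-mail triggers
# to a rule set and checks that the page's local tuning rule catches the smbd
# log line. Assumptions: simplified matching (if_sid, program_name, regex only),
# parent rule 1002 already matched, OSSEC regex interpreted with Python's re.
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt with the page's default thresholds.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>"""

# Constructed rule set: stock rule 1002 plus the page's local child rule,
# wrapped in one <group> so it parses as a single XML document.
RULES_XML = r"""<group name="example">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="101002" level="2">
    <if_sid>1002</if_sid>
    <program_name>^smbd</program_name>
    <regex>read_data: read failure for \d+ bytes to client \d+.\d+.\d+.\d+. Error = Connection reset by peer</regex>
    <options>no_email_alert</options>
  </rule>
</group>"""

# Constructed: the page's "make it all go away" variant, after the stock rule.
RULES_OVERWRITE_XML = """<group name="example">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="1002" level="2" overwrite="yes">
    <match>$BAD_WORDS</match>
    <options>no_email_alert</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>"""

# Constructed syslog line: the smbd event from the FAQ's notification, unwrapped.
SAMPLE_LOG = ("Apr  3 14:30:09 foo.bar smbd[4878]: read_data: read failure for 4 bytes "
              "to client 192.168.0.3. Error = Connection reset by peer")

# Splits a BSD-syslog line into (program, message); pid suffix is optional.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (\S+?)(?:\[\d+\])?:\s*(.*)$")


def email_alert_level(conf_xml):
    """Global threshold from <alerts><email_alert_level>; the page's default is 7."""
    node = ET.fromstring(conf_xml).find("./alerts/email_alert_level")
    return int(node.text) if node is not None else 7


def load_rules(rules_xml):
    """Map rule id -> fields. A later rule with overwrite="yes" replaces an earlier
    one with the same id; a duplicate id without it is flagged as an error."""
    rules = {}
    for r in ET.fromstring(rules_xml).iter("rule"):
        rid = int(r.get("id"))
        if rid in rules and r.get("overwrite") != "yes":
            raise ValueError('duplicate rule id %d without overwrite="yes"' % rid)
        if_sid = [int(s) for s in (r.findtext("if_sid") or "").split(",") if s.strip()]
        rules[rid] = {
            "level": int(r.get("level")),
            "options": {o.text.strip() for o in r.findall("options") if o.text},
            "if_sid": if_sid,
            "program_name": r.findtext("program_name"),
            "regex": r.findtext("regex"),
        }
    return rules


def sends_email(rule, threshold):
    """The FAQ's two triggers: per-rule alert_by_email, or level at/above the
    global threshold. no_email_alert switches mail off regardless of level."""
    if "no_email_alert" in rule["options"]:
        return False
    return "alert_by_email" in rule["options"] or rule["level"] >= threshold


def matching_rule(rules, parent_id, program, message):
    """First child of parent_id (via if_sid) whose program_name and regex both
    match; the parent itself when no child narrows the event further."""
    for rid in sorted(rules):
        rule = rules[rid]
        if parent_id not in rule["if_sid"]:
            continue
        if rule["program_name"] and not re.search(rule["program_name"], program):
            continue
        if rule["regex"] and not re.search(rule["regex"], message):
            continue
        return rid
    return parent_id


def decide(log_line, rules_xml=RULES_XML, conf_xml=OSSEC_CONF, parent_id=1002):
    """Return (rule id that fires, whether an e-mail goes out) for one syslog
    line, assuming stock rule parent_id already matched it as in the FAQ."""
    m = SYSLOG_RE.match(log_line)
    if not m:
        raise ValueError("not a syslog line: %r" % log_line)
    rules = load_rules(rules_xml)
    rid = matching_rule(rules, parent_id, m.group(1), m.group(2))
    return rid, sends_email(rules[rid], email_alert_level(conf_xml))


if __name__ == "__main__":
    print("child rule 101002:", decide(SAMPLE_LOG))                      # (101002, False)
    print("overwritten 1002:", decide(SAMPLE_LOG, RULES_OVERWRITE_XML))  # (1002, False)
```

Running it shows the difference between the two tuning approaches: with the child rule, only the smbd "Connection reset by peer" message is silenced and any other $BAD_WORDS hit from a different program still falls through to rule 1002 and its alert_by_email; with the overwrite, rule 1002 itself stops mailing for every program.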