New install of OSSEC server on Debian 10, clients on Debian and CentOS hosts.
Contents of /etc/ossec-init.conf:
DIRECTORY="/var/ossec"
VERSION="v3.6.0"
DATE="Mon Sep 14 18:34:57 UTC 2020"
TYPE="server"
I set the alerts thusly, and restarted ossec:
# grep alert ossec.conf
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>10</email_alert_level>
</alerts>
But I'm still getting emails for events of level 2, 3 etc, which I thought would be inhibited by the value of this parameter.
What am I missing?
email_alert_level setting ignored
-
- Forum User
- Posts: 6
- Joined: Sat Dec 19, 2020 1:16 pm
- Location: US
Re: email_alert_level setting ignored
Good morning!
<log_alert_level>1</log_alert_level>
The value entered here will allow alerts from any events level 1 or higher. If you only want level 7 or higher, you would set <log_alert_level>7</log_alert_level>
https://www.ossec.net/docs/docs/syntax/ ... lert_level
Re: email_alert_level setting ignored
Thank you for the sanity check. This seems counter-intuitive, but I'll try it.
cponton wrote:
Good morning!
<log_alert_level>1</log_alert_level>
The value entered here will allow alerts from any events level 1 or higher. If you only want level 7 or higher, you would set <log_alert_level>7</log_alert_level>
https://www.ossec.net/docs/docs/syntax/ ... lert_level
Now I'm wondering exactly what the email_alert_level parameter is for....
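Added example, not part of the thread and not OSSEC project code: the OSSEC documentation describes email_alert_level as the minimum level for e-mail notifications and notes that individual rules can override it with the alert_by_email option. This script lists rules that carry that option at a level below the configured threshold; the rule ids, levels and descriptions are constructed, and it assumes the files parse as XML once wrapped in a single root.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <alerts> block quoted in the question.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>
</ossec_config>"""

# Constructed sample rules; ids, levels and descriptions are made up.
RULES = """<group name="constructed,">
  <rule id="100001" level="2">
    <options>alert_by_email</options>
    <description>Constructed low-level rule that forces email</description>
  </rule>
  <rule id="100002" level="3">
    <description>Constructed low-level rule without options</description>
  </rule>
</group>
<group name="constructed2,">
  <rule id="100003" level="12">
    <options>alert_by_email</options>
  </rule>
</group>"""

def parse_fragments(text):
    # OSSEC files may hold several top-level elements; wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def email_threshold(conf_text, default=7):
    # First <email_alert_level> found; 7 is the documented default.
    node = parse_fragments(conf_text).find(".//email_alert_level")
    return int(node.text) if node is not None else default

def forced_email_rules(conf_text, rules_text):
    """Return (rule id, level) pairs that are mailed below email_alert_level."""
    threshold = email_threshold(conf_text)
    hits = []
    for rule in parse_fragments(rules_text).iter("rule"):
        options = {(o.text or "").strip() for o in rule.findall("options")}
        level = int(rule.get("level", "0"))
        if "alert_by_email" in options and level < threshold:
            hits.append((rule.get("id"), level))
    return hits

if __name__ == "__main__":
    for rule_id, level in forced_email_rules(OSSEC_CONF, RULES):
        print(f"rule {rule_id} level {level}: alert_by_email bypasses the threshold")
```

To check a real install, pass in the text of ossec.conf and of each rules file in place of the constructed strings; their locations under the DIRECTORY shown above (etc/ossec.conf and rules/) are assumed here.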