
email_alert_level setting ignored

Posted: Sat Dec 19, 2020 1:26 pm
by raskolnikov88
New install of ossec server on Debian 10, clients on Debian and CentOS hosts.
Contents of /etc/ossec-init.conf:
DIRECTORY="/var/ossec"
VERSION="v3.6.0"
DATE="Mon Sep 14 18:34:57 UTC 2020"
TYPE="server"

I set the alerts thusly, and restarted ossec:
# grep alert ossec.conf
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>10</email_alert_level>
</alerts>

But I'm still getting emails for events of level 2, 3, etc., which I thought would be inhibited by the value of this parameter.

What am I missing?

Re: email_alert_level setting ignored

Posted: Mon Dec 21, 2020 9:40 am
by cponton
Good morning!

<log_alert_level>1</log_alert_level>

The value entered here will allow alerts for any events of level 1 or higher. If you only want level 7 or higher, you would set <log_alert_level>7</log_alert_level>

https://www.ossec.net/docs/docs/syntax/ ... lert_level

Re: email_alert_level setting ignored

Posted: Mon Dec 21, 2020 12:14 pm
by raskolnikov88
cponton wrote: Good morning!

<log_alert_level>1</log_alert_level>

The value entered here will allow alerts for any events of level 1 or higher. If you only want level 7 or higher, you would set <log_alert_level>7</log_alert_level>

https://www.ossec.net/docs/docs/syntax/ ... lert_level
Thank you for the sanity check. This seems counter-intuitive, but I'll try it.

Now I'm wondering exactly what the email_alert_level parameter is for...
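The two thresholds in the <alerts> block, modelled in a short added example (this is not code from the thread or from the OSSEC project). It assumes the documented semantics: log_alert_level is the minimum rule level written to alerts.log, email_alert_level is the minimum level that is e-mailed, and a rule's own <options>alert_by_email</options> or <options>no_email_alert</options> overrides the e-mail threshold for that rule, which is one reason a low-level event can still arrive by mail. The config fragment and the sample alerts (rule ids, levels, options) are constructed for the demonstration, not taken from a real rule set.

```python
"""Model how OSSEC's log_alert_level and email_alert_level gate an alert.

Added example, not OSSEC's own code. Assumptions (labelled):
  - log_alert_level   : minimum level that is written to alerts.log
  - email_alert_level : minimum level that is e-mailed
  - a rule option "alert_by_email" forces e-mail regardless of level,
    "no_email_alert" suppresses e-mail regardless of level
The XML fragment and sample alerts below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment mirroring the settings in the thread.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>
</ossec_config>"""

# Constructed sample alerts: (rule id, rule level, rule <options> values).
SAMPLE_ALERTS = [
    (5501, 3, ()),                     # ordinary level-3 event, no options
    (502, 3, ("alert_by_email",)),     # low level, but the rule forces e-mail
    (5710, 5, ()),                     # level 5, below the e-mail threshold
    (40111, 10, ()),                   # exactly at the e-mail threshold
    (31104, 12, ("no_email_alert",)),  # high level, rule opts out of e-mail
]


def parse_alert_levels(conf_xml):
    """Return (log_alert_level, email_alert_level) from an ossec.conf string.

    Defaults (assumed from the OSSEC docs) are used when a tag is absent.
    """
    root = ET.fromstring(conf_xml)
    alerts = root.find("alerts")
    if alerts is None:
        return 1, 7
    log_level = int(alerts.findtext("log_alert_level", "1"))
    email_level = int(alerts.findtext("email_alert_level", "7"))
    return log_level, email_level


def decide(level, options, log_level, email_level):
    """Return (logged, emailed, reason) for one alert under the model above."""
    logged = level >= log_level
    if "no_email_alert" in options:
        return logged, False, "rule option no_email_alert"
    if "alert_by_email" in options:
        return logged, True, "rule option alert_by_email overrides threshold"
    if level >= email_level:
        return logged, True, "level %d >= email_alert_level %d" % (level, email_level)
    return logged, False, "level %d < email_alert_level %d" % (level, email_level)


def evaluate(conf_xml, alerts):
    """Map each rule id to its (logged, emailed, reason) decision."""
    log_level, email_level = parse_alert_levels(conf_xml)
    return {rule_id: decide(level, options, log_level, email_level)
            for rule_id, level, options in alerts}


if __name__ == "__main__":
    for rule_id, (logged, emailed, reason) in evaluate(OSSEC_CONF, SAMPLE_ALERTS).items():
        print("rule %-6d logged=%-5s emailed=%-5s (%s)" % (rule_id, logged, emailed, reason))
```

When a mail arrives for an event whose level is below email_alert_level, the model points at the first thing to check: the <options> element of the rule that fired, in the rule file that defines it.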