email_alert_level setting ignored

Support/Development for OSSEC
raskolnikov88
Forum User
Posts: 6
Joined: Sat Dec 19, 2020 1:16 pm
Location: US


New install of OSSEC server on Debian 10, clients on Debian and CentOS hosts.
Contents of /etc/ossec-init.conf:
DIRECTORY="/var/ossec"
VERSION="v3.6.0"
DATE="Mon Sep 14 18:34:57 UTC 2020"
TYPE="server"

I set the alerts thusly, and restarted ossec:
# grep alert ossec.conf
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>10</email_alert_level>
</alerts>

But I'm still getting emails for events of level 2, 3 etc, which I thought would be inhibited by the value of this parameter.

What am I missing?
cponton
Atomicorp Staff - Site Admin
Posts: 13
Joined: Fri Oct 09, 2020 9:41 am


Good morning!

<log_alert_level>1</log_alert_level>

The value entered here will allow alerts from any events level 1 or higher. If you only want level 7 or higher, you would set <log_alert_level>7</log_alert_level>

https://www.ossec.net/docs/docs/syntax/ ... lert_level
raskolnikov88
Forum User
Posts: 6
Joined: Sat Dec 19, 2020 1:16 pm
Location: US


cponton wrote:
Good morning!

<log_alert_level>1</log_alert_level>

The value entered here will allow alerts from any events level 1 or higher. If you only want level 7 or higher, you would set <log_alert_level>7</log_alert_level>

https://www.ossec.net/docs/docs/syntax/ ... lert_level

Thank you for the sanity check. This seems counter-intuitive, but I'll try it.

Now I'm wondering exactly what the email_alert_level parameter is for....
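
Added example (not part of the forum thread, and not OSSEC's own code): a simplified model of how the two thresholds in the <alerts> block combine with the per-rule options alert_by_email, no_email_alert and no_log, which an OSSEC rule can carry and which override the thresholds for that rule. The rule ids, levels and descriptions are constructed for illustration, and the decision logic is an assumption based on the documented meaning of these settings.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the <alerts> block from the question plus three
# made-up rules (ids, levels and descriptions are not from a real rule file).
OSSEC_CONF = """
<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>10</email_alert_level>
</alerts>
"""
RULES = """
<group name="example,">
  <rule id="100001" level="2">
    <options>alert_by_email</options>
    <description>Low-level rule that forces e-mail</description>
  </rule>
  <rule id="100002" level="3"><description>No options</description></rule>
  <rule id="100003" level="12">
    <options>no_email_alert</options>
    <description>High-level rule that suppresses e-mail</description>
  </rule>
</group>
"""

def parse_fragment(text):
    # OSSEC files may hold several top-level elements, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def alert_thresholds(conf_text):
    alerts = parse_fragment(conf_text).find(".//alerts")
    return (int(alerts.findtext("log_alert_level")),
            int(alerts.findtext("email_alert_level")))

def classify_rules(conf_text, rules_text):
    """Simplified model (an assumption): {rule_id: (logged, emailed)}."""
    log_min, email_min = alert_thresholds(conf_text)
    result = {}
    for rule in parse_fragment(rules_text).iter("rule"):
        level = int(rule.get("level"))
        options = {o.text.strip() for o in rule.findall("options") if o.text}
        logged = level >= log_min and "no_log" not in options
        # alert_by_email forces mail below the threshold; no_email_alert blocks it.
        emailed = "alert_by_email" in options or (
            level >= email_min and "no_email_alert" not in options)
        result[rule.get("id")] = (logged, emailed)
    return result

if __name__ == "__main__":
    print(classify_rules(OSSEC_CONF, RULES))
```

Searching the installed rule files for alert_by_email lists the rules that can still send mail below the configured email_alert_level.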