Rodolfo Bandeira

software, electronics, security, devops, thoughts

How to disable email alert level 2 in OSSEC HIDS

Received From: srvcob->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

My server is sending a lot of level 2 alert emails. It's so boring and, in my point of view, completely unnecessary. So, how to disable it?

Go to

/var/ossec/rules

and then edit syslog_rules.xml, commenting out the <options> line in rule 1002:

  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <!-- <options>alert_by_email</options> -->
    <description>Unknown problem somewhere in the system.</description>
  </rule>

To restart the OSSEC service, type:

/var/ossec/bin/ossec-control stop
/var/ossec/bin/ossec-control start
