Option to exclude mod_security alerts from OSSEC mails

breun · **Posted:** Mon Apr 06, 2009 10:14 am

Some of our servers are generating a lot of mod_security alerts. This is good, since it means it is doing its job. But the hourly OSSEC mails are getting kind of dominated by the endless lists of mod_security alerts and the really interesting events sometimes get overlooked because of this. I'd like to see an option to exclude mod_security alerts from OSSEC mails.

biggles · **Posted:** Mon Apr 06, 2009 12:10 pm

Second that!

mikeshinn · **Posted:** Mon Apr 06, 2009 5:49 pm

Added to the feature queue. We may need to look into adding this into some sort of config tab too. I'll get with Scotts team to brainstorm some ideas.

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1843

You can easily modify the OSSEC rules to change the email trigger level, so that it only emails you for an alert over level 7 (or whatever level you want). However it gets overwritten when you run asl -u.

So count me in too!

Faris.

BerArt · **Posted:** Tue Apr 07, 2009 8:45 am

That would be very nice! Some of my OSSEC mail are 100Kb

breun · **Posted:** Sun Oct 11, 2009 4:53 pm

Mike, how is this request doing in the queue?

scott · **Posted:** Sun Oct 11, 2009 5:30 pm

Nobody has had the time to look into it yet

Option to exclude mod_security alerts from OSSEC mails

Who is online