mrash/psad

psad alerting method noemail stops syslog messages

joshlinx opened this issue · 6 comments

I have noemail set in alerting method because I only want syslog messages. psad doesn't write syslog messages if noemail is set. If I leave it at the default ALL, it writes syslog messages again.

Current workaround for me is thresholding emails to 1 out of 1000 alerts and only emailing at danger level 5.

mrash commented

I'm having trouble reproducing this in the latest psad sources. Syslog messages get disabled via this line: https://github.com/mrash/psad/blob/master/psad#L10136
They are also disabled in analyze, status, or test modes: https://github.com/mrash/psad/blob/master/psad#L3298

Which version of psad are you seeing this behavior with? Also, what arguments are being passed on the command line to the running psad instance? (Just grep the process table.)

I am running the latest version of psad, 2.4.4. I didn't pass any arguments to the daemon other than what it reads from the config file. Here is a dump of my psad config. It's the opposite of what I want: I don't want email, but I do want syslog messages, since the alerting threshold is very low with a public-facing IP address. I tested it myself by scanning the host with noemail set and with ALL set. I first noticed a week later because I graph the scans with a munin plugin that collects the syslog messages "psad: scan detected".

psadconfig.txt

mrash commented

Thanks for sending the config. This enabled me to find the problem, and if you want to clone the psad repository and try it out it should work. If you would like a -pre release of psad-2.4.5 instead, please let me know.

mrash commented

Note you can also work around the bug in 2.4.4 by setting EMAIL_THROTTLE to 0.
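An added example (not from the psad project or either commenter) that checks a psad.conf for the combination this thread is about: ALERTING_METHODS noemail together with a non-zero EMAIL_THROTTLE, which on 2.4.4 silences the syslog "scan detected" messages too. The config excerpt is constructed in psad.conf's `KEY value;` style, not the reporter's attached psadconfig.txt.

```python
import re

# Constructed psad.conf excerpt mirroring the setup described in the issue:
# syslog-only alerting plus the reporter's 1-in-1000 email throttle.
NOEMAIL_THROTTLED = """\
### psad.conf excerpt (constructed sample)
EMAIL_ADDRESSES             root@localhost;
ALERTING_METHODS            noemail;
EMAIL_THROTTLE              1000;
"""

# psad.conf lines look like "KEY   value;"; '#' lines are comments.
CONF_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s+(.*?)\s*;\s*$")


def parse_psad_conf(text):
    """Return {KEY: value} for every 'KEY value;' line, skipping comments."""
    conf = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = CONF_LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def check_syslog_alerting(conf):
    """Return findings for the 2.4.4 bug: noemail plus EMAIL_THROTTLE > 0.

    The maintainer's workaround is EMAIL_THROTTLE 0 (or a release newer
    than 2.4.4). ALERTING_METHODS defaults to ALL when absent.
    """
    findings = []
    methods = conf.get("ALERTING_METHODS", "ALL").strip().lower()
    throttle_raw = conf.get("EMAIL_THROTTLE", "0").strip()
    if not throttle_raw.isdigit():
        findings.append(f"EMAIL_THROTTLE is not an integer: {throttle_raw!r}")
    elif methods == "noemail" and int(throttle_raw) > 0:
        findings.append(
            f"ALERTING_METHODS noemail with EMAIL_THROTTLE {throttle_raw}: "
            "on psad 2.4.4 syslog alerts stop too; set EMAIL_THROTTLE 0 "
            "or upgrade past 2.4.4")
    return findings


if __name__ == "__main__":
    for finding in check_syslog_alerting(parse_psad_conf(NOEMAIL_THROTTLED)):
        print("WARN:", finding)
```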

Thx for the tip, I set email throttle to 0.