emailalert.pl sending null data

PNTECH
Level 1

Hello,

I have tried to implement the emailalert.pl script to e-mail more detailed info. I can verify that the script works: it will e-mail me when the event rule is tripped, but the e-mail only contains the following:

reported a severity alert at // ::

Signature (:) from to

Actions taken:

----------------------------------------------------

I have a 4215 running S101. I can also verify that the 'idsalert' file in the temp directory contains the same info. Also, if I manually run the script from its directory, it does send out an e-mail with the fields populated, but it has something like 100 plus entries in the e-mail. Can anyone help?

Thanks!

3 Replies

gfullage
Cisco Employee

What are your Event Rule parameters? If you have something like "Severity=High AND VictimAddress=10.1.1.1" then remove the Victim Address one, just use Severity. There's a known bug with certain event parameters (VictimAddress being one) that returns empty database queries, and hence the email that gets sent is empty also.

Other than that, there's a section in the emailalert.pl script that reads:

# If you want to see the actual database query result in the email, un-comment
# out the line below (useful for troubleshooting):
# print(OUT "$oneline\n");

Un-comment out the last line there, and the next time you get an email the database query will be listed at the top. If you can post that, then it may give us an indication of what's going wrong.

Thanks, I'll give that a try.

Was there a solution to this? I am having the same problem.

Thanks

dwane