I have an OSSEC server running CentOS 5 and OSSEC 1.5.  This server is
receiving alerts from two Windows 2003 Active Directory servers running the
OSSEC agents.  The OSSEC server is receiving an average of 10,000 alerts per
hour.  

Alert emails seem to function fine for the first 10 - 30 minutes of each
hour.  I receive one email per alert (for example, I receive an email with a
single alert concerning Rule 18111 "User account changed").  At some point
during the hour, I stop receiving emails.  At the beginning of the next
hour, I receive a single email with 10 - 30 alerts in it.  Then the emails
go back to one email per alert.  For example:
9:00 AM email -- 24 alerts
9:01 AM email -- 1 alert
9:03 AM email -- 1 alert
9:05 AM email -- 1 alert
9:06 AM email -- 1 alert
9:10 AM email -- 1 alert
9:12 AM email -- 1 alert
9:15 AM email -- 1 alert
9:20 AM email -- 1 alert
9:21 AM email -- 1 alert
(no more emails in the 9:00 AM hour)
10:00 AM email -- 10 alerts
10:01 AM email -- 1 alert
10:07 AM email -- 1 alert
10:22 AM email -- 1 alert
(no more emails in the 10:00 AM hour)

I have verified that /var/ossec/logs/alerts/alerts.log has alerts for the
entire hour.  It seems as if some process dies, restarts at the new hour,
and then processes its queue of alerts to be emailed.

Has anybody else seen this issue?

Thanks,
Doug

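The manual check described in the post (confirming that alerts.log covers the whole hour while the e-mails stop partway through) can be scripted. The following is an added example, not code from the post or from the OSSEC project: it parses a constructed excerpt laid out like an OSSEC 1.x alerts.log (a `** Alert` header line carrying the `mail` tag, a timestamp line, a `Rule:` line), buckets the emailable alerts per hour, and reports the hours in which fewer alerts arrived by e-mail than were logged. The sample log lines, host names and the `emails_received` counts are constructed; the layout assumption is noted in the comments.

```python
"""Cross-check an OSSEC alerts.log against the alert e-mails actually received."""
import re
from collections import Counter

# Constructed excerpt in the alerts.log layout assumed for OSSEC 1.x:
# header line ("** Alert <epoch>.<n>: mail - <groups>,"), timestamp line, "Rule:" line.
# The epoch values, hosts and addresses are made up for this example.
SAMPLE_ALERTS_LOG = """\
** Alert 1257411612.1: mail  - windows,
2009 Nov 05 09:00:12 (dc01) 10.0.0.1->WinEvtLog
Rule: 18111 (level 8) -> 'User account changed.'
User: SYSTEM
** Alert 1257411690.2: mail  - windows,
2009 Nov 05 09:01:30 (dc01) 10.0.0.1->WinEvtLog
Rule: 18111 (level 8) -> 'User account changed.'
** Alert 1257414005.3: mail  - windows,
2009 Nov 05 09:40:05 (dc02) 10.0.0.2->WinEvtLog
Rule: 18111 (level 8) -> 'User account changed.'
** Alert 1257415240.4: mail  - windows,
2009 Nov 05 10:00:40 (dc01) 10.0.0.1->WinEvtLog
Rule: 18111 (level 8) -> 'User account changed.'
** Alert 1257417000.5: mail  - windows,
2009 Nov 05 10:30:00 (dc02) 10.0.0.2->WinEvtLog
Rule: 18111 (level 8) -> 'User account changed.'
"""

TIMESTAMP_RE = re.compile(r"^(\d{4} \w{3} \d{2}) (\d{2}):(\d{2}):(\d{2}) \(")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")


def parse_alerts(text):
    """Return (day, hour, minute, rule_id, level) for each alert flagged for e-mail.

    Alerts without the 'mail' tag in their header are skipped, since OSSEC would
    not have tried to e-mail them in the first place.
    """
    alerts = []
    mail_flag = False
    stamp = None
    for line in text.splitlines():
        if line.startswith("** Alert"):
            mail_flag = ": mail" in line
            stamp = None
            continue
        m = TIMESTAMP_RE.match(line)
        if m:
            stamp = (m.group(1), int(m.group(2)), int(m.group(3)))
            continue
        r = RULE_RE.match(line)
        if r and stamp is not None and mail_flag:
            alerts.append((stamp[0], stamp[1], stamp[2], int(r.group(1)), int(r.group(2))))
            stamp = None  # one rule line per alert
    return alerts


def alerts_per_hour(alerts):
    """Count emailable alerts per (day, hour) bucket."""
    return Counter((day, hour) for day, hour, _minute, _rule, _level in alerts)


def last_alert_minute_per_hour(alerts):
    """Latest minute in each hour at which an alert was logged (shows the log kept going)."""
    last = {}
    for day, hour, minute, _rule, _level in alerts:
        key = (day, hour)
        last[key] = max(last.get(key, -1), minute)
    return last


def find_gaps(alerts, emails_received):
    """Compare logged alerts with delivered ones.

    emails_received maps (day, hour) -> number of alerts that arrived by e-mail
    during that hour. Returns {(day, hour): undelivered_count} for every hour in
    which alerts.log holds more emailable alerts than were mailed, i.e. the backlog
    that would surface as a multi-alert digest at the top of the next hour.
    """
    logged = alerts_per_hour(alerts)
    gaps = {}
    for key, n_logged in sorted(logged.items()):
        delivered = emails_received.get(key, 0)
        if delivered < n_logged:
            gaps[key] = n_logged - delivered
    return gaps


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS_LOG)
    # Constructed delivery counts: two mails arrived in the 09:00 hour, two in the 10:00 hour.
    received = {("2009 Nov 05", 9): 2, ("2009 Nov 05", 10): 2}
    print("logged per hour:", dict(alerts_per_hour(parsed)))
    print("last alert minute:", last_alert_minute_per_hour(parsed))
    print("undelivered per hour:", find_gaps(parsed, received))
```

Feed it the real alerts.log and a count of e-mails per hour taken from the mailbox; an hour that shows a positive undelivered count alongside a late `last_alert_minute` value confirms the pattern in the post (the log keeps filling while mail delivery has stalled) rather than a gap in the alerts themselves.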