I found the answer to my question below in the OSSEC manual: http://www.ossec.net/main/manual/
I added the email_maxperhour option to the Global element. I had previously looked through the ossec.conf file for any setting relating to my problem but found none. Perhaps the email_maxperhour option and its default value of 12 could be added to the default ossec.conf file to prevent other first-time users from having the same question. Yes, I should have Read The Fine Manual, but it has been my experience that the great majority of Linux services have all of their configuration options defined by default in their config file.

Thanks for a great piece of software and well-written documentation.

Doug

Subject: Alert emails not being sent until new hour

I have an OSSEC server running CentOS 5 and OSSEC 1.5. This server is receiving alerts from two Windows 2003 Active Directory servers running the OSSEC agents. The OSSEC server is receiving an average of 10,000 alerts per hour.

Alert emails seem to function fine for the first 10 - 30 minutes of each hour. I receive one email per alert (for example, I receive an email with a single alert concerning Rule 18111 "User account changed"). At some point during the hour, I stop receiving emails. At the beginning of the next hour, I receive a single email with 10 - 30 alerts in it. Then the emails go back to one email per alert.

For example:

9:00 AM email -- 24 alerts
9:01 AM email -- 1 alert
9:03 AM email -- 1 alert
9:05 AM email -- 1 alert
9:06 AM email -- 1 alert
9:10 AM email -- 1 alert
9:12 AM email -- 1 alert
9:15 AM email -- 1 alert
9:20 AM email -- 1 alert
9:21 AM email -- 1 alert
(no more emails in the 9:00 AM hour)
10:00 AM email -- 10 alerts
10:01 AM email -- 1 alert
10:07 AM email -- 1 alert
10:22 AM email -- 1 alert
(no more emails in the 10:00 AM hour)

I have verified that /var/ossec/logs/alerts/alerts.log has alerts for the entire hour. It seems as if some process dies, restarts at the new hour, and then processes its queue of alerts to be emailed.

Has anybody else seen this issue?

Thanks,
Doug
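
An added example, not part of the original thread and not OSSEC's own code: a Python model of the hourly e-mail cap that reproduces the symptom in the post. It assumes alerts over the cap are held and sent as one grouped e-mail at the top of the next hour, and that the grouped e-mail does not count against the cap; the function names and the sample alert times are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_MAXPERHOUR = 12  # default value of email_maxperhour stated in the post


def simulate_mail(alert_times, maxperhour=DEFAULT_MAXPERHOUR):
    """Return sorted [(send_time, alert_count, delayed)] for alert datetimes.

    Assumed model: the first `maxperhour` alerts of each clock hour are
    mailed one per e-mail as they occur; the rest of that hour's alerts
    are held and mailed together at the start of the next hour.
    """
    by_hour = defaultdict(list)
    for t in sorted(alert_times):
        by_hour[t.replace(minute=0, second=0, microsecond=0)].append(t)

    emails = []
    for hour, alerts in by_hour.items():
        emails.extend((t, 1, False) for t in alerts[:maxperhour])
        held = len(alerts) - maxperhour
        if held > 0:
            emails.append((hour + timedelta(hours=1), held, True))
    return sorted(emails)


def delayed_alerts(emails):
    """Number of alerts that reached the inbox only in a grouped e-mail."""
    return sum(count for _, count, delayed in emails if delayed)


# Constructed sample: one e-mail-worthy alert every 2 minutes for 2 hours.
START = datetime(2008, 6, 2, 9, 0)
SAMPLE = [START + timedelta(minutes=2 * i) for i in range(60)]

if __name__ == "__main__":
    for cap in (DEFAULT_MAXPERHOUR, 100):
        emails = simulate_mail(SAMPLE, cap)
        print(f"email_maxperhour={cap}: {len(emails)} e-mails, "
              f"{delayed_alerts(emails)} alerts delayed")
        for sent, count, delayed in emails:
            if delayed:
                print(f"  {sent:%H:%M} grouped e-mail with {count} alerts")
```

With the default cap, alerts raised after the twelfth e-mail of an hour can wait up to the rest of that hour before anyone sees them, which matters when e-mail is the only notification path.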
