Is this normal? If so, can I make OSSEC send emails containing alerts for only one server?
Here's an (anonymized) example from 1 email this morning:

I noticed the Subject: always refers to the last notification contained in the email

------------ snip
Subject: OSSEC Notification - (xxil9) 123.123.111.119 - Alert level 10

OSSEC HIDS Notification.
2009 Mar 27 10:03:18

Received From: (xxxdb3) 123.123.111.113->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 27 10:03:16 xxxdb3 ntpd[1941]: frequency error 512 PPM exceeds tolerance 500 PPM

--END OF NOTIFICATION

OSSEC HIDS Notification.
2009 Mar 27 10:03:24

Received From: (xxil9) 123.123.111.119->/var/log/maillog
Rule: 3158 fired (level 10) -> "Multiple pre-greetings rejects."
Portion of the log(s):
---------- snip

Thanks

Mark Delahunty
University College Cork
Cork
Ireland
