Hey Mark, I can't say whether you can change this behavior, but I can say that this happens to me as well, so yes, it's probably normal.
On Mar 27, 6:10 am, "Delahunty, Mark" <[email protected]> wrote: > Is this normal? If so can I make OSSEC send emails containing alerts for > only one server? > > Here's an (anonymized) example from 1 email this morning: > > I noticed the Subject: always refers to the last notification contained > in the email > > ------------ snip > Subject: OSSEC Notification - (xxil9) 123.123.111.119 - Alert level 10 > > OSSEC HIDS Notification. > 2009 Mar 27 10:03:18 > > Received From: (xxxdb3) 123.123.111.113->/var/log/messages > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." > Portion of the log(s): > > Mar 27 10:03:16 xxxdb3 ntpd[1941]: frequency error 512 PPM exceeds > tolerance 500 PPM > > --END OF NOTIFICATION > > OSSEC HIDS Notification. > 2009 Mar 27 10:03:24 > > Received From: (xxil9) 123.123.111.119->/var/log/maillog > Rule: 3158 fired (level 10) -> "Multiple pre-greetings rejects." > Portion of the log(s): > ---------- snip > > Thanks > > Mark Delahunty > University College Cork > Cork > Ireland
