Hi, you should use the option do_not_group for the alerts that you ... don't want to group.

wiki: http://www.ossec.net/wiki/Know_How:GranularEmail
manual: http://www.ossec.net/main/manual/configuration-options/#email_alerts

example (from the wiki)

    <email_alerts>
      <email_to>[email protected]</email_to>
      <rule_id>123, 124</rule_id>
      <do_not_delay />
      <do_not_group />
    </email_alerts>

Cheers,
Wim

On 17 Dec 2009, at 20:06, jplee3 wrote:

> Hi all,
>
> I've been using OSSEC for some higher-traffic web servers running
> ModSecurity SPAM/RBL rules as well as standard web-attack rules. I
> have classified the RBL rules as alert level 9 and the web attack
> rules as alert level 11. Both receiving emails. The RBL rules trigger
> *very* often and I noticed in my alert level 11 emails (for web
> attacks only) that there are often a large number of alert level 9
> alerts that show up in these emails and I often have to sort through
> the email to find the actual alert level 11. My understanding was that
> the subject and the body are supposed to contain the same content and
> not overlap. Is this a known issue or a "feature?"
> I mean, I know there are some rules that trigger when a certain other
> rule has been triggered too many times. But I'm pretty certain I don't
> have it set up this way.
>
> Any input on this?
>
>
> Thanks,
> Jeremy
