Hey,

This grouping option can cause a lot of confusion. It means that OSSEC will not group any emails and will send them independently.
However, we still have an "email_maxperhour" option that limits how many emails per hour it can send ( http://www.ossec.net/main/manual/configuration-options/#global_options ). So, even if you have grouping disabled, if the number of emails is higher than the email_maxperhour (default of 12 per hour), it will group any extra emails at the end of the hour and send them together.

The solution is to increase that to a higher number:

<email_maxperhour>9999</email_maxperhour>

*A request: If you ever get an answer that solves your problem (from everyone in the list), please try to take some time to add that to our wiki FAQ. I started with the email issues here: http://www.ossec.net/wiki/Know_How:Email

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, May 14, 2010 at 10:28 AM, dan (ddp) <[email protected]> wrote:
> On Thu, May 13, 2010 at 8:49 PM, Michael Starks
> <[email protected]> wrote:
>> dan (ddp) wrote:
>>> I'm seeing the same problem. Level 5 and 7 alerts in an email with the
>>> subject claiming level 10.
>>
>> I wonder if what is happening is that some of the alerts that went into
>> generating the event didn't make it into the e-mail. I don't think OSSEC
>> will necessarily put all of them into the e-mail. Notice the "Portion of
>> the log(s):" line in the alerts.
>>
>> --
>> Michael Starks
>> [I] Immutable Security
>> http://www.immutablesecurity.com
>>
>
> Interesting, hadn't thought about that.
>
