Turn off email grouping. In /var/ossec/etc/internal_options.conf set:

maild.groupping=0

You may need to bump the max emails per hour, depending on how many alerts you normally get.

On Tue, Jul 26, 2011 at 10:59 AM, Chris Phillips <[email protected]> wrote:
> Hi All,
>
> I have set up a central “server” and several “agent” OSSEC hosts and
> OSSEC-WUI and I can see them in the UI, but I have a question relating to
> alerts.
>
> Previously I had the agents configured as “local” OSSEC hosts and the alerts
> from them were obviously from each individual host, but now I have a server
> and agent setup, I see alerts from the agents, but all alerts I’ve seen so
> far, contain the wrong details in the subject line: -
>
> “Subject: OSSEC Notification - (Hathor) 10.0.2.10 - Alert level 10”
>
> This email alert actually contained many alerts, for multiple hosts, but the
> subject is quite misleading.
>
> Have I done something wrong and what can I do to make the alert subject a
> bit less misleading?
>
> I’d actually prefer to see individual alerts anyway, so I can easily scan
> through them and tune out (using some ruleset) those that are not
> important. Is this possible?
>
> Cheers,
> --
> ChrisP
