So this is the description:

maild.groupping

If set to 1 alerts will be grouped together in one email. These alerts may be of different types or levels, and may be from different systems.

*Default:* 1
*Allowed:* 1 or 2

What does "2" do then? I always thought disabled=0 and enabled=1...

On Thu, Aug 18, 2011 at 11:18 AM, dan (ddp) <ddp...@gmail.com> wrote:
> Did you change this:
>
> http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#intopt-maild.groupping
>
> On Thu, Aug 18, 2011 at 2:11 PM, Ralphy <jtu...@gmail.com> wrote:
> > Periodically (2 or 3 times a day) OSSEC is somehow combining logs it
> > receives from two separate hosts and reports them as if they were from
> > just one host. Has anyone else seen this and if so, is there a fix?
> >
> > I'm happy to supply example messages received. I just didn't want to
> > post specifics with hostnames etc.
> >
> > Thanks in advance!
> >
> > Ralphy