We have that already set ... am wondering if the option is not exposed and it
is a true internal throttling restriction. The problem is when you have
something like this in your ossec.conf:
<global>
  <email_notification>yes</email_notification>
  <email_to>[email protected]</email_to>
  <smtp_server>email.somedomain.com</smtp_server>
  <email_from>[email protected]</email_from>
</global>
<email_alerts>
  <email_to>[email protected]</email_to>
  <rule_id>10201, 10202, 10203, 10204</rule_id>
  <event_location>[email protected]</event_location>
  <do_not_delay/>
  <do_not_group/>
</email_alerts>
it can end up that the customer receives alerts for systems that they should
not see :(
--
Thanks, Phil
----- Original Message -----
> http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#intopt-maild.groupping
>
> Maybe?
>
> On Thu, May 17, 2012 at 9:59 AM, Phil Daws <[email protected]> wrote:
> > Hello,
> >
> > when there is a flood of alerts I believe OSSEC throttles them to a 15
> > minute window and then sends out emails. Is there a way to disable this
> > feature as I have noticed that sometimes alerts are going to people that
> > should not be receiving them!
> > --
> > Thanks, Phil
> >
>