On Thu, May 17, 2012 at 10:21 AM, Phil Daws <[email protected]> wrote:
> We have that already set ... am wondering if the option is not exposed and it
> is a true internal throttling restriction. The problem is when you have
> something like this in your ossec.conf:
>

Sorry, crystal ball's on the fritz.

> <global>
>   <email_notification>yes</email_notification>
>   <email_to>[email protected]</email_to>
>   <smtp_server>email.somedomain.com</smtp_server>
>   <email_from>[email protected]</email_from>
> </global>
>
> <email_alerts>
>   <email_to>[email protected]</email_to>
>   <rule_id>10201, 10202, 10203, 10204</rule_id>
>   <event_location>[email protected]</event_location>
>   <do_not_delay/>
>   <do_not_group/>
> </email_alerts>
>
> can end up that the customer receives alerts for systems that they should not
> see :(
> --
> Thanks, Phil
>

Does this happen at the beginning of the hour? If so, you're possibly
hitting the max emails per hour limit. Raise that up, see if it helps.

> ----- Original Message -----
>> http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#intopt-maild.groupping
>>
>> Maybe?
>>
>> On Thu, May 17, 2012 at 9:59 AM, Phil Daws <[email protected]>
>> wrote:
>> > Hello,
>> >
>> > when there is a flood of alerts I believe OSSEC throttles them to a
>> > 15
>> > minute window and then sends out emails. Is there a way to disable
>> > this
>> > feature as I have noticed that sometimes alerts are going to people
>> > that
>> > should not be receiving them!
>> > --
>> > Thanks, Phil
>> >
>>
