On Thu, May 17, 2012 at 10:21 AM, Phil Daws <[email protected]> wrote:
> We have that already set ... am wondering if the option is not exposed and it 
> is a true internal throttling restriction.  The problem is when you have 
> something like this in your ossec.conf:
>

Sorry, crystal ball's on the fritz.

>  <global>
>    <email_notification>yes</email_notification>
>    <email_to>[email protected]</email_to>
>    <smtp_server>email.somedomain.com</smtp_server>
>    <email_from>[email protected]</email_from>
>  </global>
>
>  <email_alerts>
>    <email_to>[email protected]</email_to>
>    <rule_id>10201, 10202, 10203, 10204</rule_id>
>    <event_location>[email protected]</event_location>
>    <do_not_delay/>
>    <do_not_group/>
>  </email_alerts>
>
> can end up that the customer receives alerts for systems that they should not 
> see :(
> --
> Thanks, Phil
>

Does this happen at the beginning of the hour? If so, you're possibly
hitting the max emails per hour limit. Raise that up, see if it helps.

> ----- Original Message -----
>> http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#intopt-maild.groupping
>>
>> Maybe?
>>
>> On Thu, May 17, 2012 at 9:59 AM, Phil Daws <[email protected]> wrote:
>> > Hello,
>> >
>> > when there is a flood of alerts I believe OSSEC throttles them to a
>> > 15 minute window and then sends out emails.  Is there a way to
>> > disable this feature as I have noticed that sometimes alerts are
>> > going to people that should not be receiving them!
>> > --
>> > Thanks, Phil
>> >
>>
