Thanks Dan that is perfect :)
--
Thanks, Phil

----- Original Message -----
> On Thu, May 17, 2012 at 10:21 AM, Phil Daws <[email protected]>
> wrote:
> > We have that already set ... am wondering if the option is not
> > exposed and it is a true internal throttling restriction. The
> > problem is when you have something like this in your ossec.conf:
> >
>
> Sorry, crystal ball's on the fritz.
>
> > <global>
> >   <email_notification>yes</email_notification>
> >   <email_to>[email protected]</email_to>
> >   <smtp_server>email.somedomain.com</smtp_server>
> >   <email_from>[email protected]</email_from>
> > </global>
> >
> > <email_alerts>
> >   <email_to>[email protected]</email_to>
> >   <rule_id>10201, 10202, 10203, 10204</rule_id>
> >   <event_location>[email protected]</event_location>
> >   <do_not_delay/>
> >   <do_not_group/>
> > </email_alerts>
> >
> > can end up that the customer receives alerts for systems that they
> > should not see :(
> > --
> > Thanks, Phil
> >
>
> Does this happen at the beginning of the hour? If so, you're possibly
> hitting the max emails per hour limit. Raise that up, see if it
> helps.
>
> > ----- Original Message -----
> >> http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#intopt-maild.groupping
> >>
> >> Maybe?
> >>
> >> On Thu, May 17, 2012 at 9:59 AM, Phil Daws <[email protected]>
> >> wrote:
> >> > Hello,
> >> >
> >> > when there is a flood of alerts I believe OSSEC throttles them
> >> > to a 15 minute window and then sends out emails. Is there a way
> >> > to disable this feature as I have noticed that sometimes alerts
> >> > are going to people that should not be receiving them!
> >> > --
> >> > Thanks, Phil
