Interestingly, as a colleague noted, perhaps what should happen is that if the max message limit is reached it should still honour the email alert rules and *not* combine them into a coalesced one. Does that make sense?

--
Thanks, Phil

----- Original Message -----
> A nice feature request would be by setting that to zero limiting is
> completely suppressed. Would that be possible?
>
> --
> Thanks, Phil
>
> ----- Original Message -----
> > Thanks Dan that is perfect :)
> > --
> > Thanks, Phil
> >
> > ----- Original Message -----
> > > On Thu, May 17, 2012 at 10:21 AM, Phil Daws <[email protected]> wrote:
> > > > We have that already set ... am wondering if the option is not
> > > > exposed and it is a true internal throttling restriction. The
> > > > problem is when you have something like this in your ossec.conf:
> > > >
> > >
> > > Sorry, crystal ball's on the fritz.
> > >
> > > > <global>
> > > >   <email_notification>yes</email_notification>
> > > >   <email_to>[email protected]</email_to>
> > > >   <smtp_server>email.somedomain.com</smtp_server>
> > > >   <email_from>[email protected]</email_from>
> > > > </global>
> > > >
> > > > <email_alerts>
> > > >   <email_to>[email protected]</email_to>
> > > >   <rule_id>10201, 10202, 10203, 10204</rule_id>
> > > >   <event_location>[email protected]</event_location>
> > > >   <do_not_delay/>
> > > >   <do_not_group/>
> > > > </email_alerts>
> > > >
> > > > can end up that the customer receives alerts for systems that they
> > > > should not see :(
> > > > --
> > > > Thanks, Phil
> > > >
> > >
> > > Does this happen at the beginning of the hour? If so, you're possibly
> > > hitting the max emails per hour limit. Raise that up, see if it helps.
> > >
> > > > ----- Original Message -----
> > > >> http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#intopt-maild.groupping
> > > >>
> > > >> Maybe?
> > > >>
> > > >> On Thu, May 17, 2012 at 9:59 AM, Phil Daws <[email protected]> wrote:
> > > >> > Hello,
> > > >> >
> > > >> > when there is a flood of alerts I believe OSSEC throttles them
> > > >> > to a 15 minute window and then sends out emails. Is there a way
> > > >> > to disable this feature as I have noticed that sometimes alerts
> > > >> > are going to people that should not be receiving them!
> > > >> > --
> > > >> > Thanks, Phil
