On Fri, May 18, 2012 at 4:06 AM, Phil Daws <[email protected]> wrote:
> Interestingly, as a colleague noted, perhaps what should happen is that if
> the max message limit is reached it should still honour the email alert rules
> and *not* combine them into a coalesced one. Does that make sense ?
> --
> Thanks, Phil

I think the 0 idea has merit. This idea however would just make you
further and further behind in notification emails. Perhaps a log
message about having hit the max emails per hour would be appropriate.

>
> ----- Original Message -----
>> A nice feature request would be by setting that to zero limiting is
>> completely suppressed. Would that be possible ?
>>
>> --
>> Thanks, Phil
>>
>> ----- Original Message -----
>> > Thanks Dan that is perfect :)
>> > --
>> > Thanks, Phil
>> >
>> > ----- Original Message -----
>> > > On Thu, May 17, 2012 at 10:21 AM, Phil Daws <[email protected]> wrote:
>> > > > We have that already set ... am wondering if the option is not
>> > > > exposed and it is a true internal throttling restriction. The
>> > > > problem is when you have something like this in your ossec.conf:
>> > > >
>> > >
>> > > Sorry, crystal ball's on the fritz.
>> > >
>> > > > <global>
>> > > >   <email_notification>yes</email_notification>
>> > > >   <email_to>[email protected]</email_to>
>> > > >   <smtp_server>email.somedomain.com</smtp_server>
>> > > >   <email_from>[email protected]</email_from>
>> > > > </global>
>> > > >
>> > > > <email_alerts>
>> > > >   <email_to>[email protected]</email_to>
>> > > >   <rule_id>10201, 10202, 10203, 10204</rule_id>
>> > > >   <event_location>[email protected]</event_location>
>> > > >   <do_not_delay/>
>> > > >   <do_not_group/>
>> > > > </email_alerts>
>> > > >
>> > > > can end up that the customer receives alerts for systems that
>> > > > they should not see :(
>> > > > --
>> > > > Thanks, Phil
>> > > >
>> > >
>> > > Does this happen at the beginning of the hour? If so, you're
>> > > possibly hitting the max emails per hour limit. Raise that up,
>> > > see if it helps.
>> > >
>> > > > ----- Original Message -----
>> > > >> http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#intopt-maild.groupping
>> > > >>
>> > > >> Maybe?
>> > > >>
>> > > >> On Thu, May 17, 2012 at 9:59 AM, Phil Daws <[email protected]> wrote:
>> > > >> > Hello,
>> > > >> >
>> > > >> > when there is a flood of alerts I believe OSSEC throttles
>> > > >> > them to a 15 minute window and then sends out emails. Is
>> > > >> > there a way to disable this feature as I have noticed that
>> > > >> > sometimes alerts are going to people that should not be
>> > > >> > receiving them!
>> > > >> > --
>> > > >> > Thanks, Phil
>> > > >> >
>> > > >>
>> > > >
>>
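
An added example, not part of the thread and not OSSEC's own code: a small audit of an ossec.conf for the situation discussed above, where a recipient-scoped `<email_alerts>` block coexists with an hourly email cap lower than the expected alert volume. The `email_maxperhour` option name and its default of 12 are assumptions taken from OSSEC's documentation; the sample config, the addresses and the `expected_peak_per_hour` parameter are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment quoted in the thread;
# addresses, mail host and agent name are placeholders.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <smtp_server>mail.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <email_alerts>
    <email_to>customer-a@example.com</email_to>
    <rule_id>10201, 10202, 10203, 10204</rule_id>
    <event_location>agent-a</event_location>
    <do_not_delay/>
    <do_not_group/>
  </email_alerts>
</ossec_config>
"""

DEFAULT_MAXPERHOUR = 12  # assumption: documented default of email_maxperhour
SCOPING_TAGS = ("event_location", "rule_id")  # filters used in the thread


def audit_email_config(conf_text, expected_peak_per_hour):
    """Return (recipient, cap) for each scoped recipient the hourly cap can hit."""
    # ossec.conf may contain several <ossec_config> blocks: wrap in one root.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    cap_node = root.find(".//global/email_maxperhour")
    cap = int(cap_node.text) if cap_node is not None else DEFAULT_MAXPERHOUR
    if cap >= expected_peak_per_hour:
        return []  # cap is above the expected alert volume
    findings = []
    for block in root.iter("email_alerts"):
        recipient = block.findtext("email_to", default="").strip()
        if recipient and any(block.find(t) is not None for t in SCOPING_TAGS):
            # do_not_group/do_not_delay are set in the thread's config and the
            # leak was still observed, so they do not clear the finding.
            findings.append((recipient, cap))
    return findings


if __name__ == "__main__":
    for recipient, cap in audit_email_config(SAMPLE_CONF, expected_peak_per_hour=100):
        print(f"{recipient}: scoped alerts, but cap is {cap}/hour; raise email_maxperhour")
```
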
