On Tue, Sep 18, 2012 at 10:50:51AM -0400, dan (ddp) wrote: > On Tue, Sep 18, 2012 at 10:44 AM, Juergen Kahnert > <[email protected]> wrote: >> The global option email_maxperhour would also be very useful inside >> email_alerts. My testalert stuff consumed all mails per hour so that >> rule 100005 to [email protected] was suppressed (until the end of >> hour). > > So increase the max emails per hour setting.
But that's not the same. There can be still one system consuming all alert mails and suppress other alerts. I know, it's not a feature of OSSEC right now. And I'm free to submit a feature request or better than that, submit a patch. ;) >> The OSSEC server is performing very well with all the events, but I >> need a way to send out email alerts without mixing different divisions >> together (see below). > > Use different OSSEC servers (in hybrid mode if you use 2.7) for each > division, and funnel all alerts to a single server for the people who > need to see everything. But than I have to multiply the syslog traffic by n divisions and also every OSSEC server has to analyse all the stuff again, which results into more hardware / CPU usage. > Submit a patch and it should be accepted, after 2.7 anyhow. I'll think about it. Thanks for OSSEC, nice work.
