>>> So increase the max emails per hour setting.
>> 
>> But that's not the same.  There can be still one system consuming all
>> alert mails and suppress other alerts.
>> 
> 
> That's possible no matter how you set it up. As long as you limit the
> number of email alerts that can be sent out, one system can DoS your
> alert mechanism.

Would it be possible to NOT limit the number of email alerts per hour?  Or, batch
deliver them after hitting the limit, but still keep the alerts separate?  I
hadn't seen a way to do this.  It seems like this topic comes up fairly
frequently on the list, but it seems like the answers of "increase the max" or
"use a tiered architecture" are somewhat sideways to the "problem" as people
experience it - namely, grouped emails even when they think they have disabled
grouping.

Is there a more formal place for feature requests?

>>> Use different OSSEC servers (in hybrid mode if you use 2.7) for each
>>> division, and funnel all alerts to a single server for the people who
>>> need to see everything.
>> 
>> But than I have to multiply the syslog traffic by n divisions and also
> 
> Why? Each division gets an OSSEC server. It accepts all logs from all
> of the systems the division wants to monitor. So, basically the same
> amount of traffic you saw before. The only addition is the data sent
> from the spokes to the hub, but that's generally the alerts from the
> division servers, not every log. That makes the amount of traffic much
> smaller.

My guess is that the 'divisions' might be different admin teams - network, 
email, security, database - who each might have different interests in the same 
set of servers.  So the logs from the same machine would have to be sent to 
multiple OSSEC servers with different global_email settings and alert rules.

>> Thanks for OSSEC, nice work.

Seconded. :)
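As an added illustration (not a config from this thread or the OSSEC project) of the per-team layout discussed above: one granular `<email_alerts>` block per admin team on a single server, each with `<do_not_group/>` so that team's alerts arrive one per mail, while the global `<email_maxperhour>` cap in `<global>` still applies across all recipients. Addresses, levels and rule groups below are placeholders.

```xml
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.org</smtp_server>
    <email_from>ossec@example.org</email_from>
    <!-- catch-all recipient for the people who need to see everything -->
    <email_to>security-all@example.org</email_to>
    <!-- Server-wide hourly cap on alert mails (placeholder value); once it is
         reached, further alerts are held and sent grouped, which is the
         behaviour the thread is discussing -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <!-- Database team: only higher-severity alerts, one mail per alert -->
  <email_alerts>
    <email_to>dba-team@example.org</email_to>
    <level>7</level>
    <do_not_group/>
  </email_alerts>

  <!-- Network team: firewall-related rule groups from firewall hosts only
       (group name and hostname pattern are illustrative) -->
  <email_alerts>
    <email_to>netops@example.org</email_to>
    <group>firewall</group>
    <event_location>fw-.*</event_location>
    <do_not_group/>
  </email_alerts>

  <!-- Security team: file integrity and failed-authentication alerts,
       delivered immediately rather than on the normal mail schedule -->
  <email_alerts>
    <email_to>secops@example.org</email_to>
    <group>syscheck,authentication_failed</group>
    <do_not_delay/>
    <do_not_group/>
  </email_alerts>
</ossec_config>
```

Note that `<do_not_group/>` affects how a recipient's alerts are packaged, not how many mails the server will send: once the hourly cap is hit, every recipient is subject to it.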
