On Tue, Sep 18, 2012 at 3:01 PM, Christina Plummer <[email protected]> wrote:
>
>>>> So increase the max emails per hour setting.
>>>
>>> But that's not the same. There can still be one system consuming all
>>> alert mails and suppressing other alerts.
>>>
>>
>> That's possible no matter how you set it up. As long as you limit the
>> number of email alerts that can be sent out, one system can DoS your
>> alert mechanism.
>
> Would it be possible to NOT limit the number of email alerts per hour? Or,
> batch deliver them after hitting the limit, but still keep the alerts
> separate? I hadn't seen a way to do this. It seems like this topic comes up
> fairly frequently on the list, but it seems like the answers of "increase the
> max" or "use a tiered architecture" are somewhat sideways to the "problem" as
> people experience it - namely, grouped emails even when they think they have
> disabled grouping.
>

No idea if you can turn off the limit. I'd have to look in the source because I don't remember this possibility being documented. I think that should be an available option though. How would you "batch deliver" but keep everything separate?

> Is there a more formal place for feature requests?

https://bitbucket.org/jbcheng/ossec-hids

>>>> Use different OSSEC servers (in hybrid mode if you use 2.7) for each
>>>> division, and funnel all alerts to a single server for the people who
>>>> need to see everything.
>>>
>>> But then I have to multiply the syslog traffic by n divisions and also
>>
>> Why? Each division gets an OSSEC server. It accepts all logs from all
>> of the systems the division wants to monitor. So, basically the same
>> amount of traffic you saw before. The only addition is the data sent
>> from the spokes to the hub, but that's generally the alerts from the
>> division servers, not every log. That makes the amount of traffic much
>> smaller.
>
> My guess is that the 'divisions' might be different admin teams - network,
> email, security, database - who each might have different interests in the
> same set of servers. So the logs from the same machine would have to be sent
> to multiple OSSEC servers with different global_email settings and alert
> rules.
>
>>> Thanks for OSSEC, nice work.
>
> Seconded. :)
