>> Would it be possible to NOT limit the number of email alerts per hour? Or,
>> batch deliver them after hitting the limit, but still keep the alerts
>> separate? I hadn't seen a way to do this. It seems like this topic comes
>> up fairly frequently on the list, but it seems like the answers of "increase
>> the max" or "use a tiered architecture" are somewhat sideways to the
>> "problem" as people experience it - namely, grouped emails even when they
>> think they have disabled grouping.
>>
>
> No idea if you can turn off the limit. I'd have to look in the source
> because I don't remember this possibility being documented. I think
> that should be an available option though.
>
> How would you "batch deliver" but keep everything separate?

I was thinking of some sort of throttle, where OSSEC could hold on to the individual alerts after the "limit per hour" was reached, and then just send them out in batches (but still as separate emails) once the "queue" cleared (or a new hour began) - allowing a temporary surge to "catch up" over time. I haven't looked at the code so I'm not sure the best way to make that work; it might need a separate queue runner once a day to just deliver (or possibly delete with a notification) any alerts that were still outstanding, regardless of the limit.

>> Is there a more formal place for feature requests?
>>
>
> https://bitbucket.org/jbcheng/ossec-hids

Thanks.
