On Tue, Sep 18, 2012 at 03:01:39PM -0400, Christina Plummer wrote:
> Would it be possible to NOT limit the number of email alerts per hour?

Not really. Having one system which produces lots of alerts, with notification mails sent to an admin list, will disturb the mail system, causing problems for a few thousand users.

> Or, batch deliver them after hitting the limit, but still keep the
> alerts separate?

Sure, that's the missing feature. ;)

> My guess is that the 'divisions' might be different admin teams -

Indeed, most of them are sections of the IT division, but in reality it's more complicated than that.

> So the logs from the same machine would have to be sent to multiple
> OSSEC servers with different global_email settings and alert rules.

If done this way, then every section or admin team has to configure the OSSEC server and do the same work others already did to ignore those messages they don't want to see. Doing the same work at different places isn't productive. And it wouldn't solve my problem anyway, because I'm interested in security alerts of every system / service, so I would have to be part of the global email configuration and would get all the mails I don't want to see. That's why I miss the feature that only unassigned mails (not handled by any email_alerts block) will be sent to a global email address.
