Afternoon all, I am reading my .pdf chapters and have my server set up, active responses humming along, and have now introduced my 1st agent. Docs were spot on, so he was up rather quickly. This guy is an apache server, and it's testing some new code. So as I roll out OSSEC to more servers, I hit a question I am not sure on. I was getting slammed with status 500 error emails from the server (sending on behalf of the agent), so that was cool that it's working.
But I don't want 100+ emails an hour (on just him). I am looking through this help doc, http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html, and I did test the email max per hour, but that leads me to my question: can I limit the email from one agent? I don't want 100 emails from just that apache server, but cap that at 10 or so; then if a mysql box (soon to be added) has an issue, I want that message to come through. (So almost a "max email per client" type thing?)

Reading over a few times, I do see the section where you can add an email_alerts section:

    <email_alerts>
      <email_to>[email protected]</email_to>
      <event_location>agent007</event_location>
      <level>15</level>
      <do_not_delay />
      <do_not_group />
    </email_alerts>

So I was thinking I could keep the email max at the global level high, then create email_alerts (the location I assume is the remote server name, etc.), but can you use the email_maxperhour options, etc.? But it also doesn't say where to put the email_alerts. Is it in the server's ossec.conf, after the global settings, or on the client machine?

Thanks.
