OSSEC: Stop Agent Email Notifications from Being Grouped

This is a quick post for those of you who manage multiple agents under one manager: there are cases where your email notifications will bundle alerts from different agents into a single message.

This comes down to two settings:

  1. The number of emails sent per hour
  2. The grouping setting being enabled

Default Max Emails

By default, OSSEC caps the number of alert emails it sends per hour. Once that cap is reached, the remaining alerts are held and sent together as one email. That bundle is assembled without regard to origin, so alerts from different agents end up in the same message.

One way around this is to raise the limit with the <email_maxperhour> option, which overrides the default cap. In my configurations you’ll often find something like this:

    <email_maxperhour>9999</email_maxperhour>

Disable Grouping

To disable grouping, edit your internal_options.conf file, usually found at /var/ossec/etc/internal_options.conf.

Change the maild.groupping setting (note OSSEC’s spelling of the key) to 0; this turns grouping off.

    # Maild grouping (0=disabled, 1=enabled)
    # Groups alerts within the same e-mail.
    maild.groupping=0
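Both settings above are easy to get wrong by hand (the option left in a comment, the key misspelled, the cap set but grouping still on), so here is a small audit script that checks them together. This is an added example, not code from the original post or from the OSSEC project. It assumes that <email_maxperhour> sits under <global> in ossec.conf, that the manager’s ossec.conf lives at /var/ossec/etc/ossec.conf, and that OSSEC’s default hourly cap is 12; the sample configuration files it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit email_maxperhour in
# ossec.conf and maild.groupping in internal_options.conf, and report
# whether alerts from different agents can still be bundled into one e-mail.
# Assumptions: email_maxperhour lives under <global>, and OSSEC's default
# value for it is 12 when the option is absent.

DEFAULT_MAXPERHOUR=12   # assumed OSSEC default used when the option is unset

# Print the <email_maxperhour> value from an ossec.conf, or "unset" if absent.
email_maxperhour() {
    val=$(sed -n 's:.*<email_maxperhour>[[:space:]]*\([0-9][0-9]*\)[[:space:]]*</email_maxperhour>.*:\1:p' "$1" | head -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Print the maild.groupping value (OSSEC's own spelling) from an
# internal_options.conf, ignoring commented-out lines; "unset" if absent.
maild_grouping() {
    val=$(grep -v '^[[:space:]]*#' "$1" \
        | sed -n 's/^[[:space:]]*maild\.groupping[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' \
        | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Return 0 only when alerts will not be bundled across agents: grouping is
# off AND the hourly cap has been raised above the default.
check_no_bundling() {
    max=$(email_maxperhour "$1")
    grp=$(maild_grouping "$2")
    if [ "$grp" != "0" ]; then
        echo "maild.groupping=$grp: alerts may be grouped in one e-mail"
        return 1
    fi
    if [ "$max" = "unset" ] || [ "$max" -le "$DEFAULT_MAXPERHOUR" ]; then
        echo "email_maxperhour=$max: hourly cap can still trigger bundling"
        return 1
    fi
    echo "ok: email_maxperhour=$max, maild.groupping=$grp"
    return 0
}

# Constructed sample configs (not real installs) to exercise the checks.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/tuned-ossec.conf" <<'EOF'
<ossec_config>
  <global>
    <email_maxperhour>9999</email_maxperhour>
  </global>
</ossec_config>
EOF

cat > "$SAMPLE_DIR/tuned-internal_options.conf" <<'EOF'
# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=0
EOF

cat > "$SAMPLE_DIR/stock-ossec.conf" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
  </global>
</ossec_config>
EOF

cat > "$SAMPLE_DIR/stock-internal_options.conf" <<'EOF'
# Maild grouping (0=disabled, 1=enabled)
maild.groupping=1
EOF

for profile in tuned stock; do
    check_no_bundling "$SAMPLE_DIR/$profile-ossec.conf" \
                      "$SAMPLE_DIR/$profile-internal_options.conf" || :
done

# On a real manager (the ossec.conf path is an assumption):
#   check_no_bundling /var/ossec/etc/ossec.conf /var/ossec/etc/internal_options.conf
```

The "tuned" pair mirrors the two settings recommended in this post and passes; the "stock" pair (no <email_maxperhour>, grouping left at 1) fails on the grouping check first, which is the setting that actually merges agents into one message. Run it after each configuration push so a reverted internal_options.conf is caught before the next burst of alerts.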

Hope this helps. If you manage your own OSSEC implementations and find yourself interested in professional help, please contact me at the Sucuri MSSP Team. You can find more info on what the MSSP program is about here.