This is a quick post for those of you who manage multiple agents under one manager: there may be instances where your e-mail notifications bundle alerts from different agents into a single message.
This comes down to two things:
- Number of e-mails sent in an hour
- Grouping setting is On
Default Max Emails
By default, OSSEC caps the number of e-mails it sends per hour. Once that cap is reached, the remaining alerts are held and sent together in one e-mail, so alerts from different agents end up bundled in the same message.
One trick to get around this is the <email_maxperhour> option, which lives in the <global> section of ossec.conf and overrides the default cap. In my configurations you'll often find something like this:
<global>
  <email_maxperhour>9999</email_maxperhour>
</global>
Disable Grouping
To disable grouping, open your internal_options.conf file, usually found at /var/ossec/etc/internal_options.conf, and set maild.groupping (that is how OSSEC spells the key) to 0:
# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=0
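To confirm both fixes are actually in place on a manager, here is a small POSIX shell audit script. It is an added example, not part of the original post or of OSSEC itself: it reads email_maxperhour out of ossec.conf (ignoring single-line XML comments, so a commented-out setting is not counted) and the effective maild.groupping value out of internal_options.conf (treating the last uncommented assignment as effective and an absent key as the shipped default of 1). The two sample pairs of config files it writes to a temporary directory are constructed for a stand-alone run; on a real manager you would point the functions at /var/ossec/etc/ossec.conf and /var/ossec/etc/internal_options.conf.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OSSEC manager for the
# two e-mail settings discussed above. Default paths are assumed to be the
# standard /var/ossec/etc ones; the sample files below are constructed.

# Print the <email_maxperhour> value from an ossec.conf, or "unset" if absent.
# Single-line XML comments are stripped first so "<!-- ... -->" is not counted.
ossec_maxperhour() {
  awk '
    { gsub(/<!--.*-->/, "") }
    match($0, /<email_maxperhour>[ \t]*[0-9]+/) {
      v = substr($0, RSTART, RLENGTH)
      sub(/.*>[ \t]*/, "", v)
      print v; found = 1; exit
    }
    END { if (!found) print "unset" }
  ' "$1"
}

# Print the effective maild.groupping value from an internal_options.conf.
# Comment lines are skipped; the last uncommented assignment wins (assumption
# of this check); an absent key is reported as the shipped default, 1.
ossec_grouping() {
  awk -F= '
    /^[ \t]*#/ { next }
    $1 ~ /^[ \t]*maild\.groupping[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v) }
    END { if (v == "") print "1"; else print v }
  ' "$1"
}

# Combined audit: returns 0 when both fixes are in place, 1 otherwise.
ossec_mail_audit() {
  rc=0
  mph=$(ossec_maxperhour "$1")
  grp=$(ossec_grouping "$2")
  if [ "$mph" = unset ]; then
    echo "WARN: email_maxperhour not set; the built-in hourly cap will bundle alerts"
    rc=1
  else
    echo "OK: email_maxperhour=$mph"
  fi
  if [ "$grp" != 0 ]; then
    echo "WARN: maild.groupping=$grp; alerts from different agents may share one e-mail"
    rc=1
  else
    echo "OK: maild.groupping=0"
  fi
  return $rc
}

# Constructed sample files: a default-looking pair and a fixed pair.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ossec.conf.default" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!-- <email_maxperhour>9999</email_maxperhour> -->
  </global>
</ossec_config>
EOF
cat > "$SAMPLE_DIR/ossec.conf.fixed" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_maxperhour>9999</email_maxperhour>
  </global>
</ossec_config>
EOF
cat > "$SAMPLE_DIR/internal_options.default" <<'EOF'
# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=1
EOF
cat > "$SAMPLE_DIR/internal_options.fixed" <<'EOF'
# Maild grouping (0=disabled, 1=enabled)
maild.groupping=0
EOF

ossec_mail_audit "$SAMPLE_DIR/ossec.conf.default" "$SAMPLE_DIR/internal_options.default" \
  || echo "default pair: bundling risk present"
ossec_mail_audit "$SAMPLE_DIR/ossec.conf.fixed" "$SAMPLE_DIR/internal_options.fixed" \
  && echo "fixed pair: both settings in place"
```

The audit exits non-zero whenever either setting is still at its default, so it can be dropped into a configuration-check job that runs after every manager change.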
Hope this helps. If you manage your own OSSEC implementation and find yourself interested in professional help, please be sure to contact me at the Sucuri MSSP Team. You can find more info on what the MSSP program is about here.