OSSEC: Stop Agent Email Notifications from Being Grouped

This is a quick post for those of you who manage multiple agents under one manager: there are instances where your email notifications will bundle alerts from different agents into a single message.

This comes down to two things:

  1. The number of emails sent in an hour
  2. The grouping setting being on

Default Max Emails

By default, OSSEC caps the number of alert emails it sends per hour. Once that cap is reached, it groups the remaining alerts and sends them together in one email. That bundle makes no distinction between agents, which is why you end up with messages from different agents in the same notification.

One trick to get around this is to use the email_maxperhour setting. It overrides the default cap, so in my configurations you'll often find something like this:

<email_maxperhour>9999</email_maxperhour>

Disable Grouping

To disable the grouping setting, edit your internal_options.conf file, usually found at /var/ossec/etc/internal_options.conf.

Change the maild.groupping setting to 0; this disables grouping. It will look something like this:

# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=0
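A small shell audit, added here and not part of the original post, that reads the two files described above and reports whether agent alerts will still be bundled. It assumes the standard /var/ossec/etc layout, that email_maxperhour sits on a single line in ossec.conf, and that local_internal_options.conf (when present) overrides internal_options.conf.

```shell
#!/bin/sh
# Added example: audit the OSSEC email settings this post changes.
# Assumes /var/ossec/etc layout; pass another directory to test elsewhere.

# Effective value of a key from internal_options.conf; a matching line in
# local_internal_options.conf wins if that file exists. Empty if unset.
ossec_internal_option() {
    key="$1"; etc_dir="${2:-/var/ossec/etc}"
    val=""
    for f in "$etc_dir/internal_options.conf" "$etc_dir/local_internal_options.conf"; do
        [ -r "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*$key=\([0-9]*\).*/\1/p" "$f" | tail -n 1)
        [ -n "$v" ] && val="$v"
    done
    printf '%s\n' "$val"
}

# <email_maxperhour> value from ossec.conf (tag assumed on one line);
# prints nothing when the tag is absent.
ossec_email_maxperhour() {
    conf="${1:-/var/ossec/etc/ossec.conf}"
    [ -r "$conf" ] || return 1
    sed -n 's/.*<email_maxperhour>[[:space:]]*\([0-9]*\)[[:space:]]*<\/email_maxperhour>.*/\1/p' "$conf" | head -n 1
}

# Returns 0 when grouping is off and the hourly cap is raised to 9999
# (the post's recommendation); 1 and a reason otherwise.
ossec_check_email_grouping() {
    etc_dir="${1:-/var/ossec/etc}"
    grouping=$(ossec_internal_option maild.groupping "$etc_dir")
    maxph=$(ossec_email_maxperhour "$etc_dir/ossec.conf")
    ok=0
    if [ "${grouping:-1}" != "0" ]; then
        echo "maild.groupping=${grouping:-<unset>}: alerts from different agents will be bundled"
        ok=1
    fi
    if [ -z "$maxph" ] || [ "$maxph" -lt 9999 ]; then
        echo "email_maxperhour=${maxph:-<unset>}: once the cap is hit, remaining alerts are grouped"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: grouping disabled, hourly cap raised"
    return "$ok"
}

# Usage (as root on the manager): ossec_check_email_grouping /var/ossec/etc
```

Raising the cap to 9999 effectively removes the hourly rate limit, so a noisy rule will now produce one email per alert rather than a single digest.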


Posted in ossec, ossec-troubleshooting by Tony Perez (@perezbox)
