This is a quick post for those of you who manage multiple agents under your manager: there might be instances where your email notifications group alerts from different agents together.
This has to do with two things:
By default, OSSEC has a max email setting in its configuration. When it reaches the max, it groups all remaining emails and sends them together, which leads to messages from different agents being bundled into one email.
One trick to get around this is to use the email_maxperhour setting:
<email_maxperhour>9999</email_maxperhour>
To disable the grouping setting, you’ll want to navigate to your internal_options.conf file, often found here: /var/ossec/etc/internal_options.conf.
Change the maild.groupping setting to 0; this will disable the grouping. It will look something like this:
# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=0
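
A small check for both settings discussed above, as an added example that is not part of the original post or of OSSEC itself. The function names and the sample files are constructed for illustration, and the parser assumes the email_maxperhour element sits on a single line.

```shell
#!/bin/sh
# Added example (not OSSEC's own tooling): report the two settings from this
# post that decide whether alerts from different agents share one e-mail.

# Effective maild.groupping value: last uncommented assignment in the file.
maild_groupping() {
    sed -n 's/^[[:space:]]*maild\.groupping[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# email_maxperhour value from ossec.conf (assumes the element is on one line
# and skips lines that contain an XML comment opener).
email_maxperhour() {
    grep -v '<!--' "$1" |
        sed -n 's/.*<email_maxperhour>[[:space:]]*\([0-9][0-9]*\)[[:space:]]*<\/email_maxperhour>.*/\1/p' |
        tail -n 1
}

# Prints one finding per line; returns 0 only if grouping is off and a cap is set.
check_mail_bundling() {
    conf=$1 internal=$2 rc=0
    g=$(maild_groupping "$internal")
    m=$(email_maxperhour "$conf")
    if [ "$g" = "0" ]; then
        echo "OK   maild.groupping=0 (grouping disabled)"
    else
        echo "WARN maild.groupping=${g:-unset} (alerts can be grouped in one e-mail)"
        rc=1
    fi
    if [ -n "$m" ]; then
        echo "OK   email_maxperhour=$m"
    else
        echo "WARN email_maxperhour not set (default hourly cap applies)"
        rc=1
    fi
    return $rc
}

# Constructed sample files so the check runs without an OSSEC install.
demo_dir=$(mktemp -d)
printf '%s\n' '<ossec_config>' ' <global>' '  <email_maxperhour>9999</email_maxperhour>' \
    ' </global>' '</ossec_config>' > "$demo_dir/ossec.conf"
printf '%s\n' '# Maild grouping (0=disabled, 1=enabled)' 'maild.groupping=1' \
    > "$demo_dir/internal_options.conf"
check_mail_bundling "$demo_dir/ossec.conf" "$demo_dir/internal_options.conf" ||
    echo "-> sample still has grouping enabled"
rm -rf "$demo_dir"
```

On a real manager, call check_mail_bundling with /var/ossec/etc/ossec.conf and /var/ossec/etc/internal_options.conf as its two arguments. Restart OSSEC after changing either file so the new values are read.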