How to make ossec send only one email for an alert?

Question

I installed ossec with local installation and is working fine. It is sending email alerts fine but seems to be sending the same email over and over for an alert.

For example, an alert email is sent for

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

What I am trying to set up is to send email about this only once. Currently, it keeps sending email about this alert every 6 or 7 minutes.

The issue seems to be that rule 1002 will catch a bunch of cases and getting an alert is fine. But getting the same alert 100 times doesn't seem to make sense. Anyway to fix this?

score 0 · Answer 1 · edited Feb 07 '17 at 19:53

0

I believe you can use the <email_maxperhour> directive globally in ossec.conf. So if you set the value to 1, on the top of the hour it will group all the queued emails and send it together as one.

I'm not sure if that suits your need but it's an alternative.

Note, you can not apply this directive per rule, e.g. local_rules.xml and rule 1002 in your case.

edited Feb 07 '17 at 19:53

Slipeer

3,255
2
18
32

answered Feb 07 '17 at 17:42

JSL

21
3

How to make ossec send only one email for an alert?

1 Answers1