If you’re managing multiple agents in OSSEC, you might encounter a situation where notifications from different agents get grouped into a single email. This can make it difficult to distinguish which agent triggered which alert.
Why This Happens
There are two main reasons why OSSEC groups notifications:
Email rate limits: OSSEC has a default limit on the number of emails it can send per hour. When this limit is reached, OSSEC consolidates the remaining notifications into a single email.
Grouping setting: OSSEC's internal configuration includes a setting that groups alerts into one email by default.
Adjusting the Email Limit
By default, OSSEC uses a maximum emails-per-hour setting to prevent email spam. If this limit is reached, notifications from various agents are bundled together.
To raise this limit, override the default inside the <global> block of your OSSEC configuration file (ossec.conf) like this:
<email_maxperhour>9999</email_maxperhour>
9999 is the largest value OSSEC accepts for this setting. Raising it means OSSEC keeps sending individual emails for far longer before the hourly limit is hit and grouping kicks in, provided your mail server can handle the increased volume.
Disable Grouping
To completely disable email grouping, you'll need to adjust the internal_options.conf file. This file is usually located at:
/var/ossec/etc/internal_options.conf
Note that internal_options.conf is replaced when OSSEC is upgraded; the same key can be placed in local_internal_options.conf in the same directory, which is read after it and survives upgrades.
Find the following line and change the setting:
# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same email.
maild.groupping=1
Change it to:
maild.groupping=0
This change stops OSSEC from bundling notifications, so each alert is sent as a separate email. Restart OSSEC (/var/ossec/bin/ossec-control restart) for either change to take effect.
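The two settings above live in different files with different syntaxes, so it is easy to fix one and forget the other. The following script is an added example, not part of the original post or of OSSEC itself: it reads the <global> block of an ossec.conf and the maild.groupping key from internal_options.conf (with local_internal_options.conf overriding it) and reports whether alerts from several agents can still end up in one email. The sample configuration strings are constructed for the demonstration; the default value of 12 and the ceiling of 9999 for email_maxperhour are OSSEC's documented values.

```python
"""Audit the OSSEC settings that cause alerts to be grouped into one email."""
import xml.etree.ElementTree as ET

OSSEC_DEFAULT_MAXPERHOUR = 12    # OSSEC's documented default for <email_maxperhour>
OSSEC_MAXPERHOUR_CEILING = 9999  # largest value OSSEC accepts for <email_maxperhour>


def parse_email_maxperhour(ossec_conf_xml: str) -> int:
    """Return the effective <email_maxperhour> from the <global> block(s).

    ossec.conf may contain several top-level <ossec_config> elements, so the
    text is wrapped in a synthetic root before parsing. If the key appears in
    more than one <global> block the last one wins (assumption for this example).
    """
    root = ET.fromstring(f"<root>{ossec_conf_xml}</root>")
    value = OSSEC_DEFAULT_MAXPERHOUR
    for global_block in root.iter("global"):
        text = global_block.findtext("email_maxperhour")
        if text is not None:
            value = int(text.strip())
    if not 1 <= value <= OSSEC_MAXPERHOUR_CEILING:
        raise ValueError(f"email_maxperhour={value} is outside 1..{OSSEC_MAXPERHOUR_CEILING}")
    return value


def parse_internal_options(text: str) -> dict:
    """Parse key=value lines from internal_options.conf, skipping comments and blanks."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep:
            opts[key.strip()] = val.strip()
    return opts


def grouping_enabled(internal_text: str, local_text: str = "") -> bool:
    """True if maild.groupping is on. local_internal_options.conf overrides internal_options.conf."""
    opts = parse_internal_options(internal_text)
    opts.update(parse_internal_options(local_text))
    # OSSEC ships with grouping enabled, so a missing key means enabled.
    return opts.get("maild.groupping", "1") == "1"


def audit(ossec_conf_xml: str, internal_text: str, local_text: str = "") -> dict:
    """Combine both checks and list the conditions under which alerts can be bundled."""
    maxperhour = parse_email_maxperhour(ossec_conf_xml)
    grouping = grouping_enabled(internal_text, local_text)
    findings = []
    if grouping:
        findings.append("maild.groupping=1: alerts from several agents can share one email")
    if maxperhour < OSSEC_MAXPERHOUR_CEILING:
        findings.append(f"email_maxperhour={maxperhour}: alerts beyond this hourly count are bundled")
    return {"email_maxperhour": maxperhour, "grouping": grouping, "findings": findings}


# Constructed sample inputs (not real configuration files).
SAMPLE_OSSEC_CONF_DEFAULT = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
  </global>
</ossec_config>
<ossec_config>
  <syscheck><frequency>7200</frequency></syscheck>
</ossec_config>
"""
SAMPLE_OSSEC_CONF_TUNED = SAMPLE_OSSEC_CONF_DEFAULT.replace(
    "<email_to>", "<email_maxperhour>9999</email_maxperhour>\n    <email_to>")
SAMPLE_INTERNAL = """# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same email.
maild.groupping=1
"""
SAMPLE_LOCAL = "maild.groupping=0\n"

if __name__ == "__main__":
    for label, conf, local in (("stock", SAMPLE_OSSEC_CONF_DEFAULT, ""),
                               ("tuned", SAMPLE_OSSEC_CONF_TUNED, SAMPLE_LOCAL)):
        result = audit(conf, SAMPLE_INTERNAL, local)
        print(f"[{label}] email_maxperhour={result['email_maxperhour']} grouping={result['grouping']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Run it against your real files by reading them into the three arguments; the stock sample reports both grouping conditions, the tuned sample (9999 plus maild.groupping=0 in the local file) reports none.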