[ossec-list] Re: OSSEC 2.7-beta0. Logcollector segfaults dirty fix

2012-09-19 Thread JB
PAL,

Really appreciate you looking into this. 
With the logcollector no longer segfaulting, could you check whether the 
linux_auditd logs are processed and rules fired correctly?

On Wednesday, September 19, 2012 2:40:03 AM UTC-7, PAL wrote:
>
> I tried to install OSSEC 2.7 in my environment.
> Unfortunately, logcollector has a serious problem.
> I defined the config like:
>
>
> <localfile>
>   <log_format timeout="2">linux_auditd</log_format>
>   <location>/var/log/audit/audit.log</location>
> </localfile>
>
> I got a logcollector segfault in a short time.
> I did some exploring. The file was successfully accessed at start but lost
> access in a few minutes (looks like because audit.log is updated frequently),
> and after that logcollector segfaulted.
>
> OK, let's debug. As I found, when the file is not available, it's marked by setting
> logff[i].ign to 999 and logff[i].fp to NULL.
> BUT! In the next cycle logcollector will try to interpret this file as
> "command" type! This will incorrectly set size and position, and when
> function "read" is called, we get a segfault.
>
> For example, debug session:
>
> gdb ./client-logcollector -f
> [New process 11610]
> [New process 11611]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to process 11611]
> 0x2ad2bb1c in fgetpos64@@GLIBC_2.2.5 () from /lib64/libc.so.6
> (gdb) bt
> #0  0x2ad2bb1c in fgetpos64@@GLIBC_2.2.5 () from /lib64/libc.so.6
> #1  0x00405d6a in read_linux_audit (pos=3, drop_it=0) at 
> read_linux_audit.c:157
> #2  0x004033f0 in LogCollectorStart () at logcollector.c:349
> #3  0x00404992 in main (argc=1, argv=0x7fffc658) at main.c:184
> (gdb)
>
>
> The same happened (but not always, strange, hm) when I added a
> nonexistent file to the config.
>
> I made a patch (in attachment) which allows avoiding this problem.
> After a day of testing logcollector works fine.
>
>

Re: [ossec-list] linux_auditd log_format and configuration error in OSSEC 2.7 beta

2012-09-19 Thread PAL
Thank you. It really was: ossec was updated from 2.6 (but by rpm, is that
important?)
I will try to do that tomorrow.

On Wednesday, September 19, 2012 7:25:19 PM UTC+3, Kat wrote:
>
> I ran into the same problem - *IF* you try updating a 2.6 install with the
> beta - you must REPLACE it. So say "no" to upgrade, then delete the existing
> folder (when it asks) and install a new 2.7. Otherwise it keeps some files
> (have not verified which) that cause this.
>
>
>
> On Wednesday, September 19, 2012 9:21:09 AM UTC-7, dan (ddpbsd) wrote:
>>
>> On Wed, Sep 19, 2012 at 12:15 PM, PAL wrote:
>> > In ossec 2.7 a new log_format appeared: linux_auditd
>> > I got a strange error.
>> >
>> > When I configure reading audit.log on the agent side:
>> >
>> > <localfile>
>> >   <log_format>linux_auditd</log_format>
>> >   <location>/var/log/audit/audit.log</location>
>> > </localfile>
>> >
>> > all works OK.
>> >
>> > But when I write the same lines on the server host, I get an error:
>> >
>> > 2012/09/19 12:03:08 ossec-config(1243): ERROR: Invalid attribute
>> > 'log_format' in the configuration: 'linux_auditd'.
>> > 2012/09/19 12:03:08 ossec-config(1202): ERROR: Configuration error at
>> > '/var/ossec/etc/ossec.conf'. Exiting.
>> > 2012/09/19 12:03:08 ossec-logcollector(1202): ERROR: Configuration error at
>> > '/var/ossec/etc/ossec.conf'. Exiting.
>> >
>> > When I set log_format to syslog OR comment out all rules, I have no errors.
>> >
>> > Is there any way to fix it?
>> >
>>
>> Are you sure your OSSEC server is running version 2.7? 
>>
>

Re: [ossec-list] linux_auditd log_format and configuration error in OSSEC 2.7 beta

2012-09-19 Thread Kat
I ran into the same problem - *IF* you try updating a 2.6 install with the
beta - you must REPLACE it. So say "no" to upgrade, then delete the existing
folder (when it asks) and install a new 2.7. Otherwise it keeps some files
(have not verified which) that cause this.



On Wednesday, September 19, 2012 9:21:09 AM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Sep 19, 2012 at 12:15 PM, PAL wrote:
> > In ossec 2.7 a new log_format appeared: linux_auditd
> > I got a strange error.
> >
> > When I configure reading audit.log on the agent side:
> >
> > <localfile>
> >   <log_format>linux_auditd</log_format>
> >   <location>/var/log/audit/audit.log</location>
> > </localfile>
> >
> > all works OK.
> >
> > But when I write the same lines on the server host, I get an error:
> >
> > 2012/09/19 12:03:08 ossec-config(1243): ERROR: Invalid attribute
> > 'log_format' in the configuration: 'linux_auditd'.
> > 2012/09/19 12:03:08 ossec-config(1202): ERROR: Configuration error at
> > '/var/ossec/etc/ossec.conf'. Exiting.
> > 2012/09/19 12:03:08 ossec-logcollector(1202): ERROR: Configuration error at
> > '/var/ossec/etc/ossec.conf'. Exiting.
> >
> > When I set log_format to syslog OR comment out all rules, I have no errors.
> >
> > Is there any way to fix it?
> >
>
> Are you sure your OSSEC server is running version 2.7? 
>


Re: [ossec-list] linux_auditd log_format and configuration error in OSSEC 2.7 beta

2012-09-19 Thread dan (ddp)
On Wed, Sep 19, 2012 at 12:15 PM, PAL wrote:
> In ossec 2.7 a new log_format appeared: linux_auditd
> I got a strange error.
>
> When I configure reading audit.log on the agent side:
>
> <localfile>
>   <log_format>linux_auditd</log_format>
>   <location>/var/log/audit/audit.log</location>
> </localfile>
>
> all works OK.
>
> But when I write the same lines on the server host, I get an error:
>
> 2012/09/19 12:03:08 ossec-config(1243): ERROR: Invalid attribute
> 'log_format' in the configuration: 'linux_auditd'.
> 2012/09/19 12:03:08 ossec-config(1202): ERROR: Configuration error at
> '/var/ossec/etc/ossec.conf'. Exiting.
> 2012/09/19 12:03:08 ossec-logcollector(1202): ERROR: Configuration error at
> '/var/ossec/etc/ossec.conf'. Exiting.
>
> When I set log_format to syslog OR comment out all rules, I have no errors.
>
> Is there any way to fix it?
>
>

Are you sure your OSSEC server is running version 2.7?


[ossec-list] linux_auditd log_format and configuration error in OSSEC 2.7 beta

2012-09-19 Thread PAL
In ossec 2.7 a new log_format appeared: linux_auditd
I got a strange error.

When I configure reading audit.log on the agent side:

  <localfile>
    <log_format>linux_auditd</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

all works OK.

But when I write the same lines on the server host, I get an error:

2012/09/19 12:03:08 ossec-config(1243): ERROR: Invalid attribute
'log_format' in the configuration: 'linux_auditd'.
2012/09/19 12:03:08 ossec-config(1202): ERROR: Configuration error at
'/var/ossec/etc/ossec.conf'. Exiting.
2012/09/19 12:03:08 ossec-logcollector(1202): ERROR: Configuration error at
'/var/ossec/etc/ossec.conf'. Exiting.

When I set log_format to syslog OR comment out all rules, I have no errors.

Is there any way to fix it?




Re: [ossec-list] Re: real-time monitoring of growing log - PCI DSS 10.5.5

2012-09-19 Thread Michael Starks

On 19.09.2012 09:43, Andreas Lang wrote:

Thank you for your suggestion. But we don't want to monitor the
OSSEC log files. For PCI we have to monitor the normal server and
application logs. The requirement is that an alert is generated if a
log file is changed. Real-time monitoring would do exactly that.
Besides, if new entries are added at the bottom of the log file,
no alert should be generated.


One of us is confused. :) You can monitor normal system logs for 
nefarious activity *and* get an alert if that file is truncated while 
running.


[ossec-list] Re: real-time monitoring of growing log - PCI DSS 10.5.5

2012-09-19 Thread Andreas Lang
 

Thank you for your suggestion. But we don't want to monitor the OSSEC log
files. For PCI we have to monitor the normal server and application logs.
The requirement is that an alert is generated if a log file is changed.
Real-time monitoring would do exactly that. Besides, if new entries are
added at the bottom of the log file, no alert should be generated.

According to the documentation we know that it is only possible to monitor
directories and not log files. So the plan is to monitor the log directory.

We had Samhain in place before and switched last year to OSSEC. Maybe
Samhain can handle this issue, but nothing else worked reliably with
Samhain. We are very pleased with OSSEC and would never switch back. So the
feature described above is the only thing that we cannot get working.


On Wednesday, September 19, 2012 12:59:37 PM UTC+2, Andreas Lang wrote:
>
> Hello,
>
> We have some questions regarding analysing log files with OSSEC referring 
> to the log file requirements in PCI-DSS 10.5.5.
>
> PCI DSS 10.5.5.:
> *Use file-integrity monitoring or change-detection software on logs to 
> ensure that existing log data cannot be changed without generating alerts 
> (although new data being added should not cause an alert).*
>
> To cover this issue we wanted to enable real-time monitoring on our log 
> file directories. Unfortunately we are getting this error:
> Ignoring flag for real time monitoring on directory: '/data/'
>
> Our servers are based on Ubuntu 10.04, 11.04 and 11.10, all x64 systems. 
> We are using OSSEC 2.5 for clients and server. I know that for real-time
> monitoring the tool inotify-tools must be installed, but unfortunately this
> didn't resolve the issue.
> Do you have any suggestions how we can make the real-time monitoring of
> growing log files work correctly?
>
> Thank you very much in advance
>
> Regards.
>
> Andreas Lang
>
>

Re: [ossec-list] McAfee ePO and OSSEC

2012-09-19 Thread Michael Starks

On 19.09.2012 05:22, C. L. Martinez wrote:

Hi all,

Has somebody tried to configure OSSEC to extract alerts from a
McAfee ePO server that uses a SQL Express database as its repository for
events? I am trying to extract some info from the ePO database like
events, viruses detected, etc. and then parse it with OSSEC.

Thanks.


I haven't tried querying the database, but ePO has automatic responses, 
which themselves have some correlation capabilities, but they also can 
run an external command using registered executables. This means you can 
use a syslog client. See here: 
http://www.youtube.com/watch?v=XykFT1_8N4k


Re: [ossec-list] real-time monitoring of growing log - PCI DSS 10.5.5

2012-09-19 Thread Michael Starks

On 19.09.2012 05:59, Andreas Lang wrote:

Hello,


Hi.


We have some questions regarding analysing log files with OSSEC
referring to the log file requirements in PCI-DSS 10.5.5.

PCI DSS 10.5.5.:
_Use file-integrity monitoring or change-detection software on logs to
ensure that existing log data cannot be changed without generating
alerts (although new data being added should not cause an alert)._


I have experience in PCI, but I am not a QSA, nor do I play one on TV, 
so take this for what it's worth. This is my take on the requirement and 
I have never had it be a problem in audits:


No current tool that I know of can be 100% sure that running logs have 
not been modified. What OSSEC *can* do, however, is to alert you if the 
running log file size has been reduced, which is an indication of 
tampering. OSSEC can also check *rotated* logs in real time. There is no 
good reason for a rotated log file to change. If you rotate logs once 
per day, along with acting on the log size reduced alerts, *I* believe 
that this reasonably meets the requirement. I think a QSA would have a 
hard time arguing otherwise and demonstrating a better way.


Re: [ossec-list] McAfee ePO and OSSEC

2012-09-19 Thread C. L. Martinez
On Wed, Sep 19, 2012 at 1:09 PM, dan (ddp)  wrote:
> On Wed, Sep 19, 2012 at 6:22 AM, C. L. Martinez  wrote:
>> Hi all,
>>
>> Has somebody tried to configure OSSEC to extract alerts from a
>> McAfee ePO server that uses a SQL Express database as its repository for
>> events? I am trying to extract some info from the ePO database like
>> events, viruses detected, etc. and then parse it with OSSEC.
>>
>> Thanks.
>
> What are your plans for getting the events out of the db? I didn't get
> to do any admin work with epo, but I remember there were issues
> integrating parts of it with other products.

My idea is to launch a SQL script and redirect its output to a log
file. After that, OSSEC can read it and trigger an alert if it is
necessary.


Re: [ossec-list] McAfee ePO and OSSEC

2012-09-19 Thread dan (ddp)
On Wed, Sep 19, 2012 at 6:22 AM, C. L. Martinez  wrote:
> Hi all,
>
> Has somebody tried to configure OSSEC to extract alerts from a
> McAfee ePO server that uses a SQL Express database as its repository for
> events? I am trying to extract some info from the ePO database like
> events, viruses detected, etc. and then parse it with OSSEC.
>
> Thanks.

What are your plans for getting the events out of the db? I didn't get
to do any admin work with epo, but I remember there were issues
integrating parts of it with other products.


Re: [ossec-list] real-time monitoring of growing log - PCI DSS 10.5.5

2012-09-19 Thread dan (ddp)
On Wed, Sep 19, 2012 at 9:04 AM, Eero Volotinen  wrote:
> 2012/9/19 dan (ddp) :
>> On Wed, Sep 19, 2012 at 6:59 AM, Andreas Lang  
>> wrote:
>>> Hello,
>>>
>>> We have some questions regarding analysing log files with OSSEC referring to
>>> the log file requirements in PCI-DSS 10.5.5.
>>>
>>> PCI DSS 10.5.5.:
>>> Use file-integrity monitoring or change-detection software on logs to ensure
>>> that existing log data cannot be changed without generating alerts (although
>>> new data being added should not cause an alert).
>>>
>>> To cover this issue we wanted to enable real-time monitoring on our log file
>>> directories. Unfortunately we are getting this error:
>>> Ignoring flag for real time monitoring on directory: '/data/'
>>>
>>> Our servers are based on Ubuntu 10.04, 11.04 and 11.10, all x64 systems. We
>>> are using OSSEC 2.5 for clients and server. I know that for real-time
>>> monitoring the tool inotify-tools must be installed, but unfortunately this
>>> didn't resolve the issue.
>>> Do you have any suggestions how we can make the real-time monitoring of
>>> growing log files work correctly?
>>>
>>> Thank you very much in advance
>>>
>>> Regards.
>>>
>>> Andreas Lang
>>>
>>
>> Are you sure the inotify stuff was enabled in the build? It sounds
>> like the support didn't get compiled in.
>
> Does OSSEC support log analysis in real time, or only directory
> checksumming in real time?
>
> --
> Eero

Now you have me worried. It seems like you're mixing up a few things.

Log analysis is as realtime as it can really get. ossec-logcollector
basically tails the log file and forwards the log messages on as it
gets them. But this is very different than the realtime syscheck
alerting.


Re: [ossec-list] real-time monitoring of growing log - PCI DSS 10.5.5

2012-09-19 Thread dan (ddp)
On Wed, Sep 19, 2012 at 7:14 AM, Eero Volotinen  wrote:
> 2012/9/19 Andreas Lang :
>> Hello,
>>
>> We have some questions regarding analysing log files with OSSEC referring to
>> the log file requirements in PCI-DSS 10.5.5.
>>
>> PCI DSS 10.5.5.:
>> Use file-integrity monitoring or change-detection software on logs to ensure
>> that existing log data cannot be changed without generating alerts (although
>> new data being added should not cause an alert).
>>
>> To cover this issue we wanted to enable real-time monitoring on our log file
>> directories. Unfortunately we are getting this error:
>> Ignoring flag for real time monitoring on directory: '/data/'
>>
>> Our servers are based on Ubuntu 10.04, 11.04 and 11.10, all x64 systems. We
>> are using OSSEC 2.5 for clients and server. I know that for real-time
>> monitoring the tool inotify-tools must be installed, but unfortunately this
>> didn't resolve the issue.
>> Do you have any suggestions how we can make the real-time monitoring of
>> growing log files work correctly?
>
> How about installing Samhain on the OSSEC server to monitor the OSSEC logs?
>
> --
> Eero

And Aide to monitor the samhain stuff!


Re: [ossec-list] real-time monitoring of growing log - PCI DSS 10.5.5

2012-09-19 Thread Eero Volotinen
2012/9/19 dan (ddp) :
> On Wed, Sep 19, 2012 at 6:59 AM, Andreas Lang  wrote:
>> Hello,
>>
>> We have some questions regarding analysing log files with OSSEC referring to
>> the log file requirements in PCI-DSS 10.5.5.
>>
>> PCI DSS 10.5.5.:
>> Use file-integrity monitoring or change-detection software on logs to ensure
>> that existing log data cannot be changed without generating alerts (although
>> new data being added should not cause an alert).
>>
>> To cover this issue we wanted to enable real-time monitoring on our log file
>> directories. Unfortunately we are getting this error:
>> Ignoring flag for real time monitoring on directory: '/data/'
>>
>> Our servers are based on Ubuntu 10.04, 11.04 and 11.10, all x64 systems. We
>> are using OSSEC 2.5 for clients and server. I know that for real-time
>> monitoring the tool inotify-tools must be installed, but unfortunately this
>> didn't resolve the issue.
>> Do you have any suggestions how we can make the real-time monitoring of
>> growing log files work correctly?
>>
>> Thank you very much in advance
>>
>> Regards.
>>
>> Andreas Lang
>>
>
> Are you sure the inotify stuff was enabled in the build? It sounds
> like the support didn't get compiled in.

Does OSSEC support log analysis in real time, or only directory
checksumming in real time?

--
Eero


Re: [ossec-list] ossec inotify status on rhel 5 and 6

2012-09-19 Thread dan (ddp)
On Wed, Sep 19, 2012 at 8:48 AM, Eero Volotinen  wrote:
> Hi,
>
> Is inotify working on rhel 5 and 6 on ossec?
>
> --
> Eero

Yes


[ossec-list] ossec inotify status on rhel 5 and 6

2012-09-19 Thread Eero Volotinen
Hi,

Is inotify working on rhel 5 and 6 on ossec?

--
Eero


Re: [ossec-list] real-time monitoring of growing log - PCI DSS 10.5.5

2012-09-19 Thread dan (ddp)
On Wed, Sep 19, 2012 at 6:59 AM, Andreas Lang  wrote:
> Hello,
>
> We have some questions regarding analysing log files with OSSEC referring to
> the log file requirements in PCI-DSS 10.5.5.
>
> PCI DSS 10.5.5.:
> Use file-integrity monitoring or change-detection software on logs to ensure
> that existing log data cannot be changed without generating alerts (although
> new data being added should not cause an alert).
>
> To cover this issue we wanted to enable real-time monitoring on our log file
> directories. Unfortunately we are getting this error:
> Ignoring flag for real time monitoring on directory: '/data/'
>
> Our servers are based on Ubuntu 10.04, 11.04 and 11.10, all x64 systems. We
> are using OSSEC 2.5 for clients and server. I know that for real-time
> monitoring the tool inotify-tools must be installed, but unfortunately this
> didn't resolve the issue.
> Do you have any suggestions how we can make the real-time monitoring of
> growing log files work correctly?
>
> Thank you very much in advance
>
> Regards.
>
> Andreas Lang
>

Are you sure the inotify stuff was enabled in the build? It sounds
like the support didn't get compiled in.


[ossec-list] commercial rule updates for ossec

2012-09-19 Thread Eero Volotinen
Hi List,

Are there any commercial rule updates available for OSSEC?

--
Eero


Re: [ossec-list] real-time monitoring of growing log - PCI DSS 10.5.5

2012-09-19 Thread Eero Volotinen
2012/9/19 Andreas Lang :
> Hello,
>
> We have some questions regarding analysing log files with OSSEC referring to
> the log file requirements in PCI-DSS 10.5.5.
>
> PCI DSS 10.5.5.:
> Use file-integrity monitoring or change-detection software on logs to ensure
> that existing log data cannot be changed without generating alerts (although
> new data being added should not cause an alert).
>
> To cover this issue we wanted to enable real-time monitoring on our log file
> directories. Unfortunately we are getting this error:
> Ignoring flag for real time monitoring on directory: '/data/'
>
> Our servers are based on Ubuntu 10.04, 11.04 and 11.10, all x64 systems. We
> are using OSSEC 2.5 for clients and server. I know that for real-time
> monitoring the tool inotify-tools must be installed, but unfortunately this
> didn't resolve the issue.
> Do you have any suggestions how we can make the real-time monitoring of
> growing log files work correctly?

How about installing Samhain on the OSSEC server to monitor the OSSEC logs?

--
Eero


[ossec-list] real-time monitoring of growing log - PCI DSS 10.5.5

2012-09-19 Thread Andreas Lang
Hello,

We have some questions regarding analysing log files with OSSEC referring 
to the log file requirements in PCI-DSS 10.5.5.

PCI DSS 10.5.5.:
*Use file-integrity monitoring or change-detection software on logs to 
ensure that existing log data cannot be changed without generating alerts 
(although new data being added should not cause an alert).*

To cover this issue we wanted to enable real-time monitoring on our log 
file directories. Unfortunately we are getting this error:
Ignoring flag for real time monitoring on directory: '/data/'

Our servers are based on Ubuntu 10.04, 11.04 and 11.10, all x64 systems. We 
are using OSSEC 2.5 for clients and server. I know that for real-time
monitoring the tool inotify-tools must be installed, but unfortunately this
didn't resolve the issue.
Do you have any suggestions how we can make the real-time monitoring of
growing log files work correctly?

Thank you very much in advance

Regards.

Andreas Lang



[ossec-list] McAfee ePO and OSSEC

2012-09-19 Thread C. L. Martinez
Hi all,

Has somebody tried to configure OSSEC to extract alerts from a
McAfee ePO server that uses a SQL Express database as its repository for
events? I am trying to extract some info from the ePO database like
events, viruses detected, etc. and then parse it with OSSEC.

Thanks.


[ossec-list] OSSEC 2.7-beta0. Logcollector segfaults dirty fix

2012-09-19 Thread PAL
I tried to install OSSEC 2.7 in my environment.
Unfortunately, logcollector has a serious problem.
I defined the config like:

  <localfile>
    <log_format timeout="2">linux_auditd</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

I got a logcollector segfault in a short time.
I did some exploring. The file was successfully accessed at start but lost
access in a few minutes (looks like because audit.log is updated frequently),
and after that logcollector segfaulted.

OK, let's debug. As I found, when the file is not available, it's marked by setting
logff[i].ign to 999 and logff[i].fp to NULL.
BUT! In the next cycle logcollector will try to interpret this file as
"command" type! This will incorrectly set size and position, and when
function "read" is called, we get a segfault.

For example, debug session:

gdb ./client-logcollector -f
[New process 11610]
[New process 11611]

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 11611]
0x2ad2bb1c in fgetpos64@@GLIBC_2.2.5 () from /lib64/libc.so.6
(gdb) bt
#0  0x2ad2bb1c in fgetpos64@@GLIBC_2.2.5 () from /lib64/libc.so.6
#1  0x00405d6a in read_linux_audit (pos=3, drop_it=0) at 
read_linux_audit.c:157
#2  0x004033f0 in LogCollectorStart () at logcollector.c:349
#3  0x00404992 in main (argc=1, argv=0x7fffc658) at main.c:184
(gdb)


The same happened (but not always, strange, hm) when I added a
nonexistent file to the config.

I made a patch (in attachment) which allows avoiding this problem.
After a day of testing logcollector works fine.

--- ossec-hids-2.7-beta-0/src/logcollector/logcollector.c.orig	2012-09-06 22:38:43.0 -0400
+++ ossec-hids-2.7-beta-0/src/logcollector/logcollector.c	2012-09-18 09:06:37.0 -0400
@@ -339,6 +339,21 @@
 {
 if(!logff[i].fp)
 {
+		// check is those real command or not
+		if ((strcmp(logff[i].logformat, "full_command") != 0) && (strcmp(logff[i].logformat, "command") != 0))
+		{
+		debug2("%s: DEBUG: File %s (logformat: %s) tried to interpret as command. Stop that",ARGV0, logff[i].file, logff[i].logformat);
+	// do not process file with out of max try to open, let's reinitialize them
+	if(logff[i].ign >= 999)
+	{
+	verbose("%s: INFO: File %s reached of maximum try to open (%d). Counters will reset.", ARGV0, logff[i].file, max_file);
+	/* Trying to open it again */
+		logff[i].fp = NULL;
+	logff[i].ign=0;
+	handle_file(i, 1, 1);
+	}
+	continue;
+	}
 /* Run the command. */
 if(logff[i].command && (f_check %2))
 {
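Review bot: the verbose() call inside `if(logff[i].ign >= 999)` passes `max_file` for its `%d`, but the limit it reports on is the literal 999 in the comparison, so the "reached of maximum try to open (%d)" message will print a different number than the one actually used; use one named constant (e.g. `#define MAX_OPEN_TRIES 999`) in both the test and the format argument. Two smaller points in the same block: `logff[i].fp = NULL;` is redundant because this code is only reached under `if(!logff[i].fp)`, and the new `//` comments with mixed tab indentation do not match the `/* ... */` style of the surrounding context lines; reindenting to the file's convention would also make the `continue;` that bypasses the `/* Run the command. */` branch, which is the actual fix, easier to see.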

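The misdispatch PAL describes, reduced to a stand-alone model in C. This is an added example and not OSSEC's code: the `logff`-style struct, the `fp`, `ign` and `logformat` fields and the 999 threshold follow the post, while the `action` enum, `dispatch_buggy`, `dispatch_fixed` and the reopen-on-reset behaviour are assumptions made here to show the difference between branching on a NULL handle and branching on the configured log format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_IGN 999   /* marker PAL reports for "gave up opening this file" */

enum action { ACT_READ_FILE, ACT_RUN_COMMAND, ACT_RETRY_OPEN, ACT_SKIP };

/* Reduced stand-in for OSSEC's logff[] entries (field names from the post). */
struct logfile {
    const char *file;        /* path, or the command line for command entries */
    const char *logformat;   /* "syslog", "linux_auditd", "command", ...      */
    FILE       *fp;          /* NULL once the file could not be read          */
    int         ign;         /* failed cycles so far; MAX_IGN means given up  */
};

static int is_command_format(const char *fmt)
{
    return strcmp(fmt, "command") == 0 || strcmp(fmt, "full_command") == 0;
}

/* The behaviour PAL observed: a NULL handle is taken to mean "this entry
 * is a command", so an unreadable audit.log lands in the command branch,
 * whose size/position bookkeeping then dereferences the NULL FILE *. */
enum action dispatch_buggy(struct logfile *lf)
{
    if (!lf->fp)
        return ACT_RUN_COMMAND;
    return ACT_READ_FILE;
}

/* Hardened dispatch: the configured format, not the state of the handle,
 * selects the branch. A file entry with no handle is either skipped or,
 * once it has hit MAX_IGN, reset and reopened; it is never run as a command. */
enum action dispatch_fixed(struct logfile *lf)
{
    if (is_command_format(lf->logformat))
        return ACT_RUN_COMMAND;
    if (lf->fp)
        return ACT_READ_FILE;
    if (lf->ign >= MAX_IGN) {
        lf->ign = 0;                          /* give the file another chance */
        lf->fp = fopen(lf->file, "r");
        return lf->fp ? ACT_RETRY_OPEN : ACT_SKIP;
    }
    lf->ign++;
    return ACT_SKIP;
}

/* Stand-alone demo: one cycle over two entries, one of which has lost its file. */
int main(void)
{
    struct logfile entries[] = {
        { "/var/log/audit/audit.log", "linux_auditd", NULL, MAX_IGN },
        { "df -P",                    "command",      NULL, 0       },
    };
    static const char *names[] = { "read file", "run command", "reopened", "skip" };
    size_t i;
    for (i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        enum action b = dispatch_buggy(&entries[i]);
        enum action f = dispatch_fixed(&entries[i]);
        printf("%-28s buggy=%-12s fixed=%s\n", entries[i].file, names[b], names[f]);
        if (entries[i].fp)
            fclose(entries[i].fp);
    }
    return 0;
}
```

Run without privileges the audit.log entry prints `buggy=run command fixed=skip`: the buggy path would have sent a plain file into the command branch, the fixed path counts the failure and moves on, and after MAX_IGN cycles it retries the open instead of crashing.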

Re: [ossec-list] Granular E-Mail alerts

2012-09-19 Thread Juergen Kahnert
On Tue, Sep 18, 2012 at 03:01:39PM -0400, Christina Plummer wrote:
> Would it be possible to NOT limit the number email alerts per hour?

Not really: having one system which produces lots of alerts while
notification mails are sent to an admin list will disturb the mail
system, causing problems for a few thousand users.


> Or, batch deliver them after hitting the limit, but still keep the
> alerts separate?

Sure, that's the missing feature. ;)


> My guess is that the 'divisions' might be different admin teams -

Indeed, most of them are sections of the IT division, but in reality it's
more complicated than that.


> So the logs from the same machine would have to be sent to multiple
> OSSEC servers with different global_email settings and alert rules.

If done this way, then every section or admin team has to configure the
OSSEC server and do the same work others already did to ignore those
messages they don't want to see. Doing the same work at different
places isn't productive.

And it wouldn't solve my problem anyway, because I'm interested in
security alerts of every system / service, so I would have to be part
of the global email configuration and would get all the mails I don't
want to see.

That's why I miss the feature that only unassigned mails (not handled by
any email_alerts block) are sent to a global email address.