After some tests and readthedocs and looking into the source there are
some differences between the docs and the source and between
<email_alerts> and <reports>.
1. email_alerts
(a) from the docs
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html#element-email_alerts
"email_to
E-Mail recipients of alerts
Allowed: Any valid e-mail address"
The plural is misleading. You can specify exactly one email address
within <email_to></email_to>. It's later passed to "RCPT TO: <%s>" which
handles exactly one email address.
(b) from the src
src/config/email-alerts-config.c (~ line 120):
    else if(strcmp(node[i]->element, xml_email_to) == 0)
    {
        os_strdup(node[i]->content, Mail->gran_to[granto_size -1]);
    }
If you specify multiple <email_to></email_to> the last one wins.
(c) from the tests
(b) wins
2. reports
(a) from the docs
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.reports.html#element-email_to
"email_to
The email address to send the completed report.
This is a required field for a report to function.
Allowed: Any email address"
You can specify exactly one email address within <email_to></email_to>.
You can use <email_to></email_to> more than once, which isn't documented here.
But look at the code.
(b) from the src
src/config/reports-config.c (~ line 213):
    else if(strcmp(node[i]->element, xml_email) == 0)
    {
        mon_config->reports[s]->emailto = os_AddStrArray(node[i]->content, mon_config->reports[s]->emailto);
    }
Multiple <email_to></email_to> are copied to an array and multiple
"RCPT TO" fields are generated in src/os_maild/sendcustomemail.c (~ line 159).
(c) from the tests
(b) wins
Conclusion:
one email address for email_alerts
multiple email addresses for reports
A workaround would be an entry for (every) email_alerts in /etc/aliases.
A better solution will be a code consolidation.
Christian
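
A configuration check for the behaviour described in the message above, as an added example that is not part of the original post or of the OSSEC code base. It reports which <email_to> recipients take effect in each <email_alerts> and <reports> block and which are silently overwritten. The function name audit_email_to and the sample configuration are constructed for illustration, and the text is assumed to carry no XML declaration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration (not from the original post).
SAMPLE_CONF = """
<ossec_config>
  <email_alerts>
    <email_to>soc@example.com</email_to>
    <email_to>oncall@example.com</email_to>
    <level>10</level>
  </email_alerts>
  <email_alerts>
    <email_to>a@example.com, b@example.com</email_to>
  </email_alerts>
  <reports>
    <title>Daily report</title>
    <email_to>soc@example.com</email_to>
    <email_to>audit@example.com</email_to>
  </reports>
</ossec_config>
"""

def audit_email_to(conf_text):
    """Return (effective, findings) for <email_alerts> and <reports> blocks."""
    # ossec.conf may hold several top-level <ossec_config> blocks, so wrap
    # the text in a synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    effective, findings = [], []
    for section in ("email_alerts", "reports"):
        for n, block in enumerate(root.iter(section), start=1):
            addrs = [(e.text or "").strip() for e in block.findall("email_to")]
            for a in addrs:
                # One element's content ends up in a single "RCPT TO: <%s>".
                if re.search(r"[,;\s]", a):
                    findings.append((section, n, "multiple addresses in one element", a))
            if section == "email_alerts" and len(addrs) > 1:
                # In <email_alerts> each later <email_to> overwrites the earlier one.
                for dropped in addrs[:-1]:
                    findings.append((section, n, "overwritten, never mailed", dropped))
                addrs = addrs[-1:]
            effective.append((section, n, addrs))
    return effective, findings

if __name__ == "__main__":
    eff, found = audit_email_to(SAMPLE_CONF)
    for row in eff + found:
        print(row)
```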