Hi Dan,
Thanks for the response. I am aware of the frequency and time frame options in the rule, but they do not serve the purpose. Let me frame the requirement in a slightly different way.
Basically, we have 50 duplicate events generated within a period of 1 sec, which we want to throttle down to 1 event per sec. This is to avoid having users investigate too many events. To achieve this, OSSEC would have to hold the said event [based on rule ID] for 1 sec and see how many such events arrive within that 1 sec period. If the number goes beyond 50, then post just one aggregated alert instead of 50 different ones. If that does not happen, then just release whatever is held.
Hope that helps. If there is any workaround in OSSEC to achieve this, it would really help to reduce the number of events.
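The hold-and-collapse behaviour described in the message above, written out as an added example for this thread rather than anything built into OSSEC; it assumes events arrive as (timestamp, rule_id, message) tuples in time order, and uses the 1-second hold and the 50-event threshold from the message as its constructed defaults.

```python
HOLD_SECONDS = 1.0   # how long events of one rule ID are held (assumed, from the message)
THRESHOLD = 50       # more than this many in one window collapses into a single alert


def aggregate(events, hold=HOLD_SECONDS, threshold=THRESHOLD):
    """Hold events per rule ID for `hold` seconds; if more than `threshold`
    arrive in that window emit one aggregated alert, otherwise release
    every held event unchanged. `events` must be sorted by timestamp."""
    held = {}   # rule_id -> list of (ts, rule_id, msg) in the open window
    out = []

    def flush(rule_id):
        batch = held.pop(rule_id)
        if len(batch) > threshold:
            # burst: one summary alert instead of len(batch) separate ones
            out.append({"rule_id": rule_id, "count": len(batch), "aggregated": True,
                        "first": batch[0][0], "last": batch[-1][0]})
        else:
            # below the threshold: release what was held, one alert each
            for ts, rid, msg in batch:
                out.append({"rule_id": rid, "count": 1, "aggregated": False,
                            "first": ts, "last": ts, "message": msg})

    for ts, rid, msg in events:
        # close every window whose hold period expired before this event
        for expired in [r for r, b in held.items() if ts - b[0][0] >= hold]:
            flush(expired)
        held.setdefault(rid, []).append((ts, rid, msg))
    for remaining in list(held):   # end of stream: flush whatever is still held
        flush(remaining)
    return out


def demo():
    """Constructed sample stream: a 60-event burst of rule 5710 inside one
    second, three unrelated 5501 events, then 20 more 5710 events a second later."""
    events = [(i * 0.01, "5710", "duplicate event") for i in range(60)]
    events += [(0.2, "5501", "other"), (0.5, "5501", "other"), (0.8, "5501", "other")]
    events += [(2.0 + i * 0.01, "5710", "duplicate event") for i in range(20)]
    events.sort(key=lambda e: e[0])
    return aggregate(events)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

With the sample stream the 60-event burst becomes one alert with count 60, while the three 5501 events and the later 20-event batch (under the threshold) are released individually, 24 alerts in total.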