FIM email alert


Matias

Jan 20, 2023, 5:37:01 AM
to Wazuh mailing list
Hi Wazuh Team,
I need the FIM alerts to reach me by email. I just want them to reach me on the routes that I configure.
I set this in the manager, but it doesn't work:

  <!-- FIM reports -->
  <email_alerts>
    <email_to>seg...@company.com</email_to>
    <event_location>TRX01|PP01|PP02|RX02|RX03</event_location>
    <rule_id>550, 553, 554</rule_id>
    <do_not_delay />
  </email_alerts>
  <!-- end -->

Carlos Dams

Jan 20, 2023, 7:30:34 AM
to Wazuh mailing list
Hi Matias,
Thanks for using Wazuh!
  • Have you configured the SMTP server under the <global> tags of the file /var/ossec/etc/ossec.conf?
  • Are TRX01|PP01|PP02|RX02|RX03 hostnames?
  • Are you using an SMTP server with authentication (e.g. gmail, outlook)? If yes, did step 6 of this guide work?
Also, I noticed the rule IDs you want to get an email notification for are level 5 or 7. Take into account that if you have a higher <email_alert_level>, you will not receive emails from these rules.

What I recommend in this case, instead of setting the value of <email_alert_level> to a lower number, is that you force the email alert by overwriting the rules and adding the option: <options>alert_by_email</options>

I hope this addresses your issue; please let me know.
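
A quick way to check the point above offline, as an added example that is not part of the original thread or Wazuh's own code: the Python sketch below reads an ossec.conf fragment and a local_rules.xml fragment and reports, for each rule ID in the granular block, whether the level threshold or an alert_by_email override would let the email through. The file contents, the address, the function names and the per-rule default levels are constructed assumptions, and <event_location> matching is not evaluated.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a manager ossec.conf (not the poster's real file).
OSSEC_CONF = """
<ossec_config>
  <alerts>
    <email_alert_level>12</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>fim-team@example.com</email_to>
    <event_location>TRX01|PP01|PP02|RX02|RX03</event_location>
    <rule_id>550, 553, 554</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>
"""

# Constructed, abbreviated local_rules.xml: only rule 554 is overwritten to force email.
LOCAL_RULES = """
<group name="syscheck,">
  <rule id="554" level="5" overwrite="yes">
    <description>File added to the system.</description>
    <options>alert_by_email</options>
  </rule>
</group>
"""

# Assumed levels of the stock rules (the thread only says "level 5 or 7").
DEFAULT_LEVELS = {550: 7, 553: 7, 554: 5}

def parse_fragments(text):
    """Config and rule files may hold several top-level elements, so wrap them."""
    return ET.fromstring("<root>" + text + "</root>")

def email_decisions(conf_text, rules_text, default_levels):
    """Return (threshold, {rule_id: True if an email would pass the level gate})."""
    conf = parse_fragments(conf_text)
    threshold = int(conf.findtext(".//alerts/email_alert_level", default="12"))
    levels, forced = dict(default_levels), set()
    for rule in parse_fragments(rules_text).iter("rule"):
        rid = int(rule.get("id"))
        levels[rid] = int(rule.get("level"))  # a local rule's level wins
        if any("alert_by_email" in (o.text or "") for o in rule.findall("options")):
            forced.add(rid)
    result = {}
    for block in conf.iter("email_alerts"):
        for rid in map(int, re.findall(r"\d+", block.findtext("rule_id", default=""))):
            result[rid] = rid in forced or levels.get(rid, 0) >= threshold
    return threshold, result
```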

Matias

Jan 20, 2023, 8:37:14 AM
to Wazuh mailing list

  • Have you configured the SMTP server under the <global> tags of the file /var/ossec/etc/ossec.conf?
YEP

  • Are TRX01|PP01|PP02|RX02|RX03 hostnames?
They are the registered names of the agents.

  • Are you using an SMTP server with authentication (e.g. gmail, outlook)? If yes, did step 6 of this guide work?
YEP, the email works fine because I get other alerts.

I will try what you say and comment.

Regards.