Custom Email Alert Subject Line


Lee Seeman

Oct 1, 2020, 4:29:10 PM
to Wazuh mailing list
What's up everyone!
I searched through the Wazuh docs and I did not see an option to modify the email alert subject line. This would be very beneficial to better interpret alerts when emails come in. For example, if we could have a subject of "Wazuh Alert: <rule name>, <agentname>"

Is this possible?

jeremias...@wazuh.com

Oct 1, 2020, 8:33:29 PM
to Wazuh mailing list
Hi leeseeman,
Thank you for using Wazuh!
The subject line has only a few options for modification. You can edit /var/ossec/etc/local_internal_options.conf and add the string maild.full_subject=1 to include the alert comment in the subject line, but there are no other customizations to perform.
On the other hand, I searched for a workaround and found this interesting thread where it's explained how to code-modify the subject. This will allow you to compile Wazuh with a specific subject, but will not allow you to create different subjects based on other fields of the alert.
I will get in touch with other co-workers to ask if a similar feature is on the Wazuh roadmap and come back to you with the response.
If you have further questions, don't hesitate to ask.

Best regards.

Juan Carlos

Oct 2, 2020, 4:15:10 PM
to Wazuh mailing list
Hi Lee,

I would like to add that the Wazuh Integrator provides great flexibility without the need to re-compile.
So you can add an integration to send email alerts tailored to your preference.
Attached to this message you may find an integration I created some time ago, but in this case adapted to the subject line you asked for.

At the start you must specify the sender's address and the email server.
The file must be placed in the Wazuh manager with the /var/ossec/integrations/custom-email-alert path and then given the proper ownership and permissions:

chown root:ossec /var/ossec/integrations/custom-email-alerts
chmod 750 /var/ossec/integrations/custom-email-alerts


Then the manager's configuration must include a stanza like this within an <ossec_config> tag:
<integration>
  <name>custom-email-alerts</name>
  <hook_url>emailre...@example.com</hook_url>
  <level>10</level>
  <group>windows</group>
  <alert_format>json</alert_format>
</integration>

You can adapt the generate_msg function to fit your specific needs.
The script sends email to an email server that does not require authentication, so it could also be adapted to perform authentication by itself or use postfix like the default email configuration for Wazuh currently does.

I hope this helps,
Best Regards,
Juan Carlos Tello
custom-email-alert
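An added example, not Juan Carlos's attachment, of what such a custom integration script can look like in Python. It assumes the Wazuh Integrator invokes the script as `custom-email-alerts <alert_file> <api_key> <hook_url>` (so the recipient comes from <hook_url>), and that the sender address and an SMTP relay needing no authentication (both assumed placeholder values) are set at the top of the file, as the post describes.

```python
"""Custom Wazuh integration: e-mail alerts with a tailored subject line.

Assumed calling convention (Wazuh Integrator):
    custom-email-alerts <alert_file> <api_key> <hook_url>
"""
import json
import smtplib
import sys
from email.message import EmailMessage

SENDER = "wazuh@example.com"    # assumed sender address; edit for your site
SMTP_HOST = "mail.example.com"  # assumed relay that requires no authentication

# Constructed sample alert in Wazuh's JSON alert format (not a real event).
SAMPLE_ALERT = {
    "rule": {"level": 10, "description": "Multiple logon failures on a Windows host",
             "id": "100001", "groups": ["windows", "authentication_failures"]},
    "agent": {"id": "003", "name": "win-dc01"},
    "timestamp": "2020-10-02T14:10:00.000+0000",
}


def build_subject(alert):
    """Subject in the form requested in the thread: "Wazuh Alert: <rule name>, <agentname>".
    Falls back to placeholders so a malformed alert never crashes the integration."""
    rule = alert.get("rule", {}).get("description", "unknown rule")
    agent = alert.get("agent", {}).get("name", "unknown agent")
    return f"Wazuh Alert: {rule}, {agent}"


def generate_msg(alert, recipient):
    """Build the e-mail; this is the function to adapt for other alert fields."""
    msg = EmailMessage()
    msg["Subject"] = build_subject(alert)
    msg["From"] = SENDER
    msg["To"] = recipient
    msg.set_content(json.dumps(alert, indent=2))  # full alert as the body
    return msg


def send_msg(msg):
    """Hand the message to the unauthenticated relay (add login() here if needed)."""
    with smtplib.SMTP(SMTP_HOST) as smtp:
        smtp.send_message(msg)


def main(argv):
    alert_file, _api_key, hook_url = argv[1:4]  # api_key is unused by this script
    with open(alert_file) as fh:
        alert = json.load(fh)
    send_msg(generate_msg(alert, hook_url))


if __name__ == "__main__":
    main(sys.argv)
```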