extra labels in the alert e-mail


Yuri Krysko

Apr 12, 2019, 10:42:52 AM4/12/19
to Wazuh mailing list
Hello All,

I am trying to utilize the labels feature to inject extra info about the aws environment into Wazuh alerts. I can see the information in my alerts.json on the Wazuh manager, but the e-mails that I get for these same alerts lack the labels data. Is there something extra that needs to be done configuration-wise?

Thanks much,
Yuri

francisc...@wazuh.com

Apr 16, 2019, 4:37:17 AM4/16/19
to Wazuh mailing list

Hello Yuri!

As far as I know, what you expect is the default behavior of Wazuh e-mails. I would need more information in order to help you.

Can you show me your configuration of the manager and agents, and some e-mail alerts received with that config?

One example of an environment where I am receiving emails with the desired labels:

MANAGER: CentOS 7 with Wazuh manager v3.8.2:

/var/ossec/etc/ossec.conf

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>exa...@gmail.com</email_from>
    <email_to>exa...@gmail.com</email_to>
    <!-- e-mail bodies are built from this log (alerts.log is written because alerts_log is yes) -->
    <email_log_source>alerts.log</email_log_source>
    <queue_size>131072</queue_size>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <!-- alerts at or above this level are e-mailed -->
    <email_alert_level>3</email_alert_level>
  </alerts>
</ossec_config>
AGENT: Fedora 23 with Wazuh agent v3.8.2:

/var/ossec/etc/

<labels>
  <!-- visible labels are printed as "key: value" lines in the alert, see the e-mail below -->
  <label key="aws.instance-id">i-052a1838c</label>
  <label key="aws.sec-group">sg-1103</label>
  <label key="network.ip">172.17.0.0</label>
  <label key="network.mac">02:42:ac:11:00:02</label>
  <!-- a hidden label is not printed in the plain-text alert (note it is absent from the e-mail below) -->
  <label key="installation" hidden="yes">January 1st, 2017</label>
</labels>

Example of email received:

Wazuh Notification.
 2019 Apr 16 08:05:09

 Received From: (fedora23) 172.16.1.25->syscheck
 Rule: 550 fired (level 7) -> "Integrity checksum changed."
 Portion of the log(s):

 aws.instance-id: i-052a1838c
 aws.sec-group: sg-1103
 network.ip: 172.17.0.0
 network.mac: 02:42:ac:11:00:02
 File '/etc/profile' checksum changed.
 Old modification time was: 'Tue Apr 16 08:00:04 2019', now it is 'Tue Apr 16 08:04:52 2019'
 Old inode was: '8391850', now it is '8391851'
 Old md5sum was: '71689c79c092de1c2b5cee935abca1a2'
 New md5sum is : '6fb46d5c0d5b896a9aedfbb98cd18588'
 Old sha1sum was: 'd9af7091e88142a3acaabba9ff0055eebb370822'
 New sha1sum is : 'a80bfe0fb71c43591ee906bc3880ed4528a46f03'
 Old sha256sum was: '82e40133483aea77d2730548bcf34e16c33cd43ba97e64c84f1281dc73607816'
 New sha256sum is : '0220e1e48e3d84e3cb724f91fb73d69387178e80546c530808195dbc014c980c'
