Hi SP_11,
There is an option in the ruleset to allow emails to always be sent when a specific rule matches, regardless of the level. Its name is <alert_by_email>; you can read more about it on this documentation page:
By default, there is already a rule that triggers an alert every time an agent disconnects (504), but it has to be edited in order to include the option mentioned above. To do this, add the following snippet to your custom rules (located in /var/ossec/etc/rules/local_rules.xml or via the dashboard). That will overwrite the original rule, making the modification persistent across upgrades as explained in Custom rules and decoders - Ruleset:
<group name="ossec,">
  <rule id="504" level="3" overwrite="yes">
    <if_sid>500</if_sid>
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected.</description>
    <options>alert_by_email</options>
    <mitre>
      <id>T1562.001</id>
    </mitre>
    <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,</group>
  </rule>
</group>
Lastly, restart the manager for the change to take effect. Remember that you will need to configure a mail server for this to work. If you haven’t already, you’ll need to create an SMTP relay and modify your manager’s configuration file (/var/ossec/etc/ossec.conf) as explained on the following pages before you can receive emails:
Let me know if you have any questions or problems in the process.
Best regards,
Selu.
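A pre-restart sanity check for the two pieces this reply relies on (the rule 504 override carrying overwrite="yes" and alert_by_email, and the email settings in ossec.conf). This is an added example, not code from the post or from Wazuh; the XML samples are constructed inline, the SMTP host and addresses are placeholders, and the helper names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the override from the post (not read from disk).
LOCAL_RULES = """
<group name="ossec,">
  <rule id="504" level="3" overwrite="yes">
    <if_sid>500</if_sid>
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected.</description>
    <options>alert_by_email</options>
  </rule>
</group>
"""

# Constructed ossec.conf fragment; host and addresses are placeholders.
OSSEC_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.internal</smtp_server>
    <email_from>wazuh@example.internal</email_from>
    <email_to>soc@example.internal</email_to>
  </global>
</ossec_config>
"""

def parse_fragments(text):
    # Wazuh rule and config files may hold several top-level elements
    # (multiple <group> or <ossec_config> blocks), so wrap them in a
    # synthetic root to obtain well-formed XML before parsing.
    return ET.fromstring("<root>" + text + "</root>")

def check_email_override(rules_xml, rule_id="504"):
    """Return a list of problems with the rule override; empty means OK."""
    rules = [r for r in parse_fragments(rules_xml).iter("rule") if r.get("id") == rule_id]
    if not rules:
        return [f"rule {rule_id} not present in custom rules"]
    rule, problems = rules[-1], []   # the last definition is the effective one
    if rule.get("overwrite") != "yes":
        problems.append('overwrite="yes" missing: the stock rule will not be replaced')
    if "alert_by_email" not in [o.text.strip() for o in rule.findall("options") if o.text]:
        problems.append("<options>alert_by_email</options> missing")
    return problems

def check_email_config(conf_xml):
    """Return a list of problems with the <global> email settings; empty means OK."""
    glob = parse_fragments(conf_xml).find(".//global")
    if glob is None:
        return ["no <global> section in ossec.conf"]
    problems = [] if (glob.findtext("email_notification") or "").strip() == "yes" \
        else ["email_notification is not 'yes'"]
    problems += [f"<{t}> is empty or missing" for t in ("smtp_server", "email_from", "email_to")
                 if not (glob.findtext(t) or "").strip()]
    return problems
```

Run it against the real files with `open("/var/ossec/etc/rules/local_rules.xml").read()` and `open("/var/ossec/etc/ossec.conf").read()`; an empty list from both checks means the override and mail settings are in place before you restart the manager.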