Wazuh email notification subject change


ismailctest C

Sep 11, 2023, 7:55:47 AM
to Wazuh | Mailing List
Hi,
How do I change the Wazuh email notification subject?
Can we add additional custom lines in each mail?

Thanks,

Gabriel Emanuel Valenzuela

Sep 11, 2023, 8:32:31 AM
to Wazuh | Mailing List
Hi! How are you?

To easily customize email alerts, without recompiling the Wazuh source code, you can use the Wazuh integrator module and a script to send custom emails. In this message, I'll explain how to configure it and I'll include a link to a script (https://github.com/jctello/JCT-Wazuh/blob/main/integrations/custom-email-alerts) you can use and customize according to your needs.
An integration can be triggered by a rule ID, rule level or rule groups. To learn more, see the integration section. (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/integration.html)

For example, to send custom emails for alerts level 10 or higher, add the following integrations in your Wazuh manager configuration file /var/ossec/etc/ossec.conf:
<integration>
  <name>custom-email-alerts</name>
  <hook_url>your-emai...@example.com</hook_url>
  <level>10</level>
  <alert_format>json</alert_format>
</integration>

Add the custom script to send emails in /var/ossec/integrations/custom-email-alerts and give it the right ownership and permissions:

chown root:wazuh /var/ossec/integrations/custom-email-alerts
chmod 750 /var/ossec/integrations/custom-email-alerts


Make sure that the <name> tag in the integration configuration and the script name are an exact match; for example, if you use the .py extension in your script you must include it in the integration <name>.
Modify the custom script (lines 32 and 33) to include your data. This script works with a local server, like Postfix. (https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/smtp-authentication.html)
email_server = "localhost"
email_from = "nor...@example.com"

You may modify the subject and message in the generate_msg function according to your needs. By default, this script includes the alert description and agent name in the email subject.

Restart the Wazuh manager so changes can take effect:
systemctl restart wazuh-manager

Let us know if you have any questions. We're here to help =)

Luiz Farah

Mar 4, 2024, 6:17:39 AM
to Wazuh | Mailing List
Wow... I found out why it didn't work.
All custom integration names must start with 'custom-'.

Luiz Farah

Mar 4, 2024, 6:17:39 AM
to Wazuh | Mailing List

Hi Gabriel.
I followed the procedures you described, but the customized emails are not sent.
I changed the log path to make it easier to find the error, but this log is not even created when a level 12 rule is triggered. Do you know what might be happening here?
On Monday, September 11, 2023 at 09:32:31 UTC-3, Gabriel Emanuel Valenzuela wrote:

Luiz Farah

Mar 5, 2024, 12:57:08 PM
to Wazuh | Mailing List
Gabriel, I need to send an email to more than one recipient. How can I do that?
I think this <hook_url> option only accepts one email. How do I insert others?

Gabriel Emanuel Valenzuela

Mar 5, 2024, 8:39:41 PM
to Wazuh | Mailing List
Hi Luiz! How are you?

According to the code in (https://github.com/jctello/JCT-Wazuh/blob/main/integrations/custom-email-alerts), to send the email to more than one recipient you need to separate the recipients with `,`.


>> I changed the log path to make it easier to find the error, but this log is not even created when a level 12 rule is triggered. Do you know what might be happening here?

Could you solve this?

Greetings!
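An added example, written for this thread and not the linked script or Wazuh's own code, that covers the procedure in Gabriel's first message (integration block in ossec.conf, script under /var/ossec/integrations, ownership root:wazuh and mode 750, matching <name>) and the multi-recipient question answered above. It assumes a local MTA on localhost, a sender address and a log path, all marked as assumptions in the code. Install it as /var/ossec/integrations/custom-email-alerts.py, use exactly that file name in <name> (custom integration names must start with custom-), put the comma-separated recipients in <hook_url>, and restart wazuh-manager. Rule descriptions and agent names originate on the monitored hosts, so the subject is collapsed to a single line before it is placed in a mail header.

```python
#!/usr/bin/env python3
"""Custom Wazuh integration that mails an alert with a custom subject and body.

wazuh-integratord runs a custom integration as  <script> <alert_file> <api_key> <hook_url>
(api_key is whatever <api_key> holds, empty if unset).  Like the script linked in the
thread, this one reuses <hook_url> for a comma-separated recipient list.
"""
import json
import logging
import smtplib
import sys
import time
from email.message import EmailMessage

EMAIL_SERVER = "localhost"                      # assumption: local Postfix accepts mail
EMAIL_FROM = "wazuh@example.com"                # assumption: your sender address
LOG_FILE = "/var/ossec/logs/integrations.log"   # assumption: writable by the wazuh user

# Constructed sample alert with only the fields this script reads.  alerts.json
# keeps the rule groups as a list under "groups" (there is no "group" key).
SAMPLE_ALERT = {
    "timestamp": "2024-03-04T06:17:39.000+0000",
    "rule": {"level": 12, "id": "5720", "description": "Multiple authentication failures",
             "groups": ["syslog", "sshd", "authentication_failures"]},
    "agent": {"id": "001", "name": "web-01"},
}


def parse_recipients(hook_url):
    """Split the comma-separated hook_url into addresses, dropping blanks."""
    return [addr.strip() for addr in hook_url.split(",") if addr.strip()]


def sanitize_header(value, limit=200):
    """Descriptions and agent names carry data from monitored hosts: collapse
    CR/LF so nothing can inject extra mail headers, and cap the length."""
    return " ".join(str(value).split())[:limit]


def generate_msg(alert):
    """Build (subject, body) from the alert dictionary; edit the formats here."""
    rule = alert["rule"]
    agent = alert.get("agent", {})             # manager alerts report agent 000
    agent_name = agent.get("name", "manager")
    agent_id = agent.get("id", "000")
    t = time.strptime(alert["timestamp"].split(".")[0], "%Y-%m-%dT%H:%M:%S")
    timestamp = time.strftime("%Y-%m-%d %H:%M:%S", t)
    subject = sanitize_header("Wazuh notification - {} ({}) - {} - level {}".format(
        agent_name, agent_id, rule["description"], rule["level"]))
    body = (
        "This is an automatic message from your Wazuh manager.\n\n"
        'At {ts} agent "{name}" (id {aid}) triggered rule {rid} "{desc}" '
        "(level {lvl}; groups: {grp}).\n\nFull alert (JSON):\n{raw}\n"
    ).format(ts=timestamp, name=agent_name, aid=agent_id, rid=rule.get("id", "?"),
             desc=rule["description"], lvl=rule["level"],
             grp=", ".join(rule.get("groups", [])), raw=json.dumps(alert, indent=4))
    return subject, body


def build_email(alert, recipients):
    """Return an EmailMessage; the email library does the encoding and folding."""
    subject, body = generate_msg(alert)
    msg = EmailMessage()
    msg["From"] = EMAIL_FROM
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def main(argv):
    logging.basicConfig(filename=LOG_FILE, level=logging.INFO,
                        format="%(asctime)s custom-email-alerts %(levelname)s: %(message)s")
    if len(argv) < 4:
        logging.error("usage: %s <alert_file> <api_key> <hook_url>", argv[0])
        return 2
    alert_file, _api_key, hook_url = argv[1], argv[2], argv[3]
    recipients = parse_recipients(hook_url)
    if not recipients:
        logging.error("hook_url %r holds no recipient address", hook_url)
        return 2
    try:
        with open(alert_file, encoding="utf-8") as fh:
            alert = json.load(fh)
        msg = build_email(alert, recipients)
        with smtplib.SMTP(EMAIL_SERVER) as smtp:
            smtp.send_message(msg, to_addrs=recipients)
    except Exception:
        logging.exception("could not mail alert from %s", alert_file)  # traceback goes to LOG_FILE
        return 1
    logging.info("sent rule %s to %s", alert["rule"].get("id"), recipients)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To test it by hand, call it with the same three arguments integratord would pass, for example `python3 custom-email-alerts.py /tmp/alert.json "" soc@example.com,oncall@example.com`; anything that goes wrong is written with its traceback to LOG_FILE instead of being lost.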

francisco bustillo

Mar 12, 2024, 8:21:14 AM
to Wazuh | Mailing List
Good morning Gabriel, how are you?
The reason for my message is that I followed the steps to create the script (which I include below) to modify the body and subject of the message Wazuh sends by email, but the change was not applied. I want to change the subject so that it includes the agent ID and the type of alert.
I attach the part of the script that I have modified so that you can check the change I made:

def generate_msg(alert):
    """
    Function that will provide the custom subject and body for the email.
    It takes as input a dictionary object generated from the json alert.
    """
    description = alert['rule']['description']]
    level = alert['rule']['level']]
    alert_type = alert['rule']['group']
    agentname = alert['agent']['name']] agent_id = alert['agent']['agent_id']['agent_name']]
    agent_id = alert['agent']['id']
    t = time.strptime(alert['timestamp'].split('.')[0],'%Y-%m-%dT%H:%M:%S')
    timestamp = time.strftime('%c',t)

    subject = 'Wazuh Notification - {0} - {1} - {2} - Alert level {3}'.format(agentname, agent_id, description, level)

    message = """
    This is an automatic message from your Wazuh Instance.

    In {a} an agent event "{b}" triggered rule "{c}" of level {d}.
    The full content of the alert is:
    {e}
    """.format(a=alert_type, b=agentname, c=agent_id, d=timestamp, e=description, f=level, g=json.dumps(alert,indent=4))

    return subject, message


and integrate it in the ossec as follows:

  <integration>
    <name>custom-email-alerts.py</name>
    <hook_url>/var/ossec/integrations/custom-email-alerts.py</hook_url>
    <alert_format>json</alert_format>
    <level>3</level>
    <group>default</group>
  </integration>

I attach an image only so you can see that it does enable the script input but does not make the change.

greetings and have a nice day!

foro.png

Gabriel Emanuel Valenzuela

Mar 15, 2024, 10:50:12 AM
to Wazuh | Mailing List
Hi Francisco! How are you?

Sorry for the delay; I think the error is here:

```
    description = alert['rule']['description']]
    level = alert['rule']['level']]
    alert_type = alert['rule']['group']
    agentname = alert['agent']['name']] agent_id = alert['agent']['agent_id']['agent_name']]
    agent_id = alert['agent']['id']

```

You should have only one assignment per variable; because Python is flexible with data types, this may be overwriting your variable agent_id.

Also here

```
  message = """
    This is an automatic message from your Wazuh Instance.

    In {a} an agent event "{b}" triggered rule "{c}" of level {d}.
    The full content of the alert is:
    {e}
    """.format(a=alert_type, b=agentname, c=agent_id, d=timestamp, e=description, f=level, g=json.dumps(alert,indent=4))

```

f and g don't exist, so this may generate an error and the script fails during execution.

Let me know if you need anything more, nice day =D

francisco bustillo

Mar 20, 2024, 11:39:33 AM
to Wazuh | Mailing List
I'm well, I hope you are having a good day. I apologize for the late reply.
According to your advice the code would be something like this. By the way, where do you look if the script is throwing an error? Thank you for answering before.


def generate_msg(alert):
    """
    Function that will provide the custom subject and body for the email.
    It takes as input a dictionary object generated from the json alert
    """
    description = alert['rule']['description']
    level = alert['rule']['level']
    alert_type = alert['rule']['group']
    agentname = alert['agent']['name']
    agent_id = alert['agent']['id']
    t = time.strptime(alert['timestamp'].split('.')[0],'%Y-%m-%dT%H:%M:%S')
    timestamp = time.strftime('%c',t)

    subject = 'Wazuh notification - {0} - {1} - {2} - Alert level {3}'.format(alert_type, description, agentname, level)


    message = """
    This is an automatic message from your Wazuh Instance.

    On {a} an event from agent "{b}" triggered the rule "{c}" of level {f} the alert time is {d}
    The full contents of the alert are:
    {e}
    Alerts of details(JSON):
    {g}

    """.format(a=alert_type, b=agentname, c=agent_id, d=timestamp, e=description, f=level, g=json.dumps(alert,indent=4))

    return subject, message

francisco bustillo

Mar 20, 2024, 3:34:54 PM
to Wazuh | Mailing List
Sorry, I saw that I had repeated content in the body of the message, here it is without that extra data.

import json
import time


def generate_msg(alert):
    """
    Function that will provide the custom subject and body for the email.
    It takes as input a dictionary object generated from the json alert
    """
    description = alert['rule']['description']
    level = alert['rule']['level']
    # alerts.json stores the rule groups as a list under 'groups' (there is no 'group' key)
    alert_type = ', '.join(alert['rule']['groups'])
    agentname = alert['agent']['name']
    agent_id = alert['agent']['id']
    t = time.strptime(alert['timestamp'].split('.')[0], '%Y-%m-%dT%H:%M:%S')
    timestamp = time.strftime('%c', t)

    subject = 'Wazuh notification - {0} - {1} - {2} - Alert level {3}'.format(alert_type, description, agentname, level)

    message = """
    This is an automatic message from your Wazuh Instance.

    On {a} an event from agent "{b}" with id {e} triggered the rule "{c}" of level {f}; the alert type is {d}.

    The full contents of the alert are:
    {g}
    """.format(a=timestamp, b=agentname, c=description, d=alert_type, e=agent_id, f=level, g=json.dumps(alert, indent=4))

    return subject, message
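An added example, not Francisco's script or the linked one, for the question of where to look when the script throws an error. wazuh-integratord's own messages go to /var/ossec/logs/ossec.log, but a Python exception inside generate_msg is only visible if the script logs it itself, so it pays to exercise the function on a constructed alert before restarting the manager. The harness below wraps any generate_msg and returns the traceback instead of swallowing it, and reports which dotted field paths are absent from the alert. It assumes the alerts.json shape, where the rule groups are a list under rule.groups and there is no rule.group key; the sample alert is constructed for the example.

```python
import traceback

# Constructed sample alert in the shape of /var/ossec/logs/alerts/alerts.json,
# limited to the fields the generate_msg functions in this thread read.
# The rule groups are a list under "groups"; there is no "group" key.
SAMPLE_ALERT = {
    "timestamp": "2024-03-20T11:39:33.000+0000",
    "rule": {"level": 12, "id": "5720", "description": "Multiple authentication failures",
             "groups": ["syslog", "sshd", "authentication_failures"]},
    "agent": {"id": "001", "name": "web-01"},
}


def lookup(alert, dotted):
    """Follow a dotted path such as 'rule.groups' into the alert; KeyError if absent."""
    node = alert
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(dotted)
        node = node[part]
    return node


def find_missing_fields(alert, paths):
    """Return the dotted paths that do not resolve in the alert, in the order given."""
    missing = []
    for path in paths:
        try:
            lookup(alert, path)
        except KeyError:
            missing.append(path)
    return missing


def dry_run(generate_msg, alert):
    """Call generate_msg(alert) as the integration script would, but return the
    traceback instead of letting the process die where nobody sees it, and flag
    subjects that cannot be used as a mail header."""
    try:
        subject, body = generate_msg(alert)
    except Exception:
        return {"ok": False, "error": traceback.format_exc()}
    problems = []
    if not str(subject).strip():
        problems.append("empty subject")
    if "\n" in str(subject) or "\r" in str(subject):
        problems.append("subject contains a line break and will not survive as a mail header")
    return {"ok": not problems, "subject": subject, "body": body, "problems": problems}


if __name__ == "__main__":
    # A draft in the style of the first version posted above reads alert['rule']['group'].
    def draft(alert):
        return "Wazuh notification - {}".format(alert["rule"]["group"]), "body"

    print(find_missing_fields(SAMPLE_ALERT, ["rule.group", "rule.groups", "agent.id"]))
    print(dry_run(draft, SAMPLE_ALERT)["error"])
```

Run it against the real generate_msg by importing the function from your script; a draft that reads alert['rule']['group'] comes back with KeyError: 'group', which is exactly the kind of failure that produces no e-mail and no obvious log line.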

Gabriel Emanuel Valenzuela

Mar 25, 2024, 9:58:00 PM
to Wazuh | Mailing List
Hi Francisco! How are you?

I was out of the office these days. Tell me, does the last code work?

Nice day!