Email notifications
Nick
Franco Giovanolli
Glad to hear you already have your notification channel working. I can tell you two ways to do what you are asking.
Option 1 – Dashboard Monitor (OpenSearch Alerting)
You can create a Monitor in the Wazuh Dashboard that queries the alerts index by rule.level:
- Go to OpenSearch Plugins → Alerting → Monitors and create a new monitor.
- Set the monitor type to Per query monitor.
- Choose Extraction query editor and set the index to wazuh-alerts-*.
- Use a query like this to match alerts with level 12 or above:
- Set the schedule/frequency according to your needs (e.g., every 1–5 minutes).
- Under Triggers, create a trigger with a condition like ctx.results[0].hits.total.value > 0.
- In the trigger's Actions, select the notification channel you already configured.
Option 2 – Native Wazuh email alerts (recommended)
Wazuh also has a built-in email alerting mechanism configured directly in the manager's ossec.conf. This is generally more reliable and straightforward for level-based alerting since it doesn't depend on the indexer pipeline. You can set it up by adding/editing the following in your /var/ossec/etc/ossec.conf:
After saving, restart the manager with systemctl restart wazuh-manager. From that point on, any alert at level 12 or above will automatically trigger an email — no monitors or additional configuration needed.
You can also use <email_maxperhour> to control the volume of emails and <granular_email_options> if you want to fine-tune which alerts go to which recipients.
More details in the documentation: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html
Hope that helps!
Regards,Franco.