Email notifications


Nick

Mar 16, 2026, 1:56:03 PM
to Wazuh | Mailing List
Hi Team

I have set up a channel in notifications and received the test email. I have also set up a test alert and pointed it to this channel. When the alert is triggered I receive the email.
How do I set up alerts in general above a certain level, the default being 12, to send notifications via this channel?

regards

Nick

Franco Giovanolli

Mar 16, 2026, 2:27:17 PM
to Wazuh | Mailing List
Hi Nick;

Glad to hear you already have your notification channel working. I can tell you two ways to do what you are asking.

Option 1 – Dashboard Monitor (OpenSearch Alerting)

You can create a Monitor in the Wazuh Dashboard that queries the alerts index by rule.level:

  1. Go to OpenSearch Plugins → Alerting → Monitors and create a new monitor.
  2. Set the monitor type to Per query monitor.
  3. Choose Extraction query editor and set the index to wazuh-alerts-*.
  4. Use a query like this to match alerts with level 12 or above:

     { "query": { "range": { "rule.level": { "gte": 12 } } } }

  5. Set the schedule/frequency according to your needs (e.g., every 1–5 minutes).
  6. Under Triggers, create a trigger with a condition like ctx.results[0].hits.total.value > 0.
  7. In the trigger's Actions, select the notification channel you already configured.

Option 2 – Native Wazuh email alerts (recommended)

Wazuh also has a built-in email alerting mechanism configured directly in the manager's ossec.conf. This is generally more reliable and straightforward for level-based alerting since it doesn't depend on the indexer pipeline. You can set it up by adding/editing the following in your /var/ossec/etc/ossec.conf:


<global>
  <email_notification>yes</email_notification>
  <smtp_server>your_smtp_server</smtp_server>
  <email_from>wa...@yourdomain.com</email_from>
  <email_to>ni...@yourdomain.com</email_to>
  <email_alert_level>12</email_alert_level>
</global>

After saving, restart the manager with systemctl restart wazuh-manager. From that point on, any alert at level 12 or above will automatically trigger an email — no monitors or additional configuration needed.

You can also use <email_maxperhour> to control the volume of emails and <granular_email_options> if you want to fine-tune which alerts go to which recipients.

More details in the documentation: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html

Hope that helps!

Regards,
Franco.
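The Option 1 monitor above, written out as the request body the OpenSearch Alerting API expects (POST _plugins/_alerting/monitors) so it can be created from a script instead of the dashboard, plus an offline dry run of the same range query and trigger condition against a few constructed sample alerts. This is an added example, not code from the thread or from Wazuh/OpenSearch. The size and sort clauses (so that hits.hits.0 is the highest-level alert, not an arbitrary one), the "Matching alerts in period" line, the channel ID, the monitor name and the sample documents are all assumptions for illustration; the Mustache renderer only handles dotted {{a.b.0.c}} lookups.

```python
"""Build an OpenSearch Alerting monitor for Wazuh alerts with rule.level >= N
and dry-run its query, trigger condition and message template offline."""
import re

INDEX_PATTERN = "wazuh-alerts-*"
TRIGGER_CONDITION = "ctx.results[0].hits.total.value > 0"  # Painless, as in the thread

# Template in the style of the thread; it reports only the first hit (hits.hits.0),
# so the total line (an addition) tells the reader how many alerts were actually matched.
MESSAGE_TEMPLATE = (
    "Monitor {{ctx.monitor.name}} just entered alert status.\n"
    "- Rule: {{ctx.results.0.hits.hits.0._source.rule.description}}\n"
    "- Rule ID: {{ctx.results.0.hits.hits.0._source.rule.id}}\n"
    "- Agent: {{ctx.results.0.hits.hits.0._source.agent.name}}\n"
    "- Rule Level: {{ctx.results.0.hits.hits.0._source.rule.level}}\n"
    "- Log: {{ctx.results.0.hits.hits.0._source.full_log}}\n"
    "- Matching alerts in period: {{ctx.results.0.hits.total.value}}\n"
)


def build_query(min_level: int) -> dict:
    """Extraction query: alerts at or above min_level. The sort clause is an
    assumption added so that hits.hits.0 is the worst alert of the period."""
    return {
        "size": 10,
        "sort": [{"rule.level": {"order": "desc"}}],
        "query": {"range": {"rule.level": {"gte": min_level}}},
    }


def build_monitor(name: str, min_level: int, channel_id: str, every_minutes: int = 1) -> dict:
    """Per query monitor body. channel_id is the notification channel ID; the
    Alerting API still carries it in the destination_id field."""
    return {
        "type": "monitor",
        "name": name,
        "monitor_type": "query_level_monitor",
        "enabled": True,
        "schedule": {"period": {"interval": every_minutes, "unit": "MINUTES"}},
        "inputs": [{"search": {"indices": [INDEX_PATTERN], "query": build_query(min_level)}}],
        "triggers": [{"query_level_trigger": {
            "name": f"rule.level >= {min_level}",
            "severity": "1",
            "condition": {"script": {"source": TRIGGER_CONDITION, "lang": "painless"}},
            "actions": [{
                "name": "notify",
                "destination_id": channel_id,
                "subject_template": {"source": f"Wazuh: level >= {min_level} alert(s)", "lang": "mustache"},
                "message_template": {"source": MESSAGE_TEMPLATE, "lang": "mustache"},
                "throttle_enabled": False,
            }],
        }}],
    }


# Constructed sample alerts (not real Wazuh data) standing in for one period's index contents.
SAMPLE_ALERTS = [
    {"rule": {"level": 3, "id": "91537", "description": "Office 365: SharePoint file operation events."},
     "agent": {"name": "wazuh-server"}},
    {"rule": {"level": 12, "id": "5712", "description": "sshd: brute force trying to get access to the system."},
     "agent": {"name": "web-01"}, "full_log": "Mar 17 17:03:01 web-01 sshd[812]: Failed password for root"},
    {"rule": {"level": 14, "id": "5720", "description": "sshd: Multiple authentication failures."},
     "agent": {"name": "web-01"}},
]


def run_query(docs: list, query: dict) -> dict:
    """Offline stand-in for the search: apply the range filter, sort and size."""
    gte = query["query"]["range"]["rule.level"]["gte"]
    hits = sorted((d for d in docs if d["rule"]["level"] >= gte),
                  key=lambda d: d["rule"]["level"], reverse=True)
    return {"hits": {"total": {"value": len(hits)}, "hits": [{"_source": d} for d in hits[:query["size"]]]}}


def trigger_fires(results: dict) -> bool:
    """Same check as the Painless condition ctx.results[0].hits.total.value > 0."""
    return results["hits"]["total"]["value"] > 0


def render(template: str, ctx: dict) -> str:
    """Minimal Mustache: dotted lookups with numeric list indexes; missing paths render blank."""
    def lookup(path: str) -> str:
        cur = {"ctx": ctx}
        for part in path.split("."):
            if isinstance(cur, list) and part.isdigit():
                cur = cur[int(part)] if int(part) < len(cur) else None
            elif isinstance(cur, dict):
                cur = cur.get(part)
            else:
                cur = None
            if cur is None:
                return ""
        return str(cur)
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}", lambda m: lookup(m.group(1)), template)


def dry_run(docs: list, min_level: int, monitor_name: str = "Email Alerts") -> tuple:
    """Return (would the trigger fire, rendered message) for one monitor execution."""
    results = run_query(docs, build_query(min_level))
    ctx = {"monitor": {"name": monitor_name}, "results": [results]}
    return trigger_fires(results), render(MESSAGE_TEMPLATE, ctx)


if __name__ == "__main__":
    fired, message = dry_run(SAMPLE_ALERTS, 12)
    print("fires:", fired)
    print(message)
```

With the sample data the level-3 Office 365 event is filtered out, the trigger fires on the two remaining alerts, and the message reports the level-14 one first; raising the threshold to 15 yields no hits, the trigger stays quiet, and every hits.hits.0 placeholder renders blank, which is the same blank you get for a field such as full_log when the matched alert simply has no such field.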

Nick

Mar 17, 2026, 2:17:02 PM
to Wazuh | Mailing List
Hi Franco

Thanks for your prompt reply and help.

I have got option 1 working and edited the default Mustache template to give me more data in the email.

something like this:

Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.

- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Rule: {{ctx.results.0.hits.hits.0._source.rule.description}}
- Rule ID: {{ctx.results.0.hits.hits.0._source.rule.id}}
- Agent: {{ctx.results.0.hits.hits.0._source.agent.name}}
- Rule Level: {{ctx.results.0.hits.hits.0._source.rule.level}}
- Log: {{ctx.results.0.hits.hits.0._source.full_log}}

- Period start: {{ctx.periodStart}} UTC
- Period end: {{ctx.periodEnd}} UTC


Which gives me this:

Monitor Email Alerts just entered alert status. Please investigate the issue.

- Trigger: Alert Tigger
- Severity: 1
- Rule: Office 365: SharePoint file operation events.
- Rule ID: 91537
- Agent: wazuh-server
- Rule Level: 3
- Log:

- Period start: 2026-03-17T17:02:46Z UTC
- Period end: 2026-03-17T17:03:46Z UTC

But will need some more tweaking.
 
For the SMTP server in option 2, can it be an IP address or must it be a FQDN?

Regards
Nick

hasitha.u...@wazuh.com

Apr 11, 2026, 1:41:45 AM
to Wazuh | Mailing List
Hi Nick

We are glad that your option 1 is working. In option 2, yes, you can use both. Wazuh supports either an IP address or a hostname in <smtp_server>. The current documentation lists the allowed values as a valid hostname or IP address, and it also allows a full path to a sendmail-like executable.
Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#smtp-server 

Let us know if you need further assistance on this, so we can assist you further.