Hi Team,
We would like to configure email notifications to receive only critical alerts. Could you please assist us in setting this up correctly?
Additionally, we need a daily report of all critical alerts generated, to be sent via email at the end of each day.
LEGAL DISCLAIMER: By including any personal data in your response to this email, you are freely consenting to this being used and stored by us for the purpose of service delivery. Any email and files/attachments transmitted with it may be confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose the information it contains. Please notify us immediately and delete the message from your system. 42Gears is committed to your privacy. To understand more about how we collect, store, and process your personal information, please take a look at our Privacy Notice.
Hi,
You can refer to the Wazuh email alert configuration documentation for configuring email alerts for critical alerts. In this documentation, Postfix is used to act as a server relay. You need to install Postfix on the Wazuh manager and set up the SMTP server on the Wazuh manager server.
Follow the steps until step 8, and then modify the <email_alert_level> tag value based on the alert rule level for which you want to receive email alerts. For example, if you need to receive email alerts for rule level 12 and above, set the <email_alert_level> value to 12.
You can also use other filters, such as the <group> tag or <rule_id> tag, to set conditions for sending email alerts.
For the daily email report for critical alerts, you can refer to the Wazuh report configuration documentation. You can follow the guidance to configure the Wazuh manager to send a daily report by email in text format.
For example, if you need to send a daily report of critical alerts with rule level 12 and above, add the configuration below to the Wazuh manager ossec.conf file:
Then restart the Wazuh manager to apply the configuration. Every night, it will send a daily critical alerts report by email in text format.
If you want to send the daily critical alerts email report in PDF format, then you can refer to the Wazuh integration repository configuration guidance. There, a custom dashboard is used to generate a PDF report. So, you need to create a custom dashboard for critical alerts and add the dashboard permalink in the custom script to automatically send the daily critical alerts PDF report.
Please let me know if you have any further questions or face any issues.
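As an added illustration (editor's example, not configuration taken from this thread or from Wazuh's own documentation), here is an ossec.conf fragment that combines the pieces referred to above: the global e-mail settings for a local Postfix relay, the <email_alert_level> threshold of 12, a granular <email_alerts> section using the <group> and <level> filters, and a <reports> section for the nightly text report of level 12 and above. The e-mail addresses and the group name are placeholders and must be replaced with your own values.

```xml
<ossec_config>
  <global>
    <!-- E-mail delivery goes through the Postfix relay installed on the manager -->
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <!-- placeholder addresses: replace with your sender and recipient -->
    <email_from>wazuh@example.com</email_from>
    <email_to>soc@example.com</email_to>
    <!-- maximum number of e-mails per hour (default is 12) -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <!-- alerts of level 3 and above are written to alerts.log -->
    <log_alert_level>3</log_alert_level>
    <!-- only alerts of level 12 and above are sent by e-mail -->
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Granular rule: send matching alerts to a second recipient without batching.
       EXAMPLE_GROUP is a placeholder for a rule group name from your rule set. -->
  <email_alerts>
    <email_to>oncall@example.com</email_to>
    <level>12</level>
    <group>EXAMPLE_GROUP</group>
    <format>full</format>
    <do_not_delay />
  </email_alerts>

  <!-- Nightly text report covering the same threshold: level 12 and above -->
  <reports>
    <level>12</level>
    <title>Daily report: critical alerts (level 12 and above)</title>
    <email_to>soc@example.com</email_to>
    <showlogs>yes</showlogs>
  </reports>
</ossec_config>
```

After saving the file, restart the Wazuh manager so both the e-mail settings and the report definition are loaded; the granular section only adds a recipient and filter on top of the global settings, so the global threshold should be set first and confirmed by a test alert before narrowing with <group> or <rule_id>.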
Currently, I have configured it as follows:
We are using Gmail for communication. I have installed Postfix and configured SMTP to use 127.0.0.1. I have also set the rule level to 12 and configured the decoders. After this setup, we started receiving email notifications.
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/190e3f36-6acc-45ec-8fda-a7076c383d0cn%40googlegroups.com.
Apologies for the late response. Have you set the <email_alert_level> tag value in the Wazuh manager /var/ossec/etc/ossec.conf file as 12 or lower to send email alerts for alerts with rule level 12 and above?
If not, please set the <email_alert_level> value to 12 or lower.
Then restart the Wazuh manager service to apply the changes:
Ensure that these rules are triggering correctly and showing on the dashboard.
For further analysis, could you please share the Wazuh manager ossec.conf file with us? This will help us verify your configuration.
Also, please share the mail log from the Wazuh manager server, located at: /var/log/maillog
Hi Bony,
Thanks for your support. I have made the changes in OSSEC as per the document, and I am now receiving email alerts.
However, I need some help here. The vulnerability detector alerts are triggering at rule level 3. If I set the level above 3, I start receiving all FIM-related alerts, which I do not require. I only want all the high and critical alerts to be sent via email.
Could you please help me configure this properly?