Wazuh email alert on audit fail


Yolanda Leroy

Dec 30, 2025, 10:54:22 AM
to Wazuh | Mailing List
When Wazuh fails, like it stops collecting logs in general or on a specific device, I would like for it to send me an email alert. I've had it fail (stopped logging collection for a week) in the past and got no notification, so I figured I need to configure it. I already have email alerting set up for certain events. Are there more events I should do? If there are no events to identify (log collection failure), what can I do to get notified?

juanjos...@wazuh.com

Dec 30, 2025, 11:51:33 AM
to Wazuh | Mailing List
Hi Yolanda,

Since you already have email alerting configured, you can add these specific rules to your ossec.conf on the manager:

<email_alerts>
  <email_to>your-email-here</email_to>
  <rule_id>5715</rule_id>
  <do_not_delay />
</email_alerts>

where:

Rule 5715 - Agent disconnected
Rule 5716 - Agent reconnected

You can find more rules here: https://github.com/wazuh/wazuh/blob/master/ruleset/rules/0016-wazuh_rules.xml