Email Format Change


Prajapati Hitesh

Jan 22, 2023, 12:24:13 AM
to Wazuh mailing list
Hi,

How do I change the mail format? Currently I have configured the .log format in the configuration, but I am getting messages in the format below. Can we change the format so it is easier to read?

Wazuh Notification.
2023 Jan 21 10:37:44

Received From: (DC01) any->EventChannel
Rule: 60121 fired (level 11) -> "Computer account added/changed/deleted"
Portion of the log(s):

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4742","version":"0","level":"0","task":"13825","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-01-21T10:37:50.951476800Z","eventRecordID":"707442106","processID":"576","threadID":"16728","channel":"Security","computer":"","severityValue":"AUDIT_SUCCESS","message":"\"A computer account was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E6\r\n\r\nComputer Account That Was Changed:\r\n\tSecurity ID:\t\t\r\n\tAccount Name:\t\ $\r\n\tAccount Domain:\t\t\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t1/21/2023 4:07:50 PM\r\n\tAccount Expires:\t\t-\r\n\tPrimary Group ID:\t-\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t-\r\n\tNew UAC Value:\t\t-\r\n\tUser Account Control:\t-\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t-\r\n\tDNS Host Name:\t\t-\r\n\tService Principal Names:\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-\""},"eventdata":{"targetUserName":" ","targetDomainName":"","targetSid":"S-1-5-21-2884028398-3460095122-3110222294-12963","subjectUserSid":"S-1-5-7","subjectUserName":"ANONYMOUS LOGON","subjectDomainName":"NT AUTHORITY","subjectLogonId":"0x3e6","passwordLastSet":"1/21/2023 4:07:50 PM"}}}

win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid:
win.system.eventID: 4742
win.system.version: 0
win.system.level: 0
win.system.task: 13825
win.system.opcode: 0
win.system.keywords: 0x8020000000000000
win.system.systemTime: 2023-01-21T10:37:50.951476800Z
win.system.eventRecordID:
win.system.processID: 576
win.system.threadID: 16728
win.system.channel: Security
win.system.computer:
win.system.severityValue: AUDIT_SUCCESS
win.system.message: "A computer account was changed.

Subject:
                Security ID:                         S-1-5-7

--END OF NOTIFICATION

 

Sandra Ocando

Jan 23, 2023, 3:38:33 AM
to Prajapati Hitesh, Wazuh mailing list

Hello,

To change the default email format you'd have to edit the Wazuh source code and recompile it. As an easy alternative, I suggest using the Wazuh integrator module and a script to send custom emails. In this message, I'll explain how to configure it and I'll include a link to a script you can use and customize according to your needs.

An integration can be triggered by a rule ID, rule level or rule groups. To learn more, see the integration section.

For example, to send custom emails for alerts level 10 or higher, add the following integration in /var/ossec/etc/ossec.conf on your Wazuh manager:
<integration>
  <name>custom-email-alerts</name> 
  <hook_url>reci...@example.com</hook_url>
  <level>10</level>
  <alert_format>json</alert_format>
</integration>
Add the custom script to send emails in /var/ossec/integrations/custom-email-alerts and give it the right ownership and permissions:
chown root:wazuh /var/ossec/integrations/custom-email-alerts
chmod 750 /var/ossec/integrations/custom-email-alerts
Modify the custom script (lines 32 and 33) to include your data. This script works with a local server, like Postfix.
email_server = "localhost"
email_from = "nor...@example.com"
Modify the subject and message in the generate_msg function as you wish.

Restart the Wazuh manager so changes can take effect:
systemctl restart wazuh-manager
Let us know if you have any questions.
Cheers,
Sandra.
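A custom integration script of the kind described in the reply above, written here as an added example (it is not Sandra's linked script and not part of Wazuh): it reads the alert JSON the integrator passes in the alert file, flattens the fields the thread's notification shows into a plain-text body, and hands the message to a local MTA through smtplib. The argument order (alert file, API key, hook URL) follows how Wazuh invokes custom integrations, with the hook URL carrying the recipient as in the configuration above; the sender address, the sample alert and the recipient are constructed placeholders.

```python
# Custom Wazuh integration script: emails a readable plain-text summary of one alert.
import json
import smtplib
import sys
from email.message import EmailMessage
EMAIL_SERVER = "localhost"            # local MTA such as Postfix (assumption)
EMAIL_FROM = "wazuh@example.invalid"  # placeholder sender address
# Constructed sample alert in the shape the integrator writes to the alert file;
# the fields mirror the Windows event quoted in the thread.
SAMPLE_ALERT = {
    "timestamp": "2023-01-21T10:37:44.000+0000",
    "rule": {"id": "60121", "level": 11,
             "description": "Computer account added/changed/deleted"},
    "agent": {"id": "005", "name": "DC01"},
    "data": {"win": {"system": {"eventID": "4742", "channel": "Security",
                                "severityValue": "AUDIT_SUCCESS",
                                "message": "A computer account was changed."},
                     "eventdata": {"subjectUserName": "ANONYMOUS LOGON",
                                   "targetSid": "S-1-5-21-0-0-0-1000"}}},
}
def generate_msg(alert):
    """Put the fields an analyst reads first at the top, then the raw event fields."""
    rule, agent = alert.get("rule", {}), alert.get("agent", {})
    win = alert.get("data", {}).get("win", {})
    lines = [f"Time:    {alert.get('timestamp', '')}",
             f"Agent:   {agent.get('name', '')} (id {agent.get('id', '')})",
             f"Rule:    {rule.get('id', '')} (level {rule.get('level', '')})",
             f"Summary: {rule.get('description', '')}", ""]
    # Event fields originate on the endpoint; they are emitted as plain text only,
    # so nothing inside them is rendered or interpreted by the mail client.
    for section in ("system", "eventdata"):
        for key, value in sorted(win.get(section, {}).items()):
            lines.append(f"win.{section}.{key}: {value}")
    return "\n".join(lines)
def build_email(alert, email_to, email_from=EMAIL_FROM):
    msg = EmailMessage()
    msg["Subject"] = f"Wazuh alert level {alert['rule']['level']}: {alert['rule']['description']}"
    msg["From"], msg["To"] = email_from, email_to
    msg.set_content(generate_msg(alert))  # text/plain body
    return msg
if __name__ == "__main__":
    # Wazuh invokes the script as: <script> <alert_file> <api_key> <hook_url>;
    # with the thread's configuration the hook_url is the recipient address.
    if len(sys.argv) >= 4:
        with open(sys.argv[1]) as fh:
            alert, recipient = json.load(fh), sys.argv[3]
    else:  # no arguments: run against the constructed sample
        alert, recipient = SAMPLE_ALERT, "soc@example.invalid"
    with smtplib.SMTP(EMAIL_SERVER) as smtp:
        smtp.send_message(build_email(alert, recipient))
```

Running it without arguments sends the sample alert to the local MTA, which is a quick way to check the layout before wiring it into ossec.conf.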
