Error creating rule to be triggered by Alert ID


Leonardo Dourado

Mar 27, 2026, 3:01:23 PM
to Wazuh | Mailing List
Hello there!

Can someone please advise why I am getting an error when applying the below configuration to OSSEC_CONFIG?

I am trying to get an email triggered by a specific rule ID.

<email_alerts>
   <email_to>mye...@myemail.com</email_to>
   <rule id="60122" level="5">
   <if_sid>60105</if_sid>
   <description>Email alert for Logon Failure - Unknown user or bad password</description>
</email_alerts>

I appreciate any help!

Thanks, 
Leonardo.

Olamilekan Abdullateef Ajani

Mar 27, 2026, 3:30:07 PM
to Wazuh | Mailing List
Hello Leo,

Your syntax is not accurate. Please refer to this documentation on configuring email alerts and available options. The email alerts option is an extension of global email options. And it is used to define specific rules with their level or group to fire an email. An example configuration can be seen below.

<email_alerts>
  <email_to>mye...@myemail.com</email_to>
  <level>12</level>
  <group>authentication-failure,</group>
</email_alerts>

It does not support the use of rule ID and if_sid. Another option you can use is:

<email_alerts>
  <email_to>mye...@myemail.com</email_to>
  <rule_id>60122</rule_id>
  <do_not_delay/>
</email_alerts>

But if your intention is to attach emailing to the rule itself, you can use the option below:

<rule id="60122" level="5">
  <if_sid>60105</if_sid>
  <options>alert_by_email</options>
  <description>Email alert for Logon Failure - Unknown user or bad password</description>
</rule>

This will ensure an email is sent to the default email defined in the global alerting option at the top of your ossec.conf file.

For more information on email definition, please go through the documentation below and apply it to your environment based on your requirement and use case. And please let me know if you require additional information or support on this.


Best regards,
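
A pre-deployment check for the mistake discussed in this thread, as an added example that is not part of the original posts or of Wazuh's own tooling: it flags rule-definition elements placed inside `<email_alerts>` and reports malformed XML such as the unclosed `<rule>` in the question. The function name, the sample address and the option list beyond what the reply shows are assumptions.

```python
import xml.etree.ElementTree as ET

# Options accepted inside <email_alerts>. The first five appear in the reply
# above; the rest are an assumption to verify against your Wazuh version.
ALLOWED = {"email_to", "level", "group", "rule_id", "do_not_delay",
           "do_not_group", "event_location", "format"}
# Elements that belong to a rule definition in a rules file instead.
RULE_ONLY = {"rule", "if_sid", "options", "description"}


def lint_email_alerts(fragment):
    """Return a list of problems in the <email_alerts> blocks of a fragment."""
    try:
        # Dummy root: a config fragment may hold several top-level blocks.
        root = ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []
    for block in root.iter("email_alerts"):
        if block.find("email_to") is None:
            problems.append("missing <email_to>")
        for el in block.iter():
            if el is block or el.tag in ALLOWED:
                continue
            if el.tag in RULE_ONLY:
                problems.append("<%s> belongs in a rule definition" % el.tag)
            else:
                problems.append("<%s> is not an email_alerts option" % el.tag)
    return problems


# Constructed samples; the address is a placeholder.
AS_POSTED = """<email_alerts>
  <email_to>soc@example.com</email_to>
  <rule id="60122" level="5">
  <if_sid>60105</if_sid>
  <description>Logon failure</description>
</email_alerts>"""
# Same block with <rule> closed, to exercise the semantic check.
RULE_CLOSED = AS_POSTED.replace("</description>", "</description></rule>")
BY_RULE_ID = """<email_alerts>
  <email_to>soc@example.com</email_to>
  <rule_id>60122</rule_id>
  <do_not_delay/>
</email_alerts>"""

if __name__ == "__main__":
    for name in ("AS_POSTED", "RULE_CLOSED", "BY_RULE_ID"):
        print(name, lint_email_alerts(globals()[name]))
```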