Mail config for specific rule_id not working
76 views
Skip to first unread message
Pablo Barboza
Sep 13, 2023, 9:56:55 AM9/13/23
to Wazuh | Mailing List
Hello,
I'm trying to set up email alerts, but I think I'm doing something wrong.
I need to receive emails for both alert levels above 13 and specific rule_id. I'm only receiving emails based on alert levels.
Wazuh 4.5.2
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>yes</email_notification>
<email_to>maila...@mailserver.com</email_to>
<smtp_server>smtp.mailserver.com</smtp_server>
<email_from>wa...@mailserver.com</email_from>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<email_alerts>
<email_to>maila...@mailserver.com</email_to>
<rule_id>60115, 60130, 60133, 60110, 60125, 60128</rule_id>
<do_not_delay />
</email_alerts>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>13</email_alert_level>
</alerts>
What should I do to receive both, alert level above 13 and rule_id 60110 (for example)?
I'm trying to set up email alerts, but I think I'm doing something wrong.
I need to receive emails for both alert levels above 13 and specific rule_id. I'm only receiving emails based on alert levels.
Wazuh 4.5.2
- rule.id 23506
- rule.level 13
- rule.mail true
Config:
<ossec_config><global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>yes</email_notification>
<email_to>maila...@mailserver.com</email_to>
<smtp_server>smtp.mailserver.com</smtp_server>
<email_from>wa...@mailserver.com</email_from>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<email_alerts>
<email_to>maila...@mailserver.com</email_to>
<rule_id>60115, 60130, 60133, 60110, 60125, 60128</rule_id>
<do_not_delay />
</email_alerts>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>13</email_alert_level>
</alerts>
What should I do to receive both, alert level above 13 and rule_id 60110 (for example)?
Julian Bustamante Narvaez
Sep 13, 2023, 11:20:01 AM9/13/23
to Wazuh | Mailing List
HI,
you can overwrite the level of rule, copy the rule 60110 from https://github.com/wazuh/wazuh/blob/17469f88206a90e54e0d5f6ee81a0a04996ada1f/ruleset/rules/0580-win-security_rules.xml#L117C1-L126C10 and paste in /var/ossec/etc/rules/local_rules.xml then add overwrite = "yes" tag with level 13.
overwrite="yes">
Pablo Barboza
Sep 13, 2023, 12:14:30 PM9/13/23
to Julian Bustamante Narvaez, Wazuh | Mailing List
Thank you, Julian!
I'll do this! But is it normal <email_alerts> <rule_id> does not work?
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/ZaFiQ-BKewo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c8966ddf-af64-4fba-9fba-e62f86003a2en%40googlegroups.com.
Julian Bustamante Narvaez
Sep 13, 2023, 12:16:54 PM9/13/23
to Wazuh | Mailing List
No, the rule 23506 should launch email alert (<email_alert_level>13</email_alert_level>)
Reply all
Reply to author
Forward
0 new messages