ossec.conf and email alerts


Louis Escobar

Nov 16, 2023, 6:15:43 PM11/16/23
to Wazuh | Mailing List
Hello,

I set up Wazuh, everything is working just fine, and I got email alerts to work just fine using the following settings in ossec.conf:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server><IP of external SMTP server, no authentication></smtp_server>
    <email_from>no-r...@wazuh.localdomain</email_from>
    <email_to><my email address></email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>3</email_alert_level>
  </alerts>

Now, if I want to add another alert with another email (set to level 5 alerts), I attempt to do that by adding the following:

  <email_alerts>
    <email_to><second email></email_to>
    <level>5</level>
  </email_alerts>

I still get email alerts on the primary email but never get any level 5 alerts. I looked it up in the Wazuh instructions but it seems vague to me; did I declare a second email correctly? If I bundle all the emails together in a single email_alerts section, do I still need to declare an email in the global section...?

Thanks in advance

Mauricio Ruben Santillan

Nov 16, 2023, 8:57:29 PM11/16/23
to Wazuh | Mailing List
Hi Louis,

As stated here, the email_alert_level also affects all email_alerts modules.
So in order to receive level 5 alerts into your <second email>, you would need to increase your email_alert_level to 5.

And in case you still wanted to receive level 3 alerts into <my email address>, while sending level 5 alerts to <second email>, you would need to:
  • Leave your email_alert_level as 3.
  • Remove the line <email_to><my email address></email_to> from the global module.
  • Add another email_alerts module for your mailbox <my email address>.
For example:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server><IP of external SMTP server, no authentication></smtp_server>
    <email_from>no-r...@wazuh.localdomain</email_from>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>3</email_alert_level>
  </alerts>

  <email_alerts>
    <email_to><my email address></email_to>
    <level>3</level>
  </email_alerts>

  <email_alerts>
    <email_to><second email></email_to>
    <level>5</level>
  </email_alerts>
</ossec_config>

I hope this helps. Let me know how it goes.

Mauricio Santillan
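A small check for the layout recommended above, as an added example that is not part of this thread or of Wazuh's own tooling: it parses an ossec.conf, lists each email_alerts recipient with its level, and warns about the two pitfalls discussed here, a global email_to left in place next to email_alerts modules and a module level below email_alert_level (which, per the reply, applies to every module). The addresses and SMTP host in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample following the layout recommended in the reply above;
# the addresses and SMTP host are placeholders, not real values.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.internal</smtp_server>
    <email_to>soc@example.internal</email_to>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>3</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>oncall@example.internal</email_to>
    <level>5</level>
  </email_alerts>
  <email_alerts>
    <email_to>auditor@example.internal</email_to>
    <level>1</level>
  </email_alerts>
</ossec_config>
"""


def lint_email_alerts(conf_text):
    """Return (recipients, warnings) for the email sections of an ossec.conf.
    Wazuh allows several top-level <ossec_config> blocks in one file, which is
    not one well-formed XML document, so the text is wrapped in a synthetic
    root before parsing (assumption about the file layout)."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    warnings = []
    if root.findtext("ossec_config/global/email_notification") != "yes":
        warnings.append("email_notification is not 'yes': no mail is sent at all")
    global_level = int(root.findtext("ossec_config/alerts/email_alert_level", "0"))
    modules = root.findall("ossec_config/email_alerts")
    if root.findtext("ossec_config/global/email_to") and modules:
        warnings.append("global <email_to> is set alongside <email_alerts>; "
                        "the reply above moves it into its own email_alerts module")
    recipients = {}
    for mod in modules:
        addr, level = mod.findtext("email_to"), int(mod.findtext("level", "0"))
        recipients[addr] = level
        if level < global_level:  # email_alert_level applies to every module
            warnings.append(f"{addr}: level {level} is below email_alert_level "
                            f"{global_level}; alerts below {global_level} never arrive")
    return recipients, warnings
```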