Email alerts (Fortigate Logs)


Syrine ZOUARI

Dec 13, 2024, 1:56:02 PM12/13/24
to wa...@googlegroups.com

Hi team,

I'm reaching out to confirm the correct configuration for Wazuh to notify me only when specific rule IDs are triggered: 81626, 81606, and 81607. These rule IDs correspond to FortiGate authentication events (both successful and failed): 
<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>no</alerts_log>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>yes</email_notification>
  <smtp_server>mail.smartskills.com.tn</smtp_server>
  <email_from>syrine...@smartskills.com.tn</email_from>
  <email_to>syrine...@smartskills.com.tn</email_to>
  <email_maxperhour>12</email_maxperhour>
  <update_check>yes</update_check>
  <custom_alert_output>$TIMESTAMP $HOSTNAME $LOCATION $RULEID $RULELEVEL $SRCIP $DSTUSER $FULLLOG $RULEGROUP</custom_alert_output>
  <email_idsname>Firewall AUTH</email_idsname>
</global>
<email_alerts>
  <email_to>syrine...@smartskills.com.tn</email_to>
  <email_to>Syrine...@esprit.tn</email_to>
  <rule_id>81626</rule_id>
  <rule_id>81606</rule_id>
  <rule_id>81607</rule_id>
  <group>fortigate</group>
  <do_not_delay/>
</email_alerts>

Despite my current configuration, Wazuh continues to send notifications for all events.
I would appreciate your help in identifying any missing or incorrect configurations that might be causing this issue.

Best regards,

Matías Mercado

Dec 13, 2024, 5:28:33 PM12/13/24
to Wazuh | Mailing List
Hi Syrine,

Hope you are fine. If you only want to receive email alerts for the following alert IDs: 81626, 81606, and 81607, your email configuration should be:

<email_alerts>
  <email_to>syrine...@smartskills.com.tn</email_to>
  <email_to>Syrine...@esprit.tn</email_to>
  <rule_id>81626, 81606, 81607</rule_id>
  <do_not_delay/>
</email_alerts>

Set all your rule IDs in one line and remove the group.

Please test with this configuration and let me know if it works.
Regards,
Matías.

Matías Mercado

Dec 23, 2024, 8:35:26 AM12/23/24
to Wazuh | Mailing List
Hi Syrine,

You may also need to check this configuration in your ossec.conf file (this is the default configuration):

<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>

The log_alert_level specifies the minimum alert level required to be displayed on your Wazuh dashboard. You can then modify the email_alert_level to receive only the alerts at or above that level via email.

I also noticed that the alerts you require have levels 3, 4, and 7. Keep in mind that email alerts can be defined by the level of the alert. In this case, the email_alert_level should be set to at least level 3, as that is your lowest alert level.

In the previous example, we defined the alerts by the rule ID, but you can also use the alert level, a group of alerts, or the location of the alert as a trigger.


Regards,
Matías.
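An added checker, not from the thread or from the Wazuh project, that reads an ossec.conf fragment and reports the three things the replies above point at: whether the three required rule IDs appear in an email_alerts block, whether that block carries extra match conditions such as the group, and whether email_alert_level admits the lowest required level (3). The two sample configurations are constructed from the thread's snippets; user@example.invalid is a placeholder address.

```python
import xml.etree.ElementTree as ET

# Rule IDs the poster wants emailed (FortiGate auth events) and, per the
# second reply, the lowest alert level among them.
REQUIRED_RULE_IDS = {81626, 81606, 81607}
LOWEST_REQUIRED_LEVEL = 3

# Constructed sample: the poster's block (group plus three rule_id elements),
# with no <alerts> section, so email_alert_level keeps its default of 12.
ORIGINAL_CONF = """<ossec_config><email_alerts><email_to>user@example.invalid</email_to>
  <rule_id>81626</rule_id><rule_id>81606</rule_id><rule_id>81607</rule_id>
  <group>fortigate</group><do_not_delay/></email_alerts></ossec_config>"""

# Constructed sample: the suggested block (one comma-separated rule_id line,
# group removed) plus an <alerts> section that admits level-3 alerts.
SUGGESTED_CONF = """<ossec_config><alerts><log_alert_level>3</log_alert_level>
  <email_alert_level>3</email_alert_level></alerts></ossec_config>
<ossec_config><email_alerts><email_to>user@example.invalid</email_to>
  <rule_id>81626, 81606, 81607</rule_id><do_not_delay/></email_alerts></ossec_config>"""

def rule_ids_in(block: ET.Element) -> set:
    """Rule IDs from every <rule_id> child; comma-separated lists are allowed."""
    ids = set()
    for el in block.findall("rule_id"):
        for tok in (el.text or "").split(","):
            if tok.strip().isdigit():
                ids.add(int(tok))
    return ids

def check_email_alerts(conf_text: str) -> dict:
    """Report rule-ID coverage, extra match conditions and email_alert_level."""
    # ossec.conf may hold several <ossec_config> roots, so wrap before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    blocks = root.findall(".//email_alerts")
    covered = set().union(*(rule_ids_in(b) for b in blocks))
    # group/level/location in the same block are further conditions the alert
    # must satisfy; the first reply suggests dropping the group.
    extra = [[c.tag for c in b if c.tag in ("group", "level", "location")] for b in blocks]
    lvl = root.find(".//alerts/email_alert_level")
    email_level = int(lvl.text) if lvl is not None and lvl.text else 12  # default
    return {
        "missing_rule_ids": sorted(REQUIRED_RULE_IDS - covered),
        "extra_conditions": extra,
        "email_alert_level": email_level,
        # Only alerts at or above email_alert_level are emailed, so it must
        # not exceed the lowest level among the required rules.
        "level_covers_required": email_level <= LOWEST_REQUIRED_LEVEL,
    }
```

Run it against the real file with `check_email_alerts(open("/var/ossec/etc/ossec.conf").read())` to see which of the three conditions still fails.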