If you want to e-mail xx@y.z for every event in the group syslog you can add the following to ossec
<email_alerts>
<email_to>xx@y.z</email_to>
<group>syslog</group>
</email_alerts>
To e-mail (in the SMS format) aa@y.z for every event with severity higher than 10
Note
Note that the SMS format is not grouped, so the e-mail is sent immediately).
<email_alerts>
<email_to>aa@y.z</email_to>
<level>10</level>
<format>sms</format>
</email_alerts>
To e-mail bb@y.z for every event from rule 123 or rule 124 (without grouping):
<email_alerts>
<email_to>bb@y.z</email_to>
<rule_id>123, 124</rule_id>
<do_not_delay />
<do_not_group />
</email_alerts>
To e-mail cc@y.z for every event with severity higher than 12, from agent qwert or agt1, without any delay (immediately):=====
<email_alerts>
<email_to>cc@y.z</email_to>
<level>12</level>
<event_location>qwerty|agt1</event_location>
<do_not_delay />
</email_alerts>
You can have as many granular options as you want. In this example, we want the following:
Email cc@y.z for every alert from agents qwerty and agt1
Email john@y.z for every alert from agent secsys, lowsys and aixsys
Email mike@y.z for every alert from /log/secure (from any agent)
Email l@y.z for every alert from 192.168.0.0/24 network
Email boss@y.z for every alert above level 10.
<ossec_config>
<email_alerts>
<email_to>cc@y.z</email_to>
<event_location>qwerty|agt1</event_location>
</email_alerts>
<email_alerts>
<email_to>john@y.z</email_to>
<event_location>secsys|lowsys|aixsys</event_location>
</email_alerts>
<email_alerts>
<email_to>mike@y.z</email_to>
<event_location>/log/secure$</event_location>
</email_alerts>
<email_alerts>
<email_to>l@y.z</email_to>
<event_location>192.168.</event_location>
</email_alerts>
<email_alerts>
<email_to>boss@y.z</email_to>
<level>12</level>
</email_alerts>
</ossec_config>
The following example will send a daily report of all authentication_success alerts, sorted by the related field srcip.
<ossec_config>
<reports>
<category>authentication_success</category>
<user type="relation">srcip</user>
<title>Daily report: Successful logins</title>
<email_to>me@example.com</email_to>
The following example will send a report of all events related to syscheck.
<ossec_config>
<reports>
<category>syscheck</category>
<title>Daily report: File changes</title>
<email_to>me@example.com</email_to>
<syslog_output>
<server>10.10.10.125</server>
</syslog_output>
<syslog_output>
<server>10.10.10.126</server>
<format>cef</format>
</syslog_output>
<syslog_output>
<server>10.10.10.127</server>
<port>515</port>
<level>6</level>
</syslog_output>