Output

Granular Email Examples

Example 1: Group alerts

If you want to e-mail xx@y.z for every event in the group syslog you can add the following to ossec

<email_alerts>
    <email_to>xx@y.z</email_to>
    <group>syslog</group>
</email_alerts>

Example 2: Message Format

To e-mail (in the SMS format) aa@y.z for every event with severity higher than 10

Note

Note that the SMS format is not grouped, so the e-mail is sent immediately).

<email_alerts>
    <email_to>aa@y.z</email_to>
    <level>10</level>
    <format>sms</format>
</email_alerts>

Example 3: Email based on Rule ID’s

To e-mail bb@y.z for every event from rule 123 or rule 124 (without grouping):

<email_alerts>
    <email_to>bb@y.z</email_to>
    <rule_id>123, 124</rule_id>
    <do_not_delay />
    <do_not_group />
</email_alerts>

Example 4: Email based on severity and agent

To e-mail cc@y.z for every event with severity higher than 12, from agent qwert or agt1, without any delay (immediately):=====

<email_alerts>
    <email_to>cc@y.z</email_to>
    <level>12</level>
    <event_location>qwerty|agt1</event_location>
    <do_not_delay />
</email_alerts>

Example 5: Multiple granular options together

You can have as many granular options as you want. In this example, we want the following:

  • Email cc@y.z for every alert from agents qwerty and agt1

  • Email john@y.z for every alert from agent secsys, lowsys and aixsys

  • Email mike@y.z for every alert from /log/secure (from any agent)

  • Email l@y.z for every alert from 192.168.0.0/24 network

  • Email boss@y.z for every alert above level 10.

<ossec_config>
    <email_alerts>
        <email_to>cc@y.z</email_to>
        <event_location>qwerty|agt1</event_location>
    </email_alerts>

    <email_alerts>
        <email_to>john@y.z</email_to>
        <event_location>secsys|lowsys|aixsys</event_location>
    </email_alerts>

    <email_alerts>
        <email_to>mike@y.z</email_to>
        <event_location>/log/secure$</event_location>
    </email_alerts>

    <email_alerts>
        <email_to>l@y.z</email_to>
        <event_location>192.168.</event_location>
    </email_alerts>

    <email_alerts>
        <email_to>boss@y.z</email_to>
        <level>12</level>
    </email_alerts>
</ossec_config>

Report Output Examples

Receive a summary of all authentication success alerts

The following example will send a daily report of all authentication_success alerts, sorted by the related field srcip.

<ossec_config>
    <reports>
        <category>authentication_success</category>
        <user type="relation">srcip</user>
        <title>Daily report: Successful logins</title>
        <email_to>me@example.com</email_to>

Receive summary of all File integrity monitoring alerts

The following example will send a report of all events related to syscheck.

<ossec_config>
    <reports>
        <category>syscheck</category>
        <title>Daily report: File changes</title>
        <email_to>me@example.com</email_to>

Syslog Output Examples

Send all alerts to 10.10.10.125:

<syslog_output>
  <server>10.10.10.125</server>
</syslog_output>

Send all alerts to 10.10.10.126 in CEF:

<syslog_output>
  <server>10.10.10.126</server>
  <format>cef</format>
</syslog_output>

Send all alerts level 6 and above to 10.10.10.127 on port 515:

<syslog_output>
  <server>10.10.10.127</server>
  <port>515</port>
  <level>6</level>
</syslog_output>