From OSSEC Wiki

Contents 1 How to specify granular options for the e-mail alerting? 1.1 Configuration examples 1.1.1 If you want to e-mail xx@y.z for every event in the group syslog you can add the following to ossec: 1.1.2 To e-mail (in the SMS format) aa@y.z for every event with severity higher than 10: 1.1.3 To e-mail bb@y.z for every event from rule 123 or rule 124 (without grouping): 1.1.4 To e-mail cc@y.z for every event with severity higher than 12, from agent qwert or agt1, without any delay (immediately): 1.1.5 Multiple granular options together:

How to specify granular options for the e-mail alerting?

• by Daniel B. Cid
• Taken from OSSEC blog

OSSEC allows very granular options for the e-mail alerting and its format (full or SMS).

Configuration examples

If you want to e-mail xx@y.z for every event in the group syslog you can add the following to ossec:

  <email_alerts>
   <email_to>xx@y.z</email_to>
   <group>syslog</group>
 </email_alerts>

To e-mail (in the SMS format) aa@y.z for every event with severity higher than 10:

• (Note that the SMS format is not grouped, so the e-mail is sent immediately).

  <email_alerts>
   <email_to>aa@y.z</email_to>
   <level>10</level>
   <format>sms</format>
 </email_alerts>

To e-mail bb@y.z for every event from rule 123 or rule 124 (without grouping):

 <email_alerts>
   <email_to>bb@y.z</email_to>
   <rule_id>123, 124</rule_id>
   <do_not_delay />
   <do_not_group />
 </email_alerts>

To e-mail cc@y.z for every event with severity higher than 12, from agent qwert or agt1, without any delay (immediately):

 <email_alerts>
   <email_to>cc@y.z</email_to>
   <level>12</level>
   <event_location>qwerty|agt1</event_location>
   <do_not_delay />
 </email_alerts>

Multiple granular options together:

You can have as many granular options as you want. In this example, we want the following:

• Email cc@y.z for every alert from agents qwerty and agt1
• Email john@y.z for every alert from agent secsys, lowsys and aixsys
• Email mike@y.z for every alert from /log/secure (from any agent)
• Email l@y.z for every alert from 192.168.0.0/24 network
• Email boss@y.z for every alert above level 10.

  <ossec_config>

    <email_alerts>
      <email_to>cc@y.z</email_to>
      <event_location>qwerty|agt1</event_location>
    </email_alerts>
  
    <email_alerts>
      <email_to>john@y.z</email_to>
      <event_location>secsys|lowsys|aixsys</event_location>
    </email_alerts>

    <email_alerts>
      <email_to>mike@y.z</email_to>
      <event_location>/log/secure$</event_location>
    </email_alerts>

    <email_alerts>
      <email_to>l@y.z</email_to>
      <event_location>192.168.</event_location>
    </email_alerts>

    <email_alerts>
      <email_to>boss@y.z</email_to>
      <level>12</level>
    </email_alerts>

  </ossec_config>

You just need to tweak it for you own needs. Send any questions to our mailing list.