ossec.conf: Granular Email options

Overview

Supported types

Global options are available in the the following installation types:

  • server

  • local

Notes

Global email configuration is necessary to use the granular email options.

Location

All global options must be configured in the /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.

XML excerpt to show location:

<ossec_config>
    <email_alerts>
        <!--
        Email_alerts options here
        -->
    </email_alerts>
</ossec_config>

Options

  • email_alerts

    • email_to

      E-Mail recipients of alerts

      Allowed: Any valid e-mail address

    • level

      Minimum alerting level to forward the e-mails.

      Allowed: Any alert level 0 to 16

      Note

      level should be set at or above the email_alert_level in the <alerts> section of the configuration.

    • group

      The alert that must match this group to be forwarded. Multiple groups can be separated with a pipe character (“|”).

      Allowed: One or more groups or categories.

    • event_location

      The alert must match this event location to be forwarded. If multiple <event_location> options are specified, the last will be used.

      Allowed: Any single agent name, hostname, ip address, or log file

    • format

      Specifies the format of the e-mail

      • full: for normal e-mails

      • sms: for reduced size suitable for SMS

      Default: full

      Allowed: full/sms

    • rule_id

      Option to send granular emails based on rule id.

      Allowed: One or more rule IDs can be used here, separated by a comma and space.

      Example:

      <rule_id>5701, 5702</rule_id>

    • do_not_delay

      Option to send the e-mail right away (no delay).

      Example:

      <do_not_delay />

    • do_not_group

      Option to do not group alerts for this e-mail.

      Example:

      <do_not_group />

Examples

Example email alerts configurations:

Global Configuration:

<global>
  <email_notification>yes</email_notification>
  <email_to>admin@example.com</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossecm@example.com</email_from>
</global>

Global Configuration with a larger maximum emails per hour:

<global>
  <email_notification>yes</email_notification>
  <email_to>admin@example.com</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossecm@example.com</email_from>
  <email_maxperhour>100</email_maxperhour>
</global>

Granular Email alert: Level 12 and above:

<email_alerts>
  <email_to>other_admin@example.com</email_to>
  <level>12</level>
</email_alerts>

Syscheck alerts to syscheck admin address:

<email_alerts>
  <email_to>syscheck-admin@example.com</email_to>
  <group>syscheck</group>
</email_alerts>

Level 15 alerts from agent007 without delay or grouping:

<email_alerts>
  <email_to>bond@example.com</email_to>
  <event_location>agent007</event_location>
  <level>15</level>
  <do_not_delay />
  <do_not_group />
</email_alerts>