Daily E-Mail reports are summaries of the OSSEC alerts for the day.
All of these configuration options should be specified in the /var/ossec/etc/ossec.conf.
reports
group
Filter by group/category.
Allowed: Any category used within OSSEC Rules.
categories
Filter by group/category.
Note
This is the same as the group option above.
Allowed: Any category used within OSSEC Rules.
rule
Rule ID to Filter for.
Allowed: Any Rule ID in OSSEC Rules.
level
Alert level to filter for. This is an inclusive option so all higher level alerts will also match.
Allowed: Any Alert level 1 to 16
location
Filter by the log location or agent name.
Allowed: Any file path or hostname or network.
srcip
Filter by the source ip of the event.
Allowed: Any hostname or network
user
Filter by the user name. This will match on either srcuser or dstuser
Allowed: Any username
title
The name of the report.
This is a required field for reports to function.
Allowed: Any Text
email_to
The email address to send the completed report.
This is a required field for a report to function.
Allowed: Any email address
showlogs
Include logs when creating the report
Allowed: yes/no
Default: no
The following example will send a daily report of all authentication_success alerts, sorted by the related field srcip.
OSSEC<ossec_config>
<reports>
<category>authentication_success</category>
<user type="relation">srcip</user>
<title>Daily report: Successful logins</title>
<email_to>me@example.com</email_to>
The following example will send a report of all events related to syscheck.
<ossec_config>
<reports>
<category>syscheck</category>
<title>Daily report: File changes</title>
<email_to>me@example.com</email_to>