Daily E-Mail Reports¶

Daily E-Mail reports are summaries of the OSSEC alerts for the day.

Configuration options¶

All of these configuration options should be specified in the /var/ossec/etc/ossec.conf.

reports¶

group¶

Filter by group/category.

Allowed: Any category used within OSSEC Rules.

categories¶

Filter by group/category.

Note

This is the same as the group option above.

Allowed: Any category used within OSSEC Rules.

rule¶

Rule ID to Filter for.

Allowed: Any Rule ID in OSSEC Rules.

level¶

Alert level to filter for. This is an inclusive option so all higher level alerts will also match.

Allowed: Any Alert level 1 to 16

location¶

Filter by the log location or agent name.

Allowed: Any file path or hostname or network.

srcip¶

Filter by the source ip of the event.

Allowed: Any hostname or network

user¶

Filter by the user name. This will match on either srcuser or dstuser

Allowed: Any username

title¶

The name of the report.

This is a required field for reports to function.

Allowed: Any Text

email_to¶

The email address to send the completed report.

This is a required field for a report to function.

Allowed: Any email address

showlogs¶

Include logs when creating the report

Allowed: yes/no

Default: no

Receive a summary of all authentication success alerts¶

The following example will send a daily report of all authentication_success alerts, sorted by the related field srcip.

<ossec_config>
    <reports>
        <category>authentication_success</category>
        <user type="relation">srcip</user>
        <title>Daily report: Successful logins</title>
        <email_to>me@example.com</email_to>

Receive summary of all File integrity monitoring alerts¶

The following example will send a report of all events related to syscheck.

<ossec_config>
    <reports>
        <category>syscheck</category>
        <title>Daily report: File changes</title>
        <email_to>me@example.com</email_to>