ossec.conf: Granular Email options

Overview

Supported types

Global options are available in the following installation types:

  • server
  • local

Notes

Global email configuration is necessary to use the granular email options.

Location

All global options must be configured in /var/ossec/etc/ossec.conf, inside the <ossec_config> tag.

XML excerpt to show location:

<ossec_config>
    <email_alerts>
        <!--
        Email_alerts options here
        -->
    </email_alerts>
</ossec_config>

Options

email_alerts
email_to

E-Mail recipients of alerts

Allowed: Any valid e-mail address

level

Minimum alerting level to forward the e-mails.

Allowed: Any alert level 0 to 16

Note

level should be set at or above the email_alert_level in the <alerts> section of the configuration.

group

The alert must match this group to be forwarded. Multiple groups can be separated with a pipe character ("|").

Allowed: One or more groups or categories.

event_location

The alert must match this event location to be forwarded. If multiple <event_location> options are specified, the last will be used.

Allowed: Any single agent name, hostname, IP address, or log file

format

Specifies the format of the e-mail

  • full: for normal e-mails
  • sms: for reduced size suitable for SMS

Default: full

Allowed: full/sms

rule_id

Option to send granular emails based on rule id.

Allowed: One or more rule IDs, separated by a comma and a space (", ").

Example:

<rule_id>5701, 5702</rule_id>

do_not_delay

Option to send the e-mail right away (no delay).

Example:

<do_not_delay />

do_not_group

Option to not group alerts for this e-mail.

Example:

<do_not_group />

Examples

Example email alerts configurations:

Global Configuration:

<global>
  <email_notification>yes</email_notification>
  <email_to>admin@example.com</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossecm@example.com</email_from>
</global>

Global Configuration with a larger maximum emails per hour:

<global>
  <email_notification>yes</email_notification>
  <email_to>admin@example.com</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossecm@example.com</email_from>
  <email_maxperhour>100</email_maxperhour>
</global>

Granular Email alert: Level 12 and above:

<email_alerts>
  <email_to>other_admin@example.com</email_to>
  <level>12</level>
</email_alerts>

Syscheck alerts to syscheck admin address:

<email_alerts>
  <email_to>syscheck-admin@example.com</email_to>
  <group>syscheck</group>
</email_alerts>

Level 15 alerts from agent007 without delay or grouping:

<email_alerts>
  <email_to>bond@example.com</email_to>
  <event_location>agent007</event_location>
  <level>15</level>
  <do_not_delay />
  <do_not_group />
</email_alerts>
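To check how the option semantics described above combine, here is an added example (not OSSEC's own code or parser) that reads several <email_alerts> blocks and reports which recipients a given alert would reach. The configuration and alerts are constructed; the rule that every criterion set in a block must hold, with level as a minimum, "|" in group as "any of", and the last <event_location> winning, is an assumption drawn from the option descriptions on this page.

```python
import xml.etree.ElementTree as ET

# Constructed configuration reusing the granular blocks shown on this page
# (added example, not OSSEC's own code or parser).
SAMPLE_CONF = """<ossec_config>
  <email_alerts>
    <email_to>other_admin@example.com</email_to>
    <level>12</level>
  </email_alerts>
  <email_alerts>
    <email_to>ssh-admin@example.com</email_to>
    <group>sshd|syscheck</group>
    <rule_id>5701, 5702</rule_id>
  </email_alerts>
  <email_alerts>
    <email_to>bond@example.com</email_to>
    <event_location>agent007</event_location>
    <level>15</level>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>"""

def parse_email_alerts(conf_xml):
    """One dict per <email_alerts> block; criteria that are not set are None."""
    blocks = []
    for ea in ET.fromstring(conf_xml).findall("email_alerts"):
        lvl, grp, rid = (ea.findtext(t) for t in ("level", "group", "rule_id"))
        locs = ea.findall("event_location")
        blocks.append({
            "email_to": ea.findtext("email_to"),
            "level": int(lvl) if lvl else None,              # minimum level, 0-16
            "groups": set(grp.split("|")) if grp else None,  # "|" = any of these
            "rule_ids": {r.strip() for r in rid.split(",")} if rid else None,
            "event_location": locs[-1].text if locs else None,  # last one wins
            "do_not_delay": ea.find("do_not_delay") is not None,
            "do_not_group": ea.find("do_not_group") is not None,
        })
    return blocks

def matches(block, alert):
    """Assumption from the option text: every criterion the block sets must hold."""
    return bool((block["level"] is None or alert["level"] >= block["level"])
                and (block["groups"] is None or block["groups"] & set(alert["groups"]))
                and (block["rule_ids"] is None or alert["rule_id"] in block["rule_ids"])
                and block["event_location"] in (None, alert["location"]))

def recipients(blocks, alert):
    # Addresses that would receive this alert, in configuration order.
    return [b["email_to"] for b in blocks if matches(b, alert)]
```

For a constructed sshd alert (rule 5701, level 8, raised on agent007) only ssh-admin@example.com is selected, while a level 15 syscheck alert from agent007 reaches both other_admin@example.com and bond@example.com.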