This is the documentation for Wazuh 3.10. Check out the docs for the latest version of Wazuh!

reports

XML section name

<reports>
</reports>

In this section are listed the different options for the configuration of daily reports based on alerts.

Note

Any number of <reports> blocks can be declared in the same ossec.conf file.

Options

group

Filter by group/category. It only accepts one group/category.

Default value n/a
Allowed values Any group used is allowed. Any sregex expression

category

Filter by group/category.

Default value n/a
Allowed values Any category used is allowed.

rule

Rule ID to filter for.

Default value n/a
Allowed values Any Rule ID in Wazuh Rules is allowed. Any sregex expression

level

Alert level to filter for. The report will include all levels above and including level specified.

Default value n/a
Allowed values Any Alert level from 1 to 16 can be used. Any sregex expression

location

Filter by the log location or agent name.

Default value n/a
Allowed values Any file path, hostname or network is allowed. Any sregex expression

srcip

Filter by the source ip of the event.

Default value n/a
Allowed values Any hostname or network can be used. Any sregex expression

user

Filter by the user name. This will match either the srcuser or dstuser.

Default value n/a
Allowed values Any username. Any sregex expression

title

Name of the report. This is a required field.

Default value n/a
Allowed values Any text

email_to

The email address to send the completed report. This is a required field.

Default value n/a
Allowed values Any email address

showlogs

Enable or disable the inclusion of logs when creating the report.

Default value no
Allowed values yes, no

Example of configuration

<reports>
  <title>Auth_Report</title>
  <group>authentication_failed,</group>
  <srcip>192.168.1.10</srcip>
  <email_to>recipient@example.wazuh.com</email_to>
  <showlogs>yes</showlogs>
</reports>

<reports>
  <title>List of logged users</title>
  <rule>535</rule>
  <email_to>recipient@example.wazuh.com</email_to>
  <srcip>192.168.1.10</srcip>
  <showlogs>yes</showlogs>
</reports>