reports
This section lists the options for configuring daily reports based on alerts.
Note: Any number of <reports> blocks can be declared in the same ossec.conf file.
Options
group
Filter by group/category. It only accepts one group/category.
Default value | n/a
Allowed values | Any group used is allowed. Any sregex expression.
category
Filter by group/category.
Default value | n/a
Allowed values | Any category used is allowed.
rule
Rule ID to filter for.
Default value | n/a
Allowed values | Any Rule ID in Wazuh Rules is allowed. Any sregex expression.
level
Alert level to filter for. The report includes all alerts at the specified level and above.
Default value | n/a
Allowed values | Any alert level from 1 to 16 can be used. Any sregex expression.
location
Filter by the log location or agent name.
Default value | n/a
Allowed values | Any file path, hostname or network is allowed. Any sregex expression.
srcip
Filter by the source IP of the event.
Default value | n/a
Allowed values | Any hostname or network can be used. Any sregex expression.
user
Filter by user name. This matches either the srcuser or the dstuser field.
Default value | n/a
Allowed values | Any username. Any sregex expression.
title
Name of the report. This is a required field.
Default value | n/a
Allowed values | Any text
email_to
The email address to which the completed report is sent. This is a required field.
Default value | n/a
Allowed values | Any email address
showlogs
Enable or disable the inclusion of logs when creating the report.
Default value | no
Allowed values | yes, no
Example of configuration
<reports>
  <title>Auth_Report</title>
  <group>authentication_failed,</group>
  <srcip>192.168.1.10</srcip>
  <email_to>recipient@example.wazuh.com</email_to>
  <showlogs>yes</showlogs>
</reports>

<reports>
  <title>List of logged users</title>
  <rule>535</rule>
  <email_to>recipient@example.wazuh.com</email_to>
  <srcip>192.168.1.10</srcip>
  <showlogs>yes</showlogs>
</reports>
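A further block, added here as an illustration and not taken from the Wazuh documentation, combines the level, location and user filters that the two examples above do not use; the agent name, user and recipient address are assumed values.

```xml
<!-- Added example: daily report of high-severity alerts on one agent for one user.
     The agent name (db-server-01), user (root) and recipient are assumptions. -->
<reports>
  <title>Privileged_Activity_Report</title>
  <!-- level is a lower bound: 10 selects alerts of level 10 up to 16 -->
  <level>10</level>
  <!-- location matches the log location or agent name of the alert -->
  <location>db-server-01</location>
  <!-- user matches either srcuser or dstuser in the alert -->
  <user>root</user>
  <email_to>soc@example.com</email_to>
  <!-- attach the raw log lines behind each alert to the report -->
  <showlogs>yes</showlogs>
</reports>
```

All filters in a block apply together, so this report only covers alerts that satisfy the level, location and user conditions at once.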