email_alerts

This extends the email options configured in the <global> section.

Note

Global email configuration is necessary to use granular email options.

Options

email_to
level
group
event_location
format
rule_id
do_not_delay
do_not_group

email_to

This specifies a single email address to which to send email alerts. If you want to send alerts to multiple addresses, each address must be listed in a separate <email_to> section. Lists are not allowed.

Default value	n/a
Allowed values	Any valid email address is allowed.

level

This is the minimum alert severity level for which emails will be sent.

Note

The level option should be set at or above the email_alert_level in the <alerts> section of the configuration.

Default value	n/a
Allowed values	Any alert level 0 to 16 is allowed.

group

This limits the sending of emails to only when rules are tripped that belongs to one of the listed groups.

Default value	n/a
Allowed values	Any rule group is allowed. Multiple groups should be separated with a pipe character (“\|”).

Note

Observe that all groups must be finished by comma.

event_location

The alert must match this event location to be forwarded. Do not specify this option repeatedly, as only the last instance would be used.

Default value	n/a
Allowed values	Any single agent name, hostname, IP address, or log file is allowed

format

This specifies the email format.

Default value	full
Allowed values	full	Send normal emails.
Allowed values	sms	Use a compact format more suitable for SMS.

rule_id

This limits the sending of emails to only when rules are tripped that have one of the listed rule IDs.

Default value	n/a
Allowed values	One or more rule IDs can be used here, separated by a comma and a space ( ", " ).

do_not_delay

This causes email alerts to be sent right away, rather than to be delayed for the purpose of batching multiple alerts together.

Default value	n/a
Allowed values	XML tag with no value

do_not_group

This disables grouping of multiple alerts into the same email.

Default value	n/a
Allowed values	XML tag with no value

Warning

Notice that do_not_delay and do_not_group are special empty-element XML tags, so they stand alone, not having a starting and ending version of the tag. This is indicated by the tag name containing "/" at the end of the name.

Example of configuration

<email_alerts>
  <email_to>recipient@example.wazuh.com</email_to>
  <email_to>recipient2@example.wazuh.com</email_to>
  <level>12</level>
  <group>sshd,</group>
  <do_not_delay/>
</email_alerts>