email_alerts

This extends the email options configured in the <global> section.

Note

Global email configuration is necessary to use granular email options.

Options

email_to

This specifies a single email address to which to send email alerts. If you want to send alerts to multiple addresses, each address must be listed in a separate <email_to> section. Lists are not allowed.

Default value

n/a

Allowed values

Any valid email address is allowed.

Usage

Required.

level

This is the minimum alert severity level for which emails will be sent.

Note

The level option should be set at or above the email_alert_level in the <alerts> section of the configuration.

Default value

n/a

Allowed values

Any alert level 0 to 16 is allowed.

group

This limits the sending of emails to only when rules are tripped that belong to one of the listed groups.

Default value

n/a

Allowed values

Any rule group is allowed. Multiple groups should be separated with a pipe character (“|”).

Note

Note that the list of groups must be terminated by a comma.

event_location

The alert must match this event location to be forwarded. Do not specify this option repeatedly, as only the last instance would be used.

Default value

n/a

Allowed values

Any single agent name, hostname, IP address, or log file is allowed.

format

This specifies the email format.

Default value

full

Allowed values

default

Send normal emails.

full

Send normal emails.

sms

Use a compact format more suitable for SMS.

rule_id

This limits the sending of emails to only when rules are tripped that have one of the listed rule IDs.

Default value

n/a

Allowed values

One or more rule IDs can be used here, separated by a comma and a space (", ").

do_not_delay

This causes email alerts to be sent right away, rather than to be delayed for the purpose of batching multiple alerts together.

Default value

n/a

Allowed values

XML tag with no value

do_not_group

This disables grouping of multiple alerts into the same email.

Default value

n/a

Allowed values

XML tag with no value

email_log_source

New in version 3.8.0.

This selects the alert file to be read from.

Default value

alerts.json

Allowed values

alerts.log or alerts.json

Warning

Notice that do_not_delay and do_not_group are empty-element XML tags: they stand alone and have no separate opening and closing tag. This is indicated by the "/" at the end of the tag name, as in <do_not_delay/>.

Example of configuration

<email_alerts>
  <email_to>recipient@example.wazuh.com</email_to>
  <email_to>recipient2@example.wazuh.com</email_to>
  <level>12</level>
  <group>sshd,</group>
  <do_not_delay/>
</email_alerts>
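The constraints listed above (one address per <email_to>, level between 0 and 16 and not below the global email_alert_level, a comma-terminated group list, rule IDs separated by ", ", a single <event_location>, the allowed format and email_log_source values, and the empty-element flags) are easy to get wrong by hand. The following linter is an added example, not code from the Wazuh project: it parses an <ossec_config> fragment with Python's standard library and reports each violation it finds. The function names, the address regex and the sample configuration are my own assumptions; the sample's second block is deliberately constructed to break several rules.

```python
# Added example: a linter for <email_alerts> blocks that checks the
# constraints documented on this page. Names here are not Wazuh APIs.
import re
import xml.etree.ElementTree as ET

ALLOWED_FORMATS = {"default", "full", "sms"}
ALLOWED_LOG_SOURCES = {"alerts.log", "alerts.json"}
EMPTY_TAGS = ("do_not_delay", "do_not_group")
# Assumed shape of "a single valid address": no spaces, commas or extra "@".
ADDRESS_RE = re.compile(r"^[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$")


def _text(elem):
    return (elem.text or "").strip()


def lint_email_alerts(block, email_alert_level=None):
    """Return the list of problems in one <email_alerts> element.

    email_alert_level is the <alerts><email_alert_level> value, if known,
    used to check that <level> is not set below it."""
    problems = []

    # email_to: required, exactly one address per tag, lists not allowed
    recipients = block.findall("email_to")
    if not recipients:
        problems.append("email_to is required")
    for e in recipients:
        if not ADDRESS_RE.match(_text(e)):
            problems.append(f"email_to {_text(e)!r} is not a single valid address")

    # level: integer 0..16, and not below the global email_alert_level
    for e in block.findall("level"):
        if not _text(e).isdigit():
            problems.append(f"level {_text(e)!r} is not an integer")
            continue
        lvl = int(_text(e))
        if not 0 <= lvl <= 16:
            problems.append(f"level {lvl} is outside 0..16")
        elif email_alert_level is not None and lvl < email_alert_level:
            problems.append(f"level {lvl} is below email_alert_level {email_alert_level}")

    # group: pipe-separated names, and the whole list must end with a comma
    for e in block.findall("group"):
        if not _text(e).endswith(","):
            problems.append(f"group {_text(e)!r} must be terminated by a comma")

    # rule_id: numeric IDs separated by a comma and a space
    for e in block.findall("rule_id"):
        for rid in _text(e).split(", "):
            if not rid.isdigit():
                problems.append(f"rule_id entry {rid!r} is not a numeric ID")

    # event_location: only the last instance is used, so repeating it is a mistake
    if len(block.findall("event_location")) > 1:
        problems.append("event_location given more than once; only the last is used")

    for e in block.findall("format"):
        if _text(e) not in ALLOWED_FORMATS:
            problems.append(f"format {_text(e)!r} not in {sorted(ALLOWED_FORMATS)}")
    for e in block.findall("email_log_source"):
        if _text(e) not in ALLOWED_LOG_SOURCES:
            problems.append(f"email_log_source {_text(e)!r} not in {sorted(ALLOWED_LOG_SOURCES)}")

    # do_not_delay / do_not_group are empty elements: no text, no children
    for tag in EMPTY_TAGS:
        for e in block.findall(tag):
            if _text(e) or len(e):
                problems.append(f"{tag} must be an empty element")
    return problems


def lint_config(xml_text):
    """Lint every <email_alerts> block in an <ossec_config> fragment.
    Returns {block_index: [problems]} for the blocks that have problems."""
    root = ET.fromstring(xml_text)
    global_level = None
    node = root.find("alerts/email_alert_level")
    if node is not None and _text(node).isdigit():
        global_level = int(_text(node))
    report = {}
    for i, block in enumerate(root.findall("email_alerts")):
        found = lint_email_alerts(block, global_level)
        if found:
            report[i] = found
    return report


# Constructed sample (not a real deployment): block 0 is correct,
# block 1 violates several of the documented constraints.
SAMPLE_CONFIG = """<ossec_config>
  <alerts><email_alert_level>10</email_alert_level></alerts>
  <email_alerts>
    <email_to>recipient@example.wazuh.com</email_to>
    <email_to>recipient2@example.wazuh.com</email_to>
    <level>12</level>
    <group>sshd,</group>
    <do_not_delay/>
  </email_alerts>
  <email_alerts>
    <email_to>a@example.com, b@example.com</email_to>
    <level>7</level>
    <group>sshd|pam</group>
    <rule_id>5710,5712</rule_id>
    <event_location>agent01</event_location>
    <event_location>agent02</event_location>
    <format>html</format>
    <do_not_group>yes</do_not_group>
  </email_alerts>
</ossec_config>"""

if __name__ == "__main__":
    for idx, probs in lint_config(SAMPLE_CONFIG).items():
        print(f"email_alerts block #{idx}:")
        for p in probs:
            print("  -", p)
```

Run it against your own ossec.conf by reading the file into lint_config. The check against email_alert_level is the one most worth keeping: a granular <level> below the global threshold silently produces no mail for the alerts in between, which is the kind of gap that only shows up when an alert you expected never arrives.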