reports

Configuration options for reporting of alerts.

Options

group

Filter by group/category. It only accepts one group/category.

Default value

n/a

Allowed values

Any group used is allowed.

category

Filter by group/category.

Default value

n/a

Allowed values

Any category used is allowed.

rule

Rule ID to filter for.

Default value

n/a

Allowed values

Any rule ID in the Wazuh rules is allowed.

level

Alert level to filter for. The report includes alerts at the specified level and all levels above it.

Default value

n/a

Allowed values

Any alert level from 1 to 16 can be used.

location

Filter by the log location or agent name.

Default value

n/a

Allowed values

Any file path, hostname or network is allowed.

srcip

Filter by the source IP of the event.

Default value

n/a

Allowed values

Any hostname or network can be used.

user

Filter by the user name. This will match either the srcuser or dstuser.

Default value

n/a

Allowed values

Any username

title

Name of the report. This is a required field.

Default value

n/a

Allowed values

Any text

email_to

The email address to send the completed report to. This is a required field.

Default value

n/a

Allowed values

Any email address

showlogs

Enable or disable the inclusion of logs when creating the report.

Default value

no

Allowed values

yes, no

Example of configuration

<reports>
  <group>authentication_failed,</group>
  <srcip>192.168.1.10</srcip>
  <title>Auth_Report</title>
  <email_to>recipient@example.wazuh.com</email_to>
  <showlogs>yes</showlogs>
</reports>
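
The following linter is an added example, not part of the Wazuh documentation or code base. It checks one <reports> block against the constraints listed on this page (required title and email_to, a single group, level from 1 to 16, showlogs yes/no). The function name lint_reports and the sample blocks are assumptions made for illustration, and the block is assumed to have been extracted from the configuration file as a single well-formed element.

```python
import xml.etree.ElementTree as ET

# Options listed on this page for the <reports> block.
KNOWN = {"group", "category", "rule", "level", "location",
         "srcip", "user", "title", "email_to", "showlogs"}
REQUIRED = ("title", "email_to")

def lint_reports(block: str) -> list[str]:
    """Return the problems found in one <reports> block (empty list if none)."""
    try:
        root = ET.fromstring(block)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "reports":
        return [f"expected <reports>, got <{root.tag}>"]
    problems = []
    values = {}
    for child in root:
        values.setdefault(child.tag, []).append((child.text or "").strip())
        if child.tag not in KNOWN:
            problems.append(f"<{child.tag}> is not an option listed on this page")
    for name in REQUIRED:
        if not any(values.get(name, [])):
            problems.append(f"<{name}> is required and is missing or empty")
    if len(values.get("group", [])) > 1:
        problems.append("<group> accepts only one group/category")
    for level in values.get("level", []):
        if not (level.isascii() and level.isdigit() and 1 <= int(level) <= 16):
            problems.append(f"<level> must be 1 to 16, got {level!r}")
    for flag in values.get("showlogs", []):
        if flag not in ("yes", "no"):
            problems.append(f"<showlogs> must be yes or no, got {flag!r}")
    return problems

# Constructed samples: the page's example, then a deliberately broken block.
GOOD = """<reports>
  <group>authentication_failed,</group>
  <srcip>192.168.1.10</srcip>
  <title>Auth_Report</title>
  <email_to>recipient@example.wazuh.com</email_to>
  <showlogs>yes</showlogs>
</reports>"""
BAD = """<reports>
  <level>17</level>
  <showlogs>true</showlogs>
  <email_to>recipient@example.wazuh.com</email_to>
</reports>"""
```

Calling lint_reports(BAD) reports the missing title, the out-of-range level and the invalid showlogs value, which makes it suitable as a pre-deployment check before a report definition is pushed to a manager.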