reports

This section lists the options available for configuring daily reports based on alerts.

Note

Any number of <reports> blocks can be declared in the same ossec.conf file.

Options

group

Filter by group/category. It only accepts one group/category.

Default value

n/a

Allowed values

Any group in use is allowed, or any sregex expression.

category

Filter by group/category.

Default value

n/a

Allowed values

Any category used is allowed.

rule

Rule ID to filter for.

Default value

n/a

Allowed values

Any rule ID in the Wazuh rules is allowed, or any sregex expression.

level

Alert level to filter for. The report includes the specified level and all levels above it.

Default value

n/a

Allowed values

Any alert level from 1 to 16, or any sregex expression.

location

Filter by the log location or agent name.

Default value

n/a

Allowed values

Any file path, hostname or network is allowed, or any sregex expression.

srcip

Filter by the source IP address of the event.

Default value

n/a

Allowed values

Any hostname or network can be used, or any sregex expression.

user

Filter by user name. This matches either the srcuser or the dstuser of the alert.

Default value

n/a

Allowed values

Any username, or any sregex expression.

title

Name of the report. This is a required field.

Default value

n/a

Allowed values

Any text

email_to

The email address to which the completed report is sent. This is a required field.

Default value

n/a

Allowed values

Any email address

showlogs

Enable or disable the inclusion of the matching log lines in the generated report.

Default value

no

Allowed values

yes, no

Example of configuration

<reports>
  <title>Auth_Report</title>
  <group>authentication_failed,</group>
  <srcip>192.168.1.10</srcip>
  <email_to>recipient@example.wazuh.com</email_to>
  <showlogs>yes</showlogs>
</reports>

<reports>
  <title>List of logged users</title>
  <rule>535</rule>
  <email_to>recipient@example.wazuh.com</email_to>
  <srcip>192.168.1.10</srcip>
  <showlogs>yes</showlogs>
</reports>
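The following is an added example, not Wazuh's own code: a small Python script that lints `<reports>` blocks against the option reference above (required `title` and `email_to`, `level` in 1-16, `showlogs` yes/no, a single group) and then dry-runs each block against a handful of constructed alerts so that the filter semantics are visible before the report ever reaches a mailbox. The `<ossec_config>` wrapper, the alert field names, the rule IDs and addresses are all assumptions or constructed data, and OSSEC's sregex is approximated with Python's `re.search`.

```python
"""Lint Wazuh <reports> blocks and dry-run them against sample alerts.
Added example; not part of Wazuh. sregex is approximated with re.search."""
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: the page's first example block plus two more
# that exercise the level/user filters and the lint checks (assumed layout).
OSSEC_CONF = """<ossec_config>
<reports>
  <title>Auth_Report</title>
  <group>authentication_failed,</group>
  <srcip>192.168.1.10</srcip>
  <email_to>recipient@example.wazuh.com</email_to>
  <showlogs>yes</showlogs>
</reports>
<reports>
  <title>Root activity</title>
  <level>10</level>
  <user>root</user>
  <email_to>recipient@example.wazuh.com</email_to>
</reports>
<reports>
  <level>20</level>
  <showlogs>maybe</showlogs>
</reports>
</ossec_config>"""

# Constructed sample alerts; rule ids, groups, users and addresses are made up.
ALERTS = [
    {"id": "100001", "level": 5, "groups": ["pam", "authentication_failed"],
     "location": "/var/log/auth.log", "srcip": "192.168.1.10", "srcuser": "bob"},
    {"id": "100002", "level": 5, "groups": ["syslog", "sshd", "authentication_failed"],
     "location": "/var/log/auth.log", "srcip": "10.0.0.7", "srcuser": "alice"},
    {"id": "100003", "level": 10, "groups": ["syslog", "sshd", "authentication_failures"],
     "location": "/var/log/auth.log", "srcip": "10.0.0.7", "srcuser": "root"},
    {"id": "100004", "level": 3, "groups": ["syslog", "sudo"],
     "location": "/var/log/auth.log", "srcip": "10.0.0.7", "srcuser": "bob", "dstuser": "root"},
    {"id": "100005", "level": 12, "groups": ["syslog", "sudo"],
     "location": "/var/log/auth.log", "srcip": "10.0.0.9", "srcuser": "carol", "dstuser": "root"},
]

OPTIONS = ("group", "category", "rule", "level", "location", "srcip", "user",
           "title", "email_to", "showlogs")


def parse_reports(xml_text):
    """Return one dict per <reports> block, keyed by option name."""
    root = ET.fromstring(xml_text)
    return [{c.tag: (c.text or "").strip() for c in block} for block in root.iter("reports")]


def lint_report(report):
    """Check one block against the reference: required fields, ranges, enums."""
    problems = []
    for required in ("title", "email_to"):
        if not report.get(required):
            problems.append(f"missing required option <{required}>")
    problems += [f"unknown option <{k}>" for k in report if k not in OPTIONS]
    if "level" in report:
        if not report["level"].isdigit() or not 1 <= int(report["level"]) <= 16:
            problems.append(f"<level> must be 1-16, got {report['level']!r}")
    if report.get("showlogs", "no") not in ("yes", "no"):
        problems.append(f"<showlogs> must be yes or no, got {report['showlogs']!r}")
    # group/category take a single value; a trailing comma is not a second value.
    for key in ("group", "category"):
        if key in report and len([g for g in report[key].split(",") if g]) > 1:
            problems.append(f"<{key}> accepts only one {key}")
    return problems


def alert_matches(report, alert):
    """Apply the filters as the reference describes them."""
    # Alert groups are modelled as the comma-terminated string seen in alerts,
    # which is why the page's example ends the group name with a comma.
    groups = ",".join(alert["groups"]) + ","
    for key in ("group", "category"):
        if key in report and not re.search(report[key], groups):
            return False
    if "rule" in report and not re.search(report["rule"], alert["id"]):
        return False
    if "level" in report and alert["level"] < int(report["level"]):
        return False  # the given level and everything above it is included
    for key in ("location", "srcip"):
        if key in report and not re.search(report[key], alert.get(key, "")):
            return False
    if "user" in report:  # matches either srcuser or dstuser
        users = (alert.get("srcuser", ""), alert.get("dstuser", ""))
        if not any(re.search(report["user"], u) for u in users):
            return False
    return True


def run_report(report, alerts):
    """Return the ids of the alerts that would land in this report."""
    return [a["id"] for a in alerts if alert_matches(report, a)]


if __name__ == "__main__":
    for rep in parse_reports(OSSEC_CONF):
        name = rep.get("title", "<untitled>")
        print(name, "lint:", lint_report(rep) or "ok")
        print(name, "alerts:", run_report(rep, ALERTS))
```

Running it shows the first block selecting only the alert whose groups contain `authentication_failed` and whose source address is 192.168.1.10, the second block picking up both the level-10 alert with `srcuser` root and the level-12 alert where root appears only as `dstuser`, and the third block failing lint on four counts before it could silently produce an empty or undeliverable report.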