email_alerts
This extends the email options configured in the <global> section.
Note
Global email configuration is necessary to use granular email options.
Options
email_to
This specifies a single email address to which to send email alerts. If you want to send alerts to multiple addresses, each address must be listed in a separate <email_to> element. Lists are not allowed.
Default value | n/a
Allowed values | Any valid email address is allowed.
Usage | Required.
level
This is the minimum alert severity level for which emails will be sent.
Note
The level option should be set at or above the email_alert_level in the <alerts> section of the configuration.
Default value | n/a
Allowed values | Any alert level 0 to 16 is allowed.
group
This option sets specific rule groups that alerts must belong to for email notification.
Default value | n/a
Allowed values | Any group string. For multiple groups, separate the strings with a pipe character (|).
Note
To avoid partial matches, add a comma at the end of the group string. For example, <rules_group>group_a,|group_b,|group_c,</rules_group>. Not ending the group string with a comma implies that it is a substring open for partial matches. For example, the group string authentication matches the rule groups authentication, authentication_success, and authentication_failure, while the group string authentication, matches only the rule group authentication.
Also, check that the rule group in your rule definitions ends with a comma as well. For example, <group>group_b,</group>. This is usually the case in the ThreatLockDown default ruleset.
event_location
The alert must match this event location to be forwarded. Do not specify this option repeatedly, as only the last instance would be used.
Default value | n/a
Allowed values | Any single agent name, hostname, IP address, or log file is allowed.
format
This specifies the email format.
Default value | full
Allowed values | default | Send normal emails.
 | full | Send normal emails.
 | sms | Use a compact format more suitable for SMS.
rule_id
This limits the sending of emails to only when rules are tripped that have one of the listed rule IDs.
Default value | n/a
Allowed values | One or more rule IDs can be used here, separated by a comma and a space (", ").
do_not_delay
This causes email alerts to be sent right away, rather than to be delayed for the purpose of batching multiple alerts together.
Default value | n/a
Allowed values | XML tag with no value
do_not_group
This disables grouping of multiple alerts into the same email.
Default value | n/a
Allowed values | XML tag with no value
Warning
Notice that do_not_delay and do_not_group are special empty-element XML tags: they stand alone, with no separate opening and closing tag. This is indicated by the "/" at the end of the tag name, as in <do_not_delay/>.
Example of configuration
<email_alerts>
  <email_to>recipient@example.wazuh.com</email_to>
  <email_to>recipient2@example.wazuh.com</email_to>
  <level>12</level>
  <group>sshd,</group>
  <do_not_delay/>
</email_alerts>
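The constraints described above (one address per <email_to>, level within 0 to 16 and at or above email_alert_level, trailing commas on group strings, a single event_location, and ", " separated rule IDs) are easy to get wrong by hand. The following linter is an added example, not part of the ThreatLockDown documentation or code base; it parses a constructed configuration fragment containing one faulty and one correct <email_alerts> block and reports each deviation from the rules on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: block 0 breaks every rule described on this page, block 1 is clean.
SAMPLE = """<ossec_config>
  <alerts><email_alert_level>10</email_alert_level></alerts>
  <email_alerts>
    <email_to>a@example.com, b@example.com</email_to>
    <level>7</level>
    <group>authentication</group>
    <event_location>host1</event_location>
    <event_location>host2</event_location>
    <rule_id>5710,5716</rule_id>
  </email_alerts>
  <email_alerts>
    <email_to>soc@example.com</email_to>
    <level>12</level>
    <group>sshd,|pam,</group>
    <do_not_delay/>
  </email_alerts>
</ossec_config>"""


def lint_email_alerts(xml_text):
    """Return (block_index, message) findings for every <email_alerts> block."""
    root = ET.fromstring(xml_text)
    global_level = root.findtext("alerts/email_alert_level")
    findings = []
    for i, block in enumerate(root.findall("email_alerts")):
        tos = block.findall("email_to")
        if not tos:
            findings.append((i, "email_to is required"))
        for to in tos:  # one address per element; comma-separated lists are not allowed
            if "," in (to.text or ""):
                findings.append((i, "email_to holds a list; use one <email_to> per address"))
        level = block.findtext("level")
        if level is not None:
            if not level.isdigit() or not 0 <= int(level) <= 16:
                findings.append((i, "level must be between 0 and 16"))
            elif global_level and int(level) < int(global_level):
                findings.append((i, f"level {level} is below email_alert_level {global_level}"))
        for g in (block.findtext("group") or "").split("|"):
            if g and not g.endswith(","):  # no trailing comma means substring (partial) matching
                findings.append((i, f"group '{g}' lacks a trailing comma; partial matches possible"))
        if len(block.findall("event_location")) > 1:
            findings.append((i, "multiple event_location tags; only the last one is used"))
        rule_id = block.findtext("rule_id")
        if rule_id and not all(p.strip().isdigit() for p in rule_id.split(", ")):
            findings.append((i, "rule_id list must be separated by a comma and a space"))
    return findings
```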