reports

In this section are listed the different options for the configuration of daily reports based on alerts.

Note

Any number of <reports> blocks can be declared in the same ossec.conf file.

Options

group

Filter by group/category. It only accepts one group/category.

Default value

n/a

Allowed values

Any group used is allowed.

category

Filter by group/category.

Default value

n/a

Allowed values

Any category used is allowed.

rule

Rule ID to filter for.

Default value

n/a

Allowed values

Any Rule ID in ThreatLockDown Rules is allowed.

level

Alert level to filter for. The report will include all levels above and including level specified.

Default value

n/a

Allowed values

Any Alert level from 1 to 16 can be used.

location

Filter by the log location or agent name.

Default value

n/a

Allowed values

Any file path, hostname or network is allowed. Any sregex expression

srcip

Filter by the source IP address of the event.

Default value

n/a

Allowed values

Any IP address.

user

Filter by the user or dstuser name.

Default value

n/a

Allowed values

Any username.

title

Name of the report. This is a required field.

Default value

n/a

Allowed values

Any text

email_to

The email address to send the completed report. This is a required field.

Default value

n/a

Allowed values

Any email address

showlogs

Enable or disable the inclusion of logs when creating the report.

Default value

no

Allowed values

yes, no

Example of configuration

<reports>
  <title>Auth_Report</title>
  <group>authentication_failed,</group>
  <srcip>192.168.1.10</srcip>
  <email_to>recipient@example.wazuh.com</email_to>
  <showlogs>yes</showlogs>
</reports>

<reports>
  <title>List of logged users</title>
  <rule>535</rule>
  <email_to>recipient@example.wazuh.com</email_to>
  <srcip>192.168.1.10</srcip>
  <showlogs>yes</showlogs>
</reports>