Global email configuration is necessary to use the granular email options.
All global options must be configured in /var/ossec/etc/ossec.conf, inside the <ossec_config> tag.
XML excerpt to show location:
<ossec_config>
  <email_alerts>
    <!--
    Email_alerts options here
    -->
  </email_alerts>
</ossec_config>
E-Mail recipients of alerts
Allowed: Any valid e-mail address
Minimum alerting level to forward the e-mails.
Allowed: Any alert level 0 to 16
Note
level should be set at or above the email_alert_level in the <alerts> section of the configuration.
The alert must match this group to be forwarded. Multiple groups can be separated with a pipe character ("|").
Allowed: One or more groups or categories.
The alert must match this event location to be forwarded. If multiple <event_location> options are specified, the last will be used.
Allowed: Any single agent name, hostname, IP address, or log file
Specifies the format of the e-mail
Default: full
Allowed: full/sms
Option to send granular emails based on rule id.
Allowed: One or more rule IDs can be used here, separated by a comma and space.
Example:
<rule_id>5701, 5702</rule_id>
Option to send the e-mail right away (no delay).
Example:
<do_not_delay />
Option to not group alerts for this e-mail.
Example:
<do_not_group />
<global>
  <email_notification>yes</email_notification>
  <email_to>admin@example.com</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossecm@example.com</email_from>
</global>

<global>
  <email_notification>yes</email_notification>
  <email_to>admin@example.com</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossecm@example.com</email_from>
  <email_maxperhour>100</email_maxperhour>
</global>

<email_alerts>
  <email_to>other_admin@example.com</email_to>
  <level>12</level>
</email_alerts>

<email_alerts>
  <email_to>syscheck-admin@example.com</email_to>
  <group>syscheck</group>
</email_alerts>

<email_alerts>
  <email_to>bond@example.com</email_to>
  <event_location>agent007</event_location>
  <level>15</level>
  <do_not_delay />
  <do_not_group />
</email_alerts>
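
The constraints listed above (level range and the email_alert_level floor, full/sms format, last <event_location> wins, comma-and-space rule IDs) can be checked before a configuration is deployed. The following is an added example, not part of OSSEC or of the original page; the function name, the sample hosts and the email_alert_level value of 7 are constructed, and `<format>` is assumed to be the tag for the e-mail format option.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <alerts> value and the last two blocks are invented.
SAMPLE_CONF = """
<ossec_config>
  <alerts><email_alert_level>7</email_alert_level></alerts>
  <email_alerts>
    <email_to>bond@example.com</email_to>
    <event_location>agent007</event_location>
    <level>15</level>
  </email_alerts>
  <email_alerts>
    <email_to>web@example.com</email_to>
    <event_location>web01</event_location>
    <event_location>web02</event_location>
    <level>5</level>
    <format>html</format>
  </email_alerts>
  <email_alerts>
    <email_to>ssh@example.com</email_to>
    <rule_id>5701,5702</rule_id>
  </email_alerts>
</ossec_config>
"""

def lint_email_alerts(conf_text):
    """Return (block_number, message) findings for each <email_alerts> block."""
    # Wrap in a synthetic root so more than one top-level element still parses.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    floor = int(root.findtext(".//alerts/email_alert_level") or 0)
    findings = []
    for n, block in enumerate(root.iter("email_alerts"), start=1):
        level = block.findtext("level")
        if level is not None:
            if not re.fullmatch(r"\d{1,2}", level.strip()) or int(level) > 16:
                findings.append((n, "level must be 0 to 16"))
            elif int(level) < floor:
                findings.append((n, f"level {int(level)} is below email_alert_level {floor}"))
        fmt = block.findtext("format")
        if fmt is not None and fmt.strip() not in ("full", "sms"):
            findings.append((n, "format must be full or sms"))
        locations = [e.text for e in block.findall("event_location")]
        if len(locations) > 1:
            findings.append((n, f"multiple event_location, only '{locations[-1]}' is used"))
        rule_id = block.findtext("rule_id")
        if rule_id is not None and not re.fullmatch(r"\d+(, \d+)*", rule_id.strip()):
            findings.append((n, "rule_id must be IDs separated by comma and space"))
    return findings
```

Calling lint_email_alerts(SAMPLE_CONF) reports nothing for the first block, three findings for the second and one for the third.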