Granular e-mail alerting

One of the most popular feature requests for OSSEC that I received lately was the availability of granular e-mail alerting options. Well, if you have been waiting for it, it is now available to be used… Just try our first beta release of version 1.2 and let us know how it goes.

Here are some examples of what you can do:

If you want to e-mail xx@y.z for every event in the group syslog, you can add the following to your OSSEC configuration:

  <email_alerts>
    <email_to>xx@y.z</email_to>
    <group>syslog</group>
  </email_alerts>

To e-mail aa@y.z in SMS format for every event with severity higher than 10 (note that SMS-format alerts are not grouped, so the e-mail is sent immediately):

  <email_alerts>
    <email_to>aa@y.z</email_to>
    <level>10</level>
    <format>sms</format>
  </email_alerts>

To e-mail bb@y.z for every event from rule 123 or rule 124:

  <email_alerts>
    <email_to>bb@y.z</email_to>
    <rule_id>123, 124</rule_id>
  </email_alerts>

To e-mail cc@y.z for every event with severity higher than 12 from agent qwerty, without any delay (immediately):

  <email_alerts>
    <email_to>cc@y.z</email_to>
    <level>12</level>
    <event_location>qwerty</event_location>
    <do_not_delay />
  </email_alerts>
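
To see how several of these blocks combine on one alert, here is an added Python example (not OSSEC code and not part of the original post) that parses the four blocks above and routes constructed sample alerts to their recipients. It assumes that level is an inclusive minimum, that event_location is compared exactly against the agent name, and that both the sms format and do_not_delay mean immediate (ungrouped) delivery.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
# Constructed ossec.conf fragment carrying the four <email_alerts> blocks from the post.
OSSEC_CONF = """<ossec_config>
  <email_alerts><email_to>xx@y.z</email_to><group>syslog</group></email_alerts>
  <email_alerts><email_to>aa@y.z</email_to><level>10</level><format>sms</format></email_alerts>
  <email_alerts><email_to>bb@y.z</email_to><rule_id>123, 124</rule_id></email_alerts>
  <email_alerts><email_to>cc@y.z</email_to><level>12</level>
    <event_location>qwerty</event_location><do_not_delay /></email_alerts>
</ossec_config>"""

@dataclass
class EmailRule:
    to: str
    level: int = 0            # minimum alert level, inclusive (assumption); 0 = any
    groups: set = field(default_factory=set)    # alert must carry one of these groups
    rule_ids: set = field(default_factory=set)  # alert's rule id must be listed
    location: str = ""        # agent name, exact match (assumption); "" = any
    immediate: bool = False   # sms format or <do_not_delay/> bypasses grouping

def parse_email_rules(xml_text):
    # One EmailRule per <email_alerts> block; a filter left out of a block matches everything.
    rules = []
    for blk in ET.fromstring(xml_text).findall("email_alerts"):
        rules.append(EmailRule(
            to=(blk.findtext("email_to") or "").strip(),
            level=int(blk.findtext("level") or 0),
            groups={g.strip() for g in (blk.findtext("group") or "").split(",") if g.strip()},
            rule_ids={i.strip() for i in (blk.findtext("rule_id") or "").split(",") if i.strip()},
            location=(blk.findtext("event_location") or "").strip(),
            immediate=(blk.findtext("format") or "").strip() == "sms"
                      or blk.find("do_not_delay") is not None))
    return rules

def matches(rule, alert):
    # Every filter the block sets must hold; alert is a dict built by the caller.
    return (alert["level"] >= rule.level
            and (not rule.groups or bool(rule.groups & set(alert["groups"])))
            and (not rule.rule_ids or alert["rule_id"] in rule.rule_ids)
            and (not rule.location or rule.location == alert["location"]))

def route(rules, alert):
    # Recipients that receive this alert, each tagged 'immediate' or 'grouped'.
    return sorted((r.to, "immediate" if r.immediate else "grouped")
                  for r in rules if matches(r, alert))

RULES = parse_email_rules(OSSEC_CONF)
# Constructed alerts: a low-level syslog event, and a level-12 rule 123 hit from agent qwerty.
SYSLOG_ALERT = {"level": 5, "groups": ["syslog", "sshd"], "rule_id": "5716", "location": "web01"}
AGENT_ALERT = {"level": 12, "groups": ["syscheck"], "rule_id": "123", "location": "qwerty"}
```

Running route(RULES, AGENT_ALERT) shows the second alert reaching three recipients, two of them immediately, while the syslog event only reaches xx@y.z in the grouped digest.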

You just need to tweak it for your own needs. Send any questions to our mailing list or here in the comments.

Download it from here (always use the latest package available): beta snapshots.
