Daily email reports

If you want to receive daily email reports (summaries) of your OSSEC alerts, you will like this new feature.

First, start off by downloading the latest snapshot: http://www.ossec.net/files/snapshots/ (get the latest file from there).

Then you can use the "reports" option to configure which alerts you want summarized and delivered at the end of the day (instead of in real time). The following options are available:

group: Filter by group
categories: Filter by group (alias for the above)
rule: Filter by rule id
level: Filter by severity
location: Filter by the log location or agent name
srcip: Filter by a source IP
user: Filter by a user name

You can also use the same options with type="relation" specified to get the relation between fields. For example, <srcip type="relation">user</srcip> will get you a list of users per source IP.

Every report must have a <title> specified and as many “email_to” as you want.

Example 1: Receive a summary of all successful authentications:

<ossec_config>
  <reports>
    <category>authentication_success</category>
    <user type="relation">srcip</user>
    <title>Daily report: Successful logins</title>
    <email_to>me@myemail.com</email_to>
  </reports>
</ossec_config>

Example 2: Receive a summary of all file integrity monitoring (syscheck) alerts:

<ossec_config>
  <reports>
    <category>syscheck</category>
    <title>Daily report: File changes</title>
    <email_to>me@myemail.com</email_to>
  </reports>
</ossec_config>
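To make the option list and the two examples above concrete, here is an added example (written for this page, not OSSEC's own code) that parses <reports> blocks like the ones shown, checks that each has a <title> and at least one <email_to>, and then applies the filters and type="relation" pairs to a handful of constructed alert records. The alert record layout, the sample alerts, and the treatment of <category> and <categories> as aliases of <group> are assumptions of the example; OSSEC itself reads real alerts, not these dictionaries.

```python
"""Parse OSSEC-style <reports> blocks and apply them to constructed alerts.

Added example, not OSSEC code. The alert records below are invented for the
demonstration; the field names follow the options listed on the page.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Filter elements the page lists. <category>/<categories> are treated here as
# aliases of <group> (assumption based on the page's description).
ALIASES = {"category": "group", "categories": "group"}
FILTER_FIELDS = {"group", "rule", "level", "location", "srcip", "user"} | set(ALIASES)

# Both examples from the page, in one configuration (curly quotes fixed).
SAMPLE_CONFIG = """<ossec_config>
  <reports>
    <category>authentication_success</category>
    <user type="relation">srcip</user>
    <title>Daily report: Successful logins</title>
    <email_to>me@myemail.com</email_to>
  </reports>
  <reports>
    <category>syscheck</category>
    <title>Daily report: File changes</title>
    <email_to>me@myemail.com</email_to>
  </reports>
</ossec_config>"""

# Constructed alert records (not real OSSEC output). "group" holds the rule groups.
SAMPLE_ALERTS = [
    {"rule": "5715", "level": 3, "group": {"sshd", "authentication_success"},
     "location": "srv1->/var/log/auth.log", "srcip": "10.0.0.5", "user": "alice"},
    {"rule": "5715", "level": 3, "group": {"sshd", "authentication_success"},
     "location": "srv1->/var/log/auth.log", "srcip": "10.0.0.9", "user": "alice"},
    {"rule": "5715", "level": 3, "group": {"sshd", "authentication_success"},
     "location": "srv2->/var/log/auth.log", "srcip": "10.0.0.5", "user": "bob"},
    {"rule": "5716", "level": 5, "group": {"sshd", "authentication_failed"},
     "location": "srv2->/var/log/auth.log", "srcip": "10.0.0.5", "user": "bob"},
    {"rule": "550", "level": 7, "group": {"ossec", "syscheck"},
     "location": "srv1->syscheck", "srcip": None, "user": None},
]


def parse_reports(xml_text):
    """Return one spec per <reports> block: title, recipients, filters, relations."""
    root = ET.fromstring(xml_text)
    specs = []
    for rep in root.findall("reports"):
        spec = {"title": None, "email_to": [], "filters": {}, "relations": []}
        for child in rep:
            text = (child.text or "").strip()
            if child.tag == "title":
                spec["title"] = text
            elif child.tag == "email_to":
                spec["email_to"].append(text)
            elif child.tag in FILTER_FIELDS:
                field = ALIASES.get(child.tag, child.tag)
                if child.get("type") == "relation":
                    # <srcip type="relation">user</srcip> means: list users per srcip.
                    spec["relations"].append((field, ALIASES.get(text, text)))
                else:
                    spec["filters"][field] = text
            else:
                raise ValueError(f"unknown element <{child.tag}> in <reports>")
        if not spec["title"]:
            raise ValueError("every <reports> block needs a <title>")
        if not spec["email_to"]:
            raise ValueError(f"report {spec['title']!r} has no <email_to>")
        specs.append(spec)
    return specs


def alert_matches(alert, filters):
    """True when the alert satisfies every filter (group membership, exact match otherwise)."""
    for field, wanted in filters.items():
        value = alert.get(field)
        if field == "group":
            if wanted not in (value or ()):
                return False
        elif str(value) != wanted:
            return False
    return True


def build_report(spec, alerts):
    """Apply one spec: count matching alerts and build each key -> sorted values relation."""
    matched = [a for a in alerts if alert_matches(a, spec["filters"])]
    relations = {}
    for key, value in spec["relations"]:
        table = defaultdict(set)
        for a in matched:
            if a.get(key) is not None and a.get(value) is not None:
                table[a[key]].add(a[value])
        relations[(key, value)] = {k: sorted(v) for k, v in table.items()}
    return {"title": spec["title"], "email_to": spec["email_to"],
            "matched": len(matched), "relations": relations}


if __name__ == "__main__":
    for spec in parse_reports(SAMPLE_CONFIG):
        print(build_report(spec, SAMPLE_ALERTS))
```

Running the block prints one summary per <reports> block: the first matches the three successful logins and lists the source IPs seen per user, the second matches only the syscheck alert. A block without a <title> or without any <email_to> is rejected at parse time, which mirrors the rule stated above that every report needs both.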

Please try it out and let us know if you have suggestions or find any bugs…
