Reports options are available in the following installation types:
All reports options must be configured in the /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.
XML excerpt to show location:
<ossec_config>
  <reports>
    <!--
    Reports options here
    -->
  </reports>
</ossec_config>
reports
group
Filter by group/category.
Allowed: Any category used within OSSEC Rules.
categories
Filter by group/category.
Note
This is the same as the group option above.
Allowed: Any category used within OSSEC Rules.
rule
Rule ID to filter for.
Allowed: Any Rule ID in OSSEC Rules.
level
Alert level to filter for. This option is inclusive, so all higher-level alerts also match.
Allowed: Any Alert level 1 to 16
location
Filter by the log location or agent name.
Allowed: Any file path, hostname, or network.
srcip
Filter by the source IP of the event.
Allowed: Any hostname or network
user
Filter by the user name. This will match on either srcuser or dstuser.
Allowed: Any username
title
The name of the report.
This is a required field for reports to function.
Allowed: Any Text
email_to
The email address to send the completed report to.
This is a required field for a report to function.
Allowed: Any email address
showlogs
Include logs when creating the report.
Allowed: yes/no
Default: no
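A report that lacks title or email_to will not function, so it is worth checking every reports block before deploying a configuration. The linter below is an added example, not part of OSSEC or of the original page; it checks only the constraints stated on this page, assumes the file has no XML declaration, and the sample configuration, group name and email address are constructed.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("title", "email_to")   # the page marks both as required
LISTED = {"group", "categories", "rule", "level", "location", "srcip",
          "user", "title", "email_to", "showlogs"}   # options on this page
LEVEL_MIN, LEVEL_MAX = 1, 16       # allowed range as stated on this page

def lint_reports(conf_text):
    """Return (report_number, message) findings for every <reports> block."""
    # ossec.conf may hold several <ossec_config> roots, so wrap before parsing.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    findings = []
    for num, report in enumerate(root.iter("reports"), start=1):
        opts = {}
        for child in report:
            opts.setdefault(child.tag, []).append((child.text or "").strip())
        for name in REQUIRED:
            if not any(opts.get(name, [])):
                findings.append((num, f"missing required <{name}>"))
        for tag in sorted(set(opts) - LISTED):
            findings.append((num, f"<{tag}> is not an option listed on this page"))
        for val in opts.get("showlogs", []):
            if val not in ("yes", "no"):
                findings.append((num, f"showlogs must be yes or no, got {val!r}"))
        for val in opts.get("level", []):
            if not (val.isdecimal() and LEVEL_MIN <= int(val) <= LEVEL_MAX):
                findings.append((num, f"level {val!r} is outside {LEVEL_MIN}-{LEVEL_MAX}"))
    return findings

# Constructed sample: report 1 is complete, report 2 is misconfigured.
SAMPLE = """
<ossec_config>
  <reports>
    <group>authentication_failed</group>
    <level>10</level>
    <title>Daily report: authentication failures</title>
    <email_to>secops@example.com</email_to>
    <showlogs>yes</showlogs>
  </reports>
  <reports>
    <level>20</level>
    <showlogs>true</showlogs>
    <email_to>secops@example.com</email_to>
  </reports>
</ossec_config>
"""

if __name__ == "__main__":
    for num, msg in lint_reports(SAMPLE):
        print(f"reports block {num}: {msg}")
```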