
I need to send an email if the FortiGate firewall does not send a log to Wazuh for an hour. I tried some rules that ChatGPT generated but always end up with errors. The rule I used:

 <rule id="132000" level="10">
      <if_sid>44601,44602,44603,44604,44605,44606,44607,44608,44609,44610,44611,44612,44613,44614,44615,44616,44617,44618,44619,44620,44621,44623,44625,44626,44627,44628,44629,44630,44631,81606,81607,81608,81609,81610,81611,81612,81613,81614,81615,81616,81617,81618,81619,81620,81621,81622,81623,81624,81625,81626,81627,81628,81629,81630,81631,81632,81633,81634,81635,81636,81637,81638,81639,81640,81642,81643,81644,81645,81646</if_sid> 
      <!-- "received_at" and the "operator" attribute are not Wazuh rule syntax:
           a rule only matches fields of an event that has arrived, so it cannot
           express "no event for the last hour" -->
      <field name="received_at" operator="less_equal">-1h</field>
      <description>FortiGate Firewall Log Delay</description>
      <group>fortigate_log</group>
      <!-- "no_caching" and "no_alert" are not documented <options> values
           (valid ones include alert_by_email, no_email_alert, no_log, no_full_log, no_counter) -->
      <options>no_caching,no_alert</options>
      <program_name>FortiGate</program_name>
      <!-- <email_notification> is not a rule element; email recipients per rule
           are configured in ossec.conf under <email_alerts> -->
      <email_notification>
        <subject>Wazuh Alarm: FortiGate Firewall Log Delay</subject>
        <to>admin@test.com</to>
        <html>yes</html>
        <body>The FortiGate firewall is not sending logs. Log delay has occurred.</body>
      </email_notification>
    </rule>

1 Answer


I was analyzing the case, and in the Wazuh platform there is no way to alert about an unexecuted event.

In order to solve this requirement you need to apply an external solution, one option could be to build a script to collect the alerts and validate that, for the period of time you set, the alert in question was not executed.

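The external check the answer describes, as an added example that is neither the poster's nor Wazuh's own code: it reads alerts.json lines, keeps only alerts whose rule groups include "fortigate" (an assumption about the ruleset's group name; the sample alert lines are constructed, not real logs), and reports whether the newest one is older than the allowed gap. Sending the email is left to whatever cron/systemd timer runs the script.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of /var/ossec/logs/alerts/alerts.json lines (not real data).
SAMPLE_ALERTS = """
{"timestamp":"2024-05-01T09:10:00.000+0000","rule":{"id":"81606","groups":["fortigate"]},"agent":{"name":"fw-collector"}}
{"timestamp":"2024-05-01T09:40:00.000+0000","rule":{"id":"5501","groups":["pam","syslog"]},"agent":{"name":"srv1"}}
{"timestamp":"2024-05-01T09:55:00.000+0000","rule":{"id":"81620","groups":["fortigate"]},"agent":{"name":"fw-collector"}}
not valid json, e.g. a partially written line
"""


def parse_timestamp(ts):
    # Wazuh writes e.g. 2024-05-01T09:55:00.000+0000; %z accepts +0000 and +00:00
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def last_seen(lines, group="fortigate"):
    """Newest alert timestamp whose rule.groups contains `group`, or None."""
    latest = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated/partial lines instead of crashing
        if group not in alert.get("rule", {}).get("groups", []):
            continue
        ts = parse_timestamp(alert["timestamp"])
        if latest is None or ts > latest:
            latest = ts
    return latest


def is_silent(lines, now, max_gap=timedelta(hours=1), group="fortigate"):
    """True when no alert for `group` arrived within `max_gap` before `now`."""
    seen = last_seen(lines, group)
    return seen is None or (now - seen) > max_gap


if __name__ == "__main__":
    # In production: open("/var/ossec/logs/alerts/alerts.json") and datetime.now(timezone.utc)
    now = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)
    if is_silent(SAMPLE_ALERTS.splitlines(), now):
        print("ALERT: no FortiGate logs in the last hour, last seen", last_seen(SAMPLE_ALERTS.splitlines()))
```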