Issue with Wazuh Email Alerting

Dear Team,

I noticed some inconsistencies with the Wazuh email alert. I was trying to generate a separate alert so that it wouldn't be displayed as a grouped email alert hence, I added the <do_not_group/> tag. Below is the configuration I made in my manager's ossec.conf file:

<ossec_config>
  <global>
     -------------------------------------------------
    --------------------------------------------------
    --------------------------------------------------
    <email_notification>yes</email_notification>
    <smtp_server>IP_ADDRESS</smtp_server>
    <email_from>EMAIL_ADDRESS</email_from>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
     ------------------------------------------------------
     ------------------------------------------------------
     ------------------------------------------------------
  </global>

<email_alerts>
  <email_to>EMAIL_ADDRESS</email_to>
  <!-- <event_location>DESKTOP-IVRFJB0</event_location> -->
  <rule_id>553</rule_id>
  <do_not_group/>
</email_alerts>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>4</email_alert_level>
  </alerts>
  --------------------------------------------------------
  --------------------------------------------------------
  --------------------------------------------------------
<ossec_config>

On the agent section, I referenced the path I want to monitor with the below configuration:

<directories realtime="yes" check_all="yes">C:\Users\denre\Downloads\tFolder</directories>

With my above configuration, I deleted a file to trigger the syscheck delete alert. When I checked my mail, I saw that it still added the alert as part of a group (PDF of sample emails attached):

Wazuh email alert.pdf

Also, I noticed that if I remove the <event_location> tags, I won't receive any mail again.

Kindly assist in investigating this further.

wazuh / wazuh

Issue with Wazuh Email Alerting #28078