<email from> in ossec.conf


Prachi Katakwar

Oct 15, 2023, 2:07:40 PM
to Wazuh mailing list

Hi Team,

We are using Wazuh version 4.3.10 with an Elastic Stack basic license.

A very strange thing is happening: whenever I try to change <email_from> in ossec.conf and restart the Wazuh manager, the email notifications stop working.

And when I change <email_from> in ossec.conf back to the previous value and restart the Wazuh manager, the email notifications start working again.

Totally strange!!! Do we need to change <email_from> anywhere else apart from ossec.conf?

Can't see any error logs related to the mail ID...

BR

//Prachi

 

Stuti Gupta

Oct 16, 2023, 12:40:37 AM
to Wazuh | Mailing List
Hi Prachi,
Hope you are doing well today, and thank you for using Wazuh.

To set up email you need to follow the steps given in this document: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/smtp-authentication.html. You can use a relay server, like Postfix; please follow the instructions given there.
We also recommend upgrading Wazuh; the current version is 4.5.3. To upgrade, please follow https://documentation.wazuh.com/current/upgrade-guide/elasticsearch-kibana-filebeat/upgrading-elastic-stack.html

Hope this helps.
Regards,

Prachi Katakwar

Oct 16, 2023, 3:45:19 AM
to Stuti Gupta, Wazuh | Mailing List

Hi Stuti,

Thank you for the quick reply.

Yes, I have read all this documentation over the weekend; we have a separate SMTP server, so that is perfectly fine. The thing is, in ossec.conf, just changing <email_from> from servername.domain to servername@domain stops the email notifications.

If I change it back to servername.domain, the email notifications start coming again.

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>relay server</smtp_server>
    <email_from>servername@domain</email_from>
    <email_to>abc</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>
</ossec_config>

If I do cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

Also, in /var/log/ the maillog is empty.

Now I am literally so curious why such a small change to <email_from> has stopped the emails!! Is there any process stuck?

BR

//Prachi


Stuti Gupta

Oct 17, 2023, 11:31:32 PM
to Wazuh | Mailing List
Hello Prachi

We also recommend upgrading Wazuh; the current version is 4.5.3. To upgrade, please follow https://documentation.wazuh.com/current/upgrade-guide/elasticsearch-kibana-filebeat/upgrading-elastic-stack.html
The relay server requires the email_from address to be a valid email address. If the SMTP server has an authentication method, you will need to follow the steps explained here, because Wazuh mail doesn't support this feature and you will have to use Postfix.

Finally, to get more information about the mail daemon, you can follow the next steps:

Kill the mail daemon running process: pkill -f wazuh-maild
Start the daemon with the debug mode: /var/ossec/bin/wazuh-maild -dd
With this, the mail daemon will print the debug messages in the file /var/ossec/logs/ossec.log. Please share the ossec.log file as an attachment in text format (again, hiding any sensitive information).

Regards,

Prachi Katakwar

Oct 20, 2023, 5:54:42 AM
to Stuti Gupta, Wazuh | Mailing List

Hi Stuti and Team,

Below are my findings. For the last week I have literally been scratching my head; please help me, Stuti and team.

If anyone else in the group has any idea, please respond!!!

  1. The document you mentioned is for the Gmail domain; we are not using the Gmail domain. Ours is a separate mailhost server in the same domain as our Wazuh server. (https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/smtp-authentication.html)

Name of Wazuh server: wazuh.domainname

Name of SMTP server: mailhost.domainname

We have been using wazuh.domainname as <email_from> for the last 3 years and have been getting emails with no issues. Last week I just changed it to wazuh@domainname (just added @) and the emails stopped coming. Now if I put anything in <email_from> without @ the emails are fired, but as soon as I add @ in <email_from> the emails stop coming. It seems the problem is not with the SMTP server; the problem is with appending @ in <email_from>, and the emails are stopped.

  2. The strange thing is, only once since last week the email came from wazuh@domainname, but after that it never came.
  3. Now I have installed postfix referring to the document, but in Steps 1 and 3 I gave the below commands without a password, and the port is 25:

relayhost = [mailhost.domainname]:25
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes

echo [mailhost.domainname]:25 wazuh@domainname> /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
chmod 400 /etc/postfix/sasl_passwd

Still not getting emails from Wazuh.

  4. Attached are ossec.conf, ossec.log, and a screenshot of the below command.

BR

//Prachi
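The main.cf settings and the sasl_passwd line in the post above disagree with each other: smtp_sasl_auth_enable is yes, but the credential line carries a username and no password. The following Python script is an added example (not part of this thread, and not Wazuh or Postfix code) that parses both files and reports that kind of mismatch before Wazuh is pointed at the relay. It assumes Python 3 with the standard library only; the main.cf and sasl_passwd samples are constructed from the lines quoted above, and the password value is a placeholder. The relayhost lookup is a simplification of Postfix's behaviour: it matches the exact relayhost string, then the bracketed host without the port.

```python
# Constructed samples mirroring the main.cf settings and sasl_passwd line posted above.
MAIN_CF = """\
relayhost = [mailhost.domainname]:25
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes
"""
MAIN_CF_NO_AUTH = MAIN_CF.replace("smtp_sasl_auth_enable = yes", "smtp_sasl_auth_enable = no")
SASL_PASSWD_NO_SECRET = "[mailhost.domainname]:25 wazuh@domainname\n"  # as posted: no password
SASL_PASSWD_OK = "[mailhost.domainname]:25 wazuh@domainname:PLACEHOLDER_SECRET\n"  # user:password


def parse_main_cf(text):
    """Return 'key = value' lines as a dict, ignoring comments and blank lines."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def parse_sasl_passwd(text):
    """Return {lookup_key: credential} from a sasl_passwd source file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries[parts[0]] = parts[1] if len(parts) > 1 else ""
    return entries


def check_relay_auth(main_cf_text, sasl_passwd_text):
    """Return a list of findings; an empty list means main.cf and sasl_passwd agree."""
    params = parse_main_cf(main_cf_text)
    creds = parse_sasl_passwd(sasl_passwd_text)
    findings = []
    relayhost = params.get("relayhost", "")
    if not relayhost:
        findings.append("relayhost is not set; Postfix will deliver directly via MX lookups")
    sasl_on = params.get("smtp_sasl_auth_enable", "no").lower() == "yes"
    if sasl_on:
        if "smtp_sasl_password_maps" not in params:
            findings.append("smtp_sasl_auth_enable = yes but smtp_sasl_password_maps is not set")
        # Simplified lookup: exact relayhost string first, then the bracketed host without port.
        cred = creds.get(relayhost)
        if cred is None:
            cred = creds.get(relayhost.split(":")[0])
        if cred is None:
            findings.append(f"no sasl_passwd entry for relayhost {relayhost}")
        elif ":" not in cred:
            findings.append(
                f"sasl_passwd entry for {relayhost} has no password; expected user:password, "
                "or set smtp_sasl_auth_enable = no if the relay needs no authentication")
    elif creds:
        findings.append("sasl_passwd has entries but smtp_sasl_auth_enable is not yes; they are ignored")
    return findings


if __name__ == "__main__":
    for label, cf, pw in (("as posted", MAIN_CF, SASL_PASSWD_NO_SECRET),
                          ("with password", MAIN_CF, SASL_PASSWD_OK),
                          ("auth disabled", MAIN_CF_NO_AUTH, "")):
        print(label, "->", check_relay_auth(cf, pw) or "ok")
```

On a real host the two inputs would be read from /etc/postfix/main.cf and /etc/postfix/sasl_passwd (the source file, not the .db that postmap writes). For an unauthenticated relay on port 25, the consistent fix the checker points to is turning SASL off rather than leaving a credential line without a secret.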

Stuti Gupta

Oct 20, 2023, 6:13:16 AM
to Wazuh | Mailing List
Hi Prachi,
Thank you for reaching out to us. We understand that you are experiencing issues with email notifications when changing the <email_from> parameter in the ossec.conf file.
To troubleshoot this issue, we recommend checking the following:
  1. Verify that the SMTP server configuration is correct in the ossec.conf file. Ensure that the <smtp_server> parameter is set to the correct relay server.
  2. Ensure that the maillog file (/var/log/maillog) is not empty. If it is empty, there might be an issue with the email server or the email delivery process.
If none of the above steps resolve the issue, please provide us with more details about your environment, such as the operating system, Wazuh version, and any relevant log files. This will help us further investigate the issue and provide you with a more accurate solution.

As you can see, there is the error "ERROR: date or location not NULL", and I have found a possible solution. Let's try modifying the following line in the ossec.conf file:

<email_log_source>alerts.log</email_log_source>

to:

<email_log_source>alerts.json</email_log_source>

After this change has been made, restart:

service wazuh-manager restart

If the error persists after changing the alerts to .json format, try removing that line from the configuration.

This error should be fixed in the latest versions of Wazuh. I hope this solves the problem; otherwise I look forward to your response to further investigate the error, knowing the version of Wazuh you use.

More information:

We also recommend upgrading Wazuh; the current version is 4.5.3. To upgrade, please follow https://documentation.wazuh.com/current/upgrade-guide/elasticsearch-kibana-filebeat/upgrading-elastic-stack.html

Hope this helps

Prachi Katakwar

Oct 20, 2023, 2:56:45 PM
to Stuti Gupta, Wazuh | Mailing List

Hi Stuti and team,

Only last week we upgraded Wazuh from 4.3.10 to 4.5.3.

I have also gone through all the links you shared in the mail trail last week and tried changing alerts.log to alerts.json, but nothing worked.

Just now I removed this line from the configuration, but I am still not getting emails if we append @ in <email_from>. Also, the maillog only came into the picture when postfix was installed; before that there was no maillog, only the mail directory in /var/log.

At the moment, I stopped postfix and changed <email_from> to testmail.com, and immediately the email was fired. I am 99% sure it's nothing to do with postfix or the SMTP server; otherwise the email would not have come.

Attached is the email from testmail.com.

We are using a VM (CentOS 8 Stream) on which Wazuh is installed.

Please let me know what logs you need for the investigation.

BR

//Prachi


Stuti Gupta

Oct 23, 2023, 12:38:28 AM
to Wazuh | Mailing List
Hi again.

The provided configuration isn't an SMTP relay. SMTP relays forward emails to other mail servers, often for internal-to-external communication. In this setup, Wazuh attempts to send emails directly to the recipient's mail server. If both are on the same network or connected through a relay host, it works without an SMTP relay.
However, if the recipient's mail server is external or not directly reachable, configuring an SMTP relay becomes essential. The configuration specifies a specific SMTP server (<smtp_server>) and includes email-related settings. Still, it lacks elements of a full SMTP relay setup. However, if the recipient's mail server is not on the same network as the Wazuh manager, or if the Wazuh manager cannot connect to the recipient's mail server using a relay host, then Wazuh will be unable to send emails.
Remember, SMTP relays act as intermediaries, forwarding emails. If Mydomain reliably delivers emails from Wazuh, it's acting as an SMTP server without the need for a separate relay.
The provided configuration is not for an SMTP relay. It's for Wazuh to send emails using a specified SMTP server (Mydomain). This setup works if Mydomain accepts emails from your Wazuh manager and forwards them to the recipient's mail server.

Hope this helps,
Regards.
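The explanation above separates two questions that the thread keeps running together: whether <email_from> and <email_to> are well-formed addresses, and whether the server named in <smtp_server> will actually accept that sender/recipient pair from the manager. The following Python script is an added example (not from this thread, the Wazuh project, or its documentation) that checks both: it lints the <global> mail settings, then opens an SMTP session to the configured server and walks the envelope (EHLO, MAIL FROM, RCPT TO) before resetting the transaction, so the relay's own verdict on the sender is visible without any alert being delivered. It assumes Python 3 with the standard library only; the ossec.conf fragment, the hostnames and addresses, and the FakeRelay class are constructed so the example runs offline, with 127.0.0.1 standing in for the relay host.

```python
import re
import smtplib
import socket
import threading
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <global> block posted above; hostnames and
# addresses are placeholders and 127.0.0.1 stands in for the relay host.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>wazuh@domainname.example</email_from>
    <email_to>soc@domainname.example</email_to>
    <email_maxperhour>12</email_maxperhour>
  </global>
</ossec_config>
"""
# Pragmatic user@domain.tld check; a bare hostname such as wazuh.domainname fails it.
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAIL_KEYS = ("email_notification", "smtp_server", "email_from", "email_to")


def parse_mail_settings(xml_text):
    """Return the mail-related <global> settings as a dict of stripped strings."""
    glob = ET.fromstring(xml_text).find("global")
    if glob is None:
        raise ValueError("ossec.conf has no <global> block")
    return {key: (glob.findtext(key) or "").strip() for key in MAIL_KEYS}


def lint_mail_settings(settings):
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    if settings["email_notification"] != "yes":
        problems.append("email_notification is not 'yes'")
    if not settings["smtp_server"]:
        problems.append("smtp_server is empty")
    for key in ("email_from", "email_to"):
        if not ADDR_RE.match(settings[key]):
            problems.append(f"{key} '{settings[key]}' is not of the form user@domain.tld")
    return problems


def smtp_envelope_check(host, port, mail_from, rcpt_to, timeout=5):
    """EHLO, MAIL FROM, RCPT TO, then RSET and QUIT: no message body is ever sent."""
    with smtplib.SMTP(host, port, local_hostname="wazuh.example", timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(mail_from)
        if code != 250:
            return False, f"MAIL FROM rejected: {code} {msg.decode(errors='replace')}"
        code, msg = smtp.rcpt(rcpt_to)
        if code not in (250, 251):
            return False, f"RCPT TO rejected: {code} {msg.decode(errors='replace')}"
        smtp.rset()  # abandon the transaction so the relay queues nothing
        return True, "relay accepts the envelope"


class FakeRelay(threading.Thread):
    """Constructed minimal SMTP responder so the probe can run offline; one session."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        conn.sendall(b"220 fake.relay ESMTP\r\n")
        with conn.makefile("rb") as lines:
            for raw in lines:
                cmd = raw.decode(errors="replace").strip().upper()
                if cmd.startswith("EHLO"):
                    conn.sendall(b"250-fake.relay\r\n250 SIZE 10240000\r\n")
                elif cmd.startswith("QUIT"):
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    break
                else:
                    conn.sendall(b"250 2.0.0 Ok\r\n")
        conn.close()
        self.sock.close()


def run_preflight(xml_text, port=25):
    """Lint the config, then probe the configured smtp_server; return both results."""
    settings = parse_mail_settings(xml_text)
    problems = lint_mail_settings(settings)
    accepted, detail = smtp_envelope_check(
        settings["smtp_server"], port, settings["email_from"], settings["email_to"])
    return problems, accepted, detail


if __name__ == "__main__":
    relay = FakeRelay()
    relay.start()
    print(run_preflight(SAMPLE_OSSEC_CONF, port=relay.port))
```

Run from the manager host against the real <smtp_server> on port 25, a 5xx reply to MAIL FROM is the relay refusing the sender address itself, which is the case the explanation above describes; a timeout or connection refusal means the relay is not reachable from the manager at all, which no change to <email_from> can fix. Because the session ends with RSET and QUIT, the probe leaves nothing in the relay's queue.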

Prachi Katakwar

Oct 23, 2023, 8:30:26 AM
to Stuti Gupta, Mauro Pedano, Sandra Ocando, Wazuh | Mailing List

Hi Stuti/Mauro/Sandra,

Sorry to bother you all, but I hope you try to understand my problem, and as I have worked with Mauro and Sandra I am curious to know their insights.

We have a CentOS 8 Stream VM, on which we have installed Wazuh version 4.5.3 with a basic Elasticsearch licence.

Problem Statement:

Name of Wazuh server: wazuh.domainname

Name of SMTP server: mailhost.domainname

We have been using wazuh.access.domainname as <email_from> for the last 3 years and have been getting emails with no issues. Last week I just changed it to wa...@access.domainname (just added @) and the emails stopped coming. Now if I give anything in <email_from> without @ the emails are fired, but as soon as I add @ in <email_from> the emails stop coming. It seems the problem is with appending @ in <email_from>, and the emails are stopped. Both Wazuh and SMTP are in the same domain and network as well.

Investigation:

  • Changed <email_log_source> from alerts.log to alerts.json, but nothing happened, so I have now changed it back to alerts.log. The strange thing is, if I give the command

cat alerts.json | grep '"mail":true'

the event will come, but the email won't be fired, provided <email_from> is wa...@access.domainname.

The email would be fired only if I give <email_from> as wazuh.access.domainname, or anything without @.

  • Also tried removing the <email_log_source> line from ossec.conf, but no results.
  • Installed postfix/sendmail (referring to the Wazuh documentation), but no results.
  • Yesterday uninstalled and reinstalled only the Wazuh manager, but no results.
  • On giving this command: cat /var/ossec/logs/ossec.log | grep ERROR

  • Also, if I give cat /var/log/messages | grep ERROR, here I could see a segfault:

Oct 23 04:36:53 sekaissecdetection kernel: aex-pluginmanag[107708]: segfault at 8 ip 00007fe1def7d3b1 sp 00007fe1dfcc9470 error 4 in libaps.so.1.0[7fe1deef2000+140000]
Oct 23 04:36:58 sekaissecdetection kernel: aex-pluginmanag[107840]: segfault at 8 ip 00007fe66d9e73b1 sp 00007fe66e733470 error 4 in libaps.so.1.0[7fe66d95c000+140000]
Oct 23 04:37:03 sekaissecdetection kernel: aex-pluginmanag[107852]: segfault at 8 ip 00007fb3e10133b1 sp 00007fb3e1d5f470 error 4 in libaps.so.1.0[7fb3e0f88000+140000]
Oct 23 04:37:08 sekaissecdetection kernel: aex-pluginmanag[107864]: segfault at 8 ip 00007f21d6b663b1 sp 00007f21d78b2470 error 4 in libaps.so.1.0[7f21d6adb000+140000]
Oct 23 04:37:14 sekaissecdetection kernel: aex-pluginmanag[107876]: segfault at 8 ip 00007fa1e3f113b1 sp 00007fa1e4c5d470 error 4 in libaps.so.1.0[7fa1e3e86000+140000]
Oct 23 04:37:19 sekaissecdetection kernel: aex-pluginmanag[107930]: segfault at 8 ip 00007ffa1c7b33b1 sp 00007ffa1d4ff470 error 4 in libaps.so.1.0[7ffa1c728000+140000]
Oct 23 04:37:24 sekaissecdetection kernel: aex-pluginmanag[107943]: segfault at 8 ip 00007f9a467293b1 sp 00007f9a47475470 error 4 in libaps.so.1.0[7f9a4669e000+140000]
Oct 23 04:37:29 sekaissecdetection kernel: aex-pluginmanag[107955]: segfault at 8 ip 00007f81421383b1 sp 00007f8142e84470 error 4 in libaps.so.1.0[7f81420ad000+140000]
Oct 23 04:37:35 sekaissecdetection kernel: aex-pluginmanag[107966]: segfault at 8 ip 00007efc2348c3b1 sp 00007efc241d8470 error 4 in libaps.so.1.0[7efc23401000+140000]

  • Attached is the ossec.conf; please guide!!!

Prachi Katakwar

Oct 24, 2023, 9:33:40 AM
to Wazuh mailing list, Stuti Gupta, Sandra Ocando

Hi Wazuh Team,

Please, it's a request: can someone help me with this? For the last 2 weeks I have been struggling; I did end-to-end troubleshooting but am not able to articulate what the problem is.

I am not getting any emails if I append @ in <email_from> in ossec.conf, meaning if I give <email_from> as testmail.com the emails will be fired, irrespective of whether postfix is installed or not... but if I change it to testmail@com the email won't come. So strange!!

My Wazuh is upgraded to 4.5.3, and also, after reading so many links, I installed postfix as well.

My email_log_source is alerts.log; when I do cat alerts.log | grep mail, the alert is generated as mail but is not coming into my email box.

Also, if I check /var/log/maillog, nothing is generated in terms of alerts; I mean it shows the normal postfix started/stopped entries but nothing related to an alert.

Also, if I do cat /var/ossec/logs/ossec.log | grep ERROR, there is nothing related to wazuh-maild.

Could see a segfault in /var/log/messages.

Prachi Katakwar

Oct 24, 2023, 3:43:57 PM
to Stuti Gupta, Wazuh mailing list, Sandra Ocando

Hi Stuti and Team,

Finally I am able to solve the problem by using the SMTP configuration in the Wazuh documentation. Although both Wazuh and the mailhost server are in the same domain, simply putting the mailhost in <smtp_server> in ossec.conf doesn't work.

Thank you Stuti, your explanation in the mail trail regarding the SMTP relay is very nice; after reading it with a cool mind I understood your point😊

Now with that, just one last question... in the maillog on both the Wazuh server and our mailhost server, the status of the email is coming as queued for delivery. Any pointers??

Happy Dusshera😊

Stuti Gupta

Oct 24, 2023, 11:07:03 PM
to Wazuh | Mailing List
Hi Prachi,
Sorry for the late response.
This status message is a positive confirmation from the receiving mail server. It acknowledges that the email has been accepted and is now in the process of being delivered to the recipient's mailbox. The email has been assigned a unique identifier (7726180) for tracking purposes within the mail server's queue. This message is indicative of normal and expected behavior in the email delivery process. It means that the email has successfully cleared initial checks and has been queued for further processing and eventual delivery to the recipient.

Hope this helps
Regards,