how to add geoip info in wazuh alert emails

[mauro....@cmcc.it]

Hi all,

do you know if I can add geoip information in the wazuh alert emails content?

At this moment, I can see only the IP address.

I just added maild.geoip=1 in local_internal_options.conf and restarted the manager, but nothing changed.

Thank you in advance,

Mauro

[Julia Magan Rodriguez]

Hello,
For seeing geoip information in the wazuh alert emails you also need to enable analysisd.geoip_jsonout in your internal options, so the geoip information is written in alerts.json. You can check how to configure this option here.
Regards.

​

[Mauro Tridici]

Hello Julia,

thank you very much for your answer.

Unfortunately, it seems that it is not working as expected.

I received the alert emaiil only with the srcip, with no additional geoip info.

This is my local internal options:

# local_internal_options.conf

#

# This file should be handled with care. It contains

# run time modifications that can affect the use

# of OSSEC. Only change it if you know what you

# are doing. Look first at ossec.conf

# for most of the things you want to change.

#

# This file will not be overwritten during upgrades.

#

maild.geoip=1

analysisd.geoip_jsonout=1

Do I need to change these values in internal_options.conf file too?

Thank you,

Mauro

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/7a8PwSOj13I/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/19f37bfd-80fc-4fcb-ba2f-0a4ab829b3c9n%40googlegroups.com.

[Julia Magan Rodriguez]

Hello,
Sorry for the late response, I was trying to reproduce the use case to find the solution.
You don’t need to change the configuration in /var/ossec/etc/internal_options.conf too. The difference between /var/ossec/etc/internal_options.conf and /var/ossec/etc/local_internal_options.conf is that the first one will be overwritten during upgrades, in order to maintain custom changes, you must use the /var/ossec/etc/local_internal_options.conf file.
For receiving GeoIP information in your alerts and then in your email, it is necessary to install wazuh from sources and then compile it with TARGET=server USE_GEOIP=yes.

yum install make cmake gcc gcc-c++ python3 python3-policycoreutils automake autoconf libtool
curl -Ls https://github.com/wazuh/wazuh/archive/v4.1.5.tar.gz | tar zx
cd wazuh-*
cd src
make deps
make TARGET=server USE_GEOIP=yes
cd ../
./install.sh

Then you will need to add a database with the GeoIP information, you can see how it's done here: https://github.com/wazuh/wazuh/issues/4053#issuecomment-541069384
Finally, you will need to configure the email and wazuh as you got it before. Remember to add at /var/ossec/etc/local_internal_options.conf:

analysisd.geoip_jsonout=1
maild.geoip=1

And in /var/ossec/etc/ossec.conf you will need to add:

<global>
   ...
   ...
   <geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>
</global>

<alerts>
   ...
   ...
   <use_geoip>yes</use_geoip>
</alerts>

Regards.

​

[Mauro Tridici]

Hello Julia,

many thanks for your detailed answer.

I really appreciated it.

Unfortunately, I installed Wazuh server using all-in-one unattended installation.

So, I think that I have to start all over again :( (installation, configuration, tuning and so on…).

I see that you use “yum”, what is your OS distro version?

In any case, thanks fore the time you spent for me.

Kind Regards,

Mauro

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7fa3f1ac-054d-491a-b02b-b63f9cc6baa1n%40googlegroups.com.

[Julia Magan Rodriguez]

Hello,

I used yum just for the example, it works on RPM-based Linux distributions (redhat, fedora, centos, etc.). You can see the specific command for more OS here: https://documentation.wazuh.com/current/installation-guide/more-installation-alternatives/wazuh-from-sources/wazuh-server/index.html

Regards.

​