Email Notifications and Critical Alerts
Narasimha Naidu B
Hi Team,
We would like to configure email notifications to receive only critical alerts. Could you please assist us in setting this up correctly?
Additionally, we need a daily report of all critical alerts generated, to be sent via email at the end of each day.
LEGAL DISCLAIMER: By including any personal data in your response to this email, you are freely consenting to this being used and stored by us for the purpose of service delivery. Any email and files/attachments transmitted with it may be confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose the information it contains. Please notify us immediately and delete the message from your system. 42Gears is committed to your privacy. To understand more about how we collect, store, and process your personal information, please take a look at our Privacy Notice.
Bony V John
Hi,
You can refer to the Wazuh email alert configuration documentation for configuring email alerts for critical alerts. In this documentation, Postfix is used to act as a server relay. You need to install Postfix on the Wazuh manager and set up the SMTP server on the Wazuh manager server.
Follow the steps until step 8, and then modify the <email_alert_level> tag value based on the alert rule level for which you want to receive email alerts. For example, if you need to receive email alerts for rule level 12 and above, set the <email_alert_level> value to 12.
You can also use other filters, such as the <group> tag or <rule_id> tag, to set conditions for sending email alerts.
For the daily email report for critical alerts, you can refer to the Wazuh report configuration documentation. You can follow the guidance to configure the Wazuh manager to send a daily report by email in text format.
For example, if you need to send a daily report of critical alerts with rule level 12 and above, add the configuration below to the Wazuh manager ossec.conf file:
<title>Critical Alerts</title>
<level>12</level>
<email_to>reci...@example.wazuh.com</email_to>
<showlogs>yes</showlogs>
</reports>
Then restart the Wazuh manager to apply the configuration. Every night, it will send a daily critical alerts report by email in text format.
If you want to send the daily critical alerts email report in PDF format, then you can refer to the Wazuh integration repository configuration guidance. There, a custom dashboard is used to generate a PDF report. So, you need to create a custom dashboard for critical alerts and add the dashboard permalink in the custom script to automatically send the daily critical alerts PDF report.
Please let me know if you have any further questions or face any issues.
Narasimha Naidu B
Currently, I have configured it as follows:
We are using Gmail for communication. I have installed Postfix and configured SMTP to use 127.0.0.1. I have also set the rule level to 12 and configured the decoders. After this setup, we started receiving email notifications.However, we are not receiving critical alerts on the wazuh dashboard. Could you please check and help us resolve this issue?
</group>
<group name="critical_events,">
<rule id="100300" level="12">
<if_sid>550</if_sid>
<description>CRITICAL: File integrity change detected</description>
</rule>
<rule id="100301" level="12">
<if_sid>5760</if_sid>
<description>CRITICAL: SSH authentication failure detected</description>
</rule>
<rule id="100302" level="13">
<if_sid>5403</if_sid>
<description>CRITICAL: Suspicious sudo activity</description>
</rule>
</group>
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/190e3f36-6acc-45ec-8fda-a7076c383d0cn%40googlegroups.com.
Bony V John
Apologies for the late response. Have you set the <email_alert_level> tag value in the Wazuh manager /var/ossec/etc/ossec.conf file as 12 or lower to send email alerts for alerts with rule level 12 and above?
If not, please set the <email_alert_level> value to 12 or lower.
Then restart the Wazuh manager service to apply the changes:
Ensure that these rules are triggering correctly and showing on the dashboard.
For further analysis, could you please share the Wazuh manager ossec.conf file with us? This will help us verify your configuration.
Also, please share the mail log from the Wazuh manager server, located at: /var/log/maillog
Narasimha Naidu B
Hi Bony,
Thanks for your support. I have made the changes in OSSEC as per the document, and I am now receiving email alerts.
However, I need some help here. The vulnerability detector alerts are triggering at rule level 3. If I set the level above 3, I start receiving all FIM-related alerts, which I do not require. I only want all the high and critical alerts to be sent via email.
Could you please help me configure this properly?
To view this discussion visit https://groups.google.com/d/msgid/wazuh/1678d351-90af-47f1-9fa7-9bda68f4ac06n%40googlegroups.com.
Bony V John
I understand your requirement. You can update the ossec.conf file as shown below:
First, remove the <email_to> configuration from the <global> tag. Then add the following configurations to send email alerts for vulnerability alerts and for alerts with rule level 12 and above.
For vulnerability alerts:
<email_to>y...@example.com</email_to>
<group>vulnerability-detector</group>
</email_alerts>
This will send all vulnerability alerts to y...@example.com. Replace it with your actual email address.
For alerts with rule level 12 and above:
This configuration will send alerts with rule level 12 and above.
Narasimha Naidu B
Thanks for the reply,
I have tried the configuration, but emails are still not being sent. Could you please review the screenshots below and let me know if anything needs to be changed?
To view this discussion visit https://groups.google.com/d/msgid/wazuh/506e1adc-24fb-46fc-9fa3-2188ee3c3861n%40googlegroups.com.
Bony V John
Hi,
It seems you created another custom child rule for the vulnerability alerts, and that custom rule does not exist in the vulnerability-detector rule group. That is why you are not receiving the email alert. I replicated the same configuration on my end, and it is working fine.
In your ossec.conf file, make the following change:
Remove the <email_to> tag instead of commenting it out.
In your environment, you created custom rules for critical alerts and grouped them under the critical_alerts rule group for all level 12 and vulnerability alerts that you want to receive by email. So you can remove both existing <email_alerts> tags from the configuration and use the below configuration instead:
This will send all alerts triggered under the critical_alerts rule group.
Restart the Wazuh manager service:
Bony V John
Based on the last shared details, it seems you have created custom rules for the alerts that you want to receive by email. In this case, we can use a rule group to configure email alerts for critical alerts.
You can use a rule group name such as critical_alerts and add all custom rules that you consider critical into that rule group. For that, add the <group> tag inside the rules you want to receive email alerts for.
For example:
<rule id="100234" level="3">
<if_sid>5760</if_sid>
<description>The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored.</description>
<group>critical_alerts,</group>
</rule>
</group>
In the above configuration, the rule ID 100234 is added to the critical_alerts group. Similarly, you can assign multiple rules to the same group. You can also add the group name in the main <group name=""> tag if you want it to apply to all rules inside that rule file.
You can refer to the Wazuh rules syntax documentation for more details.
Then restart the manager:
This will send email alerts for rules that trigger with the critical_alerts rule group.
If you want to send email alerts for default rules as well, you can add those rule group names in the <group> tag in the email alert configuration, separated by commas. You can refer to the Wazuh email alert configuration documentation for more details.
Narasimha Naidu B
I have configured the email alerts as suggested, and they are working fine. Currently, the alerts are being generated based on rule levels. However, some high-severity vulnerabilities are appearing under lower alert levels. Could you please help us understand how we can configure Wazuh to send email alerts specifically for critical and high vulnerabilities regardless of the rule level?
Additionally, I have configured the daily email report, and it is working successfully. However, the report is not very clear and is difficult to understand. Is there any way to receive a more visualized or user-friendly report/dashboard for easier analysis and monitoring?
To view this discussion visit https://groups.google.com/d/msgid/wazuh/d34b06c3-6440-4b8c-bc8c-332099c5193bn%40googlegroups.com.
Bony V John
Hi,
Apologies for the late response.
For email alerts, you can check the following points:
Ensure that you have removed the <email_to> configuration from the <global> tag. Also, decrease the default <email_alert_level> value from 12 to 3. This will allow alerts with rule level 3 and above to be eligible for email alerts. Then, you can use the <email_alerts> block to send alerts based on specific conditions.
For critical alerts, you have different options depending on your requirement.
- To send alerts based on specific rule groups:
<email_to>y...@example.com</email_to>
<group>vulnerability-detector,ssh,critical_alerts</group>
</email_alerts>
The above configuration works based on rule group names. When any alert is triggered with one of the listed rule groups, Wazuh will send an email alert.
You can find the rule group names of the alerts you want to send and add them in the <group> tag. You can also create a specific rule group, such as critical_alerts, for the rules that should trigger email alerts, and then add that rule group name in the <group> tag.
- To send alerts based on rule IDs:
<email_to>y...@example.com</email_to>
<rule_id>100301,100302,100001</rule_id>
</email_alerts>
This condition works based on rule IDs. When an alert is triggered by any rule in that list, Wazuh will send an email alert. You can identify the rule IDs you want to send as email alerts and configure them in the <rule_id> tag.
- To send alerts based on rule level:
This condition works based on the <level> tag. It will send email alerts for rules with level 12 and above. You can configure the level based on when you want to receive email alerts.
In your case, I recommend using <rule_id> or <group> filtering to send email alerts based on your requirement. You can refer to the Wazuh email alerts configuration documentation for more details.
Regarding email reports, as you mentioned, the default email report is in text format. If you want to send the daily critical alerts email report in PDF format, then you can refer to the Wazuh integration repository configuration guidance. There, a custom dashboard is used to generate a PDF report. So, you need to create a custom dashboard for critical alerts and add the dashboard permalink in the custom script to automatically send the daily critical alerts PDF report.