problem email not send alerts

[zaydwazuh]

hello

please can any one help me, I use wazuh_docker and I installed postfix in root and my gmail received postfix email test  but wazuh did not send any alerts to my gmail. In addition how I configure wazuh  ossec.conf and restart wazuh manager without lost configuration details.

[Jorge Alberto Marino]

Hello, I will be taking care of this community issue.

There are general email settings to setup. Please check manual email report link first.
To see all of the available email configuration options, go to the global section.

There are specific settings to setup a SMTP server with auth via Postfix here.

Note

The password must be an App Password. App Passwords can only be used with accounts that have 2-Step Verification turned on.

Can you please share your configuration to provide specific troubleshooting as well as the output of:

grep '"mail":true' /var/ossec/logs/alerts/alerts.json

If no results are shown this indicates that no alerts are meeting the criteria to be sent via e-mail.

You may also look for any error messages from the Wazuh mail daemon:

grep mail /var/ossec/logs/ossec.log

And information within the maillog. Thank you. I'll keep expecting these results.

grep -i error /var/log/maillog

[Jorge Alberto Marino]

Hello,

Please send email answers to the group, not private so the community can benefit from this.

Could you share the ossec.conf file section regarding email please?

What Operating System ?

Thank you

> Thanks a lot for your reply
> I did the postfix setting and I did not have any problem with postfix and I checked it for sending email and i received email in my gmail . Also, I configured the wazuh ossec.conf file for mail but the problem wazuh did not send any email. when I used the commands that  you send to check the messages are
> grep: /var/ossec/logs/alerts/alerts.json: No such file or directory
> grep: /var/ossec/logs/ossec.log: No such file or directory                                              
> grep -i error /var/log/maillog : No such file or directory                (as the folder is /var/log/mail.log) connection refused

> can you guide me how to configure wazuh with docker to send email because I used wazuh inside docker 

>

[zaydwazuh]

thanks dear

This is the configuration 

OS is ubuntu

[Jorge Alberto Marino]

Hello again,

Can we check 3 things:

1. What is the email_alert_level is in the alerts section in ossec.conf?

2. Please share the /etc/postfix/main.cf file .

3. Have you overriden mynetworks in main.cf ?

Thank you

[zaydwazuh]

hello dear

the alert level i make it 4

i use this configuration but di not solve the problem        mynetwork=127.0.0.0/8 172.17.0.0/16
this is main.cf

[Jorge Alberto Marino]

Hello,

As far as the config you shared, it looks like there's a connectivity issue between Wazuh and PostFix. Therefore reachability, certificates and auth issues may arise.

You mentioned you are using Wazuh inside a docker container.

IMPORTANT: We are dealing now with a very specific issue, PLEASE take time to overview EVERY point here and reply with as much information as possible.

If you followed the steps of the Official Wazuh Documentation and it's not yet working properly, we have to find what's the problem.

1. Is the PostFix relay server installed in the same container as the Manager is running on? I mean, why would you need to set mynetwork=127.0.0.0/8 172.17.0.0/16 with two networks?
2.  If postfix server is in another container, did you make sure Wazuh Manager host can reach it at network level?

3. Can you check if the file /var/log/mail.log exists? Why connection refused? Are you using the right user permissions and terminal access?
4. Can you share the output of postconf -n where postfix is installed?

5. Please check postfix basic conf in the section What clients to relay mail from to match your setup.

Thank you, please overview every point and come back with detailed information. Thank you again.

Regards,

Jorge.

[zaydwazuh]

hello

yes i used wazuh inside docker. The problem is some configurations i made it in the file inside volumes is lost when restart device  

The postfix did not installed as container i fellow the steps on wazuh webpage to install it.

The file var/log/mail.log exist

thanks for your time

[Jorge Alberto Marino]

Hello again,

We appreciate your answer. But I'm afraid you did not specify if the postfix server is in the same host as the manager, also if not, if it has reach-ability to it.

I have to insist on the information I requested before. Please provide answers for every point here:

IMPORTANT: We are dealing now with a very specific issue, PLEASE take time to overview EVERY point here and reply with as much information as possible.

If you followed the steps of the Official Wazuh Documentation and it's not yet working properly, we have to find what's the problem.

1. Is the PostFix relay server installed in the same container as the Manager is running on? I mean, why would you need to set mynetwork=127.0.0.0/8 172.17.0.0/16 with two networks?
2.  If postfix server is in another container, did you make sure Wazuh Manager host can reach it at network level?

3. Can you check if the file /var/log/mail.log exists? Why connection refused? Are you using the right user permissions and terminal access?
4. Can you share the output of postconf -n where postfix is installed?

5. Please check postfix basic conf in the section What clients to relay mail from to match your setup.

6. Share /var/log/mail.log contents please.

Thank you, please overview every point and come back with detailed information. Thank you again.

I understand that some configuration was lost when restarting the devices, but if we can't track what's the actual cause of the issue, it'd be nearly impossible to fix it.

I strongly ask if you can provide ALL information I have requested. Include IPs, hostnames, OS, versions, and so on.

Thank you,

Jorge (WAZUH - Core Development)