Trouble Setting Up Office365 Email Alerts in Wazuh (Docker Compose)


rihab benabdelaziz

Sep 12, 2024, 3:56:24 AM
to Wazuh | Mailing List

Hello everyone,

Has anyone here successfully configured Office365 with Wazuh to receive email alerts, with Wazuh installed using Docker Compose?

I've been trying for a while, followed the docs, and used the same config, but it’s still not working.

Thanks a lot for your help!



Manuel Pedro Gomez Castro

Sep 12, 2024, 4:44:26 AM
to Wazuh | Mailing List
Hi! Thank you for reaching out to us!

There are several systems at work that you have mentioned, and with the information provided it is not really clear which ones were affected.
When deploying Wazuh as a Docker container, one must remember that Docker containers do not retain changes from one instance to the next unless this data is stored in a volume. At the end of the default docker compose document, there is a section where volumes are defined that should be filled with local paths. Then, on any changes referenced in the documentation, /var/ossec/etc should be replaced by the path set in wazuh_etc. Verifying that the changes apply and persist across reboots is important, since the container would need to be restarted in order for any changes to apply to the Wazuh manager.

Then there is the Office 365 integration; it would be really helpful if you could verify in our documentation that all the steps were followed correctly. If the configuration has been applied and sticks, your Wazuh environment should be receiving events from Office 365 to be processed, and some of those events may be triggering alerts. Reviewing your archives.log and alerts.log files may help you troubleshoot whether the events/alerts are being generated correctly. Note that in order for archives.log to show, you may need to enable logall: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall

Lastly, provided that events are being generated and alerts are triggered, we just need to implement the email notifications. I recommend reviewing the documentation on that topic, particularly the alert level threshold as it may be the case that the alerts are just not severe enough to be sent by default.

I hope this helps in troubleshooting your issue! If you need further help, it would be really useful to know how exactly you know your system isn't working, so we can try to figure out a solution. Does your container fail to start? Do the events show in your log files? In your Wazuh dashboard? Are other alerts being notified by email? Any information you have may be useful.

rihab benabdelaziz

Sep 12, 2024, 5:42:44 AM
to Wazuh | Mailing List

I have added the local paths in the "volumes" section and double-checked the configuration after restarting the containers. To receive email alerts, I set up an SMTP relay using Postfix. I also lowered the alert level on the Wazuh side to ensure I receive alerts by email, but I'm still not receiving any alerts.

When I check the logs in wazuh_manager, I get the following error: wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

I'm not sure where the problem is coming from. Could it be that Postfix is unable to connect to the container? I noticed in the configuration that the smtp_server field in the ossec.conf file should be set to localhost, and I even tried using the host's IP address, but it didn't work.

Manuel Pedro Gomez Castro

Sep 12, 2024, 6:26:40 AM
to Wazuh | Mailing List
I see! Yes, this is likely because of a network issue in your docker compose file.

Some articles in the Wazuh documentation may assume that your SMTP server is installed on the same machine as your manager, so they may indicate using localhost.

However, in your configuration, localhost for the manager would refer to the container itself, which does not have your SMTP relay installed.
In order to address this, you would need to use the host's IP address. However, it's very likely that the usual 192.168.xxx.xxx will not work, as your docker container will not be in that network.

There should be several solutions to this:
The simplest, according to this Stack Overflow answer, would be to add this snippet to your docker compose file:
extra_hosts:
    - "host.docker.internal:host-gateway"
And then, use "host.docker.internal" as your SMTP server within ossec.conf.

You could also containerize your relay, including it in the docker compose file and addressing it by its service name.

Lastly, you could attempt to switch the network your containers use from a "bridge" network to a "host" network, which would allow you to use localhost as is. However, it's possible that this may affect other configurations in your stack, such as the connection between dashboard, indexer and manager, so I would recommend backing up your data and testing it before committing to it.

rihab benabdelaziz

Sep 12, 2024, 7:47:00 AM
to Wazuh | Mailing List
Thanks Manuel! Regarding the option of containerizing the SMTP relay and including it in the docker-compose file, could you explain how to proceed with that? I'm not sure about the steps needed to add and configure it properly in docker-compose, and how to reference it by its service name.

Manuel Pedro Gomez Castro

Sep 12, 2024, 9:37:37 AM
to Wazuh | Mailing List
Adding SMTP as a container will depend on your exact configuration and needs. The basic principle would be obtaining/creating a Docker image that runs your service.
I found this tutorial that may be useful: https://medium.com/@aedemirsen/how-do-we-set-up-our-own-send-only-smtp-server-postfix-docker-gmail-6a8a1bb57ea5

Then, docker compose is just a way to automate the process of launching several Docker images. I suggest reviewing their documentation to learn how to use your Docker image there: https://docs.docker.com/compose/

Lastly, regarding the service name: if you look at Wazuh's docker compose file, it has several services, like wazuh.manager. Using the default networking docker compose provides, a container can use the service name as a URL to access another container. So if you create a service called "smtp_server", the URL to use it within your stack would be "smtp_server".
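The two relay placements discussed in this thread (the host-gateway alias for a relay on the Docker host, and a relay running as its own compose service), as an added compose fragment that is not the Wazuh project's own file; the image tags, the relay image and the `smtp_server` service name are assumptions, and you would keep only one of the two options.

```yaml
# Added example, not the stock Wazuh docker compose file. Shows both ways to
# make an SMTP relay reachable from the wazuh.manager container; pick one.
# Assumptions: image tags, the relay image and the service name smtp_server.
services:
  wazuh.manager:
    image: wazuh/wazuh-manager:<version>        # keep the tag from your stock file
    volumes:
      - wazuh_etc:/var/ossec/etc                # persists ossec.conf across restarts
    # Option 1: relay runs on the Docker host. "host-gateway" resolves to the
    # host's address on the compose bridge network, so the container does not
    # need "localhost" (which would be the container itself).
    # In ossec.conf: <smtp_server>host.docker.internal</smtp_server>
    # The host-side relay must listen on the bridge interface, not only on
    # 127.0.0.1, and (for Postfix) mynetworks must include the compose subnet.
    extra_hosts:
      - "host.docker.internal:host-gateway"
    # Option 2: relay is a service in this stack; compose DNS resolves the
    # service name, so in ossec.conf: <smtp_server>smtp_server</smtp_server>
    depends_on:
      - smtp_server

  smtp_server:
    image: example/postfix-relay:<tag>          # placeholder: your own send-only image
    restart: unless-stopped
    # No "ports:" entry on purpose: the relay answers on port 25 only inside
    # the compose network, so nothing outside the host can use it as an open
    # relay. Upstream (Office 365) credentials belong in an env/secret file.

volumes:
  wazuh_etc:
```

A quick reachability check after `docker compose up -d` is `docker compose exec wazuh.manager getent hosts host.docker.internal` (or `smtp_server`); if the name does not resolve from inside the manager container, wazuh-maild cannot reach the relay whatever ossec.conf says.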