Monitoring outgoing email traffic


Matthias Appelmans

Apr 9, 2024, 6:00:34 AM
to Wazuh | Mailing List
Hi all,

I'm trying to see mail traffic from my postfix server. So I configured the following in agent.conf, because the traffic gets logged to /var/log/mailtest.log:

<localfile>
<location>/var/log/mailtest.log</location>
<log_format>syslog</log_format>
</localfile>


I can't get the logs to be displayed in either archive.log or on the Wazuh UI.

Am I doing something wrong?

Md. Nazmur Sakib

Apr 9, 2024, 6:37:48 AM
to Wazuh | Mailing List

Hi Matthias Appelmans,

Can you check if you have logs inside the /var/log/mailtest.log file?

I have tried to replicate this. In my case, it is working fine.

This is my file name:

/var/log/mail.log

And this is my configuration:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mail.log</location>
  </localfile>

If you have enabled the archive log, you can use this command to check if the logs are in the archive log:

cat /var/ossec/logs/archives/archives.log | grep "/var/log/mailtest.log"

Make sure to restart the agent after making any changes to the configuration of the agent.

Let me know your findings on the issue.

Matthias Appelmans

Apr 9, 2024, 7:17:18 AM
to Wazuh | Mailing List
Hi,

Thank you for the fast response.

I did everything as you described:

tail /var/log/mailtest.log
Apr 09 13:04:53 debian postfix/smtp[6834]: 210DD7FCB6: to=<matt...@fake.be>, relay=uit.telenet.be[195.130.132.10]:25, delay=0.27, delays=0.01/0.02/0.16/0.09, dsn=2.0.0, status=sent (250 2.0.0 Message accepted for delivery (8z4s2C00E2pxrA606z4spW))
Apr 09 13:04:53 debian postfix/qmgr[5781]: 210DD7FCB6: removed
Apr 09 13:05:46 debian postfix/smtpd[6829]: disconnect from unknown[192.168.154.169] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 09 13:07:06 debian postfix/smtpd[6829]: connect from unknown[192.168.154.169]
Apr 09 13:07:06 debian postfix/smtpd[6829]: 1C3757FCB6: client=unknown[192.168.154.169]
Apr 09 13:07:06 debian postfix/cleanup[6846]: 1C3757FCB6: message-id=<>
Apr 09 13:07:06 debian postfix/qmgr[5781]: 1C3757FCB6: from=<tgeergzer...@telenet.be>, size=365, nrcpt=1 (queue active)
Apr 09 13:07:06 debian postfix/smtp[6847]: 1C3757FCB6: to=<matt...@fake.be>, relay=uit.telenet.be[195.130.132.10]:25, delay=0.27


Config:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mailtest.log</location>
  </localfile>



I enabled the archives in filebeat.yml and logall

Then I generated some traffic 

This returns nothing (it's not empty):
root@WAZUH-VM:/home/matthias# tail /var/ossec/logs/archives/archives.log | grep "/var/log/mailtest.log"
root@WAZUH-VM:/home/matthias#


Anything else that could be the issue?
Best regards


On Tuesday, 9 April 2024 at 12:37:48 UTC+2, Md. Nazmur Sakib wrote:

Md. Nazmur Sakib

Apr 17, 2024, 2:34:57 AM
to Wazuh | Mailing List

Hi Matthias,

Sorry for the late response. I was on holiday.

The configuration looks fine to me.

Can you check the file permissions of the /var/log/mailtest.log file?

Are there other logs inside the archive log?

tail /var/ossec/logs/archives/archives.log

Also, it's better to test the archive log for some specific logs with the cat command instead of tail. The archive log file is populated very fast by different logs.

cat /var/ossec/logs/archives/archives.log | grep "/var/log/mailtest.log"

Check if there is any relevant log inside the ossec.log:

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

cat /var/ossec/logs/ossec.log | grep -i -E "/var/log/mailtest.log"

Can you share your whole ossec.conf file, if possible?

Looking forward to your update on the issue.

Matthias Appelmans

Apr 17, 2024, 2:43:43 AM
to Wazuh | Mailing List

Hi,

Hope you had a nice holiday!

The logging works fine now.

However, I'm still trying to get my use case to work. I want to make a dashboard or query that shows me how much outbound mail traffic has been successful and how much has failed.

I don't know what would be the best approach; perhaps something with this entry:

 to=<matt...@fake.be>, relay=uit.telenet.be[195.130.132.10]:25, delay=0.27, delays=0.01/0.02/0.16/0.09, dsn=2.0.0, status=sent (250 2.0.0 Message accepted for delivery (8z4s2C00E2pxrA606z4spW))

DSN 2.0.0 means it's successful, 4.0.0 means it failed, for instance.

Is there a way to group all those emails linked together into one? Or is there a better way to do this so I can get all the info in one log?

Regards
On Wednesday, 17 April 2024 at 08:34:57 UTC+2, Md. Nazmur Sakib wrote:

Md. Nazmur Sakib

Apr 19, 2024, 1:11:20 AM
to Wazuh | Mailing List

Hi Matthias Appelmans,

I am glad that you have successfully forwarded your log.

Now, you can write some custom decoders and rules to trigger alerts on the Dashboard.

You can write separate rules for successful and failed events.

Check these documents to get help with writing custom decoders and rules:

Custom Decoders

Custom Rules

Decoder Syntax

Rule Syntax

Also, check the logtest rule, which is helpful while writing custom decoders and rules.

Ref: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html

After that, based on filters, you can query those alerts on the Dashboard.

Next, create some dashboards to visualize those events:

https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/creating-custom-dashboards.html

I hope this solves your issue.

Let me know if you need any further assistance.

Matthias Appelmans

Apr 19, 2024, 2:57:13 AM
to Wazuh | Mailing List
Hi,

thanks for your response.

The problem with SMTP/postfix logs is that one mail creates multiple events. I need the info from two of those events to make my use case work.

There is one entry that contains the status of whether the mail has been sent, and then there is another one containing the source mail address.

Example:

Apr 19 08:44:19 debian postfix/qmgr[1496]: 0B5C01031F6: from=<use...@telenet.be>, size=368, nrcpt=1 (queue active)
Apr 19 08:44:19 debian postfix/smtp[3701]: 0B5C01031F6: to=<desti...@test.com>, relay=uit.telenet.be[1.1.1.1]:25, delay=0.3, delays=0.01/0.01/0.13/0.15, dsn=2.0.0, status=sent (250 2.0.0 Message accepted for delivery (CukK2C0072pxrA601ukKQd))

Is there a way to put these two together?

Kind regards
Matthias
On Friday, 19 April 2024 at 07:11:20 UTC+2, Md. Nazmur Sakib wrote:

Md. Nazmur Sakib

Apr 19, 2024, 7:03:13 AM
to Wazuh | Mailing List

Hi Matthias Appelmans,

If your only motive is to find out information about failed and successful mail, then, as you have mentioned earlier, DSN 2.0.0 means it's successful and 4.0.0 means it failed.

This information is present in this log:

Apr 19 08:44:19 debian postfix/smtp[3701]: 0B5C01031F6: to=<desti...@test.com>, relay=uit.telenet.be[1.1.1.1]:25, delay=0.3, delays=0.01/0.01/0.13/0.15, dsn=2.0.0, status=sent (250 2.0.0 Message accepted for delivery

You can simply write decoders and rules based on this log format only and ignore the other log:

Apr 19 08:44:19 debian postfix/qmgr[1496]: 0B5C01031F6: from=<use...@telenet.be>, size=368, nrcpt=1 (queue active)

If you want to combine these two logs into one log, you have to write a custom script to manage the two logs, save those logs in a separate file, and use the localfile option to read that log file and forward it to Wazuh.

<localfile>
  <location>/<FILE_PATH>/file.log</location>
  <log_format>syslog</log_format>
</localfile>

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html#monitoring-basic-log-files

I hope you find this helpful. Let me know if you need any further information.
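One way to write the "custom script" suggested above (an added example, not code from the thread or from Wazuh): a Python filter that joins the postfix qmgr from= line with the smtp to=/dsn= line on the shared queue ID and emits one syslog-style line per delivery attempt, already tagged success/failure from the DSN class, so a single decoder and rule pair covers both of the earlier questions. The program name postfix-delivery, the output field names and the sample log lines are constructed for this example.

```python
import re
import sys

# Constructed sample input modelled on the two postfix lines quoted in the thread
# (queue IDs, addresses and relays are made up).
SAMPLE_LOG = """\
Apr 19 08:44:19 debian postfix/qmgr[1496]: 0B5C01031F6: from=<sender@example.net>, size=368, nrcpt=1 (queue active)
Apr 19 08:44:19 debian postfix/smtp[3701]: 0B5C01031F6: to=<dest@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.3, delays=0.01/0.01/0.13/0.15, dsn=2.0.0, status=sent (250 2.0.0 Message accepted for delivery (CukK2C0072pxrA601ukKQd))
Apr 19 08:44:19 debian postfix/qmgr[1496]: 0B5C01031F6: removed
Apr 19 08:45:02 debian postfix/qmgr[1496]: 7A1D2103200: from=<sender@example.net>, size=402, nrcpt=1 (queue active)
Apr 19 08:45:03 debian postfix/smtp[3705]: 7A1D2103200: to=<nobody@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.2, delays=0.02/0.01/0.9/0.3, dsn=4.4.1, status=deferred (connect to mx.example.org[198.51.100.7]:25: Connection timed out)
"""
# qmgr logs the envelope sender once per message; smtp logs one delivery attempt per recipient.
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
REMOVED_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): removed$")
TO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) postfix/smtp\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+), "
    r".*?dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+)"
)

def correlate(lines):
    """Join sender (qmgr line) and delivery result (smtp line) on the queue ID and
    emit one syslog-style line per delivery attempt for a Wazuh syslog <localfile>."""
    senders = {}   # queue ID -> envelope sender, kept while the message is in the queue
    combined = []
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
            continue
        m = REMOVED_RE.search(line)
        if m:
            senders.pop(m["qid"], None)   # queue IDs can be reused: forget the sender once removed
            continue
        m = TO_RE.match(line)
        if not m:
            continue
        # DSN class 2 = delivered, 4 = transient failure (deferred), 5 = permanent failure (bounced)
        outcome = "success" if m["dsn"].startswith("2.") else "failure"
        combined.append(
            f"{m['ts']} {m['host']} postfix-delivery: queue_id={m['qid']} "
            f"from={senders.get(m['qid'], 'unknown')} to={m['rcpt']} relay={m['relay']} "
            f"dsn={m['dsn']} status={m['status']} outcome={outcome}"
        )
    return combined

if __name__ == "__main__":
    # Stream mode: e.g. `tail -F /var/log/mail.log | python3 correlate.py >> <combined file>`
    for record in correlate(sys.stdin):
        print(record, flush=True)
```

Point the `<location>` of a syslog `<localfile>` at the combined file; the per-recipient `outcome=` field then lets one rule count successes and another count failures without any cross-event correlation in Wazuh.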
