Can't receive alerts by email

[Leonardo Dourado]

Hello, all.

Can someone please advise about any possible issue or additional configuration to be done so I can start receiving alerts?

Postfix has been configured properly, tests from Postfix are received;

Enabled the alerts on ossec_config side;

Tried to generate events with low level;

None has worked.

I really appreciate any help!

Ex:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from> mye...@myemail.com </email_from>
    <email_to> mye...@myemail.com </email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>15m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>

  <alerts>

    <log_alert_level>3</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
 
  <email_alerts>
    <email_to>mye...@myemail.com</email_to>
    <level>7</level>
  </email_alerts>
 
  <email_alerts>
    <email_to>mye...@myemail.com</email_to>

    <rule_id>60122</rule_id>
    <do_not_delay/>
  </email_alerts>

[hasitha.u...@wazuh.com]

Hi Leonardo,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

[hasitha.u...@wazuh.com]

Hi Leonardo,

For this, you need to check out this documentation instead for alert management.

The <email_alert_level> tag sets the minimum severity level for an alert to generate an email notification. The default value is 12. The allowed value is any integer from 1 to 16. This setting overrides granular email alert configuration. 

<email_alerts> is a Granular email option, so it falls below the global email alerts as described above.

 If the severity level here is less than the email_alert_level configured in the <alerts> section, the email will not be sent.

So if you want to use the granular email option, the level has to be above the <alerts> configuration option.

I can see that 60122 is level 5, which is why it won't send an alert, because your alerts section includes email_alert_level as 7 or above.

1.  <rule id="60122" level="5">
2.     <if_sid>60105</if_sid>
3.     <field name="win.system.eventID">^529$|^4625$</field>
4.     <description>Logon Failure - Unknown user or bad password</description>
5.     <options>no_full_log</options>
6.     <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
7.   </rule>

You can only configure the granular email alert option, which specifies the rule whose severity level should be above according to this <email_alert_level>7</email_alert_level> section.

You can test by reducing the <email_alert_level> to 4 and restarting the manager: systemctl restart wazuh-manager

Then simulate the above conditions and check again.

If the issue persists, please share the ossec.log to check further.
cat /var/ossec/logs/ossec.log | grep -i -E "mail|error|warn"

Let me know the update on this. 

[hasitha.u...@wazuh.com]

Hi Leonardo,

Thanks for the update through private mail, and I am glad that your issue has been resolved!

[Leonardo Dourado]

Hello Hasitha.

Thanks for your reply. It worked, I guess that was just a matter of Wazuh gathering data to send…

I am receiving a lot of emails with rule id 7, changing to higher rule id now.

Thanks a lot!

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/230e012b-6ea5-4c8e-901a-f6d93cc0944bn%40googlegroups.com.