Wazuh alerts by email problem
1,255 views
Skip to first unread message
Felipe Andres Concha Sepúlveda
Aug 30, 2019, 8:37:18 AM8/30/19
to Wazuh mailing list
Hello good afternoon,
I am testing email alerts and I have had some problems
My configuration is as follows, I only send emails when the alert is greater than 12
Then I modified an alert in local_rules to do a test, I have raised the alert level to 13 of a password change, as I show below
I have made the password change and I have received the alert by mail, so far so good
Once verified that the emails arrive when I change the alert level of a rule I have configured another rule and raised the alert level.
Then after a few days I see that an event has been generated with the alert level 13, but the automatic notification email has not been sent, I have tried with the previous rule of change of pass and the mail arrives, therefore I can assume that the error is only with this rule
Do you have any information about this problem?
Daniel Escalona
Sep 2, 2019, 11:06:33 AM9/2/19
to Wazuh mailing list
Hi Felipe!
Indeed, this is a known bug which have been fixed in this pull request.
This bug is due to the next two options are provided, no email notification will be sent:
- The email_log_source option is set to alerts.json. Since, email_log_source is not being provided in your configuration file, it will take the default value, as you can see here
- The no_full_log option is set in a rule, as your custom rule, 60144.
1) Set the email_log_source to alerts.log in the global section of the ossec.conf file.
OR
2) Remove the no_full_log option from your custom rules.
We apologize for the inconvenience.
I hope I have been helpful.
Kind regards,
Daniel & WazuhTeam
OR
2) Remove the no_full_log option from your custom rules.
We apologize for the inconvenience.
I hope I have been helpful.
Kind regards,
Daniel & WazuhTeam
Daniel Escalona
Sep 3, 2019, 10:22:14 AM9/3/19
to Felipe Concha Sepúlveda, Wazuh mailing list
Hi Felipe!
I'm going to change the email_log_source option and leave it with the alerts.log value but my question is, when I change, won't I be affecting other system components? If I change it it will be something transparent or do I have to verify another system operation?
This change won't affect other system components, it only involves the source which will be taken to send the mail notifications.
Moreover, when using the alerts.json as email_log_source, the json formatted alert is parsed to be sent as a plain text notification. Since the alerts.log is used as email_log_source you are saving 2 steps:
Moreover, when using the alerts.json as email_log_source, the json formatted alert is parsed to be sent as a plain text notification. Since the alerts.log is used as email_log_source you are saving 2 steps:
- Parsing the json to plain text
- Include the no full log option will not be necessary because full log has not included in alerts.log
Can you tell me when this new release will happen?
The new release will be available as soon as possible!I hope I have been helpful.
If you have more questions, please let us know.
Kind regards,On Tue, Sep 3, 2019 at 12:40 PM Felipe Concha Sepúlveda <felip...@outlook.com> wrote:
Hi Thank you Daniel for your answer
I'm going to change the email_log_source option and leave it with the alerts.log value but my question is, when I change, won't I be affecting other system components? If I change it it will be something transparent or do I have to verify another system operation?Can you tell me when this new release will happen?
Regards,
Felipe
Daniel Escalona
Sep 4, 2019, 4:37:35 AM9/4/19
to Felipe Concha Sepúlveda, Wazuh mailing list
We are glad to help you. =)
Regards,
Daniel & WazuhTeam
On Tue, Sep 3, 2019 at 4:23 PM Felipe Concha Sepúlveda <felip...@outlook.com> wrote:
Thank You very much!!!! Daniel!!!! :)
Regards,
Felipe
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CAGz4jrNoo7TejaQz4iveWc3iUy63C%3DHrzuCDBrMqqyCPrfujDg%40mail.gmail.com.
Daniel Escalona
Sep 13, 2019, 12:11:40 PM9/13/19
to Felipe Concha Sepúlveda, Wazuh mailing list
Hi, Felipe!
This behavior could happen due to a specific configuration in options email_maxperhour and alert_by_email. The last one is set in a lot of rules by default.- With alert_by_email option, it will always send an email notification ignoring the minimum set by email_alert_level.
So, you could be receiving email notifications from the rules with this option. - The email_maxperhour option refers to the emails sent in an hour. This option counts every message sent. It is mean as you have 4 granular email options when 3 email alerts are triggered you will reach the limit because it sends 12 messages, 3 emails to each destination.
- On the other hand, when this maximum has been reached, alerts with a higher level of email_alert_level could be queued.
Therefore, as I can see in your configuration file, you are interested in level 12 alerts. To fix this problem, you could try :
- Increase the email_alert_level value to 12, if you do not need alerts at a lower level.
- Remove the alert_by_email option from the rules which you are not interested in.
- Increase the email_maxperhour as you consider appropriate but keep in mind the option's behavior explained before.
I hope I have been helpful.
If you have more questions, do not hesitate to contact us.
Kind regards,
Daniel & WazuhTeam.
On Fri, Sep 13, 2019 at 1:22 PM Felipe Concha Sepúlveda <felip...@outlook.com> wrote:
Hello Daniel
When making the change that you indicated to me, I began to receive the level 13 alerts that did not arrive to me, but in a disorderly way, the mail arrives with the subject well, but the information of the alerts correspond to level 10 and other types.
Regards,
Felipe
Reply all
Reply to author
Forward
0 new messages