Wazuh Dashboard Alerts

[Paul O'Shea]

Hi,

When I set up email alert destinations as part of anomaly detection the emails do not send and when I use the "send test message" function I get the following error ... javax.mail.MessagingException: Invalid Addresses.

The Wazuh servers are able to send email as I get alerts from my services for critical events. Is there something else that needs to be configured on the dashboard server to allow email alerts to be sent?

Thanks

Paul.

[Chantal Belen Kelm]

Good afternoon how are you? Thank you very much for using Wazuh.
Could you send me the link to the guide you used to set up email alerts?

I will be waiting for your answer!

Regards!

[Paul O'Shea]

Hi Chantal,

I didn't follow any specific guide to set up the email alerts, I just followed the steps in the process after I created an anomaly detector.

The online documentation for Wazuh doesn't really talk about setting up anomaly detectors or their associated alerts.

Regards

Paul.

[Chantal Belen Kelm]

Good morning Thank you very much for using Wazuh.
You can use this step by step guide https://opensearch.org/docs/latest/monitoring-plugins/ad/index/

I'll be here for any questions!

Regards!

[Paul O'Shea]

Hi Chantal,

I have set up the detectors and the appropriate alerts. As part of that process I created an alert monitor and during that process I added a trigger and an action. At the action stage, the action to be performed when the trigger is activated is to email me with the alert. I have created an appropriate destination for the email alert - which also has a correct "email sender" and "email group" defined for the destination, these are the same as are used for regular Wazuh alerting (which works).

When I then click on the "Send test message" the following error message is shown and the email does not arrive. The destination email address is correct and is use.

[Chantal Belen Kelm]

I'm doing some checking, I'll be back soon with an answer

Regards!

[Chantal Belen Kelm]

I've been researching and the easiest way to do what you want to do is to follow this guide: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html?highlight=mail

I'll be here for any questions!

Regards!

[Paul O'Shea]

Hi Chantal,

From what I can see, none of those options are applicable to the email alerts from the Anomaly Monitor function. I already have the generic email alert function working from the Wazuh Server as described in the Generic Email options section and this works as expected. It is just the email function from the Anomaly Monitor part that shows the error. Is there somewhere else these emails need to be configured?

Regards

Paul.

[Chantal Belen Kelm]

Good day how are you? I was asking colleagues about your problem.
I wanted to ask if you could send me some screenshots of how you configured the sender in manage email senders (attached screenshot) and how you configured the recipients? what email provider do you use? example: gmail.
Are you using Kibana with Open Distro for Elasticserach or Wazuh dashboard? in what version?

I will be waiting for your answer!

Regards!

[Paul O'Shea]

Hi Chantal,

Apologies for the delay in coming back to you - I was away on annual leave.

Here is the sender i have configured. The email server is an internal relay that is configured to allow the Wazuh servers to relay.

And  I have one destination group configured - which uses the same email address as the Wazuh server to send alerts to (which does work) ...

We are using Wazuh Server v.4.3.0 with Wazuh Dashboard.

Thanks

Paul.

[Chantal Belen Kelm]

Good day how are you? what email provider do you use? example: Gmail.

I will be waiting for your answer!

Regards!

[Paul O'Shea]

Hi Chantel,

We use an internal SMTP relay only ... 

Regards

Paul.

[Chantal Belen Kelm]

I'm doing some checking, I'll be back soon with an answer.

Regards!

[Chantal Belen Kelm]

Good afternoon how are you? I'm still figuring out what might be going on, I need you to check if the email addresses you're sending emails to are correct, as in one of the first photos you sent me the error says: invalid addresses.

I will be waiting for your answer! 

Regards!

[teknik987]

Hi Chantal

The addresses are correct. They are already in use for other elements of the Wazuh setup and works expected. 

Kind regards

Paul.

Sent from my Samsung Galaxy smartphone.

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/VCd7CYmvc-M/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6e5a62a4-a953-4db6-a75f-f6b7adfcec7dn%40googlegroups.com.

[Chantal Belen Kelm]

Good day Pablo how are you? Can you share the guide you used to configure the SMTP relay?

I will be waiting for your answer! 

Regards!

[teknik987]

Hi Chantal

The smtp relay we are using us an IIS relay that we use for all of our internal systems. It work as expected and also works for general alerts from wazuh. 

The only time I have an error is trying to send email alerts as part of the anomaly detection process.

Regards

Paul

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ef88de3d-a7fd-44fe-9b05-f5cd60171337n%40googlegroups.com.

[Chantal Belen Kelm]

Good afternoon how are you? I was consulting your case with my colleagues, the error you receive may be due to the relay you are using. What I suggest you do is follow Wazuh's guide to setting up email alerts https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html
And this other documentation for configuring SMTP https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/smtp-authentication.html

Perhaps configuring this way solves the problem, otherwise, we try another way.

I'll be here for any questions.

Regards

[Paul O'Shea]

Hi Chantal,

Thanks for the reply. I have already configured SMTP for email alerts as per the first link, and because our relay does not require authentication the second link above is not required. Normal email alerts from WAZUH work as expected with the SMTP relay. I receive email alerts from WAZUH for all alerts over Level 10. 

Is the error message "javax.mail.MessagingException: Invalid Addresses" perhaps related to something like this ... https://github.com/opensearch-project/alerting/issues/461, although we are not using Docker containers?

Regards

paul.

[Chantal Belen Kelm]

Good day how are you? I was discussing your problem with my colleagues but we still don't know what could be happening.
What I suggest is that you comment on your problem in the issue that you had shared with me, that is, a comment that you are not using Docker, and detail the version of OpenSearch Dashboards on which the Wazuh dashboard that you are using is based.
Most likely you will get a solution.