Wazuh Notification


Raguram Reddy

May 16, 2025, 4:11:52 AM
to Wazuh | Mailing List
I have configured the Wazuh ossec.conf with SMTP and it is working,
but in the Wazuh GUI under Notifications I am getting the error "authentication failed".

Antonio David Gutiérrez

May 16, 2025, 5:32:05 AM
to Wazuh | Mailing List
Assuming you get the problem in the Notifications app of the Wazuh dashboard, I guess this could be caused by a misconfiguration or by some missing configuration. Take a look at the documentation reference: https://docs.opensearch.org/docs/2.19/observing-your-data/notifications/index/

Are you configuring, in the Notification app, an email from an email provider (Gmail, etc.), or are you configuring it to send the email through an SMTP relay server?

If your email provider requires SSL or TLS, ensure you defined the credentials for the sender: https://docs.opensearch.org/docs/2.19/observing-your-data/notifications/index/#authenticate-sender-account. In the commands, replace `/usr/share/opensearch-dashboards` with `/usr/share/wazuh-dashboard`.

Consider reviewing:
- Configuration of SMTP sender in Notification app
- Wazuh dashboards logs
- Wazuh indexer logs
- SMTP relay server logs (if used)

If you need more assistance, provide some evidence of the problem:
- UI screenshots
- Wazuh dashboards logs
- Wazuh indexer logs
- SMTP relay server logs (if used)

If you share information, obfuscate the sensitive data.

Raguram Reddy

May 16, 2025, 6:05:52 AM
to Wazuh | Mailing List
[status_exception] {"event_status_list": [{"config_id":"_4QD2JYB0VvxFan9rU0G","config_type":"email","config_name":"temp-IKF","email_recipient_status":[{"recipient":"mail.com","delivery_status":{"status_code":"502","status_text":"sendEmail Error, status:530-5.7.0 Authentication Required. For more information, go to\n530 5.7.0 https://support.google.com/accounts/troubleshooter/2402620. 98e67ed59e1d1-30e7d576ac9sm1059466a91.30 - gsmtp\n"}}],"delivery_status":{"status_code":"502","status_text":"sendEmail Error, status:530-5.7.0 Authentication Required. For more information, go to\n530 5.7.0 https://support.google.com/accounts/troubleshooter/2402620. 98e67ed59e1d1-30e7d576ac9sm1059466a91.30 - gsmtp\n"}}]}

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6

# TLS parameters (inbound, smtpd)
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may

# TLS parameters (outbound, smtp client towards the relay)
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

myhostname = ip-**.**.**.**.ap-south-1.compute.internal
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, ip-**.**.**.**.ap-south-1.compute.internal, localhost.ap-south-1.compute.internal, , localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# Only clients in mynetworks or SASL-authenticated clients may relay through this host
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

# Relay outbound mail through Gmail with SASL authentication (credentials in sasl_passwd).
# relayhost and smtpd_relay_restrictions were each defined twice in the original file;
# Postfix uses the last value and logs an "overriding earlier entry" warning, so only
# one definition of each is kept.
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# smtp_use_tls is the legacy form of smtp_tls_security_level; "encrypt" there would require STARTTLS to the relay
smtp_use_tls = yes

I have followed the Wazuh documentation and installed an SMTP relay for notifications in ossec.conf and in the console.
Now give me the complete steps for what I should do to get the notification in the GUI also.
Screenshot 2025-05-16 152147.png

Antonio David Gutiérrez

May 16, 2025, 8:46:40 AM
to Wazuh | Mailing List
I assume your Wazuh server to SMTP relay server connection is working as expected and you can receive the emails emitted by the Wazuh server through the SMTP relay server.

On the other hand, in the Notification app of the Wazuh dashboard, how did you configure the SMTP sender? Provide details.

Reviewing the screenshot, I see you could have configured an SMTP sender in the Notification app that could be using a Gmail account. If this is the case, you need to add the credentials for the SMTP sender configured in the Wazuh dashboard. You will need to use an app password instead of the account password for the Gmail account. You can generate an app password for a Gmail account here: https://myaccount.google.com/apppasswords.

Gmail app password reference: https://support.google.com/mail/answer/185833?hl=en

Then, you need to define the credentials in the Wazuh indexer host:
echo "<EMAIL>" | sudo -u wazuh-indexer /usr/share/wazuh-indexer/bin/opensearch-keystore add opensearch.notifications.core.email.<SENDER_NAME>.username --
echo "<APP_PASSWORD>" | sudo -u wazuh-indexer /usr/share/wazuh-indexer/bin/opensearch-keystore add opensearch.notifications.core.email.<SENDER_NAME>.password --

Replace the placeholders, where:
- <EMAIL>: the Gmail account (e.g. exa...@gmail.com) you defined in the SMTP sender configured in the Notification app of the Wazuh dashboard
- <APP_PASSWORD>: the generated app password for the Gmail account
- <SENDER_NAME>: the name of the SMTP sender configured in the Notification app of the Wazuh dashboard

Then, restart the `wazuh-indexer` service:
systemctl restart wazuh-indexer

Then you could try to send a test email when creating the notification channel in the Notifications app of the Wazuh dashboard to check it is working correctly.

Raguram Reddy

May 16, 2025, 2:29:13 PM
to Wazuh | Mailing List
Working. Thank you.
I am facing another issue.
I am unable to customize the alert subject in the trigger;
please find the attached screenshot.
I want to get details like alert name, log source, hostname, source IP and all the details from the respective log.

{
  "_index": "wazuh-alerts-4.x-2025.05.16",
  "_id": "p4RZ2ZYB0VvxFan9a49c",
  "_version": 1,
  "_score": null,
  "_source": {
    "predecoder": {
      "hostname": "ip-1qei3",
      "program_name": "sudo",
      "timestamp": "May 16 13:47:14"
    },
    "cluster": {
      "node": "master",
      "name": "wazuh"
    },
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "kb33",
      "name": "Pqkbcsab",
      "id": "010"
    },
    "data": {
      "uid": "0",
      "dstuser": "root"
    },
    "manager": {
      "name": "iplscnkqjc-175"
    },
    "rule": {
      "mail": true,
      "level": 3,
      "pci_dss": [
        "10.2.5"
      ],
      "hipaa": [
        "164.312.b"
      ],
      "tsc": [
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "PAM: Login session opened.",
      "groups": [
        "pam",
        "syslog",
        "authentication_success"
      ],
      "nist_800_53": [
        "AU.14",
        "AC.7"
      ],
      "gdpr": [
        "IV_32.2"
      ],
      "firedtimes": 82,
      "mitre": {
        "technique": [
          "Valid Accounts"
        ],
        "id": [
          "T1078"
        ],
        "tactic": [
          "Defense Evasion",
          "Persistence",
          "Privilege Escalation",
          "Initial Access"
        ]
      },
      "id": "5501",
      "gpg13": [
        "7.8",
        "7.9"
      ]
    },
    "location": "/var/log/auth.log",
    "decoder": {
      "parent": "pam",
      "name": "pam"
    },
    "id": "1747403234.25563424",
    "full_log": "May 16 13:47:14 ip-10-26-20-233 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)",
    "timestamp": "2025-05-16T13:47:14.478+0000"
  },
  "fields": {
    "timestamp": [
      "2025-05-16T13:47:14.478Z"
    ]
  },
  "sort": [
    1747403234478
  ]
}

For the above log, give me the message body for the Action tab under Monitor.
Screenshot 2025-05-16 231308.png

Antonio David Gutiérrez

May 19, 2025, 4:09:50 AM
to Wazuh | Mailing List
I guess you want to include some variables in the message subject, but it seems that it does not support variable interpolation.

On the other hand, the variables you can interpolate in the message (body) are these, according to the documentation: https://docs.opensearch.org/docs/2.19/observing-your-data/alerting/monitors/#monitor-variables
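As an added illustration (not part of the thread, and not OpenSearch's own renderer), this is a Mustache message body for the Action tab that pulls the fields the poster asked for out of the alert document shown earlier, together with a small Mustache-subset renderer so the result can be checked offline. The monitor variable names (ctx.monitor, ctx.trigger, ctx.periodStart/End, ctx.results.0.hits.hits with the alert under _source) are assumed from the OpenSearch Alerting documentation linked above; the trigger context below is constructed, and the source IP stays blank because the PAM alert carries no data.srcip field.

```python
import re

# Monitor variables assumed from the OpenSearch Alerting docs: ctx.monitor, ctx.trigger,
# ctx.periodStart/End and ctx.results.0.hits.hits (each hit holds the alert under _source).
BODY = (
    "Wazuh alert: {{ctx.trigger.name}} (severity {{ctx.trigger.severity}})\n"
    "Monitor: {{ctx.monitor.name}}, {{ctx.periodStart}} to {{ctx.periodEnd}}\n"
    "Matching alerts: {{ctx.results.0.hits.total.value}}\n"
    "{{#ctx.results.0.hits.hits}}"
    "- Rule {{_source.rule.id}} (level {{_source.rule.level}}): {{_source.rule.description}}\n"
    "  Agent: {{_source.agent.name}} ({{_source.agent.ip}})  Host: {{_source.predecoder.hostname}}\n"
    "  Log source: {{_source.location}}  Src IP: {{_source.data.srcip}}\n"
    "  Log: {{_source.full_log}}\n"
    "{{/ctx.results.0.hits.hits}}"
)

# Constructed trigger context; the hit is the alert document from this thread, trimmed to the
# fields used. data.srcip is absent on purpose: a PAM session event carries no source IP.
CTX = {"ctx": {
    "monitor": {"name": "wazuh-auth-monitor"},
    "trigger": {"name": "pam-session-opened", "severity": "3"},
    "periodStart": "2025-05-16T13:45:00Z", "periodEnd": "2025-05-16T13:50:00Z",
    "results": [{"hits": {"total": {"value": 1}, "hits": [{"_source": {
        "predecoder": {"hostname": "ip-1qei3"},
        "agent": {"ip": "kb33", "name": "Pqkbcsab"},
        "data": {"uid": "0", "dstuser": "root"},
        "rule": {"id": "5501", "level": 3, "description": "PAM: Login session opened."},
        "location": "/var/log/auth.log",
        "full_log": "May 16 13:47:14 ip-10-26-20-233 sudo: pam_unix(sudo:session): "
                    "session opened for user root by (uid=0)",
    }}]}}]}}

def lookup(ctx, path):
    """Resolve a dotted path such as ctx.results.0.hits.hits; None when any step is missing."""
    cur = ctx
    for part in path.split("."):
        if isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        elif isinstance(cur, dict):
            cur = cur.get(part)
        else:
            return None
    return cur

def render(template, ctx):
    """Mustache subset ({{a.b}} and {{#list}}..{{/list}}); missing values render empty."""
    def section(m):  # each hit is merged over the parent context so _source.* resolves per item
        items = lookup(ctx, m.group(1)) or []
        return "".join(render(m.group(2), {**ctx, **it}) for it in items if isinstance(it, dict))
    out = re.sub(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", section, template, flags=re.S)
    return re.sub(r"\{\{([\w.]+)\}\}", lambda m: "" if (v := lookup(ctx, m.group(1))) is None else str(v), out)
```

Paste BODY into the message field of the email action; when the monitor fires, OpenSearch renders the same placeholders against the real query hits.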