Cannot get email.


krunal kalaria

Jun 26, 2018, 6:42:16 AM
to Wazuh mailing list
Hello Everyone,

I am using Wazuh 3.3 and ELK Stack 6.2. I did not receive email from Wazuh. I have configured SMTP as follows:

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes
This is all I have tried. I am getting the echo test mail but I cannot get email alerts.
I have used this command: cat /var/ossec/logs/ossec.log | grep ossec-maild
and I got this:

2018/06/26 00:01:02 ossec-maild: ERROR: (1764): Mail from not accepted by server
2018/06/26 00:01:02 ossec-maild: ERROR: (1223): Error Sending email to 74.125.130.108 (smtp server)
2018/06/26 00:05:45 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 00:05:55 ossec-maild: INFO: Started (pid: 61662).
2018/06/26 00:05:55 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 00:09:09 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 00:09:14 ossec-maild: INFO: Started (pid: 62038).
2018/06/26 00:09:14 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 01:01:19 ossec-maild: ERROR: (1764): Mail from not accepted by server
2018/06/26 01:01:19 ossec-maild: ERROR: (1223): Error Sending email to 74.125.68.109 (smtp server)
2018/06/26 01:20:09 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 01:20:13 ossec-maild: INFO: Started (pid: 69517).
2018/06/26 01:20:13 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 01:24:28 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 01:24:33 ossec-maild: INFO: Started (pid: 70009).
2018/06/26 01:24:33 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 01:49:51 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 01:49:56 ossec-maild: INFO: Started (pid: 71734).
2018/06/26 01:49:56 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 01:52:30 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 01:52:33 ossec-maild: INFO: Started (pid: 72232).
2018/06/26 01:52:33 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 01:55:55 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 01:56:03 ossec-maild: INFO: Started (pid: 72757).
2018/06/26 01:56:03 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 01:56:59 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 01:57:02 ossec-maild: INFO: Started (pid: 73220).
2018/06/26 01:57:02 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 01:58:01 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 01:58:03 ossec-maild: INFO: Started (pid: 74064).
2018/06/26 01:58:03 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 01:58:23 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 01:58:25 ossec-maild: INFO: Started (pid: 74747).
2018/06/26 01:58:25 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 02:00:12 ossec-maild: ERROR: (1764): Mail from not accepted by server
2018/06/26 02:00:12 ossec-maild: ERROR: (1223): Error Sending email to 74.125.130.108 (smtp server)
2018/06/26 02:04:27 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 02:04:32 ossec-maild: INFO: Started (pid: 75530).
2018/06/26 02:04:32 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 02:20:38 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 02:20:44 ossec-maild: INFO: Started (pid: 76772).
2018/06/26 02:20:44 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 02:21:05 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 02:21:07 ossec-maild: INFO: Started (pid: 77499).
2018/06/26 02:21:07 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 02:35:28 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 02:35:31 ossec-maild: INFO: Started (pid: 78549).
2018/06/26 02:35:31 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 02:35:42 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/26 02:35:43 ossec-maild: INFO: Started (pid: 78859).
2018/06/26 02:35:43 ossec-maild: INFO: Getting alerts in log format.
2018/06/26 03:00:00 ossec-maild: ERROR: (1764): Mail from not accepted by server
2018/06/26 03:00:00 ossec-maild: ERROR: (1223): Error Sending email to 74.125.24.108 (smtp server)

I don't know what the issue is; please help me solve this problem.

Thanks & Regards,
Krunal. 

rafael...@wazuh.com

Jun 26, 2018, 9:42:46 AM
to Wazuh mailing list
Hi Krunal,

You need to configure the email options in the /var/ossec/etc/ossec.conf file on your manager.

<global>
  <email_notification>yes</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>USERNAME@gmail.com</email_from>
  <email_to>you@example.com</email_to>
</global>

Restart the manager and try again.

Tell us if it worked for you.

Best regards.

krunal kalaria

Jun 27, 2018, 12:42:50 AM
to Wazuh mailing list
Hi Rafael,

Thank you for your quick answer.

I have already configured this in <global>; the following is my configuration:

  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.gmail.com</smtp_server>
    <email_from>krunal...@gmail.com</email_from>
    <email_to>krunal...@gmail.com</email_to>
    <email_maxperhour>1</email_maxperhour>
  </global>

I have set the SMTP server to smtp.gmail.com. Is it OK with this config? Can you please check this config and, if anything is wrong with it, suggest a fix?

Thanks & Regards,
Krunal.

rafael...@wazuh.com

Jun 27, 2018, 3:14:16 AM
to Wazuh mailing list
Hi Krunal,

The SMTP server must be localhost; postfix will redirect the mail to your Gmail SMTP.

It is exactly the same use case as yours.

Best regards


krunal kalaria

Jun 27, 2018, 4:02:06 AM
to Wazuh mailing list
So I will replace <smtp>smtp.gmail.com</smtp> with <smtp>localhost</smtp> and the rest of the procedure will remain the same, right? If I am not understanding it wrongly.

rafael...@wazuh.com

Jun 27, 2018, 4:54:37 AM
to Wazuh mailing list
Hi Krunal,

Yes, you are right. Tell me if it works.

Best regards.


krunal kalaria

Jun 27, 2018, 6:12:28 AM
to Wazuh mailing list
Thank you so much, Rafael,

It's working fine for me. Thanks for the help.

I have one question: currently I have configured Gmail, so I am getting alerts in Gmail.

Now I want to configure email alerts in Outlook. How can I get alerts in Outlook?

Please suggest and help me with this: email alerts in Outlook.

Thanks & Regards,
Krunal.

krunal kalaria

Jun 27, 2018, 6:59:13 AM
to Wazuh mailing list
This is my ossec.conf file:

  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>kalari...@gmail.com</email_from>
    <email_to>krunal...@gmail.com</email_to>
    <email_maxperhour>1</email_maxperhour>
  </global>

  <email_alerts>
    <email_to>krunal...@gmail.com</email_to>
    <event_location>192.168.203.158</event_location>
    <do_not_delay />
  </email_alerts>

  <email_alerts>
    <email_to>krunal...@gmail.com</email_to>
    <level>3</level>
    <do_not_delay />
  </email_alerts>

  <email_alerts>
    <email_to>krunal...@gmail.com</email_to>
    <rule_id>40111</rule_id>
    <do_not_delay />
  </email_alerts>

  <email_alerts>
    <email_to>krunal...@gmail.com</email_to>
    <rule_id>2501</rule_id>
    <do_not_delay />
  </email_alerts>

  <email_alerts>
    <email_to>krunal...@gmail.com</email_to>
    <rule_id>5557</rule_id>
    <do_not_delay />
  </email_alerts>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <reports>
    <category>syscheck</category>
    <title>Daily report: File changes</title>
    <email_to>krunal...@gmail.com</email_to>
  </reports>

  <reports>
    <level>3</level>
    <title>Daily report: Alerts with level higher than 3</title>
    <email_to>krunal...@gmail.com</email_to>
  </reports>

  <reports>
    <group>authentication_failed,</group>
    <srcip>192.168.203.158</srcip>
    <title>Auth_Report</title>
    <email_to>krunal...@gmail.com</email_to>
    <showlogs>yes</showlogs>
  </reports>

  <reports>
    <category>pci_dss_11.5</category>
    <title>Daily regulatory compliance report: PCIDSS 11.5 requeriment</title>
    <email_to>krunal...@gmail.com</email_to>
  </reports>

When I type a wrong password 5 to 6 times, I do not get an email, and I still see the same:

2018/06/27 03:43:05 ossec-maild: INFO: Started (pid: 39835).
2018/06/27 03:43:05 ossec-maild: INFO: Getting alerts in log format.
2018/06/27 03:43:20 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/27 03:43:23 ossec-maild: INFO: Started (pid: 40306).
2018/06/27 03:43:23 ossec-maild: INFO: Getting alerts in log format.
2018/06/27 03:46:21 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/27 03:46:24 ossec-maild: INFO: Started (pid: 40815).
2018/06/27 03:46:24 ossec-maild: INFO: Getting alerts in log format.
2018/06/27 03:47:02 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/27 03:47:04 ossec-maild: INFO: Started (pid: 41288).
2018/06/27 03:47:04 ossec-maild: INFO: Getting alerts in log format.
2018/06/27 03:49:27 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/27 03:49:31 ossec-maild: INFO: Started (pid: 42523).
2018/06/27 03:49:31 ossec-maild: INFO: Getting alerts in log format.
2018/06/27 03:50:06 ossec-maild: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/06/27 03:50:08 ossec-maild: INFO: Started (pid: 43253).
2018/06/27 03:50:08 ossec-maild: INFO: Getting alerts in log format.

One time I got the mail, but then I tried failing authentication many times and the alert does not seem to come. Please help me.


rafael...@wazuh.com

Jun 27, 2018, 7:24:49 AM
to Wazuh mailing list
Hi Krunal,

You are not getting the emails because you have:

<email_maxperhour>1</email_maxperhour>

You have only 1 email per hour. Please increase this number and restart the manager.

If you want to receive the email in your Outlook, add this to your ossec.conf file:

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>yes</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>kalariakrunal@gmail.com</email_from>
  <email_to>krunalkalaria@gmail.com</email_to>
  <email_to>YOUR_OUTLOOK_EMAIL</email_to>
  <email_maxperhour>1</email_maxperhour>
</global>

Best regards.
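The two problems diagnosed in this thread (a remote smtp_server instead of the local postfix relay, and an email_maxperhour of 1 that throttles alert delivery) are easy to lint for. The following script is an added example, not part of the thread or of Wazuh itself; the config fragment and addresses are constructed placeholders, the default of 12 for a missing email_maxperhour is an assumption, and the relay host is assumed to be localhost as Rafael advises.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the ossec.conf fragments posted in this thread
# (placeholder addresses). Both misconfigurations discussed above are present.
SAMPLE_CONF = """
<global>
  <email_notification>yes</email_notification>
  <smtp_server>smtp.gmail.com</smtp_server>
  <email_from>sender@example.com</email_from>
  <email_to>soc@example.com</email_to>
  <email_to>oncall@example.com</email_to>
  <email_maxperhour>1</email_maxperhour>
</global>
<email_alerts>
  <email_to>soc@example.com</email_to>
  <level>3</level>
  <do_not_delay />
</email_alerts>
<email_alerts>
  <email_to>soc@example.com</email_to>
  <rule_id>5557</rule_id>
  <do_not_delay />
</email_alerts>
"""


def lint_email_config(conf_text, relay_host="localhost"):
    """Return a list of findings for the mail settings of an ossec.conf
    fragment. ossec.conf has no single root element, so wrap it first."""
    root = ET.fromstring("<ossec_config>" + conf_text + "</ossec_config>")
    findings = []
    g = root.find("global")
    if g is None or (g.findtext("email_notification") or "no").strip() != "yes":
        findings.append("email_notification is not 'yes': ossec-maild sends nothing")
        return findings
    smtp = (g.findtext("smtp_server") or "").strip()
    if smtp != relay_host:
        findings.append(f"smtp_server is '{smtp}'; with a local postfix relay "
                        f"it must be '{relay_host}'")
    if not [e for e in g.findall("email_to") if e.text and e.text.strip()]:
        findings.append("no <email_to> recipient in <global>")
    # Assumed default of 12 when the option is absent (assumption, not verified).
    maxperhour = int((g.findtext("email_maxperhour") or "12").strip())
    granular = root.findall("email_alerts")
    if maxperhour < max(1, len(granular)):
        findings.append(f"email_maxperhour={maxperhour} is lower than the "
                        f"{len(granular)} granular <email_alerts> blocks: the "
                        "hourly cap is hit after the first alert(s)")
    return findings
```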


krunal kalaria

Jun 27, 2018, 7:35:26 AM
to Wazuh mailing list
Can we add more than one <email_to> field?

I will do the same configuration as you have mentioned; if anything comes up I will update you.

Thanks & Regards,
Krunal.

rafael...@wazuh.com

Jun 27, 2018, 9:19:26 AM
to Wazuh mailing list
Hi Krunal,

Yes, you can add multiple <email_to> fields like this:
<email_to>krunalkalaria@gmail.com</email_to>
<email_to>exa...@outlook.com</email_to>

Best regards.


krunal kalaria

Jun 28, 2018, 1:15:15 AM
to Wazuh mailing list
OK, I will do the same.

Now, how can I configure a domain email? I have my work email id kru...@aforecybersec.com and it is Microsoft Office 365.

So I want to configure that and receive email alerts at the above-mentioned email id. Please suggest how to configure it.

Thanks & Regards,
Krunal.