Problem Receiving Email Alerts

Juan Ferdinan
Nov 6, 2022, 10:04:15 PM
to Wazuh mailing list
Hi Everyone

I have a problem with email alerts that are not being sent to the email users I have registered in the Wazuh manager's ossec.conf. Previously, email alerts worked perfectly without any problems. Here I describe the problem:
1. I just realized that the last email alert received by the user was on 2 Nov 2022
[screenshot attached: DF6F8CAB-1DEC-4D33-AEBF-6D3F343D2E05_1_201_a.jpeg]

2. I checked the registered email used to send the email alerts to the users who receive them; the last one was on 2 Nov 2022 too
[screenshot attached: E3089803-A26F-4349-A18D-6D2760643631_1_201_a.jpeg]

3. I only realized this after seeing the list of email alerts that should have been sent to the user's email, but the emails were not received by the user. It can be seen in points 1 and 2: point 1 is the last email alert received by the user and point 2 is the last email alert sent to the user. Why was the email in point 2 not received by the user?

Thanks & Regards
Juan

Damian Nicastro
Nov 7, 2022, 12:25:21 AM
to Wazuh mailing list
Hello Juan:
I hope you are fine.
As you probably know, the Wazuh manager does not have a built-in application to send mail to different recipients. We need to use a third-party application that acts as an SMTP relay to your mail server.
For instance, you can check how to configure Postfix as an SMTP relay using Google as the mail server in this document:

If all your configuration is correct and you can send test emails as described in the previous document, you can first check the log of your relay application to see if there was some problem sending the emails. In Postfix, the log is located by default in /var/log/maillog. If there is some issue in this log, you can share it with me and we can analyze it. If there is no error, the problem is outside the Wazuh server. You might need to check whether your mail server or some device in the middle is rejecting the mail sent by the Wazuh server.
Please also share the "global configuration" of your Wazuh server and the configuration of the SMTP relay.

I hope this helps.
Thanks

Juan Ferdinan
Nov 7, 2022, 2:03:24 AM
to Wazuh mailing list
Hi Damian

After I checked the logs in /var/log/maillog, there seems to be a problem. Please help me analyze it:
[screenshot attached: 59906CDB-C16A-4350-94AF-95DD00B9083E_1_201_a.jpeg]

Here I attach the global Wazuh server configuration and the SMTP relay configuration:
[screenshot attached: 824ABFC8-7B14-4DD5-838F-7A9739E2FD72_1_201_a.jpeg]
[screenshot attached: 79250738-CF27-4CF4-B6C7-B01F6DDAC5C0_1_201_a.jpeg]

Thanks & Regards
Juan

Damian Nicastro
Nov 7, 2022, 3:08:16 AM
to Wazuh mailing list
Hi Juan:
It seems quite clear that the Wazuh server cannot connect to the mail server. First, ensure that a simple mail sent from the Wazuh server can be received, by executing the Postfix command:
# echo "Test mail from postfix" | mail -s "Test Postfix" -r "y...@example.com" y...@example.com
Beforehand, I would also tail the Postfix log to see what happens when Postfix tries to send the mail:
# tail -f /var/log/maillog
If the test mail is not received, we can confirm that there is a connectivity issue between your Wazuh server and the mail server. Ensure that port 587 is not being used or blocked in the Wazuh server firewall or in any other device in between.

Regarding the configuration of Postfix itself, please check the validity of the CA cert. It might be expired:
# openssl x509 -enddate -noout -in /etc/ssl/certs/ca-certificates.crt

Finally, checking your Wazuh configuration, I can see that <email_alert_level> is not configured in the <alerts> section. This means that the default value of level=12 will be used.
The granular "email_alerts" options you have configured will not trigger any mail because the previous configuration has higher priority. Only alerts with level 12 or higher will trigger mail in this case. To overcome this, you have to add this to your config:
# vi /var/ossec/etc/ossec.conf
...
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>4</email_alert_level>
</alerts>
...
And then restart your wazuh-manager:
# systemctl restart wazuh-manager

With this config, your configured recipients will receive up to 12 mails per hour from alerts with level=4 or higher.

I hope this helps.
Thanks

Juan Ferdinan
Nov 7, 2022, 3:45:05 AM
to Wazuh mailing list
Hi Damian

I don't get an email after running the following command: # echo "Test mail from postfix" | mail -s "Test Postfix" -r "y...@example.com" y...@example.com
Here is the result of the command # tail -f /var/log/maillog
[screenshot attached: AAAC347E-6E62-43B9-8AAC-7854FA741F47_1_201_a.jpeg]

I've also checked the certificate:
[screenshot attached: 5FF7300B-5876-408F-B8A0-805A1965D67C_1_201_a.jpeg]

Isn't this configuration you mentioned
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>4</email_alert_level>
</alerts>
the same as what I did (I marked it with a green box)?
[screenshot attached: 824ABFC8-7B14-4DD5-838F-7A9739E2FD72_1_201_a.jpeg]

Thanks & Regards
Juan

Damian Nicastro
Nov 7, 2022, 4:17:08 AM
to Wazuh mailing list
Hi Juan:
The Postfix config must be only as detailed in the documentation. It seems that something is overriding the relay host for some reason. Please configure it as mentioned in the documentation and leave the rest as default:
Do not forget to restart the Postfix service after the change:
# systemctl reload postfix

Regarding the Wazuh configuration, it is not the same because the "alerts" configuration has precedence. It will override the "email_alerts" section that you have configured. For more information, please check the following document:
However, this is meaningless if you are not able to receive a test email with the Postfix command.
I hope this helps.
Thanks


Juan Ferdinan
Nov 7, 2022, 10:47:28 PM
to Wazuh mailing list
Hi Damian

Can you help me with this error?
[screenshot attached: 8BB839DE-7559-4027-9BFB-7BF078A7A263_1_201_a.jpeg]

I have followed the configuration in the link you provided, SMTP server with authentication - Configuring email alerts (wazuh.com), but the error "overriding earlier entry: relayhost=" still appears.
Here I also attach the configuration I did in main.cf:
[screenshot attached: 0118CE49-D5B0-40AC-AE11-6E7BD6FCE31F_1_201_a.jpeg]

Thanks & Regards
Juan

Damian Nicastro
Nov 8, 2022, 1:59:39 AM
to Wazuh mailing list
Hello Juan:
I hope you are fine.
It seems you might have a duplicated entry for the "relayhost" parameter. Please check it with this command:
# grep -R "relayhost" /etc/postfix/

If you find it, remove it and reload the Postfix service as mentioned before. If you don't find anything, I would suggest removing and reinstalling Postfix to start from a fresh "main.cf" file.
I hope this helps.
Thanks
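The two configuration checks raised in this thread, the duplicated relayhost in Postfix main.cf (this reply) and the missing <email_alert_level> that leaves the default of 12 in force (the earlier reply), as an added offline example. This is not code from the thread, from Wazuh or from Postfix; the file contents are constructed samples written to a temporary directory, the hostnames are hypothetical, and nothing is sent over the network:

```shell
#!/bin/sh
# Added example, not from the thread or from Wazuh/Postfix. All file contents
# below are constructed samples; hostnames such as smtp.example.test are
# hypothetical.

TMPD=$(mktemp -d)

# Constructed main.cf with relayhost assigned twice: Postfix keeps the last
# value (here empty) and logs "overriding earlier entry: relayhost=".
BAD_MAIN_CF="$TMPD/main.bad.cf"
cat > "$BAD_MAIN_CF" <<'EOF'
myhostname = wazuh.example.test
relayhost = [smtp.example.test]:587
smtp_sasl_auth_enable = yes
relayhost =
EOF

# Constructed main.cf with a single relayhost, as the documentation expects.
GOOD_MAIN_CF="$TMPD/main.good.cf"
cat > "$GOOD_MAIN_CF" <<'EOF'
myhostname = wazuh.example.test
relayhost = [smtp.example.test]:587
smtp_sasl_auth_enable = yes
EOF

# Constructed ossec.conf fragments: one without <email_alert_level>, so the
# Wazuh default of 12 applies, and one with the threshold lowered to 4.
OSSEC_DEFAULT="$TMPD/ossec.default.conf"
cat > "$OSSEC_DEFAULT" <<'EOF'
<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
  </alerts>
</ossec_config>
EOF

OSSEC_L4="$TMPD/ossec.l4.conf"
cat > "$OSSEC_L4" <<'EOF'
<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>4</email_alert_level>
  </alerts>
</ossec_config>
EOF

# Number of assignments of parameter $1 in Postfix config file $2.
# Anything above 1 is the "overriding earlier entry" case.
count_param() {
    grep -cE "^[[:space:]]*$1[[:space:]]*=" "$2" || true
}

# Effective <email_alert_level> from ossec.conf $1; 12 when the element is
# absent, matching the Wazuh default named in the thread.
effective_email_alert_level() {
    lvl=$(sed -n 's/.*<email_alert_level>\([0-9][0-9]*\)<\/email_alert_level>.*/\1/p' "$1" | head -n 1)
    [ -n "$lvl" ] && echo "$lvl" || echo 12
}

# Exit 0 when an alert of level $1 would be mailed under ossec.conf $2.
would_mail() {
    [ "$1" -ge "$(effective_email_alert_level "$2")" ]
}

echo "relayhost assignments (bad main.cf):  $(count_param relayhost "$BAD_MAIN_CF")"
echo "relayhost assignments (good main.cf): $(count_param relayhost "$GOOD_MAIN_CF")"
echo "email_alert_level (element absent):   $(effective_email_alert_level "$OSSEC_DEFAULT")"
echo "email_alert_level (set to 4):         $(effective_email_alert_level "$OSSEC_L4")"
```

Point count_param at the real /etc/postfix/main.cf to confirm a single relayhost before reloading Postfix, and run would_mail with the level of a rule you expect to be mailed against /var/ossec/etc/ossec.conf to see whether the global threshold, not the granular email_alerts blocks, is what is suppressing the mail.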

Juan Ferdinan
Nov 8, 2022, 3:52:07 AM
to Wazuh mailing list
Hi Damian

Thanks for the help. Now I can receive the email alerts; this was due to IP and port blocking by the network team, and the error message "overriding earlier entry: relayhost=" no longer appears.

Regards
Juan

Damian Nicastro
Nov 8, 2022, 4:10:52 AM
to Wazuh mailing list
Hi Juan:
I am glad you could find the issue. As we mentioned previously, most of the time these kinds of issues are related to connectivity.
Thanks

Juan Ferdinan
Dec 6, 2022, 11:51:51 PM
to Wazuh mailing list
Hi Damian

Can I still ask about this email alert problem again?
The problem I'm facing now is that none of the Wazuh alerts are being mailed, even though I have set the email alert level to 5. Is there something wrong, and how do I check it?
Shouldn't the alerts that were successfully generated also be visible here?
[screenshot attached: CD40EFDF-D13A-4C43-917D-DC82F30CA99E_1_201_a.jpeg]