Wazuh custom rules email alerts


Jerome Nelson Jayaprakash

Jul 25, 2023, 2:44:37 AM
to Wazuh mailing list
Hello Community,

I am new to Wazuh and am having some trouble getting email alerts from custom rules and some predefined rules. I had configured the ossec.conf file to receive email alerts for rule level 10 and above. I could receive alerts for level 10 but got flooded with emails, so I set it to 11. After that I couldn't receive any alerts; however, I could see the events with rule levels 11 to 14 in the security events.

Please advise if I am missing anything here?

Julia Magán Rodríguez

Jul 25, 2023, 3:25:39 AM
to Wazuh mailing list

Hello,

To see what might be happening, we must check that the mail server is working correctly and that the configuration is correct. To do this:

1. Send a test mail to see if we can receive emails:
   echo "Test mail from postfix" | mail -s "Test Postfix" -r "y...@example.com" y...@example.com
2. If we do not receive any mail, look in /var/log/maillog to see if there is an error logged.
3. If everything works correctly, we should check the manager configuration and logs:
   egrep -iE "error|warn" /var/ossec/logs/ossec.log

Jerome Nelson Jayaprakash

Jul 27, 2023, 5:56:25 AM
to Wazuh mailing list
Hi Julia,

I have checked the logs and found nothing suspicious in there. I have tried adding the <email_to> tag to <global> and received the email alerts between level 10 and 14. However, I need it to work with the <integration>, as I have written a custom email alert in it. No alerts are being received from it; the configuration is added below for your reference.

<integration>
  <name>custom-email-alerts-all</name>
  <hook_url>jer...@example.com</hook_url>
  <level>11</level>
  <alert_format>json</alert_format>
</integration>

Julia Magán Rodríguez

Jul 28, 2023, 5:32:46 AM
to Wazuh mailing list

Hello,

Could you check if the script has the expected permissions?

ls -lah /var/ossec/integrations

Also, if that script comes from this one, you have to configure email_server and email_from inside it.

To reproduce your use case, could you tell me what OS and what version of Wazuh you are using? If you could also share the script you are using (if it does not have sensitive information), it would be helpful.
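For reference, here is what a minimal custom-email-alerts integration script of the kind discussed above (the `<integration>` block in Jerome's post, and the email_server / email_from settings Julia mentions) can look like. This is an added example, not Jerome's script and not Wazuh's own code. It assumes the argument convention Wazuh uses when it runs an integration script (alert file path, API key, hook_url as positional arguments) and treats hook_url as the recipient address, as the posted `<integration>` block does. SMTP_SERVER, EMAIL_FROM and MIN_LEVEL are assumed names that must be set for the local environment, and the sample alert in the test is constructed.

```python
#!/usr/bin/env python3
"""Custom Wazuh integration script: e-mail one alert.

Added example, not Jerome's script or Wazuh's own code. Wazuh invokes an
integration script as:  <script> <alert_file> <api_key> <hook_url>
The alert file holds the alert as JSON; hook_url is reused here as the
recipient address, matching the <integration> block in the thread.
"""
import json
import smtplib
import sys
from email.message import EmailMessage

# Assumed settings; these must be edited for your environment (the point
# raised in the thread: the mail server and sender are configured inside
# the script, not in ossec.conf).
SMTP_SERVER = "localhost"
EMAIL_FROM = "wazuh@example.com"
# Wazuh already filters with <level> in the <integration> block; the script
# re-checks so that it stays safe if reused with a different threshold.
MIN_LEVEL = 11


def load_alert(path):
    """Read the alert JSON Wazuh writes for the integration.

    The file is parsed line by line and the first JSON object returned, so
    the script also copes with a file carrying several alerts.
    """
    with open(path, "r", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line:
                return json.loads(line)
    raise ValueError(f"no alert found in {path}")


def build_message(alert, recipient, sender=EMAIL_FROM):
    """Return an EmailMessage for the alert, or None if it is below MIN_LEVEL."""
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0))
    if level < MIN_LEVEL:
        return None
    agent = alert.get("agent", {}).get("name", "unknown")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = (
        f"Wazuh alert level {level}: {rule.get('description', 'no description')}"
    )
    body = (
        f"Rule ID: {rule.get('id')}\n"
        f"Level: {level}\n"
        f"Agent: {agent}\n"
        f"Timestamp: {alert.get('timestamp')}\n"
        f"Groups: {', '.join(rule.get('groups', []))}\n\n"
        f"Full log:\n{alert.get('full_log', '')}\n"
    )
    msg.set_content(body)
    return msg


def send(msg, server=SMTP_SERVER):
    """Hand the message to the local MTA (e.g. the postfix tested earlier)."""
    with smtplib.SMTP(server) as smtp:
        smtp.send_message(msg)


def main(argv):
    if len(argv) < 4:
        print("usage: custom-email-alerts-all ALERT_FILE API_KEY HOOK_URL",
              file=sys.stderr)
        return 2
    alert = load_alert(argv[1])
    msg = build_message(alert, recipient=argv[3])
    if msg is None:
        return 0
    send(msg)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script is installed under the name given in `<name>` (here custom-email-alerts-all, without an extension) in the integrations directory, which is why a shebang is needed; the Wazuh documentation asks for custom scripts to be executable and owned by root:wazuh with mode 750, which is the permission check suggested above. Any failure (unreachable SMTP server, rejected sender) surfaces as an integratord error in /var/ossec/logs/ossec.log, so that is the first place to look when the `<integration>` path stays silent while `<global>` email works.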
