Email notifications part - Never got it working really

746 views
Skip to first unread message

Aleksandr Zaldak

unread,
Nov 28, 2017, 7:00:55 AM11/28/17
to Wazuh mailing list
Hi Guys,
Not sure what I'm doing wrong, but I never managed to resolve email notification part. The fact is, I never got any email as a start.

I have the following in my config:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>aspmx.l.google.com</smtp_server>
    <email_from>replaced1</email_from>
    <email_to>replaced2</email_to>
    <email_maxperhour>12</email_maxperhour>
  </global>

...
<alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>9</email_alert_level>
  </alerts>

  <email_alerts>
  <email_to>replaced3</email_to>
  <group>attacks|exploit_attempt</group>
  </email_alerts>

  <reports>
      <category>syscheck</category>
      <title>Daily report: File changes</title>
      <email_to>replaced3</email_to>
  </reports>

  <reports>
      <level>10</level>
      <title>Daily report: Alerts with level higher than 10</title>
      <email_to>replaced 4</email_to>
  </reports>


In /var/ossec/logs/ossec.log file i have:
2017/11/28 00:01:41 ossec-monitord: INFO: Starting daily reporting for 'Daily report: File changes'
2017/11/28 00:01:46 ossec-monitord: INFO: Report 'Daily report: File changes' completed. Creating output... how can I access the report on disk ? as I didn't get an email. Nothing in aspmx.l.google.com logs (via Google Apps reporting), so assume system never sent an report. Do I need to have local SMTP running for this to work ? No authentication is in place actually. Either Way, I have enabled postfix, but still got no emails.

Any advise ?
Thanks

#ENV
entOS Linux release 7.3.1611
wazuh-api-2.0.1-1.el7.x86_64
wazuh-manager-2.0.1-1.el7.x86_64
logstash-5.5.1-1.noarc

Jose Luis Ruiz

unread,
Nov 28, 2017, 7:26:43 AM11/28/17
to Aleksandr Zaldak, Wazuh mailing list
Hi Aleksandr,

SMTP with authentication like Gmail is not supported jet by Ossec/Wazuh manager, the only way to send mails through this SMTP is using a server relay, in the following link you can found the instructions to do this configuration:



I hope it helps.
Regards
————————
José Luis Ruiz.
Wazuh Inc.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f8ca55f3-d851-4d3b-9776-5b5a55f51c69%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Aleksandr Zaldak

unread,
Nov 28, 2017, 7:44:11 AM11/28/17
to Wazuh mailing list
I hear you, but rejection (or ANY activity) should have been logged somewhere. Either in /var/log/maillog, or Google side (we have acceess to reports/logs). Nothing is there. Is PHP/Python MTA used instead ?

Also, Google logs state that no email were sent. Dropped emails are also logged btw.
btw we use aspmx.l.google.com alot and according to https://support.google.com/a/answer/176600?hl=en, no authentication is required. The limitation is the fact that email will be accepted only if you send to Gmail users, which is true in our case. Again, this implies records in logs IF Wazuh sends an email. Also, there is  way to whitelist an IP that will be used as authorisation actually, which we also use time to time.



Update
Even without making sense, I decided to setup postfix as requested...
But I haven't specified anything in echo [smtp.gmail.com]:587 USERNAME@gmail.com:PASSWORD > /etc/postfix/sasl_passwd #Just skipped that part.

Sent a test email and got it delivered AND logged in postfix logs. Ossec still sends no emails I'm afraid, but it should as I attack the server with multiple sql injections at the moment.
gulp
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

Aleksandr Zaldak

unread,
Nov 28, 2017, 7:54:54 AM11/28/17
to Wazuh mailing list
Also, just changes SMTP part to a localhost
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN

Still no emails or logs :( So Google doesn't even count here anymore

I also added an email in rule declaration. as per https://documentation.wazuh.com/2.0/user-manual/manager/output-options/manual-email-report/index.html, still no go. I'm sure it's silly error on my side though.
Very odd

Jose Luis Ruiz

unread,
Nov 28, 2017, 9:06:44 AM11/28/17
to Aleksandr Zaldak, Wazuh mailing list

Hi Aleksandr

You are right the aspmx.l.google.com is no authentication required, but this service needs an extra configuration on your side to make it works, from the same link: https://support.google.com/a/answer/176600?hl=en

If your device or application doesn’t support SSL, you can only send mail to Gmail or G Suite users.

Use the restricted SMTP server aspmx.l.google.com.

Connect to aspmx.l.google.com on port 25.
Configure an SPF record for your domain with the IP address of the device or application to ensure that recipients don’t reject mail sent from it.
In your Google Admin console, add this IP address to the Email Whitelist box.

For example, if your sending device sends from 123.45.67.89, add that address to your SPF record without removing the G Suite mail servers from the record: v=spf1 ip4:123.45.67.89 include:_spf.google.com ~all.

Do you have the previous configuration done in your site/domain?

On the other hand, can run the following command cat /var/ossec/logs/ossec.log | grep ossec-maild and verify if you have any error?

Did you receive any mail from Ossec? Like Ossec server started, this email is always sent no matter which level setup in the configuration.

The Report is generated and sent once at midnight, and these reports are not stored in the disk, if you want to simulate the report you can run the following command:

cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f level 10


Regards
————————
José Luis Ruiz.
Wazuh Inc.


Aleksandr Zaldak

unread,
Nov 28, 2017, 9:20:54 AM11/28/17
to Wazuh mailing list
Thanks for the "report" command. Very useful actually!

cat /var/ossec/logs/ossec.log | grep ossec-maild returns 0 records, which explains why no email were sent or at least logged. It never runs apparently.

For the report, I get this:

So apparently the whole email section is ignored. Is there a debug option I can play with ?

Also, there seems to be a new version of manager 2.1.1-1.el7.. Worth installing ?
Thank you

 

Jose Luis Ruiz

unread,
Nov 28, 2017, 9:22:23 AM11/28/17
to Aleksandr Zaldak, Wazuh mailing list
Can run the following command cat /var/ossec/logs/ossec.log | grep ossec-maild and verify if you have any error?

Regards
————————
José Luis Ruiz.
Wazuh Inc.


Aleksandr Zaldak

unread,
Nov 28, 2017, 9:24:54 AM11/28/17
to Wazuh mailing list
It returns 0 results
[root@wazuh ~]# cat /var/ossec/logs/ossec.log | grep ossec-maild
[root@wazuh ~]#


Also, ossec-maild seems to be running as well. See below.

[root@wazuh ~]# ps -aux|grep ossec-maild
ossecm    7506  0.0  0.1  45696  2096 ?        S    12:48   0:00 /var/ossec/bin/ossec-maild
root      9851  0.0  0.1 112652  2284 pts/1    S+   14:24   0:00 grep --color=auto ossec-maild
[root@wazuh ~]#

Jose Luis Ruiz

unread,
Nov 28, 2017, 9:29:26 AM11/28/17
to Aleksandr Zaldak, Wazuh mailing list

Ok so,

If you are using aspmx.l.google.com you did the configuration in your Gmail site?

Connect to aspmx.l.google.com on port 25.
Configure an SPF record for your domain with the IP address of the device or application to ensure that recipients don’t reject mail sent from it.
In your Google Admin console, add this IP address to the Email Whitelist box.

For example, if your sending device sends from 123.45.67.89, add that address to your SPF record without removing the G Suite mail servers from the record: v=spf1 ip4:123.45.67.89 include:_spf.google.com ~all.


Regards
————————
José Luis Ruiz.
Wazuh Inc.


--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

Aleksandr Zaldak

unread,
Nov 28, 2017, 9:33:42 AM11/28/17
to Wazuh mailing list
Luis, you don't hear me :)

This is not Google issue. I have now switches to local SMTP and still have no records in the log file. Neither ossec-maild is triggered according to  /var/ossec/logs/ossec.log. I have also started ossec-maild:  debug mode
[root@wazuh ~]# cat /var/ossec/logs/ossec.log | grep maild
2017/11/28 14:25:16 ossec-maild: DEBUG: Starting ...

Please disregard Google part completely for now
Thank you
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

Jose Luis Ruiz

unread,
Nov 28, 2017, 9:57:51 AM11/28/17
to Aleksandr Zaldak, Wazuh mailing list

If i understan you have your configuration like:

  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>replaced1</email_from>
    <email_to>replaced2</email_to>
    <email_maxperhour>12</email_maxperhour>
  </global>
  ……
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>9</email_alert_level>
  </alerts>

  <email_alerts>
    <email_to>replaced3</email_to>
    <group>attacks|exploit_attempt</group>
  </email_alerts>

Try to do the next steps:

1- Stop ossec and verify that all services are stopped: 1 the server with /var/ossec/bin/ossec-control stop and ps axu | grep ossec

2- Start again the manager with /var/ossec/bin/ossec-control start and verify that the services are running ps axu | grep ossec

3- If you are using localhost verify that postfix is enabled systemctl status postfix

3- Search any error in ossec.log cat /var/ossec/logs/ossec.log | grep ERROR and cat /var/ossec/logs/ossec.log | grep ossec-maild

4- Verify if you have any error in maillog


Regards
————————
José Luis Ruiz.
Wazuh Inc.


To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

Aleksandr Zaldak

unread,
Dec 3, 2017, 2:04:09 PM12/3/17
to Wazuh mailing list
In the end I got it fixed by ...reinstalling wazuh from the scratch (and also removed all temp files and conf). I saved and restored all config files and history files and got it working with no data loss in the end.
 
Jose also kindly provided remote assistance with the issue, but in the end it was more ACL, not wazuh related issue, as my config files worked just fine on his end.
Thanks guys
Reply all
Reply to author
Forward
0 new messages