Re: How to setup Email Notification under Wazuh - All in one
2,776 views
Skip to first unread message
Message has been deleted
Message has been deleted
José Fernández
Dec 27, 2021, 5:39:11 AM12/27/21
to Wazuh mailing list
Hello Ritesh,
You can follow our documentation article that explains how to configure an SMTP server with Google mail but it could work with any other.
Only to remind that Google needs to allow access to third-party apps like postfix at this link https://myaccount.google.com/security
I hope it helps you, don't hesitate to ask us if you have any doubt.
On Monday, December 27, 2021 at 7:43:36 AM UTC+1 ree...@gmail.com wrote:
Pl refer output:root@XX01:/home/riteshpurbey# cat /var/ossec/etc/ossec.conf
<!--
Wazuh - Manager - Default configuration for ubuntu 20.04
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>yes</logall>
<logall_json>yes</logall_json>
<email_notification>yes</email_notification>
<smtp_server>SMTP_DNS_Namel</smtp_server>
<email_from>ossecm@domain_Name.com</email_from>
<email_to>us...@emailid.com</email_to>
<email_to> us...@emailid.com </email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>###
root@XX01:/home/riteshpurbey# ps aux | grep ossec-maild | grep -v grep
ossecm 1650302 0.0 0.0 36844 16652 ? Sl 03:35 0:04 /var/ossec/bin/ossec-maild
root@XX01:/home/riteshpurbey###On Monday, December 27, 2021 at 12:03:03 PM UTC+5:30 Reetaes purbey wrote:How to setup Email Notification under Wazuh - All in one..Note: we're using SMTP relay host.Best Regards,Ritesh PurbeyOn Monday, December 27, 2021 at 12:03:03 PM UTC+5:30 Reetaes purbey wrote:How to setup Email Notification under Wazuh - All in one..Note: we're using SMTP relay host.Best Regards,Ritesh Purbey
Message has been deleted
José Fernández
Dec 28, 2021, 4:43:28 AM12/28/21
to Wazuh mailing list
If you have all set up and configured you can test it simply by lowering the level of email alerts from 12 to 3. Then you will receive the restart alert from the manager or any agent by email.
The tag inside ossec.conf is <email_alert_level>12</email_alert_level>
On Monday, December 27, 2021 at 1:54:35 PM UTC+1 ree...@gmail.com wrote:
Hi Jose,we have 'SMTP relay' host and we already 'whitelist' the SIEM server under SMTP Relay host and under ossec.conf already called our internal Email id. Is there any way to test?when we are using a relay host- then 'No Authentication required'.riteshpurbey@deluxpsiem01:~$ telnet XX.XX.XX.XX 25
Trying XX.XX.XX.XX ...
Connected to XX.XX.XX.XX .
Escape character is '^]'.
Connection closed by foreign host.
riteshpurbey@ XX01:~$Best Regards,Ritesh Purbey
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/fc4a0630-7f8c-4d8c-9ed4-6181ef47147an%40googlegroups.com.
Message has been deleted
José Fernández
Dec 30, 2021, 3:57:01 AM12/30/21
to Wazuh mailing list
Could you try to send an email with postfix or any other tool inside the Wazuh AIO host? It seems to be a lack of configuration.
Please reply with the following information to help you:
1. What SMTP software are you using as an SMTP relay.
2. What configuration did you apply to it.
3. Did you follow some guide?
4. This SMTP server relay is working on another server or case?
5. Wazuh is up and running? do you receive and see Kibana alerts?
Thanks in advance. We will solve this matter.
On Tuesday, December 28, 2021 at 11:45:11 AM UTC+1 ree...@gmail.com wrote:
We did, but were not able to receive any email.Best Regards,Ritesh Purbey
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/96207c55-8960-4c40-8c6d-f86e57b90267n%40googlegroups.com.
Message has been deleted
José Fernández
Jan 4, 2022, 10:00:19 AM1/4/22
to Wazuh mailing list
Hello Ritesh,
There are any updates on this matter? Did you solve the problem? I'm waiting for your reply. Thanks!
There are any updates on this matter? Did you solve the problem? I'm waiting for your reply. Thanks!
On Friday, December 31, 2021 at 5:34:07 AM UTC+1 Reetaes purbey wrote:
Hi ,It's an Exchange connector for smtp relay and with another server we are able to receive alerts via smtp relay host whitelisting...will try with send mail from Wazuh Host and update you soon.Best Regards,Ritesh Purbey
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/24782bcb-926e-4ed1-b862-8b6e8dd745bdn%40googlegroups.com.
Message has been deleted
Message has been deleted
José Fernández
Jan 18, 2022, 4:38:24 AM1/18/22
to Wazuh mailing list
Hello Ritesh,
Thanks for your patience, to troubleshoot this we will need the following information:
1. Wazuh configuration, including mail.
2. Postfix configuration or the tool that are you using.
3. Send to us the Wazuh log, located at /var/ossec/logs/ossec.log
4. Execute wazuh-maild in the foreground with /var/ossec/bin/wazuh-maild -fdd and send to us any produced log.
We will try to check what's happening in a testing environment.
On Monday, January 10, 2022 at 7:10:33 PM UTC+1 Reetaes purbey wrote:
from to server able to trigger the mail but from tools not able to receive any alert.like : i have configured report from agent disconnected and other end i have stopped the service and waited 30 minutes .##echo "This is the body of the email" | mail -s "This is the subject line" ritesh...@company.com ==> able to receive the mail into my inbox.
Message has been deleted
Message has been deleted
Message has been deleted
José Fernández
Jan 28, 2022, 4:02:17 AM1/28/22
to Wazuh mailing list
Hello Ritesh,
Thanks for your patience. I have tested and reviewed all that you sent to me. I have some points that need your review.
1. Review your Postfix configuration file. The relayhost property is empty at least for the file you attached.
2. Instead of wazuh-maild, launch ossec-maild (We are migrating daemons).
3. As you mentioned your relay host is working good if you perform a test from the manager node to any other place. You can send mails from the manager manually. Confirm that it's true.
4. Also, check the mynetworks parameter inside postfix configuration it has some local IPs that maybe prevent sending mail outside of the own host.
Thanks for your patience. I have tested and reviewed all that you sent to me. I have some points that need your review.
1. Review your Postfix configuration file. The relayhost property is empty at least for the file you attached.
2. Instead of wazuh-maild, launch ossec-maild (We are migrating daemons).
3. As you mentioned your relay host is working good if you perform a test from the manager node to any other place. You can send mails from the manager manually. Confirm that it's true.
4. Also, check the mynetworks parameter inside postfix configuration it has some local IPs that maybe prevent sending mail outside of the own host.
On Friday, January 28, 2022 at 3:44:35 AM UTC+1 Reetaes purbey wrote:
Hi Team,Any update on the same!!!BR,RiteshOn Monday, January 24, 2022 at 9:44:24 AM UTC+5:30 Reetaes purbey wrote:Any update!!!Best Regards,RiteshOn Wed, Jan 19, 2022 at 7:02 PM Reetaes purbey <ree...@gmail.com> wrote:Hi ,PFA.root@XX01:/home/riteshpurbey# /var/ossec/bin/wazuh-maild -fdd
bash: /var/ossec/bin/wazuh-maild: No such file or directory
root@XX01:/home/riteshpurbey# /var/ossec/bin/
agent_control ossec-agentlessd ossec-execd ossec-monitord syscheck_control wazuh-clusterd
agent_groups ossec-analysisd ossec-integratord ossec-regex syscheck_update wazuh-db
agent_upgrade ossec-authd ossec-logcollector ossec-remoted update_ruleset wazuh-logtest
clear_stats ossec-control ossec-logtest ossec-reportd util.sh wazuh-modulesd
cluster_control ossec-csyslogd ossec-maild ossec-syscheckd verify-agent-conf
manage_agents ossec-dbd ossec-makelists rootcheck_control wazuh-apid
root@XX01:/home/riteshpurbey# /var/ossec/bin/wazuh-
wazuh-apid wazuh-clusterd wazuh-db wazuh-logtest wazuh-modulesd
root@XX01:/home/riteshpurbey# /var/ossec/bin/
agent_control ossec-agentlessd ossec-execd ossec-monitord syscheck_control wazuh-clusterd
agent_groups ossec-analysisd ossec-integratord ossec-regex syscheck_update wazuh-db
agent_upgrade ossec-authd ossec-logcollector ossec-remoted update_ruleset wazuh-logtest
clear_stats ossec-control ossec-logtest ossec-reportd util.sh wazuh-modulesd
cluster_control ossec-csyslogd ossec-maild ossec-syscheckd verify-agent-conf
manage_agents ossec-dbd ossec-makelists rootcheck_control wazuh-apid
root@XX01:/home/riteshpurbey# /var/ossec/bin/Best Regards,Ritesh
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/46f5f4ba-84c9-4295-b2f0-417d42daa7a7n%40googlegroups.com.
Calvin Nguyen
Mar 7, 2023, 4:55:57 AM3/7/23
to Wazuh mailing list
I'm newbie from wazuh.
Please help me setup alert email when the sever login fail. Please check the config
Best regards.
Mmesoma Okaro
May 12, 2023, 7:46:49 AM5/12/23
to Wazuh mailing list
I tried setting up my wazyh alert using office365 as my stmp mail provider... I followed the documentation on the official wazuh page on smtp authentication with office365 but i still cannot get any mail alert even after setting it up..
Please I need help and its urgent
Please I need help and its urgent
Facu Basgall
Dec 31, 2024, 8:43:57 AM12/31/24
to Wazuh | Mailing List
Hi, I have the same problem as Mmesoma Okaro, can you help me?
Reply all
Reply to author
Forward
0 new messages