How do I configure a rule to send an email when Event 6416 arrives at the manager?


Alberto Marín

Aug 31, 2017, 5:42:32 AM
to Wazuh mailing list
Hi Yolanda,

If you can see event 6416 in the Event Viewer, the problem must be in the decoder/rules. To check them, please use ossec-logtest:

/var/ossec/bin/ossec-logtest

You can use this example alert to test:

2017 May 26 04:27:44 WinEvtLog: Security: AUDIT_SUCCESS(6416): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-EDHF85L4G6H: A new external device was recognized by the system. Subject: Security ID: S-1-5-18 Account Name: WIN-EDHF85L4G6H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Device ID: STORAGE\Volume\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_1.00#60A44C413DF8FE11898C0148&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Device Name: Volume Class ID: {71A27CDD-812A-11D0-BEC7-08002BE2092F} Class Name: Volume Vendor IDs: STORAGE\Volume Compatible IDs: – Location Information: –


If everything is configured correctly, you should obtain the following output:

**Phase 1: Completed pre-decoding.
       full event: '2017 May 26 04:27:44 WinEvtLog: Security: AUDIT_SUCCESS(6416): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-EDHF85L4G6H: A new external device was recognized by the system. Subject: Security ID: S-1-5-18 Account Name: WIN-EDHF85L4G6H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Device ID: STORAGE\Volume\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_1.00#60A44C413DF8FE11898C0148&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Device Name: Volume Class ID: {71A27CDD-812A-11D0-BEC7-08002BE2092F} Class Name: Volume Vendor IDs: STORAGE\Volume Compatible IDs: – Location Information: –'
       hostname: 'ubuntu'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_SUCCESS(6416): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-EDHF85L4G6H: A new external device was recognized by the system. Subject: Security ID: S-1-5-18 Account Name: WIN-EDHF85L4G6H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Device ID: STORAGE\Volume\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_1.00#60A44C413DF8FE11898C0148&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Device Name: Volume Class ID: {71A27CDD-812A-11D0-BEC7-08002BE2092F} Class Name: Volume Vendor IDs: STORAGE\Volume Compatible IDs: – Location Information: –'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Security'
       status: 'AUDIT_SUCCESS'
       id: '6416'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'WIN-EDHF85L4G6H'
       subject.security_id: 'S-1-5-18'
       subject.account_name: 'WIN-EDHF85L4G6H$'
       subject.account_domain: 'WORKGROUP'
       subject.logon_id: '0x3E7'
       account_name: 'WIN-EDHF85L4G6H$'
       account_domain: 'WORKGROUP'
       usb.vendor: 'Kingston'
       usb.product: 'DataTraveler_3.0'
       usb.rev: '1.00'
       usb.serial_number: '60A44C413DF8FE11898C0148'

**Phase 3: Completed filtering (rules).
       Rule id: '100003'
       Level: '7'
       Description: 'Windows: Unauthorized PNP device connected.'
**Alert to be generated.


If not, please copy the output to this thread and we can check what is happening.



Regarding your other question, about sending an email when the alert is received, you can add the option "alert_by_email" to the rule for which you want to receive an email.
In this case, the rule should be as follows:

<rule id="100003" level="7">
  <options>alert_by_email</options>
  <if_sid>18104</if_sid>
  <id>^6416$</id>
  <list field="usb.serial_number" lookup="not_match_key">etc/lists/usb-devices</list>
  <description>Windows: Unauthorized PNP device connected.</description>
</rule>

Best regards,

On Thursday, August 31, 2017 at 1:58:07 AM UTC+2, yolanda wrote:

I cannot find any trace of this Event 6416 in the manager log: /var/ossec/logs/alerts/alerts.log

Please advise.
Thanks and Regards
  Yolanda


On 2017-08-30 17:54, yolanda wrote:
Hi Team

I already have Wazuh installed:

    Wazuh server:
    Elastic Stack:
    Wazuh agent:

Installed in single-host architectures configuration

I have 2 Windows Wazuh agents running and attached to the Wazuh manager.

I already configured Local Security Policy for USB detection based on:

https://blog.wazuh.com/monitoring-usb-drives-in-windows-using-wazuh/


In Windows, in the Event Viewer I am able to see the event
"6416: A new external device was recognized by the System"


1) How can I locate it in the Kibana viewer?

2) And how do I configure a rule to send an email when that Event 6416
arrives at the manager?

Any idea?
Thanks in advance!
Regards,
 Yolanda

Alberto Marín

Sep 1, 2017, 7:30:43 AM
to Wazuh mailing list
Hi Yolanda,

Here are the answers to your question about the rules:

1. If you need to send an alert regardless of whether it is authorized or not, just remove the <list> tag and change the rule description. In this case you don't need to create a CDB list.

<rule id="100003" level="7">
  <if_sid>18104</if_sid>
  <id>^6416$</id>
  <description>Windows: PNP device connected.</description>
</rule>


Now, every time a Plug And Play device is connected, an alert will be generated.


2. If you need to send an email when this alert is generated, first check the email alert level in your ossec.conf file:

 <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

By default, the alert by email is configured to level 12. This means that only alerts with level 12 or higher, or alerts with the tag <options>alert_by_email</options> will be sent by email.

There are some options if you need to receive this kind of alert by email:
  •  Increase the rule level.
  •  Decrease the email_alert_level value in the ossec.conf file. This change can cause you to receive a large amount of emails.
  •  Add the tag <options>alert_by_email</options> in your rule.
  •  Configure email_alerts and add the tag <rule_id>100003</rule_id> in the ossec.conf file.

You can get more information about the options above and about sending alerts by email in the Wazuh documentation: 
https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html


Best regards,
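To make the decoding, the CDB list lookup and the email-level logic from the two replies above concrete, here is an added Python emulation (not Wazuh code and not from the thread's authors): it extracts the fields the 'windows' decoder shows for event 6416, applies rule 100003 with and without the <list> condition, and decides whether the alert would be mailed under a given email_alert_level. The regexes, the Rule class and the two sample events are assumptions of this example, built from the log lines quoted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample events in the WinEvtLog shape quoted in this thread: the Kingston
# stick from the ossec-logtest example and the HID mouse from the notification email.
KINGSTON_EVENT = (
    "2017 May 26 04:27:44 WinEvtLog: Security: AUDIT_SUCCESS(6416): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-EDHF85L4G6H: "
    "A new external device was recognized by the system. Subject: Security ID: S-1-5-18 "
    "Account Name: WIN-EDHF85L4G6H$ Account Domain: WORKGROUP Logon ID: 0x3E7 "
    "Device ID: STORAGE\\Volume\\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0"
    "&Rev_1.00#60A44C413DF8FE11898C0148&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} "
    "Device Name: Volume Class ID: {71A27CDD-812A-11D0-BEC7-08002BE2092F} "
    "Class Name: Volume Vendor IDs: STORAGE\\Volume Compatible IDs: - Location Information: -"
)
MOUSE_EVENT = (
    "2017 Sep 12 16:57:50 WinEvtLog: Security: AUDIT_SUCCESS(6416): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: SALES4-PC: "
    "A new external device was recognized by the system. Subject: Security ID: S-1-5-18 "
    "Account Name: SALES4-PC$ Account Domain: WORKGROUP Logon ID: 0x3E7 "
    "Device ID: USB\\VID_045E&PID_0040\\5&238dc4ef&0&6 Device Name: Microsoft USB Wheel "
    "Mouse Optical Class ID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} Class Name: HIDClass "
    "Vendor IDs: USB\\VID_045E&PID_0040&REV_0300 Compatible IDs: USB\\Class_03 "
    "Location Information: Port_#0006.Hub_#0003"
)

# Decoder emulation (assumed regexes, not the real Wazuh 'windows' decoder).
HEADER_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} WinEvtLog: (?P<type>[^:]+): "
    r"(?P<status>[A-Z_]+)\((?P<id>\d+)\): (?P<extra_data>[^:]+): (?P<dstuser>[^:]+): "
    r"[^:]+: (?P<system_name>[^:]+): (?P<message>.*)$"
)
SUBJECT_RE = re.compile(
    r"Security ID: (?P<sid>\S+) Account Name: (?P<name>\S+) "
    r"Account Domain: (?P<domain>\S+) Logon ID: (?P<logon>\S+)"
)
# Only mass-storage devices carry a USBSTOR hardware id with vendor/product/rev/serial;
# a HID mouse has no usb.serial_number, which matters for the <list> lookup below.
USBSTOR_RE = re.compile(
    r"USBSTOR#Disk&Ven_(?P<vendor>[^&]+)&Prod_(?P<product>[^&]+)"
    r"&Rev_(?P<rev>[^#]+)#(?P<serial>[^&#]+)"
)


def decode(event: str) -> dict:
    """Phase 2: extract the fields the thread's ossec-logtest output shows."""
    m = HEADER_RE.match(event)
    if not m:
        return {}
    fields = {k: v for k, v in m.groupdict().items() if k != "message"}
    s = SUBJECT_RE.search(m["message"])
    if s:
        fields.update({"subject.security_id": s["sid"], "subject.account_name": s["name"],
                       "subject.account_domain": s["domain"], "subject.logon_id": s["logon"]})
    u = USBSTOR_RE.search(m["message"])
    if u:
        fields.update({"usb.vendor": u["vendor"], "usb.product": u["product"],
                       "usb.rev": u["rev"], "usb.serial_number": u["serial"]})
    return fields


@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    options: set = field(default_factory=set)          # e.g. {"alert_by_email"}
    # Emulates <list field="usb.serial_number" lookup="not_match_key">: the serials in
    # the CDB list (authorised devices). None means the <list> tag was removed.
    authorised_serials: Optional[set] = None


def evaluate(rule: Rule, fields: dict) -> Optional[dict]:
    """Phase 3: fire the rule when the event id is 6416 and the list condition holds."""
    if fields.get("id") != "6416":
        return None
    if rule.authorised_serials is not None:
        serial = fields.get("usb.serial_number")
        # No serial (non-storage device) means there is no key to look up: no alert.
        if serial is None or serial in rule.authorised_serials:
            return None
    return {"rule_id": rule.rule_id, "level": rule.level, "description": rule.description}


def sent_by_email(alert: dict, rule: Rule, email_alert_level: int = 12) -> bool:
    """Mail goes out when the level reaches email_alert_level or the rule has alert_by_email."""
    return alert["level"] >= email_alert_level or "alert_by_email" in rule.options
```

Note that with the <list> condition kept, the HID mouse never produces an alert because it has no usb.serial_number to look up; with the tag removed, every 6416 event fires.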

yol...@saitechnology.com

Sep 1, 2017, 3:41:16 PM
to wa...@googlegroups.com
Hi All,

Maybe I should create a new thread for this question, but I was trying
to find a new topic option, and when I log in, I cannot find the new
topic option anywhere.

(I attached the screen I get as soon as I log in to my Google account)

My question is the following:

How can I get regulatory compliance reports? This is a very important
requirement for us.

Do I need to export the information in CSV format or something like that?

I cannot find any Report option.

Could you please advise?

Thanks very much in advance.
Regards
Yolanda


yol...@saitechnology.com

Sep 1, 2017, 4:45:36 PM
to wa...@googlegroups.com
Sorry for the typo:
I meant to say Regulatory compliance


Miguelangel Freitas

Sep 4, 2017, 5:19:00 PM
to yol...@saitechnology.com, Wazuh mailing list
Hi Yolanda,

Currently, Wazuh can generate daily reports to be sent by email; these reports can also be configured to send a summary of alerts using the group or category alert field. The Wazuh ruleset is mapped to the PCI-DSS compliance requirements, so you can generate daily reports using their PCI-DSS group name:

<ossec_config>
  <reports>
      <category>pci_dss_11.4</category>
      <title>Daily report: PCIDSS 11.4 requeriment</title>
      <email_to>exa...@test.com</email_to>
  </reports>
</ossec_config>

The above will send a daily report email to exa...@test.com with all generated alerts and will filter the output by the pci_dss_11.4 group. The Wazuh manager can't create a report of these alerts in a format like CSV or similar, just plain text. You could find more information regarding reports generation options here: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/reports.html

A workaround could be the use of a Kibana visualization. The Wazuh app ships with several visualizations; one of them is "Requirements by agent", a Data table visualization that shows you the generated alerts grouped by the source agent and the PCI-DSS requirement number.


Then you could export the results of the visualization into a CSV file using the "Formatted" export button.

With Kibana you can also set the timeframe used to display data in the visualization, which helps you filter the output easily.

I hope it helps.

Best regards

Miguelangel Freitas
Security Engineer



--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/13a99741aa8fc8393a378d148795ca86%40saitechnology.com.
For more options, visit https://groups.google.com/d/optout.
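As an added illustration (not Wazuh code and not from this thread's author) of how the <reports> filters combine and how the "Requirements by agent" table could be exported to CSV when the manager itself only produces plain text: the records below are constructed in the shape of Wazuh alerts.json lines, and the select, requirements_by_agent, to_csv and render_report helpers are assumptions of this example, with category accepted either as "pci_dss_11.4" or "11.4".

```python
import csv
import io
import json
from collections import Counter

# Constructed alerts.json lines in the shape of Wazuh alert records (not real data).
ALERTS_JSON = """
{"timestamp":"2017-09-14T10:01:12-0600","agent":{"id":"001","name":"webserver"},"srcip":"192.168.1.141","rule":{"id":"5716","level":5,"description":"sshd: authentication failed.","groups":["syslog","sshd","authentication_failed"],"pci_dss":["10.2.4","10.2.5"]},"full_log":"Sep 14 10:01:12 webserver sshd[2201]: Failed password for invalid user admin from 192.168.1.141 port 52002 ssh2"}
{"timestamp":"2017-09-14T10:01:40-0600","agent":{"id":"001","name":"webserver"},"srcip":"192.168.1.141","rule":{"id":"5712","level":10,"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"pci_dss":["11.4","10.2.4","10.2.5"]},"full_log":"Sep 14 10:01:40 webserver sshd[2207]: Failed password for invalid user admin from 192.168.1.141 port 52010 ssh2"}
{"timestamp":"2017-09-14T11:20:05-0600","agent":{"id":"003","name":"dbserver"},"srcip":"10.0.0.9","rule":{"id":"5712","level":10,"description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"],"pci_dss":["11.4","10.2.4","10.2.5"]},"full_log":"Sep 14 11:20:05 dbserver sshd[918]: Failed password for root from 10.0.0.9 port 40110 ssh2"}
{"timestamp":"2017-09-14T16:57:53-0600","agent":{"id":"002","name":"Agent002"},"rule":{"id":"100003","level":12,"description":"Windows: PNP device connected.","groups":["windows","local"]},"full_log":"2017 Sep 14 16:57:50 WinEvtLog: Security: AUDIT_SUCCESS(6416): A new external device was recognized by the system."}
"""


def load_alerts(text: str) -> list:
    """One JSON object per line, as in /var/ossec/logs/alerts/alerts.json."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def select(alerts, category=None, group=None, srcip=None) -> list:
    """Apply the same filters a <reports> block takes; every given filter must match."""
    req = None
    if category is not None:
        # The report category "pci_dss_11.4" names the requirement "11.4" in rule.pci_dss.
        req = category[len("pci_dss_"):] if category.startswith("pci_dss_") else category
    chosen = []
    for a in alerts:
        rule = a["rule"]
        if req is not None and req not in rule.get("pci_dss", []):
            continue
        if group is not None and group not in rule.get("groups", []):
            continue
        if srcip is not None and a.get("srcip") != srcip:
            continue
        chosen.append(a)
    return chosen


def requirements_by_agent(alerts) -> Counter:
    """Count alerts per (agent, PCI DSS requirement), like the Kibana data table."""
    counts = Counter()
    for a in alerts:
        for req in a["rule"].get("pci_dss", []):
            counts[(a["agent"]["name"], req)] += 1
    return counts


def to_csv(counts: Counter) -> str:
    """The CSV export the manager cannot produce on its own."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["agent", "pci_dss_requirement", "alerts"])
    for (agent, req), n in sorted(counts.items()):
        writer.writerow([agent, req, n])
    return buf.getvalue()


def render_report(title: str, alerts, showlogs: bool = False) -> str:
    """Plain-text summary in the spirit of the daily report; showlogs appends full_log."""
    lines = [title, "=" * len(title), f"Total alerts: {len(alerts)}", ""]
    per_rule = Counter((a["rule"]["id"], a["rule"]["description"]) for a in alerts)
    for (rid, desc), n in sorted(per_rule.items()):
        lines.append(f"Rule {rid} ({desc}): {n}")
    if showlogs:
        lines.append("")
        lines.extend(a["full_log"] for a in alerts)
    return "\n".join(lines)
```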

yol...@saitechnology.com

Sep 13, 2017, 5:38:07 PM
to Miguelangel Freitas, Wazuh mailing list

Hi Miguel,

Thanks very much for your advice.

I created the following rules in:

/var/ossec/etc/ossec.conf

based on your advice and on the reports help link:


<ossec_config>

  <reports>
      <category>pci_dss_11.4</category>
      <title>Daily regulatory compliance report: PCIDSS 11.4 requeriment</title>
      <email_to>yol...@saitechnology.com</email_to>
  </reports>

<reports>
  <group>authentication_failed,</group>
  <srcip>192.168.1.141</srcip>
  <title>Auth_Report</title>
  <email_to>yol...@saitechnology.com</email_to>
  <showlogs>yes</showlogs>
</reports>

</ossec_config>

And restarted the wazuh-manager service.

But I still have not received any report.

What am I missing?
Do I need to restart some other component?

Please advise.
Thanks!
  Yolanda





Miguelangel Freitas

Sep 13, 2017, 6:02:08 PM
to yol...@saitechnology.com, Wazuh mailing list
Hi Yolanda,

The daily reports, like the email notifications, use the same generic configuration; you must configure these email options correctly in order to receive daily reports. You can set these options in the ossec.conf file of the Wazuh manager, as in the following example:

<ossec_config>
    <global>
        <email_notification>yes</email_notification>
        <email_to>m...@test.com</email_to>
        <smtp_server>mail.test.com</smtp_server>
        <email_from>wa...@test.com</email_from>
    </global>
</ossec_config>

Take into account that Wazuh uses an SMTP server to deliver email, you could see all options regarding the global and email settings here: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html

Also, the following link could give you some guidance if your SMTP server requires authentication: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/smtp_authentication.html

I hope it helps.

Best Regards,



Miguelangel Freitas
Security Engineer


yol...@saitechnology.com

Sep 14, 2017, 2:11:36 PM
to Miguelangel Freitas, Wazuh mailing list
Hi Miguel
Thanks for your quick previous answer.

Any clue about what could be happening in this case?


I already have the configuration that you referred:

<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>yes</email_notification>
<smtp_server>xxxxx.bluehost.com</smtp_server>
<email_from>oss...@example.wazuh.com</email_from>
<email_to>yol...@saitechnology.com</email_to>
<email_maxperhour>12</email_maxperhour>
</global>

<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>

In fact, I have been receiving the notifications regarding the PNP
device rule, and I receive those notification emails from Wazuh almost
immediately. I am attaching one of those messages here.

But I do not know what I am missing with the reports.

Could you guide me on that?.
Thanks and Regards
Yolanda

Example of the messages received:

-------- Original Message --------
Subject: OSSEC Notification - (Agent002) 192.168.x.x - Alert level 12
Date: 2017-09-12 17:58
From: Wazuh <oss...@example.wazuh.com>
To: <yol...@saitechnology.com>

Wazuh Notification.
2017 Sep 12 16:57:53

Received From: (Agent002) 192.168.x.x->WinEvtLog
Rule: 100003 fired (level 12) -> "Windows: PNP device connected."
User: (no user)
Portion of the log(s):

2017 Sep 12 16:57:50 WinEvtLog: Security: AUDIT_SUCCESS(6416):
Microsoft-Windows-Security-Auditing: (no user): no domain: SALES4-PC: A
new external device was recognized by the system. Subject: Security ID:
S-1-5-18 Account Name: SALES4-PC$ Account Domain: WORKGROUP Logon ID:
0x3E7 Device ID: USB\VID_045E&PID_0040\5&238dc4ef&0&6 Device Name:
Microsoft USB Wheel Mouse Optical Class ID:
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} Class Name: HIDClass Vendor IDs:
USB\VID_045E&PID_0040&REV_0300 USB\VID_045E&PID_0040 Compatible IDs:
USB\Class_03&SubClass_01&Prot_02 USB\Class_03&SubClass_01 USB\Class_03
Location Information: Port_#0006.Hub_#0003
type: Security
subject.security_id: S-1-5-18
subject.account_name: SALES4-PC$
subject.account_domain: WORKGROUP
subject.logon_id: 0x3E7
account_name: SALES4-PC$
account_domain: WORKGROUP

Polkan Garcia

Sep 14, 2017, 2:24:18 PM
to Miguelangel Freitas, yol...@saitechnology.com, Wazuh mailing list
Hi Yolanda,

Do you have an SMTP server working? Please check that you can send emails from the terminal. Please double check to continue.

Regards,


yol...@saitechnology.com

Sep 15, 2017, 1:04:58 PM
to Polkan Garcia, Miguelangel Freitas, Wazuh mailing list
Hi Polkan,
Hi All,

Did you have a chance to look into this issue? Any clue?


Thanks for your support.


The SMTP server is working (please see the SMTP dialogue attached).

As I explained before, I am receiving the emails almost immediately
from my local rule when I attach the PNP device (please see the message
attached).

The rule to receive the regulatory compliance email would be awesome, but
I am not sure why it is not working.

in /var/ossec/etc/ossec.conf

<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>yes</email_notification>
<smtp_server>*****.bluehost.com</smtp_server>
<email_from>oss...@controller.wazuh.com</email_from>
<email_to>yol...@saitechnology.com</email_to>
<email_maxperhour>12</email_maxperhour>
</global>

<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
..........



<ossec_config>
<reports>
<category>pci_dss_11.4</category>
<title>Daily regulatory compliance report: PCIDSS 11.4
requeriment</title>
<email_to>yol...@saitechnology.com</email_to>
</reports>

<reports>
<group>authentication_failed,</group>
<srcip>192.168..x.x</srcip>
<title>Auth_Report</title>
<email_to>yol...@saitechnology.com</email_to>
<showlogs>yes</showlogs>
</reports>
</ossec_config>

Dialogue SMTP
[root@controller etc]# telnet *****.bluehost.com 25
Trying 162.144.182.15...
Connected to box3140.bluehost.com.
Escape character is '^]'.
220-*****.bluehost.com ESMTP Exim 4.87 #1 Thu, 14 Sep 2017 12:52:00
-0600
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo
250 *****.bluehost.com Hello
50-197-177-185-static.hfc.comcastbusiness.net [50.197.177.185]
mail from:root
501 root: sender address must contain a domain
mail from:ro...@controller.com
250 OK
rcpt to:yol...@saitechnology.com
250 Accepted
data
354 Enter message, ending with "." on a line by itself
test
.
250 OK id=1dsZGP-000g91-L8


Should I make the SMTP host explicit in those <reports> tags? In the following
way?
Please advise.


<reports>
<category>pci_dss_11.4</category>
<title>Daily regulatory compliance report: PCIDSS 11.4
requeriment</title>
<smtp_server>*****.bluehost.com</smtp_server>
<email_from>oss...@controller.wazuh.com</email_from>
<email_to>yol...@saitechnology.com</email_to>
</reports>

Polkan G.

Sep 15, 2017, 3:44:23 PM
to yol...@saitechnology.com, Wazuh mailing list
Yolanda,

Which level does your local rule have? Try changing it to level 12, restart Wazuh and try again (unplug and plug in your USB device).

You have in your ossec.conf:

<email_alert_level>12</email_alert_level>

So, the alerts to be delivered via email must have at least this level.

Regards,

Polkan Garcia / Security Engineer
pol...@wazuh.com

Wazuh Inc
http://wazuh.com/


yol...@saitechnology.com

Sep 15, 2017, 3:55:21 PM
to Polkan G., Wazuh mailing list
Hi Polkan,
Thanks for your quick answer.
The rule for the PNP devices and the emails work perfectly!!!

The issue I have is the rule to receive the regulatory compliance reports daily (and another Auth report), based on these rules in /var/ossec/etc/ossec.conf that I added:


<ossec_config>
 <reports>
 <category>pci_dss_11.4</category>
 <title>Daily regulatory compliance report: PCIDSS 11.4
 requeriment</title>
 <email_to>yol...@saitechnology.com</email_to>
 </reports>

 <reports>
 <group>authentication_failed,</group>
 <srcip>192.168..x.x</srcip>
 <title>Auth_Report</title>
 <email_to>yol...@saitechnology.com</email_to>
 <showlogs>yes</showlogs>
 </reports>
 </ossec_config>

Would I need to configure something else in another file?

Please advise
Regards
 Yolanda






yol...@saitechnology.com

Sep 19, 2017, 6:34:08 PM
to Wazuh mailing list, Wazuh mailing list


Hi All,
I finally received today a regulatory compliance Report.

But it doesn't have many details and is not daily.

I would like to:

add more information

and receive it daily.

How can I accomplish that?

Please advise.

Thanks! and Regards
Yolanda
