Not receiving email alerts from Wazuh


Jason Youngquist
Aug 18, 2022, 2:26:45 PM
to wa...@googlegroups.com

I’m having trouble with Wazuh not sending emails and am trying to diagnose the issue.

I’m running the latest Security Onion - 2.3.140-20220719, updated as of today, with Wazuh version 3.13.1-1.

I’ve done a lot of Google searching over the last few days and have hit a roadblock.  It’s probably something simple that I’m missing.

Relevant part of ossec.conf - /opt/so/conf/wazuh/ossec.conf

<ossec_config>
  <global>
    <jsonout_output>no</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>127.0.0.1</email_from>
    <email_to>jryoun...@ccis.edu</email_to>
    <email_maxperhour>100</email_maxperhour>
    <queue_size>131072</queue_size>
    <email_log_source>alerts.log</email_log_source>
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>3</email_alert_level>
  </alerts>

Contents of /etc/hosts

127.0.0.1   ccids04 ccids04.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain

Relevant part of postfix main.cf - /etc/postfix/main.cf

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes

Postfix is listening on port 25

netstat -tulpn | grep :25
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      16431/master

Test emails from the server via postfix work.

echo "Test mail from postfix" | mail -s "Test Postfix" -r "jryoun...@cougars.ccis.edu" jryoun...@cougars.ccis.edu
[received test email]

ossec-maild debug used via the following command:

./ossec-maild -f -ddd

On the local server, test using “su” with an invalid password in order to create a log entry in Wazuh

[security@ccids04 ~]$ su
Password:
su: Authentication failure
[security@ccids04 ~]$

Wazuh alerts.log entry - /nsm/wazuh/logs/alerts/alerts.log

** Alert 1660837797.640432: mail  - pam,syslog,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Aug 18 15:49:57 (ccids04) 10.2.0.251->/var/log/secure
Rule: 5503 (level 5) -> 'PAM: User login failed.'
User: root
Aug 18 15:49:56 ccids04 su: pam_unix(su:auth): authentication failure; logname=security uid=1000 euid=0 tty=pts/4 ruser=security rhost=  user=root
logname: security
uid: 1000
euid: 0
tty: pts/4

The “mail” in the alert means that the alert should be emailed.  In ossec.conf, email_alert_level is set to 3 and the log entry's alert level is 5, so the alert should be emailed.

Wazuh ossec-maild relevant output from debug mode

2022/08/18 15:53:38 ossec-maild[917] os_maild_client.c:220 at OS_RecvMailQ(): DEBUG: OS_RecvMailQ: mail->body[
Wazuh Notification.
2022 Aug 18 15:53:37

Received From: (ccids04) 10.2.0.251->/var/log/secure
Rule: 5503 fired (level 5) -> "PAM: User login failed."
User: root
Portion of the log(s):

Aug 18 15:53:36 ccids04 su: pam_unix(su:auth): authentication failure; logname=security uid=1000 euid=0 tty=pts/4 ruser=security rhost=  user=root
logname: security
uid: 1000
euid: 0
tty: pts/4

 --END OF NOTIFICATION

]
2022/08/18 15:53:48 ossec-maild[917] maild.c:334 at OS_Run(): ERROR: (1223): Error Sending email to 127.0.0.1 (smtp server)

Postfix was turned on in debug mode via modification to the main.cf

     debug_peer_level = 10
     debug_peer_list = 127.0.0.1

  • The emails from Wazuh haven’t made it to postfix in order to be sent out.
  • I disabled the Security Onion firewall, ran the “su” test again to generate an alert, and still get the same error message.

Any thoughts?

Please let me know if you need additional information.

Thanks.
Jason Youngquist

Sergio Gabriel Uncos
Aug 18, 2022, 3:39:56 PM
to Wazuh mailing list
Hi jryoungquist,

Thanks for using Wazuh!

Everything seems to be correctly enabled and ready to start sending emails within the ossec.conf file.
Related to the rule that will trigger the email alert, have you added <options>alert_by_email</options> at the end?

I've attached an example of how the rule should be configured.
For best-practice purposes, I suggest you overwrite the default rule to be triggered and put it in /var/ossec/etc/rules/local_rules.xml

Once this is done, please restart the Wazuh Manager as well as Postfix:
  • systemctl restart wazuh-manager.service
  • systemctl restart postfix.service
If you keep experiencing issues related to this, I'd like to check the postfix logs and see why emails are being trunked.

Hope this helps!
Thanks,
Regards.
Screenshot from 2022-08-18 16-31-41.png

jryoun...@cougars.ccis.edu
Aug 22, 2022, 2:37:32 PM
to Wazuh mailing list
Hi.

Thanks for your help.

I tried modifying the alert (see below snippet from local_rules.xml) and I'm still not getting the emails.
<rule id="100055" level="7">
    <if_sid>5557</if_sid>
    <description>change this su alert to level 7 and to config emails</description>
    <options>alert_by_email</options>
</rule>

when I do a "tail -f mailog"  I don't get any results, except for my postfix tests.  

How does ossec-maild work?  I get this error (see below) in my logs, and not sure if this error is before email is sent, during, after, etc. it is sent to postfix.

2022/08/22 18:12:13 ossec-maild: ERROR: (1223): Error Sending email to 127.0.0.1 (smtp server)


Any other things I could try?

Thanks.
Jason Youngquist
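One way to answer the "before, during or after" question is to replay the envelope steps ossec-maild performs against the configured smtp_server (HELO, then MAIL FROM, then RCPT TO) and see which reply is not 2xx; Postfix only writes to maillog once it accepts a message, so a rejection at one of these steps would explain both error 1223 and the silent maillog. This is an added example, not Wazuh or Security Onion code: it takes smtp_server and email_from from the ossec.conf quoted earlier in the thread, uses a placeholder recipient because the real email_to is redacted, and stops before DATA so nothing is delivered.

```python
import smtplib

# Values from the ossec.conf quoted earlier in the thread. The recipient is
# redacted there, so a placeholder is used; replace it with the real email_to.
SMTP_SERVER = "127.0.0.1"
SMTP_PORT = 25
EMAIL_FROM = "127.0.0.1"                # exactly as configured (not a full address)
EMAIL_TO = "recipient@example.invalid"  # placeholder for the redacted email_to


def probe_smtp(host, port, sender, recipient, smtp_cls=smtplib.SMTP, timeout=10):
    """Send HELO, MAIL FROM and RCPT TO; return [(step, code, text), ...], stopping
    at the first non-2xx reply. DATA is never sent, so nothing is delivered.
    smtp_cls is injectable so the walk can be exercised without a live server."""
    steps = []
    try:
        conn = smtp_cls(host, port, timeout=timeout)  # connects, reads the 220 banner
    except (OSError, smtplib.SMTPException) as exc:
        return [("connect", 0, str(exc))]
    try:
        for step, call in (("helo", conn.helo),
                           ("mail_from", lambda: conn.mail(sender)),
                           ("rcpt_to", lambda: conn.rcpt(recipient))):
            code, text = call()
            if isinstance(text, bytes):
                text = text.decode("ascii", "replace")
            steps.append((step, code, text))
            if code // 100 != 2:
                break
    finally:
        try:
            conn.rset()  # abandon the half-built envelope
            conn.quit()
        except (OSError, smtplib.SMTPException):
            pass
    return steps


def first_failure(steps):
    """Name the first step whose reply was not 2xx, or None if all passed."""
    for step, code, _ in steps:
        if code // 100 != 2:
            return step
    return None


if __name__ == "__main__":
    result = probe_smtp(SMTP_SERVER, SMTP_PORT, EMAIL_FROM, EMAIL_TO)
    failed = first_failure(result)
    print(result, "envelope accepted" if failed is None else f"rejected at: {failed}")
```

Run it on the manager host as the same user ossec-maild runs as; if every step is accepted, the failure lies at DATA or later and the Postfix debug_peer output for 127.0.0.1 is the next place to look.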