Wazuh Email Alert


rukende...@gmail.com

Oct 9, 2020, 2:22:23 AM
to Wazuh mailing list
Hello Everyone,

I need help in configuring the wazuh email alert.

I tried to follow the documentation provided by Wazuh, but I'm still not receiving the email and I'm getting an error in the ossec.log file.

Could you please help me set up the email alert from the start? Also, I want to send an email for a specific alert only.


diego.pr...@wazuh.com

Oct 9, 2020, 2:35:04 AM
to Wazuh mailing list
Hi there! I hope you are doing well!

I would like to help you with this. So, could you share with me more details? For example, could you share with us the errors that you are seeing in the ossec.log file? Is the smtp_server reachable from the Wazuh manager?

I'll be waiting for your comments, then I'll analyze the issue and get back with some help for you!

Thanks for sharing your questions with us!
Diego

rukende...@gmail.com

Oct 9, 2020, 3:07:28 AM
to Wazuh mailing list
I have set up Amazon Simple Mail Service (SMS) and configured Sendmail in my Linux EC2 instance. I'm able to send email using sendmail, but when I try to configure the same in the Wazuh configuration file, I'm getting a "not reachable" error message.

I made changes at this place:
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>email-smtp.amazonaws.com</smtp_server>
    <email_from>ruke...@example.com</email_from>
    <email_to>ruke...@example.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>
</ossec_config>

The SMTP server is my Amazon SMS service.

Let me know if you need any other information.

Thanks
Rukender

victor...@wazuh.com

Oct 9, 2020, 11:49:42 AM
to Wazuh mailing list

Hi rukender,
To send email alerts with SMTP authentication you have to configure a relay server. We recommend using Postfix, but Sendmail should work as well. After testing your issue I think that your Sendmail server is sending emails correctly but is refusing incoming requests from outside (the Wazuh Manager). To configure Sendmail to accept requests from the Wazuh Manager, follow the next steps on the EC2 instance where Sendmail is installed.

Create your own access list:

  • Open /etc/mail/access and add the following to the end of the file:

    <manager-ip> RELAY

  • After that, recreate the access.db file: makemap hash /etc/mail/access.db < /etc/mail/access

Make sure you are accepting requests from the Wazuh Manager address in the file /etc/mail/sendmail.mc.
You can add the Wazuh Manager IP, or none to accept requests from every address.

# Remove `, Addr=' clauses to receive from any interface
dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp')dnl
dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea')dnl

If your SMTP requires authentication, create a file with credentials:

mkdir -m 700 /etc/mail/authinfo

vim /etc/mail/authinfo/smtp-auth
AuthInfo: "U:root" "I:us...@domain.com" "P:password"

Create the hashmap: makemap hash /etc/mail/authinfo/smtp-auth < /etc/mail/authinfo/smtp-auth

Add the access features to the config file /etc/mail/sendmail.mc, before MAILER_DEFINITIONS.
Replace <smtp-server-domain> with your AWS SMTP server; if it uses a port different from the default 587, change that as well.

dnl # Masquerading options
FEATURE(`always_add_domain')dnl
MASQUERADE_AS(`<smtp-server-domain>')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
dnl #
dnl # Defining Gmail Smarthost for sendmail
define(`SMART_HOST',`[<smtp-server-domain>]')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash -o /etc/mail/authinfo/smtp-auth.db')dnl
FEATURE(`access_db')
dnl # Default Mailer setup
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl

Make new config and restart service:

make -C /etc/mail
systemctl restart sendmail

Now Sendmail is ready to send mail from the Wazuh Manager.
Now, let's make sure the Wazuh Manager's config file has no errors and that it can resolve <smtp-server-ip>:

/var/ossec/etc/ossec.conf

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>yes</email_notification>
  <smtp_server>sendmail-smtp</smtp_server>
  <email_from>tes...@testingdomain.com</email_from>
  <email_to>testin...@testingdomain.com</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
</global>

<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>5</email_alert_level>
</alerts>

In my case sendmail-smtp is the domain name of my SMTP server. You can test that with ping:

user@wazuh-manager:/home/user# ping sendmail-smtp
PING sendmail-smtp (192.168.56.34) 56(84) bytes of data.
64 bytes from sendmail-smtp (192.168.56.34): icmp_seq=1 ttl=64 time=0.311 ms
64 bytes from sendmail-smtp (192.168.56.34): icmp_seq=2 ttl=64 time=0.418 ms

Restart the Wazuh Manager after changing the config file: systemctl restart wazuh-manager.
Finally, try to generate an alert and check whether an email notification is sent by checking the logs on the SMTP EC2 instance. In my case, on the sendmail-smtp machine.

  • First, make sure an alert is generated on wazuh-manager: tail -f /var/ossec/logs/alerts/alerts.json:

{"timestamp":"2020-10-09T14:43:58.226+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":2,"mail":true,"groups":["syslog","sshd","invalid_login","authentication_failed"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manage"},"id":"1602254638.112031","full_log":"Oct 9 14:43:56 wazuh-manage sshd[31045]: Failed password for invalid user asdf from 192.168.56.35 port 38000 ssh2","predecoder":{"program_name":"sshd","timestamp":"Oct 9 14:43:56","hostname":"wazuh-manage"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.35","srcuser":"asdf"},"location":"/var/log/auth.log"}
  • Now on the EC2 SMTP instance: tail -f /var/log/mail.log

Oct 9 14:44:14 buster sm-mta[6095]: STARTTLS=client, relay=smtp.server.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Oct 9 14:44:15 buster sm-mta[6095]: 099EiDoF006093: to=<test...@mail.com>, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=121243, relay=smtp.server.com. [74.125.133.108], dsn=2.0.0, stat=Sent (OK 1602254655 u2sm12984485wre.7 - gsmtp

rukende...@gmail.com

Oct 12, 2020, 3:18:09 AM
to Wazuh mailing list
Hi Victor,

I made the required changes, but I'm still seeing the following error:


sendmail.mc: with the configuration below, I'm able to send email using Sendmail. I followed this link to configure Amazon Simple Email Service using sendmail: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-sendmail.html

dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl

define(`SMART_HOST', `email-smtp.us-west-1.amazonaws.com')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 25')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
MASQUERADE_AS(`example.com')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl

MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl


ossec.conf:
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>email-smtp.us-west-1.amazonaws.com</smtp_server>
    <email_from>ruke...@example.com</email_from>
    <email_to>ruke...@example.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>5</email_alert_level>
  </alerts>


tail -f /var/log/mail
Oct 12 07:05:39 ip-172-30-0-12 sendmail[4243]: daemon MTA-v4: problem creating SMTP socket
Oct 12 07:05:44 ip-172-30-0-12 sendmail[4243]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA-v4: cannot bind: Address already in use

tail -f /var/ossec/logs/ossec.log
2020/10/12 07:06:42 ossec-maild: ERROR: (1764): Mail from not accepted by server
2020/10/12 07:06:42 ossec-maild: ERROR: (1223): Error Sending email to <IP_address> (smtp server)


Please let me know if I'm missing anything here. 

rukende...@gmail.com

Oct 13, 2020, 2:50:48 AM
to Wazuh mailing list
Did you get a chance to check my response? 

Victor Moreno Jimenez

Oct 13, 2020, 3:08:35 AM
to rukende...@gmail.com, Wazuh mailing list
Hi Rukender,
It seems that you have port 25 already in use and Sendmail is not starting properly.

NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA-v4: cannot bind: Address already in use

First, let's check that you have connectivity from the Wazuh Manager host to the Sendmail host on port 25.
From the Wazuh Manager:
- telnet <sendmail-ip> 25

If telnet connects, let's find out which service is running on port 25.
Probably another email server is installed on your host. Use netstat to figure it out.
You can install netstat from the net-tools package.
Use the <PID> from the netstat output to stop that program.

vagrant@d10postfix:~$ sudo netstat -tulpn | grep :25

tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1890/master          
tcp6       0      0 :::25                   :::*                    LISTEN      1890/master          

vagrant@d10postfix:~$ ps -aux | grep 1890            
root      1890  0.0  0.3  43472  3992 ?        Ss   06:57   0:00 /usr/lib/postfix/sbin/master -w
vagrant   1904  0.0  0.0   6076   888 pts/0    S+   07:05   0:00 grep 1890

In our case Postfix is using port 25, so we should stop it before starting Sendmail. Stop the service, make sure that port 25 is free and restart Sendmail:

vagrant@d10postfix:~$ sudo systemctl stop postfix    
vagrant@d10postfix:~$ sudo netstat -tulpn | grep :25
vagrant@d10postfix:~$ sudo systemctl restart sendmail

Regards,

Víctor.


rukende...@gmail.com

Oct 13, 2020, 3:25:44 AM
to Wazuh mailing list
Hi Victor,

I'm able to telnet to the sendmail host:
[root@ rules]# telnet email-smtp.us-west-1.amazonaws.com 25
Trying <IP-address>...
Escape character is '^]'.
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-0XHPQW5Y6 Y1C7AZHbgARFl3FHJcWa
^C^C


When I did netstat, I was not able to find port 25 listening.
[root@ rules]# netstat -auntlp|grep -i :25
[root@ rules]# service sendmail restart
Shutting down sm-client:                                   [  OK  ]
Shutting down sendmail:                                    [  OK  ]
Starting sendmail:                                         [  OK  ]
Starting sm-client:                                        [  OK  ]

Do I need to make any changes in the ossec.conf file? Because when I try to send email using sendmail directly, it works fine.
Let me know if you need any other information from my end to troubleshoot this.


Thanks
Rukender

rukende...@gmail.com

Oct 13, 2020, 4:48:42 AM
to Wazuh mailing list
Hi Victor,

I configured everything and this time it worked. 
Thanks for your support. 

So, when I enabled email in the ossec.conf file, Wazuh started sending an email for each alert. I want to configure Wazuh to only send an email if an alert breaches a threshold, for example someone is trying to brute-force an SSH login and if I see the number of alerts exceeding 5, then I should get the email. Is it possible to configure? If yes, then how can I do this?

Thanks
Rukender

rukende...@gmail.com

Oct 13, 2020, 5:19:07 AM
to Wazuh mailing list
Currently, Wazuh is sending email for alert level 3, although it is mentioned in the configuration that it should trigger only for alert level 10 and above.

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ruke...@example.com</email_from>
    <email_to>ruke...@example.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>
</ossec_config>

How can I tune email alerts? 

victor...@wazuh.com

Oct 13, 2020, 9:57:07 AM
to Wazuh mailing list
Hi Rukender,
With your current configuration, Wazuh will send email alerts when an alert with level 10 or higher is triggered.
You are allowed to put any integer from 1 to 16 in the <email_alert_level></email_alert_level> block.
Here you can find more information about alerts. Feel free to check our user manual on manual email reports.

Regards,
Víctor.

rukende...@gmail.com

Oct 15, 2020, 8:14:56 AM
to Wazuh mailing list
Hi Victor,

Even though the alert level is set to 10, I'm still getting alerts for level 3.
Rule: 5715 fired (level 3) -> "sshd: authentication success."

Can I send an email based on the rule name only, like "sshd: authentication success."?

Thanks
Rukender

victor...@wazuh.com

Oct 15, 2020, 11:50:37 AM
to Wazuh mailing list
Hi rukender,
Please make sure that you restarted wazuh-manager after making changes to ossec.conf.
After the restart, it is normal to receive some emails, since delays usually accumulate in the shipments.
If this continues to happen after a few hours, we will think about more complex troubleshooting.
To send an email based on a rule, you could add the alert_by_email option to the desired rule and add your custom description to it.

<rule id="10565" level="10">
   <match>sshd: authentication success</match>
   <description>Authentication success</description>
   <options>alert_by_email</options>
</rule>
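As an added example (not from the thread, nor from Wazuh's stock rule set), the following custom rules file covers both of Rukender's questions: an email for one specific stock rule, keyed on the rule id instead of matching description text, and the earlier "email only after 5 brute-force attempts" threshold. The rule ids 100010 and 100011 and the path /var/ossec/etc/rules/local_rules.xml are assumptions; stock rules 5715 and 5710 are the ones quoted in this thread.

```xml
<!-- Assumed location for custom rules: /var/ossec/etc/rules/local_rules.xml -->
<group name="local,syslog,sshd,">

  <!-- Email for one specific stock rule.
       5715 is the "sshd: authentication success." rule from the thread.
       This child rule takes over whenever 5715 matches, keeps its level 3
       and forces an email through alert_by_email, regardless of the
       email_alert_level configured in ossec.conf. -->
  <rule id="100010" level="3">
    <if_sid>5715</if_sid>
    <description>sshd: authentication success (emailed copy)</description>
    <options>alert_by_email</options>
  </rule>

  <!-- Threshold alert.
       5710 is "sshd: Attempt to login using a non-existent user" from the
       alerts.json line earlier in the thread. This rule fires only once 5710
       has matched 5 times (frequency) from the same source IP within
       120 seconds (timeframe), so single failed logins are not emailed. -->
  <rule id="100011" level="10" frequency="5" timeframe="120">
    <if_matched_sid>5710</if_matched_sid>
    <same_source_ip />
    <description>sshd: 5 invalid-user login attempts from one source in 2 minutes</description>
    <options>alert_by_email</options>
    <group>authentication_failures,</group>
  </rule>

</group>
```

After saving the file, restart the manager (systemctl restart wazuh-manager) and watch /var/ossec/logs/alerts/alerts.json for alerts carrying the new rule ids with "mail":true, as in the alert shown earlier in the thread.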


Supragya Karki

Aug 6, 2021, 6:45:43 AM
to Wazuh mailing list
How can I send email to multiple email addresses at once? Like 100 email addresses. Is there anything I can do with a CDB list?

Looking for a response!