Wondering email in wazuh


Le Sok

Oct 16, 2023, 12:56:51 AM
to Wazuh | Mailing List
Hi everyone,
I wonder why, when I set up email alerts from this ossec.conf, I get alerts from Wazuh by email,
but I didn't configure SMTP or Postfix as in this document https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/smtp-authentication.html. I just configured it like this:
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>Mydomain</smtp_server>
    <email_from>wazuhalerts@domain</email_from>
    <email_to>test@domain</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>5m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

and it sends alerts to me.
Here is what Wazuh sent me:
Wazuh <wazuhalerts@domain>

Wazuh Notification.

Received From: (Thy) any->EventChannel

Rule: 60137 fired (level 3) -> "Windows User Logoff."

 ........

--END OF NOTIFICATION
I don't know why Wazuh can send alerts to me. When I look for the Wazuh email address, it doesn't even exist.
Please help me understand this problem.
Best regards.

Stuti Gupta

Oct 16, 2023, 1:42:18 AM
to Wazuh | Mailing List
Hi Le Sok,
Hope you are doing well today, and thank you for using Wazuh.

The Wazuh manager can send email alerts without an SMTP server configured if it is able to deliver the emails directly to the recipient's mail server. This is possible if the recipient's mail server is on the same network as the Wazuh manager, or if the Wazuh manager is able to connect to the recipient's mail server using a relay host.
In your case, it seems that the Wazuh manager is able to deliver emails to your mail server directly. This is why you are receiving email alerts even though you have not configured an SMTP server in your ossec.conf file. Wazuh doesn't handle SMTP authentication. If your email service uses this, you need to configure a server relay. This allows you to control the routing of email alerts and to use authentication if necessary.

Hope this helps.
Regards,

Le Sok

Oct 16, 2023, 2:37:58 AM
to Wazuh | Mailing List
Yes, I use the same network, but can you explain to me how Wazuh processes this? I didn't configure a port or IP address, I just used the mail server domain, and it can send alerts to me.

Stuti Gupta

Oct 18, 2023, 12:02:06 AM
to Wazuh | Mailing List
Hi again.

In such cases, since the communication occurs within a trusted environment or through a relay that doesn't require authentication, the Wazuh manager is able to send email alerts without the need for explicit SMTP authentication, as Wazuh doesn't handle SMTP authentication. If your email service uses this, you need to configure a server relay. Wazuh email alerts do not support SMTP servers with authentication such as Gmail. However, you can use a server relay, like Postfix, to send these emails.
This is a valid setup as long as it aligns with your specific network architecture and security policies. However, please be aware that in many environments, SMTP authentication is a crucial security measure to prevent unauthorized access and email abuse. It's important to consider the security implications and make sure your network is properly protected if you choose to rely on this configuration.

Hope this helps .
Regards,

Le Sok

Oct 18, 2023, 12:22:17 AM
to Wazuh | Mailing List
<global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>Mydomain</smtp_server>
    <email_from>wazuhalerts@domain</email_from>
    <email_to>test@domain</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>5m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>
If I configure it like this, is this an SMTP relay or not?

Stuti Gupta

Oct 18, 2023, 11:39:59 PM
to Wazuh | Mailing List
Hi again.

The provided configuration isn't an SMTP relay. SMTP relays forward emails to other mail servers, often for internal-to-external communication. In this setup, Wazuh attempts to send emails directly to the recipient's mail server. If both are on the same network or connected through a relay host, it works without an SMTP relay.
However, if the recipient's mail server is external or not directly reachable, configuring an SMTP relay becomes essential. The configuration specifies a specific SMTP server (<smtp_server>) and includes email-related settings. Still, it lacks elements of a full SMTP relay setup. However, if the recipient's mail server is not on the same network as the Wazuh manager, or if the Wazuh manager cannot connect to the recipient's mail server using a relay host, then Wazuh will be unable to send emails.
Remember, SMTP relays act as intermediaries, forwarding emails. If Mydomain reliably delivers emails from Wazuh, it's acting as an SMTP server without the need for a separate relay.
The provided configuration is not for an SMTP relay. It's for Wazuh to send emails using a specified SMTP server (Mydomain). This setup works if Mydomain accepts emails from your Wazuh manager and forwards them to the recipient's mail server.

Hope this helps,
Regards.
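As an added example (not Wazuh's code and not posted by anyone in this thread), the Python below models the decision the mail server named in <smtp_server> makes when the manager connects on port 25 and issues MAIL FROM / RCPT TO without logging in: mail addressed to one of the server's own domains is accepted from any client, relaying to other domains is accepted only from clients inside the server's trusted networks, and the MAIL FROM mailbox is never checked for existence. The policy mirrors the usual Postfix restrictions permit_mynetworks followed by reject_unauth_destination; the hostnames, addresses and networks are placeholders chosen for the example, not values from the thread, and probe_relay is a hypothetical helper that repeats the same RCPT TO check against a real server from the manager host without queuing a message.

```python
# Added example, not Wazuh's own code. Models the relay decision an MTA makes
# when the Wazuh manager connects to <smtp_server> on port 25 without
# authentication, and probes a real server the same way.
import ipaddress
import smtplib
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment modelled on the one in this thread; the
# hostnames and addresses are placeholders, not values from the original post.
EXAMPLE_OSSEC_GLOBAL = """
<global>
  <email_notification>yes</email_notification>
  <smtp_server>mail.example.com</smtp_server>
  <email_from>wazuhalerts@example.com</email_from>
  <email_to>test@example.com</email_to>
  <email_maxperhour>12</email_maxperhour>
</global>
"""


def parse_global(xml_text):
    """Return the email-related settings of a <global> block as a dict."""
    root = ET.fromstring(xml_text.strip())
    keys = ("email_notification", "smtp_server", "email_from",
            "email_to", "email_maxperhour")
    return {k: root.findtext(k) for k in keys}


class RelayPolicy:
    """Minimal model of an MTA's recipient policy (assumed, Postfix-like).

    local_domains: domains the server delivers itself (Postfix mydestination).
    mynetworks:    client networks allowed to relay anywhere without SASL auth.
    The MAIL FROM address is not checked at all, which is why a sender
    mailbox that does not exist does not stop delivery.
    """

    def __init__(self, local_domains, mynetworks=("127.0.0.0/8",)):
        self.local_domains = {d.lower() for d in local_domains}
        self.mynetworks = [ipaddress.ip_network(n) for n in mynetworks]

    def decide(self, client_ip, rcpt_to):
        """Return the SMTP reply (code, text) the server gives to RCPT TO."""
        domain = rcpt_to.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            # Inbound mail for a local mailbox: any host on the Internet may
            # deliver this, so no authentication is asked for.
            return 250, "2.1.5 Ok (local delivery)"
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.mynetworks):
            # Trusted network: relay to foreign domains without authenticating.
            return 250, "2.1.5 Ok (relay from trusted network)"
        # Untrusted client asking to relay elsewhere: refuse, or be an open relay.
        return 554, "5.7.1 <%s>: Relay access denied" % rcpt_to


def probe_relay(smtp_server, mail_from, rcpt_to, port=25, timeout=10):
    """Hypothetical helper: ask smtp_server whether it would accept rcpt_to
    from mail_from without authentication. Stops after RCPT TO and resets,
    so nothing is queued. Returns (code, text)."""
    with smtplib.SMTP(smtp_server, port, timeout=timeout) as conn:
        conn.ehlo_or_helo_if_needed()
        code, text = conn.mail(mail_from)
        if code != 250:
            return code, text.decode(errors="replace")
        code, text = conn.rcpt(rcpt_to)
        conn.rset()
        return code, text.decode(errors="replace")


if __name__ == "__main__":
    cfg = parse_global(EXAMPLE_OSSEC_GLOBAL)
    policy = RelayPolicy(local_domains=["example.com"], mynetworks=["10.0.0.0/8"])
    # Manager on the LAN delivering to a mailbox the server owns: accepted.
    print(policy.decide("10.0.0.5", cfg["email_to"]))
    # Manager on the LAN relaying to an external address: accepted (mynetworks).
    print(policy.decide("10.0.0.5", "someone@elsewhere.example"))
    # Unknown Internet host attempting the same relay: refused.
    print(policy.decide("203.0.113.9", "someone@elsewhere.example"))
    # On the manager, with port 25 reachable, test the real server with:
    # print(probe_relay(cfg["smtp_server"], cfg["email_from"], cfg["email_to"]))
```

The third case is the one that matters for security: if the server returned 250 there, it would be an open relay, which is what the advice about SMTP authentication in the replies above is guarding against. Running probe_relay from the manager against the configured smtp_server shows which of the two accept paths (local recipient or trusted network) the alerts are actually taking.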