Email alerts


M G

Nov 28, 2022, 7:49:06 AM
to Wazuh mailing list
Hello All,

This is my config

<ossec_config>
  <global>
    (...)
    <email_notification>yes</email_notification>
    <email_from>xyz</email_from>
    <email_to>a...@example.com</email_to>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>4</email_alert_level>
  </alerts>
</ossec_config>

(...)

<ossec_config>
  <email_alerts>
    <email_to>a...@example.com</email_to>
    <event_location>server.vm</event_location>
    <level>4</level>
    <do_not_delay />
  </email_alerts>
</ossec_config>

1. Is it possible to disable alerts to a...@example.com (this time I want alerts only from server.vm)?
2. I do not get any alerts from server.vm to a...@example.com. Where is my mistake?

Julián Morales

Nov 28, 2022, 8:21:20 AM
to M G, Wazuh mailing list
Hi MG,


1. Is it possible to disable alerts to a...@example.com (this time I want alerts only from server.vm)?

The event_location option is used to filter on the location of an alert, and it can be used to filter on the name of the agent that generated the event. If, for example, you want to receive by email all alerts of level 4 or higher from the server.vm agent:

  <email_alerts>
    <email_to>a2.....@example.com</email_to>
    <event_location>server.vm</event_location>
    <level>4</level>
    <do_not_delay/>
  </email_alerts>


On the other hand, the event_location option supports OS_Match-type regex, so if you want to receive alerts from all agents except server.vm, the configuration block could look like this:

  <email_alerts>
    <email_to>a1.....@example.com</email_to>
    <event_location>!server.vm</event_location>
    <level>4</level>
    <do_not_delay/>
  </email_alerts>



2. I do not get any alerts from server.vm to a...@example.com. Where is my mistake?

Do you receive email alerts from other agents? This would help us rule out a problem with the mail server or with the Wazuh configuration for connecting to the mail server.


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8ef35b2c-c1a1-4f80-a489-5987b767cfa8n%40googlegroups.com.
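The routing Julián describes above (a per-recipient level threshold plus an event_location filter, with a leading ! for negation), worked through as an added example. This is not Wazuh's own code but a small Python simulation; it assumes that event_location is matched against the same "(agent) ip->location" string the notification mails print after "Received From:", and it approximates OS_Match with a substring test plus ^, $, | and !. The alerts are constructed (only the rule IDs 510, 5503 and 80710 and their levels come from the thread). The first recipient set models the thread's configuration, where the global <email_to> receives every alert at or above <email_alert_level> with no location filter, next to the granular block for server.vm; the second models the suggested !server.vm block.

```python
"""Simulate Wazuh e-mail alert routing: a level threshold plus an
event_location filter per recipient.

Added example, not Wazuh's own code.  Assumptions:
  * event_location is matched against the '(agent) ip->location' string that
    the notification mails show after 'Received From:'.
  * OS_Match is approximated: a leading '!' negates, '|' separates
    alternatives, '^' and '$' anchor, anything else is a substring test.
  * The alerts below are constructed; only rule IDs 510, 5503 and 80710 and
    their levels come from the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Recipient:
    email_to: str
    level: int                            # <level>, or the global <email_alert_level>
    event_location: Optional[str] = None  # None models the global <email_to> (no filter)


def os_match(pattern: str, text: str) -> bool:
    """Approximation of OS_Match (assumption, see module docstring)."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = False
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        core = alt[1:] if start else alt
        core = core[:-1] if end else core
        if start and end:
            ok = text == core
        elif start:
            ok = text.startswith(core)
        elif end:
            ok = text.endswith(core)
        else:
            ok = core in text
        if ok:
            hit = True
            break
    return hit != negate


def received_from(alert: dict) -> str:
    """Rebuild the 'Received From' string, e.g. '(server.vm) any->rootcheck'."""
    return f"({alert['agent']['name']}) {alert['agent']['ip']}->{alert['location']}"


def route(alerts: List[dict], recipients: List[Recipient]) -> Dict[str, List[str]]:
    """Return, per recipient address, the rule IDs of the alerts that would be mailed."""
    out: Dict[str, List[str]] = {r.email_to: [] for r in recipients}
    for alert in alerts:
        loc = received_from(alert)
        for r in recipients:
            if alert["rule"]["level"] < r.level:
                continue
            if r.event_location is not None and not os_match(r.event_location, loc):
                continue
            out[r.email_to].append(alert["rule"]["id"])
    return out


# Constructed alerts in the shape of alerts.json records, trimmed to the fields used.
# Rule "9999" is a made-up level-3 rule to show the threshold.
SAMPLE_ALERTS = [
    {"rule": {"id": "510", "level": 7}, "agent": {"name": "server.vm", "ip": "any"}, "location": "rootcheck"},
    {"rule": {"id": "5503", "level": 5}, "agent": {"name": "otherServer1", "ip": "any"}, "location": "/var/log/auth.log"},
    {"rule": {"id": "9999", "level": 3}, "agent": {"name": "server.vm", "ip": "any"}, "location": "/var/log/syslog"},
    {"rule": {"id": "80710", "level": 10}, "agent": {"name": "otherServerN", "ip": "any"}, "location": "/var/log/audit/audit.log"},
]

# The thread's configuration: global <email_to> A (email_alert_level 4, no filter)
# plus the granular <email_alerts> block for B (level 4, event_location server.vm).
THREAD_RECIPIENTS = [
    Recipient("A@example.com", 4),
    Recipient("B@example.com", 4, "server.vm"),
]

# The suggestion for A: a granular block with a negated event_location.
SUGGESTED_RECIPIENTS = [
    Recipient("A@example.com", 4, "!server.vm"),
    Recipient("B@example.com", 4, "server.vm"),
]

if __name__ == "__main__":
    for name, recips in (("thread", THREAD_RECIPIENTS), ("suggested", SUGGESTED_RECIPIENTS)):
        print(name, route(SAMPLE_ALERTS, recips))
```

With the thread's recipients, A@example.com gets every alert of level 4 and above because the global recipient carries no location filter, which is exactly the behaviour question 1 asks to turn off, while B@example.com gets only rule 510 from server.vm; the level-3 alert reaches nobody. With the negated block, A@example.com receives only the alerts that are not from server.vm.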

M G

Nov 28, 2022, 8:36:19 AM
to Wazuh mailing list
Do you receive email alerts from other agents? This would help us rule out a problem with the mail server or with the Wazuh configuration for connecting to the mail server.
I receive emails with:
Notifications (sent to a...@example.com) about other servers (from the <alerts> (...) </alerts> section)
daily reports (sent to a...@example.com) about other servers


In

<ossec_config>
  <email_alerts>
    <email_to>a...@example.com</email_to>
    <event_location>server.vm</event_location>
    <level>4</level>
    <do_not_delay />
  </email_alerts>
</ossec_config>


I don't use any other VM.

3. If I change <email_notification>yes</email_notification> to no in the global configuration, will I switch off all mails from Wazuh?

Julián Morales

Nov 29, 2022, 7:17:02 AM
to M G, Wazuh mailing list
Hi M G,

I have checked the configuration and it seems correct. Could you share with me an alert from server.vm in JSON format that should have sent you an email but didn't?

3. If I change <email_notification>yes</email_notification> to no in the global configuration, will I switch off all mails from Wazuh?

 No, just disable email alerts.

M G

Nov 29, 2022, 10:14:09 AM
to Wazuh mailing list
Hello Julian,

Thank you for your response.

Now I get alerts, but I still have one problem.
When I get email alerts from server.vm, I get this kind of message:

Wazuh Notification.
Received From: (otherServer1) any->/var/log/mail.info
(...)
  --END OF NOTIFICATION

Wazuh Notification.
Received From: (otherServer2) any->/var/log/mail.info
(...)
 --END OF NOTIFICATION

Wazuh Notification.
Received From: (otherServerN) any->/var/log/mail.info
(...)
 --END OF NOTIFICATION

Wazuh Notification.
Received From: (server.vm) any->/var/log/mail.info
(...)
 --END OF NOTIFICATION

I would like to receive notifications on B...@example.com only from server.vm.
Currently, an event on server.vm triggers a notification, but events from other VMs are also included in the content.


This is part of my current config

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>x...@example.com</email_from>
    <email_to>A@example.com</email_to>
    <email_maxperhour>20</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>

  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>4</email_alert_level>
  </alerts>
</ossec_config>

<ossec_config>
  <email_alerts>
    <email_to>B@example.com</email_to>
    <event_location>server.vm</event_location>
    <level>4</level>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>


Regards
Mateusz

Julián Morales

Dec 1, 2022, 8:45:44 AM
to M G, Wazuh mailing list
Hi MG,

The configuration seems to be correct. I would like to do some tests. Could you share with me some otherServerN alerts that triggered the sending of grouped alert mails when they shouldn't have?

M G

Dec 5, 2022, 7:54:10 AM
to Wazuh mailing list
Hi Julian,
Title: Wazuh notification - (otherServerK) any - Alert level 11


Wazuh Notification.
2022 Dec 04 04:14:17

Received From: (otherServer1) any->/var/
Rule: 5503 fired (level 5) -> "PAM: User login failed."
Src IP: xyz.xyz.xyz.xyz
User: abc
Portion of the log(s):

 --END OF NOTIFICATION

(many others events)

Wazuh Notification.
2022 Dec 04 04:14:34

Received From: (otherServerN) any->/var/
Rule: 80710 fired (level 10) -> "Auditd: Device enables promiscuous mode."
Portion of the log(s):

 --END OF NOTIFICATION


Wazuh Notification.
2022 Dec 04 04:14:35

Received From: (server.vm) any->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

 --END OF NOTIFICATION

otherServerK from the title isn't in any notification in this email.

In this configuration I get from Wazuh:
TO: A...@example.com
other grouped alerts where level > 3.

1. Is there any possibility to disable email to A...@example.com?
2. Is it possible to change the title of the email? (I want to put the rule.id there)
3. In the title (Wazuh notification - (otherServerK) any - Alert level 11), what does "any" mean?
4. Do you want me to change server.vm to otherServerN in <email_alerts>?

Regards
Mateusz
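The grouped email quoted above carries alerts from several agents under a subject that names yet another one, and checking that by eye is error-prone. The following Python is an added example, not Wazuh's code and not from the thread: it splits a notification body on the --END OF NOTIFICATION markers the mails use, extracts the agent, location and rule of each notification, and reports which agents appear in the body, whether the subject's agent is among them, and which notifications are not from the agent the <email_alerts> block targets. The subject and body below are constructed to mirror the quoted format; the log paths, IP address and user name are placeholders.

```python
"""Audit a grouped Wazuh notification e-mail against the agent it should be about.

Added example, not Wazuh's own code.  The SUBJECT and BODY below are
constructed to match the format quoted in the thread; paths, the IP address
and the user name are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List

# One notification inside a grouped mail, as quoted in the thread:
#   Received From: (agent) src->location
#   Rule: <id> fired (level <n>) -> "<description>"
NOTIFICATION_RE = re.compile(
    r"Received From: \((?P<agent>[^)]*)\) (?P<src>[^-]*)->(?P<location>\S*)")
RULE_RE = re.compile(
    r'Rule: (?P<id>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>[^"]*)"')
# Subject line format from the thread: Wazuh notification - (agent) src - Alert level <n>
SUBJECT_RE = re.compile(
    r"Wazuh notification - \((?P<agent>[^)]*)\) (?P<src>\S+) - Alert level (?P<level>\d+)")
END_MARKER = "--END OF NOTIFICATION"


@dataclass
class Notification:
    agent: str
    location: str
    rule_id: str
    level: int
    description: str


def parse_body(body: str) -> List[Notification]:
    """Split the mail body into its notifications and pull the fields we care about."""
    notes: List[Notification] = []
    for chunk in body.split(END_MARKER):
        m = NOTIFICATION_RE.search(chunk)
        if not m:
            continue  # trailing text after the last marker, or no 'Received From'
        r = RULE_RE.search(chunk)
        notes.append(Notification(
            agent=m["agent"],
            location=m["location"],
            rule_id=r["id"] if r else "",
            level=int(r["level"]) if r else 0,
            description=r["desc"] if r else "",
        ))
    return notes


def audit(subject: str, body: str, wanted_agent: str) -> dict:
    """Report which agents are in the body, whether the subject's agent is among
    them, and which notifications are not from the agent we want."""
    notes = parse_body(body)
    s = SUBJECT_RE.search(subject)
    subject_agent = s["agent"] if s else None
    agents = sorted({n.agent for n in notes})
    return {
        "subject_agent": subject_agent,
        "subject_level": int(s["level"]) if s else None,
        "agents_in_body": agents,
        "subject_agent_in_body": subject_agent in agents,
        "max_level_in_body": max((n.level for n in notes), default=0),
        "foreign": [(n.agent, n.rule_id) for n in notes if n.agent != wanted_agent],
    }


# Constructed sample mirroring the thread's quoted mail.
SUBJECT = "Wazuh notification - (otherServerK) any - Alert level 11"
BODY = """Wazuh Notification.
2022 Dec 04 04:14:17

Received From: (otherServer1) any->/var/log/auth.log
Rule: 5503 fired (level 5) -> "PAM: User login failed."
Src IP: 192.0.2.10
User: abc
Portion of the log(s):

 --END OF NOTIFICATION

Wazuh Notification.
2022 Dec 04 04:14:34

Received From: (otherServerN) any->/var/log/audit/audit.log
Rule: 80710 fired (level 10) -> "Auditd: Device enables promiscuous mode."
Portion of the log(s):

 --END OF NOTIFICATION

Wazuh Notification.
2022 Dec 04 04:14:35

Received From: (server.vm) any->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

 --END OF NOTIFICATION
"""

if __name__ == "__main__":
    for key, value in audit(SUBJECT, BODY, "server.vm").items():
        print(f"{key}: {value}")
```

On the constructed sample the audit reproduces the two observations in the post above: the agent in the subject (otherServerK, level 11) does not appear in the body at all, and the highest level actually present is 10, while two of the three notifications are from agents other than server.vm. Running the same audit over a folder of saved mails is a quick way to collect the "alerts that shouldn't have been grouped" that Julián asked for.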