Configuring-email-alerts.md

File metadata and controls

79 lines (67 loc) · 4.07 KB

Email Alerts Configurations

Wazuh can be configured to send email alerts to one or more email addresses when certain rules are triggered or for daily event reports.

Prerequisites

  • SMTP server (this lab uses Postfix on the Wazuh host as a local relay)
  • Wazuh SIEM (the manager host)
  • A sender email address and an app password (Gmail only issues app passwords to accounts with 2-Step Verification enabled; use a dedicated sender account rather than a personal one)

SMTP server configuration

Postfix configuration differs between distributions; this lab configures the Postfix mail service (SMTP) on Ubuntu. First, install Postfix together with the SASL and certificate packages it needs to authenticate to the relay over TLS:

  • sudo apt-get update && sudo apt-get install -y postfix mailutils libsasl2-2 ca-certificates libsasl2-modules

After installation completes, edit the Postfix configuration file at /etc/postfix/main.cf and add the following settings.

# Relay all outbound mail through Gmail's submission port. The brackets make
# Postfix connect to this host directly instead of doing an MX lookup on it.
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Require STARTTLS before the app password is sent. The older
# "smtp_use_tls = yes" only enables opportunistic TLS, so a STARTTLS
# downgrade would expose the credential in cleartext.
smtp_tls_security_level = encrypt
# Only local clients and authenticated users may relay through this server
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination


Figure (1) postfix configurations

Wazuh submits mail to localhost, so Postfix does not need to accept connections from outside the host; if the Ubuntu package prompted you for an "Internet Site" setup, also set inet_interfaces = loopback-only. Then create the credential map and protect it, running these commands one at a time as root:

echo "[smtp.gmail.com]:587 [email protected]:PASSWORD" > /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

The username is your full email address and the password is the Gmail app password (not the account password), as in the following figure. postmap copies the credential into sasl_passwd.db, which is why both files are locked down. Note that the echo command line, password included, ends up in the shell history; either edit the file with an editor or clear the history afterwards.


Figure (2)

Then restart Postfix with systemctl restart postfix and send a test message, for example with the mail command from mailutils, as in the following figure. If nothing arrives, check the mail log (/var/log/mail.log, or journalctl -u postfix) for SASL authentication or TLS errors.


Figure (3)

SMTP server configuration is done.
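The following script is an added example for this page; it is not the page author's code and not part of Postfix. It audits a main.cf relay stanza for the settings the procedure above depends on (bracketed relayhost, SASL enabled, noanonymous, and an enforced TLS level) and checks that a credential file is not group- or world-readable. The two main.cf fragments and the example.com address are constructed for the demo.

```python
"""Audit a Postfix relay stanza and credential-file permissions.

Added example for this page (not from the page author or the Postfix project).
"""
import os
import stat
import tempfile

# Constructed: the page's relay stanza, still using the opportunistic
# "smtp_use_tls = yes" instead of an enforced TLS level.
WEAK_MAIN_CF = """
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
"""

# Constructed: same stanza with TLS required before authentication.
HARDENED_MAIN_CF = WEAK_MAIN_CF.replace(
    "smtp_use_tls = yes", "smtp_tls_security_level = encrypt")

# smtp_tls_security_level values under which Postfix refuses to send without TLS.
ENFORCING_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text):
    """Turn 'key = value' lines into a dict. '#' comments are skipped and an
    indented line continues the previous parameter's value, as in Postfix."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        if "=" in raw:
            key, _, value = raw.partition("=")
            last = key.strip()
            params[last] = value.strip()
    return params


def audit_main_cf(text):
    """Return a list of findings; an empty list means the stanza looks sound."""
    p = parse_main_cf(text)
    findings = []
    relay = p.get("relayhost", "")
    if not relay:
        findings.append("relayhost not set: mail goes out directly, not via the relay")
    elif not relay.startswith("["):
        findings.append("relayhost lacks [brackets]: Postfix does an MX lookup on "
                        "the name instead of connecting to it directly")
    if p.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtp_sasl_auth_enable is not yes: sasl_passwd is never used")
    if not p.get("smtp_sasl_password_maps"):
        findings.append("smtp_sasl_password_maps not set")
    if "noanonymous" not in p.get("smtp_sasl_security_options", ""):
        findings.append("smtp_sasl_security_options lacks noanonymous")
    level = p.get("smtp_tls_security_level", "")
    if level not in ENFORCING_LEVELS:
        findings.append("TLS not enforced: set smtp_tls_security_level = encrypt "
                        "(smtp_use_tls = yes is only opportunistic, so a STARTTLS "
                        "downgrade would send the app password in cleartext)")
    if level in {"verify", "secure"} and not (
            p.get("smtp_tls_CAfile") or p.get("smtp_tls_CApath")):
        findings.append("certificate verification requested without a CA file/path")
    return findings


def check_secret_file_mode(path):
    """Flag a credential file that group or other can read. postmap writes the
    password into the .db file as well, so run this on both files."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path}: mode {mode:04o} readable by group/other, use chmod 600"]
    return []


def demo_file_mode_check():
    """Create a throwaway sasl_passwd, check it at 0644 and again at 0600;
    returns the number of findings for each mode (expected (1, 0))."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sasl_passwd")
        with open(path, "w") as fh:  # constructed credential line
            fh.write("[smtp.gmail.com]:587 user@example.com:APP_PASSWORD\n")
        os.chmod(path, 0o644)
        loose = len(check_secret_file_mode(path))
        os.chmod(path, 0o600)
        tight = len(check_secret_file_mode(path))
    return loose, tight


if __name__ == "__main__":
    for name, cf in (("page config", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(name, "->", audit_main_cf(cf) or "no findings")
    print("file mode findings at 0644 and 0600:", demo_file_mode_check())
```

Run it as a normal user on any machine; it does not touch /etc/postfix. To audit the real relay, pass the contents of /etc/postfix/main.cf to audit_main_cf and both /etc/postfix/sasl_passwd files to check_secret_file_mode. The encrypt level only forces TLS; "secure" would additionally verify the relay's certificate against smtp_tls_CAfile.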

Wazuh email alerts configuration

To have Wazuh send email alerts, set the email options in the <global> section of /var/ossec/etc/ossec.conf and the level threshold in the <alerts> section, as follows. Both sections sit inside the top-level <ossec_config> element.

<global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <!-- Send mail through the local Postfix relay configured above -->
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>[email protected]</email_from>
    <!-- Repeat email_to for additional recipients -->
    <email_to>[email protected]</email_to>
    <!-- Cap on emails per hour; alerts beyond it are not sent as individual mails -->
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>

<alerts>
    <!-- Alerts at or above log_alert_level are logged; at or above email_alert_level they are also emailed -->
    <log_alert_level>3</log_alert_level>
    <email_alert_level>7</email_alert_level>
</alerts>

Then restart the manager with systemctl restart wazuh-manager. To test, I delete some files from a directory monitored by file integrity monitoring; the file-deletion alert is level 7 in the default ruleset, so it meets the email threshold.


Figure (4) alerts

When an alert of level 7 or above fires, Wazuh sends an email like the ones in the following figures. Alerts below log_alert_level are never written to alerts.log, which is the email source configured above, so they cannot be emailed no matter how low email_alert_level is set.
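The following script is an added example for this page, not Wazuh's own code. It parses the <global> and <alerts> settings from a constructed ossec.conf fragment, validates them, and replays constructed alerts through the two rules the page relies on: only alerts at or above email_alert_level are mailed, and no more than email_maxperhour mails go out in any trailing hour. The example.com addresses are placeholders, the rule IDs and levels are constructed to resemble the default ruleset, and the rate limit is a simplified model that just marks the overflow as held.

```python
"""Which alerts would Wazuh email under a given ossec.conf?

Added example for this page (not Wazuh code). Settings and alerts below are
constructed; email_maxperhour is lowered to 3 so the limit is hit quickly.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>wazuh@example.com</email_from>
    <email_to>soc@example.com</email_to>
    <email_maxperhour>3</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>"""

T0 = datetime(2024, 4, 1, 10, 0, 0)
# Constructed alerts: (id, minutes after T0, rule id, level, description)
ALERTS = [
    ("a1", 0, 553, 7, "File deleted (FIM)"),
    ("a2", 1, 5710, 5, "sshd: non-existent user"),
    ("a3", 2, 553, 7, "File deleted (FIM)"),
    ("a4", 3, 5712, 10, "sshd: brute force"),
    ("a5", 4, 553, 7, "File deleted (FIM)"),
    ("a6", 5, 100002, 12, "custom rule: critical"),
    ("a7", 65, 553, 7, "File deleted (FIM)"),
]


def load_email_settings(conf_xml):
    """Pull the email-relevant options out of an ossec.conf document."""
    root = ET.fromstring(conf_xml)
    g, a = root.find("global"), root.find("alerts")

    def text(node, tag, default):
        child = node.find(tag) if node is not None else None
        return child.text.strip() if child is not None and child.text else default

    return {
        "enabled": text(g, "email_notification", "no").lower() == "yes",
        "smtp_server": text(g, "smtp_server", ""),
        "email_to": [e.text.strip() for e in g.findall("email_to")] if g is not None else [],
        "maxperhour": int(text(g, "email_maxperhour", "12")),
        "log_alert_level": int(text(a, "log_alert_level", "3")),
        "email_alert_level": int(text(a, "email_alert_level", "12")),
    }


def validate(settings):
    """Misconfigurations that silently stop mail from ever arriving."""
    problems = []
    if settings["enabled"] and not settings["email_to"]:
        problems.append("email_notification is yes but no email_to is set")
    if settings["enabled"] and not settings["smtp_server"]:
        problems.append("smtp_server is empty")
    if settings["email_alert_level"] < settings["log_alert_level"]:
        problems.append("email_alert_level is below log_alert_level: alerts under "
                        "log_alert_level never reach alerts.log, so they cannot be mailed")
    return problems


def route_alerts(alerts, settings):
    """Replay alerts in time order; returns (emailed_ids, held_ids).
    Simplified model: overflow beyond email_maxperhour is marked held."""
    emailed, held, sent_at = [], [], []
    for alert_id, minutes, _rule, level, _desc in sorted(alerts, key=lambda x: x[1]):
        if not settings["enabled"] or level < settings["email_alert_level"]:
            continue  # below the email threshold: logged, never mailed
        now = T0 + timedelta(minutes=minutes)
        sent_at = [t for t in sent_at if t > now - timedelta(hours=1)]  # trailing hour
        if len(sent_at) < settings["maxperhour"]:
            sent_at.append(now)
            emailed.append(alert_id)
        else:
            held.append(alert_id)
    return emailed, held


def demo():
    settings = load_email_settings(OSSEC_CONF)
    return validate(settings), route_alerts(ALERTS, settings)


if __name__ == "__main__":
    problems, (emailed, held) = demo()
    print("config problems:", problems or "none")
    print("emailed:", emailed)          # a1, a3, a4, then a7 once the hour has rolled
    print("held by email_maxperhour:", held)  # a5, a6
```

Point load_email_settings at the real /var/ossec/etc/ossec.conf to check a live configuration; the route_alerts replay is useful for deciding what email_maxperhour should be before a noisy FIM directory floods the inbox.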


Figure (5) Wazuh Email Alerts


Figure (6) Wazuh Email Alerts

Conclusion

This tutorial demonstrated configuring Postfix as an SMTP relay and configuring Wazuh email alerts. Practice more and become an expert!
4/1/2024
Contributed By - Jord@n