Difference between revisions of "Wazuh Email Alert Configuration"
Page created and revised by Sunilvarma (talk | contribs).
= Wazuh Email Alert Configuration Guide =
This document explains how to configure Postfix and Wazuh Manager to send email alerts, including an optional custom integration script for enhanced alert details.
== Step 1: Install Required Packages ==
Run the following commands on the Wazuh Manager:
<syntaxhighlight lang="bash">
apt-get update && apt-get install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules
</syntaxhighlight>
== Step 2: Configure Postfix ==
Edit the Postfix configuration file:
<syntaxhighlight lang="bash">
/etc/postfix/main.cf
</syntaxhighlight>
Add or update the following values:
<syntaxhighlight lang="text">
relayhost = mail.gbb.co.in:587
smtp_use_tls = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
</syntaxhighlight>
=== Explanation ===
* '''relayhost''': the external SMTP server (host:port) that Postfix hands all outbound mail to
* '''smtp_use_tls''': legacy switch that enables TLS; it is overridden by '''smtp_tls_security_level''' whenever that is set
* '''smtp_tls_security_level''': <code>may</code> is opportunistic TLS, so delivery falls back to plaintext if the relay does not offer STARTTLS; <code>encrypt</code> makes TLS mandatory, and only <code>verify</code> or <code>secure</code> checks the relay certificate against '''smtp_tls_CAfile'''
* '''smtp_sasl_auth_enable''': enables SMTP authentication to the relay with the credentials from Step 3
* '''smtp_sasl_security_options''': left empty so the plaintext PLAIN/LOGIN mechanisms are allowed (Postfix's default forbids them); this is acceptable only when the session is encrypted
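As an added check (example code written for this page, not from the original author or from Postfix), the functions below parse a main.cf fragment like the one above and flag the settings that leave the relay session weaker than it looks; the sample text is constructed from the Step 2 values.

```python
def parse_main_cf(text: str) -> dict:
    """Parse main.cf lines into a dict; comments and blank lines are skipped and
    a line starting with whitespace continues the previous value (Postfix rule)."""
    settings, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last_key is not None:
            settings[last_key] = (settings[last_key] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        last_key = key.strip()
        settings[last_key] = value.strip()
    return settings


def audit_relay(settings: dict) -> list:
    """Return (setting, finding) pairs for settings that weaken relay transport."""
    findings = []
    level = settings.get("smtp_tls_security_level", "none")
    if level in ("none", "may"):
        findings.append(("smtp_tls_security_level",
                         f"'{level}' falls back to plaintext if STARTTLS is missing; use 'encrypt'"))
    # Postfix's default here is "noplaintext, noanonymous"; an empty value allows PLAIN/LOGIN.
    if (settings.get("smtp_sasl_auth_enable") == "yes"
            and settings.get("smtp_sasl_security_options", "noplaintext, noanonymous") == ""):
        findings.append(("smtp_sasl_security_options",
                         "empty value permits plaintext SASL; acceptable only with mandatory TLS"))
    if "smtp_tls_CAfile" not in settings and "smtp_tls_CApath" not in settings:
        findings.append(("smtp_tls_CAfile", "no CA bundle, so the relay certificate can never be verified"))
    return findings


# Constructed sample mirroring the page's Step 2 block (not a real server config).
SAMPLE_MAIN_CF = """relayhost = mail.gbb.co.in:587
smtp_tls_security_level = may
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
"""

if __name__ == "__main__":
    for setting, finding in audit_relay(parse_main_cf(SAMPLE_MAIN_CF)):
        print(f"{setting}: {finding}")
```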
== Step 3: Configure SMTP Credentials ==
Create or edit:
<syntaxhighlight lang="bash">
/etc/postfix/sasl_passwd
</syntaxhighlight>
Add your SMTP credentials; the lookup key must match '''relayhost''' exactly, and the username and password are separated by a colon:
<syntaxhighlight lang="text">
mail.gbb.co.in:587 <MAIL_ADDRESS>:<MAIL_PASSWORD>
</syntaxhighlight>
Convert the credentials to a Postfix hash database:
<syntaxhighlight lang="bash">
postmap /etc/postfix/sasl_passwd
</syntaxhighlight>
Restrict permissions so that only root can read the plaintext and hashed credential files:
<syntaxhighlight lang="bash">
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
</syntaxhighlight>
== Step 4: Test Postfix ==
Send a test email to verify delivery:
<syntaxhighlight lang="bash">
echo "Test mail from postfix" | mail -s "Test Postfix" -r "<CONFIGURED_EMAIL>" <RECEIVER_EMAIL>
</syntaxhighlight>
== Step 5: Enable Email Notifications in Wazuh ==
Edit:
<syntaxhighlight lang="bash">
/var/ossec/etc/ossec.conf
</syntaxhighlight>
Inside the <code>&lt;global&gt;</code> tag add:
<syntaxhighlight lang="xml">
<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>yes</logall>
  <logall_json>yes</logall_json>
  <email_notification>yes</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>SENDER EMAIL ADDRESS</email_from>
  <email_to>RECEIVER EMAIL ADDRESS</email_to>
  <email_maxperhour>50</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
  <agents_disconnection_time>10m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  <update_check>yes</update_check>
</global>
</syntaxhighlight>
Configure alert levels:
<syntaxhighlight lang="xml">
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>
</syntaxhighlight>
== Optional: Enhanced Alert Email Using Custom Script ==
To include more information (agent name, rule ID, timestamp, etc.) in the email, use a custom integration script.
=== Create the Script ===
File:
<syntaxhighlight lang="bash">
/var/ossec/integrations/custom-email.py
</syntaxhighlight>
Content:
<syntaxhighlight lang="python">
#!/usr/bin/env python3
# Wazuh integration script: argv[1] is the path of the alert JSON file the manager
# writes before invoking the script; argv[2] (API key) and argv[3] (hook URL) are unused here.
import sys
import json
import smtplib
import logging
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SMTP_SERVER = '127.0.0.1'
SMTP_PORT = 25
SENDER_EMAIL = 'sender.email@gmail.com'
RECEIVER_EMAIL = 'receiver.email@email.com'

logging.basicConfig(
    filename='/var/ossec/logs/custom-email_integration.log',
    filemode='a',
    format='%(asctime)s %(name)s %(levelname)s %(message)s',
    datefmt='%Y-%m-%dT%H:%M:%S',
    level=logging.DEBUG
)

# Read the alert file; without it there is nothing to send, so stop here
try:
    with open(sys.argv[1]) as alert_file:
        alert_json = json.load(alert_file)
except Exception as e:
    logging.error("Error reading alert file: %s", str(e))
    sys.exit(1)

# Extract the fields used in the notification
try:
    timestamp = alert_json['timestamp']
    location = alert_json['location']
    alert_level = alert_json['rule']['level']
    rule_id = alert_json['rule']['id']
    description = alert_json['rule']['description']
    agent_id = alert_json['agent']['id']
    agent_name = alert_json['agent']['name']
except Exception as e:
    logging.error("Error extracting fields: %s", str(e))
    sys.exit(1)

# Build the email and hand it to the local Postfix instance configured above
try:
    data = f"""Wazuh Notification.
{timestamp}
Received From: {location}
Rule: {rule_id} (level {alert_level}) -> {description}
Agent: {agent_name} ({agent_id})
END OF NOTIFICATION"""
    message = MIMEMultipart()
    message['From'] = SENDER_EMAIL
    message['To'] = RECEIVER_EMAIL
    message['Subject'] = 'Alert Notification'
    message.attach(MIMEText(data, 'plain'))
    with smtplib.SMTP(SMTP_SERVER, SMTP_PORT) as server:
        server.send_message(message)
    logging.info("Email sent successfully!")
except Exception as e:
    logging.error("Error sending email: %s", str(e))
sys.exit(0)
</syntaxhighlight>
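The following is an added example, not the page's custom-email.py, showing how the notification can be built from the alert JSON the manager passes to the integration: it applies the same level threshold as <code>email_alert_level</code>, fills defaults for absent fields, and collapses log-derived text to a single line before it reaches a mail header. The sample alert is constructed and the addresses are placeholders.

```python
import json
from email.message import EmailMessage


def _clean(value) -> str:
    """Collapse all whitespace, including CR/LF, so a log-derived field stays on
    one line and cannot break the line-delimited mail header structure."""
    return " ".join(str(value).split())


def build_notification(alert: dict, sender: str, receiver: str, min_level: int = 12):
    """Return an EmailMessage for the alert, or None when its level is below min_level
    (the same threshold the page sets in <email_alert_level>)."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    level = int(rule.get("level", 0))
    if level < min_level:
        return None
    description = _clean(rule.get("description", "alert"))
    body = "\n".join([
        "Wazuh Notification.",
        str(alert.get("timestamp", "unknown time")),
        f"Received From: {_clean(alert.get('location', 'unknown'))}",
        f"Rule: {rule.get('id', '?')} (level {level}) -> {description}",
        f"Agent: {agent.get('name', 'unknown')} ({agent.get('id', '?')})",
        "END OF NOTIFICATION",
    ])
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = receiver
    msg["Subject"] = f"Wazuh level {level}: {description}"[:120]
    msg.set_content(body)
    return msg


# Constructed alert in the shape the manager hands to the integration (not real data).
SAMPLE_ALERT = json.loads("""{
  "timestamp": "2025-11-29T09:14:00.000+0000",
  "location": "/var/log/auth.log",
  "rule": {"id": "150101", "level": 12,
           "description": "sshd: authentication failed\\r\\nfor invalid user"},
  "agent": {"id": "001", "name": "web-01"}
}""")

if __name__ == "__main__":
    msg = build_notification(SAMPLE_ALERT, "wazuh@example.invalid", "soc@example.invalid")
    print(msg.as_string() if msg else "below threshold")
```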
=== Fix Permissions ===
<syntaxhighlight lang="bash">
chown root:wazuh /var/ossec/integrations/custom-email.py
chmod 750 /var/ossec/integrations/custom-email.py
</syntaxhighlight>
=== Add Integration to Wazuh Configuration ===
Add inside <code>&lt;ossec_config&gt;</code>:
<syntaxhighlight lang="xml">
<integration>
  <name>custom-email.py</name>
  <rule_id>150101</rule_id>
  <alert_format>json</alert_format>
  <options>JSON</options>
</integration>
</syntaxhighlight>
Restart Wazuh Manager:
<syntaxhighlight lang="bash">
systemctl restart wazuh-manager
</syntaxhighlight>
== Verification ==
Trigger an SSH authentication failure on any Wazuh agent. You should receive an email alert formatted by either:
* the Wazuh default email alerts
* the enhanced custom-email.py script (if configured)
Latest revision as of 09:14, 29 November 2025