Wazuh Email Alert Configuration

From Notes_Wiki


Wazuh Email Alert Configuration Guide

This document explains how to configure Postfix and Wazuh Manager for sending email alerts, including an optional custom integration script for enhanced alert details.

Step 1: Install Required Packages

Run the following commands on the Wazuh Manager:

apt-get update && apt-get install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules

Step 2: Configure Postfix

Edit the Postfix configuration file:

/etc/postfix/main.cf

Add/update the following values:

relayhost = mail.gbb.co.in:587
smtp_use_tls = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Explanation

  • relayhost: external SMTP mail server
  • smtp_use_tls: enables TLS
  • smtp_sasl_auth_enable: enables SMTP authentication

Step 3: Configure SMTP Credentials

Create or edit:

/etc/postfix/sasl_passwd

Add your SMTP credentials:

mail.gbb.co.in:587 <MAIL_ADDRESS>:<MAIL_PASSWORD>

Convert the credentials to a Postfix hash:

postmap /etc/postfix/sasl_passwd

Fix permissions:

chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

Step 4: Test Postfix

Send a test email to verify delivery:

echo "Test mail from postfix" | mail -s "Test Postfix" -r "<CONFIGURED_EMAIL>" <RECEIVER_EMAIL>

Step 5: Enable Email Notifications in Wazuh

Edit:

/var/ossec/etc/ossec.conf

Inside the <global> tag add:

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>yes</logall>
  <logall_json>yes</logall_json>
  <email_notification>yes</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>SENDER EMAIL ADDRESS</email_from>
  <email_to>RECEIVER EMAIL ADDRESS</email_to>
  <email_maxperhour>50</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
  <agents_disconnection_time>10m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  <update_check>yes</update_check>
</global>

Configure alert levels:

<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>

Optional: Enhanced Alert Email Using Custom Script

To add more information (agent name, rule ID, timestamp, etc.), use a custom integration script.

Create the Script

File:

/var/ossec/integrations/custom-email.py

Content:

#!/usr/bin/env python3
# Wazuh integration script. wazuh-integratord runs it with the path of a file
# holding one alert as JSON in argv[1] (argv[2]/argv[3] carry the api_key and
# hook_url options, which this script does not use).
import sys
import json
import smtplib
import logging
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SMTP_SERVER = '127.0.0.1'        # the local Postfix relay configured above
SMTP_PORT = 25
SENDER_EMAIL = 'sender.email@gmail.com'
RECEIVER_EMAIL = 'receiver.email@email.com'

logging.basicConfig(
    filename='/var/ossec/logs/custom-email_integration.log',
    filemode='a',
    format='%(asctime)s %(name)s %(levelname)s %(message)s',
    datefmt='%Y-%m-%dT%H:%M:%S',
    level=logging.DEBUG
)

# Read the alert file. Stop here if it cannot be read or parsed; otherwise
# every later step would fail on an undefined alert_json.
try:
    with open(sys.argv[1]) as alert_file:
        alert_json = json.load(alert_file)
except (IndexError, OSError, ValueError) as e:
    logging.error("Error reading alert file: %s", str(e))
    sys.exit(1)

# Extract fields. Not every alert carries every field (alerts raised on the
# manager itself, for example), so fall back to placeholders instead of failing.
try:
    rule = alert_json.get('rule', {})
    agent = alert_json.get('agent', {})
    timestamp = alert_json.get('timestamp', 'unknown')
    location = alert_json.get('location', 'unknown')
    alert_level = rule.get('level', '?')
    rule_id = rule.get('id', '?')
    description = rule.get('description', '')
    agent_id = agent.get('id', '000')
    agent_name = agent.get('name', 'manager')
except AttributeError as e:
    logging.error("Error extracting fields: %s", str(e))
    sys.exit(1)

# Prepare the email and hand it to the local Postfix relay
try:
    data = f"""Wazuh Notification.
{timestamp}
Received From: {location}
Rule: {rule_id} (level {alert_level}) -> {description}
Agent: {agent_name} ({agent_id})
END OF NOTIFICATION"""

    message = MIMEMultipart()
    message['From'] = SENDER_EMAIL
    message['To'] = RECEIVER_EMAIL
    message['Subject'] = 'Alert Notification'
    message.attach(MIMEText(data, 'plain'))

    with smtplib.SMTP(SMTP_SERVER, SMTP_PORT) as server:
        server.send_message(message)

    logging.info("Email sent successfully!")
except Exception as e:
    logging.error("Error sending email: %s", str(e))
    sys.exit(1)

sys.exit(0)
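Added example, not part of this wiki page or of the Wazuh project: an offline dry run of the integration path, so the enhanced body and the <email_alert_level> threshold from the <alerts> block can be checked without a live Postfix relay. The alert content, addresses and function names are constructed for the example.

```python
import json
import os
import tempfile
from email.message import EmailMessage

# Constructed sample alert in the shape wazuh-integratord hands to the script
# (one JSON alert in the file named by argv[1]); all values are made up.
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T12:00:00.000+0000",
    "rule": {"level": 12, "id": "150101", "description": "Multiple SSH authentication failures"},
    "agent": {"id": "001", "name": "web-01"},
    "location": "/var/log/auth.log",
    "data": {"srcip": "192.0.2.10"},
}

def load_alert(path):
    # Parse the single-alert JSON file passed to an integration script
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def should_email(alert, min_level=12):
    # Mirror the <email_alert_level> threshold from the <alerts> block
    return int(alert.get("rule", {}).get("level", 0)) >= min_level

def build_message(alert, sender, receiver):
    # Alerts raised on the manager itself may lack agent/location: every lookup has a fallback
    rule, agent = alert.get("rule", {}), alert.get("agent", {})
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, receiver
    msg["Subject"] = (f"Wazuh alert: rule {rule.get('id', '?')} level "
                      f"{rule.get('level', '?')} on {agent.get('name', 'manager')}")
    msg.set_content("\n".join([
        "Wazuh Notification.",
        alert.get("timestamp", "unknown time"),
        f"Received From: {alert.get('location', 'unknown')}",
        f"Rule: {rule.get('id', '?')} (level {rule.get('level', '?')}) -> {rule.get('description', '')}",
        f"Agent: {agent.get('name', 'manager')} ({agent.get('id', '000')})",
        f"Source IP: {alert.get('data', {}).get('srcip', 'n/a')}",
        "END OF NOTIFICATION",
    ]))
    return msg

def dry_run(alert=SAMPLE_ALERT):
    # Write the alert to a temp file and walk the script's path, returning the message instead of sending it
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(alert, fh)
    loaded = load_alert(fh.name)
    os.unlink(fh.name)
    return build_message(loaded, "sender@example.com", "soc@example.com") if should_email(loaded) else None
```

Alerts below the threshold return None, matching what the manager's own email path would do for them.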

Fix Permissions

chown root:wazuh /var/ossec/integrations/custom-email.py
chmod 750 /var/ossec/integrations/custom-email.py

Add Integration to Wazuh Configuration

Add the following inside <ossec_config>:

<integration>
  <name>custom-email.py</name>
  <rule_id>150101</rule_id>
  <alert_format>json</alert_format>
  <options>JSON</options>
</integration>

Restart Wazuh Manager:

systemctl restart wazuh-manager

Verification

Trigger an SSH authentication failure on any Wazuh agent. You should receive an email alert formatted by either:

  • Wazuh default email alerts
  • The enhanced custom-email.py script (if configured)