issue with email alert #993

Open
farzadha2 opened this issue Sep 13, 2023 · 0 comments

Hi guys, currently I'm getting an issue with SMTP alerts.
I'm currently running Wazuh in Docker multi mode. These are the steps I took: in the Wazuh master I edited this file to this:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>wazuh-smtp</smtp_server>
    <email_from>ids@domain.com</email_from>
    <email_to>ids@domain.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

Then after that I created a docker compose for postfix:

version: "2.1"
services:
  postfix:
    image: eeacms/postfix:2.10-3.5
    hostname: wazuh-smtp
    networks:
      - multi-node_default
    restart: always
    environment:
      - MTP_RELAY=mail.domain.com
      - MTP_PORT=587
      - MTP_USER=ids@domain.com
      - MTP_PASS=mypassword
      - MTP_HOST=mail.domain.com

networks:
  multi-node_default:
    name: multi-node_default

Using swaks to test out the email, which is working on the container:

root@wazuh:/# swaks -f ids@domain.com -t ids@domain.com --server wazuh-smtp
=== Trying wazuh-smtp:25...
=== Connected to wazuh-smtp.
<-  220 mail.domain.com ESMTP Postfix
 -> EHLO wazuh.master
<-  250-mail.domain.com
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> MAIL FROM:<ids@domain.com>
<-  250 2.1.0 Ok
 -> RCPT TO:<ids@domain.com>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Sun, 10 Sep 2023 20:19:38 -0500
 -> To: ids@domain.com
 -> From: ids@domain.com
 -> Subject: test Sun, 10 Sep 2023 20:19:38 -0500
 -> Message-Id: <20230910201938.079757@wazuh.master>
 -> X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/
 ->
 -> This is a test mailing
 ->
 ->
 -> .
<-  250 2.0.0 Ok: queued as E826E6C34F4
 -> QUIT
<-  221 2.0.0 Bye

I checked on the web GUI and it got triggered as a level 12; very odd, not getting the alert.
[screenshot of the triggered level 12 alert]

Not sure what else I missed?
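The post pastes the `<global>`/`<alerts>` settings and a raw SMTP test but does not show how the manager decides which alerts are handed to wazuh-maild in the first place. The following is an added example (my own code, not part of the issue and not Wazuh's code) that parses those two sections and applies the three manager-side gates I know of from the settings shown: `log_alert_level` (below it nothing is written to alerts.log), `email_alert_level` (below it the alert is logged but not flagged for mail), and `email_maxperhour` (a per-hour cap on mails). The config text is the posted fragment trimmed to the mail-related keys and wrapped in a root element; the rule ids, levels and timestamps are constructed sample data, not from the page. Rule-level options such as `alert_by_email`/`no_email_alert` and granular `<email_alerts>` blocks are intentionally not modelled.

```python
"""Model which Wazuh rule matches would be flagged for e-mail under an ossec.conf.

Added example, not Wazuh's own code. Inputs are alerts.json-style records
(rule id, level, ISO-8601 timestamp); verdicts are strings defined below.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed config: the posted <global>/<alerts> sections trimmed to the
# mail-related keys and wrapped in the root element the XML parser needs.
OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>wazuh-smtp</smtp_server>
    <email_from>ids@domain.com</email_from>
    <email_to>ids@domain.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>"""

EMAIL, LOGGED_ONLY, NOT_LOGGED, RATE_CAPPED, DISABLED = (
    "email", "logged_only", "not_logged", "rate_capped", "disabled")


def _text(node, tag, default=None):
    """Text of the first <tag> child of node, or default when absent."""
    el = node.find(tag) if node is not None else None
    return el.text.strip() if el is not None and el.text else default


def load_email_settings(conf_xml):
    """Extract the mail-related settings from an ossec.conf document."""
    root = ET.fromstring(conf_xml)
    g, a = root.find("global"), root.find("alerts")
    return {
        "enabled": _text(g, "email_notification", "no") == "yes",
        "smtp_server": _text(g, "smtp_server"),
        "email_from": _text(g, "email_from"),
        "email_to": [e.text.strip() for e in g.findall("email_to")] if g is not None else [],
        "maxperhour": int(_text(g, "email_maxperhour", "12")),
        "log_alert_level": int(_text(a, "log_alert_level", "3")),
        "email_alert_level": int(_text(a, "email_alert_level", "12")),
    }


def classify(settings, matches):
    """Return a list of (rule_id, verdict) for each rule match, in order.

    Each match is a dict with 'rule_id', 'level' and 'timestamp'
    (e.g. 2023-09-10T20:19:38.000-0500). Hour buckets for the cap are taken
    from the first 13 characters of the timestamp ('YYYY-MM-DDTHH').
    """
    sent_in_hour = Counter()
    verdicts = []
    for m in matches:
        level = m["level"]
        if level < settings["log_alert_level"]:
            verdict = NOT_LOGGED        # never written to alerts.log at all
        elif not settings["enabled"]:
            verdict = DISABLED          # email_notification is not 'yes'
        elif level < settings["email_alert_level"]:
            verdict = LOGGED_ONLY       # in alerts.log, but not flagged for mail
        else:
            hour = m["timestamp"][:13]
            if sent_in_hour[hour] >= settings["maxperhour"]:
                verdict = RATE_CAPPED   # over email_maxperhour for this hour
            else:
                sent_in_hour[hour] += 1
                verdict = EMAIL
        verdicts.append((m["rule_id"], verdict))
    return verdicts


def summarize(verdicts):
    """Count verdicts, e.g. {'email': 14, 'logged_only': 2, ...}."""
    return dict(Counter(v for _, v in verdicts))


def _match(rule_id, level, ts):
    return {"rule_id": rule_id, "level": level, "timestamp": ts}


# Constructed sample (rule ids 10000x are placeholders, not real Wazuh rules):
# a spread of levels in the 20:00 hour, then a burst of thirteen level-12
# matches in the 21:00 hour to exercise the email_maxperhour cap of 12.
SAMPLE_MATCHES = [
    _match("100001", 2, "2023-09-10T20:05:00.000-0500"),
    _match("100002", 3, "2023-09-10T20:10:00.000-0500"),
    _match("100003", 10, "2023-09-10T20:15:00.000-0500"),
    _match("100004", 12, "2023-09-10T20:19:38.000-0500"),
    _match("100005", 14, "2023-09-10T20:20:00.000-0500"),
] + [_match("100004", 12, "2023-09-10T21:%02d:00.000-0500" % i) for i in range(13)]

if __name__ == "__main__":
    settings = load_email_settings(OSSEC_CONF)
    for rule_id, verdict in classify(settings, SAMPLE_MATCHES):
        print(rule_id, verdict)
    print(summarize(classify(settings, SAMPLE_MATCHES)))
```

With the settings from the post, a level-12 alert clears both thresholds and is well under the hourly cap, so the model says it should be flagged for mail. When an alert shows up in the dashboard at that level and no mail arrives, the remaining places to look are on the delivery side: the corresponding line in alerts.log (the file named in `email_log_source`) and what the manager's own log, /var/ossec/logs/ossec.log, reports from wazuh-maild when it tries to reach `smtp_server`. The swaks run in the post is the right shape for that last check, since the manager speaks plain SMTP to `smtp_server` on port 25 without authentication.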
