This guide explains how to configure SMTP settings in Wazuh to enable email alerts for security events. By setting up email notifications, you can receive alerts when specific rules are triggered.
- Run this command to install the required packages. Select No configuration, if prompted about the mail server configuration type.
sudo apt-get update && apt-get install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules
-
Select No Configuration
-
Append these lines to the
/etc/postfix/main.cffile to configure Postfix. Create the file if missing.
nano /etc/postfix/main.cf
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination-
Go to your gmail of the mail you were using and create a app password
-
Set the credentials of the sender in the
/etc/postfix/sasl_passwdfile and create a database file for Postfix. Replace the and variables with sender’s email address username and password respectively.
echo [smtp.gmail.com]:587 <USERNAME>@gmail.com:<PASSWORD> > /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
- Secure your password DB file so that only the root user has full read and write access to it. This is because the
/etc/postfix/sasl_passwdand/etc/postfix/sasl_passwd.dbfiles have plaintext credentials.
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
- Restart Postfix to effect the configuration changes
systemctl restart postfix
- Run the following command to test the configuration
echo "Test mail from postfix" | mail -s "Test Postfix" -r "<CONFIGURED_EMAIL>" <RECEIVER_EMAIL>
Wazuh generates alerts based on predefined rules. By default, alerts are stored in:
/var/ossec/logs/alerts/alerts.log/var/ossec/logs/alerts/alerts.json
To enhance monitoring, you can configure Wazuh to forward alerts via syslog, email, or external databases.
Edit the Wazuh configuration file located at /var/ossec/etc/ossec.conf and add the following configuration under the <global> section:
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>me@test.com</email_to>
<smtp_server>mail.test.com</smtp_server>
<email_from>wazuh@test.com</email_from>
</global>
</ossec_config>Modify the <alerts> section in /var/ossec/etc/ossec.conf to set the minimum severity level for email alerts:
<ossec_config>
<alerts>
<email_alert_level>10</email_alert_level>
</alerts>
</ossec_config>The <email_alert_level> value determines the minimum alert severity required to trigger an email. The allowed range is from 1 to 16.
After modifying the configuration file, restart the Wazuh manager for the changes to take effect:
systemctl restart wazuh-managerOnce configured, Wazuh will send email notifications when an alert meets the specified threshold. Below is an example of an email notification:
Wazuh Notification.
2024 Apr 29 08:58:30
Received From: wazuh-server->syscheck
Rule: 553 fired (level 7) -> "File deleted."
Portion of the log(s):
File '/var/ossec/test_dir/somefile.txt' deleted
Mode: realtime
--END OF NOTIFICATION
- If you need to forward alerts to multiple email addresses, separate them with commas in the
<email_to>field. - Ensure the SMTP server is accessible from the Wazuh server.
- Review Wazuh logs (
/var/ossec/logs/ossec.log) for troubleshooting email delivery issues.
By configuring SMTP in Wazuh, you can receive real-time alerts via email, improving incident response and monitoring efficiency. For advanced configurations, refer to the Wazuh documentation.