Wazuh Email Alerts

Configuring Wazuh email alerts by relaying mail through Postfix to an SMTP provider

Introduction

Wazuh sends its mail notifications through an SMTP server, and the smtp_server option in ossec.conf has no settings for authentication. Practically every provider requires it, so a local relay that adds the credentials on Wazuh's behalf is needed.

In this case Postfix will be set up on the Wazuh server to relay its mail to an SMTP provider over an authenticated, TLS-protected connection.

Postfix

Installation

Install Postfix, the mail client used for testing and the Cyrus SASL client plug-ins Postfix needs for SMTP AUTH. The package is libsasl2-modules; without it Postfix fails with "no mechanism available" when it tries to authenticate. The installer asks for a configuration type; any choice is fine because main.cf is rewritten below.

# Install Postfix, mail utilities and the SASL client plug-ins
sudo apt update
sudo apt install postfix mailutils libsasl2-modules

Main Postfix Config

First, prepare the Postfix main configuration file, main.cf

###/etc/postfix/main.cf

## Logging
maillog_file = /var/log/mail.log

## Network restrictions: listen on loopback only and trust nothing but loopback
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128

## Relay configuration (the provider's submission port)
relayhost = [mail.gmx.es]:587
## Authentication towards the provider
## (the map path must be the file you run postmap on below)
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain
## TLS: 'encrypt' makes delivery fail rather than send the PLAIN credentials in clear.
## It does not verify the provider's certificate; use 'secure' if you also want
## the certificate checked against smtp_tls_CAfile.
## (smtp_use_tls is the legacy switch, superseded by smtp_tls_security_level)
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

## Prevent open relay
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

## Address rewriting (hides internal hostnames)
smtp_generic_maps = hash:/etc/postfix/generic

SMTP Credentials config

Create the file that stores the credentials, /etc/postfix/sasl_passwd, with one line per relay host in the following format. The key must match relayhost exactly, brackets and port included, or the lookup silently misses and Postfix sends no credentials at all.

[mail.gmx.es]:587   w4tcher@gmx.es:S@feP@ssword

Once saved, run postmap to build the lookup table, then restrict the permissions of both the source file and the generated database so that only root can read the credentials

sudo postmap /etc/postfix/sasl_passwd
sudo chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

This creates /etc/postfix/sasl_passwd.db, which is what Postfix actually reads; rerun postmap every time the source file is edited

Address rewriting config

Create the generic mapping file to rewrite sender addresses. Many providers reject mail whose sender does not belong to the authenticated account, so the right-hand side should be the same mailbox used in sasl_passwd

In /etc/postfix/generic

root@deb04.localdomain    your_email@gmx.es
root@deb04                your_email@gmx.es
@deb04.localdomain        your_email@gmx.es

Apply the mapping

sudo postmap /etc/postfix/generic

Reload Postfix service

Once the configuration is done, restart the service (a plain reload is not enough after changing inet_interfaces, which Postfix only reads at start-up), check its status and verify that it is listening on port 25 on localhost only

# Restart so the new listener settings take effect
sudo systemctl restart postfix

# Check service status
sudo systemctl status postfix

# Verify Postfix is listening only on localhost: expect 127.0.0.1:25 and [::1]:25, nothing on 0.0.0.0 or *
sudo ss -tlnp | grep ':25 '

Test email sending

Once Postfix is running without errors, send a test email and watch the mail log to see whether the provider accepted the relay (look for "status=sent" or, on failure, the SASL or TLS error that preceded it)

# Send a test email
echo "Test Postfix Relay Configuration" | mail -s "Postfix Test from Wazuh Server" your_email@gmx.es

# Monitor logs for errors or success
sudo tail -f /var/log/mail.log
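The steps above touch five places where a mistake turns the relay into either an open relay or a credential leak, so it is worth checking them mechanically. The following script is an added example, not part of the original post: it reads a dump produced by postconf -n and verifies loopback-only listening, a loopback-only mynetworks, mandatory TLS, noanonymous, a password map whose file really exists and is mode 600, and relay restrictions. The names pc_get and check_relay_config and the dump path are chosen here; the checks assume a file-backed map type such as hash: or lmdb:.

```shell
#!/bin/sh
# Added example (not part of the original post): lint a Postfix config dump
# for the relay-hardening settings this page sets up.
# Usage on a live host:  postconf -n > /tmp/postconf.txt
#                        check_relay_config /tmp/postconf.txt
# Assumes the dump is "name = value" lines as printed by postconf -n and
# that the password map is a file-backed type such as hash: or lmdb:.

# Print the value of one parameter from the dump (empty if unset).
pc_get() {
    awk -v k="$2" -F' = ' '$1 == k { print $2; exit }' "$1"
}

# Report each failed check on stdout; return 0 only if everything passes.
check_relay_config() {
    f=$1
    rc=0

    # 1. Only loopback listeners: the relay must not be reachable from the LAN.
    case "$(pc_get "$f" inet_interfaces)" in
        loopback-only|localhost|127.0.0.1) ;;
        *) echo "FAIL inet_interfaces: relay reachable from the network"; rc=1 ;;
    esac

    # 2. mynetworks is trusted without authentication, so it must be loopback only.
    set -f   # no globbing while splitting: "[::1]/128" looks like a pattern
    for net in $(pc_get "$f" mynetworks); do
        case "$net" in
            127.0.0.0/8|127.0.0.1|"[::1]/128"|"[::1]") ;;
            *) echo "FAIL mynetworks: $net may relay without authenticating"; rc=1 ;;
        esac
    done
    set +f

    # 3. Credentials go out as PLAIN, so TLS must be mandatory and anonymous auth off.
    case "$(pc_get "$f" smtp_tls_security_level)" in
        encrypt|verify|secure) ;;
        *) echo "FAIL smtp_tls_security_level: must be encrypt or stronger"; rc=1 ;;
    esac
    case "$(pc_get "$f" smtp_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "FAIL smtp_sasl_security_options: add noanonymous"; rc=1 ;;
    esac

    # 4. The password map must point at a file that exists and is root-only (600).
    maps=$(pc_get "$f" smtp_sasl_password_maps)
    src=${maps#*:}
    if [ -z "$maps" ]; then
        echo "FAIL smtp_sasl_password_maps: not set"; rc=1
    elif [ ! -f "$src" ]; then
        echo "FAIL smtp_sasl_password_maps: $src not found (path differs from the file you ran postmap on?)"; rc=1
    else
        for p in "$src" "$src.db"; do
            if [ -e "$p" ]; then
                mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
                if [ "$mode" != "600" ]; then
                    echo "FAIL $p: mode is $mode, expected 600"; rc=1
                fi
            fi
        done
    fi

    # 5. Unauthenticated relaying to foreign domains must be rejected or deferred.
    case "$(pc_get "$f" smtpd_relay_restrictions)" in
        *reject_unauth_destination*|*defer_unauth_destination*) ;;
        *) echo "FAIL smtpd_relay_restrictions: open relay risk"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: relay configuration passes all checks"
    return "$rc"
}

# Run against a dump given as the first argument, if any.
if [ -n "${1:-}" ]; then
    check_relay_config "$1"
fi
```

Check 4 is the one that matters most in practice: a typo in smtp_sasl_password_maps does not produce an error at startup, Postfix simply finds no credentials for the relay host and the provider answers with a 5xx "authentication required" at delivery time.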

Wazuh Mail Notification Config

Wazuh SMTP Config

On the Wazuh server, define the email settings inside the global section of the ossec.conf file under /var/

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>w4tcher@gmx.es</email_from>
    <email_to>w4tcher@gmx.es</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>

Wazuh email alerts level

The default email_alert_level is 12, so out of the box only the most severe alerts produce mail. To be notified about lower-level alerts as well, add the following section below the global section (or edit it if it already exists) with the level you want

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>3</email_alert_level>
  </alerts>

With this, alerts of level 3 or higher are written to alerts.log and sent by email. Level 3 includes routine events such as successful logins, so it is noisy; email_maxperhour in the global section caps how many mails go out per hour, and once that cap is hit the remaining alerts of that hour are no longer delivered as individual mails
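Before lowering email_alert_level it helps to know how many mails an hour the new threshold would have produced, which the alerts Wazuh already wrote to alerts.log can tell you. The script below is an added example, not part of the original post or of Wazuh: it groups alerts at or above a level by hour and compares each hour against email_maxperhour. The sample log is constructed here in the alerts.log layout (a "** Alert" header, a timestamp line, a "Rule: N (level L)" line); the function names are chosen here, and on a real server you would point it at the live alerts.log instead.

```shell
#!/bin/sh
# Added example (not part of the original post): estimate the email volume a
# given email_alert_level would generate from the alerts already in alerts.log.
# The sample log below is constructed in the alerts.log format; on a server,
# pass the real file instead.

# Count alerts whose level is >= $2 in file $1, grouped by hour.
# Output lines look like: "2024 Mar 10 09h 3"
alerts_per_hour() {
    awk -v min="$2" '
        # The line after "** Alert" carries the timestamp: "YYYY Mon DD HH:MM:SS ..."
        /^\*\* Alert / { getline; split($4, t, ":"); hour = $1 " " $2 " " $3 " " t[1] "h"; next }
        # "Rule: 5501 (level 3) -> ..." gives the level of the current alert
        /^Rule: / {
            if (match($0, /\(level [0-9]+\)/)) {
                lvl = substr($0, RSTART + 7, RLENGTH - 8) + 0
                if (lvl >= min) count[hour]++
            }
        }
        END { for (h in count) print h, count[h] }
    ' "$1" | sort
}

# Total number of alerts at or above level $2 in file $1.
alerts_total() {
    alerts_per_hour "$1" "$2" | awk '{ n += $NF } END { print n + 0 }'
}

# Flag hours where the alert count exceeds email_maxperhour ($3).
# Returns 1 if any hour is over budget, 0 otherwise.
check_email_budget() {
    over=0
    while read -r y m d h n; do
        [ -n "$n" ] || continue
        if [ "$n" -gt "$3" ]; then
            echo "OVER: $y $m $d $h has $n alerts at level >= $2, email_maxperhour is $3"
            over=1
        fi
    done <<EOF
$(alerts_per_hour "$1" "$2")
EOF
    return "$over"
}

# Constructed sample in alerts.log format (not real data).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
** Alert 1710061921.1001: - pam,syslog,authentication_success,
2024 Mar 10 09:12:01 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5501 (level 3) -> 'PAM: Login session opened.'
User: deploy
** Alert 1710063045.1002: - syslog,sshd,authentication_failed,
2024 Mar 10 09:30:45 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 198.51.100.23
** Alert 1710064690.1003: - pam,syslog,authentication_success,
2024 Mar 10 09:58:10 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5501 (level 3) -> 'PAM: Login session opened.'
** Alert 1710065100.1004: - syslog,access_control,
2024 Mar 10 10:05:00 (db01) 10.0.0.9->/var/log/auth.log
Rule: 100010 (level 12) -> 'Custom: root login from unexpected host.'
** Alert 1710067222.1005: - ossec,rootcheck,
2024 Mar 10 10:40:22 (db01) 10.0.0.9->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
EOF

echo "Alerts at level >= 3, per hour:"
alerts_per_hour "$sample_log" 3
echo "Total at level >= 7: $(alerts_total "$sample_log" 7)"
# With email_maxperhour=2 the 09h bucket would already overflow at level 3.
check_email_budget "$sample_log" 3 2 || echo "-> raise email_alert_level or expect bundled mails"
```

The per-hour view is the useful one: a daily total can look harmless while a single busy hour (a brute-force burst, a patch run) blows through email_maxperhour and leaves the alerts you actually cared about unsent.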

Troubleshooting Postfix

Check loaded config

Check that the configuration Postfix actually loaded is the one you expect

# View all active Postfix settings
postconf

# View specific relay settings
postconf relayhost smtp_sasl_auth_enable smtp_use_tls

Check mail queue and delivery

mailq

Check connection issues

  • Test that port 587 is reachable (host and port are separate arguments to nc)
nc -vz mail.gmx.es 587
  • Test the STARTTLS handshake with the provider; the session stays open so you can type EHLO and AUTH by hand
openssl s_client -connect mail.gmx.es:587 -starttls smtp

Authentication failures

Check /var/log/mail.log for SASL errors

Common fixes may include

  • If using Gmail, create an app password (requires 2-step verification on the account); the old "less secure apps" setting no longer exists
  • Verify the credentials in /etc/postfix/sasl_passwd are correct and that the key column matches relayhost exactly
  • Check that sasl_passwd and sasl_passwd.db are mode 600 and that postmap was rerun after the last edit

Note that testsaslauthd only queries a local saslauthd daemon, which serves server-side SMTP AUTH; it does not validate the credentials against the provider. To test the login Postfix actually performs, open the STARTTLS session shown above and issue AUTH PLAIN with the base64 form of "\0username\0password"

# Build the AUTH PLAIN token (the password is a printf argument, not part of the format string)
printf '\0%s\0%s' 'your_username@gmx.es' 'your_password' | base64
# In the openssl s_client session: EHLO test, then AUTH PLAIN <token>; 235 means accepted, 535 means bad credentials
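To check the connection and the authentication together, the same exchange can be scripted so it reads the account from the sasl_passwd file Postfix uses and reports the server's answer. The script below is an added example, not part of the original post or of Postfix: map_entry, map_user, map_pass, sasl_plain_token and smtp_auth_test are names chosen here, the relay key and host are the page's placeholders, and the password is assumed to contain no whitespace (it may contain colons).

```shell
#!/bin/sh
# Added example (not part of the original post): test the provider login
# exactly as Postfix performs it, SMTP AUTH PLAIN inside STARTTLS, using the
# account stored in the sasl_passwd source file. testsaslauthd cannot do
# this, it only talks to a local saslauthd. Host and paths are placeholders.

# Value for relay key $2 in the sasl_passwd source file $1 ("user:password").
# Assumes the password contains no whitespace.
map_entry() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}
# Split on the FIRST colon only, so passwords may contain ':'.
map_user() { e=$(map_entry "$1" "$2"); printf '%s\n' "${e%%:*}"; }
map_pass() { e=$(map_entry "$1" "$2"); printf '%s\n' "${e#*:}"; }

# AUTH PLAIN initial response: base64("\0" user "\0" password).
# The secret is passed as a printf argument, never inside the format string.
sasl_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# One authentication attempt against $1:587. Prints the status lines that
# matter; returns 0 on "235" (accepted), 1 otherwise (535 = bad credentials,
# 4xx/5xx before AUTH = TLS or policy problem).
smtp_auth_test() {
    host=$1 user=$2 pass=$3
    tok=$(sasl_plain_token "$user" "$pass")
    # -quiet implies -ign_eof, so the session survives until QUIT; the sleeps
    # give the server time to answer each command before the next is sent.
    reply=$( {
        printf 'EHLO %s\r\n' "$(hostname)"; sleep 1
        printf 'AUTH PLAIN %s\r\n' "$tok";   sleep 2
        printf 'QUIT\r\n'
    } | openssl s_client -connect "$host:587" -starttls smtp -quiet 2>/dev/null )
    printf '%s\n' "$reply" | grep -E '^(235|[45][0-9][0-9])[ -]'
    printf '%s\n' "$reply" | grep -q '^235'
}

# Usage on the relay host (needs network access, so it is left commented):
#   key='[mail.gmx.es]:587'
#   smtp_auth_test mail.gmx.es "$(map_user /etc/postfix/sasl_passwd "$key")" \
#                              "$(map_pass /etc/postfix/sasl_passwd "$key")" \
#       && echo "provider accepted the credentials"
```

Reading the account from sasl_passwd rather than retyping it is the point: if this test succeeds but Postfix still logs SASL failures, the problem is the key column or a stale .db, not the credentials.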