wazuh / wazuh-docker

Wazuh - Docker containers
https://wazuh.com

issue with email alert #993

Open farzadha2 opened 1 year ago

farzadha2 commented 1 year ago

Hi guys, currently I'm getting an issue with SMTP alerts. I'm running Wazuh in Docker multi-node mode. These are the steps I took: in the Wazuh master I edited this file to this:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <!-- hostname of the Postfix container; must resolve from the manager -->
    <smtp_server>wazuh-smtp</smtp_server>
    <email_from>ids@domain.com</email_from>
    <email_to>ids@domain.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <!-- minimum level written to alerts.log -->
    <log_alert_level>3</log_alert_level>
    <!-- minimum level that triggers an email -->
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>

Then I created a Docker Compose file for Postfix:

version: "2.1"
services:
  postfix:
    image: eeacms/postfix:2.10-3.5
    # hostname referenced by <smtp_server> in the manager's config
    hostname: wazuh-smtp
    networks:
      - multi-node_default
    restart: always
    environment:
      # relay settings understood by the eeacms/postfix image
      - MTP_RELAY=mail.domain.com
      - MTP_PORT=587
      - MTP_USER=ids@domain.com
      - MTP_PASS=mypassword
      - MTP_HOST=mail.domain.com

networks:
  # join the network created by the multi-node Wazuh compose project
  multi-node_default:
    name: multi-node_default

Using swaks to test out the email, which is working from the container:

root@wazuh:/# swaks -f ids@domain.com -t ids@domain.com --server wazuh-smtp
=== Trying wazuh-smtp:25...
=== Connected to wazuh-smtp.
<-  220 mail.domain.com ESMTP Postfix
 -> EHLO wazuh.master
<-  250-mail.domain.com
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> MAIL FROM:<ids@domain.com>
<-  250 2.1.0 Ok
 -> RCPT TO:<ids@domain.com>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Sun, 10 Sep 2023 20:19:38 -0500
 -> To: ids@domain.com
 -> From: ids@domain.com
 -> Subject: test Sun, 10 Sep 2023 20:19:38 -0500
 -> Message-Id: <20230910201938.079757@wazuh.master>
 -> X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/
 ->
 -> This is a test mailing
 ->
 ->
 -> .
<-  250 2.0.0 Ok: queued as E826E6C34F4
 -> QUIT
<-  221 2.0.0 Bye

I checked on the web GUI and a level 12 alert got triggered; very odd that I'm not getting the alert.

Not sure what else I missed?

IoannisKonstatinopoulos commented 3 months ago

Facing the same issue through the Compose configuration. The following compose section was added inside the official docker-compose.yml file (single node). Inside wazuh_manager.conf, you should change the value of smtp_server to the Compose service's hostname: <smtp_server>wazuh-smtp</smtp_server>. Note that the specific image was used as recommended in #193.

    image: eeacms/postfix:3.5-1.0
    # must match <smtp_server> in wazuh_manager.conf
    hostname: wazuh-smtp
    restart: always
    environment:
      # placeholders: fill in your upstream relay's details
      - MTP_RELAY=<smtp-server-name>
      - MTP_PORT=<smtp-port>
      - MTP_USER=<smtp-username>
      - MTP_PASS=<smtp-password>
      - MTP_HOST=<smtp-user's-domain>
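Both comments above wire a Postfix relay to the manager but leave the first question open: should the alert the poster saw have produced an email at all? The following script is an added example for this thread, not Wazuh's own code or the maild implementation. It reads the `<global>`/`<alerts>` values from the posted ossec.conf (a constructed copy, closed with `</ossec_config>` so it parses), flags obvious misconfigurations, and then replays constructed alerts.json lines through the two rules that decide whether wazuh-maild would send: the alert's `rule.level` must be at least `email_alert_level`, and at most `email_maxperhour` emails go out per hour (per the Wazuh reference, alerts beyond that limit are grouped into a later email rather than dropped; that grouping is only marked as "queued" here). The rule IDs, timestamps and agent name in the sample lines are made up; the defaults of 12 for both settings when absent are the documented Wazuh defaults.

```python
"""Model of the decision wazuh-maild makes for each alert.

Added example for this issue thread, not Wazuh code. Settings come from a
constructed copy of the poster's ossec.conf; alert lines are constructed.
"""
import json
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed copy of the relevant settings from the issue, closed with
# </ossec_config> so ElementTree can parse it.
OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>wazuh-smtp</smtp_server>
    <email_from>ids@domain.com</email_from>
    <email_to>ids@domain.com</email_to>
    <email_maxperhour>12</email_maxperhour>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>"""


def load_email_settings(conf_xml):
    """Extract the email-related settings and list obvious misconfigurations."""
    root = ET.fromstring(conf_xml)
    g = root.find("global")
    alerts = root.find("alerts")
    level_txt = alerts.findtext("email_alert_level") if alerts is not None else None
    settings = {
        "enabled": (g.findtext("email_notification") or "no").strip().lower() == "yes",
        "smtp_server": (g.findtext("smtp_server") or "").strip(),
        "email_to": [e.text.strip() for e in g.findall("email_to") if e.text],
        # Wazuh defaults when the element is absent: 12 emails/hour, level 12.
        "maxperhour": int(g.findtext("email_maxperhour") or 12),
        "email_level": int(level_txt or 12),
    }
    problems = []
    if not settings["enabled"]:
        problems.append("email_notification is not 'yes'")
    if not settings["smtp_server"]:
        problems.append("smtp_server is empty")
    if not settings["email_to"]:
        problems.append("no email_to recipient")
    if not 0 <= settings["email_level"] <= 16:
        problems.append("email_alert_level outside 0-16")
    settings["problems"] = problems
    return settings


def make_alert(ts, level, rule_id, description):
    """Build a constructed alerts.json line with the fields the model reads."""
    return json.dumps({
        "timestamp": ts,
        "rule": {"level": level, "id": rule_id, "description": description},
        "agent": {"name": "web01"},  # constructed agent name
    })


# Constructed sample alerts: two at level 12, one level-5 noise line between.
SAMPLE_ALERTS = [
    make_alert("2023-09-10T20:19:38.000-0500", 12, "100001", "constructed level 12 rule"),
    make_alert("2023-09-10T20:20:01.000-0500", 5, "100002", "constructed level 5 noise"),
    make_alert("2023-09-10T20:21:10.000-0500", 12, "100001", "constructed level 12 rule"),
]


def plan_emails(settings, alert_lines):
    """Return (rule_id, level, decision) for each alert line in order."""
    sent_per_hour = defaultdict(int)
    decisions = []
    for line in alert_lines:
        alert = json.loads(line)
        level = int(alert["rule"]["level"])
        rule_id = alert["rule"]["id"]
        if settings["problems"] or not settings["enabled"]:
            decisions.append((rule_id, level, "no-email: settings invalid"))
            continue
        if level < settings["email_level"]:
            decisions.append((rule_id, level, "no-email: below email_alert_level"))
            continue
        hour = alert["timestamp"][:13]  # bucket on YYYY-MM-DDTHH
        if sent_per_hour[hour] >= settings["maxperhour"]:
            decisions.append((rule_id, level, "queued: email_maxperhour reached"))
            continue
        sent_per_hour[hour] += 1
        decisions.append((rule_id, level, "email"))
    return decisions


if __name__ == "__main__":
    cfg = load_email_settings(OSSEC_CONF)
    print("problems:", cfg["problems"] or "none")
    for rule_id, level, decision in plan_emails(cfg, SAMPLE_ALERTS):
        print(f"rule {rule_id} level {level}: {decision}")
```

With the poster's values the two level-12 lines come out as "email", so the configuration itself is not what stops the message; the remaining suspects are between wazuh-maild and the relay (whether `wazuh-smtp` resolves and port 25 is reachable from the container that runs maild, and what `grep maild /var/ossec/logs/ossec.log` reports there). Point `load_email_settings` at the real `/var/ossec/etc/ossec.conf` from inside the manager container to check a live deployment instead of the embedded copy.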