Email alerts are not sent when using full or default format #23350

Open
davidcr01 opened this issue May 8, 2024 · 1 comment
Labels
level/task type/bug Something isn't working

Comments

@davidcr01
Contributor

Description

This issue is created from: #22901

The user and I have detected that the email alerts are not received when using the full or default format in the <email_alerts> block configuration of the Wazuh manager.

I noticed that two types of notifications are sent:

  • "Wazuh notification".
  • "Wazuh <alert_level>" - <RULE_ID>.

I suppose the first ones are alerts generated from the email configuration of the global configuration, and the second ones are alerts generated from the email_alerts configuration.

The configuration used is the following:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>me@wazuh.com</email_from>
    <email_to>me@wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <email_alerts>
    <email_to>me@wazuh.com</email_to>
    <level>3</level>
    <format>default</format>
    <do_not_delay />
  </email_alerts>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>3</email_alert_level>
  </alerts>
...

The emails of the green block were received using the full or default format. As you can see, Gmail notifies that it could not send the emails. The emails of the red block are emails using the sms format. This behavior is exactly the same as the community user reports.

Steps to reproduce

On an Ubuntu 22.04 system:

  1. Install Wazuh v4.7.3.
  2. Configure the SMTP server: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/smtp-authentication.html
  3. Configure the email alerts: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html
  4. Configure the email alerts using the sms format. Check that you receive the emails correctly.
  5. Configure the email alerts using the full or default format. Check that you get Gmail warnings notifying that some emails could not be sent.

Conclusion

It is necessary to investigate why this is happening and fix it if it is a problem.

@Kobrik1

Kobrik1 commented May 22, 2024

Hello,
Not functional even with reproduction steps 1 and 5 only. Not functional even with unencrypted SMTP on port 25. SMS format does not need to be configured.


Email notifications generated by global settings or in rules <options>alert_by_email</options> work.
Using <email_alerts> does not.
Eliminating this problem would make the job much easier.
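
An added example, not part of the issue thread or Wazuh's own code: a Python check that lists every <email_alerts> block in an ossec.conf and flags the ones using the full or default format that the issue reports as undelivered. The sample configuration is constructed, and treating a block with no <format> as full is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: mirrors the configuration quoted in the issue, plus an sms block.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>me@wazuh.com</email_to>
  </global>
  <email_alerts>
    <email_to>me@wazuh.com</email_to>
    <level>3</level>
    <format>default</format>
    <do_not_delay />
  </email_alerts>
  <email_alerts>
    <email_to>oncall@example.com</email_to>
    <level>10</level>
    <format>sms</format>
  </email_alerts>
</ossec_config>
"""

AFFECTED_FORMATS = {"full", "default"}  # formats the issue reports as not delivered

def audit_email_alerts(conf_text):
    """Return one dict per <email_alerts> block, flagging the formats named in the issue."""
    # ossec.conf may hold several <ossec_config> roots, so wrap it in a dummy root.
    body = re.sub(r"<\?xml[^>]*\?>", "", conf_text)
    root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    findings = []
    for block in root.iter("email_alerts"):
        # Assumption: a block with no <format> element is treated as the full format.
        fmt = (block.findtext("format") or "full").strip().lower()
        findings.append({
            "email_to": [e.text.strip() for e in block.findall("email_to") if e.text],
            "level": (block.findtext("level") or "").strip(),
            "format": fmt,
            "affected": fmt in AFFECTED_FORMATS,
        })
    return findings

if __name__ == "__main__":
    # On a manager, read /var/ossec/etc/ossec.conf instead of SAMPLE_CONF.
    for f in audit_email_alerts(SAMPLE_CONF):
        status = "AFFECTED" if f["affected"] else "ok"
        print(f"{status:8} format={f['format']:7} level={f['level']:2} to={','.join(f['email_to'])}")
```

Recipients that appear only in flagged blocks have no working email path under the behaviour reported here, so they are the ones to cover with the global settings or a rule-level alert_by_email until the bug is resolved.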
