Wazuh

Setting up Wazuh Email Alerts

If you want to configure email alerts on a Wazuh server, you will need to edit the ‘ossec.conf’ configuration file on the manager and have a mail relay ready that the manager can hand alerts to.

Below is a general outline to help you configure your Wazuh server for email alerts.

SMTP Server Configuration:

  • First, gather the SMTP details from your email provider. For example, Gmail's server is ‘smtp.gmail.com’ on port ‘587’ with STARTTLS. Note that the Wazuh manager's mail daemon cannot use those settings directly: it only speaks plain SMTP on port 25, without TLS or authentication, so for a hosted provider these details go into a local relay (for example Postfix on the manager) and Wazuh is pointed at the relay.
  • Depending on your provider, you will usually also need an App password (Gmail requires one when 2-step verification is on; its ‘less secure apps’ option has been retired), or a dedicated SMTP credential or API key.

Edit your ossec.conf file:

  • Open the main configuration file in a text editor like nano:
sudo nano /var/ossec/etc/ossec.conf
  • Locate the ‘<global>’ section and configure the following settings. ‘<smtp_server>’ is a hostname or IP address that the manager connects to on port 25; ‘<email_to>’ also belongs in this section:
<email_notification>yes</email_notification>
<smtp_server>YOUR_SMTP_SERVER_HERE</smtp_server>
<email_from>YOUR_EMAIL_ADDRESS_HERE</email_from>
<email_to>RECIPIENT_EMAIL_ADDRESS_HERE</email_to>
<email_maxperhour>NUMBER_OF_ALERTS_PER_HOUR</email_maxperhour>
  • The level at which an alert triggers an email is set in the separate ‘<alerts>’ section of the same ‘ossec.conf’ file (next to ‘<log_alert_level>’), not in ‘<global>’. Locate or add the ‘<email_alert_level>’ tag there; levels run from 0 to 16 and Wazuh's default is 12:
<email_alert_level>LEVEL</email_alert_level>

Email Authentication (depends on your provider):

  • The Wazuh mail daemon does not support SMTP authentication or STARTTLS, and ‘ossec.conf’ has no username or password option for it. If your provider requires authentication, which Gmail, Microsoft 365 and most hosted providers do, install a local MTA such as Postfix on the manager, configure it as an authenticated TLS relay to the provider (Postfix's ‘relayhost’ plus ‘smtp_sasl_password_maps’), and set ‘<smtp_server>’ to ‘127.0.0.1’ so the manager hands alerts to the relay over localhost.

Restart Wazuh:

  • Once you have made the changes, you will need to restart the Wazuh manager for the changes to take effect:
sudo systemctl restart wazuh-manager
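Putting the steps above together, here is an added example of the relevant pieces of ‘ossec.conf’ (this is not the post's original configuration or Wazuh's shipped default). It assumes a Postfix relay on the manager at 127.0.0.1 that authenticates to the provider, and the addresses are placeholders. It also shows a granular ‘<email_alerts>’ block, which Wazuh supports for routing a subset of alerts to a second mailbox:

```xml
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!-- Local Postfix relay on the manager (assumed setup). It holds the
         provider credentials and TLS settings, because the Wazuh mail
         daemon itself only speaks plain SMTP on port 25. -->
    <smtp_server>127.0.0.1</smtp_server>
    <!-- Placeholder addresses -->
    <email_from>wazuh-manager@example.com</email_from>
    <email_to>soc@example.com</email_to>
    <!-- Upper bound on mails per hour -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <!-- Everything at level 3 and above is logged; only level 12 and above is mailed -->
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Granular routing: level 12+ file-integrity (syscheck) alerts also go
       to a second mailbox, sent immediately instead of being batched -->
  <email_alerts>
    <email_to>fim-team@example.com</email_to>
    <level>12</level>
    <group>syscheck</group>
    <do_not_delay />
    <format>full</format>
  </email_alerts>
</ossec_config>
```

After editing, restart the manager and confirm it came up cleanly with ‘systemctl status wazuh-manager’; a malformed ‘ossec.conf’ keeps the manager from starting at all, which is easy to mistake for a mail problem.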

Testing:

  • To test the email configuration, generate an alert at or above the level you set, or wait for a real one. A few failed SSH logins against the manager or an agent are an easy way to produce authentication-failure alerts. Confirm the alert itself appeared in ‘/var/ossec/logs/alerts/alerts.log’, then check ‘/var/ossec/logs/ossec.log’ for errors from the mail daemon (connection refused, relay rejection) if no mail arrives. Keep in mind that the mail daemon batches alerts that arrive close together into one message and that ‘<email_maxperhour>’ caps delivery, so an email may lag the alert by a minute or two.

Securing your email password:

  • Keep provider credentials out of ‘ossec.conf’ entirely: it is a file that tends to get copied into backups, version control and troubleshooting threads. Put them in the relay instead. With Postfix that means ‘/etc/postfix/sasl_passwd’, owned by root with mode 0600, compiled with ‘postmap hash:/etc/postfix/sasl_passwd’ so only the root-owned ‘.db’ is read at run time. Use a dedicated sending account with an App password or a provider API key rather than a personal mailbox password, so the credential can be revoked without affecting anything else, and prefer OAuth-style tokens where your relay and provider support them.

Adjusting Rules:

  • You can adjust the rules, or create custom ones in ‘/var/ossec/etc/rules/local_rules.xml’, to refine which events trigger email alerts; this reduces noise and keeps the mailbox focused on significant or concerning activity. Two levers exist besides ‘<email_alert_level>’: a rule can carry ‘<options>alert_by_email</options>’ so it is mailed even below the global level, and a granular ‘<email_alerts>’ block in ‘ossec.conf’ can route alerts by rule id, group or level to specific recipients. Before picking a level, look at how many alerts per hour the manager actually produces at each level; an ‘<email_alert_level>’ that fires more often than ‘<email_maxperhour>’ allows just means alerts get batched and delayed.
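To make that choice with data rather than guesswork, here is an added example (not from the original post, and not a Wazuh tool) that reads the manager's ‘alerts.json’, where Wazuh writes one JSON object per alert, and reports per-hour alert volume at each candidate level, the smallest level that stays under a given ‘<email_maxperhour>’, and the rules that fire most often below the threshold. The sample alerts embedded below are constructed for the example (the rule ids and descriptions are illustrative); on a manager you would pass the lines of ‘/var/ossec/logs/alerts/alerts.json’ instead.

```python
"""Size email_alert_level / email_maxperhour from Wazuh's alerts.json.

Added example, not part of the original post or of Wazuh. The sample lines
below are constructed to look like alerts.json records; rule ids and
descriptions are illustrative placeholders.
"""
import json
from collections import Counter, defaultdict

# Constructed sample of alerts.json lines spanning two hours. The last two
# lines mimic a blank line and a half-written record at the tail of a live file.
SAMPLE_ALERTS_JSON = "\n".join([
    '{"timestamp":"2024-03-21T10:02:11.045+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened"},"agent":{"name":"web-01"}}',
    '{"timestamp":"2024-03-21T10:05:40.112+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed"},"agent":{"name":"web-01"}}',
    '{"timestamp":"2024-03-21T10:09:03.770+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened"},"agent":{"name":"db-01"}}',
    '{"timestamp":"2024-03-21T10:21:17.301+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed"},"agent":{"name":"db-01"}}',
    '{"timestamp":"2024-03-21T10:30:55.002+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed"},"agent":{"name":"web-01"}}',
    '{"timestamp":"2024-03-21T10:41:12.664+0000","rule":{"level":3,"id":"5402","description":"Successful sudo to ROOT executed"},"agent":{"name":"db-01"}}',
    '{"timestamp":"2024-03-21T10:52:48.910+0000","rule":{"level":10,"id":"5720","description":"sshd: Multiple authentication failures"},"agent":{"name":"web-01"}}',
    '{"timestamp":"2024-03-21T11:03:29.118+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened"},"agent":{"name":"web-01"}}',
    '{"timestamp":"2024-03-21T11:14:07.551+0000","rule":{"level":5,"id":"5716","description":"sshd: authentication failed"},"agent":{"name":"web-02"}}',
    '{"timestamp":"2024-03-21T11:26:33.207+0000","rule":{"level":5,"id":"554","description":"File added to the system"},"agent":{"name":"web-02"}}',
    '{"timestamp":"2024-03-21T11:38:50.489+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed"},"agent":{"name":"db-01"}}',
    '{"timestamp":"2024-03-21T11:57:02.933+0000","rule":{"level":12,"id":"100100","description":"Custom: user added to wheel group"},"agent":{"name":"db-01"}}',
    "",
    '{"timestamp":"2024-03-21T12:00:14.001+0000","rule":{"level":3,"id":"55',
])


def iter_alerts(lines):
    """Yield parsed alert dicts, skipping blank lines and the partially
    written last record you get when reading alerts.json while it is live."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def load_sample():
    return list(iter_alerts(SAMPLE_ALERTS_JSON.splitlines()))


def count_by_level(alerts):
    """How many alerts fired at each rule level."""
    return dict(Counter(a["rule"]["level"] for a in alerts))


def alerts_per_hour(alerts, threshold):
    """Alerts at or above `threshold`, bucketed by hour (YYYY-MM-DDTHH).
    Upper bound on mails: the mail daemon also batches nearby alerts."""
    buckets = defaultdict(int)
    for a in alerts:
        if a["rule"]["level"] >= threshold:
            buckets[a["timestamp"][:13]] += 1
    return dict(buckets)


def recommend_threshold(alerts, maxperhour):
    """Smallest email_alert_level whose busiest hour stays within maxperhour,
    or None if even level 16 exceeds it."""
    alerts = list(alerts)
    for level in range(1, 17):
        peak = max(alerts_per_hour(alerts, level).values(), default=0)
        if peak <= maxperhour:
            return level
    return None


def noisiest_rules(alerts, below_level, n=3):
    """Rules firing most often below the email threshold: candidates for a
    rule override, or for alert_by_email if one of them really matters."""
    counts = Counter(
        (a["rule"]["id"], a["rule"]["description"])
        for a in alerts if a["rule"]["level"] < below_level
    )
    return counts.most_common(n)


if __name__ == "__main__":
    alerts = load_sample()
    print("alerts by level:", dict(sorted(count_by_level(alerts).items())))
    for lvl in (5, 7, 10, 12):
        print(f"per hour at level >= {lvl}:", alerts_per_hour(alerts, lvl))
    print("lowest level within email_maxperhour=3:", recommend_threshold(alerts, 3))
    print("noisiest rules below level 7:", noisiest_rules(alerts, 7))
```

The hour bucket is taken from the timestamp string rather than parsed, which keeps the script independent of the ‘+0000’ offset format and Python version. Run it against the real file with something like ‘alerts = list(iter_alerts(open("/var/ossec/logs/alerts/alerts.json")))’ over a representative day or week before settling on a level; a threshold picked from a quiet afternoon will flood the mailbox during the next scan or brute-force attempt.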

Also, if you are using Gmail or another personal account, make sure you are not violating its terms of service; sending too many emails or automating from it may get the account suspended. I hope this helps, Wazuh is a great SIEM and I will have more articles the more I learn.

Where is Wazuh Data Stored?

The data for Wazuh, an open-source security monitoring platform, lives almost entirely under /var/ossec on a Linux manager or agent, in a handful of subdirectories depending on the component. Here are the common locations:

Log Files:

Wazuh does not write to /var/log by default. The manager's own log is /var/ossec/logs/ossec.log (daemon start-up, errors, and mail delivery failures). Alerts are written to /var/ossec/logs/alerts/alerts.log and, as one JSON object per line, to /var/ossec/logs/alerts/alerts.json; the JSON file is what Filebeat ships to the Wazuh indexer. If you enable <logall> or <logall_json>, every received event is also kept under /var/ossec/logs/archives/. Rotated files are moved by date into year/month subdirectories under these paths.

Configuration Files:

Wazuh configuration files live in /var/ossec/etc. Important files include ossec.conf, which contains the main configuration settings; client.keys, the agent registration keys, which are sensitive and should stay root-readable only; and the rules and decoders subdirectories, where local_rules.xml and local_decoder.xml hold your custom rules and decoders. The stock ruleset is under /var/ossec/ruleset/rules and /var/ossec/ruleset/decoders and is overwritten on upgrade, which is why custom rules belong in the local files. Configuration pushed to agents is kept per group under /var/ossec/etc/shared/.

Databases:

The manager keeps agent inventory and state in SQLite databases managed by its wazuh-db service under /var/ossec/queue/db/: global.db holds the list of registered agents and their status, and one NNN.db per agent id holds that agent's file integrity, system inventory and policy-monitoring results. Alerts are not stored in these databases; they go to alerts.json and from there to the Wazuh indexer. The SQLite backend is not configurable.

Agent Data:

If you have Wazuh agents deployed on your network, a Linux agent keeps its local data under /var/ossec as well: /var/ossec/queue holds buffered events waiting to be forwarded to the manager, the file integrity database under queue/fim/db, and inventory data, while /var/ossec/logs/ossec.log is the agent's own log. On the manager, /var/ossec/queue holds the inbound event queues and the per-agent databases mentioned above. Windows agents keep all of this under C:\Program Files (x86)\ossec-agent.

Please remember that these are only typical defaults, they may differ if you have customized your Wazuh installation. Thanks again!