email alerts in wazuh

Setting up Wazuh Email Alerts

To configure email alerts on a Wazuh server, you will need to edit the ‘ossec.conf’ configuration file and have the details of your SMTP relay or mail server ready.

Below is a general outline of how to configure your Wazuh server for email alerts.

SMTP Server Configuration:

  • First, you will need the SMTP server details of your email provider. For example, if you’re using Gmail, the SMTP server is ‘smtp.gmail.com’ and the port is ‘587’ for TLS.
  • Depending on your provider, you may also need an app password or to allow less secure apps.

Edit your ossec.conf file:

  • Open the main configuration file in a text editor like nano:
sudo nano /var/ossec/etc/ossec.conf
  • Locate the ‘<global>’ section and configure the following settings:
<email_notification>yes</email_notification>
<smtp_server>YOUR_SMTP_SERVER_HERE</smtp_server>
<email_from>YOUR_EMAIL_ADDRESS_HERE</email_from>
<email_maxperhour>NUMBER_OF_ALERTS_PER_HOUR</email_maxperhour>
  • In the same ‘ossec.conf’ file, set the desired email alert level and the recipients. Locate or add the ‘<email_alert_level>’ and ‘<email_to>’ tags:
<email_alert_level>LEVEL</email_alert_level>
<email_to>RECIPIENT_EMAIL_ADDRESS_HERE</email_to>

Optional step (Email Authentication):

  • Some SMTP servers require authentication. If yours does, add the following lines in the same ‘<global>’ section:
<smtp_auth>yes</smtp_auth>
<smtp_username>YOUR_EMAIL_USERNAME</smtp_username>
<smtp_password>YOUR_EMAIL_PASSWORD</smtp_password>

Restart Wazuh:

  • Once you have made the changes, you will need to restart the Wazuh manager for them to take effect:
sudo service wazuh-manager restart

Testing:

  • To test the email configuration, you can generate an alert or wait for a real one. Any alert at or above the level you set in ‘ossec.conf’ should produce an email notification.

Securing your email password:

  • Storing your email password in plain text in the configuration file isn’t secure. Depending on your email service provider, consider using API keys or OAuth tokens if they are offered. You could also use a local relay that handles the email authentication for you, so no credentials sit in ‘ossec.conf’ at all.
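To check the settings from the ‘Edit your ossec.conf file’ steps and catch the plaintext-password problem just described, here is a small added checker (example code written for this article, not part of Wazuh). It assumes a single well-formed ‘<ossec_config>’ block and uses a constructed sample; the ALL_CAPS placeholder test is a heuristic.

```python
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment (one <ossec_config> block) using the
# settings the article walks through, plus a plaintext password to be flagged.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>wazuh@example.com</email_from>
    <email_to>soc@example.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <smtp_password>hunter2</smtp_password>
  </global>
  <alerts>
    <email_alert_level>10</email_alert_level>
  </alerts>
</ossec_config>"""

REQUIRED = ("smtp_server", "email_from", "email_to", "email_maxperhour")

def _text(section, tag):
    # Stripped text of a child tag, or '' when the section or tag is absent.
    return (section.findtext(tag) or "").strip() if section is not None else ""

def check_email_config(xml_text):
    """Return a list of findings; an empty list means the email settings look usable."""
    root = ET.fromstring(xml_text)
    glob = root.find("global")
    if glob is None:
        return ["no <global> section found"]
    findings = []
    if _text(glob, "email_notification").lower() != "yes":
        findings.append("<email_notification> is not 'yes'; the manager sends no mail")
    for tag in REQUIRED:
        value = _text(glob, tag)
        if not value:
            findings.append(f"<{tag}> is missing or empty")
        elif value.isupper():  # heuristic: an ALL_CAPS_HERE placeholder was left in
            findings.append(f"<{tag}> still holds the placeholder '{value}'")
    maxperhour = _text(glob, "email_maxperhour")
    if maxperhour and not (maxperhour.isdigit() and int(maxperhour) > 0):
        findings.append("<email_maxperhour> must be a positive whole number")
    if not _text(root.find("alerts"), "email_alert_level"):
        findings.append("<alerts><email_alert_level> not set; the manager default applies")
    # A plaintext password in ossec.conf is what the article warns about: let a
    # local relay hold the SMTP login instead.
    if glob.find("smtp_password") is not None:
        findings.append("plaintext <smtp_password> in ossec.conf; move authentication to a local relay")
    return findings
```

Run it against your own file with `check_email_config(open("/var/ossec/etc/ossec.conf").read())` after confirming the file holds a single ‘<ossec_config>’ block.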

Adjusting Rules:

  • You can adjust the rules or create custom ones to refine which events trigger email alerts. This helps reduce noise and focus on more significant or concerning activity.

Also, if you are using Gmail or another personal account, make sure you’re not violating its terms of service; sending too many emails or automating them might get you suspended. I hope this helps. Wazuh is a great SIEM and I will have more articles the more I learn.