ossec.conf <email_to> is not correctly populated.

[pavlinpetkov]

$ossec_emailto parameter of class wazuh::manager requires a list. However the values of the list are not correctly populated by the wazuh_manager.conf.erb template.
Instead of creating an <email_to> entry with each element of the list it creates one <email_to> entry with the full list.

[manuasir]

Hello @pavlinpetkov ,

Thanks for reporting this. We will fix it as soon as possible and will let you know when the patch is merged. Please, stay tuned to this ticket.

Cheers

[pavlinpetkov]

@manuasir , here's my patch if it helps. I was not able to submit a pull request.

--- templates/wazuh_manager.conf.erb	(revision 11dd4e9111200cad8f545ee7cf40f0b5ef8307f7)
+++ templates/wazuh_manager.conf.erb	(revision e9a00743f0f56c381e36cb77f634cbf59db892d6)
@@ -6,7 +6,7 @@
   <%- if @ossec_emailnotification -%>
     <email_notification>yes</email_notification>
     <%- @ossec_emailto.each do |emailto| -%>
-    <email_to><%= @ossec_emailto %></email_to>
+    <email_to><%= emailto %></email_to>
     <%- end -%>
     <smtp_server><%= @ossec_smtp_server %></smtp_server>
     <email_from><%= @ossec_emailfrom %></email_from>

[rshad]

Hi @pavlinpetkov

Hope you're doing well!

We have added the corresponding changes and ran some tests to detect the correct functionality.

Good News! all the tests got passed successfully.

Applied Changes and Required Steps

If we look over /var/ossec/etc/ossec.conf, our example looks like:

 <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <email_to>****@wazuh.com</email_to>
    <email_to>****@gmail.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossecm@example.wazuh.com</email_from>
    <email_maxperhour>12</email_maxperhour>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>10.0.0.2</white_list>
  </global>

Note that we have to assign the value true to the variable ossec_emailnotification which takes by default the value false as follows:

wazuh-puppet/manifests/params_manager.pp

Line 15 in bd5e793

$ossec_emailnotification = false

Note that this list of emails was generated by filling up the variable $ossec_emailto

wazuh-puppet/manifests/params_manager.pp

Line 16 in 236dea5

$ossec_emailto = []

Also by adding the changes you proposed in the template file wazuh_manager.conf.erb:

wazuh-puppet/templates/wazuh_manager.conf.erb

Lines 6 to 10 in 236dea5

	<%- if @ossec_emailnotification -%>
	<email_notification>yes</email_notification>
	<%- @ossec_emailto.each do |emailto| -%>
	<email_to><%= emailto %></email_to>
	<%- end -%>

You can also specify the value for the variable ossec_email_maxperhour, which is set to 12 by default:

wazuh-puppet/manifests/params_manager.pp

Line 19 in bd5e793

$ossec_email_maxperhour = 12

Faced Issue, How to resolve & Success Testing

Maybe your network only support IPv4 and not IPv6, so in case of not specifying the value of the variable inet_protocols to ipv6 in the config. file /etc/postfix/main.cf, postfix will take ipv6 by default and then you'd get a message error similar to the one below:

/var/log/maillog

Error Message

Aug 20 10:03:09 localhost postfix/smtp[8054]: connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c07::1a]:25:
Network is unreachable

Error Complete Log

Aug 20 09:13:09 localhost postfix/postfix-script[2772]: starting the Postfix mail system
Aug 20 09:13:09 localhost postfix/master[2774]: daemon started -- version 2.10.1, configuration /etc/postfix
Aug 20 10:03:09 localhost postfix/smtpd[8050]: connect from centos-1[127.0.0.1]
Aug 20 10:03:09 localhost postfix/smtpd[8050]: 7E61F4B612A: client=centos-1[127.0.0.1]
Aug 20 10:03:09 localhost postfix/cleanup[8053]: 7E61F4B612A: message-id=<20190820100309.7E61F4B612A@centos-1.localdomain>
Aug 20 10:03:09 localhost postfix/smtpd[8050]: disconnect from centos-1[127.0.0.1]
Aug 20 10:03:09 localhost postfix/qmgr[2776]: 7E61F4B612A: from=<ossecm@example.wazuh.com>, size=662, nrcpt=2 (queue active)
Aug 20 10:03:09 localhost postfix/smtp[8054]: connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c07::1a]:25:
Network is unreachable
Aug 20 10:03:10 localhost postfix/smtp[8054]: 7E61F4B612A: to=<*****@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.133.26]:25, delay=0.83, delays=0.09/0.03/0.36/0.35, dsn=2.0.0, status=sent (250 2.0.0 OK  1566295474 s1si10897146wrn.59 - gsmtp)
Aug 20 10:03:10 localhost postfix/smtp[8055]: 7E61F4B612A: to=<****@wazuh.com>, relay=aspmx.l.google.com[74.125.133.26]:25, delay=0.89, delays=0.09/0.05/0.34/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK  1566295474 n16si13562055wrv.171 - gsmtp)
Aug 20 10:03:10 localhost postfix/qmgr[2776]: 7E61F4B612A: removed

Once I changed inet_protocols = all to inet_protocols = ipv4, the email notification started working successfully after restarting wazuh-manager service:

Success Log:

Aug 20 10:19:02 localhost postfix/smtpd[9341]: connect from centos-1[127.0.0.1]
Aug 20 10:19:02 localhost postfix/smtpd[9341]: A74474B612A: client=centos-1[127.0.0.1]
Aug 20 10:19:02 localhost postfix/cleanup[9344]: A74474B612A: message-id=<20190820101902.A74474B612A@centos-1.localdomain>
Aug 20 10:19:02 localhost postfix/smtpd[9341]: disconnect from centos-1[127.0.0.1]
Aug 20 10:19:02 localhost postfix/qmgr[2776]: A74474B612A: from=<ossecm@example.wazuh.com>, size=662, nrcpt=2 (queue active)
Aug 20 10:19:03 localhost postfix/smtp[9345]: A74474B612A: to=<****@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.76.26]:25, delay=0.58, delays=0.07/0.03/0.23/0.25, dsn=2.0.0, status=sent (250 2.0.0 OK  1566296367 x7si12814350wrt.362 - gsmtp)
Aug 20 10:19:03 localhost postfix/smtp[9346]: A74474B612A: to=<****@wazuh.com>, relay=aspmx.l.google.com[74.125.140.26]:25, delay=0.63, delays=0.07/0.04/0.27/0.25, dsn=2.0.0, status=sent (250 2.0.0 OK  1566296368 j10si13364293wrn.373 - gsmtp)
Aug 20 10:19:03 localhost postfix/qmgr[2776]: A74474B612A: removed

Screenshot of a received notification:

Kind regards,

Rshad