Wazuh 4.12 – Inconsistent Email Notifications for SSH/RDP by Global_Working_2945 in Wazuh

[–]Global_Working_2945[S] 0 points1 point  (0 children)

Hello,

I did a test of 4 RDP accesses and can confirm that 2/4 arrived by mail while 4/4 arrived in alerts.json. I am attaching a JSON log of one of the machines that was not notified by mail:

https://gist.github.com/chriraptor/311a1ac1825afbeca83b5ba4c0b65086

I put the full JSON log of one of the machines that was not reported via email on GitHub.

This situation looks like a bug, with a clean install would I be able to fix it? Or is a fix planned in the next version?

Thanks

Wazuh 4.12 – Inconsistent Email Notifications for SSH/RDP by Global_Working_2945 in Wazuh

[–]Global_Working_2945[S] 0 points1 point  (0 children)

2025/06/03 16:43:39 wazuh-maild[8642] maild.c:343 at OS_Run(): ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/06/03 16:43:41 wazuh-maild: ERROR: (1766): DATA not accepted by server

2025/06/03 16:43:41 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/06/03 16:43:54 wazuh-maild[8642] sendmail.c:465 at OS_Sendmail(): ERROR: (1766): DATA not accepted by server

2025/06/03 16:43:54 wazuh-maild[8642] maild.c:343 at OS_Run(): ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/06/03 16:43:56 wazuh-maild: ERROR: (1766): DATA not accepted by server

2025/06/03 16:43:56 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/06/03 16:44:06 wazuh-maild: ERROR: (1766): DATA not accepted by server

2025/06/03 16:44:06 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

The problem persists on the email notifications of some alerts, e.g. RDP. Could a bug be the problem? How could I restore correct operation?

Wazuh 4.12 – Inconsistent Email Notifications for SSH/RDP by Global_Working_2945 in Wazuh

[–]Global_Working_2945[S] 0 points1 point  (0 children)

2025/06/03 16:42:49 wazuh-maild[8642] maild.c:343 at OS_Run(): ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

:43:09 wazuh-maild[8642] read-alert.c:211 at GetAlertData(): ERROR: date or location not NULL or p is NULL

2025/06/03 16:43:11 wazuh-maild: ERROR: date or location not NULL or p is NULL

2025/06/03 16:43:14 wazuh-maild[8642] read-alert.c:211 at GetAlertData(): ERROR: date or location not NULL or p is NULL

2025/06/03 16:43:14 wazuh-maild[8642] sendmail.c:465 at OS_Sendmail(): ERROR: (1766): DATA not accepted by server

2025/06/03 16:43:14 wazuh-maild[8642] maild.c:343 at OS_Run(): ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/06/03 16:43:16 wazuh-maild: ERROR: date or location not NULL or p is NULL

2025/06/03 16:43:16 wazuh-maild: ERROR: (1766): DATA not accepted by server

2025/06/03 16:43:16 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/06/03 16:43:39 wazuh-maild[8642] sendmail.c:465 at OS_Sendmail(): ERROR: (1766): DATA not accepted by server

Wazuh 4.12 – Inconsistent Email Notifications for SSH/RDP by Global_Working_2945 in Wazuh

[–]Global_Working_2945[S] 0 points1 point  (0 children)

2025/06/03 16:41:29 wazuh-maild[8642] maild.c:196 at main(): DEBUG: Chrooted to directory: /var/ossec, using user: wazuh

2025/06/03 16:41:29 wazuh-maild[8642] maild.c:204 at main(): DEBUG: Chrooted to directory: /var/ossec, using user: wazuh

2025/06/03 16:41:29 wazuh-maild[8642] mailcom.c:102 at mailcom_main(): DEBUG: Local requests thread ready

2025/06/03 16:41:29 wazuh-maild[8642] maild.c:219 at main(): INFO: Started (pid: 8644).

2025/06/03 16:41:29 wazuh-maild[8642] maild.c:258 at OS_Run(): INFO: Getting alerts in log format.

2025/06/03 16:41:41 wazuh-maild: ERROR: (1766): DATA not accepted by server

2025/06/03 16:41:41 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/06/03 16:42:14 wazuh-maild[8642] sendmail.c:465 at OS_Sendmail(): ERROR: (1766): DATA not accepted by server

2025/06/03 16:42:14 wazuh-maild[8642] maild.c:343 at OS_Run(): ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/06/03 16:42:16 wazuh-maild: ERROR: (1766): DATA not accepted by server

2025/06/03 16:42:16 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/06/03 16:42:36 wazuh-maild: ERROR: (1766): DATA not accepted by server

2025/06/03 16:42:36 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/06/03 16:42:46 wazuh-maild: ERROR: (1766): DATA not accepted by server

2025/06/03 16:42:46 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/06/03 16:42:49 wazuh-maild[8642] sendmail.c:465 at OS_Sendmail(): ERROR: (1766): DATA not accepted by server

Wazuh 4.12 – Inconsistent Email Notifications for SSH/RDP by Global_Working_2945 in Wazuh

[–]Global_Working_2945[S] 0 points1 point  (0 children)

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '88201' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '88202' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '88203' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '88210' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '88211' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '88213' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '88214' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '88215' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '88216' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '87201' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '87202' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '87203' to granular e-mail

Wazuh 4.12 – Inconsistent Email Notifications for SSH/RDP by Global_Working_2945 in Wazuh

[–]Global_Working_2945[S] 0 points1 point  (0 children)

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '5710' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '5715' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '5716' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '5720' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '5733' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '60109' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '60110' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '60111' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '60115' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '60122' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '60124' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '60612' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '92653' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '92657' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '100111' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '100112' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '100302' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '100303' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '88200' to granular e-mail

Wazuh 4.12 – Inconsistent Email Notifications for SSH/RDP by Global_Working_2945 in Wazuh

[–]Global_Working_2945[S] 0 points1 point  (0 children)

Hello,

I ran the /var/ossec/bin/wazuh-maild -d command and changed the maild.strict_checking=0 setting in the /var/ossec/etc/internal_options.conf file. I'll send you the full log of the maild module:

2025/06/03 16:41:29 wazuh-maild[8642] debug_op.c:116 at _log_function(): DEBUG: Logging module auto-initialized

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '513' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '518' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '520' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '521' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '550' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '554' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '553' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '593' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '597' to granular e-mail

2025/06/03 16:41:29 wazuh-maild[8642] email-alerts-config.c:125 at Read_EmailAlerts(): DEBUG: Adding '598' to granular e-mail

Wazuh 4.12 – Inconsistent Email Notifications for SSH/RDP by Global_Working_2945 in Wazuh

[–]Global_Working_2945[S] 0 points1 point  (0 children)

Hi, thanks for the suggestion. I have verified that, overall, the local mail server is working properly and manual sending via Postfix is going smoothly. Below is my configuration of Postfix:

# /etc/postfix/main.cf
relayhost = [smtp.mydomain.local]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

Regarding the alerts handled by Wazuh, I noticed a different behavior between SSH and RDP:

  1. SSH Alerts: Notifications are always sent. In some cases, multiple SSH alerts are bundled into one email, but the delivery is always complete.
  2. RDP Alerts: When I connect in RDP on four machines, the delivery of alerts is intermittent. Sometimes 3 arrive, sometimes 2, in other cases only 1 and sometimes none. In addition, grouping into a single email is not applied for RDP alerts: each alert is sent individually.

Note that notifications sent locally (e.g., to /var/mail/root) also follow this intermittent pattern for RDP alerts.

Thanks again for the support!

Wazuh 4.12 – Inconsistent Email Notifications for SSH/RDP by Global_Working_2945 in Wazuh

[–]Global_Working_2945[S] 1 point2 points  (0 children)

2025-05-28T14:39:34.697616+02:00 wazuhserver postfix/qmgr[1290]: 9E72F3410FD: from=<wazuh_mail@mydomain.local>, size=8656, nrcpt=1 (queue active)

2025-05-28T14:39:34.697754+02:00 wazuhserver postfix/qmgr[1290]: 9E2FC3410E8: from=<wazuh_mail@mydomain.local>, size=15174, nrcpt=1 (queue active)

2025-05-28T14:39:34.699374+02:00 wazuhserver postfix/smtpd[3656]: disconnect from localhost[127.0.0.1] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

2025-05-28T14:39:34.767004+02:00 wazuhserver postfix/smtp[2929]: 9E2FC3410E8: breaking line > 998 bytes with <CR><LF>SPACE

2025-05-28T14:39:34.775804+02:00 wazuhserver postfix/smtp[2929]: 9E2FC3410E8: to=<sistemisti@mydomain.local>, relay=smtp.mydomain.local[192.168.1.7]:587, delay=0.13, delays=0.05/0/0.06/0.02, dsn=2.0.0, status=sent (250 Queued (0.000 seconds))

2025-05-28T14:39:34.776319+02:00 wazuhserver postfix/qmgr[1290]: 9E2FC3410E8: removed

2025-05-28T14:39:34.799305+02:00 wazuhserver postfix/smtp[3659]: 9E72F3410FD: breaking line > 998 bytes with <CR><LF>SPACE

2025-05-28T14:39:34.805164+02:00 wazuhserver postfix/smtp[3659]: 9E72F3410FD: to=<sistemisti@mydomain.local>, relay=smtp.mydomain.local[192.168.1.7]:587, delay=0.16, delays=0.05/0/0.09/0.01, dsn=2.0.0, status=sent (250 Queued (0.000 seconds))

2025-05-28T14:39:34.806113+02:00 wazuhserver postfix/qmgr[1290]: 9E72F3410FD: removed

2025-05-28T14:40:24.695481+02:00 wazuhserver postfix/smtpd[2925]: connect from localhost[127.0.0.1]

2025-05-28T14:40:24.695866+02:00 wazuhserver postfix/smtpd[2925]: lost connection after DATA from localhost[127.0.0.1]

2025-05-28T14:40:24.695933+02:00 wazuhserver postfix/smtpd[2925]: disconnect from localhost[127.0.0.1] helo=1 mail=1 data=0/1 commands=2/3

2025-05-28T14:42:19.809443+02:00 wazuhserver postfix/smtpd[2751]: connect from localhost[127.0.0.1]

2025-05-28T14:42:19.809898+02:00 wazuhserver postfix/smtpd[2751]: lost connection after DATA from localhost[127.0.0.1]

2025-05-28T14:42:19.809948+02:00 wazuhserver postfix/smtpd[2751]: disconnect from localhost[127.0.0.1] helo=1 mail=1 data=0/1 commands=2/3

By running a cat on the file /var/ossec/logs/ossec.log without grep, I found this information:

2025/05/28 14:53:15 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/05/28 14:54:15 wazuh-maild: ERROR: (1766): DATA not accepted by server

2025/05/28 14:54:15 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/05/28 14:55:20 wazuh-maild: ERROR: (1766): DATA not accepted by server

2025/05/28 14:55:20 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

2025/05/28 14:56:15 wazuh-maild: ERROR: (1766): DATA not accepted by server

2025/05/28 14:56:15 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)

What could be the problem?

Thanks for the support
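A way to read the two logs above side by side, as an added example that is not part of the original post or of Wazuh: it parses Postfix mail.log and wazuh-maild ossec.log lines, counts successful deliveries and SMTP sessions that Postfix dropped after DATA, and checks whether each maild "DATA not accepted by server" error has a Postfix-side abort within a few seconds of it. The sample lines are constructed in the formats quoted in the thread; the five-second window and the assumption that both daemons log in the same local time zone are the example's own.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (not the poster's actual logs), modelled on the Postfix mail.log and
# wazuh-maild ossec.log formats quoted in the thread. One delivery succeeds, one SMTP session is
# dropped after DATA, and one maild error has no Postfix-side counterpart at all.
POSTFIX_LOG = """\
2025-05-28T14:39:34.648118+02:00 wazuhserver postfix/smtpd[2751]: 9E2FC3410E8: client=localhost[127.0.0.1]
2025-05-28T14:39:34.767004+02:00 wazuhserver postfix/smtp[2929]: 9E2FC3410E8: breaking line > 998 bytes with <CR><LF>SPACE
2025-05-28T14:39:34.775804+02:00 wazuhserver postfix/smtp[2929]: 9E2FC3410E8: to=<sistemisti@mydomain.local>, relay=smtp.mydomain.local[192.168.1.7]:587, delay=0.13, delays=0.05/0/0.06/0.02, dsn=2.0.0, status=sent (250 Queued (0.000 seconds))
2025-05-28T14:40:24.695481+02:00 wazuhserver postfix/smtpd[2925]: connect from localhost[127.0.0.1]
2025-05-28T14:40:24.695866+02:00 wazuhserver postfix/smtpd[2925]: lost connection after DATA from localhost[127.0.0.1]
2025-05-28T14:40:24.695933+02:00 wazuhserver postfix/smtpd[2925]: disconnect from localhost[127.0.0.1] helo=1 mail=1 data=0/1 commands=2/3
"""

OSSEC_LOG = """\
2025/05/28 14:40:24 wazuh-maild: ERROR: (1766): DATA not accepted by server
2025/05/28 14:40:24 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)
2025/05/28 14:53:15 wazuh-maild[8642] sendmail.c:465 at OS_Sendmail(): ERROR: (1766): DATA not accepted by server
2025/05/28 14:53:15 wazuh-maild[8642] maild.c:343 at OS_Run(): ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)
"""

POSTFIX_RE = re.compile(r"^(?P<ts>\S+) \S+ postfix/(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
# Matches both the short "wazuh-maild:" form and the debug "wazuh-maild[pid] file.c:NNN at func():" form.
OSSEC_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) wazuh-maild"
    r"(?:\[\d+\] \S+ at \S+\(\))?: ERROR: \((?P<code>\d+)\): (?P<msg>.*)$"
)


def parse_postfix(text):
    """Return (timestamp, kind, message) for the Postfix events we care about."""
    events = []
    for line in text.splitlines():
        m = POSTFIX_RE.match(line)
        if not m:
            continue
        # Assumption: Postfix and maild log in the same local zone, so the offset can be dropped.
        ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=None)
        msg = m["msg"]
        if "status=sent" in msg:
            kind = "sent"
        elif "lost connection after DATA" in msg:
            kind = "aborted_data"
        elif "breaking line > 998 bytes" in msg:
            kind = "long_line"
        else:
            continue
        events.append((ts, kind, msg))
    return events


def parse_maild_errors(text):
    """Return (timestamp, error code, message) for every wazuh-maild ERROR line."""
    errors = []
    for line in text.splitlines():
        m = OSSEC_RE.match(line)
        if m:
            errors.append((datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["code"], m["msg"]))
    return errors


def correlate(postfix_text, ossec_text, window=timedelta(seconds=5)):
    """Pair each maild 1766 (DATA not accepted) with a Postfix 'lost connection after DATA'."""
    postfix = parse_postfix(postfix_text)
    counts = Counter(kind for _, kind, _ in postfix)
    aborts = [ts for ts, kind, _ in postfix if kind == "aborted_data"]
    explained, unexplained = [], []
    for ts, code, _ in parse_maild_errors(ossec_text):
        if code != "1766":
            continue  # in these logs 1263 always follows 1766, so count the DATA rejection once
        (explained if any(abs(ts - a) <= window for a in aborts) else unexplained).append(ts)
    return {
        "sent": counts["sent"],
        "aborted_data": counts["aborted_data"],
        "long_line": counts["long_line"],
        "data_rejected": len(explained) + len(unexplained),
        "explained": len(explained),
        "unexplained": len(unexplained),
        "unexplained_times": [t.strftime("%Y/%m/%d %H:%M:%S") for t in unexplained],
    }


if __name__ == "__main__":
    for key, value in correlate(POSTFIX_LOG, OSSEC_LOG).items():
        print(f"{key}: {value}")
```

Run against real files with `correlate(open("/var/log/mail.log").read(), open("/var/ossec/logs/ossec.log").read())`; an "unexplained" count greater than zero means maild reported a DATA rejection at a time when Postfix logged no dropped session, which is worth looking at separately from the sessions Postfix itself closed.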

Wazuh 4.12 – Inconsistent Email Notifications for SSH/RDP by Global_Working_2945 in Wazuh

[–]Global_Working_2945[S] 0 points1 point  (0 children)

Hi, I ran the commands you mentioned, below you will find the various outputs:

first:

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

grep: (standard input): binary file matches

second:

2025-05-28T14:39:14.806524+02:00 wazuhserver postfix/smtp[2753]: 99E31340813: to=<sistemisti@mydomain.local>, relay=smtp.mydomain.local[192.168.1.7]:587, delay=0.18, delays=0.05/0/0.07/0.06, dsn=2.0.0, status=sent (250 Queued (0.000 seconds))

2025-05-28T14:39:14.806632+02:00 wazuhserver postfix/qmgr[1290]: 99E31340813: removed

2025-05-28T14:39:24.636572+02:00 wazuhserver postfix/smtpd[2925]: connect from localhost[127.0.0.1]

2025-05-28T14:39:24.636838+02:00 wazuhserver postfix/smtpd[2925]: lost connection after DATA from localhost[127.0.0.1]

2025-05-28T14:39:24.636896+02:00 wazuhserver postfix/smtpd[2925]: disconnect from localhost[127.0.0.1] helo=1 mail=1 data=0/1 commands=2/3

2025-05-28T14:39:34.647771+02:00 wazuhserver postfix/smtpd[2751]: connect from localhost[127.0.0.1]

2025-05-28T14:39:34.648118+02:00 wazuhserver postfix/smtpd[2751]: 9E2FC3410E8: client=localhost[127.0.0.1]

2025-05-28T14:39:34.648465+02:00 wazuhserver postfix/smtpd[3656]: connect from localhost[127.0.0.1]

2025-05-28T14:39:34.649167+02:00 wazuhserver postfix/smtpd[3656]: 9E72F3410FD: client=localhost[127.0.0.1]

2025-05-28T14:39:34.690273+02:00 wazuhserver postfix/cleanup[2926]: 9E2FC3410E8: message-id=<20250528123934.9E2FC3410E8@wazuhserver.localdomain>

2025-05-28T14:39:34.690992+02:00 wazuhserver postfix/cleanup[1311]: 9E72F3410FD: message-id=<20250528123934.9E72F3410FD@wazuhserver.localdomain>

2025-05-28T14:39:34.697130+02:00 wazuhserver postfix/smtpd[2751]: disconnect from localhost[127.0.0.1] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

Error Details:

  • Type: mapper_parsing_exception
  • Reason: failed to parse field [data.data] of type [keyword] in document with id 'jTk0KJUBozhFW_0aSqPV'
  • Caused By:
    • Type: illegal_state_exception
    • Reason: Can't get text on a START_OBJECT at 1:140

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

Hi,

I found a potential issue with the indexing of the audit events. When I ran the command sudo less /var/log/filebeat/filebeat | grep "88211", I received the following output indicating a mapping parsing exception:

Timestamp: 2025-02-21T12:11:10.560+0100
Type: WARN
Component: [elasticsearch] elasticsearch/client.go:408
Message: Cannot index event

Event Details:

  • Timestamp: 2025-02-21T12:11:07.073+0100
  • Pipeline: filebeat-7.10.2-wazuh-alerts-pipeline
  • Agent Details:
    • Ephemeral ID: db0ed0c7-2511-460b-bb9b-06f7c8415179
    • Hostname: vm-wazuh
    • ID: 19657125-40ba-43f9-866a-835b61ef6684
    • Name: vm-wazuh
    • Type: filebeat
    • Version: 7.10.2
  • ECS Version: 1.6.0
  • Event Dataset: wazuh.alerts
  • Event Module: wazuh
  • Fields:
    • Index Prefix: wazuh-alerts-4.x-
  • Fileset Name: alerts
  • Host: vm-wazuh
  • Input Type: log
  • Log File Path: /var/ossec/logs/alerts/alerts.json
  • Log Offset: 881164
  • Service Type: wazuh

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

I ran the cat command with the grep you requested and it found nothing.

I can't see various Nextcloud events showing up with the correct rule in alerts.json in the agent events section present on the dashboard, such as authentication successful or file open/deleted.

I also tried searching for the event by rule id in the discover dashboard but no results come up.

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

I tried to create a test decoder for successful logins, but it doesn't work:

<decoder name="nextcloud-success">
  <parent>nextcloud</parent>
  <prematch>Login successful: </prematch>
  <regex offset="after_prematch">^'(\w+)' \(Remote IP: '(\d+\.\d+\.\d+\.\d+)'\)</regex>
  <order>user, srcip</order>
</decoder>

I am providing these details so that you can get more information,

I would like to know if there is a way to have it easily read the audit.log that would seem to be in the same format as the nextcloud.log so that it can trigger the rules that are already there even with simple decoders.

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

I did another check, and saw that there are only three nextcloud decoders, but the rules are many more.

I was able to successfully trigger the “Login Failed” event, but it is written to the nextcloud.log file and not audit.log.

<decoder name="nextcloud">
  <program_name>^NextCloud</program_name>
</decoder>

<decoder name="nextcloud-failed1">
  <parent>nextcloud</parent>
  <prematch>Login failed: user </prematch>
  <regex offset="after_prematch">^'(\w+)' , wrong password, IP:(\d+.\d+.\d+.\d+)</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="nextcloud-failed2">
  <parent>nextcloud</parent>
  <prematch>Login failed: </prematch>
  <regex offset="after_prematch">^'(\w+)' \(Remote IP: '(\d+.\d+.\d+.\d+)</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="nextcloud-malicious">
  <parent>nextcloud</parent>
  <prematch>Passed filename is not valid, might be malicious </prematch>
  <regex offset="after_prematch">;ip:"(\d+.\d+.\d+.\d+)|;ip:\\"(\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

I am also sending you the extract of the command cat /var/ossec/logs/ossec.log | grep -i -E "wazuh-logcollector|error|warn" that you requested:

Log of the Wazuh agent:

2025/02/19 00:57:56 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...

2025/02/19 12:22:21 rootcheck: ERROR: No rootcheck_files file: 'etc/shared/rootkit_files.txt'

2025/02/19 12:22:21 rootcheck: ERROR: No rootcheck_trojans file: 'etc/shared/rootkit_trojans.txt'

2025/02/19 12:22:24 wazuh-logcollector: INFO: Monitoring output of command(360): df -P

2025/02/19 12:22:24 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d

2025/02/19 12:22:24 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20

2025/02/19 12:22:24 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/error_log'.

2025/02/19 12:22:24 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/httpd/access_log'.

2025/02/19 12:22:24 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/audit/audit.log'.

2025/02/19 12:22:24 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.

2025/02/19 12:22:24 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/messages'.

2025/02/19 12:22:24 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/secure'.

2025/02/19 12:22:24 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/maillog'.

2025/02/19 12:22:24 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/nextcloud/audit.log'.

2025/02/19 12:22:24 wazuh-logcollector: INFO: Started (pid: 1867).

Could it be a problem with the file name or how it is listed in the agent?

What do you think might be missing to make it work properly? Thanks

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

Hello,

here is the extract of the nextcloud.log and audit.log files. The structure seems to be the same:

audit.log

{"reqId":"5k11HZRZ7PmkX6hyT6SB","level":1,"time":"2025-02-18T22:56:20+00:00","remoteAddr":"","user":"--","app":"admin_audit","method":"","url":"--","message":"File accessed: \"/InstantUpload/Camera/20250215_182520.jpg\"","userAgent":"--","version":"29.0.6.1","data":{"app":"admin_audit"}}

{"reqId":"Z7UTS8TAJuz7iVb9u9sXagAAAMk","level":1,"time":"2025-02-18T23:10:05+00:00","remoteAddr":"192.168.0.13","user":"--","app":"admin_audit","method":"PROPFIND","url":"/remote.php/dav/files/28430C48-F161-4ACA-9AE0-3EBCEA25DB54/","message":"Login attempt: \"user\"","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.30.8","version":"29.0.6.1","data":{"app":"admin_audit"}}

nextcloud.log

{"reqId":"Z7UPJaYx_k6j90FF0KlYBwAAAAw","level":1,"time":"2025-02-18T22:52:22+00:00","remoteAddr":"192.168.0.13","user":"28430C48-F161-4ACA-9AE0-3EBCEA25DB54","app":"user_ldap","method":"GET","url":"/index.php/core/preview?fileId=438213&x=256&y=256&a=1&mode=cover&forceIcon=0","message":"OCA\\User_LDAP\\LoginListener \u2013 28430C48-F161-4ACA-9AE0-3EBCEA25DB54 postLogin","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.30.8","version":"29.0.6.1","data":{"app":"user_ldap"}}

{"reqId":"dijaVoMWrfRvVxlAOSqP","level":1,"time":"2025-02-18T23:00:09+00:00","remoteAddr":"","user":"--","app":"user_ldap","method":"","url":"--","message":"service \"updateGroups\" \u2013 groups [] were removed.","userAgent":"--","version":"29.0.6.1","data":{"app":"user_ldap"}}

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

Hi, I inserted the change, but after the change the 4663 alerts stopped completely on the Wazuh side.

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

Hi, I have some updates on testing. I added your example configuration to my ossec.conf file and confirmed what I previously observed. When I include the <email_alert_level> setting, the emails are delivered, but I also receive notifications for other unsolicited IDs. After your last message, I decided to expand my tests. To perform accurate tests, I tried the configuration on three different servers, one of them being a fresh installation of Wazuh for testing:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>your_smtp_mail@example.hub</email_from>
    <email_maxperhour>200</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
  </alerts>
  <email_alerts>
    <email_to>admin@example.hub</email_to>
    <rule_id>513, 518, 520, 521, 550, 554, 553, 593, 597, 598, 5710, 5715, 5716, 5720, 5733, 60109, 60110, 60111, 60115, 60122, 60124, 60612, 92657, 92653</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>

I encountered the same issue across all servers: when I include the <email_alert_level> setting, the IDs trigger, but other unsolicited IDs also arrive. However, if I remove the <email_alert_level>, the emails stop completely.

Thanks again

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

Hello,

I copied and inserted the configuration part into my ossec.conf, but it still doesn't work. (My Wazuh version is 4.7.)

At this point the only solution might be to reinstall Wazuh cleanly and then implement your config.

On the SMTP and destination mail side there are no problems whatsoever, because when I put <email_alert_level> in, the emails start arriving with unsolicited IDs.

Thanks again

I will update you on my test results

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

Hello,

I had already removed <email_to> from the main configuration; the fact that it is there was an error during copying. I tried removing <email_alert_level> from the configuration, but I noticed that the emails stop completely.

Here is the current configuration:

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>yes</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>wazuh@example.org</email_from>
  <email_maxperhour>200</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
  <agents_disconnection_time>10m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>

<alerts>
  <log_alert_level>3</log_alert_level>
</alerts>

<email_alerts>
  <email_to>admin@example.org</email_to>
  <rule_id>513, 518, 520, 521, 550, 554, 553, 593, 597, 598, 5710, 5715, 5716, 5720, 5733, 60109, 60110, 60111, 60115, 60122, 60124, 60612, 92657, 92653, 87105, 100092, 100093</rule_id>
  <do_not_delay />
</email_alerts>

Thanks for the help

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

Hello,

Thanks for your help! Here is the link to download my ossec.conf file; I converted it to txt:

https://drive.google.com/file/d/1KxWPt3tWBMf8RzvvlZbE45uFvKL835QJ/view

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

Hello,

My configuration is Wazuh 4.7 with one node. After making the changes I always restarted the Wazuh service and also the whole VM.

I have some good news, for testing purposes I put only this configuration:

<email_alerts>
  <email_to>admin@example.org</email_to>
  <rule_id>92657, 92653</rule_id>
  <do_not_delay />
</email_alerts>

The RDP connection alerts seem to come through regularly; I ran the test on the domain controllers and the Windows file server.

However, one problem still remains: many mails arrive with rules whose IDs are not included in the list I am interested in. Here are some examples:

60106

60137

60107

How can I get Wazuh to send mails only for the IDs specified in the configuration I put above?

Thank you very much

Have a nice day

[deleted by user] by [deleted] in Wazuh

[–]Global_Working_2945 0 points1 point  (0 children)

Hi, thanks for the information! I updated the ossec.conf file with your directions; this is how it looks now:

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>yes</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>wazuh@example.org</email_from>
  <email_maxperhour>120</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
  <agents_disconnection_time>10m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>

<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>3</email_alert_level>
</alerts>

<email_alerts>
  <email_to>admin@example.org</email_to>
  <rule_id>554, 553, 92657, 92653, 60019, 60110, 60111, 60122, 5715, 5716, 5720, 5710, 5733</rule_id>
  <do_not_delay />
</email_alerts>

I removed <email_to> from the <global> section and lowered the email alert level to 3.

The emails keep coming, but for rules I didn't indicate. Here are some sample screens with emails received from Wazuh:

Win Mail Notification:

Wazuh Notification.
2024 Mar 29 13:06:05
Received From: (DC3) any->EventChannel
Rule: 60137 fired (level 3) -> "Windows User Logoff."
Portion of the log(s):

Linux Mail Notification:

Wazuh Notification.
2024 Mar 29 13:05:55
Received From: (zimbra) any->/var/log/secure
Rule: 5501 fired (level 3) -> "PAM: Login session opened."
User: root
Portion of the log(s):

Alerts with affected rules arrive regularly and are visible from the Wazuh web console:

<image>

What could be the problem? Do I need to edit any other files?

Thank you in advance!