How to Create Email Alerts with OpenSearch and Wazuh SIEM
Wazuh and OpenSearch are powerful tools for centralizing logs, and sometimes you need to be notified by email when specific logs appear. This post will guide you through setting up email alerts on both tools. Since both Wazuh and OpenSearch are built on Elasticsearch, the setup process is almost identical.
What We Will Do
- Set up an SMTP sender using an SMTP server or relay.
- Create a Notification Channel to define who will receive the email.
- Create a Monitor to track specific logs and trigger email notifications.
Step 1: Create an SMTP Sender
To send email notifications, you need to set up an SMTP server or relay. Here’s how to configure the SMTP sender:
- In Wazuh, go to the “OpenSearch Plugins” section in the menu and select “Notifications”. In OpenSearch, you can find “Notifications” under “Management”.
- On the left sidebar, click on “Email senders”, and then click on “Create SMTP sender”.
- Fill in the details of your SMTP server (like server address, port, credentials, etc.) and click “Create” to set up the sender.
Step 2: Create the Notification Channel
Next, you need to specify who will receive the alerts and from which sender they will receive them.
-
In the left sidebar, go to “Channels”, and then click “Create channel”.
-
Fill in the channel details, including the email recipients and the SMTP sender created in the previous step.
-
Once everything is filled out, click “Create” to save the notification channel.
Step 3: Create the Log Monitor
Now that we have both the sender and the recipient defined, we can create a monitor to track specific logs and send email notifications.
-
In Wazuh or OpenSearch, go to “Alerting” in the side menu, and from the top menu, choose “Monitors”.
-
Click on “Create monitor” and select the options that suit your needs. Here’s an example configuration:
- Monitor type: Per query monitor
- Definition method: Extraction query editor
- Schedule: Set the interval (e.g., run every 5 minutes)
- Index: Specify the relevant index, like `wazuh-alerts* if you are using Wazuh.
- In the query field, enter the query to monitor your specific log. For example, if I want to track the last 10
PHP Warninglogs from the last 5 minutes onproxmox.local.home, I would use the following query:
{
"query": {
"bool": {
"must": [
{
"match_phrase": {
"message": "PHP Warning"
}
},
{
"match": {
"fromhost": "proxmox.local.home"
}
},
{
"range": {
"timegenerated": {
"from": "now-5m",
"to": "now",
"include_lower": true,
"include_upper": true,
"boost": 1
}
}
}
]
}
},
"size": 10
}
- Click on “Add trigger” to set conditions and actions for the monitor
-
Name your trigger, and configure the condition to fit your needs (you can use the default condition if it’s suitable).
-
Under Actions, name the action, choose the notification channel you created earlier, and provide a subject and body for the email. You can also send a test email to make sure everything works.
- Once everything is set up, click “Create” to finalize the monitor.
Conclusion
By following these steps, you can easily set up email alerts on Wazuh or OpenSearch for specific logs. This ensures you stay informed about critical events in real-time, allowing for quick responses to potential issues. Happy monitoring!