ElastAlert Email

[fillipino2]

I need some help. I would like to have email alerts. I created a rule to alert when I receive a severity level. I ran so-elastalert-test -a and it says it is successful so I know the rule works but I am still not receiving an email. (I am using my own mail server)

email:

• "[email protected]"
  smtp_host: "x.x.x.x"
  smtp_port: 25
  from_addr: "[email protected]"

This is already in my rule that I created in /opt/so/rules/elastalert

Do I need to add anything to the config yaml in /opt/so/conf/elastalert/elasticalert_config.yaml ?

Anything hints will help. Thank you

[dougburks]

From your Security Onion box, can you ping your smtp_host?

Can you connect to port 25 on your smtp_host using a tool like telnet or nc?

[peterlymo]

interesting on this question to., i had trouble making elastalert2 work, in addition @fillipino2 could you please help me with working rule so i can use as example thanks,

[weslambert]

There is an example here for both internal and external email/SMTP relays:

https://docs.securityonion.net/en/2.3/elastalert.html#email-internal

[cuscsmc2]

Hi all,

I am a newbie with Security Onion. I could successfully install Security Onion but don't know how to enable the email alert function even I have gone through this link https://docs.securityonion.net/en/2.3/elastalert.html#email-internal.

My questions are:

1. Could I use any filename (e.g. email.yaml) in /opt/so/rules/elastalert folder as a configuration file?

2. Do I need to create a cron job for regularly checking the log and generating the email alerts?

3. I have created the following yaml file. Can anyone help me verify it?

   1 alert:
   2 - "modules.so.playbook-es.PlaybookESAlerter"
   3 - "email"
   4 email:
   5 - "[email protected]"
   6 smtp_host: "mx01.xxx.com"
   7 smtp_port: 25
   8 smtp_ssl: false
   9 from_addr: "[email protected]"
   10
   11 elasticsearch_host: "10.0.0.1:9200"
   12 play_title: ""
   13 play_id: ""
   14 event.module: "playbook"
   15 event.dataset: "alert"
   16 event.severity: 3
   17 rule.category:
   18 play_url: "https://10.0.0.1/playbook/issues/6000"
   19 kibana_pivot: "https://10.0.0.1/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:aut o,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))"
   20 soc_pivot: "https://10.0.0.1/#/hunt"
   21 sigma_level: ""

Thank you