How to setup mail alert in Security Onion

Building SIEM at Home

How to setup mail alert in Security Onion
Ngoc Vuong's photo
Ngoc Vuong

Published on Jun 16, 2021

2 min read

Email Configuration

In this stage, we will setup mail alert such as: Sguild, Wazuh, Zeek,...

Using smtp server in your localhost Setup postfix and mailutils

sudo apt-get install postfix mailutils

Create your password file with

vi /etc/postfix/sasl_passwd

Populate the password file. Example:

[smtp.gmail.com]:587 myusername@gmail.com:mypassword

Secure the file by running

chmod 600 /etc/postfix/sasl_passwd

Replace the contents of the config file by running

vi /etc/postfix/main.cf

Place the following in the file:

relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Encode password file by running

postmap /etc/postfix/sasl_passwd

Restart postfix service by running

systemctl restart postfix.service

Replace with your email in the following code and test sending mail:

echo "Test mail from postfix" | mail -s "Test Postfix" you@example.com

Give google a min to process. You should see the sent mail in your sent folder for your gmail account and in the inbox of the specified destination account. If the mail doesn't come, check

tail -f /var/log/mail.log

image.png

Automatically Setup

If you want to configure email, you can run so-email and it will automatically configure automated server-side email for you as described below. Simply run the following command and follow the prompts:

sudo so-email

image.png

image.png

image.png Select email you want to recieve email

Enter your email image.png Enter your smtp server (localhost is my SMTP server) Select daily report

image.png

Another for Sguil, OSSEC

image.png

Click Yes and waiting for setup

image.png

Testing DDOS using hping3:

image.png

View result in email

image.png

Write up by Fr0st

 
Share this