To configure email alerts in Wazuh you need to install Postfix as a local SMTP relay and connect it to Gmail or Microsoft 365 using an app password. Then you define in ossec.conf which rules trigger the email and who the recipient is.
Why does Wazuh need Postfix to send email?
Wazuh can send email alerts when specific rules fire. To do this you need a local mail server (Postfix) that relays through the SMTP service of Gmail or Microsoft 365. In this article we set everything up step by step.
How do you create the app password in Gmail?
Gmail does not allow you to use your normal password for SMTP. You need an app password:
Prerequisite
You must have two-step verification enabled on your Google account. Without it, you cannot create app passwords.
- Go to myaccount.google.com/security
- Turn on two-step verification if you have not already
- Go straight to App passwords
- Type a descriptive name (e.g. "Wazuh SIEM") and click "Create"
- Save the 16-character password it generates (no spaces)
How do you install and configure Postfix?
Install Postfix and the SASL modules for authentication:
apt update && apt install -y postfix libsasl2-modules
During the installation, select "Internet Site" and enter your server name.
How do you configure the relay to Gmail?
Edit /etc/postfix/main.cf and add at the end:
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
How do you create the credentials file?
nano /etc/postfix/sasl_passwd
Add this line (with your email and app password):
[smtp.gmail.com]:587 tucuenta@gmail.com:contraseña_de_16_caracteres
Restrict the file's permissions and build the hash lookup table:
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
systemctl restart postfix
How do you configure Postfix with Microsoft 365?
If you use Microsoft instead of Gmail, change the relayhost:
relayhost = [smtp.office365.com]:587
And in /etc/postfix/sasl_passwd:
[smtp.office365.com]:587 tucuenta@tudominio.com:tu_contraseña
How do you configure email alerts in Wazuh?
On the Wazuh server, edit /var/ossec/etc/ossec.conf and configure the email alerts:
<global>
<email_notification>yes</email_notification>
<smtp_server>localhost</smtp_server>
<email_from>wazuh@tuservidor.com</email_from>
</global>
How do you send per-rule alerts to different recipients?
You can send specific alerts to different recipients depending on the rule:
<!-- Alert for rule 100072: user Juan deletes a file -->
<email_alerts>
<email_to>ResponsableDeInformacion@tudominio.com</email_to>
<rule_id>100072</rule_id>
<format>full</format>
</email_alerts>
<!-- Alert for rule 100073: specific IP modifies a file -->
<email_alerts>
<email_to>sistemasTI@tudominio.com</email_to>
<rule_id>100073</rule_id>
<format>full</format>
</email_alerts>
Explanation:
- email_to: the email recipient
- rule_id: ID of the rule that triggers the alert
- format: "full" includes every detail of the event
Restart the manager:
systemctl restart wazuh-manager
How do you test that email delivery works?
Check that Postfix sends correctly:
echo "Prueba de Wazuh" | mail -s "Test Postfix" tucorreo@ejemplo.com
Check the Postfix log:
tail -f /var/log/mail.log
Summary
| Provider | SMTP Server | Port |
|---|---|---|
| Gmail | smtp.gmail.com | 587 |
| Microsoft 365 | smtp.office365.com | 587 |
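One way to verify the relay configuration and the delivery test described above, as an added example that is not from the article or the Wazuh project: it assumes a POSIX shell with sed and grep, takes file paths as arguments (so it only touches /etc/postfix if you point it there), and the mail.log lines it uses are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not part of the original article: a post-setup check for the
# Gmail/Microsoft 365 relay above. It writes sasl_passwd with root-only
# permissions, verifies main.cf enforces TLS plus SASL auth, and reads the
# delivery status of a test message out of mail.log. Paths are arguments.
set -eu

# write_sasl_passwd FILE HOST PORT USER PASSWORD
# The umask also covers the .db that postmap derives from FILE.
write_sasl_passwd() {
    ( umask 077; printf '[%s]:%s %s:%s\n' "$2" "$3" "$4" "$5" > "$1" )
    chmod 600 "$1"
    if command -v postmap >/dev/null 2>&1; then   # only where Postfix exists
        postmap "$1" && chmod 600 "$1.db"
    fi
}

# check_relay_config MAIN_CF
# Fails and names every setting that is absent or has a different value;
# without these three, Postfix may relay without auth or without TLS.
check_relay_config() {
    missing=0
    for want in 'smtp_sasl_auth_enable=yes' \
                'smtp_sasl_security_options=noanonymous' \
                'smtp_tls_security_level=encrypt'; do
        key=${want%%=*}; val=${want#*=}
        grep -qE "^[[:space:]]*$key[[:space:]]*=[[:space:]]*$val[[:space:]]*$" "$1" \
            || { echo "missing: $key = $val"; missing=1; }
    done
    return $missing
}

# delivery_result MAIL_LOG QUEUE_ID -> "<status>: <server reply>", last attempt
# wins; "unknown" if the queue id never reached the smtp client.
delivery_result() {
    r=$(sed -n "s/.* $2: .*status=\([a-z]*\) (\([^)]*\)).*/\1: \2/p" "$1" | tail -n 1)
    echo "${r:-unknown}"
}

# write_sample_log FILE: constructed mail.log lines (not real traffic) showing
# one test mail accepted by Gmail and one rejected because of a bad app password.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 12:00:01 wazuh postfix/pickup[1234]: 3F2A1C0D: uid=0 from=<root>
Jan 10 12:00:02 wazuh postfix/smtp[1240]: 3F2A1C0D: to=<soc@example.com>, relay=smtp.gmail.com[192.0.2.10]:587, delay=1.2, delays=0.1/0.2/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 12:05:01 wazuh postfix/smtp[1250]: 5B7C2D1E: to=<soc@example.com>, relay=smtp.gmail.com[192.0.2.10]:587, delay=0.9, delays=0.1/0.1/0.6/0.1, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[192.0.2.10] said: 535-5.7.8 Username and Password not accepted)
EOF
}
```

A `status=deferred` with "SASL authentication failed" after the test `mail` command is the usual sign that the app password in sasl_passwd is wrong or that postmap was not re-run after editing it.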
Which ISO 27001:2022 controls does this setup cover?
Configuring email alerts in Wazuh directly contributes to compliance with several controls in Annex A of ISO 27001:2022:
| Control | Name | How alerts help |
|---|---|---|
| A.5.24 | Incident management planning and preparation | Immediate notification to the responsible team when an incident occurs |
| A.5.25 | Assessment and decision on incidents | Detailed information in the email lets you assess severity quickly |
| A.5.26 | Response to information security incidents | Shorter response time thanks to real-time alerts |
| A.8.15 | Logging | Emails act as a secondary record of critical events |
| A.8.16 | Monitoring activities | Active monitoring with automatic notification to the people in charge |
Which ENS measures does the email alert system cover?
For organizations subject to the Spanish ENS (RD 311/2022), email alerts are essential to comply with:
| Measure | Name | How alerts help |
|---|---|---|
| op.mon.1 | Intrusion detection | Immediate notification when suspicious activity is detected |
| op.mon.3 | Surveillance | Active surveillance system with escalation to the people in charge |
| op.exp.7 | Incident management | Automated notification process for incident management |
| op.exp.9 | Incident management logging | Emails provide documentary evidence of the alerts generated |
ENS response times
The ENS sets maximum response times based on the system category. Email alerts help you meet op.mon.3 by guaranteeing that security staff are notified in real time, dramatically reducing detection and response time.
Why are email alerts important in Wazuh?
- Fast response: The security team gets immediate notifications without constantly checking the dashboard
- Automatic escalation: You can route alerts to different people depending on the type of incident
- Documentary evidence: Emails act as a secondary record for audits
- 24/7 availability: Alerts arrive even when no one is actively monitoring
- Regulatory compliance: Demonstrates that an operational incident notification system exists
Next steps
Sending alerts to Discord and Slack via webhooks is another option worth setting up. Discover our Wazuh services.