Phase 6: Wazuh Logging

Objective

Forward postfix/dovecot/milter logs to Wazuh, write custom decoders and rules for mail security events, build a dashboard. This mirrors the ESA syslog → QRadar logging path that CHLA is retiring.

Maps to Work

  Lab                                              | CHLA
  -------------------------------------------------|----------------------------------------------------------
  Postfix syslog → Wazuh agent                     | Cisco ESA syslog → QRadar (current state, being retired)
  Wazuh decoders for postfix format                | QRadar log source parsing for ESA events
  Wazuh rules (SPF fail, DKIM fail, relay attempt) | QRadar/Sentinel analytics rules for email security
  Wazuh dashboard                                  | Sentinel workbook for email security monitoring

Install Wazuh Agent

# On mail-01
curl -s https://packages.wazuh.com/4.x/yum/wazuh.repo | sudo tee /etc/yum.repos.d/wazuh.repo
sudo dnf install -y wazuh-agent

# Point the agent at the manager (the agent config lives under /var/ossec, not /etc)
sudo sed -i 's|<address>.*</address>|<address>10.50.1.120</address>|' /var/ossec/etc/ossec.conf

# Monitor mail logs. The agent accepts several <ossec_config> blocks in ossec.conf, so append a
# complete block; a bare <localfile> after the closing </ossec_config> is not valid configuration.
sudo tee -a /var/ossec/etc/ossec.conf <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>
</ossec_config>
EOF

sudo systemctl enable --now wazuh-agent

Custom Decoders

Create custom decoders for postfix log events:

<!-- /var/ossec/etc/decoders/local_decoder.xml on Wazuh manager -->
<!-- type="pcre2" (Wazuh 4.2+) makes the manager use PCRE2 syntax; the default OS_Regex engine
     treats the backslash escapes and grouping below differently. -->

<!-- Postfix only writes an Authentication-Results header to syslog when a header_checks WARN
     rule matches it; a milter (opendkim/opendmarc) logs its verdict under its own program name,
     which a child of the postfix decoder will not see. -->
<decoder name="postfix-auth-result">
  <parent>postfix</parent>
  <regex type="pcre2">Authentication-Results:.*(spf=\S+).*(dkim=\S+).*(dmarc=\S+)</regex>
  <order>spf_result,dkim_result,dmarc_result</order>
</decoder>

<!-- Matches: NOQUEUE: reject: RCPT from <hostname>[<ip>]: <code> ... -->
<decoder name="postfix-reject">
  <parent>postfix</parent>
  <regex type="pcre2">NOQUEUE: reject: RCPT from (\S+)\[(\S+)\]: (\d+)</regex>
  <order>client_hostname,client_ip,reject_code</order>
</decoder>

Custom Rules

<!-- /var/ossec/etc/rules/local_rules.xml on Wazuh manager -->

<group name="mail,postfix,">

  <rule id="100100" level="5">
    <decoded_as>postfix</decoded_as>
    <match>spf=fail</match>
    <description>Mail: SPF verification failed — sender IP not authorized for domain</description>
  </rule>

  <rule id="100101" level="5">
    <decoded_as>postfix</decoded_as>
    <match>dkim=fail</match>
    <description>Mail: DKIM verification failed — message signature invalid</description>
  </rule>

  <rule id="100102" level="7">
    <decoded_as>postfix</decoded_as>
    <match>dmarc=fail</match>
    <description>Mail: DMARC policy failure — both SPF and DKIM alignment failed</description>
  </rule>

  <!-- A rule takes a single <match>; two elements are concatenated, not ANDed, so both
       conditions are expressed in one PCRE2 pattern. -->
  <rule id="100103" level="10">
    <decoded_as>postfix</decoded_as>
    <match type="pcre2">NOQUEUE: reject:.*Relay access denied</match>
    <description>Mail: Relay attempt denied — potential open relay probe</description>
  </rule>

  <rule id="100104" level="3">
    <decoded_as>postfix</decoded_as>
    <match>status=sent</match>
    <description>Mail: Message delivered successfully</description>
  </rule>

  <!-- Base rule for a single SASL failure. frequency/timeframe are rule attributes and only
       count matches of the rule named in <if_matched_sid>; without it nothing is counted. -->
  <rule id="100106" level="5">
    <decoded_as>postfix</decoded_as>
    <match>authentication failed</match>
    <description>Mail: SASL authentication failure</description>
  </rule>

  <!-- Wazuh's rule reference notes the rule actually fires after frequency + 2 matches.
       Add <same_source_ip /> once the decoder supplies srcip, so failures are counted per client. -->
  <rule id="100105" level="8" frequency="5" timeframe="120">
    <if_matched_sid>100106</if_matched_sid>
    <description>Mail: SASL authentication failure — potential brute force</description>
  </rule>

</group>
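As an added check (example code, not part of the lab's files), this Python script replays constructed maillog lines through the same regexes and match strings used in the decoder and rule files, so field extraction, the highest-level-wins rule selection and the SASL frequency threshold can be verified offline before the manager is restarted. It assumes Python's re as a stand-in for the manager's PCRE2 engine and a base rule id 100106 (an assumption of this example) for a single SASL failure.

```python
import re
from collections import deque
from datetime import datetime

# Patterns copied from the lab's local_decoder.xml / local_rules.xml (pcre2 syntax; Python's re behaves
# the same for these). RULES is ordered highest level first, as analysisd reports only the top match.
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (postfix/\w+)\[\d+\]: (.*)$")
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from (\S+)\[(\S+)\]: (\d+)")
AUTHRES_RE = re.compile(r"Authentication-Results:.*(spf=\S+).*(dkim=\S+).*(dmarc=\S+)")
RULES = [(100103, 10, re.compile(r"NOQUEUE: reject:.*Relay access denied")),
         (100102, 7, re.compile(r"dmarc=fail")), (100100, 5, re.compile(r"spf=fail")),
         (100101, 5, re.compile(r"dkim=fail")), (100104, 3, re.compile(r"status=sent"))]
SASL_RE, SASL_FREQ, SASL_WINDOW = re.compile(r"authentication failed"), 5, 120  # rule 100105

# Constructed maillog lines (not captured from a real host); the dovecot line shows that rules
# with <decoded_as>postfix</decoded_as> never see non-postfix events.
SAMPLE_LOG = """\
Mar  3 10:15:01 mail-01 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 454 4.7.1 <victim@external.com>: Relay access denied; from=<evil@example.com> to=<victim@external.com> proto=SMTP helo=<attacker.example.com>
Mar  3 10:15:05 mail-01 postfix/cleanup[2210]: 4F2A1: warning: header Authentication-Results: mail-01; spf=fail smtp.mailfrom=example.com; dkim=fail header.d=example.com; dmarc=fail header.from=example.com from unknown[203.0.113.7]; from=<evil@example.com> to=<bob@lab.test>
Mar  3 10:15:09 mail-01 postfix/smtp[2215]: 4F2A1: to=<bob@lab.test>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.3, status=sent (250 2.0.0 Ok)
Mar  3 10:15:10 mail-01 dovecot[1800]: imap-login: Login: user=<bob>, method=PLAIN, rip=10.50.1.20
""" + "".join(f"Mar  3 10:{hhmm} mail-01 postfix/smtpd[2201]: warning: unknown[198.51.100.9]: "
              f"SASL LOGIN authentication failed: authentication failure\n"
              for hhmm in ("16:00", "16:20", "16:45", "17:10", "17:30"))  # 5 failures in 90 s

def decode(line):
    """Mimic the parent 'postfix' decoder plus the two custom child decoders."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # the parent decoder only claims postfix/* program names
    fields = {"timestamp": m.group(1), "program_name": m.group(2), "msg": m.group(3)}
    if r := REJECT_RE.search(fields["msg"]):
        fields.update(zip(("client_hostname", "client_ip", "reject_code"), r.groups()))
    elif a := AUTHRES_RE.search(fields["msg"]):
        fields.update(zip(("spf_result", "dkim_result", "dmarc_result"), a.groups()))
    return fields

def evaluate(lines):
    """Return [(rule_id, level)] for each alerting line; SASL failures use a 120 s sliding window."""
    alerts, recent = [], deque()
    for f in filter(None, map(decode, lines)):
        if SASL_RE.search(f["msg"]):  # 5th failure in the window -> 100105; earlier ones -> assumed base rule 100106
            recent.append(t := datetime.strptime(f["timestamp"], "%b %d %H:%M:%S"))
            while (t - recent[0]).total_seconds() > SASL_WINDOW:
                recent.popleft()
            alerts.append((100105, 8) if len(recent) >= SASL_FREQ else (100106, 5))
        else:
            hit = next(((rid, lvl) for rid, lvl, pat in RULES if pat.search(f["msg"])), None)
            if hit:
                alerts.append(hit)
    return alerts
```

Feed real lines from /var/log/maillog to decode() and evaluate() the same way to see which rule the manager should report for each event.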

Restart Wazuh Manager

# On Wazuh manager (k3s)
sudo /var/ossec/bin/wazuh-control restart

Test Alert Generation

# Generate SPF fail — send from unauthorized IP (if possible in lab)
# Generate relay attempt
telnet 10.50.1.91 25 <<EOF
HELO attacker.example.com
MAIL FROM:<evil@example.com>
RCPT TO:<victim@external.com>
EOF

# Check Wazuh for alerts
# Wazuh dashboard → Security Events → filter: rule.groups = "mail"

Verification Checklist

  • Wazuh agent running on mail-01: systemctl is-active wazuh-agent

  • Agent registered with manager: check Wazuh dashboard

  • /var/log/maillog being monitored: grep maillog /etc/ossec.conf

  • Custom decoders loaded: no errors in /var/ossec/logs/ossec.log

  • Relay attempt triggers rule 100103

  • Successful delivery triggers rule 100104