Wazuh Dashaboard Email Channel Report scheduling with option to send Email

[Machos65]

Hello
I was configuring email notification channel for scheduled report then i got error testthe email not sent
then i added the keystore according with opensearch instructions after i restarted wazuh-dashboard i got this error

{"type":"log","@timestamp":"2025-01-28T14:39:23Z","tags":["fatal","root"],"pid":855,"message":"ValidationError: [config validation of [opensearch].notifications]: definition for this key>Jan 28 14:39:23 wazuh opensearch-dashboards[855]: FATAL ValidationError: [config validation of [opensearch].notifications]: definition for this key is missing

anyone with workaround please

[Desvelao]

According to the error, this seems that could be related to the opensearch.notifications setting is missing in the Wazuh dashboard side.

But, I am not sure if that setting is in the Wazuh dashboard core or this is required by a non-core plugin of Wazuh dashboard. Or maybe the problem could be in the configuration of the Wazuh indexer.

From your message referring to the configuration of the keystore, I guess you could have used this guide to configure the email channel: https://opensearch.org/docs/2.16/observing-your-data/notifications/index/#email-as-a-channel-type, that has some commands

Could you provide the following information?

1. What version of Wazuh dashboard and Wazuh indexer are you using?
2. Describe the steps or provide a guide to configure the notification email channel you followed.
3. Any additional consideration (additional configuration done to the default configuration/installation of Wazuh stack central components, etc...)

[Machos65]

1. What version of Wazuh dashboard and Wazuh indexer are you using?

-am using Version 7.10.2 (indexer) 2.16.0 (opensearch dashboard), 4.10.1 (wazuh version)

2. Describe the steps or provide a guide to configure the notification email channel you followed.

I defined my email parameters in the frontend where i configured the SMTP Sender then I went on the backend and added my user name and password trhough this command
"
/usr/share/opensearch/bin/opensearch-keystore add opensearch.notifications.core.email.<sender_name>.username
/usr/share/opensearch/bin/opensearch-keystore add opensearch.notifications.core.email.<sender_name>.password
"
now the soon i restart the wazuh dashboard is where it gives that error but when i remove those parameter i mean the above one the dashboard service works fine

3.Any additional consideration (additional configuration done to the default configuration/installation of Wazuh stack central components, etc...)
-No

[Desvelao]

What version of Wazuh dashboard and Wazuh indexer are you using?
-am using Version 7.10.2 (indexer) 2.16.0 (opensearch dashboard), 4.10.1 (wazuh version)

I am not sure what you mean by 7.10.2 (indexer) 2.16.0 (opensearch dashboard) and it is not clear to me if you are using Wazuh dashboard and Wazuh indexer or your could be using OpenSearch and/or OpenSearch Dashboards.

1. Could you clarify what applications and versions are you using?

2. Did you install some external plugin to Wazuh dashboard or Wazuh indexer? Share the plugins list of Wazuh dashboard/Opensearch dashboards and Wazuh indexer/OpenSearch you have installed:

• Wazuh dashboards list plugins:

sudo /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin list --allow-root

• Wazuh indexer list plugins:

sudo /usr/share/wazuh-indexer/bin/opensearch-plugin list

If you are using some OpenSearch applications, the commands could be similar but different path.

3. Additionally, you could try to replicate the problem and take a look to the Wazuh indexer and Wazuh dashboard logs:

3.1. Review the Wazuh indexer logs:

cat /var/log/wazuh-indexer/<CLUSTER_NAME>.log

Review the logs with date related to the change with the settings in the keystore. Ensure the application of the settings was done, in the https://opensearch.org/docs/2.16/observing-your-data/notifications/index/#email-as-a-channel-type guide explain how to do it.

replace the <CLUSTER_NAME> placeholder by the Wazuh indexer cluster name.

3.2. Review the Wazuh dashboard logs.

Taking into account the message related to the Wazuh dashboard can not start when you define that settings in the Wazuh indexer keystore side commented here: #506 (comment), maybe you could try to enable the verbosity of Wazuh dashboard logs with the following setting in the Wazuh dashboard configuration file (opensearch_dashboards.yml):

logging.verbose: true

4. Share the configuration of Wazuh dashboard and Wazuh indexer , obfuscating the sensitive data.

5. List the keys in the Wazuh indexer and dashboard keystores:

sudo /usr/share/wazuh-indexer/bin/opensearch-keystore list
sudo /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore list --allow-root

Test replication

I tried to replicate the problem using a Wazuh stack 4.10.1:

• Wazuh dashboard 4.10.1
• Wazuh indexer 4.10.1
• Wazuh server 4.10.1

I could not replicate the mentioned problem.

Steps:

• Deploy Wazuh stack 4.10.1 (Wazuh dashboard, Wazuh indexer, Wazuh server)
• Configure a SMTP server using postfix: https://documentation.wazuh.com/4.10/user-manual/manager/alert-management.html#smtp-server-with-authentication
• Create the notification channel through Wazuh dashboard
  • Create SMTP sender
  • Create recipient group
• Add the following settings to the Wazuh indexer keystore using the keystore binary of Wazuh indexer /usr/share/wazuh-indexer/bin/opensearch-keystore:

opensearch.notifications.core.email.<sender_name>.username
opensearch.notifications.core.email.<sender_name>.password

• Reload the settings through the API request https://opensearch.org/docs/2.16/observing-your-data/notifications/index/#email-as-a-channel-type

Then I restarted the Wazuh dashboard and I did not get the mentioned problem.

Evidences

Wazuh dashboard logs filtering by missing:

root@ubuntu-2204:/home/vagrant# journalctl -u wazuh-dashboard | grep missing
root@ubuntu-2204:/home/vagrant# 

No result were found.

Wazuh indexer keystore list keys:

root@ubuntu-2204:/home/vagrant# /usr/share/wazuh-indexer/bin/opensearch-keystore list
keystore.seed
opensearch.notifications.core.email.localhost_smtp.password
opensearch.notifications.core.email.localhost_smtp.username