ossec-maild not sending out any alerts (relaying through ssmtp)

theresa mic-snare

Jul 3, 2015, 12:19:13 PM
to ossec...@googlegroups.com

Hi ossec'ers,


My problem is that I can't send out any emails/alert notifications with the ossec-maild process. I'm relaying my emails through ssmtp, and the configuration is valid because I'm able to send out mails to external addresses through mailx, for instance. But for some reason OSSEC just won't send any emails out.

I have the following in my global ossec.conf:


  <global>
    <email_notification>yes</email_notification>
    <email_to>x...@gmail.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>x...@gmail.com</email_from>
  </global>

So with localhost or 127.0.0.1 it should use ssmtp to send out emails, right?


Does the email_from field have to be ossecm@realdomain? Or can this be a Gmail address as well? So does it mean the ossecm user needs to send out these alerts?

Again, tests to send out emails through ssmtp via mailx have been successful, so I doubt it's an ssmtp issue here.

Also, what I find a little odd is that when I restart OSSEC through ossec-control, all the services/processes should be restarted in a specific order, right? However, when I look at the ossec.log in /var/ossec/logs/ossec.log, ossec-maild isn't mentioned at all.... The process itself runs though, when I do a ps -ef | grep ossec-maild.

My question now: how can I get the email notification in OSSEC to work?!


thanks!

Daniil Svetlov

Jul 4, 2015, 8:40:14 AM
to ossec...@googlegroups.com
Hello, Theresa!

First of all, check the spam folder in your Gmail account. Probably Gmail just puts mail from OSSEC in it, because it doesn't look valid.

If you use an SMTP server on localhost, check the logs of the MTA. It must be in /var/log/maillog.

Fri, 3 Jul 2015 at 19:19, theresa mic-snare <rockpr...@gmail.com>:
--
Best regards, Daniil Svetlov.

theresa mic-snare

Jul 4, 2015, 10:41:47 AM
to ossec...@googlegroups.com
Hi Daniil,

I've already done that. The maillog doesn't show the mail being sent, but there isn't an error either. It seems that ossec-maild isn't even relaying it to the local SMTP MTA (ssmtp) because, as said before, I can send out mails with mailx just fine.

The ossec.log doesn't even mention ossec-maild even though the process is running...
Hmm

theresa mic-snare

Jul 4, 2015, 12:13:20 PM
to ossec...@googlegroups.com
I've also tried disabling iptables, but that didn't help either...
But then again, I can send out emails with mailx just fine, so I don't think it's iptables blocking anyway...

Any ideas?

Daniil Svetlov

Jul 5, 2015, 8:02:29 AM
to ossec...@googlegroups.com
Theresa, try to issue the command /var/ossec/bin/ossec-control enable debug. It will increase log verbosity. Then restart OSSEC and check /var/ossec/log/ossec.log.
Also, after the restart, issue the command "ps aux | grep ossec" and check that the ossec-maild process is running.

Sat, 4 Jul 2015 at 19:13, theresa mic-snare <rockpr...@gmail.com>:

theresa mic-snare

Jul 6, 2015, 1:35:03 PM
to ossec...@googlegroups.com
Hi Daniil,

Thank you very much for the advice about enabling debug!!
I've now looked into the ossec.log and it says:

2015/07/05 03:34:02 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
2015/07/05 15:03:18 ossec-syscheckd: INFO: Starting syscheck scan.
2015/07/05 15:16:37 ossec-syscheckd: INFO: Ending syscheck scan.
2015/07/05 15:21:37 ossec-rootcheck: INFO: Starting rootcheck scan.
2015/07/05 15:24:22 ossec-rootcheck: INFO: Ending rootcheck scan.
2015/07/06 11:19:22 ossec-syscheckd: INFO: Starting syscheck scan.
2015/07/06 11:32:41 ossec-syscheckd: INFO: Ending syscheck scan.
2015/07/06 11:37:41 ossec-rootcheck: INFO: Starting rootcheck scan.
2015/07/06 11:40:28 ossec-rootcheck: INFO: Ending rootcheck scan.
2015/07/06 19:03:11 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
2015/07/06 19:03:14 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
2015/07/06 19:03:14 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2015/07/06 19:03:14 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2015/07/06 19:03:14 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
2015/07/06 19:03:14 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
2015/07/06 19:03:14 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2015/07/06 19:03:14 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2015/07/06 19:03:15 ossec-testrule: INFO: Reading local decoder file.
2015/07/06 19:03:15 ossec-testrule: INFO: Started (pid: 1900).
2015/07/06 19:03:15 ossec-maild: DEBUG: Starting ...
2015/07/06 19:03:15 ossec-maild: INFO: Chrooted to directory: /var/ossec, using user: ossecm
2015/07/06 19:03:15 ossec-maild: INFO: Started (pid: 1921).

2015/07/06 19:03:15 ossec-analysisd: DEBUG: Starting ...
2015/07/06 19:03:15 ossec-analysisd: DEBUG: Found user/group ...
2015/07/06 19:03:15 ossec-analysisd: DEBUG: Active response initialized ...

I've no idea why it says it can't send mails to localhost.
Do you think this could be an iptables or SELinux issue? Although I've set SELinux to status "Permissive", so it actually shouldn't block anything.

I have an assumption about why it's not working.
When I do a netstat -plntu I can only see the server listening on the SSH port.

For my mail setup I only use ssmtp (to relay to gmail.com); do I also need postfix set up for local mailing? The postfix config lets you relay mails locally...
What is your mail setup on the server?
I think ossec-maild needs a local MTA listening on port 25 to send emails out to ssmtp?!

What do you think?
Please help!

theresa mic-snare

Jul 6, 2015, 1:35:50 PM
to ossec...@googlegroups.com
OK, managed to fix this, and I'm face-palming myself....

I've tweaked the postfix config a bit, enabled the service, and there we go...
ossec-maild is now officially sending out alerts to my email address.

theresa happy :)


On Sunday, 5 July 2015 14:02:29 UTC+2, Daniil Svetlov wrote:

Daniil Svetlov

Jul 7, 2015, 6:15:10 PM
to ossec...@googlegroups.com
Nice to see that you found a solution!

Mon, 6 Jul 2015 at 20:35, theresa mic-snare <rockpr...@gmail.com>:

Laura Herrera

Sep 28, 2016, 6:42:25 AM
to ossec-list
Hi Theresa,

Please, can I ask how you solved this problem?

Thanks a lot,
Laura

dan (ddp)

Sep 28, 2016, 6:47:20 AM
to ossec...@googlegroups.com

On Sep 28, 2016 6:42 AM, "Laura Herrera" <peq...@gmail.com> wrote:
>
> Hi Theresa,
>
> Please, can I ask how you solved this problem?
>

If you're having issues, you could post details and we could try to help.

Laura Herrera

Sep 28, 2016, 11:37:57 AM
to ossec-list
Hi Dan,

Yes, thank you, I have been trying to get this working all day.

I am running OSSEC on an Ubuntu 14.04 server and I need to be able to email alerts, of course.

I saw in a separate post that OSSEC actually needs SMTP listening on the local server, and so I decided to use postfix as a relay.
To make things more complicated, my mail server is in Office 365.

Here are my configurations:
/etc/postfix/main.cf   (changes from original)

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_generic_maps = hash:/etc/postfix/generic

myhostname = ossec-1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.localdomain, localhost
mynetworks = 127.0.0.0/8, 10.0.0.0/8

/etc/postfix/generic


/etc/postfix/sasl_passwd
[smtp.office365.com]:587 us...@example.com:MyPassword


ossec.conf
  <global>
    <jsonout_output>no</jsonout_output>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_to>dev...@example.com</email_to>
    <email_from>us...@example.com</email_from>
  </global>

I am sure postfix is listening on port 25:
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      947/master

The error I get, even after enabling debug mode in OSSEC, is not very helpful at all:
2016/09/28 09:36:04 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)

Nothing before or after that is of any help...

Sorry, I don't know what else to say.

Thanks a lot, hope you can help
Laura
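
The thread's conclusion (ossec-maild speaks SMTP over TCP to <smtp_server> itself and needs a real listener there) can be checked directly. As an added example, not code from the thread, from OSSEC or from Postfix, the Python below replays the plain unauthenticated HELO/MAIL FROM/RCPT TO dialog against a host and port and names the step that fails, which is more than the generic "Error Sending email to 127.0.0.1" line gives. The fake_mta helper is a constructed one-shot stand-in for a local Postfix so the probe can be demonstrated offline; the HELO name, the addresses and the reply texts are assumptions.

```python
import socket
import threading

def _reply(f):
    """Read one SMTP reply; a multi-line reply ('250-...') ends at its '250 ' line."""
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:
            return "", "connection closed by server"
        if len(line) < 4 or line[3] != "-":
            return line[:3], line.strip()

def probe_smtp(host, port, mail_from, rcpt_to, timeout=5.0):
    """Replay the unauthenticated HELO/MAIL/RCPT dialog; return 'ok' or the failing step."""
    steps = [(None, {"220"}), (b"HELO ossec.localdomain\r\n", {"250"}),
             (b"MAIL FROM:<%s>\r\n" % mail_from.encode(), {"250"}),
             (b"RCPT TO:<%s>\r\n" % rcpt_to.encode(), {"250", "251"}),
             (b"RSET\r\n", {"250"}), (b"QUIT\r\n", {"221"})]
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
            for cmd, good in steps:
                if cmd:
                    s.sendall(cmd)
                code, text = _reply(f)
                if code not in good:  # e.g. 'RCPT: 554 5.7.1 Relay access denied'
                    return f"{cmd.split()[0].decode() if cmd else 'banner'}: {text}"
    except OSError as e:  # nothing listening on port 25: all ossec-maild reports is its generic error
        return f"connect: {e}"
    return "ok"

def fake_mta(accept_rcpt=True):
    """Start a constructed one-shot stand-in for a local Postfix (not the real MTA); return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        c, _ = srv.accept()
        c.sendall(b"220 ossec-1.example.com ESMTP Postfix\r\n")
        for line in c.makefile("rb"):
            if line[:4].upper() == b"RCPT" and not accept_rcpt:
                c.sendall(b"554 5.7.1 Relay access denied\r\n")  # what a too-strict relay policy returns
            elif line[:4].upper() == b"QUIT":
                c.sendall(b"221 Bye\r\n")
                break
            else:
                c.sendall(b"250 OK\r\n")
        c.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

On the OSSEC host, call probe_smtp("127.0.0.1", 25, email_from, email_to) with the addresses from ossec.conf: a "connect:" result means nothing is listening (Theresa's situation before enabling Postfix), while an "RCPT:" result means the MTA answers but refuses the relay, which is the moment to read Postfix's mynetworks/relay settings and its mail log.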

Laura Herrera

Sep 28, 2016, 12:56:16 PM
to ossec-list
Hi Dan,

Changing the subject a bit, do you know if it's possible to have alerts in OSSEC call a script instead of sending an email directly?

Ta
Laura

dan (ddp)

Sep 29, 2016, 10:15:34 AM
to ossec...@googlegroups.com
Have you checked postfix's logs to see if it is logging the error?

dan (ddp)

Sep 29, 2016, 10:15:38 AM
to ossec...@googlegroups.com
On Wed, Sep 28, 2016 at 12:56 PM, Laura Herrera <peq...@gmail.com> wrote:
> Hi Dan,
>
> Changing subject a bit, do you know if it's possible to have alerts in
> ossec calling a script instead of sending an email directly?
>

Other than active response, no.