I'm not getting any emails from OSSEC..


Rene Veerman

Oct 1, 2021, 10:04:06 PM
to ossec-list
Hi.

I'm new to OSSEC, and I'm having trouble getting emails from it.
If someone here can help me with that, I'd appreciate it a lot.

My OS is the latest stable Kubuntu, with iRedMail (which includes Postfix) for email support.

Here are some of the relevant logs; the rules are added as an attachment to this mail.

root@parakeet:/var/ossec# systemctl status ossec.service
● ossec.service - LSB: Start and stop OSSEC HIDS
     Loaded: loaded (/etc/init.d/ossec; generated)
     Active: active (exited) since Fri 2021-10-01 20:29:48 CEST; 5h 58min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 51972 ExecStart=/etc/init.d/ossec start (code=exited, status=0/SUCCESS)

okt 01 20:29:45 parakeet ossec[51973]: Starting OSSEC HIDS v3.6.0...
okt 01 20:29:45 parakeet ossec[51973]: Started ossec-maild...
okt 01 20:29:45 parakeet ossec[51973]: Started ossec-execd...
okt 01 20:29:45 parakeet ossec[51973]: Started ossec-analysisd...
okt 01 20:29:45 parakeet ossec[51973]: Started ossec-logcollector...
okt 01 20:29:45 parakeet ossec[51973]: Started ossec-remoted...
okt 01 20:29:46 parakeet ossec[51973]: Started ossec-syscheckd...
okt 01 20:29:46 parakeet ossec[51973]: Started ossec-monitord...
okt 01 20:29:48 parakeet ossec[51973]: Completed.
okt 01 20:29:48 parakeet systemd[1]: Started LSB: Start and stop OSSEC HIDS.
root@parakeet:/var/ossec# telnet localhost 25
Trying 127.0.0.1...
Connected to smtp.example.com.
Escape character is '^]'.
220 smtp.example.com ESMTP Postfix
^C^]
telnet> quit
Connection closed.
root@parakeet:/var/ossec# /var/ossec/bin/agent_control -r -a
2021/10/02 02:48:33 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2021/10/02 02:48:33 agent_control(1301): ERROR: Unable to connect to active response queue.

** Unable to connect to remoted.
root@parakeet:/var/ossec# vi /etc/postfix/main.cf
root@parakeet:/var/ossec# tail /var/log/postfix.log 
Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1dLmzbbcN: from=<ro...@smtp.example.com>, size=2007, nrcpt=1 (queue active)
Oct 02 02:02:04 smtp postfix/local[87369]: 4HLnGN1LQ3zbbcs: to=<ro...@smtp.example.com>, relay=local, delay=0.06, delays=0.03/0.01/0/0.02, dsn=2.0.0, status=sent (forwarded as 4HLnGN1dLmzbbcN)
Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1LQ3zbbcs: removed
Oct 02 02:02:04 smtp postfix/pipe[87372]: 4HLnGN1brDzbbbZ: to=<postm...@example.com>, orig_to=<ro...@smtp.example.com>, relay=dovecot, delay=0.14, delays=0.01/0.01/0/0.13, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1brDzbbbZ: removed
Oct 02 02:02:04 smtp postfix/pipe[87373]: 4HLnGN1dLmzbbcN: to=<postm...@example.com>, orig_to=<ro...@smtp.example.com>, relay=dovecot, delay=0.17, delays=0.01/0.01/0/0.15, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1dLmzbbcN: removed
Oct 02 02:34:00 smtp postfix/smtpd[90923]: connect from smtp.example.com[127.0.0.1]
Oct 02 02:34:09 smtp postfix/smtpd[90923]: lost connection after CONNECT from smtp.example.com[127.0.0.1]
Oct 02 02:34:09 smtp postfix/smtpd[90923]: disconnect from smtp.example.com[127.0.0.1] commands=0/0
root@parakeet:/var/ossec# tail logs/ossec.log 
2021/10/01 20:33:13 ossec-monitord(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-logcollector(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-remoted(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-syscheckd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-analysisd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-maild(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2021/10/01 20:33:13 ossec-execd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/02 02:48:33 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2021/10/02 02:48:33 agent_control(1301): ERROR: Unable to connect to active response queue.
root@parakeet:/var/ossec# cat /etc/ossec-init.conf | grep VERSION
VERSION="v3.6.0"
root@parakeet:/var/ossec/rules# ufw status
Status: inactive

If you need more information to help get this fixed, I'm most willing to provide it.

ossec.conf
local_rules.xml
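To make the checks in the post above repeatable, here is an added Python example (my own, not part of the original post and not OSSEC's code). It reads the last start/stop line per daemon from logs/ossec.log, pulls the settings ossec-maild depends on out of ossec.conf, and sends a complete test message through the SMTP relay instead of a bare telnet connect. The log lines are taken from the post, but the "Started (pid: N)" lines of the restarted case, the hostname in email_from and the whole ossec.conf fragment are constructed samples (the poster's attached ossec.conf is not on the page).

```python
"""Three checks for the OSSEC mail path: is ossec-maild up according to
logs/ossec.log, does ossec.conf tell it to send mail, and does the SMTP relay
accept a full message.  Added example, not OSSEC's own code."""
import re
import smtplib
import xml.etree.ElementTree as ET
from email.message import EmailMessage

# OSSEC 3.x logs "ossec-maild: INFO: Started (pid: N)." on start and
# "ossec-maild(1225): INFO: SIGNAL [(15)-(Terminated)] ..." on a clean stop.
STARTED_RE = re.compile(r"^\S+ \S+ (ossec-\w+): INFO: Started \(pid: \d+\)")
STOPPED_RE = re.compile(r"^\S+ \S+ (ossec-\w+)\(\d+\): INFO: SIGNAL \[\(15\)-\(Terminated\)\]")

# Constructed sample 1: the tail of ossec.log as quoted in the post (stop at
# 20:33:13, nothing started afterwards).
OSSEC_LOG_SHOWN = """\
2021/10/01 20:33:13 ossec-monitord(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-maild(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2021/10/01 20:33:13 ossec-execd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/02 02:48:33 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
"""
# Constructed sample 2: the same log after a hypothetical later ossec-control start.
OSSEC_LOG_RESTARTED = OSSEC_LOG_SHOWN + """\
2021/10/02 09:00:01 ossec-maild: INFO: Started (pid: 52001).
2021/10/02 09:00:01 ossec-analysisd: INFO: Started (pid: 52005).
"""
# Constructed ossec.conf fragment with default-style mail settings.  A stock
# ossec.conf has several top-level <ossec_config> blocks, as reproduced here.
SAMPLE_CONF = """\
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>root@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@parakeet</email_from>
  </global>
  <alerts><email_alert_level>7</email_alert_level></alerts>
</ossec_config>
<ossec_config><syscheck><frequency>79200</frequency></syscheck></ossec_config>
"""


def daemon_state(log_text):
    """Map each daemon to 'running' or 'stopped' from its last start/stop line.
    Lines are read in order, so a Terminated line after a Started line wins."""
    state = {}
    for line in log_text.splitlines():
        m = STARTED_RE.match(line)
        if m:
            state[m.group(1)] = "running"
            continue
        m = STOPPED_RE.match(line)
        if m:
            state[m.group(1)] = "stopped"
    return state


def mail_settings(conf_text):
    """Read the <global> and <alerts> settings ossec-maild depends on.
    Multiple top-level <ossec_config> blocks are not one well-formed XML
    document, so the text is wrapped in a dummy root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")

    def text(path):
        node = root.find(path)
        return node.text.strip() if node is not None and node.text else None

    keys = ("email_notification", "email_to", "smtp_server", "email_from")
    settings = {k: text("./ossec_config/global/" + k) for k in keys}
    settings["email_alert_level"] = text("./ossec_config/alerts/email_alert_level")
    return settings


def mail_problems(settings, state):
    """Reasons no mail would leave ossec-maild, combining the two checks above."""
    problems = []
    if state.get("ossec-maild") != "running":
        problems.append("ossec-maild is not running: its last ossec.log entry is a "
                        "shutdown, or it never started")
    if settings["email_notification"] != "yes":
        problems.append("<email_notification> is not 'yes'")
    for key in ("email_to", "smtp_server", "email_from"):
        if not settings[key]:
            problems.append("<%s> is not set in <global>" % key)
    return problems


def smtp_probe(host, port, mail_from, rcpt_to, timeout=10):
    """Send one real message through the relay maild would use (full
    EHLO/MAIL/RCPT/DATA/QUIT, unlike a telnet connect that sends no command).
    Returns smtplib's dict of refused recipients; {} means the relay accepted it."""
    msg = EmailMessage()
    msg["From"], msg["To"] = mail_from, rcpt_to
    msg["Subject"] = "OSSEC mail-path probe (sent outside OSSEC)"
    msg.set_content("If this arrives, the relay is fine and the problem is in OSSEC.")
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.send_message(msg)


if __name__ == "__main__":
    s = mail_settings(SAMPLE_CONF)
    print("as posted:", mail_problems(s, daemon_state(OSSEC_LOG_SHOWN)))
    print("restarted:", mail_problems(s, daemon_state(OSSEC_LOG_RESTARTED)))
    # On the real host read /var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log
    # instead, then: smtp_probe(s["smtp_server"], 25, s["email_from"], s["email_to"])
```

Run on the log tail quoted in the post, the first check reports that the last ossec.log entry for ossec-maild is a shutdown; the relay side is a separate question, which is why the probe sends a full message. The telnet session in the post sent no SMTP command, which is all that Postfix's "lost connection after CONNECT ... commands=0/0" line records, and the agent_control error concerns the active-response queue, a different path from the one ossec-maild uses.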

Rene Veerman

Oct 11, 2021, 6:41:28 AM
to ossec...@googlegroups.com
I had made the mistake of installing only the server...

This manual helped me a lot in setting up a proper OSSEC system on 2 machines:

