Email configuration issue


Glen Peterson

Mar 30, 2020, 2:00:04 PM
to ossec-list
I think my issue is my server's mail (postfix) configuration.  I can send an email from the command line like so:

$ sendmail -f root@localhost my.e...@company.com
This is a test.
.

I can see it get sent in /var/log/mail.log.  I get it (in my spam folder, but it's a start).

I added these settings to /var/ossec/etc/ossec.conf

  <global>
    <email_notification>yes</email_notification>
    <email_to>my.e...@company.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>root@localhost</email_from>
  </global>

Then:

sudo /var/ossec/bin/ossec-control stop

sudo /var/ossec/bin/ossec-control start
sudo tail -F /var/ossec/logs/ossec.log

It starts up fine - I can see a couple dozen new messages in the log (see the end of this email).  But there is no email, and no record of even an email attempt in /var/log/mail.log

I'm guessing that ossec doesn't send mail the same way I do when I test sendmail from the command line, but I don't know what it *does* do.

Then I tried:
$ whereis sendmail
sendmail: /usr/sbin/sendmail /usr/lib/sendmail /usr/share/man/man1/sendmail.1.gz
$ ls -l /usr/sbin/sendmail
-rwxr-xr-x 1 root root 26776 Oct 11  2018 /usr/sbin/sendmail

And changed
    <smtp_server>localhost</smtp_server>
to
    <smtp_server>/usr/sbin/sendmail</smtp_server>

stopped and started ossec-control: still no email.  Still no errors about emails.  Here is /var/ossec/logs/ossec.log from the latest attempt

2020/03/30 12:24:19 ossec-execd: INFO: Started (pid: 5337).
2020/03/30 12:24:19 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2020/03/30 12:24:19 going daemon
2020/03/30 12:24:19 starting imsg stuff
2020/03/30 12:24:19 Creating socketpair()
2020/03/30 12:24:19 agentd imsg_init()
2020/03/30 12:24:19 os_dns imsg_init()
2020/03/30 12:24:19 ossec-agentd(1410): INFO: Reading authentication keys file.
2020/03/30 12:24:19 ossec-agentd: INFO: No previous counter available for 'server1'.
2020/03/30 12:24:19 ossec-agentd: INFO: Assigning counter for agent server1: '0:0'.
2020/03/30 12:24:19 ossec-agentd: INFO: Assigning sender counter: 0:659
2020/03/30 12:24:19 rootcheck: System audit file not configured.
2020/03/30 12:24:19 ossec-agentd: INFO: Started (pid: 5341).
2020/03/30 12:24:19 ossec-agentd: INFO: Server 1: 172.24.16.158
2020/03/30 12:24:19 ossec-agentd: INFO: Trying to connect to server 172.24.16.158, port 1514.
2020/03/30 12:24:19 INFO: Connected to 172.24.16.158 at address 172.24.16.158, port 1514
2020/03/30 12:24:19 ossec-agentd: DEBUG: agt->sock: 11
2020/03/30 12:24:23 ossec-syscheckd: INFO: Started (pid: 5350).
2020/03/30 12:24:23 ossec-rootcheck: INFO: Started (pid: 5350).
2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/bin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/sbin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/boot', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/random.seed'
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
2020/03/30 12:24:23 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/messages' due to [(2)-(No such file or directory)].
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/authlog' due to [(2)-(No such file or directory)].
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/secure' due to [(2)-(No such file or directory)].
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/xferlog' due to [(2)-(No such file or directory)].
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/maillog' due to [(2)-(No such file or directory)].
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/www/logs/access_log' due to [(2)-(No such file or directory)].
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/access_log'.
2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/www/logs/error_log' due to [(2)-(No such file or directory)].
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/error_log'.
2020/03/30 12:24:25 ossec-logcollector: INFO: Started (pid: 5346).
2020/03/30 12:24:27 ossec-logcollector: WARN: Process locked. Waiting for permission...
2020/03/30 12:24:40 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '172.24.16.158'.
2020/03/30 12:24:42 ossec-agentd: INFO: Trying to connect to server 172.24.16.158, port 1514.
2020/03/30 12:24:42 INFO: Connected to 172.24.16.158 at address 172.24.16.158, port 1514
2020/03/30 12:24:42 ossec-agentd: DEBUG: agt->sock: 15
2020/03/30 12:25:03 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '172.24.16.158'.
2020/03/30 12:25:23 ossec-agentd: INFO: Trying to connect to server 172.24.16.158, port 1514.
2020/03/30 12:25:23 INFO: Connected to 172.24.16.158 at address 172.24.16.158, port 1514
2020/03/30 12:25:23 ossec-agentd: DEBUG: agt->sock: 18


José Manuel López del Río

Sep 16, 2020, 2:42:47 PM
to ossec-list
Hello Glen,
By default, once email alerts are configured, emails are sent only for alerts with a level greater than or equal to the one set in the following stanza of your configuration file:

<alerts>
     <log_alert_level>3</log_alert_level>
     <email_alert_level>12</email_alert_level>
</alerts>

Make sure that you are generating alerts with a level at or above the one you can find in that stanza.
You could also customize it and restart the service to apply the changes.

I hope it helps.
Regards,
Jose Manuel Lopez
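As an added example (not code from either post, nor from the OSSEC project): a small Python check that parses the <global> and <alerts> stanzas quoted in this thread and shows which alerts would clear the <email_alert_level> threshold. The rule ids and levels, the local rule 100001 and the <client> block are constructed for the example; the rule options alert_by_email and no_email_alert are OSSEC's own, and the agent/manager check reflects that ossec-maild runs on the manager, so email settings in an agent's ossec.conf are never used.

```python
"""Check an OSSEC email configuration and list which alerts would be mailed.

Added example for this thread; not code from the original posts or from
the OSSEC project. It parses the <global> and <alerts> stanzas of an
ossec.conf-style document with the standard library and applies the
<email_alert_level> threshold to a few constructed alerts.
"""
import xml.etree.ElementTree as ET

# Constructed sample stanzas, modelled on the ones quoted in the thread.
GLOBAL_AND_ALERTS = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>my.e...@company.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>root@localhost</email_from>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>
"""

# A <client> block marks an agent configuration (constructed; the IP is the
# manager address shown in the thread's log).
AGENT_CLIENT = """
<ossec_config>
  <client>
    <server-ip>172.24.16.158</server-ip>
  </client>
</ossec_config>
"""

# Constructed alerts. Rule ids and levels are illustrative; 100001 stands in
# for a local rule carrying the alert_by_email option.
SAMPLE_ALERTS = [
    {"rule": "5501", "level": 3, "options": set()},
    {"rule": "550", "level": 7, "options": set()},
    {"rule": "100001", "level": 7, "options": {"alert_by_email"}},
    {"rule": "5712", "level": 10, "options": set()},
    {"rule": "40111", "level": 12, "options": set()},
]


def parse_conf(text):
    """Return the email-relevant settings of an ossec.conf document.

    ossec.conf holds several top-level <ossec_config> blocks, so the text is
    wrapped in a synthetic root before parsing.
    """
    root = ET.fromstring("<root>" + text + "</root>")

    def first(path):
        el = root.find(path)
        return el.text.strip() if el is not None and el.text else None

    level = first("./ossec_config/alerts/email_alert_level")
    return {
        "email_notification": first("./ossec_config/global/email_notification"),
        "email_to": first("./ossec_config/global/email_to"),
        "smtp_server": first("./ossec_config/global/smtp_server"),
        "email_from": first("./ossec_config/global/email_from"),
        "email_alert_level": int(level) if level is not None else None,
        "is_agent": root.find("./ossec_config/client") is not None,
    }


def config_problems(cfg):
    """List reasons no mail would leave this host; empty means none found."""
    problems = []
    if cfg["email_notification"] != "yes":
        problems.append("email_notification is not 'yes'")
    if not cfg["email_to"]:
        problems.append("email_to is missing")
    if not cfg["smtp_server"]:
        problems.append("smtp_server is missing")
    if cfg["email_alert_level"] is None:
        problems.append("email_alert_level is missing")
    if cfg["is_agent"]:
        # Email is sent by ossec-maild on the manager from the alerts it
        # receives; email settings in an agent's ossec.conf do nothing.
        problems.append("<client> present: this is an agent config, "
                        "configure email on the manager instead")
    return problems


def mailed_alerts(cfg, alerts):
    """Return the rule ids of alerts that would be emailed under cfg."""
    if config_problems(cfg):
        return []
    mailed = []
    for a in alerts:
        if "no_email_alert" in a["options"]:
            continue  # rule option that suppresses email regardless of level
        if a["level"] >= cfg["email_alert_level"] or "alert_by_email" in a["options"]:
            mailed.append(a["rule"])
    return mailed


if __name__ == "__main__":
    for name, text in (("agent", GLOBAL_AND_ALERTS + AGENT_CLIENT),
                       ("manager", GLOBAL_AND_ALERTS)):
        cfg = parse_conf(text)
        print(f"{name}: problems={config_problems(cfg)} "
              f"mailed={mailed_alerts(cfg, SAMPLE_ALERTS)}")
```

Run against the agent-style document it reports the <client> block and mails nothing; against the manager-style document only the level-12 alert and the alert_by_email rule pass. To use it on a real box, read /var/ossec/etc/ossec.conf into parse_conf instead of the constructed strings.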