ossec-maild?


Glen Peterson

Mar 30, 2020, 2:00:04 PM
to ossec-list
Sorry to be dense.  I just tried to post another message and don't see it in google groups.  I'm noticing that other people have an ossec-maild, but I don't:
$ sudo ls -l /var/ossec/bin/
total 1164
-r-xr-x--- 1 root ossec 149632 Mar 15 15:02 agent-auth
-r-xr-x--- 1 root ossec 153728 Mar 15 15:02 manage_agents
-r-xr-x--- 1 root ossec 276704 Mar 15 15:02 ossec-agentd
-r-xr-x--- 1 root ossec   4593 Feb 14 14:46 ossec-control
-r-xr-x--- 1 root ossec  63504 Mar 15 15:02 ossec-execd
-r-xr-x--- 1 root ossec 235840 Mar 15 15:02 ossec-logcollector
-r-xr-x--- 1 root ossec 284864 Mar 15 15:02 ossec-syscheckd
-r-xr-x--- 1 root ossec   4503 Feb 14 14:46 util.sh

I just installed ossec for the first time over the weekend.  I can't seem to get it to send mail.  Am I missing an executable?

dan (ddp)

Mar 30, 2020, 2:01:35 PM
to ossec...@googlegroups.com
This looks like an agent installation. The OSSEC server handles
sending out email.


Glen Peterson

Mar 30, 2020, 2:11:07 PM
to ossec-list
I installed on Ubuntu 18.04 according to this:

I installed both agent and server.  Specifically:

$ sudo apt update

$ sudo apt install ossec-hids-server
$ sudo apt install ossec-hids-agent

$ sudo -u ossec ssh-keygen

$ sudo vim /var/ossec/etc/client.keys
001 server1 any <some-passphrase-you-save-in-keepass>

$ sudo chown root.ossec /var/ossec/etc/client.keys

Then I edited ossec.conf as I wrote in my previous mail and started the server.

$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
Started ossec-execd...
2020/03/30 14:05:04 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2020/03/30 14:05:04 going daemon
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.




dan (ddp)

Mar 30, 2020, 2:50:58 PM
to ossec...@googlegroups.com
On Mon, Mar 30, 2020 at 2:11 PM Glen Peterson <Glen.K....@gmail.com> wrote:
>
> I installed on Ubuntu 18.04 according to this:
> https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian
>
> I installed both agent and server. Specifically:
> $ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
>
> $ sudo apt update
>
> $ sudo apt install ossec-hids-server
> $ sudo apt install ossec-hids-agent
>

They should be mutually exclusive, so I'm guessing the agent removed the server.

Glen Peterson

Mar 30, 2020, 3:49:42 PM
to ossec-list
This is progress, I now have ossec-maild running, but still no email and nothing from ossec in /var/log/mail.log.  Here's what I did:

$ sudo /var/ossec/bin/ossec-control stop
$ sudo apt purge ossec-hids-agent
$ sudo apt purge ossec-hids-server
$ sudo apt install ossec-hids-server

My old keygen file was still there, as was the client.keys file.

$ sudo vim /var/ossec/etc/ossec.conf

  <global>
    <email_notification>yes</email_notification>
    <email_to>my.e...@company.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>root@localhost</email_from>
  </global>


$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.


No email.  Then I tried with:
<smtp_server>/usr/sbin/sendmail</smtp_server>

Still no email.

$ sudo cat /var/ossec/logs/ossec.log
...
2020/03/30 15:38:24 ossec-testrule: INFO: Reading local decoder file.
2020/03/30 15:38:24 ossec-testrule: INFO: Started (pid: 17631).
2020/03/30 15:38:24 ossec-maild: INFO: Started (pid: 17644).
2020/03/30 15:38:24 ossec-execd: INFO: Started (pid: 17649).
2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17661).
2020/03/30 15:38:24 IPv6: :: on port 1514
2020/03/30 15:38:24 Socket bound for IPv6: :: on port 1514
2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17663).
2020/03/30 15:38:24 rootcheck: System audit file not configured.
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading local decoder file.
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'apparmor_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'unbound_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'sysmon_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'opensmtpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'exim_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'openbsd-dhcpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'dnsmasq_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Total rules enabled: '1544'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/random.seed'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '127.0.0.1'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.1'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.190'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.32'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.10'
2020/03/30 15:38:24 ossec-analysisd: INFO: 5 IPs in the allow list for active response.
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing Hostname: '::1'
2020/03/30 15:38:24 ossec-analysisd: INFO: 1 Hostname(s) in the allow list for active response.
2020/03/30 15:38:24 ossec-analysisd: INFO: Started (pid: 17653).
2020/03/30 15:38:25 ossec-monitord: INFO: Started (pid: 17673).
2020/03/30 15:38:25 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
2020/03/30 15:38:25 ossec-remoted(1410): INFO: Reading authentication keys file.
2020/03/30 15:38:25 ossec-remoted: INFO: No previous counter available for 'server1'.
2020/03/30 15:38:25 ossec-remoted: INFO: Assigning counter for agent server1: '0:0'.
2020/03/30 15:38:25 ossec-remoted: INFO: Assigning sender counter: 0:909
2020/03/30 15:38:27 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2020/03/30 15:38:27 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2020/03/30 15:38:29 ossec-syscheckd: INFO: Started (pid: 17669).
2020/03/30 15:38:29 ossec-rootcheck: INFO: Started (pid: 17669).
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/bin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/sbin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/boot', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/random.seed'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
2020/03/30 15:38:29 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/messages' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/authlog' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/secure' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/xferlog' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/maillog' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/www/logs/access_log' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/access_log'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/www/logs/error_log' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/error_log'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/exim_mainlog' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/exim_mainlog'.
2020/03/30 15:38:30 ossec-logcollector: INFO: Started (pid: 17657).
2020/03/30 15:38:35 ossec-monitord: WARN: Process locked. Waiting for permission...
2020/03/30 15:38:44 ossec-logcollector: WARN: Process locked. Waiting for permission...
2020/03/30 15:39:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2020/03/30 15:39:31 ossec-syscheckd: WARN: Process locked. Waiting for permission...
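An added example, not code from this thread or from the OSSEC project: a POSIX sh script that reads the install type off the daemon set in an OSSEC bin directory (the way dan read Glen's first listing, and the "mutually exclusive" packages point) and checks that the <global> block of ossec.conf actually turns email on. It assumes the standard /var/ossec paths; the fixture names are constructed from the two listings in this thread.

```shell
# Added example, not code from the thread or the OSSEC project. Classifies an
# OSSEC install from the daemons in its bin directory and checks the <global>
# email settings in ossec.conf. Fixture names are constructed from the thread.

# ossec_install_type BIN_DIR -> prints server|agent|mixed|none
ossec_install_type() {
    server=0; agent=0
    # analysisd, remoted and maild ship only with the server package, and
    # maild is the process that sends alert mail: no maild, no email.
    for d in ossec-analysisd ossec-remoted ossec-maild; do
        if [ -x "$1/$d" ]; then server=1; fi
    done
    # ossec-agentd ships only with the agent package.
    if [ -x "$1/ossec-agentd" ]; then agent=1; fi
    if [ "$server" = 1 ] && [ "$agent" = 1 ]; then echo mixed
    elif [ "$server" = 1 ]; then echo server
    elif [ "$agent" = 1 ]; then echo agent
    else echo none
    fi
}

# ossec_mail_check CONF -> prints "ok" and returns 0 when <global> sets
# email_notification to yes and names both email_to and smtp_server;
# otherwise prints the missing settings and returns 1.
ossec_mail_check() {
    global=$(sed -n '/<global>/,/<\/global>/p' "$1")
    missing=""
    printf '%s\n' "$global" | grep -q '<email_notification>yes</email_notification>' \
        || missing="$missing email_notification"
    printf '%s\n' "$global" | grep -q '<email_to>..*</email_to>' \
        || missing="$missing email_to"
    printf '%s\n' "$global" | grep -q '<smtp_server>..*</smtp_server>' \
        || missing="$missing smtp_server"
    if [ -n "$missing" ]; then echo "missing:$missing"; return 1; fi
    echo ok
}

# make_fixture DIR agent|server -> executable stubs named after the daemons in
# Glen's agent listing and his later server start-up (constructed, no binaries).
make_fixture() {
    mkdir -p "$1"
    if [ "$2" = agent ]; then
        set -- "$1" agent-auth manage_agents ossec-agentd ossec-control \
            ossec-execd ossec-logcollector ossec-syscheckd util.sh
    else
        set -- "$1" ossec-maild ossec-execd ossec-analysisd ossec-logcollector \
            ossec-remoted ossec-syscheckd ossec-monitord ossec-control
    fi
    dir=$1; shift
    for d in "$@"; do : > "$dir/$d"; chmod 750 "$dir/$d"; done
}

if [ -d /var/ossec/bin ]; then  # report on the live install, if this host has one
    echo "install type: $(ossec_install_type /var/ossec/bin)"
    ossec_mail_check /var/ossec/etc/ossec.conf 2>/dev/null
fi
```

Run as a user that can read /var/ossec/etc/ossec.conf; "agent" or "none" means there is no ossec-maild to send anything, whatever the config says.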




Glen Peterson

Mar 30, 2020, 4:02:06 PM
to ossec-list
I did that all again, but added:
$ sudo rm -rf /var/ossec/
between the uninstall and reinstall.  Then created my keygen and client.keys files from scratch.

and...

Ohhhhh...  Now I'm getting email alerts!!!  Wohoo!

Thanks so much for your help!
