I'm doing some more research into why my install of OSSEC isn't sending
e-mails when alerts are detected.
I found a problem with my install of sendmail, so I installed the latest
version and got that working properly (the machine I'm working with is
going to become a production server, but is still in the install stages).
Watching /var/ossec/logs/ossec.log revealed many lines looking like:
2006/09/14 09:38:12 os_sendmail(1703): Hello not accepted by
server:12.11/8.12.10; Thu, 14 Sep 2006 09:38:07 -0700 (PDT)^M
2006/09/14 09:38:12 ossec-maild(1223): Error Sending email to
216.177.75.74 (smtp server)
A Google search for "Hello not accepted by server" led me to
http://ossec.underlinux.com.br/ossec-list/2006-April/msg00005.html.
Following the advice in that post I enabled the MAIL_DEBUG_FLAG in
sendmail.c. I see that calls to MAIL_DEBUG get mapped to "merror". There
are a lot of files present in ossec; which one defines merror? Or more
to the point, into which log file will sendmail.c write its mail debug
messages?
After making that change and restarting OSSEC, I'm now getting messages
that look like:
2006/09/14 09:42:47 DEBUG: Received banner: '220
mail.trinetsolutions.com ESMTP Sendmail 8.'
2006/09/14 09:42:47 os_sendmail(1703): Hello not accepted by
server:12.11/8.12.10; Thu, 14 Sep 2006 09:42:42 -0700 (PDT)^M
2006/09/14 09:42:47 ossec-maild(1223): Error Sending email to
216.177.75.74 (smtp server)
Is that DEBUG: line the only thing that gets logged by enabling the
MAIL_DEBUG_FLAG, or can I find more useful info in another log file?
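The two DEBUG lines above show an SMTP banner that stops at "Sendmail 8." while the text reported as the HELO rejection starts with "12.11/8.12.10", i.e. with what looks like the rest of that same banner line. A client that treats whatever a single read returns as the complete reply behaves exactly this way when the server's line arrives in more than one piece; whether that is what os_sendmail does here is an assumption, not something the post establishes. The following C program is an added example, not code from the post or from OSSEC: it fakes the socket with an in-memory server whose reads can be capped at a chosen size, runs the banner/HELO exchange once with a one-read-per-reply client and once with a reader that consumes a full SMTP reply (including multi-line "220-" banners) before parsing the code, and shows only the second one surviving short reads. The hostname, the 250 text and the mock_* names are constructed; the Sendmail version string is the one visible in the log.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the SMTP socket: the server's output is the banner
   before HELO and the HELO reply after it; `chunk` caps how many bytes one
   read returns, so a small value reproduces a recv() that hands back part of a line. */
typedef struct {
    char stream[2048];   /* banner followed by the HELO reply */
    size_t limit;        /* bytes the "server" has produced so far */
    size_t pos;          /* bytes the client has already read */
    size_t chunk;
} mock_server;

static void mock_init(mock_server *s, const char *banner, const char *reply, size_t chunk) {
    snprintf(s->stream, sizeof s->stream, "%s%s", banner, reply);
    s->limit = strlen(banner);   /* only the banner exists before HELO is sent */
    s->pos = 0;
    s->chunk = chunk;
}

/* Stands in for send("HELO host\r\n"): afterwards the reply is readable too. */
static void mock_send_helo(mock_server *s) { s->limit = strlen(s->stream); }

/* Stands in for recv(): returns up to `chunk` of the bytes available so far. */
static int mock_recv(mock_server *s, char *buf, size_t n) {
    size_t avail = s->limit - s->pos;
    if (n > s->chunk) n = s->chunk;
    if (n > avail) n = avail;
    memcpy(buf, s->stream + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* One read == one reply. If the banner line was cut, its remainder surfaces on
   the next read and is parsed as the HELO reply; atoi() then yields whatever
   digits happen to start the fragment ("12.11/..." -> 12, not 250). */
int naive_read_reply(mock_server *s, char *out, size_t outsz) {
    int n = mock_recv(s, out, outsz - 1);
    if (n <= 0) return -1;
    out[n] = '\0';
    return atoi(out);
}

/* Reader that consumes exactly one SMTP reply: one or more "NNN-text" lines
   ending in a "NNN text" line (RFC 5321 4.2.1). Bytes past the final line are
   kept for the next call instead of being dropped. */
typedef struct { mock_server *s; char buf[1024]; size_t used; } smtp_reader;

static int line_is_final(const char *line, size_t len) {
    if (len < 3) return 0;
    for (int i = 0; i < 3; i++)
        if (line[i] < '0' || line[i] > '9') return 0;
    return len == 3 || line[3] == ' ';
}

/* Copies the complete reply (without its final CRLF) into out and returns its
   3-digit code; -1 on EOF, on a reply longer than the buffer, or out too small. */
int read_smtp_reply(smtp_reader *r, char *out, size_t outsz) {
    size_t line_start = 0;
    for (;;) {
        char *nl;
        while ((nl = memchr(r->buf + line_start, '\n', r->used - line_start)) != NULL) {
            size_t line_end = (size_t)(nl - r->buf);
            size_t linelen = line_end - line_start;
            if (linelen > 0 && r->buf[line_end - 1] == '\r') linelen--;
            if (line_is_final(r->buf + line_start, linelen)) {
                size_t reply_len = line_start + linelen;
                if (reply_len + 1 > outsz) return -1;
                memcpy(out, r->buf, reply_len);
                out[reply_len] = '\0';
                int code = atoi(out + line_start);
                size_t consumed = line_end + 1;               /* past the '\n' */
                memmove(r->buf, r->buf + consumed, r->used - consumed);
                r->used -= consumed;
                return code;
            }
            line_start = line_end + 1;
        }
        if (r->used >= sizeof r->buf) return -1;              /* no final line in range */
        int n = mock_recv(r->s, r->buf + r->used, sizeof r->buf - r->used);
        if (n <= 0) return -1;
        r->used += (size_t)n;
    }
}

/* Banner/HELO exchange with each reader: 0 when the banner is 220 and the HELO
   reply 250, -1 otherwise (the case where os_sendmail logs "Hello not accepted"). */
int handshake_naive(const char *banner, const char *reply, size_t chunk, char *first, size_t firstsz) {
    mock_server s; char buf[1024];
    mock_init(&s, banner, reply, chunk);
    if (naive_read_reply(&s, first, firstsz) != 220) return -1;  /* banner */
    mock_send_helo(&s);
    return naive_read_reply(&s, buf, sizeof buf) == 250 ? 0 : -1; /* HELO reply */
}

int handshake_robust(const char *banner, const char *reply, size_t chunk) {
    mock_server s; smtp_reader r; char buf[1024];
    mock_init(&s, banner, reply, chunk);
    r.s = &s; r.used = 0;
    if (read_smtp_reply(&r, buf, sizeof buf) != 220) return -1;
    mock_send_helo(&s);
    return read_smtp_reply(&r, buf, sizeof buf) == 250 ? 0 : -1;
}

/* Constructed server output modelled on the post's log (hostname replaced). */
static const char BANNER[] =
    "220 mail.example.com ESMTP Sendmail 8.12.11/8.12.10; Thu, 14 Sep 2006 09:42:42 -0700 (PDT)\r\n";
static const char MULTILINE_BANNER[] = "220-mail.example.com ESMTP\r\n220 ready\r\n";
static const char HELO_OK[] = "250 mail.example.com Hello [192.0.2.10], pleased to meet you\r\n";

int main(void) {
    char first[1024];
    printf("naive, 38-byte reads:  %d (banner seen as '%s')\n",
           handshake_naive(BANNER, HELO_OK, 38, first, sizeof first), first);
    printf("robust, 38-byte reads: %d\n", handshake_robust(BANNER, HELO_OK, 38));
    return 0;
}
```

With reads capped at 38 bytes the naive client reports the banner as "220 mail.example.com ESMTP Sendmail 8." and then fails the HELO step, which is the same pair of fragments the post's log shows; the line-aware reader returns 220 and 250 regardless of how the bytes are chopped, and also accepts a banner split across several "220-" lines. When debugging a real client, logging the raw bytes of each read next to the parsed code makes this kind of framing error visible immediately.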