Hi all, I have finally tracked down why I am not getting any emails from ossec at all by enabling debugging in sendmail.c and recompiling maild as suggested here:
http://www.ossec.net/wiki/Tweaking_OSSEC#How_to_trace_sending_mail

The debug info I have is:

2012/02/02 10:49:30 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2012/02/02 10:49:30 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2012/02/02 10:50:44 DEBUG: Received banner: '220 (smtpserver) ESMTP ready. '
2012/02/02 10:50:44 DEBUG: Sent 'Helo notify.ossec.net ', received: '250 (smtpserver) Hello notify.ossec.net [172.16.0.154] '
2012/02/02 10:50:44 DEBUG: Sent 'Mail From: <(root@ossecserver)> ', received: '250 OK '
2012/02/02 10:50:44 DEBUG: Sent 'Rcpt To: <(valid_email)> ', received: '250 Accepted '
2012/02/02 10:50:44 DEBUG: Sent 'Rcpt To: <(valid_email)> ', received: '250 Accepted '
2012/02/02 10:50:44 DEBUG: Sent 'DATA ', received: '354 Enter message, ending with "." on a line by itself '
2012/02/02 10:54:40 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2012/02/02 10:54:52 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).

It looks to me that ossec simply doesn't send a message at all and doesn't end the message sending properly either.

I am running ossec-hids-2.6 on Debian 6.0.3 32-bit (server, the 1 client so far is the same OS).

Any advice appreciated. Thank you.
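
A small parser for the maild debug lines quoted in the post, added here as an example and not part of the original post or of OSSEC: it walks the SMTP dialogue and reports the last stage the server accepted and whether the DATA phase was ever terminated. The name `trace_smtp` is hypothetical, and it is an assumption that the reply to the end-of-data "." would be logged in the same `Sent '...', received: '...'` form as the other commands.

```python
import re

# Constructed sample: debug lines in the shape shown in the post above.
SAMPLE = """\
2012/02/02 10:50:44 DEBUG: Received banner: '220 (smtpserver) ESMTP ready. '
2012/02/02 10:50:44 DEBUG: Sent 'Helo notify.ossec.net ', received: '250 (smtpserver) Hello notify.ossec.net [172.16.0.154] '
2012/02/02 10:50:44 DEBUG: Sent 'Mail From: <(root@ossecserver)> ', received: '250 OK '
2012/02/02 10:50:44 DEBUG: Sent 'Rcpt To: <(valid_email)> ', received: '250 Accepted '
2012/02/02 10:50:44 DEBUG: Sent 'Rcpt To: <(valid_email)> ', received: '250 Accepted '
2012/02/02 10:50:44 DEBUG: Sent 'DATA ', received: '354 Enter message, ending with "." on a line by itself '
2012/02/02 10:54:40 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
"""

BANNER = re.compile(r"DEBUG: Received banner: '(\d{3})")
EXCHANGE = re.compile(r"DEBUG: Sent '(.*?)\s*', received: '(\d{3})")
# First digit of the reply each step must get (SMTP reply classes, RFC 5321).
EXPECTED = {"HELO": "2", "EHLO": "2", "MAIL": "2", "RCPT": "2", "DATA": "3", "END-OF-DATA": "2"}

def trace_smtp(log_text):
    """Return (last_accepted_stage, problems) for the SMTP dialogue in log_text."""
    stage, problems, awaiting_end = "none", [], False
    for line in log_text.splitlines():
        m = BANNER.search(line)
        if m:
            stage = "banner"
            if m.group(1) != "220":
                problems.append("banner replied " + m.group(1))
            continue
        m = EXCHANGE.search(line)
        if not m:
            continue  # not a maild debug line, e.g. syscheckd INFO
        sent, code = m.groups()
        if awaiting_end:  # assumption: next exchange after 354 is the body + "."
            verb, awaiting_end = "END-OF-DATA", False
        else:
            verb = sent.split()[0].upper() if sent else "?"
        if code[0] != EXPECTED.get(verb, "2"):
            problems.append(f"{verb} replied {code}")
        else:
            stage, awaiting_end = verb, verb == "DATA"
    if awaiting_end:
        problems.append("354 received but no end-of-data reply logged")
    return stage, problems

if __name__ == "__main__":
    print(trace_smtp(SAMPLE))
```
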