I am testing OSSEC HIDS in a virtual machine on an Ubuntu 18.04 server.
First of all, I installed and configured ssmtp as follows:


root=my...@gmail.com 
mailhub=smtp.gmail.com:587 
rewriteDomain=gmail.com 
hostname=localhost 
TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt 
UseTLS=Yes 
UseSTARTTLS=Yes 
AuthUser=my...@gmail.com 
AuthPass=password 
AuthMethod=LOGIN 
FromLineOverride=yes
 

Emails from the command line are sent and received; however, there are some
issues with OSSEC email alerts.
Below is part of /var/ossec/etc/ossec.conf:


<global>
    <email_notification>yes</email_notification>
    <email_to>my...@gmail.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@myserver</email_from>
    <email_maxperhour>1</email_maxperhour>
</global>
 

According to OSSEC's documentation the software should send an email at
startup and when it stops. I received an email after the first startup, in
the spam folder, probably because the email_from directive was set to an
invalid email address. That email contained two notifications, one about
"Partition usage reached 100% (disk space monitor)." and the other about
OSSEC starting. So I told Gmail that that was not spam, I changed the
email_from directive to my...@gmail.com, stopped OSSEC and restarted it.
Unfortunately that was the only alert I received. After that I stopped and
started OSSEC several times without receiving any email alert. I do not
understand why this happens: am I blackholed by Gmail? As I said, emails
from the command line are received without issues. Would OSSEC receive the
same treatment on a production server with a valid domain?

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/87b79ecd-e30a-4c7d-a9f4-50701bb9a519%40googlegroups.com.
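The two settings the post singles out, an email_from with a bare hostname as its domain and email_maxperhour set to 1, are the kind of thing worth checking mechanically before blaming the receiving side. The script below is an added example written for this thread, not OSSEC code and not the poster's: it parses the <global> block of an ossec.conf, flags a sender domain with no DNS suffix and an hourly limit below OSSEC's documented default of 12, and offers a TCP probe of smtp_server:25, since ossec-maild delivers over SMTP to that host when smtp_server is a host or IP, and ssmtp is a sendmail-style client that does not listen on a port. The sample blocks, the example.com addresses and the port-25 probe are assumptions of the example, not taken from the post.

```python
"""Static audit of the <global> e-mail block of an OSSEC ossec.conf.

Added example for this thread, not OSSEC's own code. Assumed (not from the
post): the default of 12 for email_maxperhour, port 25 for the SMTP probe,
and the example.com addresses in the constructed samples.
"""
import re
import socket
import xml.etree.ElementTree as ET

# Constructed sample mirroring the posted <global> block (addresses invented).
# ossec.conf has no single root element, so the text is wrapped before parsing;
# do the same when reading a real file.
POSTED_CONF = """
<global>
    <email_notification>yes</email_notification>
    <email_to>alerts@example.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@myserver</email_from>
    <email_maxperhour>1</email_maxperhour>
</global>
"""

# Same block with a routable sender domain and the default hourly limit.
FIXED_CONF = """
<global>
    <email_notification>yes</email_notification>
    <email_to>alerts@example.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@example.com</email_from>
    <email_maxperhour>12</email_maxperhour>
</global>
"""

DEFAULT_MAXPERHOUR = 12  # OSSEC's documented default
ADDR_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def parse_global(conf_text):
    """Return the children of the first <global> block as a tag -> text dict."""
    root = ET.fromstring("<ossec_config>%s</ossec_config>" % conf_text)
    glob = root.find("global")
    if glob is None:
        raise ValueError("no <global> block found")
    return {child.tag: (child.text or "").strip() for child in glob}


def sender_domain(addr):
    """Domain part of a user@host address, or None if it is not one."""
    m = ADDR_RE.match(addr)
    return m.group(1) if m else None


def audit(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_global(conf_text)
    findings = []

    if s.get("email_notification", "no").lower() != "yes":
        findings.append("email_notification is not 'yes': no alert mail will be sent")

    dom = sender_domain(s.get("email_from", ""))
    if dom is None:
        findings.append("email_from %r is not a user@host address" % s.get("email_from"))
    elif "." not in dom:
        findings.append("email_from domain %r has no DNS suffix; receiving MTAs are "
                        "likely to treat mail from it as spam or reject it" % dom)

    maxph = s.get("email_maxperhour")
    if maxph is not None:
        n = int(maxph) if maxph.isdigit() else -1
        if n < 1:
            findings.append("email_maxperhour %r is not a positive integer" % maxph)
        elif n < DEFAULT_MAXPERHOUR:
            findings.append("email_maxperhour=%d: only %d alert mail(s) per hour will "
                            "be delivered (OSSEC default is %d)" % (n, n, DEFAULT_MAXPERHOUR))

    if not s.get("smtp_server"):
        findings.append("smtp_server is empty")
    return findings


def smtp_listener_open(host, port=25, timeout=2.0):
    """True if something accepts TCP connections on host:port.

    ossec-maild delivers over SMTP to smtp_server when it is a host or IP, so
    this must succeed for the configured value. ssmtp is a sendmail-style
    client and does not listen, so a box running only ssmtp fails this probe.
    Not exercised by the tests because it needs the network.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print("%s: %s" % (name, audit(conf) or ["no findings"]))
```

Run it against the real file with `audit(open("/var/ossec/etc/ossec.conf").read())`, and call `smtp_listener_open("127.0.0.1")` on the OSSEC host itself to confirm that the smtp_server you configured is actually accepting connections; a clean static audit says nothing about delivery if that probe fails.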