This is progress: I now have ossec-maild running, but still no email and 
nothing from ossec in /var/log/mail.log. Here's what I did:

$ sudo /var/ossec/bin/ossec-control stop
$ sudo apt purge ossec-hids-agent
$ sudo apt purge ossec-hids-server
$ sudo apt install ossec-hids-server

My old keygen file was still there, as was the client.keys file.

$ sudo vim /var/ossec/etc/ossec.conf

  <global>
    <email_notification>yes</email_notification>
    <email_to>my.em...@company.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>root@localhost</email_from>
  </global>


$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.


No email.  Then I tried with:
<smtp_server>/usr/sbin/sendmail</smtp_server>

Still no email.

$ sudo cat /var/ossec/logs/ossec.log
...
2020/03/30 15:38:24 ossec-testrule: INFO: Reading local decoder file.
2020/03/30 15:38:24 ossec-testrule: INFO: Started (pid: 17631).
2020/03/30 15:38:24 ossec-maild: INFO: Started (pid: 17644).
2020/03/30 15:38:24 ossec-execd: INFO: Started (pid: 17649).
2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17661).
2020/03/30 15:38:24 IPv6: :: on port 1514
2020/03/30 15:38:24 Socket bound for IPv6: :: on port 1514
2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17663).
2020/03/30 15:38:24 rootcheck: System audit file not configured.
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading local decoder file.
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'rules_config.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'pam_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'sshd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'telnetd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'syslog_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'arpwatch_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'symantec-av_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'symantec-ws_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'pix_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'named_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'smbd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'vsftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'pure-ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'proftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ms_ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'hordeimp_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'roundcube_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'wordpress_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'cimserver_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'vpopmail_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'vmpop3d_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'courier_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'web_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'web_appsec_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'apache_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'nginx_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'php_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'mysql_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'postgresql_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ids_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'squid_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'firewall_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'apparmor_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'cisco-ios_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'netscreenfw_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'sonicwall_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'postfix_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'sendmail_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'imapd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'mailscanner_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'dovecot_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ms-exchange_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'racoon_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'vpn_concentrator_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'spamd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'msauth_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'mcafee_av_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'trend-osce_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ms-se_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'zeus_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'solaris_bsm_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'vmware_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ms_dhcp_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'asterisk_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ossec_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'attack_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'dropbear_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'unbound_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'sysmon_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'opensmtpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'exim_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'openbsd-dhcpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'dnsmasq_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'local_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Total rules enabled: '1544'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: 
'/etc/mail/statistics'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/random.seed'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '127.0.0.1'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.1'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.190'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.32'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.10'
2020/03/30 15:38:24 ossec-analysisd: INFO: 5 IPs in the allow list for 
active response.
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing Hostname: '::1'
2020/03/30 15:38:24 ossec-analysisd: INFO: 1 Hostname(s) in the allow list 
for active response.
2020/03/30 15:38:24 ossec-analysisd: INFO: Started (pid: 17653).
2020/03/30 15:38:25 ossec-monitord: INFO: Started (pid: 17673).
2020/03/30 15:38:25 ossec-remoted(4111): INFO: Maximum number of agents 
allowed: '16384'.
2020/03/30 15:38:25 ossec-remoted(1410): INFO: Reading authentication keys 
file.
2020/03/30 15:38:25 ossec-remoted: INFO: No previous counter available for 
'server1'.
2020/03/30 15:38:25 ossec-remoted: INFO: Assigning counter for agent 
server1: '0:0'.
2020/03/30 15:38:25 ossec-remoted: INFO: Assigning sender counter: 0:909
2020/03/30 15:38:27 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' 
(active-response queue)
2020/03/30 15:38:27 ossec-analysisd: INFO: Connected to 
'/queue/alerts/execq' (exec queue)
2020/03/30 15:38:29 ossec-syscheckd: INFO: Started (pid: 17669).
2020/03/30 15:38:29 ossec-rootcheck: INFO: Started (pid: 17669).
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/etc', 
with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: 
'/usr/bin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: 
'/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/bin', 
with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/sbin', 
with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/boot', 
with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/random.seed'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
2020/03/30 15:38:29 ossec-syscheckd: INFO: No diff for file: 
'/etc/ssl/private.key'
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
'/var/log/messages' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/messages'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
'/var/log/authlog' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/authlog'.
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/auth.log'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
'/var/log/secure' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/secure'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
'/var/log/xferlog' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/xferlog'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
'/var/log/maillog' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/maillog'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
'/var/www/logs/access_log' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/www/logs/access_log'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
'/var/www/logs/error_log' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/www/logs/error_log'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
'/var/log/exim_mainlog' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/exim_mainlog'.
2020/03/30 15:38:30 ossec-logcollector: INFO: Started (pid: 17657).
2020/03/30 15:38:35 ossec-monitord: WARN: Process locked. Waiting for 
permission...
2020/03/30 15:38:44 ossec-logcollector: WARN: Process locked. Waiting for 
permission...
2020/03/30 15:39:31 ossec-syscheckd: INFO: Starting syscheck scan 
(forwarding database).
2020/03/30 15:39:31 ossec-syscheckd: WARN: Process locked. Waiting for 
permission...




On Monday, March 30, 2020 at 2:50:58 PM UTC-4, dan (ddpbsd) wrote:
>
> On Mon, Mar 30, 2020 at 2:11 PM Glen Peterson <glen.k...@gmail.com> wrote: 
> > 
> > I installed on Ubuntu 18.04 according to this: 
> > 
> https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian
>  
> > 
> > I installed both agent and server.  Specifically: 
> > $ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo 
> bash 
> > 
> > $ sudo apt update 
> > 
> > $ sudo apt install ossec-hids-server 
> > $ sudo apt install ossec-hids-agent 
> > 
>
> They should be mutually exclusive, so I'm guessing the agent removed the 
> server. 
>
> > $ sudo -u ossec ssh-keygen 
> > 
> > $ sudo vim /var/ossec/etc/client.keys 
> > 001 server1 any <some-passphrase-you-save-in-keepass> 
> > 
> > $ sudo chown root.ossec /var/ossec/etc/client.keys 
> > 
> > Then I edited ossec.conf as I wrote in my previous mail and started the 
> server. 
> > 
> > $ sudo /var/ossec/bin/ossec-control start 
> > Starting OSSEC HIDS v3.6.0... 
> > Started ossec-execd... 
> > 2020/03/30 14:05:04 ossec-agentd: INFO: Using notify time: 600 and max 
> time to reconnect: 1800 
> > 2020/03/30 14:05:04 going daemon 
> > Started ossec-agentd... 
> > Started ossec-logcollector... 
> > Started ossec-syscheckd... 
> > Completed. 
> > 
> > 
> > 
> > On Monday, March 30, 2020 at 2:01:35 PM UTC-4, dan (ddpbsd) wrote: 
> >> 
> >> On Mon, Mar 30, 2020 at 2:00 PM Glen Peterson <glen.k...@gmail.com> 
> wrote: 
> >> > 
> >> > Sorry to be dense.  I just tried to post another message and don't 
> see it in google groups.  I'm noticing that other people have an 
> ossec-maild, but I don't: 
> >> > $ sudo ls -l /var/ossec/bin/ 
> >> > total 1164 
> >> > -r-xr-x--- 1 root ossec 149632 Mar 15 15:02 agent-auth 
> >> > -r-xr-x--- 1 root ossec 153728 Mar 15 15:02 manage_agents 
> >> > -r-xr-x--- 1 root ossec 276704 Mar 15 15:02 ossec-agentd 
> >> > -r-xr-x--- 1 root ossec   4593 Feb 14 14:46 ossec-control 
> >> > -r-xr-x--- 1 root ossec  63504 Mar 15 15:02 ossec-execd 
> >> > -r-xr-x--- 1 root ossec 235840 Mar 15 15:02 ossec-logcollector 
> >> > -r-xr-x--- 1 root ossec 284864 Mar 15 15:02 ossec-syscheckd 
> >> > -r-xr-x--- 1 root ossec   4503 Feb 14 14:46 util.sh 
> >> > 
> >> > I just installed ossec for the first time over the weekend.  I can't 
> seem to get it to send mail.  Am I missing an executable? 
> >> > 
> >> 
> >> This looks like an agent installation. The OSSEC server handles 
> >> sending out email. 
> >> 

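As an added diagnostic for the problem in this thread (not code from the thread or from OSSEC itself), the script below pulls the `<global>` and `<alerts>` e-mail settings out of ossec.conf and counts the entries in alerts.log against `email_alert_level`, the threshold analysisd uses to flag an alert for maild. The config is the `<global>` block from the post with a placeholder recipient, the two alerts.log entries are constructed samples, and the default level of 7 is OSSEC's documented default when `<email_alert_level>` is absent.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_EMAIL_LEVEL = 7  # OSSEC's default when <alerts><email_alert_level> is absent
ALERT_RE = re.compile(r"^\*\* Alert \d+\.\d+: (mail)?\s*- ")  # alerts.log header line
RULE_RE = re.compile(r"^Rule: \d+ \(level (\d+)\)")  # alerts.log rule line

def parse_mail_config(conf_text):
    # ossec.conf may hold several <ossec_config> blocks, so wrap them in one root element.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    cfg = {"enabled": False, "smtp_server": None, "email_to": []}
    for g in root.iter("global"):
        cfg["enabled"] |= (g.findtext("email_notification") or "").strip() == "yes"
        cfg["smtp_server"] = (g.findtext("smtp_server") or "").strip() or cfg["smtp_server"]
        cfg["email_to"] += [e.text.strip() for e in g.findall("email_to") if e.text]
    lvl = root.findtext(".//alerts/email_alert_level")
    cfg["level"] = int(lvl) if lvl else DEFAULT_EMAIL_LEVEL
    return cfg

def audit_alerts(alerts_text, level):
    # Count alerts, those at/above the e-mail level, and those analysisd already flagged for mail.
    stats = {"total": 0, "at_or_above_level": 0, "mail_flagged": 0}
    for line in alerts_text.splitlines():
        if m := ALERT_RE.match(line):
            stats["total"] += 1
            stats["mail_flagged"] += 1 if m.group(1) else 0
        elif (m := RULE_RE.match(line)) and int(m.group(1)) >= level:
            stats["at_or_above_level"] += 1
    return stats

def findings(cfg, stats):
    # Points to check before blaming the MTA.
    out = []
    if not cfg["enabled"]:
        out.append("email_notification is not 'yes'; maild sends nothing")
    if not cfg["email_to"]:
        out.append("no <email_to> recipient configured")
    srv = cfg["smtp_server"] or "(unset)"
    out.append(f"smtp_server is {srv}; confirm " + ("the binary exists and is executable"
               if srv.startswith("/") else "an MTA accepts SMTP on port 25 there"))
    if stats["at_or_above_level"] == 0:
        out.append(f"no alert reached email_alert_level {cfg['level']}, so there was nothing to mail")
    return out

# Constructed sample input: the <global> block from the post (placeholder recipient) plus two made-up alerts.log entries.
SAMPLE_CONF = """<ossec_config><global><email_notification>yes</email_notification>
<email_to>admin@example.com</email_to><smtp_server>localhost</smtp_server>
<email_from>root@localhost</email_from></global></ossec_config>"""
SAMPLE_ALERTS = ("** Alert 1585597200.0: - ossec,\nRule: 502 (level 3) -> 'Ossec server started.'\n"
                 "** Alert 1585597260.512: mail  - syscheck,\nRule: 550 (level 7) -> 'Integrity checksum changed.'\n")
```

Run it against the real /var/ossec/etc/ossec.conf and /var/ossec/logs/alerts/alerts.log: if no alert reaches the threshold, maild had nothing to send and the MTA is not the first place to look.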