This is progress: I now have ossec-maild running, but still no email and nothing from ossec in /var/log/mail.log. Here's what I did:
$ sudo /var/ossec/bin/ossec-control stop
$ sudo apt purge ossec-hids-agent
$ sudo apt purge ossec-hids-server
$ sudo apt install ossec-hids-server

My old keygen file was still there, as was the client.keys file.

$ sudo vim /var/ossec/etc/ossec.conf
<global>
  <email_notification>yes</email_notification>
  <email_to>my.em...@company.com</email_to>
  <smtp_server>localhost</smtp_server>
  <email_from>root@localhost</email_from>
</global>

$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

No email. Then I tried with:

<smtp_server>/usr/sbin/sendmail</smtp_server>

Still no email.

$ sudo cat /var/ossec/logs/ossec.log
...
2020/03/30 15:38:24 ossec-testrule: INFO: Reading local decoder file.
2020/03/30 15:38:24 ossec-testrule: INFO: Started (pid: 17631).
2020/03/30 15:38:24 ossec-maild: INFO: Started (pid: 17644).
2020/03/30 15:38:24 ossec-execd: INFO: Started (pid: 17649).
2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17661).
2020/03/30 15:38:24 IPv6: :: on port 1514
2020/03/30 15:38:24 Socket bound for IPv6: :: on port 1514
2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17663).
2020/03/30 15:38:24 rootcheck: System audit file not configured.
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading local decoder file.
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'apparmor_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'unbound_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'sysmon_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'opensmtpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'exim_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'openbsd-dhcpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'dnsmasq_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Total rules enabled: '1544'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/random.seed'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '127.0.0.1'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.1'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.190'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.32'
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.10'
2020/03/30 15:38:24 ossec-analysisd: INFO: 5 IPs in the allow list for active response.
2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing Hostname: '::1'
2020/03/30 15:38:24 ossec-analysisd: INFO: 1 Hostname(s) in the allow list for active response.
2020/03/30 15:38:24 ossec-analysisd: INFO: Started (pid: 17653).
2020/03/30 15:38:25 ossec-monitord: INFO: Started (pid: 17673).
2020/03/30 15:38:25 ossec-remoted(4111): INFO: Maximum number of agents allowed: '16384'.
2020/03/30 15:38:25 ossec-remoted(1410): INFO: Reading authentication keys file.
2020/03/30 15:38:25 ossec-remoted: INFO: No previous counter available for 'server1'.
2020/03/30 15:38:25 ossec-remoted: INFO: Assigning counter for agent server1: '0:0'.
2020/03/30 15:38:25 ossec-remoted: INFO: Assigning sender counter: 0:909
2020/03/30 15:38:27 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2020/03/30 15:38:27 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2020/03/30 15:38:29 ossec-syscheckd: INFO: Started (pid: 17669).
2020/03/30 15:38:29 ossec-rootcheck: INFO: Started (pid: 17669).
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/bin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/sbin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/boot', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/random.seed'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
2020/03/30 15:38:29 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/messages' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/authlog' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/secure' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/xferlog' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/maillog' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/www/logs/access_log' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/access_log'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/www/logs/error_log' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/error_log'.
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/exim_mainlog' due to [(2)-(No such file or directory)].
2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/exim_mainlog'.
2020/03/30 15:38:30 ossec-logcollector: INFO: Started (pid: 17657).
2020/03/30 15:38:35 ossec-monitord: WARN: Process locked. Waiting for permission...
2020/03/30 15:38:44 ossec-logcollector: WARN: Process locked. Waiting for permission...
2020/03/30 15:39:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2020/03/30 15:39:31 ossec-syscheckd: WARN: Process locked. Waiting for permission...

On Monday, March 30, 2020 at 2:50:58 PM UTC-4, dan (ddpbsd) wrote:
>
> On Mon, Mar 30, 2020 at 2:11 PM Glen Peterson <glen.k...@gmail.com> wrote:
> >
> > I installed on Ubuntu 18.04 according to this:
> > https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian
> >
> > I installed both agent and server. Specifically:
> > $ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
> >
> > $ sudo apt update
> >
> > $ sudo apt install ossec-hids-server
> > $ sudo apt install ossec-hids-agent
> >
>
> They should be mutually exclusive, so I'm guessing the agent removed the server.
>
> > $ sudo -u ossec ssh-keygen
> >
> > $ sudo vim /var/ossec/etc/client.keys
> > 001 server1 any <some-passphrase-you-save-in-keepass>
> >
> > $ sudo chown root.ossec /var/ossec/etc/client.keys
> >
> > Then I edited ossec.conf as I wrote in my previous mail and started the server.
> >
> > $ sudo /var/ossec/bin/ossec-control start
> > Starting OSSEC HIDS v3.6.0...
> > Started ossec-execd...
> > 2020/03/30 14:05:04 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
> > 2020/03/30 14:05:04 going daemon
> > Started ossec-agentd...
> > Started ossec-logcollector...
> > Started ossec-syscheckd...
> > Completed.
> >
> >
> > On Monday, March 30, 2020 at 2:01:35 PM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Mon, Mar 30, 2020 at 2:00 PM Glen Peterson <glen.k...@gmail.com> wrote:
> >> >
> >> > Sorry to be dense. I just tried to post another message and don't see it in Google Groups. I'm noticing that other people have an ossec-maild, but I don't:
> >> > $ sudo ls -l /var/ossec/bin/
> >> > total 1164
> >> > -r-xr-x--- 1 root ossec 149632 Mar 15 15:02 agent-auth
> >> > -r-xr-x--- 1 root ossec 153728 Mar 15 15:02 manage_agents
> >> > -r-xr-x--- 1 root ossec 276704 Mar 15 15:02 ossec-agentd
> >> > -r-xr-x--- 1 root ossec   4593 Feb 14 14:46 ossec-control
> >> > -r-xr-x--- 1 root ossec  63504 Mar 15 15:02 ossec-execd
> >> > -r-xr-x--- 1 root ossec 235840 Mar 15 15:02 ossec-logcollector
> >> > -r-xr-x--- 1 root ossec 284864 Mar 15 15:02 ossec-syscheckd
> >> > -r-xr-x--- 1 root ossec   4503 Feb 14 14:46 util.sh
> >> >
> >> > I just installed ossec for the first time over the weekend. I can't seem to get it to send mail. Am I missing an executable?
> >> >
> >>
> >> This looks like an agent installation. The OSSEC server handles
> >> sending out email.
> >>
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/9c69148a-8b84-487a-b469-c69aa6dc31ed%40googlegroups.com.
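The thread turns on three separate things: whether ossec-maild is installed at all (the agent package lacks it, as dan pointed out), whether the <global> mail block in ossec.conf is usable, and whether anything is actually listening where ossec-maild will try to deliver (it speaks plain SMTP to the configured host on port 25, so with nothing on localhost:25 the MTA log stays empty, which matches what Glen saw in /var/log/mail.log). The script below is an added example written for this thread; it is not code from OSSEC or from anyone posting here. It bundles those checks into one offline diagnostic. The sample config, bin listings and log excerpt are constructed from what the thread shows (with a placeholder recipient address); the /var/ossec paths are OSSEC's default layout; a <smtp_server> value beginning with "/" is treated as a sendmail-style binary, the form of Glen's second attempt.

```python
# Added example for this ossec-list thread; not OSSEC project code.
# Offline diagnostic for "ossec-maild runs but no mail arrives":
#   1. is ossec-maild even installed (server vs. agent package)?
#   2. is the <global> mail block in ossec.conf usable?
#   3. can ossec-maild reach its delivery target, and did it log "Started"?
import os
import re
import socket
import xml.etree.ElementTree as ET

OSSEC_BIN = "/var/ossec/bin"   # OSSEC default install layout (assumption)
SMTP_PORT = 25                 # ossec-maild delivers over plain SMTP on 25

# Constructed sample: the <global> block from the thread, placeholder address.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>root@localhost</email_from>
  </global>
</ossec_config>
"""

# Constructed bin listings: the agent-only one from the thread, and a server one.
AGENT_BIN = ["agent-auth", "manage_agents", "ossec-agentd", "ossec-control",
             "ossec-execd", "ossec-logcollector", "ossec-syscheckd", "util.sh"]
SERVER_BIN = AGENT_BIN + ["ossec-maild", "ossec-analysisd",
                          "ossec-remoted", "ossec-monitord"]

# Constructed ossec.log excerpt in the format the thread shows.
SAMPLE_LOG = """2020/03/30 15:38:24 ossec-maild: INFO: Started (pid: 17644).
2020/03/30 15:38:24 ossec-execd: INFO: Started (pid: 17649).
2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file '/var/log/messages' due to [(2)-(No such file or directory)].
"""

STARTED_RE = re.compile(r"^\S+ \S+ (ossec-[a-z]+): INFO: Started \(pid: (\d+)\)")


def parse_global(conf_text):
    """Return the <global> settings of an ossec.conf as a dict tag -> text.

    ossec.conf may hold several top-level <ossec_config> elements and has no
    XML declaration, so wrap the text in one root before parsing.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    g = root.find(".//global")
    if g is None:
        return {}
    return {child.tag: (child.text or "").strip() for child in g}


def started_daemons(log_text):
    """Map daemon name -> pid for every 'Started' line in an ossec.log excerpt."""
    found = {}
    for line in log_text.splitlines():
        m = STARTED_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def smtp_listening(host, port=SMTP_PORT, timeout=2.0):
    """True if something accepts a TCP connection on host:port (live check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_mail_setup(conf_text, bin_names, log_text, probe=smtp_listening,
                     path_exists=os.path.exists):
    """Return a list of findings; an empty list means nothing obviously wrong.

    probe and path_exists are injectable so the check can run offline.
    """
    findings = []
    if "ossec-maild" not in bin_names:
        findings.append("ossec-maild not installed: agent-only package, "
                        "only the server sends mail")
    g = parse_global(conf_text)
    if g.get("email_notification") != "yes":
        findings.append("email_notification is not 'yes'")
    if not g.get("email_to"):
        findings.append("email_to is empty")
    smtp = g.get("smtp_server", "")
    if not smtp:
        findings.append("smtp_server is empty")
    elif smtp.startswith("/"):
        # A path means "hand mail to this sendmail-compatible binary".
        if not path_exists(smtp):
            findings.append("smtp_server binary %s does not exist" % smtp)
    elif not probe(smtp):
        findings.append("nothing listening on %s:%d, so ossec-maild cannot "
                        "deliver and the MTA log stays empty" % (smtp, SMTP_PORT))
    if "ossec-maild" in bin_names and "ossec-maild" not in started_daemons(log_text):
        findings.append("ossec-maild never logged 'Started'")
    return findings


if __name__ == "__main__":
    # Live run against a real host (needs read access to the OSSEC tree).
    with open("/var/ossec/etc/ossec.conf") as cf, open("/var/ossec/logs/ossec.log") as lf:
        for finding in check_mail_setup(cf.read(), os.listdir(OSSEC_BIN), lf.read()):
            print("FINDING:", finding)
```

Run as root on the OSSEC server; an empty result means the pieces the thread covers are in place, and the remaining question is whether any alert has reached the mail threshold (OSSEC only mails alerts at or above <email_alert_level> under <alerts>, default 7, so a quiet freshly installed host may simply have had nothing to send).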