I did that all again, but added:
$ sudo rm -rf /var/ossec/
Between the uninstall and reinstall.  Then created my keygen and client.key 
files from scratch.

and...

Ohhhhh...  Now I'm getting email alerts!!!  Woohoo!

Thanks so much for your help!

On Monday, March 30, 2020 at 3:49:42 PM UTC-4, Glen Peterson wrote:
>
> This is progress, I now have ossec-maild running, but still no email and 
> nothing from ossec in /var/log/mail.log.  Here's what I did:
>
> $ sudo /var/ossec/bin/ossec-control stop
> $ sudo apt purge ossec-hids-agent
> $ sudo apt purge ossec-hids-server
> $ sudo apt install ossec-hids-server
>
> My old keygen file was still there, as was the client.key file.
>
> $ sudo vim /var/ossec/etc/ossec.conf
>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>my.em...@company.com</email_to>
>     <smtp_server>localhost</smtp_server>
>     <email_from>root@localhost</email_from>
>   </global>
>
>
> $ sudo /var/ossec/bin/ossec-control start
> Starting OSSEC HIDS v3.6.0...
> Started ossec-maild...
> Started ossec-execd...
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-remoted...
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
>
>
> No email.  Then I tried with:
> <smtp_server>/usr/sbin/sendmail</smtp_server>
>
> Still no email.
>
> $ sudo cat /var/ossec/logs/ossec.log
> ...
> 2020/03/30 15:38:24 ossec-testrule: INFO: Reading local decoder file.
> 2020/03/30 15:38:24 ossec-testrule: INFO: Started (pid: 17631).
> 2020/03/30 15:38:24 ossec-maild: INFO: Started (pid: 17644).
> 2020/03/30 15:38:24 ossec-execd: INFO: Started (pid: 17649).
> 2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17661).
> 2020/03/30 15:38:24 IPv6: :: on port 1514
> 2020/03/30 15:38:24 Socket bound for IPv6: :: on port 1514
> 2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17663).
> 2020/03/30 15:38:24 rootcheck: System audit file not configured.
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading local decoder file.
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'rules_config.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'pam_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'sshd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'telnetd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'syslog_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'arpwatch_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'symantec-av_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'symantec-ws_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'pix_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'named_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'smbd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'vsftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'pure-ftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'proftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'ms_ftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'ftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'hordeimp_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'roundcube_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'wordpress_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'cimserver_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'vpopmail_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'vmpop3d_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'courier_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'web_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'web_appsec_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'apache_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'nginx_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'php_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'mysql_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'postgresql_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'ids_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'squid_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'firewall_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'apparmor_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'cisco-ios_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'netscreenfw_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'sonicwall_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'postfix_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'sendmail_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'imapd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'mailscanner_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'dovecot_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'ms-exchange_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'racoon_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'vpn_concentrator_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'spamd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'msauth_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'mcafee_av_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'trend-osce_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'ms-se_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'zeus_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'solaris_bsm_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'vmware_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'ms_dhcp_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'asterisk_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'ossec_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'attack_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'dropbear_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'unbound_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'sysmon_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'opensmtpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'exim_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'openbsd-dhcpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'dnsmasq_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'local_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Total rules enabled: '1544'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: 
> '/etc/mail/statistics'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: 
> '/etc/random-seed'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: 
> '/etc/random.seed'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '127.0.0.1'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.1'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: 
> '192.168.2.190'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.32'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing IP: '192.168.2.10'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: 5 IPs in the allow list for 
> active response.
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Allow listing Hostname: '::1'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: 1 Hostname(s) in the allow list 
> for active response.
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Started (pid: 17653).
> 2020/03/30 15:38:25 ossec-monitord: INFO: Started (pid: 17673).
> 2020/03/30 15:38:25 ossec-remoted(4111): INFO: Maximum number of agents 
> allowed: '16384'.
> 2020/03/30 15:38:25 ossec-remoted(1410): INFO: Reading authentication keys 
> file.
> 2020/03/30 15:38:25 ossec-remoted: INFO: No previous counter available for 
> 'server1'.
> 2020/03/30 15:38:25 ossec-remoted: INFO: Assigning counter for agent 
> server1: '0:0'.
> 2020/03/30 15:38:25 ossec-remoted: INFO: Assigning sender counter: 0:909
> 2020/03/30 15:38:27 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' 
> (active-response queue)
> 2020/03/30 15:38:27 ossec-analysisd: INFO: Connected to 
> '/queue/alerts/execq' (exec queue)
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: Started (pid: 17669).
> 2020/03/30 15:38:29 ossec-rootcheck: INFO: Started (pid: 17669).
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/etc', 
> with options perm | size | owner | group | md5sum | sha1sum.
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: 
> '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum.
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: 
> '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum.
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/bin', 
> with options perm | size | owner | group | md5sum | sha1sum.
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/sbin', 
> with options perm | size | owner | group | md5sum | sha1sum.
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: Monitoring directory: '/boot', 
> with options perm | size | owner | group | md5sum | sha1sum.
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/random.seed'
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
> 2020/03/30 15:38:29 ossec-syscheckd: INFO: No diff for file: 
> '/etc/ssl/private.key'
> 2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
> '/var/log/messages' due to [(2)-(No such file or directory)].
> 2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/log/messages'.
> 2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
> '/var/log/authlog' due to [(2)-(No such file or directory)].
> 2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/log/authlog'.
> 2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/log/auth.log'.
> 2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
> '/var/log/secure' due to [(2)-(No such file or directory)].
> 2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/log/secure'.
> 2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
> '/var/log/xferlog' due to [(2)-(No such file or directory)].
> 2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/log/xferlog'.
> 2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
> '/var/log/maillog' due to [(2)-(No such file or directory)].
> 2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/log/maillog'.
> 2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
> '/var/www/logs/access_log' due to [(2)-(No such file or directory)].
> 2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/www/logs/access_log'.
> 2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
> '/var/www/logs/error_log' due to [(2)-(No such file or directory)].
> 2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/www/logs/error_log'.
> 2020/03/30 15:38:30 ossec-logcollector(1103): ERROR: Could not open file 
> '/var/log/exim_mainlog' due to [(2)-(No such file or directory)].
> 2020/03/30 15:38:30 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/log/exim_mainlog'.
> 2020/03/30 15:38:30 ossec-logcollector: INFO: Started (pid: 17657).
> 2020/03/30 15:38:35 ossec-monitord: WARN: Process locked. Waiting for 
> permission...
> 2020/03/30 15:38:44 ossec-logcollector: WARN: Process locked. Waiting for 
> permission...
> 2020/03/30 15:39:31 ossec-syscheckd: INFO: Starting syscheck scan 
> (forwarding database).
> 2020/03/30 15:39:31 ossec-syscheckd: WARN: Process locked. Waiting for 
> permission...
>
> On Monday, March 30, 2020 at 2:50:58 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mon, Mar 30, 2020 at 2:11 PM Glen Peterson <glen.k...@gmail.com> 
>> wrote: 
>> > 
>> > I installed on Ubuntu 18.04 according to this: 
>> > 
>> https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian
>>  
>> > 
>> > I installed both agent and server.  Specifically: 
>> > $ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash 
>> > 
>> > $ sudo apt update 
>> > 
>> > $ sudo apt install ossec-hids-server 
>> > $ sudo apt install ossec-hids-agent 
>> > 
>>
>> They should be mutually exclusive, so I'm guessing the agent removed the 
>> server. 
>>
>> > $ sudo -u ossec ssh-keygen 
>> > 
>> > $ sudo vim /var/ossec/etc/client.keys 
>> > 001 server1 any <some-passphrase-you-save-in-keepass> 
>> > 
>> > $ sudo chown root.ossec /var/ossec/etc/client.keys 
>> > 
>> > Then I edited ossec.conf as I wrote in my previous mail and started the 
>> server. 
>> > 
>> > $ sudo /var/ossec/bin/ossec-control start 
>> > Starting OSSEC HIDS v3.6.0... 
>> > Started ossec-execd... 
>> > 2020/03/30 14:05:04 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800 
>> > 2020/03/30 14:05:04 going daemon 
>> > Started ossec-agentd... 
>> > Started ossec-logcollector... 
>> > Started ossec-syscheckd... 
>> > Completed. 
>> > 
>> > 
>> > 
>> > On Monday, March 30, 2020 at 2:01:35 PM UTC-4, dan (ddpbsd) wrote: 
>> >> 
>> >> On Mon, Mar 30, 2020 at 2:00 PM Glen Peterson <glen.k...@gmail.com> 
>> wrote: 
>> >> > 
>> >> > Sorry to be dense.  I just tried to post another message and don't 
>> see it in google groups.  I'm noticing that other people have an 
>> ossec-maild, but I don't: 
>> >> > $ sudo ls -l /var/ossec/bin/ 
>> >> > total 1164 
>> >> > -r-xr-x--- 1 root ossec 149632 Mar 15 15:02 agent-auth 
>> >> > -r-xr-x--- 1 root ossec 153728 Mar 15 15:02 manage_agents 
>> >> > -r-xr-x--- 1 root ossec 276704 Mar 15 15:02 ossec-agentd 
>> >> > -r-xr-x--- 1 root ossec   4593 Feb 14 14:46 ossec-control 
>> >> > -r-xr-x--- 1 root ossec  63504 Mar 15 15:02 ossec-execd 
>> >> > -r-xr-x--- 1 root ossec 235840 Mar 15 15:02 ossec-logcollector 
>> >> > -r-xr-x--- 1 root ossec 284864 Mar 15 15:02 ossec-syscheckd 
>> >> > -r-xr-x--- 1 root ossec   4503 Feb 14 14:46 util.sh 
>> >> > 
>> >> > I just installed ossec for the first time over the weekend.  I can't 
>> seem to get it to send mail.  Am I missing an executable? 
>> >> > 
>> >> 
>> >> This looks like an agent installation. The OSSEC server handles 
>> >> sending out email. 
>> >> 
>> >> > -- 
>> >> > 
>> >> > --- 
>> >> > You received this message because you are subscribed to the Google 
>> Groups "ossec-list" group. 
>> >> > To unsubscribe from this group and stop receiving emails from it, 
>> send an email to ossec...@googlegroups.com. 
>> >> > To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ossec-list/3d55b1e6-ae3d-4030-9cf2-30872ea7557f%40googlegroups.com.
>>  
>>
>>  
>>
>>
>


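The thread above hinges on three things that are easy to check before restarting daemons: only a server install (ossec-hids-server) ships ossec-maild, so an agent install never sends mail whatever ossec.conf says; `<email_notification>` must actually be `yes` inside `<global>`; and client.keys holds the agent shared secrets, so it should be owned root:ossec and not world-readable. The script below is an added example written for this page, not code from the thread or from the OSSEC project. It assumes the standard /var/ossec layout as defaults, takes every path as a parameter so it can be run against a scratch directory, and, following the poster's second attempt, treats an `<smtp_server>` value that starts with `/` as a local sendmail-style binary and checks that it is executable rather than resolving it as a host.

```sh
#!/bin/sh
# Added example (not from the ossec-list thread or the OSSEC project):
# pre-flight check for OSSEC email alerting.
#   1. ossec-maild exists only in a server install; an agent install
#      (ossec-hids-agent) never sends mail.
#   2. <email_notification>yes</email_notification> must be set.
#   3. client.keys holds shared secrets and must not be world-readable.
# All paths are parameters; defaults assume the standard /var/ossec layout.

ossec_has_maild() {
    # $1 = OSSEC bin directory. 0 if the mail daemon binary is present.
    [ -x "$1/ossec-maild" ]
}

ossec_mail_enabled() {
    # $1 = ossec.conf. 0 if email notification is switched on.
    grep -q '<email_notification>[[:space:]]*yes[[:space:]]*</email_notification>' "$1"
}

ossec_smtp_server() {
    # $1 = ossec.conf. Prints the first <smtp_server> value (empty if none).
    sed -n 's|.*<smtp_server>\([^<]*\)</smtp_server>.*|\1|p' "$1" | head -n 1
}

ossec_keys_private() {
    # $1 = client.keys. 0 if the file exists and is not world-readable.
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm -004)" ]
}

ossec_mail_check() {
    # $1 = bin dir, $2 = ossec.conf, $3 = client.keys (all optional).
    # Prints one line per check; returns 1 if any hard check fails.
    bin="${1:-/var/ossec/bin}"
    conf="${2:-/var/ossec/etc/ossec.conf}"
    keys="${3:-/var/ossec/etc/client.keys}"
    rc=0
    if ossec_has_maild "$bin"; then
        echo "OK:   $bin/ossec-maild present (server install)"
    else
        echo "FAIL: $bin/ossec-maild missing; agent install, only the server sends mail"
        rc=1
    fi
    if ossec_mail_enabled "$conf"; then
        echo "OK:   email_notification is yes in $conf"
    else
        echo "FAIL: email_notification is not yes in $conf"
        rc=1
    fi
    smtp=$(ossec_smtp_server "$conf")
    case "$smtp" in
        "")
            echo "FAIL: no <smtp_server> in $conf"
            rc=1 ;;
        /*)
            # A leading slash is taken as a local sendmail-compatible binary.
            if [ -x "$smtp" ]; then
                echo "OK:   smtp_server is local binary $smtp"
            else
                echo "FAIL: smtp_server $smtp is not an executable binary"
                rc=1
            fi ;;
        *)
            echo "OK:   smtp_server is host $smtp" ;;
    esac
    if ossec_keys_private "$keys"; then
        echo "OK:   $keys present and not world-readable"
    else
        echo "WARN: $keys missing or world-readable (expected root:ossec, mode 640)"
    fi
    return $rc
}

# Usage: sh ossec-mail-check.sh --check [bindir] [ossec.conf] [client.keys]
if [ "${1:-}" = "--check" ]; then
    shift
    ossec_mail_check "$@"
fi
```

Run it with `sudo sh ossec-mail-check.sh --check` on the box; a FAIL on the first line is the agent-vs-server mix-up from the start of the thread, and a FAIL on the smtp_server line with a path value means the sendmail binary the config points at is not there or not executable.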