(oops, hit 'send' too quick) https://subscription.packtpub.com/book/cloud_and_networking/9781782167648/1/ch01lvl1sec09/configuring-an-ossec-server-simple
On Mon, Oct 11, 2021 at 12:40 PM Rene Veerman <rene.veerman.netherla...@gmail.com> wrote:
> I had made the mistake of installing only the server...
>
> This manual helped me a lot setting up a proper ossec system, on 2 machines:
>
> On Sat, Oct 2, 2021 at 4:04 AM Rene Veerman <rene.veerman.netherla...@gmail.com> wrote:
>
>> Hi.
>>
>> I'm new to ossec, and I'm having trouble getting emails from it.
>> If someone here can help me with that, I'd appreciate it a lot.
>>
>> My OS is the latest stable kubuntu, with iRedMail (which includes postfix) for email support.
>>
>> Here are some of the relevant logs, and the rules are added as attachment to this mail.
>>
>> root@parakeet:/var/ossec# systemctl status ossec.service
>> ● ossec.service - LSB: Start and stop OSSEC HIDS
>>      Loaded: loaded (/etc/init.d/ossec; generated)
>>      Active: active (exited) since Fri 2021-10-01 20:29:48 CEST; 5h 58min ago
>>        Docs: man:systemd-sysv-generator(8)
>>     Process: 51972 ExecStart=/etc/init.d/ossec start (code=exited, status=0/SUCCESS)
>>
>> okt 01 20:29:45 parakeet ossec[51973]: Starting OSSEC HIDS v3.6.0...
>> okt 01 20:29:45 parakeet ossec[51973]: Started ossec-maild...
>> okt 01 20:29:45 parakeet ossec[51973]: Started ossec-execd...
>> okt 01 20:29:45 parakeet ossec[51973]: Started ossec-analysisd...
>> okt 01 20:29:45 parakeet ossec[51973]: Started ossec-logcollector...
>> okt 01 20:29:45 parakeet ossec[51973]: Started ossec-remoted...
>> okt 01 20:29:46 parakeet ossec[51973]: Started ossec-syscheckd...
>> okt 01 20:29:46 parakeet ossec[51973]: Started ossec-monitord...
>> okt 01 20:29:48 parakeet ossec[51973]: Completed.
>> okt 01 20:29:48 parakeet systemd[1]: Started LSB: Start and stop OSSEC HIDS.
>>
>> root@parakeet:/var/ossec# telnet localhost 25
>> Trying 127.0.0.1...
>> Connected to smtp.example.com.
>> Escape character is '^]'.
>> 220 smtp.example.com ESMTP Postfix
>> ^C^]
>> telnet> quit
>> Connection closed.
>>
>> root@parakeet:/var/ossec# /var/ossec/bin/agent_control -r -a
>> 2021/10/02 02:48:33 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> 2021/10/02 02:48:33 agent_control(1301): ERROR: Unable to connect to active response queue.
>>
>> ** Unable to connect to remoted.
>>
>> root@parakeet:/var/ossec# vi /etc/postfix/main.cf
>> root@parakeet:/var/ossec# tail /var/log/postfix.log
>> Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1dLmzbbcN: from=<r...@smtp.example.com>, size=2007, nrcpt=1 (queue active)
>> Oct 02 02:02:04 smtp postfix/local[87369]: 4HLnGN1LQ3zbbcs: to=<r...@smtp.example.com>, relay=local, delay=0.06, delays=0.03/0.01/0/0.02, dsn=2.0.0, status=sent (forwarded as 4HLnGN1dLmzbbcN)
>> Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1LQ3zbbcs: removed
>> Oct 02 02:02:04 smtp postfix/pipe[87372]: 4HLnGN1brDzbbbZ: to=<postmas...@example.com>, orig_to=<r...@smtp.example.com>, relay=dovecot, delay=0.14, delays=0.01/0.01/0/0.13, dsn=2.0.0, status=sent (delivered via dovecot service)
>> Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1brDzbbbZ: removed
>> Oct 02 02:02:04 smtp postfix/pipe[87373]: 4HLnGN1dLmzbbcN: to=<postmas...@example.com>, orig_to=<r...@smtp.example.com>, relay=dovecot, delay=0.17, delays=0.01/0.01/0/0.15, dsn=2.0.0, status=sent (delivered via dovecot service)
>> Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1dLmzbbcN: removed
>> Oct 02 02:34:00 smtp postfix/smtpd[90923]: connect from smtp.example.com[127.0.0.1]
>> Oct 02 02:34:09 smtp postfix/smtpd[90923]: lost connection after CONNECT from smtp.example.com[127.0.0.1]
>> Oct 02 02:34:09 smtp postfix/smtpd[90923]: disconnect from smtp.example.com[127.0.0.1] commands=0/0
>>
>> root@parakeet:/var/ossec# tail logs/ossec.log
>> 2021/10/01 20:33:13 ossec-monitord(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
>> 2021/10/01 20:33:13 ossec-logcollector(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
>> 2021/10/01 20:33:13 ossec-remoted(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
>> 2021/10/01 20:33:13 ossec-syscheckd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
>> 2021/10/01 20:33:13 ossec-analysisd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
>> 2021/10/01 20:33:13 ossec-maild(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
>> 2021/10/01 20:33:13 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
>> 2021/10/01 20:33:13 ossec-execd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
>> 2021/10/02 02:48:33 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> 2021/10/02 02:48:33 agent_control(1301): ERROR: Unable to connect to active response queue.
>>
>> root@parakeet:/var/ossec# cat /etc/ossec-init.conf | grep VERSION
>> VERSION="v3.6.0"
>> root@parakeet:/var/ossec/rules# ufw status
>> Status: inactive
>>
>> If you need more information to help get this fixed, I'm most willing to provide it.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/7c0b1d6a-96d2-4261-97cd-3fbb8b102d15n%40googlegroups.com.
>
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CACMzB5dWBZ7FdrdK3ttg8vDxCg%3DP8jS%2BQ4xmurVa8n2X4M2E5A%40mail.gmail.com.
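Added example (not from the thread, and not OSSEC's own tooling): a small Python triage over the ossec.log lines quoted above. It shows that every daemon's last logged event is the SIGTERM at 20:33:13 and that the agent_control queue errors come hours later, the pattern of an OSSEC that has been stopped rather than a Postfix problem; `systemctl status` reporting `active (exited)` for a generated LSB unit only says the init script exited with status 0, not that the daemons are still up. Assumptions: the sample log is constructed from the quoted lines, and a message beginning "Started" is taken as a restart marker.

```python
import re
from datetime import datetime

# Constructed sample: the ossec.log lines quoted in the thread, with the
# mail client's line wrapping undone. Not a complete log.
OSSEC_LOG = """\
2021/10/01 20:33:13 ossec-monitord(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-logcollector(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-remoted(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-syscheckd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-analysisd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-maild(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2021/10/01 20:33:13 ossec-execd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/02 02:48:33 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2021/10/02 02:48:33 agent_control(1301): ERROR: Unable to connect to active response queue.
"""

# OSSEC log line: "YYYY/MM/DD HH:MM:SS process(message-id): LEVEL: text"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[\w-]+)\((?P<msgid>\d+)\): (?P<level>\w+): (?P<msg>.*)$"
)

def parse(log_text):
    """Yield (timestamp, process, message id, level, message) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                   m["proc"], int(m["msgid"]), m["level"], m["msg"])

def triage(log_text):
    """Return (daemons whose last event is a shutdown, time of that shutdown, ERROR
    entries logged after it). Id 1225 is the SIGTERM notice seen in the thread;
    a message starting with 'Started' is assumed to mark a (re)start."""
    last_event, errors = {}, []
    for ts, proc, msgid, level, msg in parse(log_text):
        if msg.startswith("Started"):
            last_event[proc] = ("started", ts)
        elif msgid == 1225 or msg.startswith("Shutdown received"):
            last_event[proc] = ("terminated", ts)
        elif level == "ERROR":
            errors.append((ts, proc, msgid, msg))
    stopped = sorted(p for p, (state, _) in last_event.items() if state == "terminated")
    shutdown_at = max((ts for state, ts in last_event.values() if state == "terminated"),
                      default=None)
    later_errors = [e for e in errors if shutdown_at and e[0] > shutdown_at]
    return stopped, shutdown_at, later_errors
```

When the script reports all daemons stopped, confirm with `/var/ossec/bin/ossec-control status` before touching the mail configuration.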