Re: [ossec-list] What to make of ossec-hosts.* files

2015-07-06 Thread Jamey B
Hi,

Did this ever get answered? I have the same question about the files; I 
decided to just reopen this rather than make a new post, as I cannot find 
the answer. I was considering making a cron job to remove them every week, 
but I want to be sure deleting these files won't impact OSSEC.



On Tuesday, December 16, 2014 at 5:19:47 PM UTC-5, finid wrote:
>
> Thanks. 
>
> Since they are all empty files, nothing should break if they are all 
> deleted, right? 
>
>
> -- 
> finid 
>
>
>
> On 2014-12-16 15:28, Brent Morris wrote: 
> > I think what you're seeing is what is described in CVE-2014-5284 - 
> > http://www.ossec.net/?p=1135 
> > 
> > Basically, they were in /tmp, and then a vulnerability was 
> > disclosed... so those files were moved from /tmp to /var/ossec in 
> > 2.8.1 
> > 
> > On Tuesday, December 16, 2014 1:19:15 PM UTC-8, finid wrote: 
> > 
> >> On 2014-12-16 14:59, fi...@vivaldi.net wrote: 
> >>> Hi, 
> >>> 
> >>> I see a bunch of files in /var/ossec with names of the form 
> >>> ossec-hosts.*. what are they and how can I stop the system from 
> >>> creating them? 
> >>> 
> >>> Here are a few examples. 
> >>> 
> >>> ossec-hosts.1i6uugNQB3 
> >>> ossec-hosts.BFHjPh9dwg 
> >>> ossec-hosts.i4EvjkDXUh 
> >>> ossec-hosts.U3thtpzm6b 
> >>> ossec-hosts.1MeJfr9MGt 
> >>> 
> >>> 
> >> 
> >> So those files appear to be temporary files. Shouldn't they be in 
> >> /tmp, 
> >> instead of /var/ossec? 
> >> 
> >> -- 
> >> finid 
> > 
> >  -- 
> > 
> >  --- 
> >  You received this message because you are subscribed to the Google 
> > Groups "ossec-list" group. 
> >  To unsubscribe from this group and stop receiving emails from it, 
> > send an email to ossec-list+...@googlegroups.com . 
> >  For more options, visit https://groups.google.com/d/optout [1]. 
> > 
> > 
>

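The weekly cleanup Jamey is considering, written out as an added example (it is not part of the thread and not OSSEC's own code). The thread does not say which component writes these files or confirm that removing them is harmless, so the script is deliberately conservative and makes three assumptions of its own: the ten-character random suffix in finid's listing is the whole naming pattern, a file still in use would be seconds rather than days old, and (as finid reports) the files are empty. It only touches regular files matching that exact name shape, zero bytes long and older than a week, never follows symlinks, and defaults to a dry run. `make_sample_dir()` builds a constructed scratch directory standing in for /var/ossec so the script can be run anywhere.

```python
"""Added example (not OSSEC code): a conservative cleanup for stale
ossec-hosts.* files. See the lead-in for the assumptions it makes."""
import os
import re
import stat
import tempfile
import time

# Assumption: the suffix is always ten alphanumerics, as in finid's listing.
NAME_RE = re.compile(r"^ossec-hosts\.[A-Za-z0-9]{10}$")
ONE_WEEK = 7 * 86400


def stale_ossec_hosts_files(directory, min_age_seconds=ONE_WEEK, now=None):
    """Return basenames of empty, regular ossec-hosts.* files older than
    min_age_seconds. Symlinks and anything non-regular are skipped."""
    now = time.time() if now is None else now
    stale = []
    for name in sorted(os.listdir(directory)):
        if not NAME_RE.match(name):
            continue
        st = os.lstat(os.path.join(directory, name))  # lstat: never follow a link
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_size != 0:
            continue  # something wrote into it; leave it for a human
        if now - st.st_mtime < min_age_seconds:
            continue  # too recent, could still be in use
        stale.append(name)
    return stale


def remove_stale(directory, min_age_seconds=ONE_WEEK, dry_run=True):
    """Delete (or, by default, only report) the stale files; returns their names."""
    names = stale_ossec_hosts_files(directory, min_age_seconds)
    for name in names:
        if not dry_run:
            os.remove(os.path.join(directory, name))
    return names


def make_sample_dir(now=None):
    """Constructed fixture mimicking /var/ossec: the file names come from
    finid's message, the contents and timestamps are made up here."""
    now = time.time() if now is None else now
    old = now - 10 * 86400
    d = tempfile.mkdtemp(prefix="ossec-example-")
    samples = {
        "ossec-hosts.1i6uugNQB3": (b"", old),                   # empty and old: stale
        "ossec-hosts.BFHjPh9dwg": (b"", now),                   # empty but fresh: keep
        "ossec-hosts.U3thtpzm6b": (b"ALL: 192.0.2.10\n", old),  # non-empty: keep
        "ossec-hosts.bak": (b"", old),                          # wrong pattern: keep
        "ossec.conf": (b"<ossec_config/>\n", old),              # unrelated: keep
    }
    for name, (content, mtime) in samples.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return d


if __name__ == "__main__":
    d = make_sample_dir()
    print("dry run  :", remove_stale(d))
    print("removed  :", remove_stale(d, dry_run=False))
    print("remaining:", sorted(os.listdir(d)))
```

Run against the real directory only after a dry run has shown nothing surprising; the age threshold and the empty-file check are what keep a cron job from racing whatever process is still writing one of these files.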


Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-06 Thread theresa mic-snare
OK, I managed to fix this and I'm face-palming myself.

I've tweaked the postfix config a bit, enabled the service and there we 
go...
ossec-maild is now officially sending out alerts to my email address.

theresa happy :)

On Sunday, July 5, 2015 at 14:02:29 UTC+2, Daniil Svetlov wrote:
>
> Theresa, try issuing the command /var/ossec/bin/ossec-control enable debug. 
> It will increase log verbosity. Then restart OSSEC and check 
> /var/ossec/log/ossec.log.
> Also, after the restart, run the command "ps aux | grep ossec" and check 
> that the ossec-maild process is running.
>
> Sat, 4 July 2015 at 19:13, theresa mic-snare:
>
>> I've also tried disabling iptables, but that didn't help either...
>> but then again I can send out emails with mailx just fine, so I don't 
>> think it's iptables blocking anyway...
>>
>> any ideas?
>>
>>
>> On Saturday, July 4, 2015 at 16:41:47 UTC+2, theresa mic-snare wrote:
>>>
>>> Hi Daniil, 
>>>
>>> I've already done that. The maillog doesn't show the mail being sent, 
>>> but there isn't an error either. It seems that ossec-maild isn't even 
>>> relaying it to the local SMTP MTA (ssmtp) because, as I said before, I can send 
>>> out mails with mailx just fine. 
>>>
>>> The ossec.log doesn't even mention ossec-maild even though the 
>>> process is running... 
>>> Hmm
>>
>>
> -- 
>
> --
> Best regards, Daniil Svetlov.
>  



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-06 Thread theresa mic-snare
Hi Daniil,

thank you very much for the advice with enabling debug!!
I've now looked into the ossec.log and it says:

2015/07/05 03:34:02 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
2015/07/05 15:03:18 ossec-syscheckd: INFO: Starting syscheck scan.
2015/07/05 15:16:37 ossec-syscheckd: INFO: Ending syscheck scan.
2015/07/05 15:21:37 ossec-rootcheck: INFO: Starting rootcheck scan.
2015/07/05 15:24:22 ossec-rootcheck: INFO: Ending rootcheck scan.
2015/07/06 11:19:22 ossec-syscheckd: INFO: Starting syscheck scan.
2015/07/06 11:32:41 ossec-syscheckd: INFO: Ending syscheck scan.
2015/07/06 11:37:41 ossec-rootcheck: INFO: Starting rootcheck scan.
2015/07/06 11:40:28 ossec-rootcheck: INFO: Ending rootcheck scan.
2015/07/06 19:03:11 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
2015/07/06 19:03:14 ossec-monitord(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2015/07/06 19:03:14 ossec-logcollector(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2015/07/06 19:03:14 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2015/07/06 19:03:14 ossec-analysisd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2015/07/06 19:03:14 ossec-maild(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2015/07/06 19:03:14 ossec-execd(1314): INFO: Shutdown received. Deleting 
responses.
2015/07/06 19:03:14 ossec-execd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2015/07/06 19:03:15 ossec-testrule: INFO: Reading local decoder file.
2015/07/06 19:03:15 ossec-testrule: INFO: Started (pid: 1900).


2015/07/06 19:03:15 ossec-maild: DEBUG: Starting ...
2015/07/06 19:03:15 ossec-maild: INFO: Chrooted to directory: /var/ossec, using user: ossecm
2015/07/06 19:03:15 ossec-maild: INFO: Started (pid: 1921).
2015/07/06 19:03:15 ossec-analysisd: DEBUG: Starting ...
2015/07/06 19:03:15 ossec-analysisd: DEBUG: Found user/group ...
2015/07/06 19:03:15 ossec-analysisd: DEBUG: Active response initialized ...

I've no idea why it says it can't send mails to localhost.
Do you think this could be an iptables or SELinux issue? Although I've set 
SELinux to status "Permissive", so it actually shouldn't block anything.

I have an assumption about why it's not working.
When I do a netstat -plntu I can only see the server listening on the SSH 
port. 

For my mail setup I only use ssmtp (to relay it to gmail.com); do I also 
need postfix set up for local mailing? The postfix config lets you relay 
mails locally...
What is your mail setup on the server?
I think ossec-maild needs a local MTA listening on port 25 to send 
emails out to ssmtp?!

What do you think?
Please help!

On Sunday, July 5, 2015 at 14:02:29 UTC+2, Daniil Svetlov wrote:
>
> Theresa, try issuing the command /var/ossec/bin/ossec-control enable debug. 
> It will increase log verbosity. Then restart OSSEC and check 
> /var/ossec/log/ossec.log.
> Also, after the restart, run the command "ps aux | grep ossec" and check 
> that the ossec-maild process is running.
>
> Sat, 4 July 2015 at 19:13, theresa mic-snare:
>
>> I've also tried disabling iptables, but that didn't help either...
>> but then again I can send out emails with mailx just fine, so I don't 
>> think it's iptables blocking anyway...
>>
>> any ideas?
>>
>>
>> On Saturday, July 4, 2015 at 16:41:47 UTC+2, theresa mic-snare wrote:
>>>
>>> Hi Daniil, 
>>>
>>> I've already done that. The maillog doesn't show the mail being sent, 
>>> but there isn't an error either. It seems that ossec-maild isn't even 
>>> relaying it to the local SMTP MTA (ssmtp) because, as I said before, I can send 
>>> out mails with mailx just fine. 
>>>
>>> The ossec.log doesn't even mention ossec-maild even though the 
>>> process is running... 
>>> Hmm
>>
>>
> -- 
>
> --
> Best regards, Daniil Svetlov.
>  
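The check behind theresa's hypothesis, as an added example that is not part of the thread and not OSSEC's own code. What it relies on: in OSSEC 2.8 ossec-maild opens a plain TCP connection to the host named in `<smtp_server>` on port 25 and speaks SMTP itself; it does not run a sendmail binary. ssmtp only provides a sendmail-compatible binary (which is why mailx works), so with ssmtp alone nothing listens on :25, matching her netstat output, and maild logs "Error Sending email to 127.0.0.1 (smtp server)". Enabling postfix, as she did in her follow-up, puts a listener there. The script pulls `smtp_server` out of a constructed ossec.conf fragment and probes the port with an EHLO, the way maild's connection must succeed. `probe_smtp`, `start_fake_mta` and `free_port` are names of this example; the port argument exists only so the constructed fake MTA can run unprivileged, maild itself always uses 25.

```python
"""Added example (not OSSEC code): check whether an MTA is really listening
where ossec-maild will connect. See the lead-in for what it assumes."""
import re
import socket
import threading

# Constructed ossec.conf fragment; the addresses are placeholders.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>alerts@example.invalid</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@example.invalid</email_from>
  </global>
</ossec_config>
"""


def smtp_server_from_conf(conf_text):
    """Pull the relay host out of an ossec.conf <global> block."""
    m = re.search(r"<smtp_server>\s*([^<\s]+)\s*</smtp_server>", conf_text)
    return m.group(1) if m else None


def _read_reply(f):
    """Read one SMTP reply, multi-line ('250-...') included; return (code, last line)."""
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":
            return line[:3], line


def probe_smtp(host, port=25, timeout=3.0):
    """Do what maild needs to succeed: TCP connect, 220 banner, 250 to EHLO.
    Returns (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rb")
            code, line = _read_reply(f)
            if code != "220":
                return False, "no SMTP banner, got: %r" % line
            s.sendall(b"EHLO ossec-check\r\n")
            code, line = _read_reply(f)
            s.sendall(b"QUIT\r\n")
            return code == "250", line
    except OSError as e:
        # "Connection refused" here is exactly the ssmtp-without-a-daemon case.
        return False, "%s:%d: %s" % (host, port, e)


def free_port():
    """A loopback port nobody listens on, to simulate the missing MTA."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_fake_mta():
    """Constructed stand-in for a listening MTA such as postfix. Serves one
    session (banner, EHLO, QUIT) on a background thread; returns (port, socket)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"220 localhost ESMTP fake\r\n")
                for raw in conn.makefile("rb"):
                    cmd = raw.strip().upper()
                    if cmd.startswith(b"EHLO"):
                        conn.sendall(b"250-localhost\r\n250 8BITMIME\r\n")
                    elif cmd.startswith(b"QUIT"):
                        conn.sendall(b"221 bye\r\n")
                        break
                    else:
                        conn.sendall(b"502 not implemented\r\n")
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    host = smtp_server_from_conf(SAMPLE_OSSEC_CONF)
    print("ssmtp only (nothing on the port):", probe_smtp(host, free_port(), 1.0))
    port, srv = start_fake_mta()
    print("MTA listening (postfix enabled): ", probe_smtp(host, port))
    srv.close()
```

On a real host, `probe_smtp(smtp_server_from_conf(open("/var/ossec/etc/ossec.conf").read()))` with the default port 25 gives the same answer maild gets; a refused connection while mailx still works is the signature of a sendmail-only setup such as ssmtp.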
