Re: [ossec-list] Re: reindexing logs

2016-09-28 Thread Jose Luis Ruiz
Hi Roberto,

Have you applied the custom mapping?

http://documentation.wazuh.com/en/latest/ossec_elk_elasticsearch.html#ossec-alerts-template

If you have the custom mapping applied, and the template in Logstash, you
need to wait until the next day, when the next index is created with the new
mapping and template.

After that, you will probably need to reindex all your indices to apply the
new template.


Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com


---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



[ossec-list] Re: reindexing logs

2016-09-28 Thread roberto . mendonca
Hi Pedro!

I am using OSSEC Wazuh, and I have a question about indexes.
I had implemented Logstash without using the file "elastic-ossec-template.json",
but I saw it would be good to use it. I want to use some indexes, and Kibana
shows "Analyzed Field", like "AgentName".

I put the template in the configuration of Logstash and the index has not
changed to "not analyzed".


My Logstash output:

output {

  # for archives.json log
  if [type] == "ossecall" {
    elasticsearch {
      hosts => "127.0.0.1:9200"
      # date pattern as posted read "%{+.MM.dd}"; YYYY assumed (Logstash default)
      index => "ossecall-%{+YYYY.MM.dd}"
      document_type => "ossecall"
      template => "/etc/logstash/elastic-ossec-template2.json"
      template_name => "ossecall"
      template_overwrite => true
    }
  }
  # for alerts.json log
  else {
    elasticsearch {
      hosts => "127.0.0.1:9200"
      index => "ossec-%{+YYYY.MM.dd}"
      document_type => "ossec"
      template => "/etc/logstash/elastic-ossec-template.json"
      template_name => "ossec"
      template_overwrite => true
    }
  }
}

Can you help me?



On Thursday, 2 June 2016 08:25:09 UTC-3, Pedro S wrote:
>
> Hi Maxim, 
>
> How are you forwarding the alerts/archives to Kibana?
>
> I think you will need the archives JSON output setting; if you are using 
> Wazuh, edit *ossec.conf* and add the following 
> setting:
>
>   
>> *yes*
>>   
>
>
>
> Once you do it, you will find new archives.json events files at:
>
> /var/ossec/logs/archives/archives.json
>
>
>
> The next step is to forward these archives events to Elasticsearch; to do 
> it we need to edit the Logstash configuration.
>
> My personal advice to index archives events is to create a dedicated index 
> pattern just for them, so you will be able to distinguish between events 
> and alerts, adding the following configuration inside the "output" section:
>
> output {
>   if [type] == "ossec-alerts" {
>     elasticsearch {
>       hosts => ["127.0.0.1:9200"]
>       # date pattern as posted read "%{+.MM.dd}"; YYYY assumed (Logstash default)
>       index => "ossec-%{+YYYY.MM.dd}"
>       document_type => "ossec"
>       template => "/etc/logstash/elastic-ossec-template.json"
>       template_name => "ossec"
>       template_overwrite => true
>     }
>   }
>   if [type] == "ossec-archives" {
>     elasticsearch {
>       hosts => ["127.0.0.1:9200"]
>       index => "ossec-archives-%{+YYYY.MM.dd}"
>       document_type => "ossec"
>       template => "/etc/logstash/elastic-ossec-template.json"
>       template_name => "ossec"
>       template_overwrite => true
>     }
>   }
> }
>
>
> Later in Kibana you will need to create a new index pattern 
> (Settings->indices) matching "ossec-archives-*".
>
> If you need to "reindex" or read a log file from the beginning using 
> Logstash, you can use the file input with the option *start_position* set 
> to *beginning* (+ info) 
> 
>
>
>
> On Monday, May 30, 2016 at 4:53:10 PM UTC+2, Maxim Surdu wrote:
>>
>> I have these archives files with logs, but in Kibana I cannot see them. Can 
>> I reindex these files?
>> If I can, please help me step by step.
>>
>> On Thursday, 19 May 2016, 10:17:51 UTC+3, Maxim Surdu wrote:
>>>
>>> Hi dear community,
>>>
>>> I had a problem with Logstash; after I resolved it, I saw that in Kibana 
>>> logs are missing. How can I resolve the problem and reindex all my logs 
>>> into Kibana?
>>> I will be thankful if someone will help me step by step.
>>>
>>>
>>> I appreciate your help, and a lot of respect for the developers and 
>>> community!
>>>
>>
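The check below is an added example (editor's code, not from this thread or from Wazuh) for the situation Jose and Roberto describe above: it compares the template Logstash installed with the mapping of a live daily index and lists the string fields Kibana will still show as analyzed. Both responses are constructed stand-ins for GET /_template/ossec and GET /ossec-2016.09.28/_mapping, and the field names in them are assumed.

```python
"""Why Kibana still shows AgentName as an 'Analyzed Field' after the template
was added to Logstash: in Elasticsearch 2.x an index template is applied only
when an index is created, so a daily ossec-YYYY.MM.dd index created before the
template keeps its old mapping until it is reindexed.  Added example; the two
responses below are constructed stand-ins, not real cluster output."""

# Constructed stand-in for GET /_template/ossec (the template Logstash installed
# from elastic-ossec-template.json); field names are assumed.
TEMPLATE_RESPONSE = {
    "ossec": {
        "template": "ossec-*",
        "mappings": {"ossec": {"properties": {
            "AgentName": {"type": "string", "index": "not_analyzed"},
            "srcip": {"type": "string", "index": "not_analyzed"},
            "full_log": {"type": "string"},              # free text: stays analyzed
            "rule": {"properties": {
                "description": {"type": "string"},
                "level": {"type": "long"},
            }},
        }}},
    }
}

# Constructed stand-in for GET /ossec-2016.09.28/_mapping on an index that was
# created before the template existed: every string field is still analyzed.
INDEX_RESPONSE = {
    "ossec-2016.09.28": {
        "mappings": {"ossec": {"properties": {
            "AgentName": {"type": "string"},
            "srcip": {"type": "string"},
            "full_log": {"type": "string"},
            "rule": {"properties": {
                "description": {"type": "string"},
                "level": {"type": "long"},
            }},
        }}},
    }
}


def string_fields(properties, prefix=""):
    """Flatten a mapping's 'properties' tree into {dotted.name: is_analyzed}.

    Only ES 2.x 'string' fields are reported; such a field is analyzed
    unless it carries "index": "not_analyzed".
    """
    result = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:                       # object field: recurse
            result.update(string_fields(spec["properties"], path + "."))
        elif spec.get("type") == "string":
            result[path] = spec.get("index") != "not_analyzed"
    return result


def analyzed_fields(mapping_response, index_name, doc_type="ossec"):
    """Sorted names of the string fields Kibana will flag as analyzed."""
    props = mapping_response[index_name]["mappings"][doc_type]["properties"]
    return sorted(f for f, analyzed in string_fields(props).items() if analyzed)


def fields_needing_reindex(template_response, template_name,
                           mapping_response, index_name, doc_type="ossec"):
    """Fields the template marks not_analyzed that the live index still analyzes.

    A non-empty result means the index predates the template: the next daily
    index will pick the template up, and this one has to be reindexed.
    """
    wanted = string_fields(
        template_response[template_name]["mappings"][doc_type]["properties"])
    live = string_fields(
        mapping_response[index_name]["mappings"][doc_type]["properties"])
    return sorted(f for f, analyzed in wanted.items()
                  if not analyzed and live.get(f, False))


if __name__ == "__main__":
    print("analyzed in live index:",
          analyzed_fields(INDEX_RESPONSE, "ossec-2016.09.28"))
    print("needs reindex for:", fields_needing_reindex(
        TEMPLATE_RESPONSE, "ossec", INDEX_RESPONSE, "ossec-2016.09.28"))
```

Against a real cluster, feed the parsed JSON of GET /_template/ossec and of GET /ossec-*/_mapping to the two functions; any index that comes back non-empty from fields_needing_reindex was created before the template and keeps the old mapping.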



[ossec-list] Using active-response instead of email alerts

2016-09-28 Thread Laura Herrera
Hi guys,

I need to get ossec to use a script every time that an alert is fired by 
any of my servers.

There is an example of this 
in http://ossec-docs.readthedocs.io/en/latest/manual/ar/ar-custom.html
which uses a script on the server when a specific rule is fired.

How can I make that generic, so that this script gets called every time 
there is any alert for which an email would've been sent?

Thanks a lot
Laura



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2016-09-28 Thread Laura Herrera
Hi Dan,

Changing subject a bit, do you know if it's possible to have alerts in 
OSSEC call a script instead of sending an email directly?

Ta
Laura



[ossec-list] OSSEC 2.8.3 in SOLARIS 10 ./MAKEALL ALL failed

2016-09-28 Thread Aj Navarro
Running install.sh on SunOS 5.10 produces the following error message: 
 
5- Installing the system
 - Running the Makefile
./Makeall: test: argument expected
*** Error code 1
The following command caused the error:
/bin/sh ./Makeall all
make: Fatal error: Command failed for target `all'
 Error 0x5.
 Building error. Unable to finish the installation.
 
When I run sh -x Makeall, the following appears: 
 
-bash-3.2# sh -x Makeall all
ARGV=all
+ [ Xall = X ] 
+ [ Xall = Xsetmaxagents ] 
CJSONV=external/cJSON/
LUAV=external/lua/
LUA_PLAT=posix
+ uname -m 
MACH=sun4v
+ uname 
OS=SunOS
+ cat ./VERSION 
VERSION=v2.8.3
MSG=
LIBS=os_xml os_regex os_net os_crypto
SOURCES=shared config
BINARIES=os_maild os_dbd os_csyslogd agentlessd os_execd analysisd 
logcollector remoted client-agent addagent util rootcheck syscheckd 
monitord os_auth
ROOTCHECKBIN=rootcheck
DIRECTORIES=
+ [ XSunOS = XSunOS ] 
PATH=/usr/sbin:/usr/bin:/usr/ccs/bin:/usr/xpg4/bin:/opt/csw/gcc3/bin:/opt/csw/bin:/usr/sfw/bin
+ export PATH 
+ [ Xall = Xall -o Xall = Xtest -o Xall = Xrootcheck -o Xall = Xlibs ] 
+ ls ./Config.OS 
+ [ ! 0 = 0 ] 
+ [ -e /usr/include/openssl/opensslconf.h ] 
Makeall: test: argument expected
 
 



[ossec-list] Windows SSTP VPN rule.

2016-09-28 Thread namobuddhaonion
I'm wondering if anyone has done an OSSEC Windows SSTP VPN rule?
I want to start tracking and logging them, GEO tracking would be awesome?

Has anyone already done this, or could they suggest a rule?

Thanks!



[ossec-list] What is the best way to make ossec ignore alerts caused by new packages (unatended upgrades)?

2016-09-28 Thread 'James Vernon' via ossec-list
As the title says, is there a defined best practice for this?

If unattended upgrades runs and upgrades any packages, ossec spams emails 
about changed files (as expected). Is there a tried and true method to make 
ossec aware that the packages were updated via unattended upgrades so it 
doesn't generate alerts, or something similar outside of ossec (I 
acknowledge that this can be abused, but I would like to see if it's 
possible)? I'm quite new to this software so you will have to forgive me.



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2016-09-28 Thread Laura Herrera
Hi Dan,

Yes, thank you, I have been trying to get this working all day.

I am running OSSEC on an Ubuntu 14.04 server and I need to be able to email 
alerts, of course.

I saw in a separate post that OSSEC actually needs SMTP listening on the 
local server, and so I decided to use Postfix as a relay.
To make things more complicated, my mail server is in Office 365.

Here are my configurations:
/etc/postfix/main.cf   (changes from original)

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_generic_maps = hash:/etc/postfix/generic

myhostname = ossec-1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.localdomain, localhost
relayhost = smtp.office365.com:587
mynetworks = 127.0.0.0/8, 10.0.0.0/8

/etc/postfix/generic
/.*/  u...@example.com


/etc/postfix/sasl_passwd
[smtp.office365.com]:587 u...@example.com:MyPassword


ossec.conf
  
no
yes
localhost
dev...@example.com
u...@example.com
  

I am sure Postfix is listening on port 25:
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      947/master

The error I get, even after enabling debug mode in OSSEC, is not very 
helpful at all:
2016/09/28 09:36:04 ossec-maild(1223): ERROR: Error Sending email to 
127.0.0.1 (smtp server)

Nothing before or after that can be of help...

Sorry, I don't know what else to say.

Thanks a lot, hope you can help
Laura
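The probe below is an added example (editor's code, not part of OSSEC and not from this thread) for the ossec-maild error Laura quotes, and for the ssmtp case in the thread further down: it performs the same plain SMTP steps ossec-maild does against the local relay and reports the server's actual reply. The hostname, addresses and scripted server replies are constructed sample values.

```python
"""Probe the SMTP dialogue that ossec-maild performs against <smtp_server>,
so the relay's real reply is visible where ossec.log only says
"ERROR: Error Sending email to 127.0.0.1 (smtp server)".

ossec-maild speaks plain SMTP on port 25 with no AUTH and no STARTTLS, so it
needs a real listener there: a local Postfix relay works, a send-only wrapper
like ssmtp (which opens no listening socket) does not.  Added example;
hostnames, addresses and the scripted replies are constructed.
"""
import socket


def maild_dialogue(helo_host, mail_from, rcpt_to):
    """The steps as (command, required reply-code prefix); None = read greeting.

    The probe stops at QUIT instead of sending DATA, so no mail is queued.
    """
    return [
        (None, "220"),
        (f"HELO {helo_host}", "250"),
        (f"MAIL FROM:<{mail_from}>", "250"),
        (f"RCPT TO:<{rcpt_to}>", "250"),
        ("QUIT", "221"),
    ]


def run_probe(exchange, helo_host, mail_from, rcpt_to):
    """Drive the dialogue through exchange(command) -> reply line.

    Returns (ok, failed_step, reply): ok is True when every reply carried the
    expected code, else failed_step is the command the server rejected.
    """
    for command, expected in maild_dialogue(helo_host, mail_from, rcpt_to):
        reply = exchange(command)
        if not reply.startswith(expected):
            return False, command or "GREETING", reply
    return True, None, None


def socket_exchange(host="127.0.0.1", port=25, timeout=5.0):
    """exchange() over a real TCP connection (raises OSError if nothing listens)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("r", encoding="ascii", errors="replace")

    def exchange(command):
        if command is not None:
            sock.sendall((command + "\r\n").encode("ascii"))
        line = rfile.readline()
        while len(line) >= 4 and line[3] == "-":   # skip "250-..." continuation lines
            line = rfile.readline()
        return line.rstrip("\r\n")
    return exchange


def scripted_exchange(replies):
    """Offline exchange(): replies maps a command (None = greeting) to the
    server's reply; anything not listed is accepted with 250."""
    return lambda command: replies.get(command, "250 2.0.0 Ok")


# Constructed transcript: Postfix accepts the greeting, HELO and MAIL FROM but
# refuses to relay for a client that is outside mynetworks.
RELAY_DENIED = {
    None: "220 ossec-1.example.com ESMTP Postfix",
    "RCPT TO:<devops@example.com>": "554 5.7.1 <devops@example.com>: Relay access denied",
}
# Constructed transcript of a relay that accepts everything.
RELAY_OK = {None: "220 ossec-1.example.com ESMTP Postfix", "QUIT": "221 2.0.0 Bye"}


def probe_scripted(replies, helo_host="ossec-1.example.com",
                   mail_from="ossec@example.com", rcpt_to="devops@example.com"):
    """Run the maild dialogue against a scripted server; result as in run_probe."""
    return run_probe(scripted_exchange(replies), helo_host, mail_from, rcpt_to)


if __name__ == "__main__":
    print("scripted, relay denied:", probe_scripted(RELAY_DENIED))
    try:
        live = socket_exchange()
    except OSError as err:   # the ssmtp case: nothing accepts connections on :25
        print(f"no SMTP listener on 127.0.0.1:25 ({err}); ossec-maild cannot deliver")
    else:
        print("live:", run_probe(live, "ossec-1.example.com",
                                 "ossec@example.com", "devops@example.com"))
```

Run it on the OSSEC server itself with the same sender and recipient as email_from and email_to in ossec.conf; the step and reply it prints are what ossec-maild saw but did not log.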




[ossec-list] Re: How to monitor file a Powershell script is writing to

2016-09-28 Thread Brian Kellogg
Thanks Josh, I'll give it a go tonight.

I now remember a previous post you mentioned this in.  Thanks for reminding 
me!



[ossec-list] Re: How to monitor file a Powershell script is writing to

2016-09-28 Thread DefensiveDepth
Make sure that the file you are writing to is ASCII. I have had issues with 
OSSEC reading a file that PS writes to without specifically encoding it as 
ASCII... From my Autoruns Normalize script, this is what I am doing:

#Appends the resulting message in ascii (OSSEC Windows Client does not 
support Unicode logs)
Out-File -Append -Encoding ascii -FilePath ar-normalized.log

Side note - after you make this change in your PS script, delete the log 
file and let it re-create it.

If that still doesn't work, enable debug mode for your OSSEC windows agent, 
restart the agent and try again. Then view the agent logs - the debug logs 
should give you some further ideas of what is going on.

-Josh

On Tuesday, September 27, 2016 at 9:24:37 PM UTC-4, Brian Kellogg wrote:
>
> I've configured the OSSEC agent 2.8.3 to read a file being written to by a 
> Powershell script.  It is a log file with each log entry on its own line. 
>  Can't get Powershell to read the file.  Never see the logs come into the 
> OSSEC server archive.log file.  Using the syslog file type to access this 
> local file.
>
> I've tried Powershell Out-File and Add-Content cmdlets with no success. 
>  Has anyone had success doing this or something similar?  Out-File is 
> supposed to allow reading of the file while it is being written to.
>



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2016-09-28 Thread dan (ddp)
On Sep 28, 2016 6:42 AM, "Laura Herrera"  wrote:
>
> Hi Theresa,
>
> Please can i ask how did you solve this problem?
>

If you're having issues, you could post details and we could try to help.



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2016-09-28 Thread Laura Herrera
Hi Theresa,

Please can I ask how you solved this problem?

Thanks a lot,
Laura

On Monday, 6 July 2015 18:35:50 UTC+1, theresa mic-snare wrote:
>
> OK, managed to fix this and face-palming myself
>
> i've tweaked the postfix config a bit, enabled the service and there we 
> go...
> ossec-maild is now officially sending out alerts to my email address.
>
> theresa happy :)
>
> On Sunday, 5 July 2015 14:02:29 UTC+2, Daniil Svetlov wrote:
>>
>> Theresa, try to issue command /var/ossec/bin/ossec-control enable debug. 
>> It will increase log verbosity. Then restart OSSEC, and check 
>> /var/ossec/log/ossec.log.
>> Also after restart try to issue command "ps aux | grep ossec", and check, 
>> that ossec-maild process is running.
>>
>> Sat, 4 Jul 2015 at 19:13, theresa mic-snare :
>>
>>> I've also tried disabling iptables, but that didn't help either...
>>> but then again I can send out emails with mailx just fine, so I don't 
>>> think it's iptables blocking anyway...
>>>
>>> any ideas?
>>>
>>>
>>> On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:

 Hi Daniil, 

 I've already done that. The maillog doesn't show the mail being sent, 
 but there isn't an error either. It seems that the ossec-maild isn't even 
 relaying it to the local smtp mta (ssmtp) because as said before I can send 
 out mails with mailx just fine. 

 The ossec.log doesn't even mention the ossec-maild even though the 
 process is running... 
 Hmm
>>>
>> -- 
>>
>> --
>> Best regards, Daniil Svetlov.
>>
>



Re: [ossec-list] ossec-maild Error Sending email to 127.0.0.1

2016-09-28 Thread Laura Herrera
Hi Theresa,

Please could you explain how you solved this?
Might be an epic fail for you, but it might help others  :)

Thanks a lot
Laura

On Tuesday, 22 December 2015 10:53:55 UTC, theresa mic-snare wrote:
>
> *FACEPALM*
>
> problem solved.this is too embarrassing :(((
> epic fail!
>
> On Tuesday, 22 December 2015 10:54:45 UTC+1, theresa mic-snare wrote:
>>
>> hmm, it looks as if ossec-maild has a problem with my ssmtp.
>> ssmtp works fine, because it sent me an automated/generated email at 2:43 
>> in the morning.
>> I've set DEBUGGING=yes in the ssmtp.conf but the logs don't show any more 
>> info to debug.
>>
>> What surprises me is that on netstat ssmtp isn't showing any open 
>> connections.
>> To me it looks like it's only opening a connection when it wants to send 
>> an email; there's no permanent open connection.
>>
>> here's my ssmtp.conf
>> AuthUser=xx...@gmail.com
>> AuthPass=x
>> FromLineOverride=YES
>> mailhub=smtp.gmail.com:587
>> UseSTARTTLS=YES
>> TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
>> Debug=YES
>>
>> and my open connections:
>> netstat -tulpen
>> Active Internet connections (only servers)
>> Proto Recv-Q Send-Q Local Address                Foreign Address  State   User  Inode  PID/Program name
>> tcp   0      0      0.0.0.0:3306                 0.0.0.0:*        LISTEN  27    37255941313/mysqld
>> tcp   0      0      0.0.0.0:22                   0.0.0.0:*        LISTEN  0     11227  1216/sshd
>> tcp   0      0      :::22                        :::*             LISTEN  0     11232  1216/sshd
>> tcp   0      0      :::8080                      :::*             LISTEN  0     11642  1550/httpd
>> tcp   0      0      :::80                        :::*             LISTEN  0     11638  1550/httpd
>> udp   0      0      0.0.0.0:1514                 0.0.0.0:*                0     13181  1926/ossec-remoted
>> udp   0      0      78.41.116.116:123            0.0.0.0:*                0     11350  1256/ntpd
>> udp   0      0      127.0.0.1:123                0.0.0.0:*                0     11346  1256/ntpd
>> udp   0      0      0.0.0.0:123                  0.0.0.0:*                0     11339  1256/ntpd
>> udp   0      0      ::1:123                      :::*                     0     11352  1256/ntpd
>> udp   0      0      fe80::5054:ff:fef6:4b74:123  :::*                     0     11351  1256/ntpd
>> udp   0      0      :::123                       :::*                     0     11340  1256/ntpd
>>
>> I'm happy to do a TCPdump but at the moment I don't really know what to 
>> filter for...
>> is ossec-maild listening on a specific port or the default port 25 for smtp?
>>
>> thanks,
>> theresa
>>
>> On Monday, 21 December 2015 14:00:56 UTC+1, dan (ddpbsd) wrote:
>>>
>>> On Sun, Dec 20, 2015 at 7:50 AM, theresa mic-snare 
>>>  wrote: 
>>> > Hi everyone, 
>>> > 
>>> > today I've noticed a problem with the ossec-maild process. 
>>> > The ossec.log keeps saying 
>>> > 
>>> > ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp 
>>> server) 
>>> > 
>>> > Of course I started troubleshooting the problem and tried to send 
>>> several 
>>> > test-emails from the ossec master. 
>>> > I'm using ssmtp through my google-mail account by the way. 
>>> > All test mails that I sent arrived immediately, so sending mails 
>>> through my 
>>> > MTA seems to work as usual. 
>>> > 
>>> > Then I checked the mail log /var/log/maillog-20151220 
>>> > which to my surprise has the latest mail entry from yesterday 19:30 
>>> > Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org (221 
>>> 2.0.0 
>>> > closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache 
>>> > outbytes=1898 
>>> > 
>>> > changed the email address to b...@bla.org for demonstration 
>>> purposes... 
>>> > 
>>> > 
>>> > at least the two test emails that I just send should appear in this 
>>> log, 
>>> > right? 
>>> > 
>>> > I know that the root cause to this problem is NOT an ossec 
>>> problem... but 
>>> > maybe you have an idea what the problem might be? 
>>> > I've checked the quota settings in my gmail account, (so far only 10% 
>>> > used...) 
>>> > I've also checked the disk space on my ossec master, still 21GB left 
>>> on / 
>>> > (where also /var is mounted) 
>>> > 
>>> > so I doubt it's a quota or diskspace problem. 
>>> > i've also restarted (stopped and started) ossec, to see if any zombie 
>>> > processes still allocated the filesystem, and it therefore showed that 
>>> > plenty of diskspace was available. 
>>>