[ossec-list] Re: Snort vs. OSSEC

2020-03-30 Thread Michael Fernandez
Snort is slightly ahead of OSSEC because of its ability to operate on cross 
platforms. Snort also works along with your existing infra and doesn't put 
any burden on you for putting in any extra costs for replacement. Snort 
also filters data packets in real-time whereas OSSEC checks log files for 
detection of any threat.

https://wisdomplexus.com/blogs/snort-vs-ossec/


On Friday, September 1, 2006 at 9:08:19 PM UTC+5:30, Marty E. Hillman wrote:
>
> I am not trying to start a flame war here - just trying to get a better
> sense of direction on how to best protect my network.  Does anyone know
> what the advantage to using OSSEC HIDS over Snort is?  
>
> I have been playing with OSSEC quite successfully for the past week in a
> demo environment, but it seems to have stopped sending email alerts
> sometime last evening.  I thought since I would have to do a bunch of
> rebuilding that I might give other products a shot.
>
> I need to monitor Windows and Cisco devices and like the aggregation of
> data and alerting functions within OSSEC.  Does anyone have experiences
> with other products that they would be willing to share?
>
> Marty
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/969e5290-b8dc-49ed-a07c-45027e8eb371%40googlegroups.com.


[ossec-list] ossec-maild?

2020-03-30 Thread Glen Peterson
Sorry to be dense.  I just tried to post another message and don't see it 
in google groups.  I'm noticing that other people have an ossec-maild, but 
I don't:
$ sudo ls -l /var/ossec/bin/
total 1164
-r-xr-x--- 1 root ossec 149632 Mar 15 15:02 agent-auth
-r-xr-x--- 1 root ossec 153728 Mar 15 15:02 manage_agents
-r-xr-x--- 1 root ossec 276704 Mar 15 15:02 ossec-agentd
-r-xr-x--- 1 root ossec   4593 Feb 14 14:46 ossec-control
-r-xr-x--- 1 root ossec  63504 Mar 15 15:02 ossec-execd
-r-xr-x--- 1 root ossec 235840 Mar 15 15:02 ossec-logcollector
-r-xr-x--- 1 root ossec 284864 Mar 15 15:02 ossec-syscheckd
-r-xr-x--- 1 root ossec   4503 Feb 14 14:46 util.sh

I just installed ossec for the first time over the weekend.  I can't seem 
to get it to send mail.  Am I missing an executable?



[ossec-list] Email configuration issue

2020-03-30 Thread Glen Peterson
I think my issue is my server's mail (postfix) configuration.  I can send 
an email from the command line like so:

$ sendmail -f root@localhost my.em...@company.com
This is a test.
.

I can see it get sent in /var/log/mail.log.  I get it (in my spam folder, 
but it's a start).

I added these settings to /var/ossec/etc/ossec.conf

  <global>
    <email_notification>yes</email_notification>
    <email_to>my.em...@company.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>root@localhost</email_from>
  </global>

Then:

sudo /var/ossec/bin/ossec-control stop

sudo /var/ossec/bin/ossec-control start
sudo tail -F /var/ossec/logs/ossec.log

It starts up fine - I can see a couple dozen new messages in the log (see 
the end of this email).  But there is no email, and no record of even an 
email attempt in /var/log/mail.log

I'm guessing that ossec doesn't send mail the same way I do when I test 
sendmail from the command line, but I don't know what it *does* do.

Then I tried:
$ whereis sendmail
sendmail: /usr/sbin/sendmail /usr/lib/sendmail 
/usr/share/man/man1/sendmail.1.gz
$ ls -l /usr/sbin/sendmail
-rwxr-xr-x 1 root root 26776 Oct 11  2018 /usr/sbin/sendmail

And changed
<smtp_server>localhost</smtp_server>
to
<smtp_server>/usr/sbin/sendmail</smtp_server>

stopped and started ossec-control: still no email.  Still no errors about 
emails.  Here is /var/ossec/logs/ossec.log from the latest attempt:

2020/03/30 12:24:19 ossec-execd: INFO: Started (pid: 5337).
2020/03/30 12:24:19 ossec-agentd: INFO: Using notify time: 600 and max time 
to reconnect: 1800
2020/03/30 12:24:19 going daemon
2020/03/30 12:24:19 starting imsg stuff
2020/03/30 12:24:19 Creating socketpair()
2020/03/30 12:24:19 agentd imsg_init()
2020/03/30 12:24:19 os_dns imsg_init()
2020/03/30 12:24:19 ossec-agentd(1410): INFO: Reading authentication keys 
file.
2020/03/30 12:24:19 ossec-agentd: INFO: No previous counter available for 
'server1'.
2020/03/30 12:24:19 ossec-agentd: INFO: Assigning counter for agent 
server1: '0:0'.
2020/03/30 12:24:19 ossec-agentd: INFO: Assigning sender counter: 0:659
2020/03/30 12:24:19 rootcheck: System audit file not configured.
2020/03/30 12:24:19 ossec-agentd: INFO: Started (pid: 5341).
2020/03/30 12:24:19 ossec-agentd: INFO: Server 1: 172.24.16.158
2020/03/30 12:24:19 ossec-agentd: INFO: Trying to connect to server 
172.24.16.158, port 1514.
2020/03/30 12:24:19 INFO: Connected to 172.24.16.158 at address 
172.24.16.158, port 1514
2020/03/30 12:24:19 ossec-agentd: DEBUG: agt->sock: 11
2020/03/30 12:24:23 ossec-syscheckd: INFO: Started (pid: 5350).
2020/03/30 12:24:23 ossec-rootcheck: INFO: Started (pid: 5350).
2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/etc', 
with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: 
'/usr/bin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: 
'/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/bin', 
with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/sbin', 
with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/boot', 
with options perm | size | owner | group | md5sum | sha1sum.
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/random.seed'
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
2020/03/30 12:24:23 ossec-syscheckd: INFO: No diff for file: 
'/etc/ssl/private.key'
2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file 
'/var/log/messages' due to [(2)-(No such file or directory)].
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/messages'.
2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file 
'/var/log/authlog' due to [(2)-(No such file or directory)].
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/authlog'.
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/auth.log'.
2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file 
'/var/log/secure' due to [(2)-(No such file or directory)].
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/secure'.
2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file 
'/var/log/xferlog' due to [(2)-(No such file or directory)].
2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/xferlog'.
2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file 
'/var/log/maillog' due to [(2)-(No such file or 

Re: [ossec-list] ossec-maild?

2020-03-30 Thread dan (ddp)
On Mon, Mar 30, 2020 at 2:00 PM Glen Peterson  wrote:
>
> Sorry to be dense.  I just tried to post another message and don't see it in 
> google groups.  I'm noticing that other people have an ossec-maild, but I 
> don't:
> $ sudo ls -l /var/ossec/bin/
> total 1164
> -r-xr-x--- 1 root ossec 149632 Mar 15 15:02 agent-auth
> -r-xr-x--- 1 root ossec 153728 Mar 15 15:02 manage_agents
> -r-xr-x--- 1 root ossec 276704 Mar 15 15:02 ossec-agentd
> -r-xr-x--- 1 root ossec   4593 Feb 14 14:46 ossec-control
> -r-xr-x--- 1 root ossec  63504 Mar 15 15:02 ossec-execd
> -r-xr-x--- 1 root ossec 235840 Mar 15 15:02 ossec-logcollector
> -r-xr-x--- 1 root ossec 284864 Mar 15 15:02 ossec-syscheckd
> -r-xr-x--- 1 root ossec   4503 Feb 14 14:46 util.sh
>
> I just installed ossec for the first time over the weekend.  I can't seem to 
> get it to send mail.  Am I missing an executable?
>

This looks like an agent installation. The OSSEC server handles
sending out email.




Re: [ossec-list] ossec-maild?

2020-03-30 Thread Glen Peterson
I installed on Ubuntu 18.04 according to this:
https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian

I installed both agent and server.  Specifically:
$ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash

$ sudo apt update

$ sudo apt install ossec-hids-server
$ sudo apt install ossec-hids-agent

$ sudo -u ossec ssh-keygen

$ sudo vim /var/ossec/etc/client.keys
001 server1 any 

$ sudo chown root.ossec /var/ossec/etc/client.keys

Then I edited ossec.conf as I wrote in my previous mail and started the 
server.

$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
Started ossec-execd...
2020/03/30 14:05:04 ossec-agentd: INFO: Using notify time: 600 and max time 
to reconnect: 1800
2020/03/30 14:05:04 going daemon
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.




Re: [ossec-list] ossec-maild?

2020-03-30 Thread dan (ddp)
On Mon, Mar 30, 2020 at 2:11 PM Glen Peterson  wrote:
>
> I installed on Ubuntu 18.04 with according to this:
> https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian
>
> I installed both agent and server.  Specifically:
> $ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
>
> $ sudo apt update
>
> $ sudo apt install ossec-hids-server
> $ sudo apt install ossec-hids-agent
>

They should be mutually exclusive, so I'm guessing the agent removed the server.

> $ sudo -u ossec ssh-keygen
>
> $ sudo vim /var/ossec/etc/client.keys
> 001 server1 any 
>
> $ sudo chown root.ossec /var/ossec/etc/client.keys
>
> Then I edited ossec.conf as I wrote in my previous mail and started the 
> server.
>
> $ sudo /var/ossec/bin/ossec-control start
> Starting OSSEC HIDS v3.6.0...
> Started ossec-execd...
> 2020/03/30 14:05:04 ossec-agentd: INFO: Using notify time: 600 and max time 
> to reconnect: 1800
> 2020/03/30 14:05:04 going daemon
> Started ossec-agentd...
> Started ossec-logcollector...
> Started ossec-syscheckd...
> Completed.
>

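The two points dan makes in his replies (only the server ships ossec-maild, and the agent and server packages are mutually exclusive) can be turned into a quick pre-flight check. This is an added example, not code from the thread or from the OSSEC project; it assumes the default /var/ossec layout seen in the listings above, and the fixture it builds for testing is constructed to mirror Glen's `ls -l` output.

```bash
#!/bin/bash
# Added example: classify an OSSEC install as server or agent from the daemons
# present in its bin directory, then check whether ossec.conf enables email.
# Only the OSSEC server runs ossec-maild, so an "agent" result explains why
# no mail is ever handed to the MTA. Paths default to the thread's /var/ossec.

# Print "server", "agent", or "unknown" for the given bin directory.
ossec_install_type() {
    local bindir="${1:-/var/ossec/bin}"
    if [ -x "$bindir/ossec-maild" ] && [ -x "$bindir/ossec-analysisd" ]; then
        echo server
    elif [ -x "$bindir/ossec-agentd" ]; then
        echo agent
    else
        echo unknown
    fi
}

# Return 0 when <email_notification>yes</email_notification> is present.
email_enabled() {
    local conf="${1:-/var/ossec/etc/ossec.conf}"
    grep -Eq '<email_notification>[[:space:]]*yes[[:space:]]*</email_notification>' "$conf"
}

# One-line diagnosis; returns 0 only for a server install with email enabled.
diagnose() {
    local root="${1:-/var/ossec}" kind
    kind=$(ossec_install_type "$root/bin")
    if [ "$kind" != server ]; then
        echo "$kind install: ossec-maild only ships with the server package"
        return 1
    fi
    if ! email_enabled "$root/etc/ossec.conf"; then
        echo "server install, but <email_notification> is not set to yes"
        return 1
    fi
    echo "server install with email notification enabled"
}

# Constructed fixture (hypothetical, for offline testing): an install tree
# with exactly the agent-only binaries from Glen's listing.
make_fixture() {
    local dir d
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/etc"
    for d in agent-auth manage_agents ossec-agentd ossec-control \
             ossec-execd ossec-logcollector ossec-syscheckd; do
        : > "$dir/bin/$d"
        chmod 750 "$dir/bin/$d"
    done
    printf '<global>\n  <email_notification>yes</email_notification>\n</global>\n' \
        > "$dir/etc/ossec.conf"
    echo "$dir"
}

# Usage on a real host: diagnose /var/ossec
```
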


Re: [ossec-list] ossec-maild?

2020-03-30 Thread Glen Peterson
This is progress, I now have ossec-maild running, but still no email and 
nothing from ossec in /var/log/mail.log.  Here's what I did:

$ sudo /var/ossec/bin/ossec-control stop
$ sudo apt purge ossec-hids-agent
$ sudo apt purge ossec-hids-server
$ sudo apt install ossec-hids-server

My old keygen file was still there, as was the client.keys file.

$ sudo vim /var/ossec/etc/ossec.conf

  <global>
    <email_notification>yes</email_notification>
    <email_to>my.em...@company.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>root@localhost</email_from>
  </global>


$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.


No email.  Then I tried with:
<smtp_server>/usr/sbin/sendmail</smtp_server>

Still no email.

$ sudo cat /var/ossec/logs/ossec.log
...
2020/03/30 15:38:24 ossec-testrule: INFO: Reading local decoder file.
2020/03/30 15:38:24 ossec-testrule: INFO: Started (pid: 17631).
2020/03/30 15:38:24 ossec-maild: INFO: Started (pid: 17644).
2020/03/30 15:38:24 ossec-execd: INFO: Started (pid: 17649).
2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17661).
2020/03/30 15:38:24 IPv6: :: on port 1514
2020/03/30 15:38:24 Socket bound for IPv6: :: on port 1514
2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17663).
2020/03/30 15:38:24 rootcheck: System audit file not configured.
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading local decoder file.
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'rules_config.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'pam_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'sshd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'telnetd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'syslog_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'arpwatch_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'symantec-av_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'symantec-ws_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'pix_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'named_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'smbd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'vsftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'pure-ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'proftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ms_ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'hordeimp_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'roundcube_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'wordpress_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'cimserver_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'vpopmail_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'vmpop3d_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'courier_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'web_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'web_appsec_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'apache_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'nginx_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'php_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'mysql_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'postgresql_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ids_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'squid_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'firewall_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'apparmor_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'cisco-ios_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'netscreenfw_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'sonicwall_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'postfix_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'sendmail_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'imapd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'mailscanner_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'dovecot_rules.xml'
2020/03/30 15:38:24

Re: [ossec-list] ossec-maild?

2020-03-30 Thread Glen Peterson
I did that all again, but added:
$ sudo rm -rf /var/ossec/
Between the uninstall and reinstall.  Then created my keygen and client.key 
files from scratch.

and...

Oh...  Now I'm getting email alerts!!!  Wohoo!

Thanks so much for your help!
