Hi Felix,

I followed your steps and got the same result. Maybe the OSSEC log could
help us:

[root@centos ~]# tail /var/ossec/logs/ossec.log
2017/04/07 00:59:35 ossec-testrule: INFO: Reading local decoder file.
2017/04/07 00:59:35 ossec-testrule: INFO: Started (pid: 2303).
2017/04/07 00:59:50 ossec-maild(1501): ERROR: Invalid SMTP Server: smtp.example.com.
2017/04/07 00:59:50 ossec-maild(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2017/04/07 00:59:50 ossec-maild(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.


I think the problem is that email notifications are enabled but no
valid SMTP server is configured, so if you get the same error, edit the file
"/var/ossec/etc/ossec.conf" and try to configure the email settings, or
disable email notifications if you won't use them:

<global>
  <email_notification>no</email_notification>
  <email_to>daniel....@example.com</email_to>
  <smtp_server>smtp.example.com.</smtp_server>
  <email_from>oss...@ossec.example.com.</email_from>
</global>


Then try to start OSSEC again:

[root@centos ~]# systemctl start ossec-hids
[root@centos ~]# systemctl status ossec-hids
● ossec-hids.service - SYSV: OSSEC-HIDS is an Open Source Host-based Intrusion Detection System.
   Loaded: loaded (/etc/rc.d/init.d/ossec-hids; bad; vendor preset: disabled)
   Active: active (running) since Fri 2017-04-07 01:03:08 PDT; 6s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 2386 ExecStart=/etc/rc.d/init.d/ossec-hids start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/ossec-hids.service
           ├─2414 /var/ossec/bin/ossec-execd
           ├─2418 /var/ossec/bin/ossec-analysisd
           ├─2422 /var/ossec/bin/ossec-logcollector
           ├─2433 /var/ossec/bin/ossec-syscheckd
           └─2437 /var/ossec/bin/ossec-monitord


Hope it helps.

Best regards.


On Fri, Apr 7, 2017 at 4:12 AM, Felix Martel <martel.fe...@gmail.com> wrote:

> Hello,
>
> Not finding any useful information regarding my problems anywhere. I'm new
> to OSSEC HIDS. I played around a little bit with an appliance version, but
> now want to install it on a DevOps host.
>
> I just did a fresh install of OSSEC HIDS from the atomicorp repo. Install
> seemed to go normally, although none of the usual installation questions
> were asked with respect to the questions asked by /install.sh in the manual
> (ie installation type, e-mail address, notifications, different engines,
> etc.). Haven't found any instructions on how to do those configuration
> steps post-install either.
>
> Anyways, I installed using the command
>
> yum install ossec-hids ossec-hids-server
>
>
> Everything seemed normal. No error messages during the installation.
>
> After the installation, I attempted to start OSSEC-HIDS with the command
>
> /etc/init.d/ossec-hids start
>
> At this point I got an error "Command not found".
>
> I rebooted the server and was then able to run the command. At this point
> I got the following errors:
>
> Starting ossec-hids (via systemctl):  Job for ossec-hids.service failed
> because the control process exited with error code. See "systemctl status
> ossec-hids.service" and "journalctl -xe" for details.
>                                                            [FAILED]
>
>
> I then ran journalctl -xe and got the following output:
>
> -- Unit ossec-hids.service has begun starting up.
> Apr 06 21:35:48 RHEL7HOST realmd[1698]: quitting realmd service after
> timeout
> Apr 06 21:35:48 RHEL7HOST realmd[1698]: stopping service
> Apr 06 21:36:01 RHEL7HOST ossec-hids[2382]: Starting ossec-hids: [FAILED]
> Apr 06 21:36:01 RHEL7HOST systemd[1]: ossec-hids.service: control process
> exited, code=exited status=1
> Apr 06 21:36:01 RHEL7HOST systemd[1]: Failed to start SYSV: OSSEC-HIDS is
> an Open Source Host-based Intrusion Detection System..
> -- Subject: Unit ossec-hids.service has failed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit ossec-hids.service has failed.
> --
> -- The result is failed.
> Apr 06 21:36:01 RHEL7HOST systemd[1]: Unit ossec-hids.service entered
> failed state.
> Apr 06 21:36:01 RHEL7HOST systemd[1]: ossec-hids.service failed.
>
> I'm stumped. What I find really curious is the fact that realmd seems to
> stop (and immediately restarts after the failed start). Any help
> appreciated.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
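
The diagnosis in the reply above (ossec-maild exits when mail alerts are enabled with an SMTP server it rejects) written as a script. This is an added example, not part of the original message or of OSSEC; the function names and the sample files are constructed for illustration, while the log format and tag names are the ones shown in the thread.

```shell
#!/bin/bash
# Added example: triage the ossec-maild start failure discussed in this thread.

# Print each distinct ERROR log line as "daemon(code): message" (log on stdin).
ossec_errors() {
  awk '$4 == "ERROR:" {
         msg = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ /, "", msg)
         line = $3 " " msg
         if (!seen[line]++) print line
       }'
}

# Print one <global> setting from ossec.conf. $1 = tag name, $2 = config path.
global_setting() {
  sed -n '/<global>/,/<\/global>/p' "$2" |
    sed -n "s:.*<$1>\(.*\)</$1>.*:\1:p" | head -n 1
}

# Succeed (and explain) only when mail alerts are enabled AND the log shows
# ossec-maild rejecting the SMTP server. $1 = ossec.conf, $2 = ossec.log.
maild_blocks_start() {
  [ "$(global_setting email_notification "$1")" = "yes" ] || return 1
  ossec_errors < "$2" | grep -q '^ossec-maild([0-9]*): Invalid SMTP Server' || return 1
  echo "email_notification=yes, smtp_server '$(global_setting smtp_server "$1")' rejected by ossec-maild"
}

# Constructed sample files (addresses are placeholders), so the demo runs offline.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/ossec.conf" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>smtp.example.com.</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
</ossec_config>
EOF
cat > "$demo/ossec.log" <<'EOF'
2017/04/07 00:59:35 ossec-testrule: INFO: Started (pid: 2303).
2017/04/07 00:59:50 ossec-maild(1501): ERROR: Invalid SMTP Server: smtp.example.com.
2017/04/07 00:59:50 ossec-maild(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2017/04/07 00:59:50 ossec-maild(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
EOF

ossec_errors < "$demo/ossec.log"
maild_blocks_start "$demo/ossec.conf" "$demo/ossec.log" || echo "maild is not the cause"
```

On a real host, run `maild_blocks_start /var/ossec/etc/ossec.conf /var/ossec/logs/ossec.log` as root after sourcing the three functions.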
