Thanks Victor. Feeling a little sheepish right now. I checked just about 
every log except that one... :-)


On Friday, April 7, 2017 at 4:16:27 AM UTC-4, Victor Fernandez wrote:
>
> Hi Felix,
>
> I followed your steps and got the same result. Maybe the OSSEC log could 
> help us:
>
> [root@centos ~]# tail /var/ossec/logs/ossec.log
> 2017/04/07 00:59:35 ossec-testrule: INFO: Reading local decoder file.
> 2017/04/07 00:59:35 ossec-testrule: INFO: Started (pid: 2303).
> 2017/04/07 00:59:50 ossec-maild(1501): ERROR: Invalid SMTP Server: 
> smtp.example.com.
> 2017/04/07 00:59:50 ossec-maild(1202): ERROR: Configuration error at 
> '/var/ossec/etc/ossec.conf'. Exiting.
> 2017/04/07 00:59:50 ossec-maild(1202): ERROR: Configuration error at 
> '/var/ossec/etc/ossec.conf'. Exiting.
>
>
> I think that the problem is that email notifications are enabled but no 
> valid SMTP server is configured, so if you get the same error edit file 
> "/var/ossec/etc/ossec.conf" and try to configure the email settings, or 
> disable email notifications if you won't use them:
>
> <global>
>   <email_notification>no</email_notification>
>   <email_to>danie...@example.com</email_to>
>   <smtp_server>smtp.example.com.</smtp_server>
>   <email_from>oss...@ossec.example.com.</email_from>
> </global>
>
>
> Then try to start OSSEC again:
>
> [root@centos ~]# systemctl start ossec-hids
>
> [root@centos ~]# systemctl status ossec-hids
>
> *●* ossec-hids.service - SYSV: OSSEC-HIDS is an Open Source Host-based 
> Intrusion Detection System.
>
>    Loaded: loaded (/etc/rc.d/init.d/ossec-hids; bad; vendor preset: 
> disabled)
>
>    Active: *active (running)* since Fri 2017-04-07 01:03:08 PDT; 6s ago
>
>      Docs: man:systemd-sysv-generator(8)
>
>   Process: 2386 ExecStart=/etc/rc.d/init.d/ossec-hids start (code=exited, 
> status=0/SUCCESS)
>
>    CGroup: /system.slice/ossec-hids.service
>
>            ├─2414 /var/ossec/bin/ossec-execd
>
>            ├─2418 /var/ossec/bin/ossec-analysisd
>
>            ├─2422 /var/ossec/bin/ossec-logcollector
>
>            ├─2433 /var/ossec/bin/ossec-syscheckd
>
>            └─2437 /var/ossec/bin/ossec-monitord
>
>
> Hope it helps.
>
> Best regards.
>
>
> On Fri, Apr 7, 2017 at 4:12 AM, Felix Martel <martel...@gmail.com> wrote:
>
>> Hello,
>>
>> Not finding any useful information regarding my problems anywhere. I'm 
>> new to OSSEC HIDS. I played around a little bit with an appliance version, 
>> but now want to install it on a DevOps host.
>>
>> I just did a fresh install of OSSEC HIDS from the atomicorp repo. Install 
>> seemed to go normally, although none of the usual installation questions 
>> were asked with respect to the questions asked by /install.sh in the manual 
>> (i.e. installation type, e-mail address, notifications, different engines, 
>> etc.). Haven't found any instructions on how to do those configuration 
>> steps post-install either.
>>
>> Anyways, I installed using the command 
>>
>> yum install ossec-hids ossec-hids-server
>>
>>
>> Everything seemed normal. No error messages during the installation.
>>
>> After the installation, I attempted to start OSSEC-HIDS with the command 
>>
>> /etc/init.d/ossec-hids start
>>
>> At this point I got an error "Command not found".
>>
>> I rebooted the server and was then able to run the command. At this point 
>> I got the following errors:
>>
>> Starting ossec-hids (via systemctl):  Job for ossec-hids.service failed 
>> because the control process exited with error code. See "systemctl 
>> status ossec-hids.service" and "journalctl -xe" for details.
>>                                                            [FAILED]
>>
>>
>> I then ran journalctl -xe and got the following output:
>>
>> -- Unit ossec-hids.service has begun starting up.
>> Apr 06 21:35:48 RHEL7HOST realmd[1698]: quitting realmd service after 
>> timeout
>> Apr 06 21:35:48 RHEL7HOST realmd[1698]: stopping service
>> Apr 06 21:36:01 RHEL7HOST ossec-hids[2382]: Starting ossec-hids: [FAILED]
>> Apr 06 21:36:01 RHEL7HOST systemd[1]: ossec-hids.service: control 
>> process exited, code=exited status=1
>> Apr 06 21:36:01 RHEL7HOST systemd[1]: Failed to start SYSV: OSSEC-HIDS is 
>> an Open Source Host-based Intrusion Detection System..
>> -- Subject: Unit ossec-hids.service has failed
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> -- 
>> -- Unit ossec-hids.service has failed.
>> -- 
>> -- The result is failed.
>> Apr 06 21:36:01 RHEL7HOST systemd[1]: Unit ossec-hids.service entered 
>> failed state.
>> Apr 06 21:36:01 RHEL7HOST systemd[1]: ossec-hids.service failed.
>>
>> I'm stumped. What I find really curious is the fact that realmd seems to 
>> stop (and immediately restarts after the failed start). Any help 
>> appreciated.
>>
>>
>>
>>
>>
>>
>>
>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ossec-list+...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> -- 
> Victor M. Fernandez-Castro
> IT Security Engineer
> Wazuh Inc.
>
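
Added example, not part of the original thread: the journalctl output above only reports "[FAILED]", while the cause is in /var/ossec/logs/ossec.log. This sketch parses lines in the format of the quoted excerpt, rejoins mail-wrapped lines, and groups ERROR messages by daemon; the function names and the embedded sample are constructed for illustration.

```python
import re
import sys

# Constructed sample: the ossec.log excerpt quoted in the thread, with the
# mail client's line wrapping left in place.
SAMPLE_LOG = """\
2017/04/07 00:59:35 ossec-testrule: INFO: Reading local decoder file.
2017/04/07 00:59:35 ossec-testrule: INFO: Started (pid: 2303).
2017/04/07 00:59:50 ossec-maild(1501): ERROR: Invalid SMTP Server:
smtp.example.com.
2017/04/07 00:59:50 ossec-maild(1202): ERROR: Configuration error at
'/var/ossec/etc/ossec.conf'. Exiting.
2017/04/07 00:59:50 ossec-maild(1202): ERROR: Configuration error at
'/var/ossec/etc/ossec.conf'. Exiting.
"""

# timestamp, daemon, optional (message id), level, message
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ([\w-]+)(?:\((\d+)\))?: ([A-Z]+): (.*)$"
)

def parse_records(text):
    """Return [timestamp, daemon, code, level, message] records."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if match:
            records.append(list(match.groups()))
        elif line and records:
            # No timestamp: continuation of a wrapped record.
            records[-1][4] += " " + line
    return records

def failing_daemons(text):
    """Map each daemon to its distinct ERROR messages, first seen first."""
    errors = {}
    for _ts, daemon, code, level, message in parse_records(text):
        if level != "ERROR":
            continue
        entry = f"({code}) {message}" if code else message
        if entry not in errors.setdefault(daemon, []):
            errors[daemon].append(entry)
    return errors

if __name__ == "__main__":
    # Pass /var/ossec/logs/ossec.log as the argument on a real host.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for daemon, messages in failing_daemons(text).items():
        for message in messages:
            print(f"{daemon}: {message}")
```

On the sample, the first message listed for ossec-maild is the invalid SMTP server, ahead of the generic configuration error that follows it.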
