On Mon, Apr 8, 2019 at 1:13 PM Ian Brown <zestys...@gmail.com> wrote:
>
> I'm trying to figure out why ossec is sometimes not emailing triggered 31122 
> alerts.
>
> Here's a log entry in ossec's alerts log file:
>
>> ** Alert 1554150564.41683927: mail  - web,accesslog,system_error,
>> 2019 Apr 01 20:29:24 us-web->/log/jetty/2019_04_01.request.log
>> Rule: 31122 (level 5) -> 'Web server 500 error code (Internal Error).'
>> Src IP: 1.2.3.4
>> 1.2.3.4 username - [01/Apr/2019:20:29:24 +0000] "POST /update.rest HTTP/1.1" 
>> 500 12369  23
>
>
> However, here are two consecutive log entries in ossec.log:
>
>> 2019/04/01 20:03:43 INFO: Connected to 127.0.0.1 at address 127.0.0.1, port 
>> 25
>> 2019/04/01 21:00:06 INFO: Connected to 127.0.0.1 at address 127.0.0.1, port 
>> 25
>
>
> This mirrors the mail log entries (Postfix is running just for ossec):
>
>> Apr  1 20:03:43 us-web postfix/qmgr[4488]: 4438D801A5: removed
>> Apr  1 21:00:06 us-web postfix/smtpd[127085]: connect from 
>> localhost[127.0.0.1]
>
>
> I double checked and the details for rule 31122 look correct:
>
>>   <rule id="31122" level="5">
>>     <if_sid>31120</if_sid>
>>     <id>^500</id>
>>     <options>alert_by_email</options>
>>     <description>Web server 500 error code (Internal Error).</description>
>>     <group>system_error,</group>
>>   </rule>
>
>
> Any idea what could be going on here?  I see a <defunct> for the ossec-maild 
> child process:
>
>> ossecm     4957  0.0  0.0  16552  2156 ?        S    Apr06   0:04 
>> /var/ossec/bin/ossec-maild
>> ossec      4965  0.2  0.0  23176  3552 ?        S    Apr06   7:42 
>> /var/ossec/bin/ossec-analysisd
>> root       4969  0.0  0.0   6652   584 ?        S    Apr06   2:25 
>> /var/ossec/bin/ossec-logcollector
>> root       4981  0.0  0.0   7708  1924 ?        S    Apr06   1:29 
>> /var/ossec/bin/ossec-syscheckd
>> ossec      4986  0.0  0.0  15164   692 ?        S    Apr06   0:00 
>> /var/ossec/bin/ossec-monitord
>> ossecm    72611  0.0  0.0      0     0 ?        Z    17:02   0:00 
>> [ossec-maild] <defunct>
>
>
> but from what I can tell when I've run ossec-maild -ddd -f, showing defunct 
> on the child process is normal -- it will eventually end and a new one will 
> be created the next time an alert needs to be delivered.  Communication to 
> postfix seems to be working fine.  There are no errors in either the mail log 
> or ossec's logs.
>

Usually when I see this, the ossec-maild process crashed in
OS_Sendmail(), but I've been tearing all of that apart lately.

> Version info:
>>
>> dpkg -s ossec
>> dpkg-query: package 'ossec' is not installed and no information is available
>> Use dpkg --info (= dpkg-deb --info) to examine archive files,
>> and dpkg --contents (= dpkg-deb --contents) to list their contents.
>> root@us-web:/var/ossec/bin# dpkg -s ossec-hids-server
>> Package: ossec-hids-server
>> Status: hold ok installed
>> Priority: extra
>> Section: admin
>> Installed-Size: 4516
>> Maintainer: Atomicorp <supp...@atomicorp.com>
>> Architecture: amd64
>> Version: 2.9.4-5177trusty

So old

>> Depends: libc6 (>= 2.15), libgeoip1, libmysqlclient18 (>= 5.5.24+dfsg-1), 
>> libssl1.0.0 (>= 1.0.1), expect, debconf
>> Conflicts: ossec-hids-agent
>> Conffiles:
>>  /var/ossec/etc/ossec.conf 45e1b4a4e4c9b62fdf4c8788e2579984
>> Description: OSSEC Server - Host Based Intrusion Detection System
>>  OSSEC HIDS for log analysis, integrity checking, rootkits detection and
>>  active response. This package includes the server
>> Homepage: http://www.ossec.net
>>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

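As an added diagnostic (not code from this thread or from OSSEC itself), the script below correlates the "mail" flag on alerts.log headers with ossec-maild's "Connected to ... port 25" lines in ossec.log and lists alerts that were marked for email but not followed by an SMTP connection. The sample logs are constructed from the excerpts above; the server is assumed to log in UTC (as the "+0000" in the access-log line suggests) and the 300-second window is an assumption about how long maild takes to batch and send.

```python
import re
from datetime import datetime, timezone
# Constructed sample input modelled on the excerpts in the thread (not real logs); UTC assumed.
ALERTS_LOG = """\
** Alert 1554149000.41683000: - web,accesslog,
2019 Apr 01 20:03:20 us-web->/log/jetty/2019_04_01.request.log
Rule: 99999 (level 5) -> 'Constructed alert without alert_by_email.'
** Alert 1554149010.41683001: mail  - web,accesslog,system_error,
2019 Apr 01 20:03:30 us-web->/log/jetty/2019_04_01.request.log
Rule: 31122 (level 5) -> 'Web server 500 error code (Internal Error).'
** Alert 1554150564.41683927: mail  - web,accesslog,system_error,
2019 Apr 01 20:29:24 us-web->/log/jetty/2019_04_01.request.log
Rule: 31122 (level 5) -> 'Web server 500 error code (Internal Error).'
"""
OSSEC_LOG = """\
2019/04/01 20:03:43 INFO: Connected to 127.0.0.1 at address 127.0.0.1, port 25
2019/04/01 21:00:06 INFO: Connected to 127.0.0.1 at address 127.0.0.1, port 25
"""
# "mail" between the alert id and the group list marks an alert_by_email alert.
ALERT_RE = re.compile(r"^\*\* Alert (\d+)\.\d+:\s*(mail)?\s*-")
RULE_RE = re.compile(r"^Rule: (\d+) \(level \d+\)")
SMTP_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) INFO: Connected to .* port 25$")

def parse_alerts(text):
    """Return {'epoch', 'mail', 'rule'} for each alert block in alerts.log text."""
    alerts, current = [], None
    for line in text.splitlines():
        if m := ALERT_RE.match(line):
            current = {"epoch": int(m.group(1)), "mail": m.group(2) == "mail", "rule": None}
            alerts.append(current)
        elif (m := RULE_RE.match(line)) and current is not None:
            current["rule"] = int(m.group(1))
    return alerts

def smtp_connect_times(text):
    """Epoch seconds of every ossec-maild 'Connected to ... port 25' line in ossec.log."""
    times = []
    for line in text.splitlines():
        if m := SMTP_RE.match(line):
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            times.append(int(stamp.replace(tzinfo=timezone.utc).timestamp()))
    return times

def unmailed_alerts(alerts_text, ossec_log_text, window=300):
    """(epoch, rule) of mail-flagged alerts with no SMTP connection within `window` seconds after."""
    connects = smtp_connect_times(ossec_log_text)
    return [(a["epoch"], a["rule"]) for a in parse_alerts(alerts_text)
            if a["mail"] and not any(a["epoch"] <= t <= a["epoch"] + window for t in connects)]
```

Run it against the real files with the window widened to the delivery delay you normally observe; a non-empty result points at ossec-maild rather than at the rule definition.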