Hi.
I'm new to OSSEC, and I'm having trouble getting emails from it.
If someone here can help me with that, I'd appreciate it a lot.
My OS is the latest stable Kubuntu, with iRedMail (which includes Postfix)
for email support.
Here are some of the relevant logs, and the rules are added as an attachment
to this mail.
root@parakeet:/var/ossec# systemctl status ossec.service
● ossec.service - LSB: Start and stop OSSEC HIDS
Loaded: loaded (/etc/init.d/ossec; generated)
Active: active (exited) since Fri 2021-10-01 20:29:48 CEST; 5h 58min ago
Docs: man:systemd-sysv-generator(8)
Process: 51972 ExecStart=/etc/init.d/ossec start (code=exited, status=0/SUCCESS)
okt 01 20:29:45 parakeet ossec[51973]: Starting OSSEC HIDS v3.6.0...
okt 01 20:29:45 parakeet ossec[51973]: Started ossec-maild...
okt 01 20:29:45 parakeet ossec[51973]: Started ossec-execd...
okt 01 20:29:45 parakeet ossec[51973]: Started ossec-analysisd...
okt 01 20:29:45 parakeet ossec[51973]: Started ossec-logcollector...
okt 01 20:29:45 parakeet ossec[51973]: Started ossec-remoted...
okt 01 20:29:46 parakeet ossec[51973]: Started ossec-syscheckd...
okt 01 20:29:46 parakeet ossec[51973]: Started ossec-monitord...
okt 01 20:29:48 parakeet ossec[51973]: Completed.
okt 01 20:29:48 parakeet systemd[1]: Started LSB: Start and stop OSSEC HIDS.
root@parakeet:/var/ossec# telnet localhost 25
Trying 127.0.0.1...
Connected to smtp.example.com.
Escape character is '^]'.
220 smtp.example.com ESMTP Postfix
^C^]
telnet> quit
Connection closed.
root@parakeet:/var/ossec# /var/ossec/bin/agent_control -r -a
2021/10/02 02:48:33 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2021/10/02 02:48:33 agent_control(1301): ERROR: Unable to connect to active response queue.
** Unable to connect to remoted.
root@parakeet:/var/ossec# vi /etc/postfix/main.cf
root@parakeet:/var/ossec# tail /var/log/postfix.log
Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1dLmzbbcN: from=<r...@smtp.example.com>, size=2007, nrcpt=1 (queue active)
Oct 02 02:02:04 smtp postfix/local[87369]: 4HLnGN1LQ3zbbcs: to=<r...@smtp.example.com>, relay=local, delay=0.06, delays=0.03/0.01/0/0.02, dsn=2.0.0, status=sent (forwarded as 4HLnGN1dLmzbbcN)
Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1LQ3zbbcs: removed
Oct 02 02:02:04 smtp postfix/pipe[87372]: 4HLnGN1brDzbbbZ: to=<postmas...@example.com>, orig_to=<r...@smtp.example.com>, relay=dovecot, delay=0.14, delays=0.01/0.01/0/0.13, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1brDzbbbZ: removed
Oct 02 02:02:04 smtp postfix/pipe[87373]: 4HLnGN1dLmzbbcN: to=<postmas...@example.com>, orig_to=<r...@smtp.example.com>, relay=dovecot, delay=0.17, delays=0.01/0.01/0/0.15, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1dLmzbbcN: removed
Oct 02 02:34:00 smtp postfix/smtpd[90923]: connect from smtp.example.com[127.0.0.1]
Oct 02 02:34:09 smtp postfix/smtpd[90923]: lost connection after CONNECT from smtp.example.com[127.0.0.1]
Oct 02 02:34:09 smtp postfix/smtpd[90923]: disconnect from smtp.example.com[127.0.0.1] commands=0/0
root@parakeet:/var/ossec# tail logs/ossec.log
2021/10/01 20:33:13 ossec-monitord(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-logcollector(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-remoted(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-syscheckd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-analysisd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-maild(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2021/10/01 20:33:13 ossec-execd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/02 02:48:33 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2021/10/02 02:48:33 agent_control(1301): ERROR: Unable to connect to active response queue.
root@parakeet:/var/ossec# cat /etc/ossec-init.conf | grep VERSION
VERSION="v3.6.0"
root@parakeet:/var/ossec/rules# ufw status
Status: inactive
If you need more information to help get this fixed, I'm most willing to
provide it.
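The postfix log in the post shows mail addressed to the local root account being forwarded on to postmaster, so the first thing to establish is where an alert mail actually ends up after aliasing. The following is an added example, not code from the poster or the OSSEC project: it parses postfix delivery lines of the format shown above and follows "forwarded as" hops to the final recipient; the log lines in it are constructed with made-up addresses and queue ids.

```python
import re
# Constructed sample lines modelled on the postfix log in the post above;
# addresses and queue ids are made up, not the poster's real values.
SAMPLE_LOG = """\
Oct 02 02:02:04 smtp postfix/qmgr[40221]: AAAA1111: from=<ossec@smtp.example.com>, size=2007, nrcpt=1 (queue active)
Oct 02 02:02:04 smtp postfix/local[87369]: AAAA1111: to=<root@smtp.example.com>, relay=local, delay=0.06, delays=0.03/0.01/0/0.02, dsn=2.0.0, status=sent (forwarded as BBBB2222)
Oct 02 02:02:04 smtp postfix/pipe[87373]: BBBB2222: to=<postmaster@example.com>, orig_to=<root@smtp.example.com>, relay=dovecot, delay=0.17, delays=0.01/0.01/0/0.15, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 02 02:02:04 smtp postfix/qmgr[40221]: BBBB2222: removed
Oct 02 02:10:30 smtp postfix/smtp[91000]: CCCC3333: to=<admin@example.net>, relay=none, delay=0.5, delays=0.5/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found)
"""

# One delivery attempt: "<qid>: to=<addr>[, orig_to=<addr>], relay=..., status=<word> (<detail>)"
DELIVERY_RE = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<to>[^>]*)>"
    r"(?:, orig_to=<(?P<orig_to>[^>]*)>)?.*?relay=(?P<relay>[^,]+)"
    r".*?status=(?P<status>\w+)(?: \((?P<detail>.*)\))?"
)
FORWARD_RE = re.compile(r"forwarded as (?P<next>[0-9A-Za-z]+)")

def parse_delivery(line):
    """Fields of one delivery-attempt log line, or None for other postfix lines."""
    m = DELIVERY_RE.search(line)
    if not m:
        return None
    rec = {k: (v or "") for k, v in m.groupdict().items()}
    fwd = FORWARD_RE.search(rec["detail"])
    rec["forwarded_to"] = fwd.group("next") if fwd else ""
    return rec

def trace_final_delivery(lines):
    """Map each originally submitted queue id to where the mail finally went, following
    'forwarded as <qid>' hops (aliases, .forward). Assumes one recipient per queue id."""
    by_qid = {}
    for line in lines:
        rec = parse_delivery(line)
        if rec:
            by_qid[rec["qid"]] = rec
    hops_only = {r["forwarded_to"] for r in by_qid.values() if r["forwarded_to"]}
    result = {}
    for qid, rec in by_qid.items():
        if qid in hops_only:
            continue  # intermediate hop, reported under its origin instead
        cur, seen = rec, {qid}
        while cur["forwarded_to"] in by_qid and cur["forwarded_to"] not in seen:
            cur = by_qid[cur["forwarded_to"]]
            seen.add(cur["qid"])
        result[qid] = {"requested_to": rec["to"], "final_to": cur["to"],
                       "relay": cur["relay"], "status": cur["status"], "hops": len(seen)}
    return result
```

Run it over `tail /var/log/postfix.log` (or the mail log iRedMail configures) after restarting ossec-maild: a `final_to` that is not the address in `<email_to>`, or a `status` of bounced or deferred, tells you whether the problem is in OSSEC or in the mail system.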