Yes, ossec requires an smtp daemon listening somewhere (either at localhost or external system). Since you need authenticated smtp (which we don't support yet), I would recommend using an active response module instead. Take a look at this page in our wiki:

http://www.ossec.net/wiki/index.php/Know_How:CustomActiveResponses

It explains how to create custom active responses and in the example we use the local mail command...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Sep 24, 2008 at 3:44 PM, cryogen <[EMAIL PROTECTED]> wrote:
>
> No go. Here's what I have in the e-mail config:
>
> <global>
> <email_notification>yes</email_notification>
> <email_to>[EMAIL PROTECTED]</email_to>
> <smtp_server>127.0.0.1</smtp_server>
> <email_from>[EMAIL PROTECTED]</email_from>
> </global>
>
> and here's what the logs say:
> 2008/09/24 09:34:59 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
>
> Do you have an smtp daemon listening on localhost? I just have a
> lightweight MTA to get mail off the system (ssmtp to be specific,
> nobody uses mail functionality besides root).
>
> On Sep 24, 2008, at 7:36 AM, MdMonk wrote:
>
>>
>> I have localhost set for my smtp server in ossec, and it uses the
>> local smtp server to send alerts.
>>
>> <ossec_config>
>> <global>
>> ......
>> <smtp_server>127.0.0.1</smtp_server>
>> .....
>> </global>
>> ....
>> </ossec_config>
>>
>> -Chuck (MdMonk)
>>
>> On Tue, Sep 23, 2008 at 10:57 PM, cryogen <[EMAIL PROTECTED]>
>> wrote:
>>>
>>> Greetings,
>>>
>>> I have a couple questions regarding the ossec-maild program. My
>>> university recently changed its policy regarding outgoing mail and
>>> we're no longer able to send unauthenticated mail, even internally.
>>> This broke the very useful e-mail alerts function in ossec on our
>>> site. What I was wondering is if someone could give me some ideas
>>> for how to unbreak it?
>>>
>>> There are several other unrelated services in use here that rely on
>>> the same mail functionality just mentioned, and I've worked around
>>> those by modifying the local sendmail. However, according to the
>>> wiki, ossec never touches the local sendmail. Is there a way to get
>>> ossec to use the system's sendmail?
>>>
>>> If not, is there a way to use ossec with an authenticated mail
>>> service? I've tried sending e-mail alerts out to a gmail account as
>>> suggested in the wiki, but it didn't work and I really don't like
>>> doing that anyway. Using a gmail account for ossec, while not
>>> strictly against our security policy, is not exactly encouraged.
>>>
>>> I've considered setting up an industrial strength MTA like exim or
>>> postfix to relay mail off the local machine, but that is serious
>>> overkill for us since ossec would pretty much be the only thing using
>>> it. I've also looked at smaller MTAs but none of them seem capable
>>> of communicating with ossec, i.e. they can't daemonize like ossec
>>> seems to need.
>>>
>>> Does anyone have some suggestions?
>>>
>>> --cryogen
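An added sketch of the approach suggested in the reply above (not code from the thread or from the OSSEC wiki): an active-response script that pulls one alert out of the alerts log and hands it to the local mail command, so delivery goes through whatever the system's MTA is configured to do. The argument order, the `** Alert <id>:` header layout, the placeholder log path and the names `ALERTS_LOG`, `MAILTO`, `MAILER` and all functions are assumptions; the sample alerts are constructed.

```shell
#!/bin/sh
# Added example: OSSEC active-response script that mails one alert through
# the local mail command. Paths, recipient and argument order are assumptions.
ALERTS_LOG="${ALERTS_LOG:-/path/to/ossec/logs/alerts/alerts.log}"  # placeholder
MAILTO="${MAILTO:-root}"      # local recipient (assumption)
MAILER="${MAILER:-mail}"      # any mailx-style command that reads stdin

# Alert ids look like "<epoch>.<offset>". They arrive as an argument, so
# accept only digits with exactly one dot before using them in a match.
valid_alert_id() {
    case "$1" in
        *[!0-9.]* | *.*.* | .* | *. | '') return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the alert whose header starts with "** Alert <id>:" up to the blank
# line that ends it. $1 = alert id, $2 = alerts.log path.
extract_alert() {
    valid_alert_id "$1" || return 1
    awk -v hdr="** Alert $1:" '
        index($0, hdr) == 1 { on = 1 }
        on && /^$/ { exit }
        on { print }
    ' "$2"
}

# Mail the alert body; the subject carries only the validated id, never
# attacker-influenced fields such as user or source IP.
send_alert() {
    body=$(extract_alert "$1" "$2") || return 1
    [ -n "$body" ] || return 1
    printf '%s\n' "$body" | "$MAILER" -s "OSSEC Alert $1" "$3"
}

# Constructed sample of two alerts.log entries, for trying the functions.
sample_log() {
    printf '%s\n' '** Alert 1222263299.1234: mail - syslog,sshd,' \
        '2008 Sep 24 09:34:59 host->/var/log/auth.log' \
        'Rule: 100001 (level 5) -> "Constructed sample rule"' \
        'Sep 24 09:34:59 host sshd[99]: Failed password for root' '' \
        '** Alert 1222263300.1580: - syslog,' \
        'Rule: 100002 (level 2) -> "Constructed sample rule"' ''
}

# Assumed argument order: action, user, source IP, alert id, rule id.
if [ "$#" -ge 5 ] && [ "$1" = "add" ]; then
    send_alert "$4" "$ALERTS_LOG" "$MAILTO"
fi
```

The script would be registered as a `<command>` and bound to rules with an `<active-response>` block as the wiki page describes.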
