That's a very good idea, and it's much cleaner than what I'd been trying to do. Thanks! I'll tackle that in the morning.

On Sep 25, 2008, at 11:19 AM, Daniel Cid wrote:

>
> Yes, ossec requires a smtp daemon listening somewhere (either at
> localhost or external system). Since you need authenticated smtp
> (which we don't support yet), I would recommend using an active
> response module instead. Take a look at this page in our wiki:
>
> http://www.ossec.net/wiki/index.php/Know_How:CustomActiveResponses
>
> It explains how to create custom active responses and on the example
> we use the local mail command...
>
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On Wed, Sep 24, 2008 at 3:44 PM, cryogen <[EMAIL PROTECTED]> wrote:
>>
>> No go. Here's what I have in the e-mail config:
>>
>> <global>
>>   <email_notification>yes</email_notification>
>>   <email_to>[EMAIL PROTECTED]</email_to>
>>   <smtp_server>127.0.0.1</smtp_server>
>>   <email_from>[EMAIL PROTECTED]</email_from>
>> </global>
>>
>> and here's what the logs say:
>> 2008/09/24 09:34:59 ossec-maild(1223): ERROR: Error Sending email to
>> 127.0.0.1 (smtp server)
>>
>> Do you have an smtp daemon listening on localhost? I just have a
>> lightweight MTA to get mail off the system (ssmtp to be specific,
>> nobody uses mail functionality besides root).
>>
>> On Sep 24, 2008, at 7:36 AM, MdMonk wrote:
>>
>>>
>>> I have localhost set for my smtp server in ossec, and it uses the
>>> local smtp server to send alerts.
>>>
>>> <ossec_config>
>>>   <global>
>>>     ......
>>>     <smtp_server>127.0.0.1</smtp_server>
>>>     .....
>>>   </global>
>>>   ....
>>> </ossec_config>
>>>
>>> -Chuck (MdMonk)
>>>
>>> On Tue, Sep 23, 2008 at 10:57 PM, cryogen <[EMAIL PROTECTED]> wrote:
>>>>
>>>> Greetings,
>>>>
>>>> I have a couple questions regarding the ossec-maild program. My
>>>> university recently changed its policy regarding outgoing mail and
>>>> we're no longer able to send unauthenticated mail, even internally.
>>>> This broke the very useful e-mail alerts function in ossec on our
>>>> site. What I was wondering is if someone could give me some ideas
>>>> for how to unbreak it?
>>>>
>>>> There are several other unrelated services in use here that rely on
>>>> the same mail functionality just mentioned, and I've worked around
>>>> those by modifying the local sendmail. However, according to the
>>>> wiki, ossec never touches the local sendmail. Is there a way to get
>>>> ossec to use the system's sendmail?
>>>>
>>>> If not, is there a way to use ossec with an authenticated mail
>>>> service? I've tried sending e-mail alerts out to a gmail account as
>>>> suggested in the wiki, but it didn't work and I really don't like
>>>> doing that anyway. Using a gmail account for ossec, while not
>>>> strictly against our security policy, is not exactly encouraged.
>>>>
>>>> I've considered setting up an industrial strength MTA like exim or
>>>> postfix to relay mail off the local machine, but that is serious
>>>> overkill for us since ossec would pretty much be the only thing
>>>> using it. I've also looked at smaller MTA's but none of them seem
>>>> capable of communicating with ossec, i.e. they can't daemonize like
>>>> ossec seems to need.
>>>>
>>>> Does anyone have some suggestions?
>>>>
>>>> --cryogen
>>>>
>>
>>
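
The active-response approach suggested in the thread, written as a script that mails one alert through the local sendmail-compatible binary (ssmtp on the system described above). This is an added example, not part of the thread or the wiki page it links to; the argument order, the log path, the alert-block layout and the `sendmail -t` invocation are assumptions about a default OSSEC and ssmtp install.

```shell
#!/bin/sh
# Added example, not from the thread or the OSSEC wiki.
# Assumed: OSSEC calls the script as <action> <user> <srcip> <alert-id> <rule-id>,
# and alerts.log blocks start with "** Alert <id>:" and end at a blank line.

ALERT_LOG="${ALERT_LOG:-/var/ossec/logs/alerts/alerts.log}"  # assumed default install path
MAIL_TO="${MAIL_TO:-root}"                                    # placeholder recipient
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"                    # assumed path of the ssmtp-provided binary

# srcip and the other arguments are derived from log data an outsider can
# influence, so keep a conservative character set; CR/LF must never reach a header.
clean() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._:@-'
}

# Print the alert block whose first line carries exactly this alert id.
alert_block() {
    awk -v id="$(clean "$1")" '
        index($0, "** Alert " id ":") == 1 { show = 1 }
        show && /^$/ { exit }
        show { print }
    ' "$ALERT_LOG"
}

# Write a complete message (headers, blank line, body) to stdout.
build_mail() {
    action=$(clean "$1"); srcip=$(clean "$3"); ruleid=$(clean "$5")
    printf 'To: %s\n' "$MAIL_TO"
    printf 'Subject: OSSEC alert rule %s from %s\n\n' "${ruleid:--}" "${srcip:--}"
    printf 'Action: %s\n\n' "$action"
    alert_block "$4"
}

# OSSEC passes "add" when the response fires; hand the message to the local MTA.
if [ "${1:-}" = "add" ]; then
    build_mail "$@" | "$SENDMAIL" -t
fi
```

The script still has to be registered with a `<command>` and an `<active-response>` entry in ossec.conf, which is what the wiki page linked in the thread covers. Authentication to the upstream relay stays in the local MTA's configuration, so no credentials live in the OSSEC config.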
