On Sun, Mar 20, 2016 at 11:33 AM, sandeep dubey <sandeep.san...@gmail.com> wrote:
> Hi,
>
> I don't see any error in mail.log, Yes sendmail service is running on
> localhost to relay mails. Below is the mail log.
>
> Mar 13 07:10:19 ossec sm-mta[26311]: u2D7AIrJ026309:
> to=<ops.inter...@domain.com>, ctladdr=<oss...@ossec.domain.com> (1002/1001),
> delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=120600,
> relay=aspmx.l.google.com. [173.194.205.27], dsn=2.0.0, stat=Sent (OK
> 1457852802 y20si16203940qka.117 - gsmtp)
> Mar 13 07:10:34 ossec sm-mta[26323]: u2D7AYkx026323: localhost [127.0.0.1]
> did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
> Mar 13 07:10:49 ossec sm-mta[26377]: u2D7AnAU026377:
> from=<oss...@ossec.domain.com>, size=4425, class=0, nrcpts=1,
> msgid=<201603130710.u2d7anau026...@ossec.domain.com>, proto=SMTP,
> daemon=MTA-v4, relay=localhost [127.0.0.1]
> Mar 13 07:10:49 ossec sm-mta[26379]: STARTTLS=client,
> relay=aspmx.l.google.com., version=TLSv1/SSLv3, verify=FAIL,
> cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
>
> There is nothing in mailq or any mail related info in mail log. As stated
> earlier in this thread, that above mail log tries to send mail to a group
> but not landing in inbox. However when I changed the mail address to my own
> email (individual email id), it works but that too is landing in SPAM
> folder.
>

Ok, so it works when you use an individual email address, but not when
you use a group? Which system handles the group email address? Can you
check the logs there?

> One more observation is that, even though email alerts is configured for
> level 8, I am still getting alerts for level 2,3,4 etc.
>

That's very strange. I trust you've verified that the rules of level < 8
that trigger email alerts don't have
"<options>alert_by_email</options>" set.
Which rules with level < 8 are triggering emails?

> On Sun, Mar 20, 2016 at 6:38 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>>
>> On Mar 18, 2016 9:33 PM, "sandeep dubey" <sandeep.san...@gmail.com> wrote:
>> >
>> > Yes, it attempts but emails are not landing in inbox.
>> >
>>
>> Is ossec-maild sending to a local (to the server) mailbox? If so, check
>> the maillog. If not, use tcpdump to see why it is failing.
>>
>> > On Fri, Mar 18, 2016 at 8:13 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> >>
>> >> On Fri, Mar 18, 2016 at 10:40 AM, sandeep dubey
>> >> <sandeep.san...@gmail.com> wrote:
>> >> > Hi,
>> >> >
>> >> > I am running OSSEC version 2.8.3-3trusty on 100+ nodes on AWS EC2.
>> >> > Recently I noticed that alerts are not being sent from ossec, not
>> >> > even single. It was working fine couple of days earlier. While
>> >> > digging into this I observed that it is not working for an email
>> >> > group but working for individual email ids.
>> >> >
>> >> > Can someone help to identify the issue and fix it. The same setup
>> >> > with same email group is working at another system. The only
>> >> > difference between these two setups are that one has 100+ server
>> >> > where it has stopped working and another has 15-20 nodes where it
>> >> > is working.
>> >> >
>> >> > I tried by restarting ossec services, ossec-maild is working, local
>> >> > sendmail service is also working, test emails are going fine.
>> >> >
>> >>
>> >> Does ossec-maild attempt to send anything?
>> >>
>> >> >
>> >> > Current configuration is -
>> >> >
>> >> > <global>
>> >> >   <email_notification>yes</email_notification>
>> >> >   <email_to>x...@domain.com</email_to>
>> >> >   <email_to>a...@domain.com</email_to>
>> >> >   <email_to>1...@domain.com</email_to>
>> >> >   <smtp_server>localhost</smtp_server>
>> >> >   <email_from>oss...@ossec.domain.com</email_from>
>> >> > </global>
>> >> > -
>> >> > -
>> >> > -
>> >> > -
>> >> > <alerts>
>> >> >   <log_alert_level>1</log_alert_level>
>> >> >   <email_alert_level>8</email_alert_level>
>> >> > </alerts>
>> >> >
>> >> > <email_alerts>
>> >> >   <email_to>cloud-t...@domain.com</email_to>
>> >> >   <level>8</level>
>> >> >   <do_not_delay />
>> >> > </email_alerts>
>> >> >
>> >> > --
>> >> > Regards,
>> >> > Sandeep
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send an email to ossec-list+unsubscr...@googlegroups.com.
>> >> > For more options, visit https://groups.google.com/d/optout.
>> >
>> > --
>> > Regards,
>> > Sandeep
>
> --
> Regards,
> Sandeep
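
The check asked for in the reply above (rules below the email threshold that carry `<options>alert_by_email</options>`), as an added example that is not part of the original thread or of OSSEC itself. The function names, the rule ids 100001 to 100003 and their patterns are constructed for illustration; only the threshold of 8 comes from the quoted configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: threshold as quoted in the thread, rule ids invented.
SAMPLE_CONF = """
<ossec_config>
  <alerts>
    <email_alert_level>8</email_alert_level>
  </alerts>
</ossec_config>
"""

SAMPLE_RULES = """
<group name="local,syslog,">
  <rule id="100001" level="2">
    <match>constructed pattern one</match>
    <options>alert_by_email</options>
  </rule>
  <rule id="100002" level="3">
    <match>constructed pattern two</match>
  </rule>
</group>
<group name="local,web,">
  <rule id="100003" level="10">
    <match>constructed pattern three</match>
    <options>alert_by_email</options>
  </rule>
</group>
"""

def parse_fragments(text):
    # Rule files hold several top-level <group> elements, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def email_alert_level(conf_text):
    node = parse_fragments(conf_text).find(".//alerts/email_alert_level")
    if node is None or not (node.text or "").strip():
        raise ValueError("email_alert_level is not set in this config")
    return int(node.text)

def forced_email_rules(rules_text, threshold):
    """Return (rule id, level) for rules below threshold that set alert_by_email."""
    hits = []
    for rule in parse_fragments(rules_text).iter("rule"):
        level = int(rule.get("level", "0"))
        options = {o.text.strip() for o in rule.findall("options") if o.text}
        if level < threshold and "alert_by_email" in options:
            hits.append((rule.get("id"), level))
    return hits

print(forced_email_rules(SAMPLE_RULES, email_alert_level(SAMPLE_CONF)))
```

Run against the real rule files and local overrides, every id it returns is a rule that mails regardless of `email_alert_level`.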