On Tue, Sep 11, 2018 at 12:20 PM Monah Baki <[email protected]> wrote:
>
> Hi all,
>
> I just installed ossec 3.0.0 on Redhat 6. My ossec.conf has the following entry
>
> <ossec_config>
> <global>
> <email_notification>yes</email_notification>
> <email_to>support@xxxxx</email_to>
> <smtp_server>xxxxxxx</smtp_server>
> <email_from>ossecm@xxxxx</email_from>
> </global>
>

Does your SMTP server require authentication? Are there any `ossec-maild` entries in the ossec.log? Can you look at the maillog on your SMTP server?

> and
>
> <directories realtime="yes" report_changes="yes" check_all="yes">/opt/modx</directories>
>
> Besides this, nothing has changed, went with the default since my main concerns are /var/log/nginx/access.log and /opt/modx
>
> In my ossec.log I see the following:
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha1sum.
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum.
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum.
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: Monitoring directory: '/opt/modx', with options perm | size | owner | group | md5sum | sha1sum | realtime | report_changes.
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/mnttab'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/utmpx'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/wtmpx'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/cups/certs'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/dumpdates'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/svc/volatile'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/var/ossec'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/usr/bin'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/usr/sbin'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/bin'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/sbin'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/boot'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/opt/modx/core/cache/logs'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/opt/modx/downloads'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/System32/LogFiles'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/Debug'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/WindowsUpdate.log'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/iis6.log'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/wbem/Logs'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/wbem/Repository'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/Prefetch'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/SoftwareDistribution'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/Temp'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/config'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/spool'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/CatRoot'
> 2018/09/11 10:58:56 ossec-syscheckd: INFO: Directory set for real time monitoring: '/opt/modx'.
> 2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/nginx/access.log'.
> 2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/nginx/error.log'.
> 2018/09/11 10:58:57 ossec-logcollector: INFO: Monitoring output of command(360): df -P
> 2018/09/11 10:58:57 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| ::1)' | sort
> 2018/09/11 10:58:57 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
> 2018/09/11 10:58:57 ossec-logcollector: INFO: Started (pid: 5025).
> 2018/09/11 10:59:16 INFO: Connected to xxxxxxx at address 10.124.229.22, port 25
> 2018/09/11 10:59:58 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2018/09/11 10:59:58 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2018/09/11 11:04:31 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> 2018/09/11 11:32:10 ossec-syscheckd: INFO: Real time file monitoring started.
> 2018/09/11 11:32:10 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2018/09/11 11:32:22 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> 2018/09/11 11:32:42 rootcheck: INFO: Starting rootcheck scan.
> 2018/09/11 11:44:56 rootcheck: INFO: Ending rootcheck scan.
>
> In my alert.log file
>
> ** Alert 1536679973.596: - ossec,rootcheck,
> 2018 Sep 11 11:32:53 switchover->rootcheck
> Rule: 516 (level 3) -> 'System Audit event.'
> System Audit: PHP - Expose PHP is enabled. File: /etc/php.ini.
>
> ** Alert 1536679973.792: - ossec,rootcheck,
> 2018 Sep 11 11:32:53 switchover->rootcheck
> Rule: 516 (level 3) -> 'System Audit event.'
> System Audit: PHP - Allow URL fopen is enabled. File: /etc/php.ini.
>
> ** Alert 1536680164.993: - web,accesslog,
> 2018 Sep 11 11:36:04 switchover->/var/log/nginx/access.log
> Rule: 31101 (level 5) -> 'Web server 400 error code.'
> Src IP: 58.218.66.227
> 58.218.66.227 - - [11/Sep/2018:11:36:03 -0400] "PUT /txtpd35313.txt HTTP/1.1" 403 162 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
>
> ** Alert 1536680164.1325: - apache,
> 2018 Sep 11 11:36:04 switchover->/var/log/nginx/error.log
> Rule: 31301 (level 3) -> 'Nginx error message.'
> Src IP: 58.218.66.227
> 2018/09/11 11:36:03 [error] 2668#0: *389736 NAXSI_FMT: ip=58.218.66.227&server=www.frgt.com&uri=/txtpd35313.txt&learning=0&vers=0.56&total_processed=3438&total_blocked=120&block=1&zone0=BODY&id0=11&var_name0=, client: 58.218.66.227, server: www.frgt.com, request: "PUT /txtpd35313.txt HTTP/1.1", host: "www.frgt.com"
>
> ** Alert 1536681139.2657: - apache,
> 2018 Sep 11 11:52:19 switchover->/var/log/nginx/error.log
> Rule: 31301 (level 3) -> 'Nginx error message.'
> Src IP: 54.153.176.224
> 2018/09/11 11:52:17 [error] 2665#0: *390291 NAXSI_FMT: ip=54.153.176.224&server=www.frgt.com&uri=/installer-backup.php&learning=0&vers=0.56&total_processed=8733&total_blocked=351&block=1&zone0=BODY&id0=16&var_name0=, client: 54.153.176.224, server: www.frgt.com, request: "POST /installer-backup.php HTTP/1.1", host: "www.frgt.com", referrer: "www.frgt.com/wp-admin/admin-ajax.php"
>
> ** Alert 1536681796.4185: - apache,
> 2018 Sep 11 12:03:16 switchover->/var/log/nginx/error.log
> Rule: 31301 (level 3) -> 'Nginx error message.'
> Src IP: 18.184.209.31
> 2018/09/11 12:03:15 [error] 2662#0: *390610 NAXSI_FMT: ip=18.184.209.31&server=www.frgt.com&uri=/rss/RSSCategoryItemList.aspx&learning=0&vers=0.56&total_processed=4340&total_blocked=179&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1015&var_name0=catname, client: 18.184.209.31, server: www.frgt.com, request: "GET /rss/RSSCategoryItemList.aspx?CATCDCode=76&CATName=Navigation,%20Guidance,%20&%20Control HTTP/1.1", host: "www.frgt.com"
>
> I do not see any email alerts come in, even after I touched a file in /opt/modx
>
> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
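A small triage script for the checks raised in the reply, added here as an example; it is not code from OSSEC or from anyone in this thread. It reads the three files involved (ossec.conf, ossec.log and alerts.log) and reports whether mail notification is enabled, what ossec-maild logged, whether the "Connected to ... port 25" line appeared, and whether any alert reached the level at which OSSEC mails alerts. The config, log and alert excerpts it runs on are constructed samples shaped like the ones quoted above, with placeholder hosts; the ossec-maild ERROR line is invented for the sample. It assumes OSSEC's default email_alert_level of 7 when that tag is absent from ossec.conf.

```shell
#!/bin/sh
# Added example for this thread, not code from OSSEC or the poster.
# Triage why ossec-maild sent nothing: (1) is mail enabled in the config,
# (2) what did maild log and did it reach the SMTP server, (3) did any alert
# reach the mail threshold. All files below are constructed samples.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed ossec.conf fragment (placeholder hosts, not real ones).
SAMPLE_CONF="$WORK/ossec.conf"
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>support@example.invalid</email_to>
    <smtp_server>smtp.example.invalid</smtp_server>
    <email_from>ossecm@example.invalid</email_from>
  </global>
</ossec_config>
EOF

# Same config with an explicit, lower email_alert_level (constructed).
SAMPLE_CONF_LOW="$WORK/ossec-low.conf"
sed 's#<email_from>#<email_alert_level>3</email_alert_level><email_from>#' \
  "$SAMPLE_CONF" > "$SAMPLE_CONF_LOW"

# Constructed ossec.log excerpt; the maild ERROR line is invented for the sample.
SAMPLE_OSSEC_LOG="$WORK/ossec.log"
cat > "$SAMPLE_OSSEC_LOG" <<'EOF'
2018/09/11 10:58:57 ossec-logcollector: INFO: Started (pid: 5025).
2018/09/11 10:59:16 INFO: Connected to smtp.example.invalid at address 10.124.229.22, port 25
2018/09/11 11:05:02 ossec-maild: INFO: Started (pid: 5030).
2018/09/11 11:40:00 ossec-maild: ERROR: sample error while sending mail (constructed)
EOF

# Constructed alerts.log excerpt using the rule levels seen in the thread.
SAMPLE_ALERTS_LOG="$WORK/alerts.log"
cat > "$SAMPLE_ALERTS_LOG" <<'EOF'
** Alert 1536679973.596: - ossec,rootcheck,
2018 Sep 11 11:32:53 switchover->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
** Alert 1536680164.993: - web,accesslog,
2018 Sep 11 11:36:04 switchover->/var/log/nginx/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
EOF

# conf_value FILE TAG: first value of <TAG>...</TAG>, empty if absent.
conf_value() {
  sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p" "$1" | head -n 1
}

# mail_threshold FILE: email_alert_level from the config, or the assumed
# OSSEC default of 7 when the tag is not set.
mail_threshold() {
  lvl=$(conf_value "$1" email_alert_level)
  echo "${lvl:-7}"
}

# maild_summary FILE: counts of maild lines, maild errors and SMTP connects.
# "|| :" keeps grep -c's exit status 1 (zero matches) from tripping set -e.
maild_summary() {
  total=$(grep -c 'ossec-maild' "$1" || :)
  errors=$(grep 'ossec-maild' "$1" | grep -c 'ERROR' || :)
  connects=$(grep -c 'Connected to .* port 25' "$1" || :)
  printf 'maild_lines=%s maild_errors=%s smtp_connects=%s\n' "$total" "$errors" "$connects"
}

# max_alert_level FILE: highest "Rule: N (level L)" in alerts.log, 0 if none.
max_alert_level() {
  lvl=$(sed -n 's/.*Rule: [0-9]* (level \([0-9]*\)).*/\1/p' "$1" | sort -n | tail -n 1)
  echo "${lvl:-0}"
}

# would_mail ALERTS CONF: succeed only if mail is enabled and at least one
# alert reached the mail threshold.
would_mail() {
  [ "$(conf_value "$2" email_notification)" = "yes" ] &&
  [ "$(max_alert_level "$1")" -ge "$(mail_threshold "$2")" ]
}

# Report for the sample data.
echo "email_notification=$(conf_value "$SAMPLE_CONF" email_notification) threshold=$(mail_threshold "$SAMPLE_CONF")"
maild_summary "$SAMPLE_OSSEC_LOG"
echo "max_alert_level=$(max_alert_level "$SAMPLE_ALERTS_LOG")"
if would_mail "$SAMPLE_ALERTS_LOG" "$SAMPLE_CONF"; then
  echo "an alert should have been mailed: check maild errors here and the maillog on the SMTP server"
else
  echo "no alert reached the mail threshold, so no mail was expected"
fi
```

To run it against a real install, point the three variables at /var/ossec/etc/ossec.conf, /var/ossec/logs/ossec.log and /var/ossec/logs/alerts/alerts.log instead of the constructed samples. The alerts quoted in the thread are level 3 and level 5, which is below OSSEC's default mail threshold of 7, so the script's "no mail was expected" branch is the first thing to rule out before looking at the SMTP side.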
