I'm trying to figure out why ossec is sometimes not emailing triggered 31122 alerts.
Here's a log entry in ossec's alerts log file:

    ** Alert 1554150564.41683927: mail - web,accesslog,system_error,
    2019 Apr 01 20:29:24 us-web->/log/jetty/2019_04_01.request.log
    Rule: 31122 (level 5) -> 'Web server 500 error code (Internal Error).'
    Src IP: 1.2.3.4
    1.2.3.4 username - [01/Apr/2019:20:29:24 +0000] "POST /update.rest HTTP/1.1" 500 12369 23

However, here are two consecutive log entries in ossec.log:

    2019/04/01 20:03:43 INFO: Connected to 127.0.0.1 at address 127.0.0.1, port 25
    2019/04/01 21:00:06 INFO: Connected to 127.0.0.1 at address 127.0.0.1, port 25

This mirrors the mail log entries (Postfix is running just for ossec):

    Apr  1 20:03:43 us-web postfix/qmgr[4488]: 4438D801A5: removed
    Apr  1 21:00:06 us-web postfix/smtpd[127085]: connect from localhost[127.0.0.1]

I double checked and the details for rule 31122 look correct:

    <rule id="31122" level="5">
      <if_sid>31120</if_sid>
      <id>^500</id>
      <options>alert_by_email</options>
      <description>Web server 500 error code (Internal Error).</description>
      <group>system_error,</group>
    </rule>

Any idea what could be going on here? I see a <defunct> for the ossec-maild child process:

    ossecm    4957  0.0  0.0  16552  2156 ?  S  Apr06  0:04 /var/ossec/bin/ossec-maild
    ossec     4965  0.2  0.0  23176  3552 ?  S  Apr06  7:42 /var/ossec/bin/ossec-analysisd
    root      4969  0.0  0.0   6652   584 ?  S  Apr06  2:25 /var/ossec/bin/ossec-logcollector
    root      4981  0.0  0.0   7708  1924 ?  S  Apr06  1:29 /var/ossec/bin/ossec-syscheckd
    ossec     4986  0.0  0.0  15164   692 ?  S  Apr06  0:00 /var/ossec/bin/ossec-monitord
    ossecm   72611  0.0  0.0      0     0 ?  Z  17:02  0:00 [ossec-maild] <defunct>

but from what I can tell when I've run ossec-maild -ddd -f, showing defunct on the child process is normal -- it will eventually end and a new one will be created the next time an alert needs to be delivered. Communication to postfix seems to be working fine. There are no errors in either the mail log or ossec's logs.

Version info:

    dpkg -s ossec
    dpkg-query: package 'ossec' is not installed and no information is available
    Use dpkg --info (= dpkg-deb --info) to examine archive files,
    and dpkg --contents (= dpkg-deb --contents) to list their contents.
    root@us-web:/var/ossec/bin# dpkg -s ossec-hids-server
    Package: ossec-hids-server
    Status: hold ok installed
    Priority: extra
    Section: admin
    Installed-Size: 4516
    Maintainer: Atomicorp <[email protected]>
    Architecture: amd64
    Version: 2.9.4-5177trusty
    Depends: libc6 (>= 2.15), libgeoip1, libmysqlclient18 (>= 5.5.24+dfsg-1), libssl1.0.0 (>= 1.0.1), expect, debconf
    Conflicts: ossec-hids-agent
    Conffiles:
     /var/ossec/etc/ossec.conf 45e1b4a4e4c9b62fdf4c8788e2579984
    Description: OSSEC Server - Host Based Intrusion Detection System
     OSSEC HIDS for log analysis, integrity checking, rootkits detection and
     active response. This package includes the server
    Homepage: http://www.ossec.net
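As an added diagnostic (my own example, not code from the poster or from the OSSEC project), the script below correlates the two logs quoted in the post: it reads the alerts-log header for the "mail" flag and the "Connected to ... port 25" lines that ossec-maild writes to ossec.log, and lists mail-flagged alerts that were not followed by an SMTP connection within a chosen window. The sample log lines are constructed after the ones in the post, and the one-hour default window and the assumption that both logs carry the same local clock are mine.

```python
import re
from datetime import datetime, timedelta
# Constructed sample input modelled on the two log formats quoted in the post (not real logs).
ALERTS_LOG = """\
** Alert 1554150564.41683927: mail - web,accesslog,system_error,
2019 Apr 01 20:29:24 us-web->/log/jetty/2019_04_01.request.log
Rule: 31122 (level 5) -> 'Web server 500 error code (Internal Error).'
** Alert 1554152406.41690001: mail - web,accesslog,system_error,
2019 Apr 01 21:00:06 us-web->/log/jetty/2019_04_01.request.log
Rule: 31122 (level 5) -> 'Web server 500 error code (Internal Error).'
** Alert 1554156900.41695000: - web,accesslog,
2019 Apr 01 22:15:00 us-web->/log/jetty/2019_04_01.request.log
Rule: 31120 (level 0) -> 'constructed alert without the mail flag'
** Alert 1554157200.41695500: mail - web,accesslog,system_error,
2019 Apr 01 22:20:00 us-web->/log/jetty/2019_04_01.request.log
Rule: 31122 (level 5) -> 'Web server 500 error code (Internal Error).'
"""
OSSEC_LOG = """\
2019/04/01 20:03:43 INFO: Connected to 127.0.0.1 at address 127.0.0.1, port 25
2019/04/01 21:00:06 INFO: Connected to 127.0.0.1 at address 127.0.0.1, port 25
"""

ALERT_HDR = re.compile(r"^\*\* Alert (\d+)\.(\d+):(.*?) - ")   # flags such as "mail" sit before " - "
ALERT_TS = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) ")
ALERT_RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")
SMTP_CONN = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) INFO: Connected to .*, port 25$")

def parse_alerts(text):
    """One dict per alert block: id, local timestamp, rule id, whether it was flagged for mail."""
    alerts = []
    for line in text.splitlines():
        if m := ALERT_HDR.match(line):
            alerts.append({"id": f"{m[1]}.{m[2]}", "mail": "mail" in m[3].split(),
                           "ts": None, "rule": None})
        elif alerts and (m := ALERT_TS.match(line)) and alerts[-1]["ts"] is None:
            alerts[-1]["ts"] = datetime.strptime(m[1], "%Y %b %d %H:%M:%S")
        elif alerts and (m := ALERT_RULE.match(line)):
            alerts[-1]["rule"] = int(m[1])
    return alerts

def parse_smtp_connections(text):
    """Timestamps at which ossec-maild logged a connection to the local MTA on port 25."""
    return [datetime.strptime(m[1], "%Y/%m/%d %H:%M:%S")
            for m in map(SMTP_CONN.match, text.splitlines()) if m]

def unmailed_alerts(alerts, conns, window_seconds=3600):
    """Mail-flagged alerts with no SMTP connection from the alert time up to time + window."""
    window = timedelta(seconds=window_seconds)
    return [a for a in alerts if a["mail"]
            and not any(a["ts"] <= c <= a["ts"] + window for c in conns)]
```

Run against the real /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/ossec.log, an alert that shows up here is one that analysisd flagged for mail but maild never followed with an SMTP connection, which narrows the problem to maild rather than the rule.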
