Hello Glen,

By default, once email alerts are configured, emails are sent only for alerts with a level greater than or equal to the one set in the following stanza of your configuration file:
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>

Make sure that you are generating alerts with a level greater than the one you can find in that stanza. You could also customize it and restart the service to apply the changes.

I hope it helps.

Regards,
Jose Manuel Lopez

On Monday, March 30, 2020 at 8:00:04 PM UTC+2 [email protected] wrote:
> I think my issue is my server's mail (postfix) configuration. I can send an email from the command line like so:
>
> $ sendmail -f root@localhost [email protected]
> This is a test.
> .
>
> I can see it get sent in /var/log/mail.log. I get it (in my spam folder, but it's a start).
>
> I added these settings to /var/ossec/etc/ossec.conf
>
> <global>
> <email_notification>yes</email_notification>
> <email_to>[email protected]</email_to>
> <smtp_server>localhost</smtp_server>
> <email_from>root@localhost</email_from>
> </global>
>
> Then:
>
> sudo /var/ossec/bin/ossec-control stop
> sudo /var/ossec/bin/ossec-control start
> sudo tail -F /var/ossec/logs/ossec.log
>
> It starts up fine - I can see a couple dozen new messages in the log (see the end of this email). But there is no email, and no record of even an email attempt in /var/log/mail.log
>
> I'm guessing that ossec doesn't send mail the same way I do when I test sendmail from the command line, but I don't know what it *does* do.
>
> Then I tried:
> $ whereis sendmail
> sendmail: /usr/sbin/sendmail /usr/lib/sendmail /usr/share/man/man1/sendmail.1.gz
> $ ls -l /usr/sbin/sendmail
> -rwxr-xr-x 1 root root 26776 Oct 11 2018 /usr/sbin/sendmail
>
> And changed
> <smtp_server>localhost</smtp_server>
> to
> <smtp_server>/usr/sbin/sendmail</smtp_server>
>
> Stopped and started ossec-control: still no email. Still no errors about emails. Here is /var/ossec/logs/ossec.log from the latest attempt
>
> 2020/03/30 12:24:19 ossec-execd: INFO: Started (pid: 5337).
> 2020/03/30 12:24:19 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
> 2020/03/30 12:24:19 going daemon
> 2020/03/30 12:24:19 starting imsg stuff
> 2020/03/30 12:24:19 Creating socketpair()
> 2020/03/30 12:24:19 agentd imsg_init()
> 2020/03/30 12:24:19 os_dns imsg_init()
> 2020/03/30 12:24:19 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2020/03/30 12:24:19 ossec-agentd: INFO: No previous counter available for 'server1'.
> 2020/03/30 12:24:19 ossec-agentd: INFO: Assigning counter for agent server1: '0:0'.
> 2020/03/30 12:24:19 ossec-agentd: INFO: Assigning sender counter: 0:659
> 2020/03/30 12:24:19 rootcheck: System audit file not configured.
> 2020/03/30 12:24:19 ossec-agentd: INFO: Started (pid: 5341).
> 2020/03/30 12:24:19 ossec-agentd: INFO: Server 1: 172.24.16.158
> 2020/03/30 12:24:19 ossec-agentd: INFO: Trying to connect to server 172.24.16.158, port 1514.
> 2020/03/30 12:24:19 INFO: Connected to 172.24.16.158 at address 172.24.16.158, port 1514
> 2020/03/30 12:24:19 ossec-agentd: DEBUG: agt->sock: 11
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: Started (pid: 5350).
> 2020/03/30 12:24:23 ossec-rootcheck: INFO: Started (pid: 5350).
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha1sum.
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum.
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum.
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/bin', with options perm | size | owner | group | md5sum | sha1sum.
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/sbin', with options perm | size | owner | group | md5sum | sha1sum.
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: Monitoring directory: '/boot', with options perm | size | owner | group | md5sum | sha1sum.
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/random.seed'
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
> 2020/03/30 12:24:23 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
> 2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/messages' due to [(2)-(No such file or directory)].
> 2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/authlog' due to [(2)-(No such file or directory)].
> 2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
> 2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
> 2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/secure' due to [(2)-(No such file or directory)].
> 2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/xferlog' due to [(2)-(No such file or directory)].
> 2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
> 2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/log/maillog' due to [(2)-(No such file or directory)].
> 2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/www/logs/access_log' due to [(2)-(No such file or directory)].
> 2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/access_log'.
> 2020/03/30 12:24:25 ossec-logcollector(1103): ERROR: Could not open file '/var/www/logs/error_log' due to [(2)-(No such file or directory)].
> 2020/03/30 12:24:25 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/error_log'.
> 2020/03/30 12:24:25 ossec-logcollector: INFO: Started (pid: 5346).
> 2020/03/30 12:24:27 ossec-logcollector: WARN: Process locked. Waiting for permission...
> 2020/03/30 12:24:40 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '172.24.16.158'.
> 2020/03/30 12:24:42 ossec-agentd: INFO: Trying to connect to server 172.24.16.158, port 1514.
> 2020/03/30 12:24:42 INFO: Connected to 172.24.16.158 at address 172.24.16.158, port 1514
> 2020/03/30 12:24:42 ossec-agentd: DEBUG: agt->sock: 15
> 2020/03/30 12:25:03 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '172.24.16.158'.
> 2020/03/30 12:25:23 ossec-agentd: INFO: Trying to connect to server 172.24.16.158, port 1514.
> 2020/03/30 12:25:23 INFO: Connected to 172.24.16.158 at address 172.24.16.158, port 1514
> 2020/03/30 12:25:23 ossec-agentd: DEBUG: agt->sock: 18
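The threshold rule in the reply above (an alert is emailed only when its level reaches the `<email_alert_level>` in the `<alerts>` stanza and `<email_notification>` is on) is easy to check against what the manager is actually writing to alerts.log. The script below is an added example, not code from the thread or from the OSSEC project: it parses an ossec.conf-style fragment and a handful of alerts.log-style entries and reports which alerts would have produced an email. The config fragment and the alert entries are constructed for illustration (the rule ids and descriptions are illustrative), the fallback values 1 and 7 are the OSSEC documented defaults used only when the stanza is absent, and the check is meant for the manager, which is where alerts.log is written.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment mirroring the stanzas quoted in the thread:
# the <global> block from the question and the <alerts> levels from the reply.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ossec-alerts@example.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>root@localhost</email_from>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>
"""

# Constructed alerts.log-style entries; rule ids, levels and texts are illustrative.
SAMPLE_ALERTS = """\
** Alert 1585563859.1001: - syslog,sshd,authentication_failed,
2020 Mar 30 12:24:19 server1->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'

** Alert 1585563859.1002: - syslog,sshd,authentication_failures,
2020 Mar 30 12:25:40 server1->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'

** Alert 1585563859.1003: mail  - ossec,rootcheck,
2020 Mar 30 12:26:02 server1->rootcheck
Rule: 510 (level 12) -> 'Host-based anomaly detection event (rootcheck).'
"""

# Every alerts.log entry carries a "Rule: <id> (level <n>)" header line.
ALERT_HEADER = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.MULTILINE)


def parse_mail_settings(conf_text):
    """Return the settings that decide whether an alert is emailed.

    ossec.conf may hold several top-level <ossec_config> blocks, which is not
    well-formed XML on its own, so the text is wrapped in one root first.
    The fallbacks (1 and 7) are OSSEC's documented defaults and only apply
    when the <alerts> stanza is missing.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    notify = (root.findtext(".//global/email_notification") or "no").strip().lower()
    return {
        "email_notification": notify == "yes",
        "log_alert_level": int(root.findtext(".//alerts/log_alert_level") or 1),
        "email_alert_level": int(root.findtext(".//alerts/email_alert_level") or 7),
    }


def would_email(level, settings):
    """Emailed only if notification is enabled and the level reaches the threshold."""
    return settings["email_notification"] and level >= settings["email_alert_level"]


def triage_alerts(conf_text, alerts_text):
    """Map each 'Rule: N (level L)' header to (rule_id, level, emailed?)."""
    settings = parse_mail_settings(conf_text)
    return [
        (int(rule_id), int(level), would_email(int(level), settings))
        for rule_id, level in ALERT_HEADER.findall(alerts_text)
    ]


if __name__ == "__main__":
    settings = parse_mail_settings(SAMPLE_CONF)
    print(f"email threshold: level >= {settings['email_alert_level']}")
    for rule_id, level, emailed in triage_alerts(SAMPLE_CONF, SAMPLE_ALERTS):
        print(f"rule {rule_id:>5} level {level:>2}: {'email' if emailed else 'log only'}")
```

Run against a real manager with `triage_alerts(open('/var/ossec/etc/ossec.conf').read(), open('/var/ossec/logs/alerts/alerts.log').read())`: if every entry comes back as "log only", the alerts being generated never reach the email threshold, which is exactly the case the reply asks to rule out before looking at the mail transport.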
