Re: [ossec-list] ossec-Maild CPU Usage 95% +

2020-04-01 Thread SHADO
2020/04/01 12:54:01 ossec-maild [dns]: ERROR: connect() failed.
2020/04/01 12:54:01 ossec-maild: ERROR: DNS failure for smtpserver 
2020/04/01 12:54:01 ossec-maild: ERROR: No socket. 
2020/04/01 12:54:27 ossec-maild(1261): ERROR: Waiting for child process. (status: 256).
2020/04/01 12:54:27 ossec-maild(1223): ERROR: Error Sending email to mail.DOMAIN.com. (smtp server)
2020/04/01 12:58:02 ossec-maild: DEBUG: Running OS_Sendmail() 
2020/04/01 12:59:06 ossec-maild [dns]: ERROR: connect() failed. 
2020/04/01 12:59:06 ossec-maild: ERROR: DNS failure for smtpserver 
2020/04/01 12:59:06 ossec-maild: ERROR: No socket.



Not sure if it was my late night fat fingers but somehow smtp.DOMAIN.com 
became mail.DOMAIN.com.


Changed it back to smtp.DOMAIN.com, restarted OSSEC and the CPU seems to be 
back to its normal utilization levels.


Thanks for the nudge to look at the logs.  Was feeling a little lazy after 
what seemed like a never ending day.


Stay Safe.



On Wednesday, April 1, 2020 at 1:16:25 PM UTC-4, dan (ddpbsd) wrote:

> On Wed, Apr 1, 2020 at 12:58 PM SHADO wrote:
> >
> > Hi!
> >
> > Did a new install on Ubuntu 18.04 LTS and ossec-Maild is hogging the CPU.
> >
> >
> > ossecmPID 1 78 Mar31 ?07:34:06 /var/ossec/bin/ossec-maild
> >
> >
> >  PID USER  PRI  NI  VIRT   RES   SHR S CPU% MEM%   TIME+  Command
> >
> > PID ossecm 20   0 24756  2768  2512 R 96.0  0.0  7h38:20 /var/ossec/bin/ossec-maild
> > 
> > 
> > 
> > 
> > Have stopped and restart. 
> > 
> > 
> > Have rebooted. 
> > 
> > 
> > CPU is low until ossec-maild kicks off. 
> > 
> > 
>
> Which version of OSSEC? 
> Anything in the ossec.log on the server? 
>
>
> > 
> > Suggestions? 
> > 
> > 
> > Regards 
> > 
> > SHADO 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an email to ossec...@googlegroups.com . 
> > To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/460a4b27-be7c-4c84-af3a-e1eaed037372%40googlegroups.com.
>  
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/a4bff135-626a-4563-9db8-d2d16cd995bd%40googlegroups.com.
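
Added example (not part of the original post, and not OSSEC project code): a small triage pass over ossec.log that separates the failure resolved above, an smtp_server name that does not resolve, from the bare error 1223 that other posts on this page report. The sample lines are constructed from the log excerpts quoted in these threads; the function names, the returned keys and the wording of the next-step hints are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the ossec-maild lines quoted in the post above with the
# mail client's line wraps undone (DOMAIN.com is the poster's placeholder).
SAMPLE_DNS = """\
2020/04/01 12:54:01 ossec-maild [dns]: ERROR: connect() failed.
2020/04/01 12:54:01 ossec-maild: ERROR: DNS failure for smtpserver
2020/04/01 12:54:01 ossec-maild: ERROR: No socket.
2020/04/01 12:54:27 ossec-maild(1261): ERROR: Waiting for child process. (status: 256).
2020/04/01 12:54:27 ossec-maild(1223): ERROR: Error Sending email to mail.DOMAIN.com. (smtp server)
2020/04/01 12:58:02 ossec-maild: DEBUG: Running OS_Sendmail()
2020/04/01 12:59:06 ossec-maild [dns]: ERROR: connect() failed.
2020/04/01 12:59:06 ossec-maild: ERROR: DNS failure for smtpserver
2020/04/01 12:59:06 ossec-maild: ERROR: No socket.
"""

# Constructed sample: a lone error 1223 against a local MTA, plus one
# unrelated daemon line that the parser must skip.
SAMPLE_SEND = """\
2016/09/28 09:36:03 ossec-analysisd: INFO: Reading local decoder file.
2016/09/28 09:36:04 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
"""

# timestamp, daemon, optional "(code)", optional " [tag]", level, message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-maild"
    r"(?:\((?P<code>\d+)\))?(?: \[(?P<tag>\w+)\])?: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# The host is followed by an optional "." before " (smtp server)".
HOST_RE = re.compile(r"Error Sending email to (\S+?)\.? \(smtp server\)")

NEXT_STEP = {
    "smtp_server_unresolvable":
        "smtp_server name does not resolve: check <smtp_server> in "
        "/var/ossec/etc/ossec.conf, then restart OSSEC",
    "smtp_send_failed":
        "the SMTP exchange itself failed: read the mail server's own logs",
    "no_maild_errors": "no ossec-maild errors in this log",
}


def parse_maild(log_text):
    """Yield (timestamp, code, level, message) for ossec-maild lines only."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            yield ts, m["code"], m["level"], m["msg"]


def triage(log_text):
    """Classify ossec-maild errors and suggest where to look next."""
    counts, hosts, dns_times = Counter(), set(), []
    for ts, code, level, msg in parse_maild(log_text):
        if level != "ERROR":
            continue
        if msg.startswith("DNS failure for smtpserver"):
            counts["dns_failure"] += 1
            dns_times.append(ts)
        elif code == "1223":
            counts["send_failure"] += 1
            found = HOST_RE.search(msg)
            if found:
                hosts.add(found.group(1))
        else:
            counts["other"] += 1

    # A name that never resolves makes every send fail, so the DNS error
    # outranks the 1223 that follows it.
    if counts["dns_failure"]:
        cause = "smtp_server_unresolvable"
    elif counts["send_failure"]:
        cause = "smtp_send_failed"
    else:
        cause = "no_maild_errors"

    gaps = [int((b - a).total_seconds())
            for a, b in zip(dns_times, dns_times[1:])]
    return {
        "cause": cause,
        "counts": dict(counts),
        "smtp_hosts": sorted(hosts),
        "dns_retry_gaps_s": gaps,   # seconds between successive DNS failures
        "next_step": NEXT_STEP[cause],
    }


if __name__ == "__main__":
    for name, sample in (("dns", SAMPLE_DNS), ("send", SAMPLE_SEND)):
        print(name, triage(sample))
```

To use it on a live server, pass the contents of /var/ossec/logs/ossec.log to triage() instead of the constructed samples.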


Re: [ossec-list] ossec-Maild CPU Usage 95% +

2020-04-01 Thread dan (ddp)
On Wed, Apr 1, 2020 at 12:58 PM SHADO  wrote:
>
> Hi!
>
> Did a new install on Ubuntu 18.04 LTS and ossec-Maild is hogging the CPU.
>
>
> ossecmPID 1 78 Mar31 ?07:34:06 /var/ossec/bin/ossec-maild
>
>
>  PID USER  PRI  NI  VIRT   RES   SHR S CPU% MEM%   TIME+  Command
>
> PID ossecm 20   0 24756  2768  2512 R 96.0  0.0  7h38:20 /var/ossec/bin/ossec-maild
>
>
>
>
> Have stopped and restart.
>
>
> Have rebooted.
>
>
> CPU is low until ossec-maild kicks off.
>
>

Which version of OSSEC?
Anything in the ossec.log on the server?


>
> Suggestions?
>
>
> Regards
>
> SHADO
>


Re: [ossec-list] ossec-Maild CPU Usage 95% +

2020-04-01 Thread Zach Vanderbilt
What is your mail server doing? Is that responding okay? You could try
running ossec-maild in the foreground with the debug flag ( -d) to see if
anything interesting appears.

On Wed, Apr 1, 2020 at 9:58 AM SHADO  wrote:

> Hi!
>
> Did a new install on Ubuntu 18.04 LTS and ossec-Maild is hogging the CPU.
>
>
> ossecmPID 1 78 Mar31 ?07:34:06 /var/ossec/bin/ossec-maild
>
>
>  PID USER  PRI  NI  VIRT   RES   SHR S CPU% MEM%   TIME+  Command
> PID ossecm 20   0 24756  2768  2512 R 96.0  0.0  7h38:20 /var/ossec/bin/ossec-maild
>
>
>
>
> Have stopped and restart.
>
>
> Have rebooted.
>
>
> CPU is low until ossec-maild kicks off.
>
>
>
> Suggestions?
>
>
> Regards
>
> SHADO
>


[ossec-list] ossec-Maild High CPU Usage

2020-04-01 Thread SHADO
Installed OSSEC on Ubuntu 18.04 LTS and just noticed that ossec-Maild is 
causing the CPU to experience high CPU usage.

Restarting the service or rebooting the system only provides temporary for 
the CPU.

Any suggestions on what to look at would be appreciated.

SHADO

 PID USER  PRI  NI  VIRT   RES   SHR S CPU% MEM%   TIME+  Command
PID ossecm 20   0  24756  2764  2512 R 96.7  0.0 10h46:36 /var/ossec/bin/ossec-maild



[ossec-list] ossec-Maild CPU Usage 95% +

2020-04-01 Thread SHADO
Hi!

Did a new install on Ubuntu 18.04 LTS and ossec-Maild is hogging the CPU.


ossecmPID 1 78 Mar31 ?07:34:06 /var/ossec/bin/ossec-maild
 

 PID USER  PRI  NI  VIRT   RES   SHR S CPU% MEM%   TIME+  Command
PID ossecm 20   0 24756  2768  2512 R 96.0  0.0  7h38:20 /var/ossec/bin/ossec-maild




Have stopped and restart.


Have rebooted.


CPU is low until ossec-maild kicks off.



Suggestions?


Regards

SHADO



Re: [ossec-list] ossec-maild?

2020-03-30 Thread Glen Peterson
I did that all again, but added:
$ sudo rm -rf /var/ossec/
Between the uninstall and reinstall.  Then created my keygen and client.key 
files from scratch.

and...

Oh...  Now I'm getting email alerts!!!  Wohoo!

Thanks so much for your help!

On Monday, March 30, 2020 at 3:49:42 PM UTC-4, Glen Peterson wrote:
>
> This is progress, I now have ossec-maild running, but still no email and 
> nothing from ossec in /var/log/mail.log.  Here's what I did:
>
> $ sudo /var/ossec/bin/ossec-control stop
> $ sudo apt purge ossec-hids-agent
> $ sudo apt purge ossec-hids-server
> $ sudo apt install ossec-hids-server
>
> My old keygen file was still there, as was the client.key file.
>
> $ sudo vim /var/ossec/etc/ossec.conf
>
>   
> yes
> my.em...@company.com
> localhost
> root@localhost
>   
>
>
> $ sudo /var/ossec/bin/ossec-control start
> Starting OSSEC HIDS v3.6.0...
> Started ossec-maild...
> Started ossec-execd...
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-remoted...
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
>
>
> No email.  Then I tried with:
> /usr/sbin/sendmail
>
> Still no email.
>
> $ sudo cat /var/ossec/logs/ossec.log
> ...
> 2020/03/30 15:38:24 ossec-testrule: INFO: Reading local decoder file.
> 2020/03/30 15:38:24 ossec-testrule: INFO: Started (pid: 17631).
> 2020/03/30 15:38:24 ossec-maild: INFO: Started (pid: 17644).
> 2020/03/30 15:38:24 ossec-execd: INFO: Started (pid: 17649).
> 2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17661).
> 2020/03/30 15:38:24 IPv6: :: on port 1514
> 2020/03/30 15:38:24 Socket bound for IPv6: :: on port 1514
> 2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17663).
> 2020/03/30 15:38:24 rootcheck: System audit file not configured.
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading local decoder file.
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'rules_config.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'pam_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'sshd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'telnetd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'syslog_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'arpwatch_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'symantec-av_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'symantec-ws_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'pix_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'named_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'smbd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'vsftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'pure-ftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'proftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'ms_ftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'ftpd_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'hordeimp_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'roundcube_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'wordpress_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'cimserver_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'vpopmail_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'vmpop3d_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'courier_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'web_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'web_appsec_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'apache_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'nginx_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'php_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'mysql_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'postgresql_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'ids_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'squid_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'firewall_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'apparmor_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 'cisco-ios_rules.xml'
> 2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
> 

Re: [ossec-list] ossec-maild?

2020-03-30 Thread Glen Peterson
This is progress, I now have ossec-maild running, but still no email and 
nothing from ossec in /var/log/mail.log.  Here's what I did:

$ sudo /var/ossec/bin/ossec-control stop
$ sudo apt purge ossec-hids-agent
$ sudo apt purge ossec-hids-server
$ sudo apt install ossec-hids-server

My old keygen file was still there, as was the client.keys file.

$ sudo vim /var/ossec/etc/ossec.conf

  
yes
my.em...@company.com
localhost
root@localhost
  


$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.


No email.  Then I tried with:
/usr/sbin/sendmail

Still no email.

$ sudo cat /var/ossec/logs/ossec.log
...
2020/03/30 15:38:24 ossec-testrule: INFO: Reading local decoder file.
2020/03/30 15:38:24 ossec-testrule: INFO: Started (pid: 17631).
2020/03/30 15:38:24 ossec-maild: INFO: Started (pid: 17644).
2020/03/30 15:38:24 ossec-execd: INFO: Started (pid: 17649).
2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17661).
2020/03/30 15:38:24 IPv6: :: on port 1514
2020/03/30 15:38:24 Socket bound for IPv6: :: on port 1514
2020/03/30 15:38:24 ossec-remoted: INFO: Started (pid: 17663).
2020/03/30 15:38:24 rootcheck: System audit file not configured.
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading local decoder file.
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'rules_config.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'pam_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'sshd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'telnetd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'syslog_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'arpwatch_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'symantec-av_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'symantec-ws_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'pix_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'named_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'smbd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'vsftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'pure-ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'proftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ms_ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ftpd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'hordeimp_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'roundcube_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'wordpress_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'cimserver_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'vpopmail_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'vmpop3d_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'courier_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'web_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'web_appsec_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'apache_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'nginx_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'php_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'mysql_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'postgresql_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'ids_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'squid_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'firewall_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'apparmor_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'cisco-ios_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'netscreenfw_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'sonicwall_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'postfix_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'sendmail_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'imapd_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'mailscanner_rules.xml'
2020/03/30 15:38:24 ossec-analysisd: INFO: Reading rules file: 
'dovecot_rules.xml'
2020/03/30 

Re: [ossec-list] ossec-maild?

2020-03-30 Thread dan (ddp)
On Mon, Mar 30, 2020 at 2:11 PM Glen Peterson  wrote:
>
> I installed on Ubuntu 18.04 according to this:
> https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian
>
> I installed both agent and server.  Specifically:
> $ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
>
> $ sudo apt update
>
> $ sudo apt install ossec-hids-server
> $ sudo apt install ossec-hids-agent
>

They should be mutually exclusive, so I'm guessing the agent removed the server.

> $ sudo -u ossec ssh-keygen
>
> $ sudo vim /var/ossec/etc/client.keys
> 001 server1 any 
>
> $ sudo chown root.ossec /var/ossec/etc/client.keys
>
> Then I edited ossec.conf as I wrote in my previous mail and started the 
> server.
>
> $ sudo /var/ossec/bin/ossec-control start
> Starting OSSEC HIDS v3.6.0...
> Started ossec-execd...
> 2020/03/30 14:05:04 ossec-agentd: INFO: Using notify time: 600 and max time 
> to reconnect: 1800
> 2020/03/30 14:05:04 going daemon
> Started ossec-agentd...
> Started ossec-logcollector...
> Started ossec-syscheckd...
> Completed.
>
>
>
> On Monday, March 30, 2020 at 2:01:35 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mon, Mar 30, 2020 at 2:00 PM Glen Peterson  wrote:
>> >
>> > Sorry to be dense.  I just tried to post another message and don't see it 
>> > in google groups.  I'm noticing that other people have an ossec-maild, but 
>> > I don't:
>> > $ sudo ls -l /var/ossec/bin/
>> > total 1164
>> > -r-xr-x--- 1 root ossec 149632 Mar 15 15:02 agent-auth
>> > -r-xr-x--- 1 root ossec 153728 Mar 15 15:02 manage_agents
>> > -r-xr-x--- 1 root ossec 276704 Mar 15 15:02 ossec-agentd
>> > -r-xr-x--- 1 root ossec   4593 Feb 14 14:46 ossec-control
>> > -r-xr-x--- 1 root ossec  63504 Mar 15 15:02 ossec-execd
>> > -r-xr-x--- 1 root ossec 235840 Mar 15 15:02 ossec-logcollector
>> > -r-xr-x--- 1 root ossec 284864 Mar 15 15:02 ossec-syscheckd
>> > -r-xr-x--- 1 root ossec   4503 Feb 14 14:46 util.sh
>> >
>> > I just installed ossec for the first time over the weekend.  I can't seem 
>> > to get it to send mail.  Am I missing an executable?
>> >
>>
>> This looks like an agent installation. The OSSEC server handles
>> sending out email.
>>


Re: [ossec-list] ossec-maild?

2020-03-30 Thread Glen Peterson
I installed on Ubuntu 18.04 according to this:
https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian

I installed both agent and server.  Specifically:
$ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash

$ sudo apt update

$ sudo apt install ossec-hids-server
$ sudo apt install ossec-hids-agent

$ sudo -u ossec ssh-keygen

$ sudo vim /var/ossec/etc/client.keys
001 server1 any 

$ sudo chown root.ossec /var/ossec/etc/client.keys

Then I edited ossec.conf as I wrote in my previous mail and started the 
server.

$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.6.0...
Started ossec-execd...
2020/03/30 14:05:04 ossec-agentd: INFO: Using notify time: 600 and max time 
to reconnect: 1800
2020/03/30 14:05:04 going daemon
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.



On Monday, March 30, 2020 at 2:01:35 PM UTC-4, dan (ddpbsd) wrote:
>
> On Mon, Mar 30, 2020 at 2:00 PM Glen Peterson wrote:
> >
> > Sorry to be dense.  I just tried to post another message and don't see
> > it in google groups.  I'm noticing that other people have an ossec-maild,
> > but I don't:
> > $ sudo ls -l /var/ossec/bin/ 
> > total 1164 
> > -r-xr-x--- 1 root ossec 149632 Mar 15 15:02 agent-auth 
> > -r-xr-x--- 1 root ossec 153728 Mar 15 15:02 manage_agents 
> > -r-xr-x--- 1 root ossec 276704 Mar 15 15:02 ossec-agentd 
> > -r-xr-x--- 1 root ossec   4593 Feb 14 14:46 ossec-control 
> > -r-xr-x--- 1 root ossec  63504 Mar 15 15:02 ossec-execd 
> > -r-xr-x--- 1 root ossec 235840 Mar 15 15:02 ossec-logcollector 
> > -r-xr-x--- 1 root ossec 284864 Mar 15 15:02 ossec-syscheckd 
> > -r-xr-x--- 1 root ossec   4503 Feb 14 14:46 util.sh 
> > 
> > I just installed ossec for the first time over the weekend.  I can't
> > seem to get it to send mail.  Am I missing an executable?
> > 
>
> This looks like an agent installation. The OSSEC server handles 
> sending out email. 
>


[ossec-list] ossec-maild?

2020-03-30 Thread Glen Peterson
Sorry to be dense.  I just tried to post another message and don't see it 
in google groups.  I'm noticing that other people have an ossec-maild, but 
I don't:
$ sudo ls -l /var/ossec/bin/
total 1164
-r-xr-x--- 1 root ossec 149632 Mar 15 15:02 agent-auth
-r-xr-x--- 1 root ossec 153728 Mar 15 15:02 manage_agents
-r-xr-x--- 1 root ossec 276704 Mar 15 15:02 ossec-agentd
-r-xr-x--- 1 root ossec   4593 Feb 14 14:46 ossec-control
-r-xr-x--- 1 root ossec  63504 Mar 15 15:02 ossec-execd
-r-xr-x--- 1 root ossec 235840 Mar 15 15:02 ossec-logcollector
-r-xr-x--- 1 root ossec 284864 Mar 15 15:02 ossec-syscheckd
-r-xr-x--- 1 root ossec   4503 Feb 14 14:46 util.sh

I just installed ossec for the first time over the weekend.  I can't seem 
to get it to send mail.  Am I missing an executable?



Re: [ossec-list] ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)

2017-11-03 Thread dan (ddp)
On Nov 3, 2017 18:33,  wrote:

> I am receiving the error: ossec-maild(1223): ERROR: Error Sending email to
> 127.0.0.1 (smtp server)
>
> postfix is working on my client. `echo 'message' | mail -s 'subject'
> recipi...@email.com` works as expected.
>
> I have changed smtp_relay in my global config to localhost and 127.0.0.1
> but neither worked.
>
> Not sure what to try next.


Look at your postfix logs





[ossec-list] ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)

2017-11-03 Thread this . iz . not . a . drill
I am receiving the error: ossec-maild(1223): ERROR: Error Sending email to 
127.0.0.1 (smtp server)

postfix is working on my client. `echo 'message' | mail -s 'subject' 
recipi...@email.com` works as expected.

I have changed smtp_relay in my global config to localhost and 127.0.0.1 
but neither worked.

Not sure what to try next. 



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2016-09-29 Thread dan (ddp)
On Wed, Sep 28, 2016 at 11:37 AM, Laura Herrera  wrote:
> Hi Dan,
>
> Yes, thank you, i have been trying to get this working all day.
>
> I am running ossec on an ubuntu 14.04 server and i need to be able to email
> alerts of course.
>
> I saw in a separate post that ossec actually needs smtp listening on the
> local server, and so i decided to use postfix as a relay.
> To make things more complicated, my mail server is in office 365.
>
> Here my configurations:
> /etc/postfix/main.cf   (changes from original)
>
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_generic_maps = hash:/etc/postfix/generic
>
> myhostname = ossec-1.example.com
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = localhost.localdomain, localhost
> relayhost = smtp.office365.com:587
> mynetworks = 127.0.0.0/8, 10.0.0.0/8
>
> /etc/postfix/generic
> /.*/  u...@example.com
>
>
> /etc/postfix/sasl_passwd
> [smtp.office365.com]:587 u...@example.com:MyPassword
>
>
> ossec.conf
>   
> no
> yes
> localhost
> dev...@example.com
> u...@example.com
>   
>
> I am sure postfix is listening on port 25:
> tcp        0      0 0.0.0.0:25  0.0.0.0:*   LISTEN  947/master
>
> The error i get, even after enabling debug mode in ossec is not very helpful
> at all:
> 2016/09/28 09:36:04 ossec-maild(1223): ERROR: Error Sending email to
> 127.0.0.1 (smtp server)
>
> nothing before or after that can be of help...
>

Have you checked postfix's logs to see if it is logging the error?

> Sorry i don't know what else to say
>
> Thanks a lot, hope you can help
> Laura
>
>
> On Wednesday, 28 September 2016 11:47:20 UTC+1, dan (ddpbsd) wrote:
>>
>> On Sep 28, 2016 6:42 AM, "Laura Herrera"  wrote:
>> >
>> > Hi Theresa,
>> >
>> > Please can i ask how did you solve this problem?
>> >
>>
>> If you're having issues, you could post details and we could try to help.
>>
>> > Thanks a lot,
>> > Laura
>> >
>> >
>> > On Monday, 6 July 2015 18:35:50 UTC+1, theresa mic-snare wrote:
>> >>
>> >> OK, managed to fix this and face-palming myself
>> >>
>> >> i've tweaked the postfix config a bit, enabled the service and there we
>> >> go...
>> >> ossec-maild is now officially sending out alerts to my email address.
>> >>
>> >> theresa happy :)
>> >>
>> >> On Sunday, 5 July 2015 14:02:29 UTC+2, Daniil Svetlov wrote:
>> >>>
>> >>> Theresa, try to issue command /var/ossec/bin/ossec-control enable
>> >>> debug. It will increase log verbosity. Then restart OSSEC, and check
>> >>> /var/ossec/log/ossec.log.
>> >>> Also after restart try to issue command "ps aux | grep ossec", and
>> >>> check, that ossec-maild process is running.
>> >>>
>> >>> Sat, 4 July 2015 at 19:13, theresa mic-snare:
>> 
>>  i've also tried disabling iptables, but that didn't help either...
>>  but then again i can send out emails with mailx just fine, so i don't
>>  think it's iptables blocking anyway...
>> 
>>  any ideas?
>> 
>> 
>>  On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:
>> >
>> > Hi Daniil,
>> >
>> > I've already done that. The maillog doesn't show the mail being
>> > sent, but there isn't an error either. It seems that the ossec-maild 
>> > isn't
>> > even relaying it to the local smtp mta (ssmtp) because as said before 
>> > I can
>> > send out mails with mailx just fine.
>> >
>> > The ossec.log doesn't even mention the ossec-maild even though the
>> > process is running...
>> > Hmm
>> 
>> >>>
>> >>> --
>> >>>
>> >>> --
>> >>> Best regards, Daniil Svetlov.
>> >

Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2016-09-29 Thread dan (ddp)
On Wed, Sep 28, 2016 at 12:56 PM, Laura Herrera  wrote:
> Hi Dan,
>
> Changing subject a bit,  do you know if it's possible to have alerts in
> ossec calling a script instead of sending an email directly?
>

Other than active response, no.

> Ta
> Laura
>
>
> On Wednesday, 28 September 2016 16:37:57 UTC+1, Laura Herrera wrote:
>>
>> Hi Dan,
>>
>> Yes, thank you, i have been trying to get this working all day.
>>
>> I am running ossec on an ubuntu 14.04 server and i need to be able to
>> email alerts of course.
>>
>> I saw in a separate post that ossec actually needs smtp listening on the
>> local server, and so i decided to use postfix as a relay.
>> To make things more complicated, my mail server is in office 365.
>>
>> Here my configurations:
>> /etc/postfix/main.cf   (changes from original)
>>
>> smtp_sasl_auth_enable = yes
>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>> smtp_generic_maps = hash:/etc/postfix/generic
>>
>> myhostname = ossec-1.example.com
>> alias_maps = hash:/etc/aliases
>> alias_database = hash:/etc/aliases
>> myorigin = /etc/mailname
>> mydestination = localhost.localdomain, localhost
>> relayhost = smtp.office365.com:587
>> mynetworks = 127.0.0.0/8, 10.0.0.0/8
>>
>> /etc/postfix/generic
>> /.*/  u...@example.com
>>
>>
>> /etc/postfix/sasl_passwd
>> [smtp.office365.com]:587 u...@example.com:MyPassword
>>
>>
>> ossec.conf
>>   
>> no
>> yes
>> localhost
>> dev...@example.com
>> u...@example.com
>>   
>>
>> I am sure postfix is listening on port 25:
>> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      947/master
>>
>> The error i get, even after enabling debug mode in ossec is not very
>> helpful at all:
>> 2016/09/28 09:36:04 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
>>
>> nothing before or after that can be of help...
>>
>> Sorry i don't know what else to say
>>
>> Thanks a lot, hope you can help
>> Laura
>>
>>
>> On Wednesday, 28 September 2016 11:47:20 UTC+1, dan (ddpbsd) wrote:
>>>
>>> On Sep 28, 2016 6:42 AM, "Laura Herrera"  wrote:
>>> >
>>> > Hi Theresa,
>>> >
>>> > Please can i ask how did you solve this problem?
>>> >
>>>
>>> If you're having issues, you could post details and we could try to help.
>>>
>>> > Thanks a lot,
>>> > Laura
>>> >
>>> >
>>> > On Monday, 6 July 2015 18:35:50 UTC+1, theresa mic-snare wrote:
>>> >>
>>> >> OK, managed to fix this and face-palming myself
>>> >>
>>> >> i've tweaked the postfix config a bit, enabled the service and there
>>> >> we go...
>>> >> ossec-maild is now officially sending out alerts to my email address.
>>> >>
>>> >> theresa happy :)
>>> >>
>>> >> On Sunday, 5 July 2015 14:02:29 UTC+2, Daniil Svetlov wrote:
>>> >>>
>>> >>> Theresa, try to issue command /var/ossec/bin/ossec-control enable
>>> >>> debug. It will increase log verbosity. Then restart OSSEC, and check
>>> >>> /var/ossec/log/ossec.log.
>>> >>> Also after restart try to issue command "ps aux | grep ossec", and
>>> >>> check that ossec-maild process is running.
>>> >>>
>>> >>> Sat, 4 July 2015 at 19:13, theresa mic-snare:
>>> >>>>
>>> >>>> i've also tried disabling iptables, but that didn't help either...
>>> >>>> but then again i can send out emails with mailx just fine, so i
>>> >>>> don't think it's iptables blocking anyway...
>>> >>>>
>>> >>>> any ideas?
>>> >>>>
>>> >>>>
>>> >>>> On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:
>>> >>>>>
>>> >>>>> Hi Daniil,
>>> >>>>>
>>> >>>>> I've already done that. The maillog doesn't show the mail being
>>> >>>>> sent, but there isn't an error either. It seems that the ossec-maild
>>> >>>>> isn't even relaying it to the local smtp mta (ssmtp) because as said
>>> >>>>> before I can send out mails with mailx just fine.
>>> >>>>>
>>> >>>>> The ossec.log doesn't even mention the ossec-maild even though the
>>> >>>>> process is running...
>>> >>>>> Hmm
>>> >>>
>>> >>> --
>>> >>>
>>> >>> --
>>> >>> Best regards, Daniil Svetlov.

Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2016-09-28 Thread Laura Herrera
Hi Dan,

Changing subject a bit,  do you know if it's possible to have alerts in 
ossec calling a script instead of sending an email directly?

Ta
Laura

On Wednesday, 28 September 2016 16:37:57 UTC+1, Laura Herrera wrote:
>
> Hi Dan,
>
> Yes, thank you, i have been trying to get this working all day.
>
> I am running ossec on an ubuntu 14.04 server and i need to be able to 
> email alerts of course.
>
> I saw in a separate post that ossec actually needs smtp listening on the 
> local server, and so i decided to use postfix as a relay.
> To make things more complicated, my mail server is in office 365.
>
> Here my configurations:
> /etc/postfix/main.cf   (changes from original)
>
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_generic_maps = hash:/etc/postfix/generic
>
> myhostname = ossec-1.example.com
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = localhost.localdomain, localhost
> relayhost = smtp.office365.com:587
> mynetworks = 127.0.0.0/8, 10.0.0.0/8
>
> /etc/postfix/generic
> /.*/  u...@example.com
>
>
> /etc/postfix/sasl_passwd
> [smtp.office365.com]:587 u...@example.com:MyPassword
>
>
> ossec.conf
>   
> no
> yes
> localhost
> dev...@example.com
> u...@example.com
>   
>
> I am sure postfix is listening on port 25:
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      947/master
>
> The error i get, even after enabling debug mode in ossec is not very 
> helpful at all:
> 2016/09/28 09:36:04 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
>
> nothing before or after that can be of help...
>
> Sorry i don't know what else to say
>
> Thanks a lot, hope you can help
> Laura
>
>
> On Wednesday, 28 September 2016 11:47:20 UTC+1, dan (ddpbsd) wrote:
>>
>> On Sep 28, 2016 6:42 AM, "Laura Herrera"  wrote:
>> >
>> > Hi Theresa,
>> >
>> > Please can i ask how did you solve this problem?
>> >
>>
>> If you're having issues, you could post details and we could try to help.
>>
>> > Thanks a lot,
>> > Laura
>> >
>> >
>> > On Monday, 6 July 2015 18:35:50 UTC+1, theresa mic-snare wrote:
>> >>
>> >> OK, managed to fix this and face-palming myself
>> >>
>> >> i've tweaked the postfix config a bit, enabled the service and there
>> >> we go...
>> >> ossec-maild is now officially sending out alerts to my email address.
>> >>
>> >> theresa happy :)
>> >>
>> >> On Sunday, 5 July 2015 14:02:29 UTC+2, Daniil Svetlov wrote:
>> >>>
>> >>> Theresa, try to issue command /var/ossec/bin/ossec-control enable
>> >>> debug. It will increase log verbosity. Then restart OSSEC, and check
>> >>> /var/ossec/log/ossec.log.
>> >>> Also after restart try to issue command "ps aux | grep ossec", and
>> >>> check that ossec-maild process is running.
>> >>>
>> >>> Sat, 4 July 2015 at 19:13, theresa mic-snare:
>> >>>>
>> >>>> i've also tried disabling iptables, but that didn't help either...
>> >>>> but then again i can send out emails with mailx just fine, so i
>> >>>> don't think it's iptables blocking anyway...
>> >>>>
>> >>>> any ideas?
>> >>>>
>> >>>>
>> >>>> On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:
>> >>>>>
>> >>>>> Hi Daniil,
>> >>>>>
>> >>>>> I've already done that. The maillog doesn't show the mail being
>> >>>>> sent, but there isn't an error either. It seems that the ossec-maild
>> >>>>> isn't even relaying it to the local smtp mta (ssmtp) because as said
>> >>>>> before I can send out mails with mailx just fine.
>> >>>>>
>> >>>>> The ossec.log doesn't even mention the ossec-maild even though the
>> >>>>> process is running...
>> >>>>> Hmm
>> >>>
>> >>> -- 
>> >>>
>> >>> --
>> >>> Best regards, Daniil Svetlov.
>>
>



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2016-09-28 Thread Laura Herrera
Hi Dan,

Yes, thank you, i have been trying to get this working all day.

I am running ossec on an ubuntu 14.04 server and i need to be able to email 
alerts of course.

I saw in a separate post that ossec actually needs smtp listening on the 
local server, and so i decided to use postfix as a relay.
To make things more complicated, my mail server is in office 365.

Here my configurations:
/etc/postfix/main.cf   (changes from original)

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_generic_maps = hash:/etc/postfix/generic

myhostname = ossec-1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.localdomain, localhost
relayhost = smtp.office365.com:587
mynetworks = 127.0.0.0/8, 10.0.0.0/8

/etc/postfix/generic
/.*/  u...@example.com


/etc/postfix/sasl_passwd
[smtp.office365.com]:587 u...@example.com:MyPassword


ossec.conf
  
no
yes
localhost
dev...@example.com
u...@example.com
  

I am sure postfix is listening on port 25:
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      947/master

The error i get, even after enabling debug mode in ossec is not very 
helpful at all:
2016/09/28 09:36:04 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)

nothing before or after that can be of help...

Sorry i don't know what else to say

Thanks a lot, hope you can help
Laura


On Wednesday, 28 September 2016 11:47:20 UTC+1, dan (ddpbsd) wrote:
>
> On Sep 28, 2016 6:42 AM, "Laura Herrera"  wrote:
> >
> > Hi Theresa,
> >
> > Please can i ask how did you solve this problem?
> >
>
> If you're having issues, you could post details and we could try to help.
>
> > Thanks a lot,
> > Laura
> >
> >
> > On Monday, 6 July 2015 18:35:50 UTC+1, theresa mic-snare wrote:
> >>
> >> OK, managed to fix this and face-palming myself
> >>
> >> i've tweaked the postfix config a bit, enabled the service and there
> >> we go...
> >> ossec-maild is now officially sending out alerts to my email address.
> >>
> >> theresa happy :)
> >>
> >> On Sunday, 5 July 2015 14:02:29 UTC+2, Daniil Svetlov wrote:
> >>>
> >>> Theresa, try to issue command /var/ossec/bin/ossec-control enable
> >>> debug. It will increase log verbosity. Then restart OSSEC, and check
> >>> /var/ossec/log/ossec.log.
> >>> Also after restart try to issue command "ps aux | grep ossec", and
> >>> check that ossec-maild process is running.
> >>>
> >>> Sat, 4 July 2015 at 19:13, theresa mic-snare:
> >>>>
> >>>> i've also tried disabling iptables, but that didn't help either...
> >>>> but then again i can send out emails with mailx just fine, so i
> >>>> don't think it's iptables blocking anyway...
> >>>>
> >>>> any ideas?
> >>>>
> >>>>
> >>>> On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:
> >>>>>
> >>>>> Hi Daniil,
> >>>>>
> >>>>> I've already done that. The maillog doesn't show the mail being
> >>>>> sent, but there isn't an error either. It seems that the ossec-maild
> >>>>> isn't even relaying it to the local smtp mta (ssmtp) because as said
> >>>>> before I can send out mails with mailx just fine.
> >>>>>
> >>>>> The ossec.log doesn't even mention the ossec-maild even though the
> >>>>> process is running...
> >>>>> Hmm
> >>>
> >>> -- 
> >>>
> >>> --
> >>> Best regards, Daniil Svetlov.
>



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2016-09-28 Thread dan (ddp)
On Sep 28, 2016 6:42 AM, "Laura Herrera"  wrote:
>
> Hi Theresa,
>
> Please can i ask how did you solve this problem?
>

If you're having issues, you could post details and we could try to help.

> Thanks a lot,
> Laura
>
>
> On Monday, 6 July 2015 18:35:50 UTC+1, theresa mic-snare wrote:
>>
>> OK, managed to fix this and face-palming myself
>>
>> i've tweaked the postfix config a bit, enabled the service and there
>> we go...
>> ossec-maild is now officially sending out alerts to my email address.
>>
>> theresa happy :)
>>
>> On Sunday, 5 July 2015 14:02:29 UTC+2, Daniil Svetlov wrote:
>>>
>>> Theresa, try to issue command /var/ossec/bin/ossec-control enable
>>> debug. It will increase log verbosity. Then restart OSSEC, and check
>>> /var/ossec/log/ossec.log.
>>> Also after restart try to issue command "ps aux | grep ossec", and
>>> check that ossec-maild process is running.
>>>
>>> Sat, 4 July 2015 at 19:13, theresa mic-snare:
>>>>
>>>> i've also tried disabling iptables, but that didn't help either...
>>>> but then again i can send out emails with mailx just fine, so i
>>>> don't think it's iptables blocking anyway...
>>>>
>>>> any ideas?
>>>>
>>>>
>>>> On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:
>>>>>
>>>>> Hi Daniil,
>>>>>
>>>>> I've already done that. The maillog doesn't show the mail being
>>>>> sent, but there isn't an error either. It seems that the ossec-maild
>>>>> isn't even relaying it to the local smtp mta (ssmtp) because as said
>>>>> before I can send out mails with mailx just fine.
>>>>>
>>>>> The ossec.log doesn't even mention the ossec-maild even though the
>>>>> process is running...
>>>>> Hmm
>>>
>>> --
>>>
>>> --
>>> Best regards, Daniil Svetlov.


Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2016-09-28 Thread Laura Herrera
Hi Theresa,

Please can i ask how did you solve this problem?

Thanks a lot,
Laura

On Monday, 6 July 2015 18:35:50 UTC+1, theresa mic-snare wrote:
>
> OK, managed to fix this and face-palming myself
>
> i've tweaked the postfix config a bit, enabled the service and there we 
> go...
> ossec-maild is now officially sending out alerts to my email address.
>
> theresa happy :)
>
> On Sunday, 5 July 2015 14:02:29 UTC+2, Daniil Svetlov wrote:
>>
>> Theresa, try to issue command /var/ossec/bin/ossec-control enable debug. 
>> It will increase log verbosity. Then restart OSSEC, and check 
>> /var/ossec/log/ossec.log.
>> Also after restart try to issue command "ps aux | grep ossec", and check 
>> that ossec-maild process is running.
>>
>> Sat, 4 July 2015 at 19:13, theresa mic-snare:
>>
>>> i've also tried disabling iptables, but that didn't help either...
>>> but then again i can send out emails with mailx just fine, so i don't 
>>> think it's iptables blocking anyway...
>>>
>>> any ideas?
>>>
>>>
>>> On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:
>>>>
>>>> Hi Daniil,
>>>>
>>>> I've already done that. The maillog doesn't show the mail being sent,
>>>> but there isn't an error either. It seems that the ossec-maild isn't even
>>>> relaying it to the local smtp mta (ssmtp) because as said before I can
>>>> send out mails with mailx just fine.
>>>>
>>>> The ossec.log doesn't even mention the ossec-maild even though the
>>>> process is running...
>>>> Hmm
>>>
>> -- 
>>
>> --
>> Best regards, Daniil Svetlov.
>>
>



Re: [ossec-list] ossec-maild Error Sending email to 127.0.0.1

2016-09-28 Thread Laura Herrera
Hi Theresa,

Please could you explain how did you solve this?
Might be an epic fail for you, but it might help others  :)

Thanks a lot
Laura

On Tuesday, 22 December 2015 10:53:55 UTC, theresa mic-snare wrote:
>
> *FACEPALM*
>
> problem solved. this is too embarrassing :(((
> epic fail!
>
> On Tuesday, 22 December 2015 10:54:45 UTC+1, theresa mic-snare wrote:
>>
>> hmm it looks as so ossec-maild has a problem with my ssmtp
>> ssmtp works fine, because it sent me an automated/generated email at 2:43 
>> in the morning.
>> i've set DEBUGGING=yes in the ssmtp.conf but the logs don't show any more 
>> info to debug
>>
>> what surprises me is that on netstat ssmtp isn't showing any open 
>> connections.
>> to me it looks like it's only opening a connection when it wants to send 
>> an email, there's no permanent open connection.
>>
>> here's my ssmtp.conf
>> AuthUser=xx...@gmail.com
>> AuthPass=x
>> FromLineOverride=YES
>> mailhub=smtp.gmail.com:587
>> UseSTARTTLS=YES
>> TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
>> Debug=YES
>>
>> and my open connections:
>> netstat -tulpen
>> Active Internet connections (only servers)
>> Proto Recv-Q Send-Q Local Address                Foreign Address  State   User  Inode  PID/Program name
>> tcp        0      0 0.0.0.0:3306                 0.0.0.0:*        LISTEN  27    37255941313/mysqld
>> tcp        0      0 0.0.0.0:22                   0.0.0.0:*        LISTEN  0     11227  1216/sshd
>> tcp        0      0 :::22                        :::*             LISTEN  0     11232  1216/sshd
>> tcp        0      0 :::8080                      :::*             LISTEN  0     11642  1550/httpd
>> tcp        0      0 :::80                        :::*             LISTEN  0     11638  1550/httpd
>> udp        0      0 0.0.0.0:1514                 0.0.0.0:*                0     13181  1926/ossec-remoted
>> udp        0      0 78.41.116.116:123            0.0.0.0:*                0     11350  1256/ntpd
>> udp        0      0 127.0.0.1:123                0.0.0.0:*                0     11346  1256/ntpd
>> udp        0      0 0.0.0.0:123                  0.0.0.0:*                0     11339  1256/ntpd
>> udp        0      0 ::1:123                      :::*                     0     11352  1256/ntpd
>> udp        0      0 fe80::5054:ff:fef6:4b74:123  :::*                     0     11351  1256/ntpd
>> udp        0      0 :::123                       :::*                     0     11340  1256/ntpd
>>
>> I'm happy to do a TCPdump but at the moment I don't really know what to 
>> filter for...
>> is ossec-maild listening on a specific port or default 25 port for smtp?
>>
>> thanks,
>> theresa
>>
>> On Monday, 21 December 2015 14:00:56 UTC+1, dan (ddpbsd) wrote:
>>>
>>> On Sun, Dec 20, 2015 at 7:50 AM, theresa mic-snare wrote:
>>> > Hi everyone,
>>> >
>>> > today I've noticed a problem with the ossec-maild process.
>>> > The ossec.log keeps saying
>>> >
>>> > ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
>>> >
>>> > Of course I started troubleshooting the problem and tried to send several
>>> > test-emails from the ossec master.
>>> > I'm using ssmtp through my google-mail account by the way.
>>> > All test mails that I sent arrived immediately, so sending mails through my
>>> > MTA seems to work as usual.
>>> >
>>> > Then I checked the mail log /var/log/maillog-20151220
>>> > which to my surprise has the latest mail entry from yesterday 19:30
>>> > Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org (221 2.0.0
>>> > closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache
>>> > outbytes=1898
>>> >
>>> > changed the email address to b...@bla.org for demonstration purposes...
>>> >
>>> >
>>> > at least the two test emails that I just send should appear in this log,
>>> > right?
>>> >
>>> > I know that the root cause to this problem is NOT an ossec problem but
>>> > maybe you have an idea what the problem might be?
>>> > I've checked the quota settings in my gmail account, (so far only 10%
>>> > used...)
>>> > I've also checked the disk space on my ossec master, still 21GB left on /
>>> > (where also /var is mounted)
>>> >
>>> > so I doubt it's a quota or diskspace problem.
>>> > i've also restarted (stopped and started) ossec, to see if any zombie
>>> > processes still allocated the filesystem, and it therefore showed that
>>> > plenty of diskspace was available.
>>> 

Re: [ossec-list] ossec-maild Error Sending email to 127.0.0.1

2015-12-22 Thread theresa mic-snare
hmm it looks as so ossec-maild has a problem with my ssmtp
ssmtp works fine, because it sent me an automated/generated email at 2:43 
in the morning.
i've set DEBUGGING=yes in the ssmtp.conf but the logs don't show any more 
info to debug

what surprises me is that on netstat ssmtp isn't showing any open 
connections.
to me it looks like it's only opening a connection when it wants to send an 
email, there's no permanent open connection.

here's my ssmtp.conf
AuthUser=xx...@gmail.com
AuthPass=x
FromLineOverride=YES
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES
TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
Debug=YES

and my open connections:
netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address                Foreign Address  State   User  Inode  PID/Program name
tcp        0      0 0.0.0.0:3306                 0.0.0.0:*        LISTEN  27    37255941313/mysqld
tcp        0      0 0.0.0.0:22                   0.0.0.0:*        LISTEN  0     11227  1216/sshd
tcp        0      0 :::22                        :::*             LISTEN  0     11232  1216/sshd
tcp        0      0 :::8080                      :::*             LISTEN  0     11642  1550/httpd
tcp        0      0 :::80                        :::*             LISTEN  0     11638  1550/httpd
udp        0      0 0.0.0.0:1514                 0.0.0.0:*                0     13181  1926/ossec-remoted
udp        0      0 78.41.116.116:123            0.0.0.0:*                0     11350  1256/ntpd
udp        0      0 127.0.0.1:123                0.0.0.0:*                0     11346  1256/ntpd
udp        0      0 0.0.0.0:123                  0.0.0.0:*                0     11339  1256/ntpd
udp        0      0 ::1:123                      :::*                     0     11352  1256/ntpd
udp        0      0 fe80::5054:ff:fef6:4b74:123  :::*                     0     11351  1256/ntpd
udp        0      0 :::123                       :::*                     0     11340  1256/ntpd

I'm happy to do a TCPdump but at the moment I don't really know what to 
filter for...
is ossec-maild listening on a specific port or default 25 port for smtp?

thanks,
theresa

On Monday, 21 December 2015 14:00:56 UTC+1, dan (ddpbsd) wrote:
>
> On Sun, Dec 20, 2015 at 7:50 AM, theresa mic-snare wrote:
> > Hi everyone,
> >
> > today I've noticed a problem with the ossec-maild process.
> > The ossec.log keeps saying
> >
> > ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
> >
> > Of course I started troubleshooting the problem and tried to send several
> > test-emails from the ossec master.
> > I'm using ssmtp through my google-mail account by the way.
> > All test mails that I sent arrived immediately, so sending mails through my
> > MTA seems to work as usual.
> >
> > Then I checked the mail log /var/log/maillog-20151220
> > which to my surprise has the latest mail entry from yesterday 19:30
> > Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org (221 2.0.0
> > closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache
> > outbytes=1898
> >
> > changed the email address to b...@bla.org for demonstration purposes...
> >
> >
> > at least the two test emails that I just send should appear in this log,
> > right?
> >
> > I know that the root cause to this problem is NOT an ossec problem but
> > maybe you have an idea what the problem might be?
> > I've checked the quota settings in my gmail account, (so far only 10%
> > used...)
> > I've also checked the disk space on my ossec master, still 21GB left on /
> > (where also /var is mounted)
> >
> > so I doubt it's a quota or diskspace problem.
> > i've also restarted (stopped and started) ossec, to see if any zombie
> > processes still allocated the filesystem, and it therefore showed that
> > plenty of diskspace was available.
> > but even after the restart of ossec it still shows that it has plenty of
> > diskspace available.
> >
> > any other ideas how I could troubleshoot this problem?
> >
>
> Make sure ssmtp is still listening on 127.0.0.1. 
> Use tcpdump or something similar to sniff the traffic between 
> ossec-maild and ssmtp. 
> Turn on debugging on ssmtp? 
>
> > thanks, 
> > theresa 
> > 

Re: [ossec-list] ossec-maild Error Sending email to 127.0.0.1

2015-12-22 Thread theresa mic-snare
*FACEPALM*

problem solved. this is too embarrassing :(((
epic fail!

On Tuesday, 22 December 2015 10:54:45 UTC+1, theresa mic-snare wrote:
>
> hmm it looks as so ossec-maild has a problem with my ssmtp
> ssmtp works fine, because it sent me an automated/generated email at 2:43 
> in the morning.
> i've set DEBUGGING=yes in the ssmtp.conf but the logs don't show any more 
> info to debug
>
> what surprises me is that on netstat ssmtp isn't showing any open 
> connections.
> to me it looks like it's only opening a connection when it wants to send 
> an email, there's no permanent open connection.
>
> here's my ssmtp.conf
> AuthUser=xx...@gmail.com
> AuthPass=x
> FromLineOverride=YES
> mailhub=smtp.gmail.com:587
> UseSTARTTLS=YES
> TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt
> Debug=YES
>
> and my open connections:
> netstat -tulpen
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address                Foreign Address  State   User  Inode  PID/Program name
> tcp        0      0 0.0.0.0:3306                 0.0.0.0:*        LISTEN  27    37255941313/mysqld
> tcp        0      0 0.0.0.0:22                   0.0.0.0:*        LISTEN  0     11227  1216/sshd
> tcp        0      0 :::22                        :::*             LISTEN  0     11232  1216/sshd
> tcp        0      0 :::8080                      :::*             LISTEN  0     11642  1550/httpd
> tcp        0      0 :::80                        :::*             LISTEN  0     11638  1550/httpd
> udp        0      0 0.0.0.0:1514                 0.0.0.0:*                0     13181  1926/ossec-remoted
> udp        0      0 78.41.116.116:123            0.0.0.0:*                0     11350  1256/ntpd
> udp        0      0 127.0.0.1:123                0.0.0.0:*                0     11346  1256/ntpd
> udp        0      0 0.0.0.0:123                  0.0.0.0:*                0     11339  1256/ntpd
> udp        0      0 ::1:123                      :::*                     0     11352  1256/ntpd
> udp        0      0 fe80::5054:ff:fef6:4b74:123  :::*                     0     11351  1256/ntpd
> udp        0      0 :::123                       :::*                     0     11340  1256/ntpd
>
> I'm happy to do a TCPdump but at the moment I don't really know what to 
> filter for...
> is ossec-maild listening on a specific port or default 25 port for smtp?
>
> thanks,
> theresa
>
> On Monday, 21 December 2015 14:00:56 UTC+1, dan (ddpbsd) wrote:
>>
>> On Sun, Dec 20, 2015 at 7:50 AM, theresa mic-snare wrote:
>> > Hi everyone,
>> >
>> > today I've noticed a problem with the ossec-maild process.
>> > The ossec.log keeps saying
>> >
>> > ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
>> >
>> > Of course I started troubleshooting the problem and tried to send several
>> > test-emails from the ossec master.
>> > I'm using ssmtp through my google-mail account by the way.
>> > All test mails that I sent arrived immediately, so sending mails through my
>> > MTA seems to work as usual.
>> >
>> > Then I checked the mail log /var/log/maillog-20151220
>> > which to my surprise has the latest mail entry from yesterday 19:30
>> > Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org (221 2.0.0
>> > closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache
>> > outbytes=1898
>> >
>> > changed the email address to b...@bla.org for demonstration purposes...
>> >
>> >
>> > at least the two test emails that I just send should appear in this log,
>> > right?
>> >
>> > I know that the root cause to this problem is NOT an ossec problem but
>> > maybe you have an idea what the problem might be?
>> > I've checked the quota settings in my gmail account, (so far only 10%
>> > used...)
>> > I've also checked the disk space on my ossec master, still 21GB left on /
>> > (where also /var is mounted)
>> >
>> > so I doubt it's a quota or diskspace problem.
>> > i've also restarted (stopped and started) ossec, to see if any zombie
>> > processes still allocated the filesystem, and it therefore showed that
>> > plenty of diskspace was available.
>> > but even after the restart of ossec it still shows that it has plenty of
>> > diskspace available.
>> >
>> > any other ideas how I could troubleshoot this problem?
>> >
>>
>> Make sure ssmtp is still listening on 127.0.0.1. 
>> Use tcpdump or something similar to sniff the traffic between 
>> ossec-maild and ssmtp. 

Re: [ossec-list] ossec-maild Error Sending email to 127.0.0.1

2015-12-21 Thread dan (ddp)
On Sun, Dec 20, 2015 at 7:50 AM, theresa mic-snare wrote:
> Hi everyone,
>
> today I've noticed a problem with the ossec-maild process.
> The ossec.log keeps saying
>
> ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
>
> Of course I started troubleshooting the problem and tried to send several
> test-emails from the ossec master.
> I'm using ssmtp through my google-mail account by the way.
> All test mails that I sent arrived immediately, so sending mails through my
> MTA seems to work as usual.
>
> Then I checked the mail log /var/log/maillog-20151220
> which to my surprise has the latest mail entry from yesterday 19:30
> Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org (221 2.0.0
> closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache
> outbytes=1898
>
> changed the email address to b...@bla.org for demonstration purposes...
>
>
> at least the two test emails that I just send should appear in this log,
> right?
>
> I know that the root cause to this problem is NOT an ossec problem but
> maybe you have an idea what the problem might be?
> I've checked the quota settings in my gmail account, (so far only 10%
> used...)
> I've also checked the disk space on my ossec master, still 21GB left on /
> (where also /var is mounted)
>
> so I doubt it's a quota or diskspace problem.
> i've also restarted (stopped and started) ossec, to see if any zombie
> processes still allocated the filesystem, and it therefore showed that
> plenty of diskspace was available.
> but even after the restart of ossec it still shows that it has plenty of
> diskspace available.
>
> any other ideas how I could troubleshoot this problem?
>

Make sure ssmtp is still listening on 127.0.0.1.
Use tcpdump or something similar to sniff the traffic between
ossec-maild and ssmtp.
Turn on debugging on ssmtp?

> thanks,
> theresa
>


[ossec-list] ossec-maild Error Sending email to 127.0.0.1

2015-12-20 Thread theresa mic-snare
Hi everyone,

today I've noticed a problem with the ossec-maild process.
The ossec.log keeps saying

ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)

Of course I started troubleshooting the problem and tried to send several 
test-emails from the ossec master.
I'm using ssmtp through my google-mail account by the way.
All test mails that I sent arrived immediately, so sending mails through my 
MTA seems to work as usual.

Then I checked the mail log /var/log/maillog-20151220
which to my surprise has the latest mail entry from yesterday 19:30
Dec 19 19:30:03 tron sSMTP[3943]: Sent mail for b...@bla.org (221 2.0.0 
closing connection u126sm11888435wme.3 - gsmtp) uid=48 username=apache 
outbytes=1898

changed the email address to b...@bla.org for demonstration purposes...


at least the two test emails that I just sent should appear in this log, 
right?

I know that the root cause to this problem is NOT an ossec problem but 
maybe you have an idea what the problem might be?
I've checked the quota settings in my gmail account, (so far only 10% 
used...) 
I've also checked the disk space on my ossec master, still 21GB left on / 
(where also /var is mounted)

so I doubt it's a quota or diskspace problem.
i've also restarted (stopped and started) ossec, to see if any zombie 
processes still allocated the filesystem, and it therefore showed that 
plenty of diskspace was available.
but even after the restart of ossec it still shows that it has plenty of 
diskspace available.

any other ideas how I could troubleshoot this problem?

thanks,
theresa



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-06 Thread theresa mic-snare
OK, managed to fix this and face-palming myself

i've tweaked the postfix config a bit, enabled the service and there we 
go...
ossec-maild is now officially sending out alerts to my email address.

theresa happy :)

On Sunday, 5 July 2015 14:02:29 UTC+2, Daniil Svetlov wrote:

 Theresa, try to issue command /var/ossec/bin/ossec-control enable debug. 
 It will increase log verbosity. Then restart OSSEC, and check 
 /var/ossec/log/ossec.log.
 Also after restart try to issue command ps aux | grep ossec, and check, 
 that ossec-maild process is running.

 Sat, 4 July 2015 at 19:13, theresa mic-snare rockpr...@gmail.com:

 i've also tried disabling iptables, but that didn't help either...
 but then again i can send out emails with mailx just fine, so i don't 
 think it's iptables blocking anyway...

 any ideas?


 On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:

 Hi Daniil, 

 I've already done that. The maillog doesn't show the mail being sent, 
 but there isn't an error either. It seems that the ossec-maild isn't even 
 relaying it to the local smtp mta (ssmtp) because as said before I can send 
 out mails with mailx just fine. 

 The ossec.log doesn't even mention the ossec-maild even though the 
 process is running... 
 Hmm


 -- 

 --
 Best regards, Daniil Svetlov.
  



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-06 Thread theresa mic-snare
Hi Daniil,

thank you very much for the advice with enabling debug!!
I've now looked into the ossec.log and it says:

*2015/07/05 03:34:02 ossec-maild(1223): ERROR: Error Sending email to 
127.0.0.1 (smtp server)*
2015/07/05 15:03:18 ossec-syscheckd: INFO: Starting syscheck scan.
2015/07/05 15:16:37 ossec-syscheckd: INFO: Ending syscheck scan.
2015/07/05 15:21:37 ossec-rootcheck: INFO: Starting rootcheck scan.
2015/07/05 15:24:22 ossec-rootcheck: INFO: Ending rootcheck scan.
2015/07/06 11:19:22 ossec-syscheckd: INFO: Starting syscheck scan.
2015/07/06 11:32:41 ossec-syscheckd: INFO: Ending syscheck scan.
2015/07/06 11:37:41 ossec-rootcheck: INFO: Starting rootcheck scan.
2015/07/06 11:40:28 ossec-rootcheck: INFO: Ending rootcheck scan.
*2015/07/06 19:03:11 ossec-maild(1223): ERROR: Error Sending email to 
127.0.0.1 (smtp server)*
2015/07/06 19:03:14 ossec-monitord(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2015/07/06 19:03:14 ossec-logcollector(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2015/07/06 19:03:14 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2015/07/06 19:03:14 ossec-analysisd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2015/07/06 19:03:14 ossec-maild(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2015/07/06 19:03:14 ossec-execd(1314): INFO: Shutdown received. Deleting 
responses.
2015/07/06 19:03:14 ossec-execd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2015/07/06 19:03:15 ossec-testrule: INFO: Reading local decoder file.
2015/07/06 19:03:15 ossec-testrule: INFO: Started (pid: 1900).


*2015/07/06 19:03:15 ossec-maild: DEBUG: Starting ...
2015/07/06 19:03:15 ossec-maild: INFO: Chrooted to directory: /var/ossec, using user: ossecm
2015/07/06 19:03:15 ossec-maild: INFO: Started (pid: 1921).*
2015/07/06 19:03:15 ossec-analysisd: DEBUG: Starting ...
2015/07/06 19:03:15 ossec-analysisd: DEBUG: Found user/group ...
2015/07/06 19:03:15 ossec-analysisd: DEBUG: Active response initialized ...

I've no idea why it says it can't send mails to localhost.
Do you think this could be an IPtables or SeLinux issue? Although I've set 
SeLinux to Status Permissive so it actually shouldn't block anything.

I have an assumption why it's not working.
when I do a netstat -plntu I can only see the server listening to the SSH 
port. 

For my mail setup I only use SSMTP (to relay it to gmail.com) do I also 
need postfix setup for local mailing? The postfix config lets you relay 
mails locally...
What is your mail setup on the server?
I think the ossec-maild needs a local MTA listening on port 25 to send 
emails out to ssmtp ?!

what do you think?
please help!

On Sunday, 5 July 2015 14:02:29 UTC+2, Daniil Svetlov wrote:

 Theresa, try to issue command /var/ossec/bin/ossec-control enable debug. 
 It will increase log verbosity. Then restart OSSEC, and check 
 /var/ossec/log/ossec.log.
 Also after restart try to issue command ps aux | grep ossec, and check, 
 that ossec-maild process is running.

 Sat, 4 July 2015 at 19:13, theresa mic-snare rockpr...@gmail.com:

 i've also tried disabling iptables, but that didn't help either...
 but then again i can send out emails with mailx just fine, so i don't 
 think it's iptables blocking anyway...

 any ideas?


 On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:

 Hi Daniil, 

 I've already done that. The maillog doesn't show the mail being sent, 
 but there isn't an error either. It seems that the ossec-maild isn't even 
 relaying it to the local smtp mta (ssmtp) because as said before I can send 
 out mails with mailx just fine. 

 The ossec.log doesn't even mention the ossec-maild even though the 
 process is running... 
 Hmm


 -- 

 --
 Best regards, Daniil Svetlov.
  



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-05 Thread Daniil Svetlov
Theresa, try to issue command /var/ossec/bin/ossec-control enable debug. It
will increase log verbosity. Then restart OSSEC, and check
/var/ossec/log/ossec.log.
Also after restart try to issue command ps aux | grep ossec, and check,
that ossec-maild process is running.

Sat, 4 July 2015 at 19:13, theresa mic-snare rockprinz...@gmail.com:

 i've also tried disabling iptables, but that didn't help either...
 but then again i can send out emails with mailx just fine, so i don't
 think it's iptables blocking anyway...

 any ideas?


 On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:

 Hi Daniil,

 I've already done that. The maillog doesn't show the mail being sent, but
 there isn't an error either. It seems that the ossec-maild isn't even
 relaying it to the local smtp mta (ssmtp) because as said before I can send
 out mails with mailx just fine.

 The ossec.log doesn't even mention the ossec-maild even though the
 process is running...
 Hmm


-- 

--
Best regards, Daniil Svetlov.



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-04 Thread theresa mic-snare
Hi Daniil,

I've already done that. The maillog doesn't show the mail being sent, but there 
isn't an error either. It seems that the ossec-maild isn't even relaying it to 
the local smtp mta (ssmtp) because as said before I can send out mails with 
mailx just fine.

The ossec.log doesn't even mention the ossec-maild even though the process is 
running...
Hmm



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-04 Thread theresa mic-snare
i've also tried disabling iptables, but that didn't help either...
but then again i can send out emails with mailx just fine, so i don't think 
it's iptables blocking anyway...

any ideas?

On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:

 Hi Daniil, 

 I've already done that. The maillog doesn't show the mail being sent, but 
 there isn't an error either. It seems that the ossec-maild isn't even 
 relaying it to the local smtp mta (ssmtp) because as said before I can send 
 out mails with mailx just fine. 

 The ossec.log doesn't even mention the ossec-maild even though the process 
 is running... 
 Hmm



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-04 Thread Daniil Svetlov
Hello, Theresa!

First of all check the spam folder in your gmail account. Probably gmail just
put the mail from OSSEC in it, because it does not look valid.

If you use SMTP server on localhost, check  logs of MTA. It must be in
/var/log/maillog.

Fri, 3 July 2015 at 19:19, theresa mic-snare rockprinz...@gmail.com:

 hi ossec'ers,


 my problem is I can't send out any emails/alert notifications with the
 ossec-maild process. I'm relaying my emails through ssmtp, the
 configuration is valid because I'm able to send out mails to external
 addresses through mailx for instance. But for some reason OSSEC just won't
 send any emails out.

 I have the following in my global ossec.conf


   <global>
     <email_notification>yes</email_notification>
     <email_to>x...@gmail.com</email_to>
     <smtp_server>localhost</smtp_server>
     <email_from>x...@gmail.com</email_from>
   </global>

 So by localhost or 127.0.0.1 it should use ssmtp to send out emails, right?


 Does the email_from field require to be a ossecm@realdomain? Or can this
 be a gmail address as well? So does it mean the ossecm user needs to send
 out these alerts?

 Again tests to send out emails through ssmtp via mailx have been
 successful. so I doubt it's a ssmtp issue here.

 Also what I find a little odd is that when i restart ossec through
 ossec-control all the services/processes should be restarted in a specific
 order, right? however when I look at the ossec.log in
 /var/ossec/logs/ossec.log the ossec-maild isn't mentioned at all the
 process itself runs though, when i do a ps -ef |grep ossec-maild

 my question now: how can I get the email notification in ossec to work?!


 thanks!


-- 

--
Best regards, Daniil Svetlov.



[ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-03 Thread theresa mic-snare
 

hi ossec'ers,


my problem is I can't send out any emails/alert notifications with the 
ossec-maild process. I'm relaying my emails through ssmtp, the 
configuration is valid because I'm able to send out mails to external 
addresses through mailx for instance. But for some reason OSSEC just won't 
send any emails out.

I have the following in my global ossec.conf


  <global>
    <email_notification>yes</email_notification>
    <email_to>x...@gmail.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>x...@gmail.com</email_from>
  </global>

So by localhost or 127.0.0.1 it should use ssmtp to send out emails, right?


Does the email_from field require to be a ossecm@realdomain? Or can this be 
a gmail address as well? So does it mean the ossecm user needs to send out 
these alerts?

Again tests to send out emails through ssmtp via mailx have been 
successful. so I doubt it's a ssmtp issue here.

Also what I find a little odd is that when i restart ossec through 
ossec-control all the services/processes should be restarted in a specific 
order, right? however when I look at the ossec.log in 
/var/ossec/logs/ossec.log the ossec-maild isn't mentioned at all the 
process itself runs though, when i do a ps -ef |grep ossec-maild

my question now: how can I get the email notification in ossec to work?!


thanks!



Re: [ossec-list] ossec-maild tags

2014-03-14 Thread dan (ddp)
On Thu, Mar 13, 2014 at 3:01 AM, Gaurav Rajput gx1...@gmail.com wrote:
 Hi,

 I have 3 different infrastructures (Development, Production and Testing),
 running the same configuration (with same ip-address and subnet) and nodes.
 I have 3 ossec-servers running. Each ossec-server is sending the mails to a
 central gmail account.

 All I want is, to categorize the mails from each infrastructure. In other
 words I want to tag the emails with Dev, Prod or Test. Is there any way to
 do this, as I searched a lot in the configuration file ???


I think your best bet is to have them sent from different email addresses.

 Thanks.



Re: [ossec-list] ossec-maild tags

2014-03-14 Thread Christian Beer
Or you could change this file:
https://github.com/ossec/ossec-hids/blob/master/src/os_maild/sendmail.c
on each server and add something to SUBJECT so you can filter that out
on gmail.

I always have to change this file as my local mailserver is very strict
about the HELOMSG and I have to change it to the servername.

Regards
Christian


On 14.03.2014 13:09, dan (ddp) wrote:
 On Thu, Mar 13, 2014 at 3:01 AM, Gaurav Rajput gx1...@gmail.com wrote:
 Hi,

 I have 3 different infrastructures (Development, Production and Testing),
 running the same configuration (with same ip-address and subnet) and nodes.
 I have 3 ossec-servers running. Each ossec-server is sending the mails to a
 central gmail account.

 All I want is, to categorize the mails from each infrastructure. In other
 words I want to tag the emails with Dev, Prod or Test. Is there any way to
 do this, as I searched a lot in the configuration file ???

 
 I think your best bet is to have them sent from different email addresses.
 
 Thanks.



Re: [ossec-list] ossec-maild tags

2014-03-14 Thread Ryan Schulze

Hi,

We had a similar requirement here. I just added an additional option to 
the ossec.conf that gets added into the mail headers (X-IDS-OSSEC: 
$value) to be able to use that to sort the emails from the different 
masters.


I currently don't have a patch file with only that change (for stupid 
reasons all our changes are currently lumped into one big patch file), 
but If you can wait until next week I'm planning on having a look at git 
and forks and all that fun. So I should, at the very least, have a patch 
file or fork with that feature singled out.


Ryan


On 3/13/2014 2:01 AM, Gaurav Rajput wrote:

Hi,

I have 3 different infrastructures (Development, Production and 
Testing), running the same configuration (with same ip-address and 
subnet) and nodes. I have 3 ossec-servers running. Each ossec-server 
is sending the mails to a central gmail account.


All I want is, to categorize the mails from each infrastructure. In 
other words I want to tag the emails with Dev, Prod or Test. Is there 
any way to do this, as I searched a lot in the configuration file ???


Thanks.


[ossec-list] ossec-maild tags

2014-03-13 Thread Gaurav Rajput
Hi,

I have 3 different infrastructures (Development, Production and Testing), 
running the same configuration (with same ip-address and subnet) and nodes. 
I have 3 ossec-servers running. Each ossec-server is sending the mails to a 
central gmail account.

All I want is, to categorize the mails from each infrastructure. In other 
words I want to tag the emails with Dev, Prod or Test. Is there any way to 
do this, as I searched a lot in the configuration file ??? 

Thanks.



[ossec-list] Ossec-maild Failed to start

2014-01-17 Thread Ian Martinez
Hello 

Recently i keep getting when i try to start ossec-control start 

*Starting OSSEC HIDS v2.7.1 (by Trend Micro Inc.)...*
*Started ossec-agentlessd...*
*ossec-maild did not start correctly.*

This is what i get from the log:

*ossec-maild: DEBUG: Starting ...*
*ssec-maild(2301): ERROR: Definition not found for: 'maild.geoip'.*

Any idea what can it be? Is there a way reconfigure ossec server without 
losing all my agents?

thanks in advance



Re: [ossec-list] Ossec-maild Failed to start

2014-01-17 Thread dan (ddp)
On Fri, Jan 17, 2014 at 3:24 PM, Ian Martinez ian.marti...@gmail.com wrote:
 Hello

 Recently i keep getting when i try to start ossec-control start

 Starting OSSEC HIDS v2.7.1 (by Trend Micro Inc.)...
 Started ossec-agentlessd...
 ossec-maild did not start correctly.

 This is what i get from the log:

 ossec-maild: DEBUG: Starting ...
 ssec-maild(2301): ERROR: Definition not found for: 'maild.geoip'.

 Any idea what can it be? Is there a way reconfigure ossec server without
 losing all my agents?


It looks like you don't have the geoip stuff compiled in. Remove the
geoip stuff from the configuration or recompile with geoip support and
you should be good to go.

 thanks in advance



Re: [ossec-list] Ossec-maild Failed to start

2014-01-17 Thread Ian Martinez
Thank you, I'll try that

On Friday, January 17, 2014 2:27:27 PM UTC-6, dan (ddpbsd) wrote:

 On Fri, Jan 17, 2014 at 3:24 PM, Ian Martinez 
 ian.ma...@gmail.com 
 wrote: 
  Hello 
  
  Recently i keep getting when i try to start ossec-control start 
  
  Starting OSSEC HIDS v2.7.1 (by Trend Micro Inc.)... 
  Started ossec-agentlessd... 
  ossec-maild did not start correctly. 
  
  This is what i get from the log: 
  
  ossec-maild: DEBUG: Starting ... 
  ssec-maild(2301): ERROR: Definition not found for: 'maild.geoip'. 
  
  Any idea what can it be? Is there a way reconfigure ossec server without 
  losing all my agents? 
  

 It looks like you don't have the geoip stuff compiled in. Remove the 
 geoip stuff from the configuration or recompile with geoip support and 
 you should be good to go. 

  thanks in advance 
  


[ossec-list] Ossec-maild failed to start

2014-01-17 Thread Ian Martinez
I recently got this error starting my ossec server
# /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.7.1 (by Trend Micro Inc.)...
Started ossec-agentlessd...
ossec-maild did not start correctly.

This is what i get from /var/ossec/logs/ossec.log
ossec-maild(2301): ERROR: Definition not found for: 'maild.geoip'.


Any ideas how to fix it or what is causing the problem? Is there any idea i 
can reconfigure ossec server without losing my agents?

Thank you in advance.




[ossec-list] ossec-maild segfault

2013-08-01 Thread biciunas
From /var/log/messages
Jul 30 13:11:12 server name kernel: ossec-maild[10096]: segfault at 
 rip 2add4f72322c rsp 7fff577262e0 error 4
Jul 30 13:11:32 server name kernel: ossec-maild[10097]: segfault at 
 rip 2add4f72322c rsp 7fff577262e0 error 4
Jul 30 16:00:04 server name kernel: ossec-maild[10188]: segfault at 
 rip 2add4f72322c rsp 7fff577262e0 error 4
Jul 30 16:00:04 server name kernel: ossec-maild[10189]: segfault at 
 rip 2add4f72322c rsp 7fff577262e0 error 4
Jul 30 16:00:04 server name kernel: ossec-maild[10190]: segfault at 
 rip 2add4f72322c rsp 7fff577262e0 error 4
Jul 30 16:00:04 server name kernel: ossec-maild[10191]: segfault at 
 rip 2add4f72322c rsp 7fff577262e0 error 4
Jul 30 16:00:04 server name kernel: ossec-maild[10192]: segfault at 
 rip 2add4f72322c rsp 7fff577262e0 error 4
Jul 30 16:00:04 server name kernel: ossec-maild[10193]: segfault at 
 rip 2add4f72322c rsp 7fff577262e0 error 4

Running OSSEC HIDS v2.7 on CentOS 6.4 server. No other messages relating to 
ossec-maild in any other log. The only change I had made was in ossec.conf, 
I commented out the default email address in global 
  <global>
    <email_notification>yes</email_notification>
    <!--
    <email_to>f...@bar.com</email_to>
    -->
    <smtp_server>baz-mailer</smtp_server>
    <email_from>foo...@baz.com</email_from>
  </global>

Other than that, I made no other changes. There are alerts that meet the 
email thresholds at or about the time of segfaults. 

Any ideas?





Re: [ossec-list] ossec-maild segfault

2013-08-01 Thread dan (ddp)
On Thu, Aug 1, 2013 at 7:52 AM, biciunas p...@biciunas.com wrote:
 From /var/log/messages
 Jul 30 13:11:12 server name kernel: ossec-maild[10096]: segfault at
  rip 2add4f72322c rsp 7fff577262e0 error 4
 Jul 30 13:11:32 server name kernel: ossec-maild[10097]: segfault at
  rip 2add4f72322c rsp 7fff577262e0 error 4
 Jul 30 16:00:04 server name kernel: ossec-maild[10188]: segfault at
  rip 2add4f72322c rsp 7fff577262e0 error 4
 Jul 30 16:00:04 server name kernel: ossec-maild[10189]: segfault at
  rip 2add4f72322c rsp 7fff577262e0 error 4
 Jul 30 16:00:04 server name kernel: ossec-maild[10190]: segfault at
  rip 2add4f72322c rsp 7fff577262e0 error 4
 Jul 30 16:00:04 server name kernel: ossec-maild[10191]: segfault at
  rip 2add4f72322c rsp 7fff577262e0 error 4
 Jul 30 16:00:04 server name kernel: ossec-maild[10192]: segfault at
  rip 2add4f72322c rsp 7fff577262e0 error 4
 Jul 30 16:00:04 server name kernel: ossec-maild[10193]: segfault at
  rip 2add4f72322c rsp 7fff577262e0 error 4

 Running OSSEC HIDS v2.7 on CentOS 6.4 server. No other messages relating to
 ossec-maild in any other log. The only change I had made was in ossec.conf,
 I commented out the default email address in global 

If you correct that mistake does it work?

   <global>
     <email_notification>yes</email_notification>
     <!--
     <email_to>f...@bar.com</email_to>
     -->
     <smtp_server>baz-mailer</smtp_server>
     <email_from>foo...@baz.com</email_from>
   </global>

 Other than that, I made no other changes. There are alerts that meet the
 email thresholds at or about the time of segfaults.

 Any ideas?





Re: [ossec-list] ossec-maild segfault

2013-08-01 Thread biciunas


On Thursday, August 1, 2013 9:33:50 AM UTC-4, dan (ddpbsd) wrote:

 On Thu, Aug 1, 2013 at 7:52 AM, biciunas pa...@biciunas.com 
 wrote: 
  From /var/log/messages 
  Jul 30 13:11:12 server name kernel: ossec-maild[10096]: segfault at 
   rip 2add4f72322c rsp 7fff577262e0 error 4 
  Jul 30 13:11:32 server name kernel: ossec-maild[10097]: segfault at 
   rip 2add4f72322c rsp 7fff577262e0 error 4 
  Jul 30 16:00:04 server name kernel: ossec-maild[10188]: segfault at 
   rip 2add4f72322c rsp 7fff577262e0 error 4 
  Jul 30 16:00:04 server name kernel: ossec-maild[10189]: segfault at 
   rip 2add4f72322c rsp 7fff577262e0 error 4 
  Jul 30 16:00:04 server name kernel: ossec-maild[10190]: segfault at 
   rip 2add4f72322c rsp 7fff577262e0 error 4 
  Jul 30 16:00:04 server name kernel: ossec-maild[10191]: segfault at 
   rip 2add4f72322c rsp 7fff577262e0 error 4 
  Jul 30 16:00:04 server name kernel: ossec-maild[10192]: segfault at 
   rip 2add4f72322c rsp 7fff577262e0 error 4 
  Jul 30 16:00:04 server name kernel: ossec-maild[10193]: segfault at 
   rip 2add4f72322c rsp 7fff577262e0 error 4 
  
  Running OSSEC HIDS v2.7 on CentOS 6.4 server. No other messages relating to
  ossec-maild in any other log. The only change I had made was in ossec.conf,
  I commented out the default email address in <global>

 If you correct that mistake does it work? 


I reverted the file so the email_to element is no longer commented out, and 
restarted ossec; it's been running for over 3 hours without segfaulting. 
I guess my question now is, why would commenting out that line cause a 
segfault (assuming that that's the cause)?
 

  <global>
    <email_notification>yes</email_notification>
    <!--
    <email_to>f...@bar.com</email_to>
    -->
    <smtp_server>baz-mailer</smtp_server>
    <email_from>foo...@baz.com</email_from>
  </global>
  
  Other than that, I made no other changes. There are alerts that meet the 
  email thresholds at or about the time of segfaults. 
  
  Any ideas? 
  


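A pre-restart check for the configuration state described in the segfault thread above (email_notification set to yes while email_to is commented out), added here as an example and not part of the original posts or of OSSEC itself. The function name, the sample addresses, the choice of required elements and the assumption that ossec.conf parses as XML are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Elements this check insists on when mail alerts are enabled (the example's
# own policy, chosen because they are the ones implicated in the thread).
REQUIRED = ("email_to", "smtp_server")

# Constructed sample mirroring the thread: email_to is commented out.
SAMPLE_BROKEN = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!--
    <email_to>admin@example.org</email_to>
    -->
    <smtp_server>baz-mailer</smtp_server>
    <email_from>ossec@example.org</email_from>
  </global>
</ossec_config>
"""

def check_mail_config(conf_text):
    """Return a list of problems with the <global> mail settings."""
    # Assumption: the file may hold several <ossec_config> blocks, so wrap
    # them in one synthetic root. ElementTree drops XML comments, so a
    # commented-out element is simply absent from the parsed tree.
    root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    values = {}
    for block in root.iter("global"):
        for child in block:
            values.setdefault(child.tag, []).append((child.text or "").strip())
    if "yes" not in values.get("email_notification", []):
        return []  # mail alerts disabled, nothing to validate
    problems = []
    for tag in REQUIRED:
        if not any(values.get(tag, [])):
            problems.append(
                "email_notification is yes but <%s> is missing or empty" % tag)
    for addr in values.get("email_to", []):
        if addr and not re.fullmatch(r"[^@\s]+@[^@\s]+", addr):
            problems.append("not an email address: %r" % addr)
    return problems

if __name__ == "__main__":
    for problem in check_mail_config(SAMPLE_BROKEN):
        print("ossec.conf:", problem)
```

Running it against the edited file before restarting OSSEC reports the missing recipient up front instead of leaving it to surface as a crash in /var/log/messages.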


Re: [ossec-list] ossec-maild version 2.4.1 dies frequently

2010-06-25 Thread dan (ddp)
Anything in the logs around the time of the crash?

On Thu, Jun 24, 2010 at 2:05 PM, Gil Vidals gvid...@gmail.com wrote:
 After upgrading my server to OSSEC Version 2.4.1, the ossec-maild daemon
 dies frequently each day. Nothing else I am aware of in my system has
 changed. Is anyone else experiencing ossec-maild dying? Is there a solution
 to this problem you are aware of?

 Thanks,

 Gil Vidals
 VM Racks - ESX Hosting



[ossec-list] ossec-maild version 2.4.1 dies frequently

2010-06-24 Thread Gil Vidals
After upgrading my server to OSSEC Version 2.4.1, the ossec-maild daemon
dies frequently each day. Nothing else I am aware of in my system has
changed. Is anyone else experiencing ossec-maild dying? Is there a solution
to this problem you are aware of?

Thanks,

Gil Vidals
VM Racks - ESX Hosting