Re: [ossec-list] i'm not getting any emails from ossec..

2021-10-11 Thread Rene Veerman
(oops, hit 'send' too quickly)

https://subscription.packtpub.com/book/cloud_and_networking/9781782167648/1/ch01lvl1sec09/configuring-an-ossec-server-simple

On Mon, Oct 11, 2021 at 12:40 PM Rene Veerman <
[email protected]> wrote:

> I had made the mistake of installing only the server...
>
> This manual helped me a lot setting up a proper OSSEC system, on 2 machines:
>

Re: [ossec-list] i'm not getting any emails from ossec..

2021-10-11 Thread Rene Veerman
I had made the mistake of installing only the server...

This manual helped me a lot setting up a proper OSSEC system, on 2 machines:

On Sat, Oct 2, 2021 at 4:04 AM Rene Veerman <
[email protected]> wrote:

> Hi.
>
> I'm new to OSSEC, and I'm having trouble getting emails from it.
> If someone here can help me with that, I'd appreciate it a lot.
>
> My OS is the latest stable Kubuntu, with iRedMail (which includes
> Postfix) for email support.
>
> Here are some of the relevant logs, and the rules are added as attachment
> to this mail.
>
> root@parakeet:/var/ossec# systemctl status ossec.service
> ● ossec.service - LSB: Start and stop OSSEC HIDS
>      Loaded: loaded (/etc/init.d/ossec; generated)
>      Active: active (exited) since Fri 2021-10-01 20:29:48 CEST; 5h 58min ago
>        Docs: man:systemd-sysv-generator(8)
>     Process: 51972 ExecStart=/etc/init.d/ossec start (code=exited, status=0/SUCCESS)
>
> okt 01 20:29:45 parakeet ossec[51973]: Starting OSSEC HIDS v3.6.0...
> okt 01 20:29:45 parakeet ossec[51973]: Started ossec-maild...
> okt 01 20:29:45 parakeet ossec[51973]: Started ossec-execd...
> okt 01 20:29:45 parakeet ossec[51973]: Started ossec-analysisd...
> okt 01 20:29:45 parakeet ossec[51973]: Started ossec-logcollector...
> okt 01 20:29:45 parakeet ossec[51973]: Started ossec-remoted...
> okt 01 20:29:46 parakeet ossec[51973]: Started ossec-syscheckd...
> okt 01 20:29:46 parakeet ossec[51973]: Started ossec-monitord...
> okt 01 20:29:48 parakeet ossec[51973]: Completed.
> okt 01 20:29:48 parakeet systemd[1]: Started LSB: Start and stop OSSEC HIDS.
> root@parakeet:/var/ossec# telnet localhost 25
> Trying 127.0.0.1...
> Connected to smtp.example.com.
> Escape character is '^]'.
> 220 smtp.example.com ESMTP Postfix
> ^C^]
> telnet> quit
> Connection closed.
> root@parakeet:/var/ossec# /var/ossec/bin/agent_control -r -a
> 2021/10/02 02:48:33 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2021/10/02 02:48:33 agent_control(1301): ERROR: Unable to connect to active response queue.
>
> ** Unable to connect to remoted.
> root@parakeet:/var/ossec# vi /etc/postfix/main.cf
> root@parakeet:/var/ossec# tail /var/log/postfix.log
> Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1dLmzbbcN: from=<[email protected]>, size=2007, nrcpt=1 (queue active)
> Oct 02 02:02:04 smtp postfix/local[87369]: 4HLnGN1LQ3zbbcs: to=<[email protected]>, relay=local, delay=0.06, delays=0.03/0.01/0/0.02, dsn=2.0.0, status=sent (forwarded as 4HLnGN1dLmzbbcN)
> Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1LQ3zbbcs: removed
> Oct 02 02:02:04 smtp postfix/pipe[87372]: 4HLnGN1brDzbbbZ: to=<[email protected]>, orig_to=, relay=dovecot, delay=0.14, delays=0.01/0.01/0/0.13, dsn=2.0.0, status=sent (delivered via dovecot service)
> Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1brDzbbbZ: removed
> Oct 02 02:02:04 smtp postfix/pipe[87373]: 4HLnGN1dLmzbbcN: to=<[email protected]>, orig_to=, relay=dovecot, delay=0.17, delays=0.01/0.01/0/0.15, dsn=2.0.0, status=sent (delivered via dovecot service)
> Oct 02 02:02:04 smtp postfix/qmgr[40221]: 4HLnGN1dLmzbbcN: removed
> Oct 02 02:34:00 smtp postfix/smtpd[90923]: connect from smtp.example.com[127.0.0.1]
> Oct 02 02:34:09 smtp postfix/smtpd[90923]: lost connection after CONNECT from smtp.example.com[127.0.0.1]
> Oct 02 02:34:09 smtp postfix/smtpd[90923]: disconnect from smtp.example.com[127.0.0.1] commands=0/0
> root@parakeet:/var/ossec# tail logs/ossec.log
> 2021/10/01 20:33:13 ossec-monitord(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
> 2021/10/01 20:33:13 ossec-logcollector(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
> 2021/10/01 20:33:13 ossec-remoted(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
> 2021/10/01 20:33:13 ossec-syscheckd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
> 2021/10/01 20:33:13 ossec-analysisd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
> 2021/10/01 20:33:13 ossec-maild(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
> 2021/10/01 20:33:13 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> 2021/10/01 20:33:13 ossec-execd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
> 2021/10/02 02:48:33 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2021/10/02 02:48:33 agent_control(1301): ERROR: Unable to connect to active response queue.
> root@parakeet:/var/ossec# cat /etc/ossec-init.conf | grep VERSION
> VERSION="v3.6.0"
> root@parakeet:/var/ossec/rules# ufw status
> Status: inactive
>
> If you need more information to help get this fixed, i'm most willing to
> provide it..
>
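Added example, not from this thread and not part of OSSEC: a small POSIX shell check for the two things the quoted output points at. For a generated LSB unit, systemd's "active (exited)" only records that /etc/init.d/ossec returned 0; the ossec.log tail above shows every daemon logging SIGNAL (15) a few minutes after start-up, which is why agent_control later reports "Unable to connect to remoted". Separately, ossec-maild only sends mail when <email_notification> in the <global> block of ossec.conf is yes. The script reads each daemon's last lifecycle line from ossec.log and pulls the mail settings from ossec.conf. Assumed, because the thread does not show them: the "ossec-maild: INFO: Started (pid: N)." start-up line format, the stock /var/ossec layout, and the contents of ossec.conf (the fixture below is constructed; the poster's file was not included). The function names are mine.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from OSSEC itself.
# 1. systemd "active (exited)" for a generated LSB unit only says the init
#    script returned 0; ossec.log records whether the daemons are alive.
# 2. ossec-maild only sends mail when <email_notification> is "yes".
# Assumed: /var/ossec layout and the "Started (pid: N)" start-up line;
# the Terminated lines in the fixture are the ones from the post.

# "<daemon> <started|terminated>" per ossec-* daemon, last event wins.
ossec_daemon_states() {
  awk '
    match($0, /ossec-[a-z]+[(:]/) {
      d = substr($0, RSTART, RLENGTH - 1)
      if ($0 ~ /SIGNAL \[\(15\)-\(Terminated\)\]/) state[d] = "terminated"
      else if ($0 ~ /INFO: Started/)            state[d] = "started"
    }
    END { for (d in state) print d, state[d] }
  ' "$1" | sort
}

# Number of daemons whose last logged event is a termination.
ossec_terminated_count() {
  ossec_daemon_states "$1" | awk '$2 == "terminated" { n++ } END { print n + 0 }'
}

# Mail settings from ossec.conf as key=value lines (one tag per line).
ossec_mail_config() {
  awk '
    function val(tag,   s) {
      s = $0
      sub(".*<" tag ">", "", s)
      sub("</" tag ">.*", "", s)
      return s
    }
    /<email_notification>/ { print "email_notification=" val("email_notification") }
    /<smtp_server>/        { print "smtp_server=" val("smtp_server") }
    /<email_to>/           { print "email_to=" val("email_to") }
    /<email_from>/         { print "email_from=" val("email_from") }
  ' "$1"
}

# Verdict for an install dir: 0 when mail can be expected, 1 otherwise.
ossec_mail_check() {
  dir="$1"; rc=0
  for f in "$dir/logs/ossec.log" "$dir/etc/ossec.conf"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
  done
  down=$(ossec_terminated_count "$dir/logs/ossec.log")
  if [ "$down" -gt 0 ]; then
    echo "FAIL: $down daemon(s) last logged a termination; check $dir/bin/ossec-control status, not systemctl"
    rc=1
  fi
  if ! ossec_mail_config "$dir/etc/ossec.conf" | grep -q '^email_notification=yes$'; then
    echo "FAIL: <email_notification> is not yes in $dir/etc/ossec.conf"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: daemons up and mail notification enabled"
  return "$rc"
}

# Constructed fixture: the post's ossec.log tail plus assumed start-up
# lines, and a minimal ossec.conf (the poster's was not in the thread).
make_sample_ossec_dir() {
  d=$(mktemp -d)
  mkdir -p "$d/logs" "$d/etc"
  cat > "$d/logs/ossec.log" <<'EOF'
2021/10/01 20:29:45 ossec-maild: INFO: Started (pid: 51980).
2021/10/01 20:29:45 ossec-remoted: INFO: Started (pid: 51995).
2021/10/01 20:33:13 ossec-monitord(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-logcollector(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-remoted(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-syscheckd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-analysisd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-maild(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/01 20:33:13 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2021/10/01 20:33:13 ossec-execd(1225): INFO: SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2021/10/02 02:48:33 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
EOF
  cat > "$d/etc/ossec.conf" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
    <email_to>root@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
  </global>
</ossec_config>
EOF
  echo "$d"
}

# Usage: sh ossec_mail_check.sh /var/ossec ; without an argument it runs
# against the constructed fixture.
if [ -n "$1" ]; then
  ossec_daemon_states "$1/logs/ossec.log"
  ossec_mail_check "$1"
else
  sample=$(make_sample_ossec_dir)
  ossec_daemon_states "$sample/logs/ossec.log"
  ossec_mail_check "$sample" || :
  rm -rf "$sample"
fi
```

Against the fixture every daemon comes back "terminated" and the check fails on both counts, which is the picture the quoted tail gives: the right status command for a SysV-style install is /var/ossec/bin/ossec-control status, and the telnet test of port 25 only proves Postfix is listening, not that maild is alive or allowed to send.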