Hi,
I installed ossec-hids and ossec-hids-server version 8.0 on an al2023 EC2 instance. It seems to have installed successfully and the daemons are running; however, I cannot get it to send email.
It has the same configs that we use from our RHEL 7 systems.
We're using "127.0.0.1" for the SMTP server.
We're able to send email with the "mail" utility.
Is ossec-hids compatible with al2023?
Any suggestions for getting this to work?
I don't see any related errors in the log files (ossec.log, messages, maillog, etc...)
Any help is appreciated!
Ossec on AL2023 not sending email
- New Forum User
- Posts: 2
- Joined: Mon Jan 27, 2025 10:26 pm
Re: Ossec on AL2023 not sending email
1. Verify OSSEC Email Alert Configuration
Check the email-related settings in the ossec.conf file, typically located at /var/ossec/etc/ossec.conf. Look for the following tags:
[code]
<global>
  <email_notification>yes</email_notification>
  <email_to>your-email@example.com</email_to>
  <email_from>ossec@example.com</email_from>
  <smtp_server>127.0.0.1</smtp_server>
</global>
[/code]
Ensure <email_notification> is set to yes.
<email_to> should point to the desired recipient.
<email_from> should be an address allowed by your local mail server (it doesn't need to be valid but should not be blocked).
<smtp_server> is set to 127.0.0.1, which is correct if you are using the local mail server.
After making changes, restart OSSEC:
[code]
sudo systemctl restart ossec
[/code]
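The checks above can be scripted. The following bash helper is an added example written for this thread; it is not part of OSSEC and not code posted by anyone in the thread. It pulls the mail settings out of ossec.conf, flags the ones ossec-maild needs, and then opens a raw SMTP session to <smtp_server> on port 25. That last step matters because ossec-maild speaks SMTP over TCP itself (port 25, no authentication, no TLS); it never calls the local mail or sendmail binary, so a working "mail" command does not prove that anything is listening on 127.0.0.1:25. The config path, the script name, the WARN/FATAL wording and the dotted-domain heuristic for email_from are the example's own assumptions, not OSSEC rules; email_alert_level is read from the <alerts> section, where OSSEC keeps it.

```shell
#!/bin/bash
# ossec-mail-check.sh: added troubleshooting helper for this thread, not OSSEC code.
#   bash ossec-mail-check.sh check        # uses /var/ossec/etc/ossec.conf
#   OSSEC_CONF=./ossec.conf bash ossec-mail-check.sh check
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"   # assumed default path

# conf_tag FILE SECTION TAG: first <TAG>value</TAG> found inside <SECTION>...</SECTION>.
conf_tag() {
  sed -n "/<$2>/,/<\/$2>/p" "$1" | sed -n "s/.*<$3>\([^<]*\)<\/$3>.*/\1/p" | head -n 1
}

# check_mail_config FILE: prints findings; returns 0 only when nothing is fatal.
check_mail_config() {
  local conf="$1" rc=0
  local notify to from server level
  notify=$(conf_tag "$conf" global email_notification)
  to=$(conf_tag "$conf" global email_to)
  from=$(conf_tag "$conf" global email_from)
  server=$(conf_tag "$conf" global smtp_server)
  level=$(conf_tag "$conf" alerts email_alert_level)

  [ "$notify" = "yes" ] || { echo "FATAL: email_notification is '${notify:-unset}', not yes"; rc=1; }
  [ -n "$to" ]          || { echo "FATAL: email_to is unset"; rc=1; }
  [ -n "$server" ]      || { echo "FATAL: smtp_server is unset"; rc=1; }
  case "$from" in
    *@*.*) ;;   # user@host.domain: nothing to say
    *@*)   echo "WARN: email_from '$from' has no dotted domain; an MTA that rejects non-FQDN senders will refuse it (heuristic, not an OSSEC rule)" ;;
    *)     echo "FATAL: email_from '${from:-unset}' is not an address"; rc=1 ;;
  esac
  [ -n "$level" ] && echo "INFO: only alerts at level >= $level are mailed (email_alert_level)"
  return $rc
}

# smtp_banner HOST [PORT]: prints the SMTP greeting, returns 1 if no SMTP
# listener answers within 5 s. Uses bash's /dev/tcp so nothing extra is needed.
smtp_banner() {
  local host="$1" port="${2:-25}"
  (
    exec 3<>"/dev/tcp/$host/$port" || exit 1
    read -r -t 5 banner <&3 || exit 1
    printf 'QUIT\r\n' >&3
    case "$banner" in 220*) printf '%s\n' "$banner" ;; *) exit 1 ;; esac
  ) 2>/dev/null
}

main() {
  local rc server banner
  check_mail_config "$OSSEC_CONF"; rc=$?
  server=$(conf_tag "$OSSEC_CONF" global smtp_server)
  if banner=$(smtp_banner "${server:-127.0.0.1}"); then
    echo "OK: SMTP greeting from ${server:-127.0.0.1}:25: $banner"
  else
    echo "FATAL: nothing speaking SMTP on ${server:-127.0.0.1}:25; ossec-maild connects there directly and cannot use the sendmail binary that the mail utility may be using"
    rc=1
  fi
  return $rc
}

case "${1:-}" in check) main ;; esac
```

If the config checks pass but the SMTP probe fails while "mail" still delivers, the MTA is accepting mail only through its sendmail binary or is not bound to the loopback SMTP port; that is a fix on the MTA side, not in OSSEC.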
Re: Ossec on AL2023 not sending email
Thank you for your response. We do have ossec-hids running on several other RHEL 7 EC2's. This is a new AL2023 installation and we do have the email config as you suggested:
[code]
$ head /var/ossec/etc/ossec.conf
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>doc-IT.alerts@workday.com</email_to>
<smtp_server>127.0.0.1</smtp_server>
<email_from>ossecm@ce-test-rpmbuild</email_from>
</global>
<rules>
[/code]
I have also tried to run ossec-maild in debug mode and added a test alert .xml file in /var/ossec/queue/alerts/
[code]
$ cat testalert.xml
<alert level="7" timestamp="1674837120">
<rule id="5715" level="7" firedtimes="1" mailto="earl.sanchez@workday.com"/>
<user>root</user>
<srcip>192.168.1.10</srcip>
<description>sshd: Failed password for root from 192.168.1.10 port 58342 ssh2</description>
</alert>
[/code]
Started ossec-maild in debug:
[code]
/var/ossec/bin/ossec-maild -f -dddddd
[/code]
Output:
[code]
2025/01/27 17:44:29 ossec-maild: DEBUG: Starting ...
2025/01/27 17:44:29 ossec-maild: INFO: Chrooted to directory: /var/ossec
2025/01/27 17:44:29 ossec-maild: INFO: Using user: ossecm
2025/01/27 17:44:29 ossec-maild: INFO: Started (pid: 477697).
^C2025/01/27 17:44:57 ossec-maild(1225): INFO: SIGNAL [(2)-(Interrupt)] Received. Exit Cleaning...
[/code]
So no output from debug or from the ossec log files.
Re: Ossec on AL2023 not sending email
Can you please confirm the version of ossec you are on?
Re: Ossec on AL2023 not sending email
[code]
Installed Packages
Name         : ossec-hids
Epoch        : 1
Version      : 3.8.0
Release      : 35114.amzn2023.art
Architecture : x86_64
Size         : 146 k
Source       : ossec-hids-3.8.0-35114.amzn2023.art.src.rpm

Installed Packages
Name         : ossec-hids-server
Epoch        : 1
Version      : 3.8.0
Release      : 35114.amzn2023.art
Architecture : x86_64
Size         : 10 M
Source       : ossec-hids-3.8.0-35114.amzn2023.art.src.rpm
[/code]
Last edited by earlsanchez on Wed Jan 29, 2025 5:27 pm, edited 1 time in total.