Ossec on AL2023 not sending email

Support/Development for OSSEC
earlsanchez
New Forum User
Posts: 2
Joined: Mon Jan 27, 2025 10:26 pm

Ossec on AL2023 not sending email

Unread post by earlsanchez »

Hi,
I installed ossec-hids and ossec-hids-server version 8.0 on an al2023 EC2 instance. It seems to have installed successfully and the daemons are running; however, I cannot get it to send email.
It has the same configs that we use from our RHEL 7 systems.
We're using "127.0.0.1" for the SMTP server.
We're able to send email with the "mail" utility.
Is ossec-hids compatible with al2023?
Any suggestions for getting this to work?
I don't see any related errors in the log files (ossec.log, messages, maillog, etc...)

Any help is appreciated!
cponton
Atomicorp Staff - Site Admin
Posts: 63
Joined: Fri Oct 09, 2020 9:41 am

Re: Ossec on AL2023 not sending email

Unread post by cponton »

1. Verify OSSEC Email Alert Configuration
Check the email-related settings in the ossec.conf file, typically located at /var/ossec/etc/ossec.conf. Look for the following tags:

Code:

<global>
  <email_notification>yes</email_notification>
  <email_to>your-email@example.com</email_to>
  <email_from>ossec@example.com</email_from>
  <smtp_server>127.0.0.1</smtp_server>
</global>

Ensure <email_notification> is set to yes.
<email_to> should point to the desired recipient.
<email_from> should be an address allowed by your local mail server (it doesn't need to be valid but should not be blocked).
<smtp_server> is set to 127.0.0.1, which is correct if you are using the local mail server.
After making changes, restart OSSEC

Code:

sudo systemctl restart ossec
earlsanchez
New Forum User
Posts: 2
Joined: Mon Jan 27, 2025 10:26 pm

Re: Ossec on AL2023 not sending email

Unread post by earlsanchez »

Thank you for your response. We do have ossec-hids running on several other RHEL 7 EC2's. This is a new AL2023 installation and we do have the email config as you suggested:

Code:

head /var/ossec/etc/ossec.conf
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>doc-IT.alerts@workday.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@ce-test-rpmbuild</email_from>
  </global>

  <rules>

I have also tried to run ossec-maild in debug mode and added a test alert .xml file in /var/ossec/queue/alerts/
$ cat testalert.xml
<alert level="7" timestamp="1674837120">
  <rule id="5715" level="7" firedtimes="1" mailto="earl.sanchez@workday.com"/>
  <user>root</user>
  <srcip>192.168.1.10</srcip>
  <description>sshd: Failed password for root from 192.168.1.10 port 58342 ssh2</description>
</alert>
Started ossec-maild in debug:
/var/ossec/bin/ossec-maild -f -dddddd

Output:
2025/01/27 17:44:29 ossec-maild: DEBUG: Starting ...
2025/01/27 17:44:29 ossec-maild: INFO: Chrooted to directory: /var/ossec
2025/01/27 17:44:29 ossec-maild: INFO: Using user: ossecm
2025/01/27 17:44:29 ossec-maild: INFO: Started (pid: 477697).
^C2025/01/27 17:44:57 ossec-maild(1225): INFO: SIGNAL [(2)-(Interrupt)] Received. Exit Cleaning...

So no output from debug or from ossec log files.
cponton
Atomicorp Staff - Site Admin
Posts: 63
Joined: Fri Oct 09, 2020 9:41 am

Re: Ossec on AL2023 not sending email

Unread post by cponton »

Can you please confirm the version of ossec you are on?
earlsanchez
New Forum User
Posts: 2
Joined: Mon Jan 27, 2025 10:26 pm

Re: Ossec on AL2023 not sending email

Unread post by earlsanchez »

Installed Packages
Name : ossec-hids
Epoch : 1
Version : 3.8.0
Release : 35114.amzn2023.art
Architecture : x86_64
Size : 146 k
Source : ossec-hids-3.8.0-35114.amzn2023.art.src.rpm

Installed Packages
Name : ossec-hids-server
Epoch : 1
Version : 3.8.0
Release : 35114.amzn2023.art
Architecture : x86_64
Size : 10 M
Source : ossec-hids-3.8.0-35114.amzn2023.art.src.rpm
Last edited by earlsanchez on Wed Jan 29, 2025 5:27 pm, edited 1 time in total.
michealhope
New Forum User
Posts: 1
Joined: Tue Jul 01, 2025 1:36 am

Re: Ossec on AL2023 not sending email

Unread post by michealhope »

earlsanchez wrote: Mon Jan 27, 2025 10:38 pm Hi,
I installed ossec-hids and ossec-hids-server version 8.0 on an al2023 EC2 instance. It seems to have installed successfully and the daemons are running; however, I cannot get it to send email.
It has the same configs that we use from our RHEL 7 systems.
We're using "127.0.0.1" for the SMTP server.
We're able to send email with the "mail" utility.
Is ossec-hids compatible with al2023?
Any suggestions for getting this to work?
I don't see any related errors in the log files (ossec.log, messages, maillog, etc...)
Any help is appreciated!

Hi earlsanchez,

Thanks for reaching out!

Yes, OSSEC-HIDS should generally be compatible with Amazon Linux 2023, though AL2023 introduces some changes compared to RHEL 7, especially in how it handles mail services and system libraries.

Since you're able to send mail using the mail utility with the same SMTP config (127.0.0.1), here are a few things you might want to check:

1. Check if OSSEC is configured to send alerts via email
In your /var/ossec/etc/ossec.conf, make sure you have something like:

Code:
<global>
<email_notification>yes</email_notification>
<email_to>your@email.com</email_to>
<smtp_server>127.0.0.1</smtp_server>
</global>
Also make sure the <alerts> section is configured correctly and <email_alerts> is enabled.

2. Ensure local MTA is available
Even if mail works, OSSEC may require an actual MTA (Mail Transfer Agent) like Postfix or Sendmail to relay messages to 127.0.0.1. Verify it's installed and running:

Code:
sudo systemctl status postfix
If it's not installed, try:

Code:
sudo dnf install postfix
sudo systemctl enable --now postfix
3. Check SELinux/AppArmor or firewalls
AL2023 may have SELinux or other security tools enabled that block local SMTP access from OSSEC. Try running:

Code:
getenforce
If it's Enforcing, temporarily set it to Permissive and test:

Code:
sudo setenforce 0
4. Enable OSSEC debug mode
Enable debug mode to get more insights:

Code:
/var/ossec/bin/ossec-control enable debug
tail -f /var/ossec/logs/ossec.log
Trigger an alert and watch for any errors or skipped messages.

Let me know what you find from the steps above. We’ll get it working!

Best regards,
Micheal Hope
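A small diagnostic that ties together the two checks raised in this thread, the <global> mail settings cponton listed and the local MTA michealhope mentions. It is added example code, not OSSEC's and not from any poster; the addresses in the sample config are hypothetical. ossec-maild talks SMTP over TCP to smtp_server on port 25 itself, so a working `mail` command (which usually hands off to a sendmail binary) does not prove that listener exists; the probe walks EHLO, MAIL FROM and RCPT TO and then resets without queuing a message.

```python
# Added diagnostic (not OSSEC code): parse the <global> mail settings and probe smtp_server:25 as ossec-maild does.
import smtplib
import xml.etree.ElementTree as ET

# Constructed sample of the <global> block under discussion (hypothetical addresses).
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>alerts@example.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@example.com</email_from>
  </global>
</ossec_config>"""
MAIL_KEYS = ("email_notification", "email_to", "smtp_server", "email_from")

def parse_mail_settings(conf_text):
    # ossec.conf may hold several top-level <ossec_config> blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = {}
    for g in root.iter("global"):
        for key in MAIL_KEYS:
            el = g.find(key)
            if el is not None and el.text:
                found[key] = el.text.strip()
    return found

def missing_settings(settings):
    # Anything listed here stops maild before SMTP is even attempted.
    problems = []
    if settings.get("email_notification", "no").lower() != "yes":
        problems.append("email_notification is not 'yes'")
    problems += ["missing <%s>" % k for k in MAIL_KEYS[1:] if k not in settings]
    return problems

def probe_smtp(settings, port=25, timeout=5):
    # EHLO, MAIL FROM, RCPT TO, then RSET/QUIT: exercises the relay path without
    # queuing a message. Returns (ok, detail).
    host = settings["smtp_server"]
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            s.ehlo_or_helo_if_needed()
            code, msg = s.mail(settings["email_from"])
            if code != 250:
                return False, "MAIL FROM rejected: %d %s" % (code, msg.decode())
            code, msg = s.rcpt(settings["email_to"])
            s.rset()
            if code not in (250, 251):
                return False, "RCPT TO rejected: %d %s" % (code, msg.decode())
            return True, "%s:%d accepts mail for %s" % (host, port, settings["email_to"])
    except (OSError, smtplib.SMTPException) as e:
        return False, "no usable SMTP listener on %s:%d (%s)" % (host, port, e)
```

On the affected host, call `probe_smtp(parse_mail_settings(open("/var/ossec/etc/ossec.conf").read()))`; a connection-refused result means nothing is listening where maild will connect, whatever the `mail` command does.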