Ossec on AL2023 not sending email

earlsanchez
New Forum User
Posts: 2
Joined: Mon Jan 27, 2025 10:26 pm

Hi,
I installed ossec-hids and ossec-hids-server version 8.0 on an al2023 EC2 instance. It seems to have installed successfully and the daemons are running; however, I cannot get it to send email.
It has the same configs that we use from our RHEL 7 systems.
We're using "127.0.0.1" for the SMTP server.
We're able to send email with the "mail" utility.
Is ossec-hids compatible with al2023?
Any suggestions for getting this to work?
I don't see any related errors in the log files (ossec.log, messages, maillog, etc.).

Any help is appreciated!
cponton
Atomicorp Staff - Site Admin
Posts: 63
Joined: Fri Oct 09, 2020 9:41 am

1. Verify OSSEC Email Alert Configuration
Check the email-related settings in the ossec.conf file, typically located at /var/ossec/etc/ossec.conf. Look for the following tags:

Code: Select all

<global>
  <email_notification>yes</email_notification>
  <email_to>your-email@example.com</email_to>
  <email_from>ossec@example.com</email_from>
  <smtp_server>127.0.0.1</smtp_server>
</global>

Ensure <email_notification> is set to yes.
<email_to> should point to the desired recipient.
<email_from> should be an address allowed by your local mail server (it doesn't need to be valid but should not be blocked).
<smtp_server> is set to 127.0.0.1, which is correct if you are using the local mail server.
After making changes, restart OSSEC:

Code: Select all

sudo systemctl restart ossec
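
The checks from the reply above as a script (an added example, not code from the thread or from the OSSEC project): it parses the <global> block for the four e-mail settings and reads the SMTP greeting from the configured server. The sample configs are constructed, the function names are hypothetical, and port 25 is an assumed default.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread).
SAMPLE_OK = """<ossec_config><global>
  <email_notification>yes</email_notification>
  <email_to>secops@example.com</email_to>
  <email_from>ossec@example.com</email_from>
  <smtp_server>127.0.0.1</smtp_server>
</global></ossec_config>
<ossec_config><rules/></ossec_config>"""
SAMPLE_BAD = """<ossec_config><global>
  <email_notification>no</email_notification>
  <email_to>alerts</email_to>
  <smtp_server></smtp_server>
</global></ossec_config>"""

def check_email_config(conf_text):
    """Return a list of problems in the <global> e-mail settings."""
    # A file may hold several <ossec_config> roots; wrap them in one element.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    settings = {}
    for glob in root.iter("global"):
        for child in glob:
            settings.setdefault(child.tag, []).append((child.text or "").strip())
    problems = []
    if settings.get("email_notification", [""])[-1].lower() != "yes":
        problems.append("email_notification is not 'yes'")
    for tag in ("email_to", "email_from", "smtp_server"):
        if not any(settings.get(tag, [])):
            problems.append(f"{tag} is missing or empty")
    for addr in settings.get("email_to", []):
        if addr and "@" not in addr:
            problems.append(f"email_to '{addr}' has no domain part")
    return problems

def smtp_greeting(host, port=25, timeout=5.0):
    """Return the listener's first reply line, or None if nothing answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(512).decode("ascii", "replace").strip()
    except OSError:
        return None

if __name__ == "__main__":
    for name, conf in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_email_config(conf) or "no problems found")
    # Port 25 is an assumption; a healthy MTA answers with a 220 line.
    print("greeting:", smtp_greeting("127.0.0.1"))
```

To check a live host, pass the contents of /var/ossec/etc/ossec.conf to check_email_config and the <smtp_server> value to smtp_greeting.
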
earlsanchez
New Forum User
Posts: 2
Joined: Mon Jan 27, 2025 10:26 pm

Thank you for your response. We do have ossec-hids running on several other RHEL 7 EC2s. This is a new AL2023 installation and we do have the email config as you suggested:

Code: Select all

head /var/ossec/etc/ossec.conf
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>doc-IT.alerts@workday.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@ce-test-rpmbuild</email_from>
  </global>

  <rules>

I have also tried to run ossec-maild in debug mode and added a test alert .xml file in /var/ossec/queue/alerts/

Code: Select all

$ cat testalert.xml
<alert level="7" timestamp="1674837120">
  <rule id="5715" level="7" firedtimes="1" mailto="earl.sanchez@workday.com"/>
  <user>root</user>
  <srcip>192.168.1.10</srcip>
  <description>sshd: Failed password for root from 192.168.1.10 port 58342 ssh2</description>
</alert>

Started ossec-maild in debug:
/var/ossec/bin/ossec-maild -f -dddddd

Output:
2025/01/27 17:44:29 ossec-maild: DEBUG: Starting ...
2025/01/27 17:44:29 ossec-maild: INFO: Chrooted to directory: /var/ossec
2025/01/27 17:44:29 ossec-maild: INFO: Using user: ossecm
2025/01/27 17:44:29 ossec-maild: INFO: Started (pid: 477697).
^C2025/01/27 17:44:57 ossec-maild(1225): INFO: SIGNAL [(2)-(Interrupt)] Received. Exit Cleaning...

So no output from debug or from ossec log files.
cponton
Atomicorp Staff - Site Admin
Posts: 63
Joined: Fri Oct 09, 2020 9:41 am

Can you please confirm the version of ossec you are on?
earlsanchez
New Forum User
Posts: 2
Joined: Mon Jan 27, 2025 10:26 pm

Installed Packages
Name : ossec-hids
Epoch : 1
Version : 3.8.0
Release : 35114.amzn2023.art
Architecture : x86_64
Size : 146 k
Source : ossec-hids-3.8.0-35114.amzn2023.art.src.rpm

Installed Packages
Name : ossec-hids-server
Epoch : 1
Version : 3.8.0
Release : 35114.amzn2023.art
Architecture : x86_64
Size : 10 M
Source : ossec-hids-3.8.0-35114.amzn2023.art.src.rpm
Last edited by earlsanchez on Wed Jan 29, 2025 5:27 pm, edited 1 time in total.