No email notifications from OSSEC-HIDS

Hi Guys,
I have successfully installed and configured OSSEC-HIDS on one of my boxes but despite trying numerous combinations of email addresses and SMTP addresses I can't get any output. I am running Postfix with SSMTP. The current combination is as follows:-

Code:
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>andy.hounsome@sky.com</email_to>
    <smtp_server>pop.tools.sky.com</smtp_server>
    <email_from>andy.hounsome@sky.com</email_from>
  </global>
</ossec_config>

The OSSEC log file gives me this:-

Code:
2016/01/12 14:04:34 ossec-maild(1223): ERROR: Error Sending email to 188.125.69.46 (smtp server)

Any help would be gratefully received.
 
I don't use either one but is it possible Postfix requires login/authentication? In that case you would need to configure OSSEC to use authentication when connecting to the mailserver. If that's not possible you may need to configure Postfix to allow unauthenticated mail submission from the IP address of the OSSEC host.
 
Hi SirDice,
thanks for getting back to me on this - it's a real puzzler. As you quite rightly pointed out - how can I expect email from OSSEC when there is no authenticating user and password tucked away somewhere in the config. I did some more digging and followed this guide:-

https://www.digitalocean.com/commun...-agents-using-an-ossec-server-on-ubuntu-14-04

I know this is for Ubuntu but I thought it might give me some insight. It didn't really help, but here are the changes I made to the OSSEC conf file:-

Code:
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>andyhounsome@gmail.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>andyhounsome@gmail.com</email_from>
  </global>
</ossec_config>

I also changed the rc.conf file to enable sendmail:-

Code:
hostname="tinman"
ifconfig_bge0="DHCP"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
squid_enable=yes
apache24_enable="yes"
mysql_enable="yes"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
sendmail_enable="YES"
sendmail_submit_enable="YES"
sendmail_outbound_enable="YES"
sendmail_msp_queue_enable="YES"
sendmail_enable="YES"
sendmail_submit_enable="YES"
sendmail_outbound_enable="YES"
sendmail_msp_queue_enable="YES"
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_myservices="22 80 465 3128"
firewall_allowservices="any"
firewall_logdeny="YES"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
# For OSSEC HIDS
ossechids_enable="YES"

In addition I checked the SSMTP conf file which contains the necessary auth user and password:-

Code:
root=destinationemail@gmail.com
mailhub=smtp.gmail.com:587
AuthUser=andyhounsome@gmail.com
AuthPass=#################
UseSTARTTLS=YES

and finally used this to test what was going on behind the scenes from a command line request to send mail:-

Code:
root@tinman:/usr/local/ossec-hids/etc # echo test | mail -v -s "testing ssmtp setup" andyhounsome@gmail.com
[<-] 220 smtp.gmail.com ESMTP i196sm7142141wmf.23 - gsmtp
[->] EHLO tinman
[<-] 250 SMTPUTF8
[->] STARTTLS
[<-] 220 2.0.0 Ready to start TLS
[->] EHLO tinman
[<-] 250 SMTPUTF8
[->] AUTH LOGIN
[<-] 334 VXNlcm5hbWU6
[->] YW5keWhvdW5zb21lQGdtYWlsLmNvbQ==
[<-] 334 UGFzc3dvcmQ6
[<-] 235 2.7.0 Accepted
[->] MAIL FROM:<root@tinman>
[<-] 250 2.1.0 OK i196sm7142141wmf.23 - gsmtp
[->] RCPT TO:<andyhounsome@gmail.com>
[<-] 250 2.1.5 OK i196sm7142141wmf.23 - gsmtp
[->] DATA
[<-] 354  Go ahead i196sm7142141wmf.23 - gsmtp
[->] Received: by tinman (sSMTP sendmail emulation); Sat, 16 Jan 2016 14:41:54 +0000
[->] From: "sysadmin" <root@tinman>
[->] Date: Sat, 16 Jan 2016 14:41:54 +0000
[->] To: andyhounsome@gmail.com
[->] Subject: testing ssmtp setup
[->]
[->] test
[->] .
[<-] 250 2.0.0 OK 1452955316 i196sm7142141wmf.23 - gsmtp
[->] QUIT
[<-] 221 2.0.0 closing connection i196sm7142141wmf.23 - gsmtp

This worked as expected.

I hope that gives some insight into the problem because it certainly has me stumped!
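SirDice's point is the crux of this thread: ossec-maild only speaks plain, unauthenticated SMTP on port 25 (no STARTTLS, no AUTH), so it can only deliver through a server that relays for the OSSEC host without credentials, which is what the local sendmail/ssmtp setup in the second configuration provides. The script below is an added example, not code from the thread or from OSSEC: it replays that bare dialogue against a server and reports the step at which it is refused, using constructed scripted servers for the two outcomes and a small TcpConn wrapper for a real host; the hostnames tinman and smtp.example.net and the addresses are assumptions.

```python
import socket
class TcpConn:                      # line-oriented socket wrapper for a real smtp_server
    def __init__(self, host, port=25, timeout=10):
        self.sock = socket.create_connection((host, port), timeout)
        self.f = self.sock.makefile("rb")
    def readline(self):
        return self.f.readline().decode("ascii", "replace").rstrip("\r\n")
    def sendline(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))

def read_reply(conn):
    """Read one SMTP reply, skipping '250-' continuation lines; code 0 means not SMTP."""
    while True:
        line = conn.readline()
        if not line or not line[:3].isdigit():   # closed, or e.g. a POP3 '+OK' banner
            return 0, line or "connection closed"
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), line

def smtp_probe(conn, helo_name, sender, recipient):
    """Replay ossec-maild's bare dialogue (no STARTTLS, no AUTH) and return
    (ok, failed_step, last_reply); nothing is actually delivered."""
    code, reply = read_reply(conn)
    if code != 220:
        return False, "banner", reply
    for step, cmd in (("HELO", f"HELO {helo_name}"),
                      ("MAIL", f"MAIL FROM:<{sender}>"),
                      ("RCPT", f"RCPT TO:<{recipient}>")):
        conn.sendline(cmd)
        code, reply = read_reply(conn)
        if code != 250:
            conn.sendline("QUIT")
            return False, step, reply
    conn.sendline("RSET")                        # accepted for relay; abort before DATA
    read_reply(conn)
    conn.sendline("QUIT")
    return True, None, reply

class ScriptedServer:               # constructed stand-in so both outcomes run offline
    def __init__(self, banner, replies):
        self.lines, self.replies = [banner], replies
    def readline(self):
        return self.lines.pop(0) if self.lines else ""
    def sendline(self, line):
        self.lines.append(self.replies.get(line.split()[0].upper(), "250 2.0.0 OK"))

def local_relay():                  # MTA on localhost relaying for this host, no AUTH needed
    return ScriptedServer("220 tinman ESMTP Sendmail", {})

def auth_only_server():             # provider submission server that insists on STARTTLS/AUTH
    return ScriptedServer("220 smtp.example.net ESMTP",
                          {"MAIL": "530 5.7.0 Must issue a STARTTLS command first"})
```

Against a real server, `smtp_probe(TcpConn("localhost"), "tinman", "ossec@tinman", "you@example.net")` has to return ok=True before ossec-maild can be expected to succeed with that smtp_server.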
 