search

ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net
Other
4.42k stars 1.03k forks source link

ossec maild stopped working after OS patch install #1436

Open holly1954 opened 6 years ago

holly1954 commented 6 years ago

Ossec version 2.9.3-1

OS CentOS 7.5.1804

After latest round of patches maild no longer mailing alerts

Debug shows 2018/06/14 08:15:14 ossec-maild: DEBUG: Starting ... 2018/06/14 08:15:14 ossec-maild: INFO: Chrooted to directory: /var/ossec

Then nothing

I can email as ossecm directly

No output via tcpdump for email

Not sure how to move forward troubleshooting since logging doesn’t have any failures

ddpbsd commented 6 years ago

You could add more logging to ossec-maild. I'm not using the 2.9 branch, so I'm not sure what else to do there.

holly1954 commented 6 years ago

How do I add more logging. I already did the enable debug but that ga e no additonal detail.

From: Dan Parriott notifications@github.com<mailto:notifications@github.com> Date: Friday, Jul 06, 2018, 8:57 AM To: ossec/ossec-hids ossec-hids@noreply.github.com<mailto:ossec-hids@noreply.github.com> Cc: Lund, Holly (CONTR) holly.lund@hq.doe.gov<mailto:holly.lund@hq.doe.gov>, Author author@noreply.github.com<mailto:author@noreply.github.com> Subject: Re: [ossec/ossec-hids] ossec maild stopped working after OS patch install (#1436)

You could add more logging to ossec-maild. I'm not using the 2.9 branch, so I'm not sure what else to do there.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/ossec/ossec-hids/issues/1436#issuecomment-403026397, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AkSKbelPwy4rwbms7QV5WCvKMldxaNR8ks5uD16_gaJpZM4Upe3y.

ddpbsd commented 6 years ago

Go through the source code to see where it could possibly be failing and add some debugging there. Then recompile and start it up.

ddpbsd commented 6 years ago

I guess something else to check on is make sure events are being written to alerts.log. maild is supposed to read that file and send messages based on the alerts there.

holly1954 commented 6 years ago

There are lots of alerts there

From: Dan Parriott notifications@github.com<mailto:notifications@github.com> Date: Friday, Jul 06, 2018, 12:26 PM To: ossec/ossec-hids ossec-hids@noreply.github.com<mailto:ossec-hids@noreply.github.com> Cc: Lund, Holly (CONTR) holly.lund@hq.doe.gov<mailto:holly.lund@hq.doe.gov>, Author author@noreply.github.com<mailto:author@noreply.github.com> Subject: Re: [ossec/ossec-hids] ossec maild stopped working after OS patch install (#1436)

I guess something else to check on is make sure events are being written to alerts.log. maild is supposed to read that file and send messages based on the alerts there.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/ossec/ossec-hids/issues/1436#issuecomment-403082616, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AkSKbeD65ynrbrO49A0KEUZEm6uOvfq-ks5uD4-8gaJpZM4Upe3y.