[Ossec-list] ossec can't send e-mail
- Subject: [Ossec-list] ossec can't send e-mail
- From: pedrodrimel at gmail.com (Pedro Drimel Neto)
- Date: Wed, 5 Apr 2006 18:24:03 -0300
I had a problem with syslog_rules.xml; it didn't have a </rule>.
Anyway, the queue still has a problem. Below is the ossec.log on the server
when ossec-control restart is executed:

2006/04/05 18:22:13 ossec-maild(1225): SIGNAL Received. Exit Cleaning...
2006/04/05 18:22:13 ossec-execd(1225): SIGNAL Received. Exit Cleaning...
2006/04/05 18:22:13 ossec-maild: Started (pid: 2381).
2006/04/05 18:22:13 ossec-execd: Started (pid: 2385).
2006/04/05 18:22:13 ossec-analysisd: Reading rules file: 'rules_config.xml'
2006/04/05 18:22:13 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
2006/04/05 18:22:13 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
2006/04/05 18:22:13 ossec-analysisd: Reading rules file: 'apache_rules.xml'
2006/04/05 18:22:13 ossec-analysisd: Reading rules file: 'squid_rules.xml'
2006/04/05 18:22:13 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
2006/04/05 18:22:13 ossec-remoted: Started (pid: 2397).
2006/04/05 18:22:13 ossec-remoted: Started (pid: 2398).
2006/04/05 18:22:16 ossec-remoted(1210): Queue '/queue/ossec/queue' not accessible.
2006/04/05 18:22:16 ossec-remoted(1211): Unable to access queue: '/queue/ossec/queue'. Giving up..
2006/04/05 18:22:19 ossec-syscheckd(1210): Queue '/usr/local/src/ossec/queue/ossec/queue' not accessible.
2006/04/05 18:22:19 ossec-syscheckd(1210): Queue '/usr/local/src/ossec/queue/ossec/queue' not accessible.
2006/04/05 18:22:22 ossec-logcollector(1210): Queue '/usr/local/src/ossec/queue/ossec/queue' not accessible.
2006/04/05 18:22:22 ossec-logcollector(1211): Unable to access queue: '/usr/local/src/ossec/queue/ossec/queue'. Giving up..
2006/04/05 18:22:27 ossec-syscheckd(1210): Queue '/usr/local/src/ossec/queue/ossec/queue' not accessible.
2006/04/05 18:22:27 ossec-syscheckd(1210): Queue '/usr/local/src/ossec/queue/ossec/queue' not accessible.
2006/04/05 18:22:40 ossec-syscheckd(1210): Queue '/usr/local/src/ossec/queue/ossec/queue' not accessible.
2006/04/05 18:22:40 ossec-syscheckd(1211): Unable to access queue: '/usr/local/src/ossec/queue/ossec/queue'. Giving up..

ls -l /usr/local/src/ossec/queue/ossec/queue
srw-rw---- 1 ossec ossec 0 Apr 5 18:22 /usr/local/src/ossec/queue/ossec/queue

ps auwx |grep ossec
ossecm 2381 0.0 0.6 1624 636 ? S 18:22 0:00 /usr/local/src/ossec/bin/ossec-maild
root 2385 0.0 0.6 1640 600 ? S 18:22 0:00 /usr/local/src/ossec/bin/ossec-execd
root 2407 0.0 0.7 3756 688 pts/1 S+ 18:24 0:00 grep ossec

Sorry for the messages, but I don't know what this "Queue" means for ossec...
Thanks a lot...
Pedro.
----- Original Message -----
From: "Daniel Cid" <daniel.cid at gmail.com>
To: "Pedro Drimel Neto" <pedrodrimel at gmail.com>
Cc: <ossec-list at ossec.net>
Sent: Wednesday, April 05, 2006 5:49 PM
Subject: Re: [Ossec-list] ossec can't send e-mail
This queue is started by the ossec-analysisd. Is it running? What's the
output of ps auwx |grep ossec? Just execute
"/var/ossec/bin/ossec-control restart" to restart everything...
Hope it helps.
Thanks,
Daniel
On 4/5/06, Pedro Drimel Neto <pedrodrimel at gmail.com> wrote:
> <allowed-ip> wasn't on the server with the IP of the agent, thanks, but
> ossec-agentd was not on server up, as shown in the ossec.log:
>
> 2006/04/05 17:25:14 ossec-remoted: Started (pid: 2069).
> 2006/04/05 17:25:14 ossec-remoted: Started (pid: 2070).
> 2006/04/05 17:25:17 ossec-remoted(1210): Queue '/queue/ossec/queue' not accessible.
> 2006/04/05 17:25:17 ossec-remoted(1211): Unable to access queue: '/queue/ossec/queue'. Giving up..
> 2006/04/05 17:25:18 ossec-remoted: Started (pid: 2075).
> 2006/04/05 17:25:18 ossec-remoted: Started (pid: 2076).
> 2006/04/05 17:25:21 ossec-remoted(1210): Queue '/queue/ossec/queue' not accessible.
> 2006/04/05 17:25:21 ossec-remoted(1211): Unable to access queue: '/queue/ossec/queue'. Giving up..
>
> What about this queue ?
>
> Any idea ?
>
> Thanks a lot.
>
> ----- Original Message -----
> From: "Ahmet Ozturk" <oahmet at metu.edu.tr>
> To: <ossec-list at ossec.net>
> Sent: Wednesday, April 05, 2006 5:07 PM
> Subject: Re: [Ossec-list] ossec can't send e-mail
>
>
> > Hi Pedro,
> >
> > Please be sure that you have <allowed-ips> entries in the global section
> > of your ossec.conf on the server to allow your clients to send messages.
> > I mean your ossec.conf should look like:
> >
> > <global>
> > <email_notification>yes</email_notification>
> > <email_to>root at queen.mydomain</email_to>
> > <smtp_server>192.168.1.1</smtp_server>
> > <email_from>ossect at queen</email_from>
> > <allowed-ips>192.168.1.3/32</allowed-ips>
> > <allowed-ips>192.168.1.5/32</allowed-ips>
> > <allowed-ips>192.168.2.0/24</allowed-ips>
> > </global>
> > ....
> >
> > Please see the documentation: http://www.ossec.net/en/manual.html#config
> >
> > Hope this helps.
> >
> > Regards,
> >
> > Ahmet Ozturk.
> >
> > Quoting Pedro Drimel Neto <pedrodrimel at gmail.com>:
> >
> >> I'm having a problem with the agent too.
> >>
> >> The ossec.log of the agent says:
> >>
> >> 2006/04/05 18:45:02 ossec-agentd(1218): Unable to send message to server.
> >> 2006/04/05 18:45:04 ossec-agentd(1218): Unable to send message to server.
> >> 2006/04/05 18:45:04 ossec-agentd(1218): Unable to send message to server.
> >> 2006/04/05 18:45:05 ossec-agentd(1218): Unable to send message to server.
> >> 2006/04/05 18:45:07 ossec-agentd(1218): Unable to send message to server.
> >> 2006/04/05 18:45:08 ossec-agentd(1218): Unable to send message to server.
> >>
> >> There aren't firewall rules on the agent or on the server, the ping gets a
> >> response and the clients.keys are right.
> >>
> >> Any idea?
> >>
> >> Thanks a lot.
> >>
> >>
> >> ----- Original Message -----
> >> From: "Ahmet Ozturk" <oahmet at metu.edu.tr>
> >> To: <ossec-list at ossec.net>
> >> Sent: Wednesday, April 05, 2006 4:32 PM
> >> Subject: Re: [Ossec-list] ossec can't send e-mail
> >>
> >>
> >>> Hi Nico,
> >>>
> >>> Your SMTP server probably performs a helo check, I think. Ossec-HIDS
> >>> sends "notify.ossec.net" to helo the SMTP server, and if the SMTP server
> >>> checks the hostname given by the helo command, it will notice that the
> >>> machine trying to send e-mail is not actually "notify.ossec.net", and it
> >>> rejects the client for bogus helo. I've read something about "bogus_helo"
> >>> checks on Debian by searching Google.
> >>>
> >>> Also, some people mentioned that this problem occurred in an environment
> >>> where sendmail is behind a firewall. Does this fit your case?
> >>>
> >>> Btw, there should be some entries in your mail logs for these
> >>> unsuccessful attempts. Can you send us your sendmail.cf and the
> >>> corresponding log entries?
> >>>
> >>> Regards,
> >>>
> >>> Ahmet Ozturk.
> >>>
> >>>
> >>> Quoting Nico De Ranter <nico at sonycom.com>:
> >>>
> >>>>
> >>>> Hi
> >>>>
> >>>> I'm trying out ossec-hids on Debian (sid). I've got 1 server and 2
> >>>> agents configured. However in the ossec.log file on the server I see
> >>>> a lot of messages like:
> >>>>
> >>>> 2006/04/05 15:58:30 os_sendmail(1703): Hello not accepted by server:220 xxxxxxx.xxxxx.xxx ESMTP Sendmail 8.12.10/8.12.10; Wed, 5 Apr 2006 15:58:30 +0200 (MEST)
> >>>> 2006/04/05 15:58:30 ossec-maild(1223): Error Sending email to xx.xx.xx.xx (smtp server)
> >>>>
> >>>> I don't understand why I get this message. I can send e-mail from the
> >>>> command-line using mailx without problems. I tried doing a telnet to
> >>>> port 25 on the mail server and doing 'helo myserver.mydomain.com' and
> >>>> that was accepted also. Why can't ossec send e-mail?
> >>>>
> >>>> Nico
> >>>>
> >>>> --
> >>>> Nico De Ranter
> >>>> Senior System Administrator
> >>>> Sony Service Center (NSCE)
> >>>> The Corporate Village, Da Vincilaan 7-D1
> >>>> B-1935 Zaventem, Belgium
> >>>> Telephone: +32 (0)2 700 86 41 Fax: +32 (0)2 700 86 22
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> ossec-list mailing list
> >>>> ossec-list at ossec.net
> >>>> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
> >>>>
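The triage done by hand in this thread (which daemons logged "Started", which gave up on the queue, and whether ossec-analysisd ever came up) can be scripted. This is an added example, not part of the original messages or of OSSEC; the `triage` function name is hypothetical, the sample log is constructed in the format quoted above, and the error code 1211 is taken from those quoted lines.

```python
import re

# Constructed sample in the format of the ossec.log lines quoted in the thread.
SAMPLE_LOG = """\
2006/04/05 18:22:13 ossec-maild: Started (pid: 2381).
2006/04/05 18:22:13 ossec-execd: Started (pid: 2385).
2006/04/05 18:22:13 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
2006/04/05 18:22:13 ossec-remoted: Started (pid: 2397).
2006/04/05 18:22:16 ossec-remoted(1210): Queue '/queue/ossec/queue' not accessible.
2006/04/05 18:22:16 ossec-remoted(1211): Unable to access queue: '/queue/ossec/queue'. Giving up..
2006/04/05 18:22:19 ossec-syscheckd(1210): Queue '/usr/local/src/ossec/queue/ossec/queue' not accessible.
2006/04/05 18:22:40 ossec-syscheckd(1211): Unable to access queue: '/usr/local/src/ossec/queue/ossec/queue'. Giving up..
"""

# timestamp, daemon name, optional (code), message
LINE = re.compile(r"^(\S+ \S+) (ossec-\w+)(?:\((\d+)\))?: (.*)$")

def triage(log_text):
    """Report which daemons started, which gave up on the queue, and why."""
    started, seen, gave_up = set(), set(), {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation line or unrelated text
        _, daemon, code, msg = m.groups()
        seen.add(daemon)
        if msg.startswith("Started (pid:"):
            started.add(daemon)
        elif code == "1211":  # "Unable to access queue ... Giving up.."
            path = re.search(r"'([^']+)'", msg)
            gave_up[daemon] = path.group(1) if path else None
    findings = []
    # Per the reply in the thread, the queue is started by ossec-analysisd,
    # so a missing "Started" line for it explains the queue errors.
    if gave_up and "ossec-analysisd" not in started:
        state = ("logged activity but never 'Started'"
                 if "ossec-analysisd" in seen else "is absent from the log")
        findings.append(f"ossec-analysisd {state}")
    for daemon, path in sorted(gave_up.items()):
        findings.append(f"{daemon} gave up on queue {path}")
    return {"started": sorted(started), "gave_up": gave_up, "findings": findings}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```
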
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.