Old 12-28-2012, 11:12 PM   #1
newbie14

I have just installed OSSEC as the server. When it asked for my email I put in my Gmail address, and for the SMTP I was not sure, so I just put localhost first. Then it ran a number of commands, and finally it stated this:

Code:
In order to connect agent and server, you need to add each agent to the server.
   Run the 'manage_agents' to add or remove them:

   /var/ossec/bin/manage_agents

Another thing I did was this: /var/ossec/bin/ossec-control start

Code:
Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

So what error is it telling me about the configuration?

I am new to OSSEC installation. I tried to install it as manager and now I did this: /var/ossec/bin/ossec-control start
Code:
Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
Part of config file is as below.

Code:
<global>
  <email_notification>yes</email_notification>
  <email_to>*****@gmail.com</email_to>
  <smtp_server>localhost</smtp_server>
  <email_from>ossecm@localhost.localdomain</email_from>
</global>

I managed to solve the issue by using this command: ln -s /var/ossec/bin/ossec-logtest /var/ossec/ossec-logtest. What I need to verify is whether I should set the agentless setting, and how to test if OSSEC is working and able to send me emails. Thank you.

Last edited by unSpawn; 01-03-2013 at 02:03 PM. Reason: //Merged same topic threads
 
Old 01-02-2013, 08:36 AM   #2
Noway2
Quote:
What I need to verify is whether I should set the agentless setting, and how to test if OSSEC is working and able to send me emails.
I am not entirely sure what you mean by agentless setting. OSSEC can either be installed as a standalone system, which is the most common and typical installation, or as client-server. Unless you are running multiple servers that you want monitored and reported by one location, go with the integrated, stand-alone installation.

As far as emailing, you should have received an email saying "ossec server started" when your system was initialized. I noticed that you are sending your emails to @gmail.com which could be problematic. Unless you have taken steps to either make your system a regular mail server that gmail will accept under normal circumstances or are using an SMTP relay such as through your ISP, you face a very high likelihood that your mail will be rejected by gmail. I would suggest you start by letting ossec send mail to root or another local account and then see if you receive those, then work on getting gmail to accept your messages.
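
Noway2's point about the mail path, as an added example that is not part of the original thread: a Python check that reads the <global> mail options of an ossec.conf and flags an external recipient routed through a local SMTP server. The sample configuration is constructed from the block posted in #1 with a placeholder recipient, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <global> block in post #1 (placeholder recipient).
SAMPLE_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>someone@gmail.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossecm@localhost.localdomain</email_from>
  </global>
</ossec_config>
"""
LOCAL = {"localhost", "localhost.localdomain", "127.0.0.1"}


def mail_settings(conf_text):
    """Return the mail options found in <global> blocks as a dict."""
    # Wrap in a synthetic root so a file holding several <ossec_config>
    # blocks still parses as one XML document.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    keys = ("email_notification", "email_to", "smtp_server", "email_from")
    found = {}
    for block in root.iter("global"):
        for key in keys:
            node = block.find(key)
            if node is not None and node.text:
                found[key] = node.text.strip()
    return found


def domain_of(address):
    """Domain part of an address; a bare name such as 'root' counts as local."""
    _, at, domain = address.rpartition("@")
    return domain.lower() if at else "localhost"


def review_mail_settings(conf_text):
    """Return findings about the alert mail path (empty list: none)."""
    cfg = mail_settings(conf_text)
    if cfg.get("email_notification", "no").lower() != "yes":
        return ["email_notification is not 'yes', so no alert mail is sent"]
    findings = []
    external = domain_of(cfg.get("email_to", "")) not in LOCAL
    if external and cfg.get("smtp_server", "").lower() in LOCAL:
        findings.append("external recipient via local SMTP: needs a working relay")
    if external and domain_of(cfg.get("email_from", "")) in LOCAL:
        findings.append("email_from domain is local-only for an external recipient")
    return findings
```

Calling review_mail_settings() on the text of /var/ossec/etc/ossec.conf (the path is an assumption based on the /var/ossec install prefix shown in the thread) returns an empty list once the recipient is a local account such as root@localhost.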
 
Old 01-02-2013, 09:03 AM   #3
newbie14
Original Poster
Dear Noway2,
OK, let's go first with the installation type. In the beginning it asked me whether it is a manager, and I typed manager. So what should I do in the very first step, what type of installation, and how do I set up the standalone installation? Where could I have gone wrong?

Regarding the email, how should the setup be if I need to just send to local root? What changes should I make then? I will go with your suggestion and get root to receive the email first. Thank you.
 
  

