AIDE installation problem

newbie14 · 05-24-2012, 08:12 AM

Dear Grim,
The funny part is before this it send me for few hours to my email box with this message Couldn't open file /var/lib/aide/aide.db.gz for reading from root root@localhost.localdomain. The funny part when I checked my email again now I saw one email again in this time with all the analysis details. But why is it not on timely as per hour basis.Normally where can I check all the errors related to cron jobs?

grim76 · 05-24-2012, 09:16 AM

You can check /var/log/cron to see when your job executes. Also check /var/log/maillog to see when the mail was sent out. Could be a delay between mail hosts.

newbie14 · 05-24-2012, 09:33 AM

Dear Grim,
Under /var/log/cron.

I could see something like this for every hour.I have actually change to a gmail today.

May 24 08:00:01 localhost CROND[30676]: (root) CMD (/usr/sbin/aide --check | mail -s "AIDE ALERTs" *****@gmail.com)

I could see this in my /var/log/mail . I only receive the one send on 21:00 the other not received.

Quote:

May 24 18:13:20 localhost postfix/pickup[20738]: 4C08A241630: uid=0 from=<root>
May 24 18:13:20 localhost postfix/cleanup[19206]: 4C08A241630: message-id=<20120524101320.4C08A241630@localhost.localdomain>
May 24 18:13:20 localhost postfix/qmgr[1743]: 4C08A241630: from=<root@localhost.localdomain>, size=19043, nrcpt=1 (queue active)
May 24 18:13:25 localhost postfix/smtp[19209]: 4C08A241630: to=<****@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.127.26]:25, delay=5.6, delays=0.24/0.01/3.2/2.2, dsn=2.0.0, status=sent (250 2.0.0 OK 1337854194 hs4si646843pbc.26)
May 24 18:13:25 localhost postfix/qmgr[1743]: 4C08A241630: removed
May 24 19:13:24 localhost postfix/pickup[20738]: E2587241630: uid=0 from=<root>
May 24 19:13:25 localhost postfix/cleanup[18009]: E2587241630: message-id=<20120524111324.E2587241630@localhost.localdomain>
May 24 19:13:25 localhost postfix/qmgr[1743]: E2587241630: from=<root@localhost.localdomain>, size=19043, nrcpt=1 (queue active)
May 24 19:13:29 localhost postfix/smtp[18012]: E2587241630: to=<****@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.127.26]:25, delay=5.2, delays=0.25/0.01/3.3/1.6, dsn=2.0.0, status=sent (250 2.0.0 OK 1337857799 ir6si904252pbc.322)
May 24 19:13:29 localhost postfix/qmgr[1743]: E2587241630: removed
May 24 20:13:07 localhost postfix/pickup[18080]: 40687241630: uid=0 from=<root>
May 24 20:13:07 localhost postfix/cleanup[16776]: 40687241630: message-id=<20120524121307.40687241630@localhost.localdomain>
May 24 20:13:07 localhost postfix/qmgr[1743]: 40687241630: from=<root@localhost.localdomain>, size=19043, nrcpt=1 (queue active)
May 24 20:13:12 localhost postfix/smtp[16779]: 40687241630: to=<*****@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.127.26]:25, delay=5.2, delays=0.18/0.05/3.3/1.7, dsn=2.0.0, status=sent (250 2.0.0 OK 1337861381 kc7si935200pbc.111)
May 24 20:13:12 localhost postfix/qmgr[1743]: 40687241630: removed
May 24 21:13:28 localhost postfix/pickup[17291]: 9FBAF241260: uid=0 from=<root>
May 24 21:13:28 localhost postfix/cleanup[15585]: 9FBAF241260: message-id=<20120524131328.9FBAF241260@localhost.localdomain>
May 24 21:13:28 localhost postfix/qmgr[1743]: 9FBAF241260: from=<root@localhost.localdomain>, size=19043, nrcpt=1 (queue active)
May 24 21:13:33 localhost postfix/smtp[15588]: 9FBAF241260: to=<*****@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.127.26]:25, delay=4.9, delays=0.25/0.05/3.4/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1337865002 rh5si1196140pbc.209)
May 24 21:13:33 localhost postfix/qmgr[1743]: 9FBAF241260: removed
May 24 22:13:23 localhost postfix/pickup[17291]: 91B40241260: uid=0 from=<root>
May 24 22:13:23 localhost postfix/cleanup[14391]: 91B40241260: message-id=<20120524141323.91B40241260@localhost.localdomain>
May 24 22:13:23 localhost postfix/qmgr[1743]: 91B40241260: from=<root@localhost.localdomain>, size=19044, nrcpt=1 (queue active)
May 24 22:13:28 localhost postfix/smtp[14394]: 91B40241260: to=<****@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.127.27]:25, delay=4.9, delays=0.23/0.05/3.3/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1337868597 ks6si1344196pbc.350)
May 24 22:13:28 localhost postfix/qmgr[1743]: 91B40241260: removed

grim76 · 05-24-2012, 01:43 PM

The removed to me indicates that the mail has moved on to the next step in the process and that would be google getting the mail to you. Doesn't appear to be much you can do at this point.

newbie14 · 05-24-2012, 09:13 PM

Dear Grim,
Thank you I monitor and update here ok.

newbie14 · 05-25-2012, 10:22 PM

Dear Grim,
Ok I found it is due to gmail is taking this email address root <root@localhost.localdomain> from the cron as spam. Is it possible to change the sending email address?

grim76 · 05-26-2012, 08:10 AM

Yes it is possible to change the sending email address. You will have to look into your smtp server configuration.

newbie14 · 05-26-2012, 11:41 AM

Dear Grim,
Actually I did not do any mail settings and I guess is the default smtp sendmail is sending the email. I did some google some said adjust the /etc/host the first line and some say adjust the /etc/mail/aliases. What do you suggest?

unSpawn · 05-27-2012, 08:04 AM

To rewrite the sender address see http://www.postfix.org/ADDRESS_REWRITING_README.html and http://www.cyberciti.biz/tips/howto-...l-address.html.

newbie14 · 05-27-2012, 08:30 AM

Dear unSpawn,
I was going through both the link.
Ok first I can do this add to the last this smtp_generic_maps = hash:/etc/postfix/generic
Then next I open vi /etc/postfix/generic what should I do with this file now? What to add I am a bit confuse herE?

unSpawn · 05-27-2012, 08:59 AM

Quote:

Originally Posted by newbie14

I open vi /etc/postfix/generic what should I do with this file now?

It's where he changes "tom-01@server01.hosting.com" to "tom@domain.com". So you can mask "root@localhost.localdomain" as a user name and a fully qualified domain name that are valid. Not that I use Postfix though.

newbie14 · 05-27-2012, 10:17 AM

Dear unSpawn,
To be frank I do not know how AIDE is sending the report via? Is it via sendmail or postfix how to determine ? I have not setup any smtp on my server either just using it as it is?

unSpawn · 05-28-2012, 04:25 AM

Quote:

Originally Posted by newbie14

I do not know how AIDE is sending the report via? Is it via sendmail or postfix how to determine ? I have not setup any smtp on my server either just using it as it is?

Apparently, as you're editing /etc/postfix/generic, it is Postfix. (Sendmail uses stuff in the /etc/mail/ directory.) Usually a MTA is drawn in on installation as a dependency of any application that requires sending email.

newbie14 · 05-28-2012, 06:38 AM

Dear unspawn,
What I want to learn here is that on default the cron is using the sendmail or postfix to send those AIDE emails to me? Kind of lost here. Is there a mechanism to determine that before I go further to edit on the email address?

unSpawn · 05-28-2012, 07:02 AM

Quote:

Originally Posted by newbie14

What I want to learn here is that on default the cron is using the sendmail or postfix to send those AIDE emails to me? Kind of lost here. Is there a mechanism to determine that before I go further to edit on the email address?

I know English is not your native language but I already gave you the test: Postfix uses files in the /etc/postfix directory and Sendmail uses files in the /etc/mail directory. Another way is to run 'readlink -f /etc/alternatives/mta' and then 'rpm -qf' the result should show you the package name.