
Configuring email alerts is a nerve racking endeavor #2161

@fredrik-nti-johanneberg

Description


Ubuntu Server 24.04
OSSEC HIDS v3.8.0
msmtp version 1.8.24

I have gone through countless attempts at getting OSSEC 3.8.0 to send email alerts from a GMail account through the msmtp client (SMTP relay) on Ubuntu 24.04. Besides various OSSEC GitHub issues, OSSEC-list threads, blog pages, etc., I have also consulted the following resources:

https://ossec-documentation.readthedocs.io
https://www.ossec.net/docs/manual/output/standard-email-output.html
https://www.ossec.net/docs/docs/syntax/head_ossec_config.email_alerts.html
https://www.ossec.net/docs/docs/programs/ossec-maild.html

Here are my <global> and <alerts> sections of the /var/ossec/etc/ossec.conf configuration:

<global>
    <email_notification>yes</email_notification>
    <email_to>***@gmail.com</email_to>
    <smtp_server>/usr/bin/msmtp -t</smtp_server>
    <email_from>***@gmail.com</email_from>
</global>

<alerts>
    <log_alert_level>5</log_alert_level>
    <email_alert_level>5</email_alert_level>
</alerts>

A failed SSH login attempt looks like this in my /var/ossec/logs/alerts/alerts.log:

** Alert 1764953151.4665: mail  - syslog,sshd,invalid_login,authentication_failed,
2025 Dec 05 16:45:51 lazy->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 192.168.181.1
2025-12-05T16:45:49.419320+00:00 lazy sshd[189723]: Failed password for invalid user cmkdslcmks from 192.168.181.1 port 51312 ssh2

You will soon run into trouble when trying to configure OSSEC with an email account that demands SSL transfer and SMTP authentication. It is a relatively well-hidden feature that the <global> <smtp_server> entry as of v2.9.0 supports a call to an external mailer. The v2.9.0 release notes state that: the <smtp_server> field can now be prepended with "/" to designate a local binary. Example: <smtp_server>/usr/sbin/sendmail -t</smtp_server>.

I believe that Postfix or msmtp are the two most common external mailer alternatives. Installing msmtp and configuring the client with a GMail account (with an application password) is very straightforward. When sending messages from an unprivileged account you need a .msmtprc in that particular user's home directory. OSSEC uses three different accounts: ossec, ossecm and ossecr which all share the same home directory /var/ossec.

I have tried (to no avail) placing a copy of my working msmtp configuration (/etc/msmtprc) in /var/ossec/.msmtprc and also in /var/ossec/etc/msmtprc. I also added the same configuration to /root/.msmtprc, just in case.

I have also (as suggested from various sources) tried adding the three ossec* user accounts to the group msmtp and setting the SGID-flag and ownership of the msmtp binary like so:

-rwxr-sr-x 1 root msmtp 139192 Apr 1 2024 /usr/bin/msmtp

I have tried a dry run of the ossec-maild with arguments -t (test configuration) and -d (debug mode) which only results in the following output (also written to OSSEC logs):

2025/12/05 17:16:15 ossec-maild: DEBUG: Starting ...

As suggested from the documentation and other sources, I have placed copies of the following files in /var/ossec/etc:

/etc/resolv.conf
/etc/services
/etc/hosts

Why is configuring a crucial feature of a well-known IDS/IPS software package so hard? To me the documentation is a hodgepodge of inconsistent information pointing in different directions. I would really like this to work. I believe a lot of users would be very thankful for improved documentation with sample configurations for various options.
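A pre-flight check for the msmtp side of the setup described above, added here as an example and not taken from the issue, OSSEC or msmtp. It assumes GNU stat and relies on msmtp's documented rule that a configuration file holding a password must be owned by the calling user and carry no group/other permission bits, which is exactly what a copied /etc/msmtprc (mode 0644) violates; the paths and the ossecm user are taken from the issue.

```shell
#!/bin/sh
# check_msmtprc FILE USER
# Reports why msmtp would refuse FILE when run as USER (the OSSEC mailer
# account, e.g. ossecm, whose $HOME is /var/ossec per the issue).
# Returns 0 when the file looks usable, 1 otherwise.
check_msmtprc() {
    file=$1
    user=$2
    rc=0
    if [ ! -f "$file" ]; then
        echo "MISSING: $file (msmtp looks for \$HOME/.msmtprc of $user)"
        return 1
    fi
    owner=$(stat -c '%U' "$file")   # GNU stat assumed
    mode=$(stat -c '%a' "$file")
    if [ "$owner" != "$user" ]; then
        echo "OWNER: $file is owned by $owner, msmtp running as $user will reject it"
        rc=1
    fi
    # msmtp requires no group/other bits on a config that contains a password,
    # i.e. the last two octal digits must be zero (0600 or 0400).
    case "$mode" in
        *00) ;;
        *) echo "MODE: $file has mode $mode; needs 0600 (chmod 600)"; rc=1 ;;
    esac
    if ! grep -q '^[[:space:]]*account' "$file"; then
        echo "CONTENT: $file defines no account section"
        rc=1
    fi
    return $rc
}

# Run directly: ./check.sh /var/ossec/.msmtprc ossecm
if [ "$#" -eq 2 ]; then
    check_msmtprc "$1" "$2"
fi
```

If the check passes but mail still does not arrive, the next thing to inspect is msmtp's own log (the logfile directive in the config) for the ossecm invocation, since ossec-maild's debug output shown in the issue says nothing about the external mailer's result.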
