Configure OSSEC to send alerts from Gmail

When setting up any system analyzer, we want to keep track of every event that happens on our machines. The easiest way to do that is email alerts: every time the application raises an alert, it forwards a copy of it to your mailbox.

By default, applications like OSSEC only support a local mail server. But what if we don't have one and only use services like Gmail or Yahoo? In that case we can build a local mail relay listening on port 25 for the applications to use.

What is OSSEC?

OSSEC is a HIDS, a host-based intrusion detection system. It has a client-server architecture: you connect all your nodes as agents to one server (the manager) and watch their activity from there. OSSEC tracks system actions that look malicious, such as repeated SSH authentication attempts or a change to the /etc/passwd file. The main OSSEC features are:

  • log file analysis (for example /var/log/auth.log, to analyse SSH connections);
  • file integrity checking (an alert is sent when a file's MD5 checksum changes), useful for monitoring the PATH directories from which you run commands;
  • rootkit detection: OSSEC raises an alert when something strange happens in your system.

OSSEC has many more features than described here. To get started, read the software documentation.

Setup packages

Install the ssmtp, mailutils and postfix packages with your package manager. Depending on your distribution, that is…

sudo apt-get install -y ssmtp mailutils postfix

…or…

sudo yum install -y ssmtp mailutils postfix

Configure ssmtp

Add the following lines to your ssmtp configuration at /etc/ssmtp/ssmtp.conf.

Now the postfix server can use these credentials so that the Gmail account ships the alerts automatically.

Send test email

Try the mail command. It should use port 25 to send the test email (replace you@example.com with your own address).

echo "This is a test" | mail -s "Test" you@example.com

Check your inbox to verify that it works.
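As an added example (not from the original post), here is a small Python check for the relay pieces above: it parses an ssmtp.conf, flags a missing credential, a mailhub that is not on a TLS submission port, or a file readable by other users (the Gmail password sits in it in plaintext), and sends the same test message through the local relay on port 25. The ssmtp keys mailhub, AuthUser, AuthPass and UseSTARTTLS are the standard ones; the sample config is constructed.

```python
import smtplib
import stat
from email.message import EmailMessage

REQUIRED = {"mailhub", "AuthUser", "AuthPass"}   # keys the Gmail relay needs
def parse_ssmtp_conf(text):
    """Return key/value pairs from ssmtp.conf, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf
def check_ssmtp_conf(text, mode):
    """Return a list of problems (empty means sane); mode is the file's st_mode."""
    conf = parse_ssmtp_conf(text)
    problems = ["missing " + k for k in sorted(REQUIRED - conf.keys())]
    hub = conf.get("mailhub", "")
    if hub and not hub.endswith((":587", ":465")):
        problems.append("mailhub should use the submission port 587 (or 465)")
    if conf.get("UseSTARTTLS", "").upper() != "YES" and not hub.endswith(":465"):
        problems.append("UseSTARTTLS=YES is required, otherwise the Gmail password goes in clear")
    if stat.S_IMODE(mode) & 0o007:   # AuthPass is stored in plaintext in this file
        problems.append("ssmtp.conf is readable by others but contains AuthPass")
    return problems
def build_test_mail(to_addr, from_addr="ossec@localhost"):
    """Build the same test message the post sends with mail(1)."""
    msg = EmailMessage()
    msg["Subject"] = "Test"
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg.set_content("This is a test")
    return msg
def send_via_local_relay(msg, host="localhost", port=25):
    """Hand the message to the local postfix relay on port 25, as OSSEC does."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.send_message(msg)
# Constructed sample config; replace the placeholders with real values.
SAMPLE_CONF = """root=alerts@example.com
mailhub=smtp.gmail.com:587
AuthUser=alerts@example.com
AuthPass=app-password-placeholder
UseSTARTTLS=YES
"""
if __name__ == "__main__":
    print(check_ssmtp_conf(SAMPLE_CONF, 0o640))   # [] for the constructed sample
    send_via_local_relay(build_test_mail("you@example.com"))
```

For a real file, pass `os.stat("/etc/ssmtp/ssmtp.conf").st_mode` as the mode argument.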

Configure OSSEC

Open the main OSSEC config /var/ossec/etc/ossec.conf and change the email settings.


Yes, you have to set localhost as the SMTP server. Don't worry: the local postfix will relay every delivery request to the Gmail user configured in ssmtp.

After that, restart the OSSEC service to apply the configuration changes.

sudo service ossec restart

…or, for CentOS/Debian…

sudo systemctl restart ossec

Check the mail inbox

Now you should receive security alerts generated by OSSEC.


This is especially useful if you have configured OSSEC agents on your nodes. The alert above is just a file integrity alert, and this particular event is not a big deal, because I have a daily mysqldump backup running at that time. But sometimes this sort of event will be unexpected. Watch out for those: binaries or configs in /etc being modified unexpectedly probably means an attack.

Will it work with other applications?

Generally, yes. For security reasons you can also set up Fail2ban to block attacks from a single IP. It also provides email alerts and also needs port 25 listening. The same applies to almost every application that sends alerts, such as monitoring systems, cron and so on.
