Sending my IDS logs by email

Hello
I have recently configured the ipfire Mail service and can consistently receive test email however I’m having trouble setting up swatch. I have installed postfix and I used a configuration tutorial found here: wiki.ipfire.org - Swatch
But when I get to

Blockquote
tell swatch to use the 2 new lines as a separator:

/usr/bin/swatch --daemon -c /var/ipfire/snort/swatchrc --input-record-separator=’\n\n’ -t /var/log/snort/alert

Blockquote

It says
/usr/bin/swatch error no such file or directory

And I think alot of the directory’s in the wiki tutorial are wrong
Can anyone tell me what file to use? Or how to make work?
Thanks

I installed swatch via pakfire and went looking for “swatch”. maybe it is now called “swatchdog”.

[root@ipfire ~]# find / -iname swatch*

/opt/pakfire/db/rootfiles/swatch
/usr/lib/perl5/site_perl/5.32.1/Swatchdog
/usr/bin/swatchdog
/var/cache/pakfire/swatch-3.2.4-5.ipfire
[root@ipfire ~]# 
1 Like

Good point. They had to change the name as the Swiss Watch company wasn’t happy with their use of the name.

So wiki needs an update.

Ok so I changed the command to /usr/bin/swatchdog
and I changed the log files to /var/log/suricata/fast.log
and i keptthe config file /var/ipfire/snort/swatchrc now the file saved in /etc/sysconfig/rc.local
says /usr/bin/swatchdog --daemon -c /var/ipfire/snort/swatchrc --input-record-separator='\n\n' -t /var/log/suricata/fast.log

now it says ./usr/bin/tail: /var/log/suricata/fast.log: file truncated
and im not getting any emails from ipfire yet

Let learn this together.

First

I have Mail set up at menu System > Mail Service. And I can click Send test mail and within a moment I get an email:

From: myemail@gmail.com 
Subject: IPFire Testmail
Date: May 23, 2021 at 5:52 PM 
To: myemail@gmail.com

This is the IPFire test mail.

Do you see the same?

Second

What is inside of the config file at: /var/ipfire/snort/swatchrc

1 Like

I’ve not used swatch/swatchdog before so just for “fun” I made my swatchrc config file easy and entered:

[root@ipfire ~]# cat /root/.swatchdogrc
watchfor  /DROP/
	echo=red
	mail=myemail@gmail.com,subject="the word DROP"

and then I entered:

/usr/bin/swatchdog -c /root/.swatchdogrc -t /var/log/messages

without the -daemon or the input-record-separator.

and start getting LOTS of lines of DROPs:

[root@ipfire ~]# /usr/bin/swatchdog -c /root/.swatchdogrc -t /var/log/messages

*** swatchdog version 3.2.4 (pid:8003) started at Sun May 23 06:57:59 PM CDT 2021

May 23 18:58:00 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00 . . . . . URGP=0 
May 23 18:58:04 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00 . . . . . URGP=0 
May 23 18:58:05 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00 . . . . . URGP=0 
. . .
^CCaught a SIGINT -- sending a TERM signal to 8004
[root@ipfire ~]# 

So now I know swatch works...

So before it was exactly as the tutorial said but I’m emailing myself.
So I set it up that way and Now I’m seeing the IDs logs appear on screen and it says

sendmail: can not open auth file ‘/car/ipfire/dma/auth.conf’ : permission denied

This is what I see for the /var/ipfire/dma directory (but I am not sure if it is correct…).

[root@ipfire ~]# ls -al /var/ipfire/dma
total 20
drwxr-xr-x  2 nobody nobody 4096 Jan 13  2020 .
drwxr-xr-x 50 root   root   4096 May  4 06:15 ..
-rw-r-----  1 nobody root     43 Mar 17  2019 auth.conf
-rw-r--r--  1 nobody nobody  159 Mar 17  2019 dma.conf
-rw-r--r--  1 nobody nobody   70 Mar 17  2019 mail.conf
[root@ipfire ~]# 

Are you seeing the same permissions for auth.conf?

For the first 2 lines below total 20 it says
drwxr-xr-x 2 nobody nobody 4096 Apr 16 18:36 .
drwxr-xr-x 52 root root 4096 May 16 21:11

And the rest is all the same as yours
I rebooted in single user mode because the IDS system is running as an application not as a demon.

Hmmm. The directory privileges look right in the image.

And you should not need to reboot in single user mode. When you state “IDS” are you talking about Suricata and IPS? Or something else?

I hate to say this but your issue is beyond my skills. :frowning_face:

I probably can help with swatch but not beyond that. Hopefully someone else will stop by to help!

It seems I had to change permissions on auth.conf in order to run from daemon

-rw-r----- 1 nobody mail 43 May 8 10:12 auth.conf