From OSSEC Wiki
Why am I not receiving emails from my OSSEC server?
- by Marty Hillman <mehillman ( at ) tech-pro.com>
First, you do not "need" to run a mail server on the OSSEC machine. It does not use it. If you need it for other purposes, then by all means keep it installed. OSSEC will connect to the mail server listed in ossec.conf on port 25 and try to deliver the mail directly. It will never touch the local sendmail, postfix or other mail server. The <smtp_server> directive is used for the server that you are connecting to and not for the server you expect to be sending from.
If you already have a mail server running on your network, you will need to know its address. Enter the IP address of this server in the <smtp_server> directive. Run a test ping from your OSSEC machine to ensure that it can see the mail server. You can also telnet to port 25 on the mail server from the OSSEC machine to confirm that the two can communicate directly.
Make sure that the <email_notification> directive is set to yes as follows:
<email_notification>yes</email_notification>
I know it sounds obvious, but I have seen people miss that particular one.
On the destination server, modify any mail filter rules (or the mail server itself, if it is configured to filter) to allow emails from both the public IP address of the OSSEC server AND the email address listed in the <email_from> directive. For me, Exchange server was blocking one and GFI MailEssentials the other. Because of how the email is sent from my FreeBSD OSSEC box, it looked like the email address was spoofed.
As a test, you can configure your filtering software to redirect all filtered emails to a separate mailbox for review as needed. This will also help you verify that there are no false positives from your filters. If you find the OSSEC emails in that mailbox, you will need to modify your filters accordingly.
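The configuration and connectivity checks above can be scripted. The following is an added example, not part of the original wiki page or of OSSEC itself: it reads the three directives named on this page from an ossec.conf and repeats the telnet test against port 25. The sample configuration, the function names and the 192.0.2.25 address are constructed for illustration, and the path in the usage comment is an assumed install location.

```python
import socket
import sys
import xml.etree.ElementTree as ET

# Constructed sample: real files often hold several <ossec_config> blocks.
SAMPLE_CONF = """\
<ossec_config>
  <global>
    <email_notification>no</email_notification>
    <smtp_server>192.0.2.25</smtp_server>
  </global>
</ossec_config>
<ossec_config><!-- second block with unrelated settings --></ossec_config>
"""

def mail_settings(conf_text):
    """Return the first value of each mail directive, or None if absent."""
    # Several top-level <ossec_config> elements are not well-formed XML,
    # so wrap the text in a synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = {}
    for name in ("email_notification", "smtp_server", "email_from"):
        node = root.find("./ossec_config/global/" + name)
        found[name] = (node.text or "").strip() if node is not None else None
    return found

def problems(settings):
    """List the configuration gaps this page walks through."""
    out = []
    if (settings["email_notification"] or "").lower() != "yes":
        out.append("email_notification is not set to yes")
    if not settings["smtp_server"]:
        out.append("smtp_server is not set")
    if not settings["email_from"]:
        out.append("email_from is not set, no sender address to allow in filters")
    return out

def smtp_banner(host, port=25, timeout=10.0):
    """Same check as 'telnet host 25': connect and read the greeting line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(512).decode("ascii", "replace").strip()

if __name__ == "__main__":
    # Usage: python3 check_mail.py /var/ossec/etc/ossec.conf (assumed path)
    with open(sys.argv[1]) as fh:
        cfg = mail_settings(fh.read())
    for p in problems(cfg):
        print("PROBLEM:", p)
    if cfg["smtp_server"]:
        print("banner:", smtp_banner(cfg["smtp_server"]))
```

Run it on the OSSEC machine itself, since the point of the banner check is to prove that this host can reach the mail server on port 25.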