Hi,

Having fiddled perhaps a bit too much with the setup of OSSEC, my active 
responses on my server stopped working last night, and I'm unable to 
pinpoint the problem. I unfortunately, even with debug enabled, don't see any 
errors in ossec.log, and I'm quite unsure how to go about debugging this.

If I, on the server, look at the available active responses, I get this:

> agent_control -L 
OSSEC HIDS agent_control. Available active responses: 
Response name: notify-pushbullet0, command: notify-pushbullet.py 
Response name: firewall-honeypot0, command: firewall-honeypot.sh 
Response name: firewall-permaban0, command: firewall-permaban.sh

So far, so good. 

Looking at my list of active agents I get:
> agent_control -l 
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ShadowBUNT (server), IP: 127.0.0.1, Active/Local
     ...
     ...

Now, if I try to trigger an active response on the server, everything looks 
fine:
> agent_control -u 000 -f notify-pushbullet0 -b 192.168.1.1
OSSEC HIDS agent_control: Running active response 'notify-pushbullet0' on: 000

However, nothing shows up in */var/ossec/logs/active-responses.log*. And 
when I look at *ossec.log*, I find this one:
2016/09/08 16:25:02 ossec-remoted(1320): ERROR: Agent '000' not found.

One possible explanation is that I reinstalled OSSEC and copied over my old 
config, but I suspect I didn't do it 100%, as I had to re-add all the 
agents. Since the server/agent doesn't have the option to remove/add/insert 
key/get key however, I didn't do anything with it. As far as I can tell, 
all other functionality is fine, including alerts. Though I notice that 
alerts on the server are listed with location "localhost" instead of 
"ShadowBUNT", which is the server name. I don't know if that's important.

Since I'd rather not do another complete reinstall, I was hoping someone 
might know how I can fix this...


OJ
