Hello, I'm pretty new to OSSEC and I'm working on getting some active responses working. I have tried a number of different active responses but cannot seem to get any of them to work anywhere (not on the server or the agents). I'm now trying a simple AR that just logs to active-responses.log, but it still does not seem to be triggering. I do receive the email alert, but the AR does not trigger. Here is my config for the test active response:
<command>
  <name>test</name>
  <executable>test.sh</executable>
  <expect></expect>
  <timeout_allowed>no</timeout_allowed>
</command>

(I've tried the location as local, all, and server but no luck)

<active-response>
  <disabled>no</disabled>
  <command>test</command>
  <location>local</location>
  <rules_id>70999</rules_id>
  <level>0</level>
</active-response>

And the script, test.sh:

#!/bin/sh
# ossec-execd calls the script as: <action> <user> <srcip> <alert_id> <rule_id>
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

# Resolve the OSSEC base directory relative to this script
# (active-response/bin -> active-response -> base)
LOCAL=$(dirname "$0")
cd "$LOCAL" || exit 1
cd ../ || exit 1
PWD=$(pwd)

# Logging the call
echo "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "${PWD}/../logs/active-responses.log"

The permissions on test.sh are correct, with execute permission, and I added it to the ossec group, as all the other ARs seemed to have that. Thanks!
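When an active response never fires, the first thing worth separating is "does the script work when called the way ossec-execd calls it" from "is execd ever calling it". The block below is an added example, not part of the original post or of OSSEC itself. It builds a throwaway directory tree shaped like /var/ossec (active-response/bin and logs, both assumed paths), drops a copy of the test script into it, invokes that script by hand with execd's argument order (action, user, source IP, alert id, rule id, with "-" standing in for an absent user) and counts the resulting log lines. It also checks the wiring between a `<command>` block and the file on disk: the `<executable>` named in the config must exist in active-response/bin and be executable. All function names, the sample config text and the sample alert values are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from OSSEC): exercise an
# OSSEC-style active-response script by hand, in a scratch tree that mirrors
# the /var/ossec layout (assumed: active-response/bin and logs under one root).

# Create <root>/active-response/bin/test.sh and <root>/logs, print <root>.
make_scratch_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/active-response/bin" "$root/logs"
    # Same logic as the posted script: locate the base dir relative to $0,
    # then append one line per invocation to logs/active-responses.log.
    cat > "$root/active-response/bin/test.sh" <<'EOF'
#!/bin/sh
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5
LOCAL=$(dirname "$0")
cd "$LOCAL" || exit 1
cd ../ || exit 1
PWD=$(pwd)
echo "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "${PWD}/../logs/active-responses.log"
EOF
    chmod 750 "$root/active-response/bin/test.sh"
    printf '%s\n' "$root"
}

# Call the script with ossec-execd's argument order:
#   <action> <user> <srcip> <alert_id> <rule_id>
# ("-" is what execd passes when a field is not present in the alert).
# Prints how many log lines now mention the rule id, so repeated calls
# (e.g. an "add" followed by a "delete") can be seen to accumulate.
run_ar_by_hand() {
    root=$1; action=$2; srcip=$3; alert_id=$4; rule_id=$5
    "$root/active-response/bin/test.sh" "$action" - "$srcip" "$alert_id" "$rule_id"
    grep -c "$rule_id" "$root/logs/active-responses.log"
}

# Check that the <executable> named in a <command> block exists in
# active-response/bin and is executable. Takes the root and a config file.
check_ar_wiring() {
    root=$1; conf=$2
    exe=$(sed -n 's:.*<executable>\([^<]*\)</executable>.*:\1:p' "$conf" | head -n 1)
    if [ -z "$exe" ]; then
        echo "no <executable> element found in $conf"
        return 1
    fi
    if [ ! -x "$root/active-response/bin/$exe" ]; then
        echo "$exe is missing from active-response/bin or not executable"
        return 1
    fi
    echo "ok: $exe is present and executable"
}

# Write a constructed ossec.conf fragment with the posted <command> block.
write_sample_conf() {
    conf=$1
    printf '%s\n' '<command><name>test</name><executable>test.sh</executable><expect></expect><timeout_allowed>no</timeout_allowed></command>' > "$conf"
}

# Stand-alone demo: one "add" call, then show the log line and the wiring check.
if [ "${AR_DEMO:-0}" = "1" ]; then
    demo_root=$(make_scratch_tree)
    run_ar_by_hand "$demo_root" add 203.0.113.5 1525000000.12345 70999
    cat "$demo_root/logs/active-responses.log"
    write_sample_conf "$demo_root/ossec.conf"
    check_ar_wiring "$demo_root" "$demo_root/ossec.conf"
    rm -rf "$demo_root"
fi
```

Run it with AR_DEMO=1 to see one "add" invocation land in the scratch logs/active-responses.log. If the copy of the script works here but nothing appears in the real log, the problem is upstream of the script (execd never receiving the command), not in the script itself.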