Hello,

I'm pretty new to OSSEC and I'm working to get some active responses 
working. I have tried a number of different active responses but cannot 
seem to get it to work anywhere (not on the server or agents). I'm now 
trying a simple AR to just log to active-responses.log but it still does 
not seem to be triggering. I do receive the email alert, but the AR does 
not trigger. Here is my config for the test active response:

<command>
   <name>test</name>
   <executable>test.sh</executable>
   <expect></expect>
   <timeout_allowed>no</timeout_allowed>
</command>

(I've tried the location as local, all, and server but no luck)

<active-response>
   <disabled>no</disabled>
   <command>test</command>
   <location>local</location>
   <rules_id>70999</rules_id>
   <level>0</level>
</active-response>



#!/bin/sh

ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`


# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log



The permissions on test.sh are correct with execute permission and I added 
them to ossec group as all other ARs seemed to have that.


Thanks!