On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant <cspitr....@gmail.com> wrote: > Hello, > > I'm pretty new to OSSEC and I'm working to get some active responses > working. I have tried a number of different active responses but cannot seem > to get it to work anywhere (not on the server or agents). I'm now trying a > simple AR to just log to active-responses.log but it still does not seem to > be triggering. I do receive the email alert, but the AR does not trigger. > Here is my config for the test active response: > > <command> > > <name>test</name> > > <executable>test.sh</executable> > > <expect></expect> > > <timeout_allowed>no</timeout_allowed> > > </command> > > (I've tried the location as local, all, and server but no luck) > > <active-response> > > <disabled>no</disabled> > > <command>test</command> > > <location>local</location> > > <rules_id>70999</rules_id> > > <level>0</level> > > </active-response> > > > > #!/bin/sh > > ACTION=$1 > USER=$2 > IP=$3 > ALERTID=$4 > RULEID=$5 > > LOCAL=`dirname $0`; > cd $LOCAL > cd ../ > PWD=`pwd` > > > # Logging the call > echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> > ${PWD}/../logs/active-responses.log > > > > The permissions on test.sh are correct with execute permission and I added > them to ossec group as all other ARs seemed to have that. >
Is test.sh on the system you're trying to run the AR on? Is execd running on the system you're trying to run the AR on? Is 70999 firing? With rules_id, I don't think you'll need the level option set. > > Thanks! > > > > > > > > > > > > > > > > > > > > > </active-response> > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.