On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant <cspitr....@gmail.com> wrote:
> Hello,
>
> I'm pretty new to OSSEC and I'm working to get some active responses
> working. I have tried a number of different active responses but cannot seem
> to get it to work anywhere (not on the server or agents). I'm now trying a
> simple AR to just log to active-responses.log but it still does not seem to
> be triggering. I do receive the email alert, but the AR does not trigger.
> Here is my config for the test active response:
>
> <command>
>   <name>test</name>
>   <executable>test.sh</executable>
>   <expect></expect>
>   <timeout_allowed>no</timeout_allowed>
> </command>
>
> (I've tried the location as local, all, and server but no luck)
>
> <active-response>
>   <disabled>no</disabled>
>   <command>test</command>
>   <location>local</location>
>   <rules_id>70999</rules_id>
>   <level>0</level>
> </active-response>
>
>
>
> #!/bin/sh
>
> # Positional arguments as passed by execd
> ACTION=$1
> USER=$2
> IP=$3
> ALERTID=$4
> RULEID=$5
>
> # Move from active-response/bin up to active-response so the log path resolves
> LOCAL=`dirname "$0"`
> cd "$LOCAL"
> cd ../
> PWD=`pwd`
>
> # Logging the call (the redirect has to stay on the same line as the echo)
> echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
>
>
>
> The permissions on test.sh are correct with execute permission, and I added
> it to the ossec group as all the other ARs seemed to have that.
>

Is test.sh on the system you're trying to run the AR on?
Is execd running on the system you're trying to run the AR on?
Is 70999 firing?
With rules_id, I don't think you'll need the level option set.

>
> Thanks!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
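As an added example (code from neither poster), a small pre-flight script that answers the three questions in the reply and also calls the AR script by hand with the positional arguments execd passes. It assumes the default /var/ossec layout (active-response/bin and logs under OSSEC_DIR) and the daemon name ossec-execd.

```shell
#!/bin/sh
# Constructed pre-flight checks for an OSSEC active response; not OSSEC's own code.
# Assumes $OSSEC_DIR/active-response/bin and $OSSEC_DIR/logs (default /var/ossec).
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# 1. Is the AR executable present on this host, and does it have the exec bit?
#    Usage: ar_executable_ok <ossec_dir> <executable name from <command>>
ar_executable_ok() {
    f="$1/active-response/bin/$2"
    [ -f "$f" ] && [ -x "$f" ]
}

# 2. Is ossec-execd running? execd is the daemon that launches the script;
#    if it is not up, alerts (and e-mails) still go out but nothing executes.
execd_running() {
    pgrep -x ossec-execd >/dev/null 2>&1
}

# 3. Has the rule fired? Counts "Rule: <id> " headers in alerts.log and prints it.
#    Usage: rule_alert_count <ossec_dir> <rule id>
rule_alert_count() {
    log="$1/logs/alerts/alerts.log"
    [ -f "$log" ] || { echo 0; return 0; }
    grep -c "^Rule: $2 " "$log" || true
}

# 4. Run the AR script by hand with the argument order execd uses
#    (action user srcip alert_id rule_id) and confirm it wrote to
#    active-responses.log. A unique alert id serves as the marker to look for.
#    Usage: ar_manual_run_logged <ossec_dir> <executable> <rule id>
ar_manual_run_logged() {
    marker="manual-check-$$"
    "$1/active-response/bin/$2" add - 192.0.2.10 "$marker" "$3" || return 1
    grep -q "$marker" "$1/logs/active-responses.log"
}

run_checks() {
    ar_executable_ok "$OSSEC_DIR" "$1" && echo "ok: $1 present and executable" || echo "FAIL: $1 missing or not executable in $OSSEC_DIR/active-response/bin"
    execd_running && echo "ok: ossec-execd running" || echo "FAIL: ossec-execd not running"
    echo "alerts seen for rule $2: $(rule_alert_count "$OSSEC_DIR" "$2")"
    ar_manual_run_logged "$OSSEC_DIR" "$1" "$2" && echo "ok: manual run logged" || echo "FAIL: manual run wrote nothing to active-responses.log"
}

# Run as:  sh ar-check.sh test.sh 70999
if [ "$#" -ge 2 ]; then
    run_checks "$1" "$2"
fi
```

Run it as the user execd runs under (ossec) so that a permission problem on the log file shows up in the manual-run check rather than only in production.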
