Ole would you mind sharing your notify-pushbullet script?

On Thursday, September 8, 2016 at 3:59:26 PM UTC+1, Ole Jakob Skjelten wrote:
> Hi,
>
> Having fiddled perhaps a bit too much with the setup of OSSEC, my active
> responses on my server stopped working last night, and I'm unable to
> pinpoint the problem. I unfortunately, even with debug enabled, see any
> errors in ossec.log, and I'm quite unsure how to go about debugging this.
>
> If I, on the server look at the available active responses I get this:
>
> agent_control -L
> OSSEC HIDS agent_control. Available active responses:
> Response name: notify-pushbullet0, command: notify-pushbullet.py
> Response name: firewall-honeypot0, command: firewall-honeypot.sh
> Response name: firewall-permaban0, command: firewall-permaban.sh
>
> So far, so good.
>
> Looking at my list of active agents I get:
>
> agent_control -l
> OSSEC HIDS agent_control.
> List of available agents: ID: 000, Name: ShadowBUNT (server), IP: 127.0.0.1, Active/Local
> ...
> ...
>
> Now, if I try to trigger an active response on the server, everything
> looks fine:
> agent_control -u 000 -f notify-pushbullet0 -b 192.168.1.1
> OSSEC HIDS agent_control: Running active response 'notify-pushbullet0' on: 000
>
> However, nothing shows up in */var/ossec/logs/active-responses.log*. And
> when I look at *ossec.log*, I find this one:
> 2016/09/08 16:25:02 ossec-remoted(1320): ERROR: Agent '000' not found.
>
> One possible explanation is that I reinstalled OSSEC and copied over my
> old config, but I suspect I didn't do it 100%, as I had to re-add all the
> agents. Since the server/agent doesn't have the option to remove/add/insert
> key/get key however, I didn't do anything with it. As far as I can tell,
> all other functionality is fine, including alerts. Though I notice that
> alerts on the server are listed with location "localhost" instead of
> "ShadowBUNT", which is the server name. I don't know if that's important.
>
> Since I'd rather not do another complete reinstall, I was hoping someone
> might know how I can fix this...
>
> OJ