Hi Sebastian,

The problem is that your active-response script is expecting the "srcip", but it is not available in the log.
Try removing:

<expect>srcip</expect>

From the "command" tag and your response should work. Note that there is no srcip from the log:

"
Src IP: (none)
User: (none)
MySQL log: 080312 18:15:05 mysqld ended
"

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Mar 12, 2008 at 2:22 PM, Sebastian Kösters <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I tested a bit with active-response but now I need help.
>
> I would like to trigger a script when a mysql server went down.
>
> So I tried it with active-response.
>
> My Server is configured like this:
>
> <command>
>   <name>mysql</name>
>   <executable>mysql.sh</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>no</timeout_allowed>
> </command>
>
> <active-response>
>   <command>mysql</command>
>   <location>local</location>
>   <level>20</level>
> </active-response>
>
> The Script "mysql.sh" is working fine when I start it by hand (it sends
> a message to a monitoring system).
>
> I also changed a rule to level 20 to match the active-response.
>
> <rule id="50120" level="20">
>   <if_sid>50100</if_sid>
>   <match>mysqld ended|Shutdown complete</match>
>   <description>Database shutdown messge.</description>
>   <group>service_availability,</group>
> </rule>
>
> My Client is configured like this:
>
> <localfile>
>   <log_format>mysql_log</log_format>
>   <location>/var/lib/mysql/mysql/host.mysql.err</location>
> </localfile>
>
> It reads the mysql logfile.
>
> When I now stop mysql I see a message on my server (alerts.log)
>
> ** Alert 1205342106.48671: mail - mysql_log,service_availability,
> 2008 Mar 12 18:15:06 (client) 10.10.170.9->/var/lib/mysql/host.mysql.err
> Rule: 50120 (level 20) -> 'Database shutdown messge.'
> Src IP: (none)
> User: (none)
> MySQL log: 080312 18:15:05 mysqld ended
>
> but the mysql.sh Script is not triggered and I don't know why?!
>
> I hope I can get help here.
>
> Thanks in advance!
>
> Kind regards
> Sebastian
>
> --
> With kind regards
>
> Sebastian Kösters
>
> systems architect
> Trade Haven GmbH
> In der Steele 37, 40599 Düsseldorf
> T +49 211 749659 14 mailto:[EMAIL PROTECTED]
> F +49 211 749659 29 http://www.tradehaven.de
> --------------------------------------------------------------------
> Managing Directors: Michael Heck | Oliver Wagner
> Commercial Register Düsseldorf: HRB 53379
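
Added example, not part of the original thread and not OSSEC code: a small Python check that reads the <command> and <active-response> blocks and the alert quoted above, and reports which <expect> fields the alert does not carry. The <ossec_config> wrapper, the function names and the "username" mapping are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Blocks quoted in the thread; the <ossec_config> root is added so they parse as one document.
CONF = """<ossec_config>
<command>
  <name>mysql</name>
  <executable>mysql.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>mysql</command>
  <location>local</location>
  <level>20</level>
</active-response>
</ossec_config>"""

# Alert text as quoted in the thread (from alerts.log).
ALERT = """** Alert 1205342106.48671: mail - mysql_log,service_availability,
2008 Mar 12 18:15:06 (client) 10.10.170.9->/var/lib/mysql/host.mysql.err
Rule: 50120 (level 20) -> 'Database shutdown messge.'
Src IP: (none)
User: (none)
MySQL log: 080312 18:15:05 mysqld ended"""

# <expect> value -> alert header label. "username" is an assumption; the thread only shows srcip.
FIELD_LABELS = {"srcip": "Src IP", "username": "User"}

def alert_fields(alert):
    """Return {expect_name: value} for the fields this alert actually carries."""
    found = {}
    for name, label in FIELD_LABELS.items():
        m = re.search(rf"^{label}:\s*(.+)$", alert, re.M)
        if m and m.group(1).strip() != "(none)":
            found[name] = m.group(1).strip()
    return found

def unmet_expectations(conf_xml, alert):
    """Return {command: [expected fields missing from the alert]} per active-response."""
    root = ET.fromstring(conf_xml)
    expects = {}
    for cmd in root.findall("command"):
        wanted = (cmd.findtext("expect") or "").split(",")
        expects[(cmd.findtext("name") or "").strip()] = [w.strip() for w in wanted if w.strip()]
    have = alert_fields(alert)
    return {name: [f for f in expects.get(name, []) if f not in have]
            for name in ((ar.findtext("command") or "").strip()
                         for ar in root.findall("active-response"))}

if __name__ == "__main__":
    print(unmet_expectations(CONF, ALERT))  # {'mysql': ['srcip']}
```

A non-empty list for a command means the alert lacks a field that command expects, which is the condition Daniel describes for the MySQL shutdown alert.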