I am using the full script, I just didn't copy and paste the whole thing, only the relevant portion where I changed things.
On Jul 24, 8:27 am, Jeremy Rossi <[email protected]> wrote:
> --On July 23, 2010 11:00:21 AM -0700 reg <[email protected]> wrote:
>
> > I am trying to write a custom active response based upon the
> > instructions here.
> >
> > http://www.ossec.net/wiki/Know_How:CustomActiveResponses
> >
> > To test, I copied this text exactly and ran it on the server, no
> > problem. However, I would like to have this script run on a remote
> > host. To test, I copied the script to a remote host, added it to the
> > /var/ossec/active-response/bin directory, checked the permissions,
> > then modified the script to only execute this:
> >
> > echo "test" |mail $MAILADDRESS -s "OSSEC Alert"
>
> If this is the only contents of the active response it will always fail.
> The variable $MAILADDRESS is created far earlier in the script.
>
> Use the full script from the web page
> <http://www.ossec.net/wiki/Know_How:CustomActiveResponses#3-Create_act...>
> and just change line 5 MAILADDRESS="[email protected]"
>
> > I have verified that the rule I am using to test works, I do see the
> > alerts coming in. However, the active-response is not kicking off on
> > the remote host and I am not sure why. I turned on debug=2 for the
> > agent on both the OSSEC server and the client I am trying to kick off
> > the action, but nothing is coming up.
> >
> > Here is my command and active response configuration. Even though I do
> > not need any data from the rule itself, the <expect> tags were
> > required for OSSEC to start, but that's another issue (I think).
> >
> > <command>
> >   <name>mailtest</name>
> >   <executable>mailtest.sh</executable>
> >   <expect>srcip</expect>
> >   <timeout_allowed>no</timeout_allowed>
> > </command>
> >
> > <active-response>
> >   <command>svncheck</command>
> >   <location>defined-agent</location>
> >   <agent_id>349</agent_id>
> >   <rules_id>5712</rules_id>
> > </active-response>
> >
> > Can someone give me an idea what I am doing wrong, or some way to turn
> > on further debugging to locate where this is dying?
> >
> > -R
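One check worth running before chasing agent debug output is whether every `<active-response><command>` in ossec.conf names a `<command><name>` that is actually defined, since OSSEC only dispatches a response whose command name matches a defined block. The script below is an added example, not from the thread or from the OSSEC project; it assumes a plain-text ossec.conf laid out with one tag per line, and the sample it writes is a constructed copy of the two blocks quoted above.

```shell
#!/bin/sh
# Added example: cross-check <active-response><command> references against
# defined <command><name> entries in an ossec.conf (assumed one tag per line).

# Print "DEF name" for each defined command and "USE name" for each
# active-response reference. <command> under <localfile> is a log
# collector, not a response, so it is skipped.
extract_ar_names() {
  awk '
    /<localfile>/         { in_lf = 1 }
    /<\/localfile>/       { in_lf = 0 }
    /<active-response>/   { in_ar = 1 }
    in_ar && /<command>/  { s = $0; sub(/.*<command>/, "", s); sub(/<\/command>.*/, "", s); print "USE " s }
    /<\/active-response>/ { in_ar = 0 }
    !in_ar && !in_lf && /<command>/ { in_cmd = 1 }
    in_cmd && /<name>/    { s = $0; sub(/.*<name>/, "", s); sub(/<\/name>.*/, "", s); print "DEF " s }
    /<\/command>/         { in_cmd = 0 }
  ' "$1"
}

# Print each referenced command that has no matching definition, one per line.
undefined_ar_commands() {
  names=$(extract_ar_names "$1")
  echo "$names" | sed -n 's/^USE //p' | sort -u | while read -r use; do
    [ -z "$use" ] && continue
    echo "$names" | grep -qxF "DEF $use" || echo "$use"
  done
}

# Exit 0 when every reference resolves, 1 otherwise (details on stderr).
check_ar_config() {
  bad=$(undefined_ar_commands "$1")
  [ -z "$bad" ] && return 0
  printf 'active-response references undefined command: %s\n' $bad >&2
  return 1
}

# Constructed sample: the two blocks quoted in the thread.
write_sample_config() {
  cat > "$1" <<'EOF'
<ossec_config>
  <command>
    <name>mailtest</name>
    <executable>mailtest.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>svncheck</command>
    <location>defined-agent</location>
    <agent_id>349</agent_id>
    <rules_id>5712</rules_id>
  </active-response>
</ossec_config>
EOF
}
```

Run `check_ar_config /var/ossec/etc/ossec.conf` on the server; it reports any response whose command name has no matching definition.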
