Actually, I did figure it out but thanks for the reply. I did have a permissions issue on the file after all. Mostly I just wanted to know if there was a way to turn on debugging for active response scripts. I see debug for rootcheck, agent, and syscheck, but not much for troubleshooting active response scripts. Maybe I am missing something somewhere.
On Aug 8, 7:39 pm, JM <[email protected]> wrote:
> On Fri, Jul 23, 2010 at 13:00, reg <[email protected]> wrote:
> > [trim]
> >
> > Here is my command and active response configuration. Even though I do
> > not need any data from the rule itself, the
> > <expect> tags were required for OSSEC to start, but that's another
> > issue (I think).
> >
> > <command>
> > <name>mailtest</name>
> > <executable>mailtest.sh</executable>
> > <expect>srcip</expect>
> > <timeout_allowed>no</timeout_allowed>
> > </command>
> >
> > <active-response>
> > <command>svncheck</command>
> > <location>defined-agent</location>
> > <agent_id>349</agent_id>
> > <rules_id>5712</rules_id>
> > </active-response>
>
> I realize I'm a bit late to this thread, and you may have already
> figured this out, but if I understand correctly, the <command> element
> inside <active-response> must match the <name> element inside the
> previous command block.
>
> Above, you configure a command called "mailtest", but then call a
> command "svncheck".
>
> I believe your active-response block should look more like:
>
> <active-response>
> <command>mailtest</command>
> <location>defined-agent</location>
> <agent_id>349</agent_id>
> <rules_id>5712</rules_id>
> </active-response>
>
> Again, forgive me if you already got past this, but that is the way I
> understand the Active Response documentation from the book.
>
> JM
