Well, you could start with using a rule for that user first. Then you could change the "<level>2</level>" option you're using to <rules_id>100001</rules_id>, assuming that's your rule ID.
Then you can just configure the script to do something, either block the IP, lock the user account, etc.

Hope that helps.

On Jan 25, 1:38 pm, "Carrie Poole" <[email protected]> wrote:
> I'm trying to set an Active Response alert based on a particular user
> login, and I'm not sure how to write the script.
>
> Anyone out there have any ideas?
>
> What I need it to do is email an alert when a certain user account logs
> into any one of the agents.
>
> I think I got the command config and active response config correct, but
> I don't know how to write the script so it sets off on only that user:
>
> <command>
>   <name>beeper-login-Notification</name>
>   <executable>beeper-login.sh</executable>
>   <expect>username</expect>
>   <timeout_allowed>no</timeout_allowed>
> </command>
>
> <active-response>
>   <disabled>no</disabled>
>   <command>beeper-login-Notification</command>
>   <location>all</location>
>   <level>2</level>
>   <rules_group>authentication_success</rules_group>
> </active-response>
>
> Carrie Poole,
> Network Engineer
> (610) 821-8980 ext 559
> (610)841-5559 (Direct)
> Fax: (610)821-1245
> [email protected]
>
> CONFIDENTIALITY NOTICE: This e-mail is confidential and intended
> solely for the use of the individual or entity to which it is addressed. If
> you are not the intended recipient, be advised that you have received
> this email in error and that any use, dissemination, forwarding, printing
> or copying of this e-mail is strictly prohibited. If you received this e-mail
> in error, please delete it from your computer and contact the sender.
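
One way to write the script asked about in this thread, as an added example that is not part of the original messages or OSSEC's own code. It assumes ossec-execd passes action, user, source IP, alert id and rule id as positional arguments (the order the stock scripts read them), that a local rule 100001 matches the account, and that `mail` is installed; the account name `beeper` and the recipient address are placeholders.

```shell
#!/bin/sh
# Added example for beeper-login.sh (not from the thread or the OSSEC project).
# Assumed arguments: $1 action (add|delete), $2 user, $3 srcip, $4 alert id, $5 rule id
# Assumed local rule (constructed), referenced via <rules_id>100001</rules_id>:
#   <rule id="100001" level="7">
#     <if_group>authentication_success</if_group>
#     <user>beeper</user>
#     <description>Watched account logged in</description>
#   </rule>

WATCHED_USER="${WATCHED_USER:-beeper}"      # hypothetical account name
MAIL_TO="${MAIL_TO:-secops@example.com}"    # placeholder recipient
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# Accept only characters expected in an account name. The value is parsed out
# of log data, so treat it as untrusted before it reaches mail or a shell.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the notification body; return non-zero when no mail should be sent.
build_notice() {
    action=$1 user=$2 srcip=$3 alertid=$4 ruleid=$5
    [ "$action" = "add" ] || return 1          # skip "delete" (timeout) calls
    valid_user "$user" || return 2             # reject malformed usernames
    [ "$user" = "$WATCHED_USER" ] || return 3  # second check beside the rule
    printf 'Login by watched account %s from %s (rule %s, alert %s)\n' \
        "$user" "${srcip:--}" "${ruleid:--}" "${alertid:--}"
}

main() {
    echo "$(date) $0 $*" >> "$AR_LOG"          # audit trail of every invocation
    body=$(build_notice "$@") || exit 0
    printf '%s\n' "$body" | mail -s "OSSEC: watched login" "$MAIL_TO"
}

# Run only when installed under its real name, so the file can be sourced in tests.
case "$0" in
    *beeper-login.sh) main "$@" ;;
esac
```

The script keeps its own check on the username so that a later change to the `<active-response>` scope (for example back to `<rules_group>authentication_success</rules_group>`) does not turn every login into a page.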
