I need to pass hostname to the active-response script. Here is the log test:
    **Phase 1: Completed pre-decoding.
           full event: 'Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'
           hostname: 'someservername.local'
           program_name: '(null)'
           log: '[Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'

I tried to use the following construction:

    <command>
      <name>log_error</name>
      <executable>test.sh</executable>
      <timeout_allowed>no</timeout_allowed>
      <expect>hostname</expect>
    </command>

But ossec doesn't pass hostname to script.

/var/ossec/logs/active-responses.log:

    the ip address is /var/ossec/active-response/bin/test.sh add - - 1347870299.890849 100018 /var/log/remote.log

P.S. Here is the original text message in /var/log/remote.log:

    Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "
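The active-responses.log line above shows the script receiving the alert ID (1347870299.890849) as its fourth argument, so one approach is to look that alert up in alerts.log and read the hostname from the raw event. The sketch below is an added example, not part of the original post and not OSSEC's own code; the function names, the OSSEC_ALERTS variable and the alerts.log entry layout described in the comments are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical body for test.sh, not OSSEC's own code.
# Arguments as in the active-responses.log line above:
#   $1 action, $2 user, $3 srcip, $4 alert ID, $5 rule ID, $6 location

# hostname_for_alert ALERTS_FILE ALERT_ID
# Prints the syslog hostname (4th field of the raw event) of the alert
# with that ID. Assumed alerts.log entry layout: "** Alert <id>:" header,
# timestamp/location line, "Rule:" line, optional "Src IP:"/"User:"
# lines, then the raw event.
hostname_for_alert() {
    awk -v id="$2:" '
        $1 == "**" && $2 == "Alert"  { hit = ($3 == id); seen_rule = 0; next }
        hit && /^Rule: /             { seen_rule = 1; next }
        hit && /^(Src IP|User): /    { next }
        hit && seen_rule && NF >= 4  { print $4; exit }
    ' "$1"
}

# The hostname comes from log data a remote sender controls, so accept
# only hostname characters and no leading "-" before using it anywhere.
is_safe_hostname() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

main() {
    # OSSEC_ALERTS is a hypothetical override; the default is the stock path.
    alerts=${OSSEC_ALERTS:-/var/ossec/logs/alerts/alerts.log}
    host=$(hostname_for_alert "$alerts" "$4")
    if ! is_safe_hostname "$host"; then
        echo "test.sh: no usable hostname for alert $4" >&2
        return 1
    fi
    echo "action=$1 rule=$5 alert=$4 host=$host"
}

if [ "$#" -ge 5 ]; then main "$@"; fi
```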
