On Mon, Sep 17, 2012 at 4:52 AM, kay kay <[email protected]> wrote:
> I need to pass hostname to the active-response script. Here is the log test:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'
>        hostname: 'someservername.local'
>        program_name: '(null)'
>        log: '[Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'
>
> I tried to use the following construction:
>
> <command>
>   <name>log_error</name>
>   <executable>test.sh</executable>
>   <timeout_allowed>no</timeout_allowed>
>   <expect>hostname</expect>
> </command>
>
> But ossec doesn't pass hostname to the script.
> /var/ossec/logs/active-responses.log:
> the ip address is /var/ossec/active-response/bin/test.sh add - - 1347870299.890849 100018 /var/log/remote.log
>
> P.S. Here is the original text message in /var/log/remote.log:
>
> Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "
The only things you can really send to AR are srcip and user. Also, hostname doesn't show up in the log message, only the pre-decoded bits at the beginning.
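As an added example (not part of this thread and not one of OSSEC's own scripts), a minimal active-response script that parses the positional arguments shown in the active-responses.log line above (`add - - 1347870299.890849 100018 /var/log/remote.log`) and treats `-` as "field not available"; the names given to the fields after action, user and srcip are assumptions, as is the log path.

```shell
#!/bin/sh
# Added example: parse the positional arguments an OSSEC active-response
# script receives, as seen in the active-responses.log line in the thread:
#   test.sh add - - 1347870299.890849 100018 /var/log/remote.log
# OSSEC substitutes "-" for a field the alert did not carry (here both user
# and srcip, since the rule matched neither); hostname is never passed.
# Field names for $4..$6 are assumptions.

# Echo the value of one field, or "unset" when OSSEC passed "-" or nothing.
ar_field() {
    case "$1" in
        ""|-) echo "unset" ;;
        *)    echo "$1" ;;
    esac
}

# Summarise the received arguments as key=value pairs on one line.
parse_ar_args() {
    action=$(ar_field "$1")
    user=$(ar_field "$2")
    srcip=$(ar_field "$3")
    alertid=$(ar_field "$4")    # assumed: alert id
    ruleid=$(ar_field "$5")     # assumed: rule id
    location=$(ar_field "$6")   # assumed: log location
    printf 'action=%s user=%s srcip=%s alertid=%s ruleid=%s location=%s\n' \
        "$action" "$user" "$srcip" "$alertid" "$ruleid" "$location"
}

# Exit 0 when a real value was passed, 1 when OSSEC substituted "-";
# a script that acts on <expect>srcip</expect> should check this first.
have_field() {
    [ "$(ar_field "$1")" != "unset" ]
}

# When invoked by OSSEC (arguments present), record exactly what arrived in
# the active-responses log (default install path, overridable with AR_LOG).
AR_LOG=${AR_LOG:-/var/ossec/logs/active-responses.log}
if [ $# -gt 0 ]; then
    echo "$(date) $0 $(parse_ar_args "$@")" >> "$AR_LOG"
fi
```

Running it with the arguments from the thread logs `user=unset srcip=unset`, which is the quickest way to confirm that a command's `<expect>` field was not actually available to the response.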
