Hi!
 
I have an OSSEC server connected to a remote agent, and I want to set up an 
active response on the agent triggered by a process state change.
For instance, I have an ntpd process running on my agent, and I want to 
start it if the process changes to the stopped state (using the service 
command; this is only a test in order to build a POC).
 
So I set up the following configuration in the ossec.conf file on the 
agent side:
<localfile>
    <log_format>full_command</log_format>
    <command>service ntpd status</command>
</localfile>
 
And, for the test, I created a script to start the ntpd service:
[root@agenthostname scripts]# ll /var/ossec/active-response/bin/restart.sh
-r-xr-x--- 1 root ossec 40 Oct  6 13:33 /var/ossec/active-response/bin/restart.sh

[root@agenthostname scripts]# cat /var/ossec/active-response/bin/restart.sh
#!/bin/bash
# Active-response script: unconditionally starts ntpd. The positional
# arguments OSSEC passes to a response script (action, user, IP, alert id,
# rule id) are not used, and nothing is written to active-responses.log.
service ntpd start
exit 0
 
 
 
Then, on the server side, I set up the following rule:
  <rule id="90000" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'service ntpd status</match>
    <check_diff />
    <description>ntpd change state - starting it</description>
  </rule>
 
And in the ossec.conf on the server, I set up the following command and 
active response:
  <command>
    <name>restart</name>
    <executable>restart.sh</executable>
    <expect></expect>
  </command>

  <active-response>
    <command>restart</command>
    <location>local</location>
    <rules_id>90000</rules_id>
  </active-response>
 
So, when I stop the ntpd process on the server, some time later I get the 
following message in my server's alerts file:
==> /var/ossec/logs/alerts/alerts.log <==
** Alert 1444138866.25874: mail  - ossec,
2015 Oct 06 13:41:06 (agenthostname) any->service ntpd status
Rule: 90000 (level 7) -> 'automatic restart of agent to load new configuration'
ossec: output: 'service ntpd status':
ntpd is stopped
Previous output:
ossec: output: 'service ntpd status':
ntpd (pid  1418) is running...
 
 
 
So the rule is triggered, but that's all. The active response doesn't start 
on my agent (the ntpd process is still stopped, and nothing appears in the 
client's /var/ossec/logs/active-responses.log file ...).
Perhaps I have made a mistake in the active response setup?
 
Thank you,
Kevin
 

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
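The following is an added example, not the restart.sh from the post and not one of OSSEC's stock scripts. It is an active-response script written the way the stock scripts in /var/ossec/active-response/bin are: OSSEC launches a response script with positional arguments, the first five being the action ("add", or "delete" when a configured <timeout> expires), the user, the source IP, the alert id and the rule id, and the stock scripts append a line for every invocation to /var/ossec/logs/active-responses.log themselves. That last point matters for the symptom described above: the restart.sh in the post never writes to that log, so an empty active-responses.log on the agent does not by itself show whether the script ran. The variables SERVICE_CMD, UNIT and AR_LOG are assumptions of this example so it can be exercised without ntpd; their defaults match a stock install.

```shell
#!/bin/bash
# Added example (not the script from the post, not OSSEC's own code):
# an OSSEC active-response script that follows the convention of the stock
# scripts in /var/ossec/active-response/bin.
# OSSEC runs a response script with positional arguments; the first five are
#   $1 action (add, or delete when a <timeout> expires)   $2 user
#   $3 source IP   $4 alert id   $5 rule id
# SERVICE_CMD, UNIT and AR_LOG are assumptions of this example, overridable
# so it can be exercised without ntpd; the defaults match a stock install.

SERVICE_CMD="${SERVICE_CMD:-service}"
UNIT="${UNIT:-ntpd}"
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# Record every invocation, as the stock scripts do, so that an empty
# active-responses.log really does mean the script was never executed.
log() {
    echo "$(date '+%a %b %d %H:%M:%S %Z %Y') $0 $*" >> "$AR_LOG"
}

# handle ACTION USER IP ALERT_ID RULE_ID
# Exit status: 0 the service was started, 2 nothing needed doing,
# 1 unknown action or the start failed.
handle() {
    action="$1"
    alert_id="$4"
    rule_id="$5"
    log "$@"
    case "$action" in
        add) ;;
        delete)
            # Starting a service has nothing to undo when the timeout expires.
            log "nothing to undo for rule $rule_id (alert $alert_id)"
            return 2 ;;
        *)
            log "unknown action '$action', refusing to run"
            return 1 ;;
    esac
    # Idempotent: check the state first so a second alert for the same
    # condition does not restart a service that is already back up.
    if "$SERVICE_CMD" "$UNIT" status >/dev/null 2>&1; then
        log "$UNIT already running, nothing to do (rule $rule_id, alert $alert_id)"
        return 2
    fi
    if "$SERVICE_CMD" "$UNIT" start >/dev/null 2>&1; then
        log "started $UNIT (rule $rule_id, alert $alert_id)"
        return 0
    fi
    log "failed to start $UNIT (rule $rule_id, alert $alert_id)"
    return 1
}

# Act only when OSSEC (or a tester) supplied the full argument list.
if [ "$#" -ge 5 ]; then
    handle "$@"
fi
```

Installed as /var/ossec/active-response/bin/restart.sh with the same root:ossec 0750 ownership as in the post, it can be checked by hand on the agent before involving the server, for example with `./restart.sh add - - 1444138866.25874 90000`: the command line is logged first, then the outcome, so active-responses.log shows both whether the script was invoked and what it decided to do.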