Hello (again)

I made other tests to try to understand why it's not working. If I set up 
the <localfile> section in my server ossec.conf file, and I try to stop 
the NTPD process on my server, the rule is fired, and the active response 
is executed on my server. 
But, when the rule is fired by the agent, the active response is never 
executed (not on the server, nor on the agent).
 
Any ideas?
Thanks,
Kevin.

On Tuesday, October 6, 2015 at 4:02:34 PM UTC+2, Kévin Printz wrote:

> Hi!
>  
> I have an OSSEC server, connected with a remote agent. And I want to have 
> an active response set up on the agent, according to a process state change.
> For instance, I have an ntpd process running on my agent, and I want to 
> start it if the process changes to the stopped state (using the service command 
> - it's only for a test in order to realize a POC).
>  
> So, I set up the following configuration in my ossec.conf file on the 
> agent side:
> <localfile>
>     <log_format>full_command</log_format>
>     <command>service ntpd status</command>
> </localfile>
>  
> And, for the test, I created a script to start the ntpd service:
> [root@agenthostname scripts]# ll /var/ossec/active-response/bin/restart.sh
> -r-xr-x--- 1 root ossec 40 Oct  6 13:33 
> /var/ossec/active-response/bin/restart.sh
>
> [root@agenthostname scripts]# cat /var/ossec/active-response/bin/restart.sh
> #!/bin/bash
> service ntpd start
> exit 0
>  
>  
>  
> Then, on the server side, I set up the following rule:
> <rule id="90000" level="7">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'service ntpd status</match>
>   <check_diff />
>   <description>ntpd change state - starting it</description>
> </rule>
>  
> And, in the ossec.conf on the server, I set up the following command and 
> active response:
> <command>
>   <name>restart</name>
>   <executable>restart.sh</executable>
>   <expect></expect>
> </command>
> <active-response>
>   <command>restart</command>
>   <location>local</location>
>   <rules_id>90000</rules_id>
> </active-response>
>  
> So, when I stop the ntpd process on the server, some time later, I get the 
> following message in my server alerts file:
> ==> /var/ossec/logs/alerts/alerts.log <==
> ** Alert 1444138866.25874: mail  - ossec,
> 2015 Oct 06 13:41:06 (agenthostname) any->service ntpd status
> Rule: 90000 (level 7) -> 'automatic restart of agent to load new 
> configuration'
> ossec: output: 'service ntpd status':
> ntpd is stopped
> Previous output:
> ossec: output: 'service ntpd status':
> ntpd (pid  1418) is running...
>  
>  
>  
> So, the rule is detected, but that's all. The active response doesn't start 
> on my agent. (The NTPD process is still stopped, and nothing appears in the 
> client /var/ossec/logs/active-responses.log file ...)
> Perhaps I have made a mistake in the active response setup?
>  
> Thank you,
> Kevin
>  
>

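When an active response never shows up in active-responses.log, the first thing to establish is whether the script is being invoked at all, and with which arguments. The script below is an added diagnostic variant of the restart.sh in the thread; it is not Kevin's script or part of OSSEC. It assumes the argument order used by OSSEC's bundled active-response scripts (action, user, source IP, alert id, rule id), writes one audit line per invocation, and only runs the service command for the "add" action of the expected rule, so a stray "delete" call or a different rule cannot restart the service. The AR_LOG override and the 5-argument guard are additions for testing.

```shell
#!/bin/bash
# Diagnostic active-response script (constructed example, not from the thread).
# Assumed argument order, as in OSSEC's bundled active-response scripts:
#   $1 action (add|delete)  $2 user  $3 srcip  $4 alert id  $5 rule id
# AR_LOG lets a test redirect the audit log away from the real OSSEC path.
LOG=${AR_LOG:-/var/ossec/logs/active-responses.log}

# Build the audit line written for every invocation, so that a missing line
# in active-responses.log means the script was never called by ossec-execd.
format_log_line() {
    printf '%s %s: action=%s user=%s srcip=%s alert=%s rule=%s\n' \
        "$(date '+%a %b %e %H:%M:%S %Z %Y')" "$0" "$1" "$2" "$3" "$4" "$5"
}

# Act only on the "add" action for the rule id this response is bound to.
#   $1 action  $2 rule id received  $3 rule id expected
should_restart() {
    [ "$1" = "add" ] && [ "$2" = "$3" ]
}

main() {
    # Log first, then decide; the log line is the evidence you want either way.
    format_log_line "$@" >> "$LOG"
    if should_restart "$1" "$5" "90000"; then
        service ntpd start >> "$LOG" 2>&1
    fi
    exit 0
}

# ossec-execd passes at least five arguments; do nothing when sourced or
# run by hand without them, so the functions above can be exercised alone.
if [ "$#" -ge 5 ]; then
    main "$@"
fi
```

Install it with the same ownership and mode as the original (root:ossec, 0550) in /var/ossec/active-response/bin/ on every host that may run it, then compare the audit lines against the alerts.log entries: an alert without a matching audit line points at the execd side of the setup rather than at the script.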
-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.