Hello @dan

Thank you for your answer.

Yes, it seems that ossec-execd is running on my agent:

[root@hostname etc]# ps -edf | grep ossec-exec[d]
root 20235 1 0 08:36 ? 00:00:00 /var/ossec/bin/ossec-execd

And yes, the restart.sh is listed on the agent:

[root@hostname etc]# cat /var/ossec/etc/shared/ar.conf
3restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
restart-ossec0 - restart-ossec.sh - 0
restart0 - restart.sh - 0
restart-remoted0 - check_process.sh - 0

But the script doesn't start on my agent that triggered the rule. (I tried to make an echo into a file to debug, but nothing happened ...)

Any ideas on why?

Thanks,
Kevin

On Friday, 9 October 2015 13:35:37 UTC+2, dan (ddpbsd) wrote:
> On Thu, Oct 8, 2015 at 5:31 AM, Kévin Printz <[email protected]> wrote:
> > Hello (again)
> >
> > I made other tests to try to understand why it's not working. If I set up the <localfile> section in my server ossec.conf file, and I try to stop the NTPD process on my server, the rule is fired, and the active response is executed on my server.
> > But, when the rule is fired by the agent, the active response is never executed (not on the server, nor on the agent).
> >
>
> Is ossec-execd running on the agent?
> Make sure the restart.sh is listed in the /var/ossec/etc/shared/ar.conf file on the agent.
>
> > Any ideas?
> > Thanks,
> > Kevin.
> >
> > On Tuesday, 6 October 2015 16:02:34 UTC+2, Kévin Printz wrote:
> >>
> >> Hi!
> >>
> >> I have an OSSEC server, connected with a remote agent. And I want to have an active response set up on the agent, according to a process state change.
> >> For instance, I have an ntpd process running on my agent, and I want to start it if the process changes to the stopped state (using the service command - it's only for a test in order to realize a POC).
> >>
> >> So, I set up the following configuration in my ossec.conf file on the agent side:
> >> <localfile>
> >> <log_format>full_command</log_format>
> >> <command>service ntpd status</command>
> >> </localfile>
> >>
> >> And, for the test, I created a script to start the ntpd service:
> >> [root@agenthostname scripts]# ll /var/ossec/active-response/bin/restart.sh
> >> -r-xr-x--- 1 root ossec 40 Oct 6 13:33 /var/ossec/active-response/bin/restart.sh
> >>
> >> [root@agenthostname scripts]# cat /var/ossec/active-response/bin/restart.sh
> >> #!/bin/bash
> >> service ntpd start
> >> exit 0
> >>
> >> Then, on the server side, I set up the following rule:
> >> <rule id="90000" level="7">
> >> <if_sid>530</if_sid>
> >> <match>ossec: output: 'service ntpd status</match>
> >> <check_diff />
> >> <description>ntpd change state - starting it</description>
> >> </rule>
> >>
> >> And, in the ossec.conf on the server, I set up the following command and active response:
> >> <command>
> >> <name>restart</name>
> >> <executable>restart.sh</executable>
> >> <expect></expect>
> >> </command>
> >> <active-response>
> >> <command>restart</command>
> >> <location>local</location>
> >> <rules_id>90000</rules_id>
> >> </active-response>
> >>
> >> So, when I stop the ntpd process on the server, some time later, I get the following message in my server alerts file:
> >> ==> /var/ossec/logs/alerts/alerts.log <==
> >> ** Alert 1444138866.25874: mail - ossec,
> >> 2015 Oct 06 13:41:06 (agenthostname) any->service ntpd status
> >> Rule: 90000 (level 7) -> 'automatic restart of agent to load new configuration'
> >> ossec: output: 'service ntpd status':
> >> ntpd is stopped
> >> Previous output:
> >> ossec: output: 'service ntpd status':
> >> ntpd (pid 1418) is running...
> >>
> >> So, the rule is detected, but that's all. The active response doesn't start on my agent. (The NTPD process is still stopped, and nothing appears in the client /var/ossec/logs/active-responses.log file ...)
> >> Perhaps I have made a mistake in the active response setup?
> >>
> >> Thank you,
> >> Kevin
> >>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
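A small agent-side diagnostic that checks the three prerequisites dan raises (ossec-execd running, the script listed in etc/shared/ar.conf, the script present and executable) against one OSSEC tree. This is an added example, not code from the thread or from OSSEC itself; it assumes the tree lives under OSSEC_DIR (default /var/ossec) and that ar.conf entries have the "name - script - timeout" layout shown in Kevin's listing.

```bash
#!/bin/bash
# Added diagnostic (not from the thread or from OSSEC): checks, on an agent,
# the prerequisites for an active response to actually run there.
# Assumption: the OSSEC tree is under OSSEC_DIR (defaults to /var/ossec).
set -u
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# ar.conf entries look like "restart0 - restart.sh - 0"; the script name is
# the third whitespace-separated field. Returns 0 if SCRIPT is listed,
# 1 if not, 2 if ar.conf is missing or unreadable.
ar_script_listed() {
    local script="$1" conf="$OSSEC_DIR/etc/shared/ar.conf"
    [ -r "$conf" ] || return 2
    awk -v s="$script" '$3 == s { found = 1 } END { exit found ? 0 : 1 }' "$conf"
}

# Returns 0 when SCRIPT exists under active-response/bin and is executable.
# The "-r-xr-x--- root ossec" mode shown in the thread passes this check.
ar_script_executable() {
    local path="$OSSEC_DIR/active-response/bin/$1"
    [ -f "$path" ] && [ -x "$path" ]
}

# Returns 0 when an ossec-execd process from this tree is running.
execd_running() {
    pgrep -f "$OSSEC_DIR/bin/ossec-execd" >/dev/null 2>&1
}

# Prints one line per check and returns the number of failed checks.
check_active_response() {
    local script="$1" failed=0
    if execd_running; then echo "ok:   ossec-execd is running"
    else echo "FAIL: ossec-execd is not running"; failed=$((failed + 1)); fi
    if ar_script_listed "$script"; then echo "ok:   $script listed in etc/shared/ar.conf"
    else echo "FAIL: $script not listed in etc/shared/ar.conf"; failed=$((failed + 1)); fi
    if ar_script_executable "$script"; then echo "ok:   $script present and executable"
    else echo "FAIL: $script missing or not executable"; failed=$((failed + 1)); fi
    return "$failed"
}

# Usage: ./check-ar.sh restart.sh   (runs only when a script name is given)
if [ -n "${1-}" ]; then
    check_active_response "$1"
fi
```

The exit status equals the number of failed checks, so it can be used directly in a cron job or a monitoring probe on each agent.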
