On Tue, Oct 13, 2015 at 4:57 AM, Kévin Printz <[email protected]> wrote:
> Hello @dan
>
> Thank you for your answer.
>
> Yes, it seems that ossec-execd is running on my agent :
> [root@hostname etc]# ps -edf | grep ossec-exec[d]
> root     20235     1  0 08:36 ?        00:00:00 /var/ossec/bin/ossec-execd
>
> And yes, the restart.sh is listed on the agent :
> [root@hostname etc]# cat /var/ossec/etc/shared/ar.conf
> 3restart-ossec0 - restart-ossec.sh - 0
> restart-ossec0 - restart-ossec.cmd - 0
> restart-ossec0 - restart-ossec.sh - 0
> restart0 - restart.sh - 0
> restart-remoted0 - check_process.sh - 0
>
> But the script doesn't start on my agent that triggered the rule. (I tried
> to make an echo in a file to debug, but nothing happened ...). Any ideas on
> why?
>


Does the script exist on the agent, and is it executable?

> Thanks,
> Kevin
>
> On Friday, October 9, 2015 at 13:35:37 UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, Oct 8, 2015 at 5:31 AM, Kévin Printz <[email protected]> wrote:
>> > Hello (again)
>> >
>> > I made other tests to try to understand why it's not working. If I set up
>> > the <localfile> section in my server ossec.conf file, and I try to stop
>> > the NTPD process on my server, the rule is fired, and the active response
>> > is executed on my server.
>> > But, when the rule is fired by the agent, the active response is never
>> > executed (neither on the server nor on the agent).
>> >
>>
>> Is ossec-execd running on the agent?
>> Make sure the restart.sh is listed in the
>> /var/ossec/etc/shared/ar.conf file on the agent.
>>
>> > Any ideas ?
>> > Thanks,
>> > Kevin.
>> >
>> > On Tuesday, October 6, 2015 at 16:02:34 UTC+2, Kévin Printz wrote:
>> >>
>> >> Hi !
>> >>
>> >> I have an OSSEC server, connected with a remote agent. And I want to
>> >> have an active response set up on the agent, according to a process
>> >> state change.
>> >> For instance, I have an ntpd process running on my agent, and I want to
>> >> start it if the process changes to the stopped state (using the service
>> >> command - it's only for a test, in order to build a POC).
>> >>
>> >> So, I set up the following configuration in my ossec.conf file on the
>> >> agent side:
>> >> <localfile>
>> >>     <log_format>full_command</log_format>
>> >>     <command>service ntpd status</command>
>> >> </localfile>
>> >>
>> >> And, for the test, I created a script to start the ntpd service:
>> >> [root@agenthostname scripts]# ll
>> >> /var/ossec/active-response/bin/restart.sh
>> >> -r-xr-x--- 1 root ossec 40 Oct  6 13:33
>> >> /var/ossec/active-response/bin/restart.sh
>> >>
>> >> [root@agenthostname scripts]# cat
>> >> /var/ossec/active-response/bin/restart.sh
>> >> #!/bin/bash
>> >> service ntpd start
>> >> exit 0
>> >>
>> >>
>> >>
>> >> Then, on the server side, I set up the following rule:
>> >>  <rule id="90000" level="7">
>> >>    <if_sid>530</if_sid>
>> >>     <match>ossec: output: 'service ntpd status</match>
>> >>     <check_diff />
>> >>     <description>ntpd change state - starting it</description>
>> >>   </rule>
>> >>
>> >> And, in the ossec.conf on the server, I set up the following command
>> >> and active response:
>> >>    <command>
>> >>     <name>restart</name>
>> >>     <executable>restart.sh</executable>
>> >>     <expect></expect>
>> >>   </command>
>> >>  <active-response>
>> >>     <command>restart</command>
>> >>     <location>local</location>
>> >>     <rules_id>90000</rules_id>
>> >>   </active-response>
>> >>
>> >> So, when I stop the ntpd process on the server, some time later, I get
>> >> the following message in my server alerts file:
>> >> ==> /var/ossec/logs/alerts/alerts.log <==
>> >> ** Alert 1444138866.25874: mail  - ossec,
>> >> 2015 Oct 06 13:41:06 (agenthostname) any->service ntpd status
>> >> Rule: 90000 (level 7) -> 'automatic restart of agent to load new
>> >> configuration'
>> >> ossec: output: 'service ntpd status':
>> >> ntpd is stopped
>> >> Previous output:
>> >> ossec: output: 'service ntpd status':
>> >> ntpd (pid  1418) is running...
>> >>
>> >>
>> >>
>> >> So, the rule is detected, but that's all. The active response doesn't
>> >> start on my agent. (The NTPD process is still stopped, and nothing
>> >> appears in the client /var/ossec/logs/active-responses.log file ...)
>> >> Perhaps I have made a mistake in the active response setup?
>> >>
>> >> Thank you,
>> >> Kevin
>> >>
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>

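The checks dan asks for across this thread (is ossec-execd running on the agent, is the script listed in the shared ar.conf, does the script exist under active-response/bin and is it executable) collected into one pre-flight script. This is an added example, not code from the thread or from the OSSEC project; it assumes the standard OSSEC layout under /var/ossec (the root is a parameter so it can be pointed at a test tree) and takes the script name, here restart.sh from the thread, as its argument.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OSSEC active response on an agent.
# Assumes the stock OSSEC directory layout (etc/shared/ar.conf,
# active-response/bin/, logs/active-responses.log) under the given root.

# Is ossec-execd, the daemon that actually runs AR scripts, alive on this host?
execd_running() {
    ps -ef | grep -q '[o]ssec-execd'
}

# Is the script listed in ar.conf? Lines have the form
# "<name><timeout> - <script> - <timeout>", e.g. "restart0 - restart.sh - 0".
ar_conf_lists() {
    root="$1"; script="$2"
    [ -r "$root/etc/shared/ar.conf" ] || return 1
    awk -F' - ' -v s="$script" '$2 == s { found = 1 } END { exit found ? 0 : 1 }' \
        "$root/etc/shared/ar.conf"
}

# Does the script exist where ossec-execd looks for it, and is it executable?
script_runnable() {
    root="$1"; script="$2"
    [ -f "$root/active-response/bin/$script" ] && \
        [ -x "$root/active-response/bin/$script" ]
}

# Show the last few AR log lines; an empty result means no script ever ran.
recent_ar_log() {
    root="$1"
    [ -f "$root/logs/active-responses.log" ] && tail -n 5 "$root/logs/active-responses.log"
}

# Run the file-based checks, one status line each; returns 0 only if all pass.
ar_preflight() {
    root="${1:-/var/ossec}"; script="$2"; rc=0
    if ar_conf_lists "$root" "$script"; then
        echo "ok:   $script listed in $root/etc/shared/ar.conf"
    else
        echo "FAIL: $script not listed in $root/etc/shared/ar.conf"; rc=1
    fi
    if script_runnable "$root" "$script"; then
        echo "ok:   $root/active-response/bin/$script exists and is executable"
    else
        echo "FAIL: $root/active-response/bin/$script missing or not executable"; rc=1
    fi
    return $rc
}

# Usage: sh ar_preflight.sh restart.sh [/var/ossec]
if [ $# -ge 1 ]; then
    if execd_running; then echo "ok:   ossec-execd is running"; else echo "FAIL: ossec-execd not running"; fi
    ar_preflight "${2:-/var/ossec}" "$1"
    recent_ar_log "${2:-/var/ossec}"
fi
```

Two things worth keeping in mind when reading the output: ar.conf on an agent is generated from the `<command>` and `<active-response>` blocks in the server's ossec.conf and pushed to agents by the server, so a missing entry points at the server-side configuration, while a missing or non-executable file points at the agent. The stock OSSEC scripts under active-response/bin also start by appending a line with their arguments to logs/active-responses.log; following that convention in restart.sh gives you a record of every invocation even when the service command itself fails.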
