Why is active response not working?
I receive the email notification, but the active response has not started.
What may have caused the problem?

#etc/shared/ar.conf:
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
testar0 - testar.sh - 0
slack0 - slack.py - 0


#alert.log
** Alert 1456222573.17132: mail  - syslog,sshdauthentication_success,
2016 Feb 23 05:16:13 serv-10244->/var/log/secure
Rule: 5715 (level 7) -> 'SSHD authentication success.'
Src IP: 104.131.225.112
User: root
Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from 104.131.225.112 port 47280 ssh2

#ossec.conf
  <command>
    <name>testar</name>
    <expect></expect>
    <executable>testar.sh</executable>
  </command>

  <command>
    <name>slack</name>
    <expect>user,srcip</expect>
    <executable>slack.py</executable>
  </command>

  <active-response>
    <command>testar</command>
    <location>local</location>
    <rules_id>5715,11309</rules_id>
  </active-response>


  <active-response>
    <command>slack</command>
    <location>local</location>
    <rules_id>5715,11309</rules_id>
  </active-response>


#ossec.log:
2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'
2016/02/23 05:11:15 ossec-analysisd: INFO: Started (pid: 15184).
2016/02/23 05:11:16 ossec-monitord: INFO: Started (pid: 15219).
2016/02/23 05:11:16 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2016/02/23 05:11:16 ossec-remoted(1410): INFO: Reading authentication keys file.
2016/02/23 05:11:16 ossec-remoted: INFO: No previous counter available for 'local'.
2016/02/23 05:11:16 ossec-remoted: INFO: Assigning counter for agent local: '0:0'.
2016/02/23 05:11:16 ossec-remoted: INFO: No previous sender counter.
2016/02/23 05:11:16 ossec-remoted: INFO: Assigning sender counter: 0:0
2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2016/02/23 05:11:21 ossec-logcollector: INFO: Started (pid: 15188).
2016/02/23 05:11:22 ossec-syscheckd: INFO: Started (pid: 15215).
2016/02/23 05:11:22 ossec-rootcheck: INFO: Started (pid: 15215).
2016/02/23 05:11:22 ossec-syscheckd: INFO: Monitoring directory: '/home/woodwork/public_html'.


# ps ax | grep ossec
15176 ?        S      0:00 /var/ossec/bin/ossec-maild
15180 ?        S      0:00 /var/ossec/bin/ossec-execd
15184 ?        S      0:00 /var/ossec/bin/ossec-analysisd
15188 ?        S      0:00 /var/ossec/bin/ossec-logcollector
15193 ?        Sl     0:00 /var/ossec/bin/ossec-remoted
15215 ?        S      0:00 /var/ossec/bin/ossec-syscheckd
15219 ?        S      0:00 /var/ossec/bin/ossec-monitord

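As an added troubleshooting check (not part of the original post): a POSIX shell script that reads an ar.conf like the one above and verifies that every listed script exists and is executable where ossec-execd looks for it, then shows the tail of the active-responses log. The install paths are assumed OSSEC defaults and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are assumed OSSEC defaults.
AR_CONF="${AR_CONF:-/var/ossec/etc/shared/ar.conf}"
AR_BIN="${AR_BIN:-/var/ossec/active-response/bin}"
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# ar_executables <ar.conf>: print the executable column of each entry.
# Entries look like "slack0 - slack.py - 0"; the separator is " - ", so a
# plain '-' split would break names such as restart-ossec0.
ar_executables() {
    awk -F' - ' '!/^[[:space:]]*(#|$)/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }' "$1"
}

# check_ar_scripts <ar.conf> <bindir>: one line per entry (OK / MISSING / NOEXEC);
# returns 1 if any script could not be run by ossec-execd.
check_ar_scripts() {
    conf="$1"; bindir="$2"; rc=0
    for exe in $(ar_executables "$conf"); do
        if [ ! -e "$bindir/$exe" ]; then
            echo "MISSING $bindir/$exe"; rc=1
        elif [ ! -x "$bindir/$exe" ]; then
            echo "NOEXEC $bindir/$exe"; rc=1
        else
            echo "OK $bindir/$exe"
        fi
    done
    return $rc
}

# Only inspect the live install when it is present; the functions above are
# what a test exercises with constructed input.
if [ -r "$AR_CONF" ]; then
    check_ar_scripts "$AR_CONF" "$AR_BIN"
    if [ -s "$AR_LOG" ]; then
        echo "--- last responses execd actually ran ($AR_LOG):"
        tail -n 5 "$AR_LOG"
    fi
fi
```

If every entry prints OK and the log stays empty after the alert fires, the problem is upstream of execd (the response never reached it) rather than in the scripts themselves.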
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.