Hi,

The daemon in charge of executing active-response scripts is "ossec-execd". I think your conf is good; active-response should be active and working. Try to force some response and check active-response.log.
Check ossec.log for entries like:

2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for active response.
2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.

If you really want to check if active-response is active, try this:

Enable debug mode:
/var/ossec/bin/ossec-control enable debug

Restart OSSEC and check for the line:
2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized ...

The scripts should be placed in /var/ossec/active-response/bin with execution permissions.

Regards,
Pedro S.

On Tuesday, February 23, 2016 at 11:21:13 AM UTC+1, [email protected] wrote:
>
> Why is active-response not working?
> I receive the email notification, but the active response has not started.
> What may have caused the problem?
>
> #etc/shared/ar.conf:
> restart-ossec0 - restart-ossec.sh - 0
> restart-ossec0 - restart-ossec.cmd - 0
> testar0 - testar.sh - 0
> slack0 - slack.py - 0
>
>
> #alert.log
> ** Alert 1456222573.17132: mail - syslog,sshdauthentication_success,
> 2016 Feb 23 05:16:13 serv-10244->/var/log/secure
> Rule: 5715 (level 7) -> 'SSHD authentication success.'
> Src IP: 104.131.225.112
> User: root
> Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from 104.131.225.112 port 47280 ssh2
>
> #ossec.conf
> <command>
>   <name>testar</name>
>   <expect></expect>
>   <executable>testar.sh</executable>
> </command>
>
> <command>
>   <name>slack</name>
>   <expect>user,srcip</expect>
>   <executable>slack.py</executable>
> </command>
>
> <active-response>
>   <command>testar</command>
>   <location>local</location>
>   <rules_id>5715,11309</rules_id>
> </active-response>
>
>
> <active-response>
>   <command>slack</command>
>   <location>local</location>
>   <rules_id>5715,11309</rules_id>
> </active-response>
>
>
> #ossec.log:
> 2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> 2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
> 2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
> 2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
> 2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
> 2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
> 2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'
> 2016/02/23 05:11:15 ossec-analysisd: INFO: Started (pid: 15184).
> 2016/02/23 05:11:16 ossec-monitord: INFO: Started (pid: 15219).
> 2016/02/23 05:11:16 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> 2016/02/23 05:11:16 ossec-remoted(1410): INFO: Reading authentication keys file.
> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous counter available for 'local'.
> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning counter for agent local: '0:0'.
> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous sender counter.
> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning sender counter: 0:0
> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2016/02/23 05:11:21 ossec-logcollector: INFO: Started (pid: 15188).
> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Started (pid: 15215).
> 2016/02/23 05:11:22 ossec-rootcheck: INFO: Started (pid: 15215).
> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Monitoring directory: '/home/woodwork/public_html'.
>
>
> # ps ax | grep ossec
> 15176 ?  S   0:00 /var/ossec/bin/ossec-maild
> 15180 ?  S   0:00 /var/ossec/bin/ossec-execd
> 15184 ?  S   0:00 /var/ossec/bin/ossec-analysisd
> 15188 ?  S   0:00 /var/ossec/bin/ossec-logcollector
> 15193 ?  Sl  0:00 /var/ossec/bin/ossec-remoted
> 15215 ?  S   0:00 /var/ossec/bin/ossec-syscheckd
> 15219 ?  S   0:00 /var/ossec/bin/ossec-monitord
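The reply above says to force a response, check the active-response log, and make sure the script in /var/ossec/active-response/bin is executable. The following is an added example for this thread, not OSSEC's own code and not the poster's testar.sh: a minimal active-response script written in the shape of OSSEC's bundled scripts (which receive action, user, srcip, alert id and rule id as positional arguments, with "-" where the command's <expect> gives execd nothing to pass; this argument contract is an assumption taken from the bundled scripts), plus a check_ar_script function for the installation conditions that most often leave the log empty. The log path is made overridable with AR_LOG so the script runs outside a real /var/ossec tree; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not OSSEC's own code): a minimal OSSEC-style active-response
# script plus a pre-flight check for how ossec-execd needs it installed.
#
# Assumption (taken from OSSEC's bundled scripts such as host-deny.sh):
# execd invokes a script as
#   script <action> <user> <srcip> <alert_id> <rule_id>
# with action "add" or "delete", and "-" for user/srcip when the command's
# <expect> does not request them. With the poster's empty <expect></expect>
# for "testar", both fields should arrive as "-"; "slack" asks for user,srcip.

# Where records are appended; overridable so this runs outside /var/ossec.
AR_LOG="${AR_LOG:-${TMPDIR:-/tmp}/active-responses.log}"

# Validate the five positional arguments execd passes. Returns 0 for an
# execd-shaped call, 1 otherwise, so a malformed call shows up in the log
# instead of the script silently doing nothing.
ar_validate() {
    [ "$#" -eq 5 ] || return 1
    case "$1" in add|delete) ;; *) return 1 ;; esac
    # alert id looks like "<epoch>.<counter>" (e.g. 1456222573.17132),
    # rule id is numeric (e.g. 5715)
    echo "$4" | grep -Eq '^[0-9]+\.[0-9]+$' || return 1
    echo "$5" | grep -Eq '^[0-9]+$' || return 1
}

# Format one log record from the execd arguments (no side effects, so the
# exact line can be checked without touching the filesystem).
ar_record() {
    printf '%s %s action=%s user=%s srcip=%s alertid=%s ruleid=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "testar.sh" "$1" "$2" "$3" "$4" "$5"
}

# Script body: log every invocation, valid or not. A harmless "log only"
# action like this is the quickest way to prove execd is firing at all.
ar_main() {
    if ar_validate "$@"; then
        ar_record "$@" >> "$AR_LOG"
    else
        printf '%s testar.sh REJECTED args: %s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$AR_LOG"
        return 1
    fi
}

# Pre-flight check for an installed AR script: it must exist, be executable
# by the user execd runs as, and start with an interpreter line. Returns 0
# when all three hold; prints the first failing condition otherwise.
check_ar_script() {
    script="$1"
    [ -f "$script" ] || { echo "missing: $script"; return 1; }
    [ -x "$script" ] || { echo "not executable: $script"; return 1; }
    head -n 1 "$script" | grep -q '^#!' || { echo "no #! line: $script"; return 1; }
    return 0
}

# Act only when execd-style arguments are present; sourcing the file for
# its functions (or running it with no arguments) skips this.
case "${1:-}" in
    add|delete) ar_main "$@" ;;
esac
```

To try it against a real install, copy the file to /var/ossec/active-response/bin/testar.sh, make it executable, run `check_ar_script` on it, then trigger rule 5715 with an SSH login and look for the "action=add" record in the log.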
