Hi folks,
I was gearing up to start monitoring the OSSEC server and agent AR logs
when I ran into this apparent log path inconsistency in certain AR scripts.
As I understand, the OSSEC AR log path for Linux is:
/var/ossec/logs/active-responses.log
It appears that there are a few references to a possibly legacy AR log path:
/var/ossec/active-response/ossec-hids-responses.log
in both host-deny.sh and pf.sh. In the case of pf.sh, that script actually
references both the dominant and the alternative log file path.
It looks to me like the intention is for all Linux AR script output to go
to /var/ossec/logs/active-responses.log. If you concur, I request that
host-deny.sh and pf.sh be updated to reflect this in OSSEC 2.9.
Details:
root@SERVER:~# grep active-responses.log /var/ossec/active-response/bin/*
/var/ossec/active-response/bin/disable-account.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../log/active-responses.log
/var/ossec/active-response/bin/firewall-drop.sh:LOG_FILE="${PWD}/../logs/active-responses.log"
/var/ossec/active-response/bin/host-deny.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
/var/ossec/active-response/bin/host-deny.sh: echo "`date` Invalid ip/hostname entry: ${IP}" >> ${PWD}/../logs/active-responses.log
/var/ossec/active-response/bin/ip-customblock.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
/var/ossec/active-response/bin/ipfw_mac.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
/var/ossec/active-response/bin/ipfw.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
/var/ossec/active-response/bin/ossec-tweeter.sh:echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
/var/ossec/active-response/bin/ossec-tweeter.sh: wget --keep-session-cookies --http-user=$TWITTERUSER --http-password=$TWITTERPASS --post-data="source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE 2>>${PWD}/../logs/active-responses.log
/var/ossec/active-response/bin/ossec-tweeter.sh: curl -u "$TWITTERUSER:$TWITTERPASS" -d "source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE 2>>${PWD}/../logs/active-responses.log
/var/ossec/active-response/bin/ossec-tweeter.sh:echo "`date` $0: Unable to find curl or wget." >> ${PWD}/../logs/active-responses.log
/var/ossec/active-response/bin/pf.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
/var/ossec/active-response/bin/restart-ossec.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
/var/ossec/active-response/bin/route-null.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
root@SERVER:~# grep ossec-hids-responses.log /var/ossec/active-response/bin/*
/var/ossec/active-response/bin/host-deny.sh: >> ${PWD}/ossec-hids-responses.log
/var/ossec/active-response/bin/pf.sh: echo "$0: invalid action: ${ACTION}" >> ${PWD}/ossec-hids-responses.log
/var/ossec/active-response/bin/pf.sh: echo "$0: PF not configured." >> ${PWD}/ossec-hids-responses.log
/var/ossec/active-response/bin/pf.sh: echo "$0: PF not configured." >> ${PWD}/ossec-hids-responses.log
Thanks,
Kevin Branch
Branch Network Consulting
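The following is an added example, not part of Kevin's post and not code from the OSSEC project: a small POSIX sh audit that walks an active-response bin directory and reports every `>> something.log` redirect that does not point at the canonical `../logs/active-responses.log`, plus a helper that shows where a `${PWD}`-relative reference actually lands. It assumes, as the scripts' `../logs` references and the post's `/var/ossec/active-response/ossec-hids-responses.log` path imply, that ossec-execd runs the scripts with `/var/ossec/active-response` as the working directory. The function names (`audit_ar_scripts`, `resolve_from`, `make_sample_tree`) and the two sample scripts are constructed for the example and modelled on the listing above.

```shell
#!/bin/sh
# Added example, not from the original post or from OSSEC itself.
# Audits active-response scripts for log redirects that bypass the
# canonical logs/active-responses.log, and shows where a ${PWD}-relative
# reference lands. Assumption: ossec-execd runs the scripts with
# /var/ossec/active-response as the working directory.

# Canonical target, as a grep BRE, relative to the scripts' working dir.
CANONICAL='\.\./logs/active-responses\.log'

# audit_ar_scripts DIR
# Prints file:line:text for every ">> <path>.log" that is not the
# canonical path. Returns 0 if nothing stray was found, 1 otherwise.
# Caveat: only literal paths are inspected; a redirect through a variable
# (e.g. ">> ${LOG_FILE}") is not resolved and therefore not flagged.
audit_ar_scripts() {
    dir=$1
    found=0
    for f in "$dir"/*.sh; do
        [ -f "$f" ] || continue
        stray=$(grep -n '>>[[:space:]]*[^[:space:]]*\.log' "$f" \
                | grep -v "$CANONICAL" || :)
        if [ -n "$stray" ]; then
            printf '%s\n' "$stray" | sed "s|^|$f:|"
            found=1
        fi
    done
    return $found
}

# resolve_from WORKDIR RELPATH
# Prints the absolute file that a "${PWD}/RELPATH" reference resolves to
# when the script is executed with WORKDIR as its working directory.
resolve_from() {
    workdir=$1
    rel=$2
    (cd "$workdir" && cd "$(dirname "$rel")" && \
        printf '%s/%s\n' "$(pwd)" "$(basename "$rel")")
}

# make_sample_tree
# Builds a constructed /var/ossec-like tree under a temp dir with two
# stand-in scripts modelled on the listing in the post; prints the root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/active-response/bin" "$root/logs"
    cat > "$root/active-response/bin/firewall-drop.sh" <<'EOF'
#!/bin/sh
LOG_FILE="${PWD}/../logs/active-responses.log"
echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
EOF
    cat > "$root/active-response/bin/pf.sh" <<'EOF'
#!/bin/sh
echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
echo "$0: PF not configured." >> ${PWD}/ossec-hids-responses.log
EOF
    printf '%s\n' "$root"
}

# Stand-alone run: audit the sample tree and show where both path forms land
# from the assumed working directory.
if [ "${AR_AUDIT_DEMO:-1}" = 1 ]; then
    root=$(make_sample_tree)
    ar="$root/active-response"
    if audit_ar_scripts "$ar/bin"; then
        echo "no stray log paths in $ar/bin"
    else
        echo "stray log paths found (listed above)"
    fi
    resolve_from "$ar" "../logs/active-responses.log"
    resolve_from "$ar" "ossec-hids-responses.log"
    rm -rf "$root"
fi
```

On a real host, `audit_ar_scripts /var/ossec/active-response/bin` reports the `${PWD}/ossec-hids-responses.log` lines in host-deny.sh and pf.sh from the listing above; it would also surface the `../log/active-responses.log` spelling shown for disable-account.sh, since that is not the canonical `../logs/` path either. Scripts that redirect through a variable, as firewall-drop.sh does with `LOG_FILE`, pass the literal check and need to be read by hand.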