On Thu, Jun 30, 2016 at 6:32 PM, Kevin Branch
<[email protected]> wrote:
> Hi folks,
>
> I was gearing up to start monitoring the OSSEC server and agent AR logs when
> I ran into this apparent log path inconsistency in certain AR scripts.
>
> As I understand, the OSSEC AR log path for Linux is:
>
> /var/ossec/logs/active-responses.log
>
>
> It appears that there are a few references to a possibly legacy AR log path:
>
> /var/ossec/active-response/ossec-hids-responses.log
>
It looks like the things that are logged here aren't active-responses,
but errors from the scripts.
I'm not sure how I feel about changing something like this so late in
the process.
Does this bother anyone else? Does anyone use ossec-hids-responses.log?
> in both host-deny.sh and pf.sh. In the case of pf.sh, that script actually
> references both the dominant and the alternative log file path.
>
> It looks to me like the intention is for all Linux AR script output to go to
> /var/ossec/logs/active-responses.log. If you concur, I request that
> host-deny.sh and pf.sh be updated to reflect this in OSSEC 2.9.
>
> Details:
>
> root@SERVER:~# grep active-responses.log /var/ossec/active-response/bin/*
> /var/ossec/active-response/bin/disable-account.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../log/active-responses.log
> /var/ossec/active-response/bin/firewall-drop.sh:LOG_FILE="${PWD}/../logs/active-responses.log"
> /var/ossec/active-response/bin/host-deny.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> /var/ossec/active-response/bin/host-deny.sh: echo "`date` Invalid ip/hostname entry: ${IP}" >> ${PWD}/../logs/active-responses.log
> /var/ossec/active-response/bin/ip-customblock.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> /var/ossec/active-response/bin/ipfw_mac.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> /var/ossec/active-response/bin/ipfw.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> /var/ossec/active-response/bin/ossec-tweeter.sh:echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
> /var/ossec/active-response/bin/ossec-tweeter.sh: wget --keep-session-cookies --http-user=$TWITTERUSER --http-password=$TWITTERPASS --post-data="source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE 2>>${PWD}/../logs/active-responses.log
> /var/ossec/active-response/bin/ossec-tweeter.sh: curl -u "$TWITTERUSER:$TWITTERPASS" -d "source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE 2>>${PWD}/../logs/active-responses.log
> /var/ossec/active-response/bin/ossec-tweeter.sh:echo "`date` $0: Unable to find curl or wget." >> ${PWD}/../logs/active-responses.log
> /var/ossec/active-response/bin/pf.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> /var/ossec/active-response/bin/restart-ossec.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> /var/ossec/active-response/bin/route-null.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
>
> root@SERVER:~# grep ossec-hids-responses.log /var/ossec/active-response/bin/*
> /var/ossec/active-response/bin/host-deny.sh: >> ${PWD}/ossec-hids-responses.log
> /var/ossec/active-response/bin/pf.sh: echo "$0: invalid action: ${ACTION}" >> ${PWD}/ossec-hids-responses.log
> /var/ossec/active-response/bin/pf.sh: echo "$0: PF not configured." >> ${PWD}/ossec-hids-responses.log
> /var/ossec/active-response/bin/pf.sh: echo "$0: PF not configured." >> ${PWD}/ossec-hids-responses.log
>
> Thanks,
> Kevin Branch
> Branch Network Consulting
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
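The thread shows the inconsistency being found by hand with grep. The following script is an added example, not code from the thread or from OSSEC itself: it scans a directory of active-response scripts for every ">>" / "2>>" redirection, resolves "${PWD}" against the bin directory the scripts run from (OSSEC launches them from active-response/bin, which is assumed here, matching the paths in the thread), and reports any target that is not logs/active-responses.log. The three sample scripts it creates are constructed for the demonstration; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from OSSEC): audit active-response
# scripts for the log file each redirection appends to, and flag any that do
# not resolve to logs/active-responses.log. Sample scripts are constructed.

# Emit "script<TAB>resolved-target" for every ">>" or "2>>" redirection found.
# "${PWD}" is resolved against the bin directory, the assumption being that
# OSSEC runs the scripts from active-response/bin as the thread's paths imply.
ar_log_targets() {
    bindir=$1
    prefix='${PWD}/'
    for script in "$bindir"/*.sh; do
        [ -f "$script" ] || continue
        grep -oE '(2)?>>[[:space:]]*[^[:space:]]+' "$script" \
        | sed -E 's/^2?>>[[:space:]]*//' \
        | sort -u \
        | while IFS= read -r target; do
            case $target in
                "$prefix"*) resolved="$bindir/${target#"$prefix"}" ;;
                *)          resolved=$target ;;
            esac
            printf '%s\t%s\n' "$(basename "$script")" "$resolved"
        done
    done
}

# Print only the redirections whose target is not the canonical AR log.
# No output means every script in the directory logs to the same place.
ar_log_audit() {
    bindir=$1
    ar_log_targets "$bindir" \
    | awk -F '\t' -v canon="$bindir/../logs/active-responses.log" '$2 != canon'
}

# Build a temporary bin directory with constructed scripts in the style of the
# ones quoted in the thread: two consistent, one writing to the legacy path.
ar_make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/firewall-drop.sh" <<'EOF'
#!/bin/sh
echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
EOF
    cat > "$dir/notify.sh" <<'EOF'
#!/bin/sh
echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
curl -s "$SITE" 2>>${PWD}/../logs/active-responses.log
EOF
    cat > "$dir/legacy.sh" <<'EOF'
#!/bin/sh
echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
echo "$0: invalid action: ${ACTION}" >> ${PWD}/ossec-hids-responses.log
EOF
    printf '%s\n' "$dir"
}

# Demo run: only legacy.sh's ossec-hids-responses.log redirection is reported.
samples=$(ar_make_samples)
ar_log_audit "$samples"
rm -rf "$samples"
```

Against a real install you would call ar_log_audit /var/ossec/active-response/bin; because the resolution follows the same "${PWD}"-relative convention the scripts use, a script that writes to ../log/ instead of ../logs/, or into the bin directory itself, shows up as a separate target rather than being hidden by string matching on the file name alone.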