On Tue, Jul 5, 2016 at 6:49 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Jul 5, 2016 at 6:37 AM, Barry Kaplan <[email protected]> wrote:
>> In one of our clients at /var/ossec/logs we have the following:
>>
>> root@ops-bastion-1:/var/ossec/logs# ll
>> total 56
>> -rw-r-----  1 root  ossec     0 Jul  4 06:23 active-response.log
>> -rw-r--r--  1 root  ossec 21296 Jul  5 10:33 active-responses.log
>> -rw-rw-r--  1 ossec ossec 17632 Jul  5 10:16 ossec.log
>>
>> From what I can tell in all the ossec configs, only the singular
>> active-response.log is defined. Where is the plural file coming from?
>>
>
> Are you using any of these AR scripts?
>
> [ddp@ix] :; pwd
> /home/ddp/src/projects/git/github/ddpbsd/ossec-hids/active-response
> [ddp@ix] :; grep -r 'active-responses.log' *
> disable-account.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../log/active-responses.log
> firewall-drop.sh:LOG_FILE="${PWD}/../logs/active-responses.log"
> firewalld-drop.sh:LOG_FILE="${PWD}/../logs/active-responses.log"
> firewalls/ipfw.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> firewalls/ipfw_mac.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> firewalls/npf.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> firewalls/pf.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> host-deny.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> host-deny.sh: echo "`date` Invalid ip/hostname entry: ${IP}" >> ${PWD}/../logs/active-responses.log
> ip-customblock.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> ossec-slack.sh:echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
> ossec-slack.sh: wget --keep-session-cookies --post-data="${PAYLOAD}" ${SITE} 2>>${PWD}/../logs/active-responses.log
> ossec-slack.sh: curl -X POST --data-urlencode "payload=${PAYLOAD}" ${SITE} 2>>${PWD}/../logs/active-responses.log
> ossec-slack.sh:echo "`date` $0: Unable to find curl or wget." >> ${PWD}/../logs/active-responses.log
> ossec-tweeter.sh:echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
> ossec-tweeter.sh: wget --keep-session-cookies --http-user=$TWITTERUSER --http-password=$TWITTERPASS --post-data="source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE 2>>${PWD}/../logs/active-responses.log
> ossec-tweeter.sh: curl -u "$TWITTERUSER:$TWITTERPASS" -d "source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE 2>>${PWD}/../logs/active-responses.log
> ossec-tweeter.sh:echo "`date` $0: Unable to find curl or wget." >> ${PWD}/../logs/active-responses.log
> restart-ossec.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> route-null.sh:echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
> win/netsh.cmd:ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 >> active-response/active-responses.log
> win/restart-ossec.cmd:ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 >> active-response/active-responses.log
> win/route-null.cmd:ECHO %DAT%%TIM% %~dp0%0 %1 %2 %3 >> "%OSSECPATH%active-response\active-responses.log"
> win/route-null.cmd:ECHO %DAT%%TIM% %~dp0%0 %1 %2 %3 >> "%OSSECPATH%active-response\active-responses.log"
> win/route-null.cmd.orig:ECHO %DAT%%TIM% %~dp0%0 %1 - %2 >> "%OSSECPATH%active-response\active-responses.log"
> win/route-null.cmd.orig:ECHO %DAT%%TIM% %~dp0%0 %1 - %2 >> "%OSSECPATH%active-response\active-responses.log"
>

Interestingly:

[ddp@ix] :; grep -r 'active-response.log' *
[ddp@ix] :;

So it looks like active-responses.log is the proper log location?

>
>
>> On this host, in ossec.conf:
>>
>> ossec.conf: <location>/var/ossec/logs/active-response.log</location>
>>
>> --

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
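The practical consequence of the mismatch ddp's grep shows is that logcollector only reads files named in a <localfile> <location>, so an ossec.conf that names the singular active-response.log while every AR script appends to the plural active-responses.log means the AR activity never reaches the manager. The following shell check is an added example, not code from this thread or from the OSSEC project: it extracts the log file names the scripts under an active-response directory append to (the ">> ${PWD}/../logs/<name>" idiom seen above), extracts the active-response* <location> entries from an ossec.conf, and reports any file the scripts write that the config does not read. The fixture directory, the sample host-deny.sh and the sample ossec.conf are constructed inline; all function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from OSSEC. Checks that the file the
# active-response scripts append to is the file ossec.conf tells the agent to
# read. Directory layout and sample files below are constructed for the demo.

# Log file names (basename only) that scripts under $1 append to, matching the
# '>> ${PWD}/../logs/active-responses.log' idiom of the stock AR scripts.
ar_log_targets() {
    grep -rhoE '>>[[:space:]]*"?[^[:space:]"]*active-responses?\.log' "$1" \
        | sed 's,.*/,,' | sort -u
}

# Log file names (basename only) named in <location> elements of ossec.conf $1,
# restricted to the active-response log variants.
conf_log_locations() {
    sed -n 's,.*<location>\([^<]*\)</location>.*,\1,p' "$1" \
        | grep -E 'active-responses?\.log$' | sed 's,.*/,,' | sort -u
}

# Exit 0 if every file the AR scripts write is covered by a <location>;
# otherwise print the uncovered names and exit 1.
# $1 = ossec.conf, $2 = active-response script directory.
check_ar_log() {
    missing=0
    for f in $(ar_log_targets "$2"); do
        if ! conf_log_locations "$1" | grep -qxF "$f"; then
            echo "AR scripts write $f but ossec.conf has no <location> for it"
            missing=1
        fi
    done
    return $missing
}

# Build a throwaway tree reproducing the situation in the thread: the script
# appends to the plural file, the config names whatever $1 says.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/active-response" "$d/logs"
    cat > "$d/active-response/host-deny.sh" <<'EOF'
#!/bin/sh
echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
EOF
    cat > "$d/ossec.conf" <<EOF
<ossec_config><localfile>
<log_format>syslog</log_format>
<location>$d/logs/$1</location>
</localfile></ossec_config>
EOF
    echo "$d"
}

# Returns 1: config names active-response.log, scripts write active-responses.log.
demo_mismatch() {
    d=$(make_fixture active-response.log)
    check_ar_log "$d/ossec.conf" "$d/active-response"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Returns 0: config corrected to the plural name the scripts actually use.
demo_fixed() {
    d=$(make_fixture active-responses.log)
    check_ar_log "$d/ossec.conf" "$d/active-response"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_mismatch
demo_fixed
```

On a real install, run check_ar_log /var/ossec/etc/ossec.conf /var/ossec/active-response; the same grep also surfaces the odd ones out, such as disable-account.sh writing under ../log/ rather than ../logs/ in the listing above.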
