On Tue, Jul 5, 2016 at 6:37 AM, Barry Kaplan <[email protected]> wrote:
> On one of our clients at /var/ossec/logs we have the following:
>
> root@ops-bastion-1:/var/ossec/logs# ll
> total 56
> -rw-r----- 1 root ossec 0 Jul 4 06:23 active-response.log
> -rw-r--r-- 1 root ossec 21296 Jul 5 10:33 active-responses.log
> -rw-rw-r-- 1 ossec ossec 17632 Jul 5 10:16 ossec.log
>
> From what I can tell in all the ossec configs, only the singular
> active-response.log is defined. Where is the plural file coming from?
>
Are you using any of these AR scripts?
[ddp@ix] :; pwd
/home/ddp/src/projects/git/github/ddpbsd/ossec-hids/active-response
[ddp@ix] :; grep -r 'active-responses.log' *
disable-account.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../log/active-responses.log
firewall-drop.sh:LOG_FILE="${PWD}/../logs/active-responses.log"
firewalld-drop.sh:LOG_FILE="${PWD}/../logs/active-responses.log"
firewalls/ipfw.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
firewalls/ipfw_mac.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
firewalls/npf.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
firewalls/pf.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
host-deny.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
host-deny.sh: echo "`date` Invalid ip/hostname entry: ${IP}" >>
${PWD}/../logs/active-responses.log
ip-customblock.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
ossec-slack.sh:echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >>
${PWD}/../logs/active-responses.log
ossec-slack.sh: wget --keep-session-cookies
--post-data="${PAYLOAD}" ${SITE}
2>>${PWD}/../logs/active-responses.log
ossec-slack.sh: curl -X POST --data-urlencode "payload=${PAYLOAD}"
${SITE} 2>>${PWD}/../logs/active-responses.log
ossec-slack.sh:echo "`date` $0: Unable to find curl or wget." >>
${PWD}/../logs/active-responses.log
ossec-tweeter.sh:echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >>
${PWD}/../logs/active-responses.log
ossec-tweeter.sh: wget --keep-session-cookies
--http-user=$TWITTERUSER --http-password=$TWITTERPASS
--post-data="source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE
2>>${PWD}/../logs/active-responses.log
ossec-tweeter.sh: curl -u "$TWITTERUSER:$TWITTERPASS" -d
"source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE
2>>${PWD}/../logs/active-responses.log
ossec-tweeter.sh:echo "`date` $0: Unable to find curl or wget." >>
${PWD}/../logs/active-responses.log
restart-ossec.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
route-null.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
win/netsh.cmd:ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 >>
active-response/active-responses.log
win/restart-ossec.cmd:ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9
>> active-response/active-responses.log
win/route-null.cmd:ECHO %DAT%%TIM% %~dp0%0 %1 %2 %3 >>
"%OSSECPATH%active-response\active-responses.log"
win/route-null.cmd:ECHO %DAT%%TIM% %~dp0%0 %1 %2 %3 >>
"%OSSECPATH%active-response\active-responses.log"
win/route-null.cmd.orig:ECHO %DAT%%TIM% %~dp0%0 %1 - %2 >>
"%OSSECPATH%active-response\active-responses.log"
win/route-null.cmd.orig:ECHO %DAT%%TIM% %~dp0%0 %1 - %2 >>
"%OSSECPATH%active-response\active-responses.log"
> On this host, in ossec.conf:
>
> ossec.conf: <location>/var/ossec/logs/active-response.log</location>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
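The mismatch the reply points out (AR scripts appending to the plural active-responses.log while ossec.conf only lists the singular active-response.log as a monitored location) can be checked mechanically. The following is an added example, not code from the thread or from the OSSEC project; the AR scripts and ossec.conf it creates are a constructed fixture that mirrors the quoted grep output, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread: report log files that the OSSEC
# active-response (AR) scripts append to but that no <localfile>
# <location> in ossec.conf monitors. The fixture below is constructed to
# mirror the grep output and the ossec.conf line quoted in the thread.

# ar_log_targets DIR: basenames of every *.log the AR scripts reference,
# covering both the ">> .../active-responses.log" and LOG_FILE="..." forms.
ar_log_targets() {
    grep -rhoE '[A-Za-z_-]+\.log' "$1" | sort -u
}

# monitored_logs CONF: basenames of every <location> entry in ossec.conf.
monitored_logs() {
    sed -n 's#.*<location>\(.*\)</location>.*#\1#p' "$1" |
        sed 's#.*/##' | sort -u
}

# unmonitored_ar_logs DIR CONF: AR log targets with no matching <location>,
# one basename per line (empty output means every AR log is monitored).
unmonitored_ar_logs() {
    work=$(mktemp -d)
    ar_log_targets "$1" > "$work/ar.txt"
    monitored_logs "$2" > "$work/conf.txt"
    comm -23 "$work/ar.txt" "$work/conf.txt"
    rm -rf "$work"
}

# make_fixture: constructed sample AR scripts and ossec.conf; prints the
# fixture directory so callers can point the checks at it.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/active-response"
    printf '%s\n' '#!/bin/sh' \
        'echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log' \
        > "$fx/active-response/host-deny.sh"
    printf '%s\n' '#!/bin/sh' 'LOG_FILE="${PWD}/../logs/active-responses.log"' \
        > "$fx/active-response/firewall-drop.sh"
    printf '%s\n' '<ossec_config>' '  <localfile>' \
        '    <log_format>syslog</log_format>' \
        '    <location>/var/ossec/logs/active-response.log</location>' \
        '  </localfile>' '</ossec_config>' > "$fx/ossec.conf"
    echo "$fx"
}

# Stand-alone run against the fixture: lists active-responses.log (plural).
FX=$(make_fixture)
unmonitored_ar_logs "$FX/active-response" "$FX/ossec.conf"
rm -rf "$FX"
```

Point the two arguments at a real /var/ossec/active-response/bin and /var/ossec/etc/ossec.conf to see which AR log files on an agent are written but never shipped to the manager.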