Actually, turns out, if you use a single *<disabled>yes</disabled>* for ANY 
active response, it disables ALL of them. This is intended but not 
reflected in the documentation (why this is considered a good idea I do not 
understand, but I'm sure there is a really good reason ;) ).

Hope this helps someone else.
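To make that behaviour easy to catch, here is a small audit script (added here, not from the original post or from the OSSEC project) that walks every <active-response> block in an ossec.conf and warns when any of them carries <disabled>yes</disabled>. The sample configuration embedded in it is constructed for the demonstration, and it assumes the file may contain several top-level <ossec_config> elements, which real ossec.conf files often do.

```python
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf (not taken from the post): two top-level
# <ossec_config> elements and two <active-response> blocks, the second of
# which carries the <disabled>yes</disabled> flag discussed above.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>firewall-permaban</name>
    <executable>firewall-permaban.sh</executable>
    <expect>srcip</expect>
  </command>
  <active-response>
    <command>notify-pushbullet</command>
    <location>server</location>
    <level>10</level>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-permaban</command>
    <location>local</location>
    <level>6</level>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> elements, which is
    not well-formed XML, so wrap the whole file in a synthetic root first."""
    return ET.fromstring("<ossec_root>" + text + "</ossec_root>")


def audit_active_responses(text):
    """Return (blocks, globally_disabled).

    blocks is a list of (command, disabled_flag) per <active-response> block.
    globally_disabled is True when any block says <disabled>yes</disabled>;
    as the post above reports, OSSEC then turns off every active response."""
    root = parse_ossec_conf(text)
    blocks = []
    for ar in root.iter("active-response"):
        cmd = ar.findtext("command")
        flag = (ar.findtext("disabled") or "no").strip().lower() == "yes"
        blocks.append((cmd, flag))
    return blocks, any(flag for _, flag in blocks)


if __name__ == "__main__":
    blocks, killed = audit_active_responses(SAMPLE_CONF)
    for cmd, flag in blocks:
        print(f"active-response command={cmd!r} disabled={flag}")
    if killed:
        print("WARNING: <disabled>yes</disabled> present; ALL active responses are off")
```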

On Thursday, September 8, 2016 at 4:59:26 PM UTC+2, Ole Jakob Skjelten 
wrote:
>
> Hi,
>
> Having fiddled perhaps a bit too much with the setup of OSSEC, my active 
> responses on my server stopped working last night, and I'm unable to 
> pinpoint the problem. I unfortunately don't, even with debug enabled, see any 
> errors in ossec.log, and I'm quite unsure how to go about debugging this.
>
> If I, on the server look at the available active responses I get this:
>
> > agent_control -L 
> OSSEC HIDS agent_control. Available active responses: 
> Response name: notify-pushbullet0, command: notify-pushbullet.py 
> Response name: firewall-honeypot0, command: firewall-honeypot.sh 
> Response name: firewall-permaban0, command: firewall-permaban.sh
>
> So far, so good. 
>
> Looking at my list of active agents I get:
> > agent_control -l 
> OSSEC HIDS agent_control.
> List of available agents: ID: 000, Name: ShadowBUNT (server), IP: 127.0.0.1, Active/Local
>      ...
>      ...
>
> Now, if I try to trigger an active response on the server, everything 
> looks fine:
> agent_control -u 000 -f notify-pushbullet0 -b 192.168.1.1
> OSSEC HIDS agent_control: Running active response 'notify-pushbullet0' on: 
> 000
>
> However, nothing shows up in */var/ossec/logs/active-responses.log*. And 
> when I look at *ossec.log*, I find this one:
> 2016/09/08 16:25:02 ossec-remoted(1320): ERROR: Agent '000' not found.
>
> One possible explanation is that I reinstalled OSSEC and copied over my 
> old config, but I suspect I didn't do it 100%, as I had to re-add all the 
> agents. Since the server/agent doesn't have the option to remove/add/insert 
> key/get key however, I didn't do anything with it. As far as I can tell, 
> all other functionality is fine, including alerts. Though I notice that 
> alerts on the server are listed with location "localhost" instead of 
> "ShadowBUNT", which is the server name. I don't know if that's important.
>
> Since I'd rather not do another complete reinstall, I was hoping someone 
> might know how I can fix this...
>
>
> OJ
>
>
>

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.