Hi guys, I am wondering if anyone here can help me with an issue with active
response. I have been struggling for the last few days to get active
response working on an agent/server setup and I am at a complete loss. I am
using version 2.8.1. I have removed all cases of <disabled>yes</disabled> from
my configs. The agent.conf file:
#########################################################################

<!-- THIS IS MANAGED BY PUPPET -->
<!-- If you are looking at this from a node -->
<!-- the config file is being distributed from -->
<!-- the ossec server, NOT puppet.... -->
<agent_config>
  <syscheck>
    <frequency>72000</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/home/test</directories>
    <directories check_all="yes">/home/test2</directories>
  </syscheck>

  <syscheck>
    <frequency>3600</frequency>
    <auto_ignore>no</auto_ignore>
    <directories check_all="yes">/var/ossec/etc/shared</directories>
  </syscheck>


  <localfile>
    <log_format>syslog</log_format>
    <location>/media/mylog.txt</location>
  </localfile>

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>510010</rules_id>
  </active-response>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

</agent_config>
#################################################################





As you can see I have been testing a few things on here as this is the
first time I have set this up, hence the random test of particular
directories. I added the following rule to the ossec group in
ossec_rules.xml under rule 598:

#################################################################

  <rule id="510010" level="10">
    <if_sid>550</if_sid>
    <match>/var/ossec/etc/shared/agent.conf</match>
    <description>agent.conf has been modified</description>
  </rule>

###############################################################

Below is a log from the server alert log.

###############################################################

** Alert 1473414286.15146: mail  - ossec,
2016 Sep 09 10:44:46 (hh-d8-ossecagenttest04) any->syscheck
Rule: 510010 (level 10) -> 'agent.conf has been modified'
Integrity checksum changed for: '/var/ossec/etc/shared/agent.conf'
Size changed from '1128' to '1129'
Old md5sum was: '6b8224b9dc7e9fa8c34363cdf4d0bb34'
New md5sum is : '44bb782b8a6b9bb533aedeceefa5567d'
Old sha1sum was: '1d76592eed55802ca60cd75bee48f697886a3a3a'
New sha1sum is : 'ddeba7ff16ab1daae7833ade47743c45c73f06ce'

################################################################

Nothing happens. It sees the rule, it's correct, but it does not trigger an
active response. Below is the content of ar.conf from the agent:

###############################################################

restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
host-deny600 - host-deny.sh - 600
firewall-drop600 - firewall-drop.sh - 600

###############################################################

The OS is Debian 8. Am I missing something with these config files? I feel
like I am making a really simple mistake but I cannot spot it. Running
./agent_control -L on the server:

################################################################

OSSEC HIDS agent_control. Available active responses:

   Response name: host-deny600, command: host-deny.sh
   Response name: firewall-drop600, command: firewall-drop.sh
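As an added example (not part of the original post or of OSSEC itself), the script below parses an alerts.log record and an ar.conf list in the shapes quoted above and reports which ar.conf scripts are named for the alert's rule id. It assumes, from the entries shown (host-deny600, restart-ossec0), that ar.conf names a response as the command name followed by its timeout, with a missing <timeout> recorded as 0.

```python
import re

# Constructed samples, shaped like the records quoted in the post above.
ALERT = """** Alert 1473414286.15146: mail  - ossec,
2016 Sep 09 10:44:46 (hh-d8-ossecagenttest04) any->syscheck
Rule: 510010 (level 10) -> 'agent.conf has been modified'
Integrity checksum changed for: '/var/ossec/etc/shared/agent.conf'
"""
AR_CONF = """restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
host-deny600 - host-deny.sh - 600
firewall-drop600 - firewall-drop.sh - 600
"""
# (command, rules_id, timeout) per <active-response> block; the post's block
# has no <timeout>, assumed to be recorded as 0 (hence "restart-ossec0").
ACTIVE_RESPONSES = [("restart-ossec", 510010, 0)]

HEAD_RE = re.compile(r"^\*\* Alert (\d+\.\d+):(?: (\S+))?\s+- (.*),$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alert(record):
    """Parse one alerts.log record into its id, groups, rule id and level."""
    lines = record.strip().splitlines()
    head, rule = HEAD_RE.match(lines[0]), RULE_RE.match(lines[2])
    if not (head and rule):
        raise ValueError("not an OSSEC alert record")
    return {
        "alert_id": head.group(1),
        "mail": head.group(2) == "mail",  # flagged for e-mail notification
        "groups": head.group(3).split(","),
        "rule_id": int(rule.group(1)),
        "level": int(rule.group(2)),
        "description": rule.group(3),
    }

def parse_ar_conf(text):
    """Return ar.conf entries as (name, script, timeout) tuples."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        name, script, timeout = (p.strip() for p in line.split(" - "))
        entries.append((name, script, int(timeout)))
    return entries

def responses_for_alert(alert, active_responses, ar_entries):
    """Scripts ar.conf lists for this alert's rule id (name = command+timeout)."""
    wanted = {f"{cmd}{timeout}" for cmd, rid, timeout in active_responses
              if rid == alert["rule_id"]}
    return [script for name, script, _ in ar_entries if name in wanted]
```

An empty result for an alert whose rule id is configured shows that the response name built from the agent.conf command is absent from ar.conf, which separates a rule-matching problem from a response-list problem.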