On Fri, Sep 9, 2016 at 4:04 AM, Ole Jakob Skjelten <[email protected]> wrote:
> Actually, turns out, if you use a single <disabled>yes</disabled> for ANY
> active response, it disables ALL of them. This is intended but not reflected
> in the documentation (why this is considered a good idea I do not
> understand, but I'm sure there is a really good reason ;) ).
>

This is documented here:
https://ossec.github.io/docs/syntax/head_ossec_config.active-response.html?highlight=disabled#element-disabled

> Hope this helps someone else.
>
> On Thursday, September 8, 2016 at 4:59:26 PM UTC+2, Ole Jakob Skjelten
> wrote:
>>
>> Hi,
>>
>> Having fiddled perhaps a bit too much with the setup of OSSEC, my active
>> responses on my server stopped working last night, and I'm unable to
>> pinpoint the problem. I unfortunately don't, even with debug enabled, see any
>> errors in ossec.log, and I'm quite unsure how to go about debugging this.
>>
>> If I, on the server look at the available active responses I get this:
>>
>> > agent_control -L
>> OSSEC HIDS agent_control. Available active responses:
>> Response name: notify-pushbullet0, command: notify-pushbullet.py
>> Response name: firewall-honeypot0, command: firewall-honeypot.sh
>> Response name: firewall-permaban0, command: firewall-permaban.sh
>>
>> So far, so good.
>>
>> Looking at my list of active agents I get:
>> > agent_control -l
>> OSSEC HIDS agent_control.
>>  List of available agents: ID: 000, Name: ShadowBUNT (server), IP:
>> 127.0.0.1, Active/Local
>>      ...
>>      ...
>>
>> Now, if I try to trigger an active response on the server, everything
>> looks fine:
>> agent_control -u 000 -f notify-pushbullet0 -b 192.168.1.1
>> OSSEC HIDS agent_control: Running active response 'notify-pushbullet0' on:
>> 000
>>
>> However, nothing shows up in /var/ossec/logs/active-responses.log. And
>> when I look at ossec.log, I find this one:
>> 2016/09/08 16:25:02 ossec-remoted(1320): ERROR: Agent '000' not found.
>>
>> One possible explanation is that I reinstalled OSSEC and copied over my
>> old config, but I suspect I didn't do it 100%, as I had to re-add all the
>> agents. Since the server/agent doesn't have the option to remove/add/insert
>> key/get key however, I didn't do anything with it. As far as I can tell, all
>> other functionality is fine, including alerts. Though I notice that alerts
>> on the server are listed with location "localhost" instead of "ShadowBUNT",
>> which is the server name. I don't know if that's important.
>>
>> Since I'd rather not do another complete reinstall, I was hoping someone
>> might know how I can fix this...
>>
>>
>> OJ
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

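A configuration check that follows from the point made in this thread, added here as an example and not code from the thread or from the OSSEC project: it parses an ossec.conf (wrapping the file in a synthetic root, since OSSEC allows several top-level <ossec_config> elements, which is not well-formed XML on its own) and reports whether any <active-response> block carries <disabled>yes</disabled>, because a single such block switches off every active response. The configuration text and the response names inside it are constructed for the example.

```python
"""Audit an OSSEC ossec.conf for a <disabled>yes</disabled> inside any
<active-response> block, which disables all active responses, not just that one."""
import xml.etree.ElementTree as ET


def parse_ossec_conf(text: str) -> ET.Element:
    # ossec.conf may hold several top-level <ossec_config> elements; wrap them
    # in a synthetic root so ElementTree accepts the file as one document.
    return ET.fromstring("<root>" + text + "</root>")


def audit_active_responses(text: str) -> dict:
    """Return the configured response commands, the blocks that carry
    <disabled>yes</disabled>, and whether active response is effectively off."""
    root = parse_ossec_conf(text)
    responses, disabling = [], []
    for block in root.iter("active-response"):
        command = (block.findtext("command") or "").strip()
        disabled = (block.findtext("disabled") or "no").strip().lower()
        if disabled == "yes":
            # One of these is enough to disable every response in the file.
            disabling.append(command or "<no command>")
        elif command:
            responses.append(command)
    return {
        "responses": responses,
        "disabling_blocks": disabling,
        "all_disabled": bool(disabling),
    }


# Constructed sample configuration (not a real ossec.conf from the thread).
SAMPLE_CONF = """<ossec_config>
  <active-response>
    <command>notify-pushbullet</command>
    <location>server</location>
    <level>10</level>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-honeypot</command>
    <location>local</location>
    <level>7</level>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
"""

if __name__ == "__main__":
    print(audit_active_responses(SAMPLE_CONF))
```

To check a live file, pass `open("/var/ossec/etc/ossec.conf").read()` to `audit_active_responses`; a non-empty `disabling_blocks` explains why no response fires even though `agent_control -L` still lists them.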