Yep, that was it. Thanks Dan.

On Friday, 9 September 2016 11:35:41 UTC+1, dan (ddpbsd) wrote:
>
> On Fri, Sep 9, 2016 at 6:10 AM, 'James Vernon' via ossec-list 
> <[email protected]> wrote: 
> > Hi guys 
> > 
> > I am wondering if anyone here can help me with an issue with active 
> > response. 
> > 
> > I have been struggling for the last few days to get active response 
> > working on an agent/server setup 
> > and I am at a complete loss. I am using version 2.8.1 
> > 
> > 
> > I have removed all cases of 
> > 
> > <disabled>yes</disabled> 
> > 
> > from my configs 
> > 
> > The agent.conf file:- 
> > 
> > ######################################################################### 
> > 
> > <!-- THIS IS MANAGED BY PUPPET --> 
> > <!-- If you are looking at this from a node --> 
> > <!-- the config file is being distributed from --> 
> > <!-- the ossec server, NOT puppet.... --> 
> > <agent_config> 
> >   <syscheck> 
> >     <frequency>72000</frequency> 
> > 
> >     <!-- Directories to check  (perform all possible verifications) --> 
> >     <directories check_all="yes">/home/test</directories> 
> >     <directories check_all="yes">/home/test2</directories> 
> >   </syscheck> 
> > 
> >   <syscheck> 
> >     <frequency>3600</frequency> 
> >     <auto_ignore>no</auto_ignore> 
> >     <directories check_all="yes">/var/ossec/etc/shared</directories> 
> >   </syscheck> 
> > 
> > 
> >   <localfile> 
> >     <log_format>syslog</log_format> 
> >     <location>/media/mylog.txt</location> 
> >   </localfile> 
> > 
> >   <command> 
> >     <name>restart-ossec</name> 
> >     <executable>restart-ossec.sh</executable> 
> >     <expect></expect> 
> >   </command> 
> > 
> >   <active-response> 
> >     <command>restart-ossec</command> 
> >     <location>local</location> 
> >     <rules_id>510010</rules_id> 
> >   </active-response> 
> > 
>
> Active response configuration (in an agent/server setup) belongs in 
> the OSSEC server's ossec.conf. 
> I don't believe these configuration options have any effect when run 
> in an agent's configuration. 
>
> >   <localfile> 
> >     <log_format>syslog</log_format> 
> >     <location>/var/ossec/logs/active-responses.log</location> 
> >   </localfile> 
> > 
> > </agent_config> 
> > ################################################################# 
> > 
> > 
> > As you can see I have been testing a few things on here as this is the 
> > first time I have set this up, 
> > hence the random test of particular directories. 
> > 
> > I added the following rule to the ossec group in ossec_rules.xml under 
> > rule 598:- 
> > 
> > 
> > ################################################################# 
> > 
> >   <rule id="510010" level="10"> 
> >     <if_sid>550</if_sid> 
> >     <match>/var/ossec/etc/shared/agent.conf</match> 
> >     <description>agent.conf has been modified</description> 
> >   </rule> 
> > 
> >  ############################################################### 
> > 
> >  Below is a log from the server alert log. 
> > 
> >  ############################################################### 
> > 
> >  ** Alert 1473414286.15146: mail  - ossec, 
> > 2016 Sep 09 10:44:46 (hh-d8-ossecagenttest04) any->syscheck 
> > Rule: 510010 (level 10) -> 'agent.conf has been modified' 
> > Integrity checksum changed for: '/var/ossec/etc/shared/agent.conf' 
> > Size changed from '1128' to '1129' 
> > Old md5sum was: '6b8224b9dc7e9fa8c34363cdf4d0bb34' 
> > New md5sum is : '44bb782b8a6b9bb533aedeceefa5567d' 
> > Old sha1sum was: '1d76592eed55802ca60cd75bee48f697886a3a3a' 
> > New sha1sum is : 'ddeba7ff16ab1daae7833ade47743c45c73f06ce' 
> > 
> > ################################################################ 
> > 
> > 
> > Nothing happens. It sees the rule, it's correct but it does not trigger 
> > an active response. 
> > 
> > Below is the content of ar.conf from the agent 
> > 
> > ############################################################### 
> > 
> > restart-ossec0 - restart-ossec.sh - 0 
> > restart-ossec0 - restart-ossec.cmd - 0 
> > host-deny600 - host-deny.sh - 600 
> > firewall-drop600 - firewall-drop.sh - 600 
> > 
> > 
> > ############################################################### 
> > 
> > The OS is debian 8. 
> > 
> > Am I missing something with these config files? I feel like I am making 
> > a really simple mistake 
> > but I cannot spot it. 
> > 
> > Running ./agent_control -L on the server:- 
> > 
> > ################################################################ 
> > 
> > OSSEC HIDS agent_control. Available active responses: 
> > 
> >    Response name: host-deny600, command: host-deny.sh 
> >    Response name: firewall-drop600, command: firewall-drop.sh 
> > 
> > 
> > 
> > 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> > Groups "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> > an email to [email protected]. 
> > For more options, visit https://groups.google.com/d/optout. 
>
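The fix in this thread was a placement problem: `<command>` and `<active-response>` blocks sitting in the shared agent.conf are inert, because the OSSEC manager is the only component that evaluates them, so they have to live in the server's ossec.conf. The script below is an added example (not from the thread or from the OSSEC project) that catches that mistake mechanically: it lints an agent.conf for those server-only elements and parses an ar.conf table in the `name - script - timeout` layout quoted above. The sample agent.conf and ar.conf strings are constructed, trimmed copies of the ones in the thread; the function names and the `SERVER_ONLY_ELEMENTS` tuple are my own choices, not OSSEC identifiers.

```python
"""Lint an OSSEC agent.conf for active-response settings that have no effect
there (they belong in the server's ossec.conf) and parse an ar.conf table.

Added example; not code from the ossec-list thread or the OSSEC project.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed version of the agent.conf quoted in the thread.
SAMPLE_AGENT_CONF = """\
<!-- THIS IS MANAGED BY PUPPET -->
<agent_config>
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes">/var/ossec/etc/shared</directories>
  </syscheck>
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>510010</rules_id>
  </active-response>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>
</agent_config>
"""

# Constructed sample ar.conf in the "name - script - timeout" layout seen on the agent.
SAMPLE_AR_CONF = """\
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
host-deny600 - host-deny.sh - 600
firewall-drop600 - firewall-drop.sh - 600
"""

# Elements only the manager acts on (assumption drawn from the thread's answer):
# inside <agent_config> they are silently ignored.
SERVER_ONLY_ELEMENTS = ("command", "active-response")

XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>", re.DOTALL)
AR_LINE = re.compile(r"^(?P<name>\S+) - (?P<script>\S+) - (?P<timeout>\d+)$")


def lint_agent_conf(xml_text):
    """Return (element, detail) findings for server-only elements found directly
    under any <agent_config> block; an empty list means nothing misplaced."""
    # OSSEC config files may hold several top-level blocks, so wrap them in a
    # synthetic root after dropping any XML declaration.
    wrapped = "<lint-root>" + XML_DECL.sub("", xml_text, count=1) + "</lint-root>"
    root = ET.fromstring(wrapped)
    findings = []
    for cfg in root.iter("agent_config"):
        for child in cfg:
            if child.tag == "command":
                findings.append(("command", "name=%s" % (child.findtext("name") or "?")))
            elif child.tag == "active-response":
                detail = "command=%s rules_id=%s" % (
                    child.findtext("command") or "?", child.findtext("rules_id") or "?")
                findings.append(("active-response", detail))
    return findings


def parse_ar_conf(text):
    """Parse ar.conf into (name, script, timeout) tuples; blank and '#' lines are
    skipped, and any other unparseable line raises so a corrupt table is noticed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = AR_LINE.match(line)
        if m is None:
            raise ValueError("ar.conf line %d not understood: %r" % (lineno, line))
        entries.append((m.group("name"), m.group("script"), int(m.group("timeout"))))
    return entries


def report(agent_conf, ar_conf):
    """Human-readable summary: misplaced blocks first, then the response table."""
    lines = []
    for tag, detail in lint_agent_conf(agent_conf):
        lines.append("MISPLACED <%s> in agent.conf (%s): move it to the server's ossec.conf"
                     % (tag, detail))
    for name, script, timeout in parse_ar_conf(ar_conf):
        lines.append("ar.conf: %s -> %s (timeout %d)" % (name, script, timeout))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AGENT_CONF, SAMPLE_AR_CONF)))
```

Run against the constructed samples it flags both the `<command>` and the `<active-response>` block, which is exactly the configuration the thread started with; run against a real deployment you would feed it `/var/ossec/etc/shared/agent.conf` on the server and the agent's `ar.conf`, and a clean result from the linter plus the expected entries in the table is the state to aim for before looking anywhere else.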
