I tried to configure the following active response.

On the OSSEC server:

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>021</agent_id>
    <rules_id>5712</rules_id>
    <timeout>1800</timeout>
  </active-response>

On the OSSEC agent (id 021):

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

As a test I failed the root login a few times, but the alert is not generated and active-responses.log on the agent is empty:

  -bash-3.2# ls -l /var/ossec/logs
  total 86
  -rw-r--r-- 1 root root 0 Oct 17 14:30 active-responses.log
  -rw-rw-r-- 1 ossec ossec 44032 Oct 17 14:29 ossec.log

It's the same on the server:

  -bash-3.2# ls -l /var/ossec/logs
  total 7432
  -rw-rw---- 1 ossec ossec 0 May 19 10:01 active-responses.log
  drwxr-x--- 3 ossec ossec 4096 Oct 17 12:56 alerts
  drwxr-x--- 3 ossec ossec 4096 Oct 17 12:56 archives
  drwxr-x--- 3 ossec ossec 4096 Oct 17 12:56 firewall
  -rw-rw---- 1 ossec ossec 7582818 Oct 17 17:09 ossec.log

What do I need to do so that the alert appears in the OSSEC GUI and the IP is blocked? I only see the following messages in /var/ossec/logs/alerts/alerts.log:

  ** Alert 1476724188.107242: mail - syslog,errors,
  2016 Oct 17 12:09:48 ixtrtc42scf->/var/log/messages
  Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
  Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg= 'op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed'

  ** Alert 1476724188.107669: mail - syslog,errors,
  2016 Oct 17 12:09:48 ixtrtc42scf->/var/log/messages
  Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
  Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 audit(1476724188.016:36149379): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg= 'op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.188.62.176 terminal=ssh res=failed'

  ** Alert 1476724194.108074: mail - syslog,errors,
  2016 Oct 17 12:09:54 ixtrtc42scf->/var/log/messages
  Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
  Oct 17 12:09:52 ixtrtc42scf kernel: type=1100 audit(1476724192.625:36149380): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg= 'op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed'

  ** Alert 1476724194.108501: mail - syslog,errors,
  2016 Oct 17 12:09:54 ixtrtc42scf->/var/log/messages
  Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
  Oct 17 12:09:52 ixtrtc42scf kernel: type=1100 audit(1476724192.626:36149381): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg= 'op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.188.62.176 terminal=ssh res=failed'

  ** Alert 1476724194.108906: mail - syslog,errors,
  2016 Oct 17 12:09:54 ixtrtc42scf->/var/log/messages
  Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
  Oct 17 12:09:52 ixtrtc42scf kernel: type=1100 audit(1476724192.626:36149382): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg= 'op=maxtries exceeded acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.188.62.176 terminal=ssh res=failed'

  ** Alert 1476724194.109320: mail - syslog,errors,
  2016 Oct 17 12:09:54 ixtrtc42scf->/var/log/messages
  Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
  Oct 17 12:09:52 ixtrtc42scf kernel: type=1112 audit(1476724192.627:36149387): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg= 'op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.188.62.176 terminal=ssh res=failed'
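Added example, not from the post or from the OSSEC project: the alerts quoted above were matched by the generic rule 1002, while the active response is bound to rule 5712, the sshd brute-force rule, which only counts events the sshd decoder recognises. This small Python correlator parses the kernel/audit line layout from the post and applies the same kind of per-source frequency/timeframe logic; the 8-failures-in-120-seconds threshold is an assumed default, and all log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque

# Field pattern for the kernel/audit PAM records quoted in the post (assumed stable layout).
AUDIT_RE = re.compile(
    r'audit\((?P<ts>\d+)\.\d+:\d+\): .*?op=(?P<op>.+?) acct="(?P<acct>[^"]*)" '
    r'exe="(?P<exe>[^"]*)" .*?addr=(?P<addr>\S+) terminal=\S+ res=(?P<res>\w+)'
)

def parse_audit_line(line):
    """Extract epoch time, op, account, executable, source address and result, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec

def failed_auths(lines):
    """Keep only failed sshd records; everything else is noise for this correlation."""
    recs = (parse_audit_line(l) for l in lines)
    return [r for r in recs if r and r["exe"] == "/usr/sbin/sshd" and r["res"] == "failed"]

def brute_force_sources(records, frequency=8, timeframe=120):
    """Per-source sliding window: report (addr, ts) when `frequency` failures land
    within `timeframe` seconds, then restart counting for that source."""
    windows, hits = defaultdict(deque), []
    for r in sorted(records, key=lambda r: r["ts"]):
        w = windows[r["addr"]]
        w.append(r["ts"])
        while w and r["ts"] - w[0] > timeframe:
            w.popleft()
        if len(w) >= frequency:
            hits.append((r["addr"], r["ts"]))
            w.clear()
    return hits

def make_line(ts, op, addr="10.188.62.176", res="failed"):
    """Constructed log line in the same layout as the post's alerts (sample data, not real)."""
    return (f"Oct 17 12:09:48 host kernel: type=1100 audit({ts}.000:1): user pid=6141 uid=0 "
            f"auid=4294967295 ses=4294967295 msg= 'op={op} acct=\"root\" exe=\"/usr/sbin/sshd\" "
            f"hostname=? addr={addr} terminal=ssh res={res}'")

# Six failures in four seconds, as in the post: never reaches frequency=8, so no hit.
POST_LIKE = [make_line(1476724188, "PAM:authentication"), make_line(1476724188, "password"),
             make_line(1476724192, "PAM:authentication"), make_line(1476724192, "password"),
             make_line(1476724192, "maxtries exceeded"), make_line(1476724192, "login")]
# Constructed burst: eight failures spread over 70 seconds from the same source -> one hit.
BURST = [make_line(1476724300 + 10 * i, "password") for i in range(8)]
```

Run `brute_force_sources(failed_auths(POST_LIKE))` to see that the post's burst alone is below threshold, and the same call on `BURST` to see a hit for the source address.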
