On Tue, Oct 18, 2016 at 6:54 PM, Aj Navarro <ajnavarro1...@gmail.com> wrote:

> I tried to configure the following active response:
>
> On the OSSEC server:
>
> <command>
>   <name>firewall-drop</name>
>   <executable>firewall-drop.sh</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
>   <disabled>no</disabled>
>   <command>firewall-drop</command>
>   <location>defined-agent</location>
>   <agent_id>021</agent_id>
>   <rules_id>5712</rules_id>
>   <timeout>1800</timeout>
> </active-response>
>
> On the OSSEC agent (id 021):
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/ossec/logs/active-responses.log</location>
> </localfile>
>
> As a test I failed the login a few times with the root account, but the alert is not generated and active-responses.log on the agent is empty:
>
> -bash-3.2# ls -l /var/ossec/logs
> total 86
> -rw-r--r-- 1 root  root      0 Oct 17 14:30 active-responses.log
> -rw-rw-r-- 1 ossec ossec 44032 Oct 17 14:29 ossec.log
>
> It's the same on the server:
>
> -bash-3.2# ls -l /var/ossec/logs
> total 7432
> -rw-rw---- 1 ossec ossec       0 May 19 10:01 active-responses.log
> drwxr-x--- 3 ossec ossec    4096 Oct 17 12:56 alerts
> drwxr-x--- 3 ossec ossec    4096 Oct 17 12:56 archives
> drwxr-x--- 3 ossec ossec    4096 Oct 17 12:56 firewall
> -rw-rw---- 1 ossec ossec 7582818 Oct 17 17:09 ossec.log
>
> What do I need to do for the alert to appear in the OSSEC GUI and the IP to be blocked?
>
> I only see the following messages in /var/ossec/logs/alerts/alerts.log:
>
> ** Alert 1476724188.107242: mail - syslog,errors,
> 2016 Oct 17 12:09:48 ixtrtc42scf->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed'

These log messages are not triggering 5712. In fact, OSSEC isn't sure what to do with these log messages. Is there anything in your auth log?

> ** Alert 1476724188.107669: mail - syslog,errors,
> 2016 Oct 17 12:09:48 ixtrtc42scf->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 audit(1476724188.016:36149379): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.188.62.176 terminal=ssh res=failed'
>
> ** Alert 1476724194.108074: mail - syslog,errors,
> 2016 Oct 17 12:09:54 ixtrtc42scf->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Oct 17 12:09:52 ixtrtc42scf kernel: type=1100 audit(1476724192.625:36149380): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed'
>
> ** Alert 1476724194.108501: mail - syslog,errors,
> 2016 Oct 17 12:09:54 ixtrtc42scf->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Oct 17 12:09:52 ixtrtc42scf kernel: type=1100 audit(1476724192.626:36149381): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.188.62.176 terminal=ssh res=failed'
>
> ** Alert 1476724194.108906: mail - syslog,errors,
> 2016 Oct 17 12:09:54 ixtrtc42scf->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Oct 17 12:09:52 ixtrtc42scf kernel: type=1100 audit(1476724192.626:36149382): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=maxtries exceeded acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.188.62.176 terminal=ssh res=failed'
>
> ** Alert 1476724194.109320: mail - syslog,errors,
> 2016 Oct 17 12:09:54 ixtrtc42scf->/var/log/messages
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Oct 17 12:09:52 ixtrtc42scf kernel: type=1112 audit(1476724192.627:36149387): user pid=6141 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.188.62.176 terminal=ssh res=failed'
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
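Added illustration, not code from the thread or from OSSEC: a parser for the kernel audit records quoted above (the `type=1100`/`type=1112` lines that only reach the generic rule 1002) and a per-source count of failed sshd authentications with a simplified frequency/timeframe check, which is the kind of extraction a decoder would need before a rule like 5712 could ever see these events. The sample records are constructed from the quoted format; the second source address, 192.0.2.10, is made up.

```python
import re
from collections import defaultdict

# A kernel audit record looks like: type=NNNN audit(ts:serial): ... msg='key=value ...'
AUDIT_RE = re.compile(r"type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):\d+\):.*?msg='(?P<body>[^']*)'")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records modelled on the lines quoted in the thread (not the poster's data).
TEMPLATE = ("Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 audit({ts}:{serial}): user pid=6141 "
            "uid=0 auid=4294967295 ses=4294967295 msg='op={op} acct=\"root\" "
            "exe=\"/usr/sbin/sshd\" hostname=? addr={addr} terminal=ssh res=failed'")
ATTEMPTS = [  # (audit timestamp, op, source address)
    (1476724188.016, "PAM:authentication", "10.188.62.176"),
    (1476724188.016, "password", "10.188.62.176"),  # second record of the same attempt
    (1476724192.625, "PAM:authentication", "10.188.62.176"),
    (1476724200.1, "PAM:authentication", "10.188.62.176"),
    (1476724205.3, "PAM:authentication", "10.188.62.176"),
    (1476724210.7, "PAM:authentication", "10.188.62.176"),
    (1476724215.9, "PAM:authentication", "10.188.62.176"),
    (1476724216.0, "PAM:authentication", "192.0.2.10"),
]
SAMPLE_LINES = [TEMPLATE.format(ts=ts, serial=36149378 + i, op=op, addr=addr)
                for i, (ts, op, addr) in enumerate(ATTEMPTS)]

def parse_audit_line(line):
    """Return the audit fields as a dict, or None if the line is not an audit record."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"type": int(m.group("type")), "ts": float(m.group("ts"))}
    for key, val in KV_RE.findall(m.group("body")):
        rec[key] = val.strip('"')
    return rec

def sshd_failures_by_source(lines, threshold=6, timeframe=120):
    """Return (failures per source, sources that hit `threshold` failures within `timeframe`
    seconds): a simplified frequency/timeframe check, not OSSEC's own logic. Only
    op=PAM:authentication is counted; one failed password also emits op=password,
    op=maxtries exceeded and op=login records, which would inflate the count."""
    recent, flagged = defaultdict(list), []
    for line in lines:
        rec = parse_audit_line(line)
        if (not rec or rec.get("exe") != "/usr/sbin/sshd" or rec.get("res") != "failed"
                or rec.get("op") != "PAM:authentication"):
            continue
        src = rec.get("addr", "?")
        recent[src] = [t for t in recent[src] if rec["ts"] - t <= timeframe] + [rec["ts"]]
        if len(recent[src]) >= threshold and src not in flagged:
            flagged.append(src)
    return {src: len(stamps) for src, stamps in recent.items()}, flagged
```

Running `sshd_failures_by_source(SAMPLE_LINES)` on the constructed records flags 10.188.62.176 after its sixth PAM failure inside the window, while the single failure from 192.0.2.10 stays below threshold.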