How would I go about checking if AR is disabled on agents? Checking config 
files, I don't see anything about it. Running v2.8.3 of OSSEC. Also, this is 
on Ubuntu.

On Wednesday, April 19, 2017 at 2:21:47 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams <tsinfo...@gmail.com> wrote: 
> > Still no luck. Just to verify, the scripts should be located in 
> > /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't 
> > really telling me anything either. 
> > 
>
> Yep, that's where they go. 
> AR isn't disabled on the agents is it? 
> What version of OSSEC? What OS/distro are you using? I don't think 
> I'll be able to set up anything to try and recreate this. 
>
> > On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant <cspit...@gmail.com> wrote: 
> >> > Yes test.sh is on the agent. Execd is also running and yep the alert is 
> >> > firing. 
> >> > 
> >> 
> >> Try removing the level option and leave just the rules_id. 
> >> 
> >> > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant <cspit...@gmail.com> wrote: 
> >> >> > Hello, 
> >> >> > 
> >> >> > I'm pretty new to OSSEC and I'm working to get some active 
> >> >> > responses working. I have tried a number of different active 
> >> >> > responses but cannot seem to get it to work anywhere (not on the 
> >> >> > server or agents). I'm now trying a simple AR to just log to 
> >> >> > active-responses.log but it still does not seem to be triggering. 
> >> >> > I do receive the email alert, but the AR does not trigger. 
> >> >> > Here is my config for the test active response: 
> >> >> > 
> >> >> > <command> 
> >> >> >    <name>test</name> 
> >> >> >    <executable>test.sh</executable> 
> >> >> >    <expect></expect> 
> >> >> >    <timeout_allowed>no</timeout_allowed> 
> >> >> > </command> 
> >> >> > 
> >> >> > (I've tried the location as local, all, and server but no luck) 
> >> >> > 
> >> >> > <active-response> 
> >> >> >    <disabled>no</disabled> 
> >> >> >    <command>test</command> 
> >> >> >    <location>local</location> 
> >> >> >    <rules_id>70999</rules_id> 
> >> >> >    <level>0</level> 
> >> >> > </active-response> 
> >> >> > 
> >> >> > #!/bin/sh 
> >> >> > 
> >> >> > ACTION=$1 
> >> >> > USER=$2 
> >> >> > IP=$3 
> >> >> > ALERTID=$4 
> >> >> > RULEID=$5 
> >> >> > 
> >> >> > LOCAL=`dirname $0`; 
> >> >> > cd $LOCAL 
> >> >> > cd ../ 
> >> >> > PWD=`pwd` 
> >> >> > 
> >> >> > # Logging the call 
> >> >> > echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log 
> >> >> > 
> >> >> > The permissions on test.sh are correct with execute permission and I 
> >> >> > added them to ossec group as all other ARs seemed to have that. 
> >> >> > 
> >> >> 
> >> >> Is test.sh on the system you're trying to run the AR on? 
> >> >> Is execd running on the system you're trying to run the AR on? 
> >> >> Is 70999 firing? 
> >> >> With rules_id, I don't think you'll need the level option set. 
> >> >> 
> >> >> > 
> >> >> > Thanks! 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
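An added example (my code, not from the thread or from OSSEC) in the shape of the check the question at the top asks for: it scans an ossec.conf for an `<active-response>` block with `<disabled>yes</disabled>`, which is the stanza that switches AR off, checks that the AR executable is in /var/ossec/active-response/bin/ with an execute bit, and reports whether execd is running. Assumptions: the default config path /var/ossec/etc/ossec.conf and the daemon name ossec-execd; the sample configs the helper writes are constructed for demonstration.

```sh
#!/bin/sh
# Added example for this thread, not code from OSSEC or from any poster.
# Checks the three things dan asked about: is AR disabled in ossec.conf,
# is the AR script in place and executable, and is execd running.
# Assumptions: default path /var/ossec/etc/ossec.conf, daemon name ossec-execd.

AR_BIN=/var/ossec/active-response/bin

# Print "yes" if any <active-response> block in config file $1 contains
# <disabled>yes</disabled>, else "no". awk rather than an XML parser, because
# ossec.conf may hold several <ossec_config> roots and is not one XML document.
ar_disabled_in_conf() {
    awk '
        /<active-response>/   { inblock = 1 }
        /<\/active-response>/ { inblock = 0 }
        inblock && /<disabled> *yes *<\/disabled>/ { found = 1 }
        END { if (found) print "yes"; else print "no" }
    ' "$1"
}

# Print "ok" when executable $2 exists in directory $1 with an execute bit,
# otherwise the reason: "missing" or "not-executable".
ar_script_status() {
    path="$1/$2"
    if [ ! -e "$path" ]; then echo "missing"
    elif [ ! -x "$path" ]; then echo "not-executable"
    else echo "ok"
    fi
}

# Return 0 when the execd daemon is running (pgrep is from procps on Ubuntu).
execd_running() {
    pgrep -x ossec-execd >/dev/null 2>&1
}

# Write a constructed minimal ossec.conf with <disabled>$1</disabled>; print its path.
make_sample_conf() {
    tmp=$(mktemp)
    printf '<ossec_config>\n  <active-response>\n    <disabled>%s</disabled>\n  </active-response>\n</ossec_config>\n' "$1" > "$tmp"
    echo "$tmp"
}

# Stand-alone run on a real agent: report on its config and the thread's test.sh.
if [ -r /var/ossec/etc/ossec.conf ]; then
    echo "AR disabled in ossec.conf: $(ar_disabled_in_conf /var/ossec/etc/ossec.conf)"
    echo "test.sh under $AR_BIN: $(ar_script_status "$AR_BIN" test.sh)"
    execd_running && echo "ossec-execd: running" || echo "ossec-execd: not running"
fi
```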
