Hi all, I have trouble as below.

How can I insert the Sophos log (from a Windows OSSEC client) into the OSSEC server archive log using syslog? Could anyone help with my issue above?

On Fri, Jul 20, 2018 at 11:27 PM, <[email protected]> wrote:
> Hello,
>
> I am trying a very basic active response which would terminate a PowerShell process when it is created on a host (Windows 10) machine.
>
> I have a standalone SO configuration, with 3 OSSEC agents (v2.9) connected, all Windows machines.
>
> I have verified that the script shutdown_powershell.cmd works, independent of OSSEC active response.
>
> My ossec.conf file looks like this:
>
>   <command>
>     <name>shutdown_powershell</name>
>     <executable>shutdown_powershell.cmd</executable>
>     <expect></expect>
>   </command>
>
>   <active-response>
>     <command>shutdown_powershell</command>
>     <rules_id>100051</rules_id>
>     <location>defined-agent</location>
>     <agent_id>003</agent_id>
>   </active-response>
>
> I have verified that my rule 100051 (powershell_process_creation) works; it populates in Sguil every time I open PowerShell on any agent.
>
> I have restarted OSSEC on my server and agent several times and opened PowerShell on agent 003. I have received varying error messages in my agent log:
>
> SET 1)
>
> 2018/07/17 15:35:33 ossec-execd: INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
> 2018/07/17 15:35:34 ossec-execd: INFO: Active response command not present: 'active-response/bin/host-deny.sh'. Not using it on this system.
> 2018/07/17 15:35:34 ossec-execd: INFO: Active response command not present: 'active-response/bin/firewall-drop.sh'. Not using it on this system.
> 2018/07/17 15:35:34 ossec-execd: INFO: Active response command not present: 'active-response/bin/shutdown_powershell.cmd'. Not using it on this system.
>
> SET 2)
>
> 2018/07/17 16:40:50 ossec-execd: INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
> 2018/07/17 16:40:50 ossec-execd: INFO: Active response command not present: 'active-response/bin/host-deny.sh'. Not using it on this system.
> 2018/07/17 16:40:50 ossec-execd: INFO: Active response command not present: 'active-response/bin/firewall-drop.sh'. Not using it on this system.
>
> SET 3)
>
> 2018/07/18 10:37:31 ossec-execd: ERROR: Unable to create active response process.
> 2018/07/18 10:43:45 ossec-execd: ERROR: Unable to create active response process.
> 2018/07/18 11:08:55 ossec-execd: ERROR: Unable to create active response process.
>
> I seem to be having less and less success every time. Each set corresponds to a time when I have opened PowerShell, so the rule is definitely working and my ossec.conf seems to have configured the active response correctly, but ultimately the script is not running.
>
> Question:
>
> 1) For active response, do I need to place the active response script in the folder C:\Program Files (x86)\ossec-agent\active-response\bin on the host machine or in /var/ossec/active-response/bin on the server machine? I have tried placing it in both. OSSEC documentation seems unclear on this point.
>
> Thanks,
>
> Clark
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

--
Regards,
BHASKAR PATEL
+919998031132
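Editor's added example, not code from either poster or from the OSSEC project: the two ossec.conf fragments that the two questions in this thread call for, shown side by side. The agent-side fragment reads a plain-text log file from the Windows agent so that its lines reach the server, and the server-side fragment turns on archiving of every received event plus the active-response pairing quoted above. The Sophos log path is an assumption (Sophos writes its logs wherever it is configured to on that host); rule id 100051 and agent id 003 are taken from the thread. The agent log lines quoted above ("Active response command not present: 'active-response/bin/shutdown_powershell.cmd'") are ossec-execd on the agent looking for the executable relative to its own install directory, which is why the script is shown under the agent path here.

```xml
<!-- Agent side: C:\Program Files (x86)\ossec-agent\ossec.conf on Windows agent 003.
     Added example; the log path below is an assumption, adjust it to the file
     Sophos actually writes on the host. -->
<ossec_config>
  <!-- Read the file line by line. "syslog" is OSSEC's generic one-event-per-line
       format for a local file; it does not open a network syslog listener. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\ProgramData\Sophos\Logs\sophos.log</location> <!-- assumed path -->
  </localfile>
</ossec_config>
<!-- The active-response executable must also be present on this agent at
     C:\Program Files (x86)\ossec-agent\active-response\bin\shutdown_powershell.cmd;
     the agent's ossec-execd logs "Active response command not present" when
     the file is missing from that directory. -->

<!-- Server side: /var/ossec/etc/ossec.conf -->
<ossec_config>
  <global>
    <!-- Write every received event, alert or not, to logs/archives/archives.log.
         Without this, only events that fire an alert are kept on the server. -->
    <logall>yes</logall>
  </global>

  <!-- Command definition: name used by <active-response>, executable looked up
       under active-response/bin on whichever host runs the response. -->
  <command>
    <name>shutdown_powershell</name>
    <executable>shutdown_powershell.cmd</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Trigger: rule 100051 fires, run the command on agent 003 only. -->
  <active-response>
    <command>shutdown_powershell</command>
    <location>defined-agent</location>
    <agent_id>003</agent_id>
    <rules_id>100051</rules_id>
  </active-response>
</ossec_config>
```

Restart both the server and the agent after changing either file, then open PowerShell on the agent and watch C:\Program Files (x86)\ossec-agent\ossec.log on the agent: the "command not present" line for shutdown_powershell.cmd should no longer appear, and with logall enabled the Sophos lines should show up in /var/ossec/logs/archives/archives.log on the server.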
