Is sendEvent.sh executable?

Yes, sendEvent.sh can execute. I can receive the OSSEC server alert on Telegram, but can't receive the OSSEC agent alert.

Does anything get logged to active-responses.log?

Example active-responses.log on the OSSEC server:

Mon Nov 5 06:24:01 HKT 2018 /var/ossec/active-response/bin/sendEvent.sh add - - 1541370241.4026 550 syscheck -
Mon Nov 5 07:06:08 HKT 2018 /var/ossec/active-response/bin/sendEvent.sh add - - 1541372768.4456 550 syscheck -
Mon Nov 5 07:48:15 HKT 2018 /var/ossec/active-response/bin/sendEvent.sh add - - 1541375295.4886 550 syscheck -
Mon Nov 5 08:30:23 HKT 2018 /var/ossec/active-response/bin/sendEvent.sh add - - 1541377823.5316 550 syscheck -
Mon Nov 5 09:12:30 HKT 2018 /var/ossec/active-response/bin/sendEvent.sh add - - 1541380350.5746 550 syscheck -
Mon Nov 5 09:32:15 HKT 2018 /var/ossec/active-response/bin/sendEvent.sh add - - 1541381535.11330 550 syscheck -

Is ossec-execd running on the agent and server?

Yes, ossec-execd is running on the server and the agent.

Is ossec-monitord running on the server?

Yes, ossec-monitord is running on the server.

On Friday, 2 November 2018 18:50:52 UTC+8, dan (ddpbsd) wrote:
> On Thu, Nov 1, 2018 at 4:25 AM <[email protected]> wrote:
> >
> > Hi All,
> >
> > After I configured the active-response on the OSSEC server for a Telegram bot to send alerts, it successfully receives OSSEC server alerts, but is unable to receive OSSEC agent alerts.
> >
> > (OSSEC server configuration)
> >
> > ossec.conf
> >
> >   <command>
> >     <name>send-event</name>
> >     <executable>sendEvent.sh</executable>
> >     <expect></expect>
> >   </command>
> >
> >   <active-response>
> >     <disabled>no</disabled>
> >     <command>send-event</command>
> >     <location>local</location>
> >     <level>7</level>
> >   </active-response>
> >
> > sendEvent.sh
> >
> >   #!/bin/sh
> >   TOKEN="xxxxxx"
> >   CHAT_ID="xxxxxx"
> >   ACTION="$1"
> >   USER="$2"
> >   IP="$3"
> >   ALERTID="$4"
> >   RULEID="$5"
> >   LOCAL=$(dirname "$0")
> >   cd "$LOCAL"
> >   cd ../
> >   # Use a plain variable instead of overwriting the shell's own PWD
> >   BASE=$(pwd)
> >   # Logging the call
> >   echo "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "${BASE}/../logs/active-responses.log"
> >   # Getting alert time
> >   ALERTTIME=$(echo "$ALERTID" | cut -d "." -f 1)
> >   # Getting end of alert
> >   ALERTLAST=$(echo "$ALERTID" | cut -d "." -f 2)
> >   # Getting full alert
> >   #ALERT=$(grep -A 5 "$ALERTTIME" "${BASE}/../logs/alerts/alerts.log" | grep -v ". $ALERTLAST :")
> >   ALERT=$(grep -A 15 "$ALERTTIME" "${BASE}/../logs/alerts/alerts.log" | grep -v ".$ALERTLAST :" -A 15)
> >   # Form-encode the alert text so "&", "+" and "%" in it cannot break the POST body
> >   curl -s \
> >     -X POST \
> >     "https://api.telegram.org/bot${TOKEN}/sendMessage" \
> >     --data-urlencode "text=$ALERT" \
> >     -d "chat_id=$CHAT_ID"
> >
> > OSSEC agent
> >
> > ar.conf
> >
> >   restart-ossec0 - restart-ossec.sh - 0
> >   restart-ossec0 - restart-ossec.cmd - 0
> >   send-event0 - sendEvent.sh - 0
> >
> > What did I miss?
>
> Is sendEvent.sh executable?
> Does anything get logged to active-responses.log?
> Is ossec-execd running on the agent and server?
> Is ossec-monitord running on the server?

-- 

--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
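Two things in the posted configuration are worth checking against OSSEC's active-response semantics. First, the script greps alerts.log, which lives only on the manager, while `<location>local</location>` runs the command on the host that generated the alert, so for an agent alert the agent's ossec-execd would execute sendEvent.sh with no alerts.log to read; a notification script that reads the manager's alert log is normally run with `<location>server</location>`. Second, grepping on the timestamp half of the alert ID (`1541370241`) matches every alert logged in that second. The script below is an added example, not the poster's script nor OSSEC's own code: it selects exactly the alert whose header is `** Alert <ALERTID>:` (the alerts.log header format) up to the blank line that ends it, form-encodes the text for curl, and logs the call. Paths under /var/ossec, the `TELEGRAM_TOKEN`/`TELEGRAM_CHAT_ID` variables and the `TELEGRAM_DRY_RUN` switch are assumptions for this example; the alerts.log content in the test is constructed.

```shell
#!/bin/sh
# Added example (not the poster's script or OSSEC code). Intended to live in
# /var/ossec/active-response/bin on the manager and be called by ossec-execd as:
#   sendEvent.sh ACTION USER IP ALERTID RULEID
# TELEGRAM_TOKEN / TELEGRAM_CHAT_ID / TELEGRAM_DRY_RUN are this example's own
# variables, not OSSEC settings.

TOKEN="${TELEGRAM_TOKEN:-xxxxxx}"
CHAT_ID="${TELEGRAM_CHAT_ID:-xxxxxx}"
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# extract_alert ID FILE: print the alert whose header line starts with
# "** Alert ID:" and stop at the blank line that terminates it, so alerts that
# share the same timestamp second are never mixed into the message.
extract_alert() {
  awk -v id="$1" '
    index($0, "** Alert " id ":") == 1 { found = 1 }
    found && /^$/                      { exit }
    found                              { print }
  ' "$2"
}

# send_telegram TEXT: POST the alert text with --data-urlencode so "&", "+",
# "%" and newlines inside the alert cannot corrupt the request body.
# With TELEGRAM_DRY_RUN=1 the text is echoed instead (offline testing).
send_telegram() {
  if [ "${TELEGRAM_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$1"
    return 0
  fi
  curl -sS -X POST "https://api.telegram.org/bot${TOKEN}/sendMessage" \
    --data-urlencode "chat_id=${CHAT_ID}" \
    --data-urlencode "text=$1"
}

# Active-response entry point. Skipped when run without arguments.
if [ "$#" -ge 4 ]; then
  ACTION="$1"; AR_USER="$2"; IP="$3"; ALERTID="$4"; RULEID="${5:-}"
  # Log the call the same way OSSEC's bundled scripts do
  echo "$(date) $0 $ACTION $AR_USER $IP $ALERTID $RULEID" \
    >> "${OSSEC_DIR}/logs/active-responses.log"
  ALERT=$(extract_alert "$ALERTID" "${OSSEC_DIR}/logs/alerts/alerts.log")
  [ -n "$ALERT" ] || ALERT="OSSEC alert ${ALERTID} (rule ${RULEID}) not found in alerts.log"
  send_telegram "$ALERT"
fi
```

Because the alert is looked up by its full ID rather than by a timestamp prefix, the message contains one alert even when several agents report in the same second; the not-found fallback still produces a notification rather than an empty POST.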
