Re: [ossec-list] Active Response not working at all
Hi, you are right Tony.

The syntax for *ossec.conf* is not user-friendly. You must think in the following way:

If it is a setting like yes/no, it will be overwritten if the parser finds the same setting below. Example:

yes
no

The final value will be 'no'.

However, if the setting is like a *list*, it will be appended if the parser finds the same setting below. Example:

/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt

The final value will be:

/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt

This kind of merge only happens for some sections. For example, it doesn't happen for *localfile, agentless, command, remote* and *syslog_output*.

I hope some day we can improve the syntax:

yes 10.10.10.10 ... ...

Regards.

On Thursday, April 27, 2017 at 11:27:49 PM UTC+2, Tony Bryant wrote:
>
> For anyone curious it was an incredibly simple fix :(. Apparently if any
> active-responses in your ossec.config file are disabled, it will disable
> all of the active responses. I had 4 enabled and 1 disabled, but because of
> that 1, they all were disabled.
>
> On Wednesday, April 19, 2017 at 3:42:46 PM UTC-7, Tony Bryant wrote:
>>
>> Hmm, ok, is this the only active-response config on your agent? I'm not
>> seeing any so that may be my problem. Is it one active-response config for
>> all (like the one you posted below should serve all future ARs)? And what I
>> posted was on the server. I'll give this a try though.
>>
>> On Wednesday, April 19, 2017 at 2:54:55 PM UTC-7, dan (ddpbsd) wrote:
>>>
>>> On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote:
>>> > How would I go about checking if AR is disabled on agents? Checking config
>>> > files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this
>>> > is on Ubuntu.
>>> >
>>>
>>> I think it's enabled by default.
Re: [ossec-list] Active Response not working at all
For anyone curious it was an incredibly simple fix :(. Apparently if any active-responses in your ossec.config file are disabled, it will disable all of the active responses. I had 4 enabled and 1 disabled, but because of that 1, they all were disabled.

On Wednesday, April 19, 2017 at 3:42:46 PM UTC-7, Tony Bryant wrote:
>
> Hmm, ok, is this the only active-response config on your agent? I'm not
> seeing any so that may be my problem. Is it one active-response config for
> all (like the one you posted below should serve all future ARs)? And what I
> posted was on the server. I'll give this a try though.
>
> On Wednesday, April 19, 2017 at 2:54:55 PM UTC-7, dan (ddpbsd) wrote:
>>
>> On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote:
>> > How would I go about checking if AR is disabled on agents? Checking config
>> > files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this
>> > is on Ubuntu.
>> >
>>
>> I think it's enabled by default. This is all I have on one of my agents:
>>
>> no
>> 15,60,1440,86400
>>
>> > On Wednesday, April 19, 2017 at 2:21:47 PM UTC-7, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote:
>> >> > Still no luck. Just to verify, the scripts should be located in
>> >> > /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't
>> >> > really telling me anything either.
>> >> >
>> >>
>> >> Yep, that's where they go.
>> >> AR isn't disabled on the agents, is it?
>> >> What version of OSSEC? What OS/distro are you using? I don't think
>> >> I'll be able to set up anything to try and recreate this.
>> >>
>> >> > On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote:
>> >> >> > Yes test.sh is on the agent. Execd is also running and yep the alert is
>> >> >> > firing.
>> >> >> >
>> >> >>
>> >> >> Try removing the level option and leave just the rules_id.
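A check for the behaviour reported in the two messages above (one disabled active-response block disabling all of them, and a yes/no setting taking the value of its last occurrence), written as an added example that is not from the thread or from OSSEC's own code. `SAMPLE_CONF`, the `test1` to `test5` command names and the rule IDs other than 70999 are constructed; `active-response`, `disabled`, `command`, `location` and `rules_id` are the standard ossec.conf element names.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): two <ossec_config> roots and five
# active-response blocks, four enabled and the third one disabled.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>test1</command>
    <location>local</location>
    <rules_id>70999</rules_id>
  </active-response>
  <active-response>
    <command>test2</command>
    <location>local</location>
    <rules_id>70998</rules_id>
  </active-response>
  <active-response>
    <disabled>yes</disabled>
    <command>test3</command>
    <location>local</location>
    <rules_id>70997</rules_id>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>test4</command>
    <location>server</location>
    <rules_id>70996</rules_id>
  </active-response>
  <active-response>
    <disabled>no</disabled>
    <command>test5</command>
    <location>all</location>
    <rules_id>70995</rules_id>
  </active-response>
</ossec_config>
"""


def load_sections(conf_text):
    """Parse ossec.conf text. The file may hold several <ossec_config> roots,
    which is not well-formed XML by itself, so wrap it in a synthetic root.
    Assumes the file carries no <?xml ...?> declaration."""
    return ET.fromstring("<wrapper>" + conf_text + "</wrapper>")


def active_responses(root):
    """Return one dict per <active-response> block, in file order."""
    blocks = []
    for index, ar in enumerate(root.iter("active-response"), start=1):
        blocks.append({
            "index": index,
            "command": (ar.findtext("command") or "").strip(),
            "rules_id": (ar.findtext("rules_id") or "").strip(),
            # "" when the block has no <disabled> element at all
            "disabled": (ar.findtext("disabled") or "").strip().lower(),
        })
    return blocks


def audit(conf_text):
    """Evaluate the active-response blocks under both rules from the thread."""
    blocks = active_responses(load_sections(conf_text))
    disabling = [b for b in blocks if b["disabled"] == "yes"]
    explicit = [b["disabled"] for b in blocks if b["disabled"] in ("yes", "no")]
    return {
        "total": len(blocks),
        "disabling": disabling,
        # Behaviour reported in the thread: one disabled block disables all.
        "all_disabled_if_any": bool(disabling),
        # Rule described in the reply: the last occurrence of a yes/no wins.
        "last_value_wins": explicit[-1] if explicit else None,
    }


def report(conf_text):
    """Human-readable summary; flags every block that sets disabled=yes."""
    result = audit(conf_text)
    lines = ["%d active-response block(s) found" % result["total"]]
    for b in result["disabling"]:
        lines.append("  block #%d (command=%r, rules_id=%r) sets disabled=yes"
                     % (b["index"], b["command"], b["rules_id"]))
    lines.append("any-disabled rule: active response %s"
                 % ("OFF" if result["all_disabled_if_any"] else "on"))
    lines.append("last-value rule: disabled=%s" % result["last_value_wins"])
    return "\n".join(lines)


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print(report(text))
```

In the sample the disabled block is not the last one, so the two descriptions give different answers; flagging every `disabled=yes` block covers both.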
Re: [ossec-list] Active Response not working at all
Hmm, ok, is this the only active-response config on your agent? I'm not seeing any so that may be my problem. Is it one active-response config for all (like the one you posted below should serve all future ARs)? And what I posted was on the server. I'll give this a try though.

On Wednesday, April 19, 2017 at 2:54:55 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote:
> > How would I go about checking if AR is disabled on agents? Checking config
> > files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this
> > is on Ubuntu.
> >
>
> I think it's enabled by default. This is all I have on one of my agents:
>
> no
> 15,60,1440,86400
>
> > On Wednesday, April 19, 2017 at 2:21:47 PM UTC-7, dan (ddpbsd) wrote:
> >>
> >> On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote:
> >> > Still no luck. Just to verify, the scripts should be located in
> >> > /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't
> >> > really telling me anything either.
> >> >
> >>
> >> Yep, that's where they go.
> >> AR isn't disabled on the agents, is it?
> >> What version of OSSEC? What OS/distro are you using? I don't think
> >> I'll be able to set up anything to try and recreate this.
> >>
> >> > On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote:
> >> >>
> >> >> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote:
> >> >> > Yes test.sh is on the agent. Execd is also running and yep the alert is
> >> >> > firing.
> >> >> >
> >> >>
> >> >> Try removing the level option and leave just the rules_id.
> >> >>
> >> >> > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote:
> >> >> >> > Hello,
> >> >> >> >
> >> >> >> > I'm pretty new to OSSEC and I'm working to get some active responses
> >> >> >> > working.
Re: [ossec-list] Active Response not working at all
On Wed, Apr 19, 2017 at 5:54 PM, dan (ddp) wrote:
> On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote:
>> How would I go about checking if AR is disabled on agents? Checking config
>> files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this
>> is on Ubuntu.
>>
>
> I think it's enabled by default. This is all I have on one of my agents:
>
> no
> 15,60,1440,86400
>

I guess the only other things I can think of are:
* Make sure the configs you posted are on the OSSEC server, not the agents.
* Make sure you restart the OSSEC processes on the server after you added that configuration.

>
>> On Wednesday, April 19, 2017 at 2:21:47 PM UTC-7, dan (ddpbsd) wrote:
>>>
>>> On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote:
>>> > Still no luck. Just to verify, the scripts should be located in
>>> > /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't
>>> > really telling me anything either.
>>> >
>>>
>>> Yep, that's where they go.
>>> AR isn't disabled on the agents, is it?
>>> What version of OSSEC? What OS/distro are you using? I don't think
>>> I'll be able to set up anything to try and recreate this.
>>>
>>> > On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote:
>>> >>
>>> >> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote:
>>> >> > Yes test.sh is on the agent. Execd is also running and yep the alert is
>>> >> > firing.
>>> >> >
>>> >>
>>> >> Try removing the level option and leave just the rules_id.
>>> >>
>>> >> > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote:
>>> >> >>
>>> >> >> On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote:
>>> >> >> > Hello,
>>> >> >> >
>>> >> >> > I'm pretty new to OSSEC and I'm working to get some active responses
>>> >> >> > working. I have tried a number of different active responses but cannot seem
>>> >> >> > to get it to work anywhere (not on the server or agents).
Re: [ossec-list] Active Response not working at all
On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote:
> How would I go about checking if AR is disabled on agents? Checking config
> files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this
> is on Ubuntu.
>

I think it's enabled by default. This is all I have on one of my agents:

no
15,60,1440,86400

> On Wednesday, April 19, 2017 at 2:21:47 PM UTC-7, dan (ddpbsd) wrote:
>>
>> On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote:
>> > Still no luck. Just to verify, the scripts should be located in
>> > /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't
>> > really telling me anything either.
>> >
>>
>> Yep, that's where they go.
>> AR isn't disabled on the agents, is it?
>> What version of OSSEC? What OS/distro are you using? I don't think
>> I'll be able to set up anything to try and recreate this.
>>
>> > On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote:
>> >> > Yes test.sh is on the agent. Execd is also running and yep the alert is
>> >> > firing.
>> >> >
>> >>
>> >> Try removing the level option and leave just the rules_id.
>> >>
>> >> > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote:
>> >> >> > Hello,
>> >> >> >
>> >> >> > I'm pretty new to OSSEC and I'm working to get some active responses
>> >> >> > working. I have tried a number of different active responses but cannot seem
>> >> >> > to get it to work anywhere (not on the server or agents). I'm now trying a
>> >> >> > simple AR to just log to active-responses.log but it still does not seem to
>> >> >> > be triggering. I do receive the email alert, but the AR does not trigger.
Re: [ossec-list] Active Response not working at all
How would I go about checking if AR is disabled on agents? Checking config files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this is on Ubuntu.

On Wednesday, April 19, 2017 at 2:21:47 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote:
> > Still no luck. Just to verify, the scripts should be located in
> > /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't
> > really telling me anything either.
> >
>
> Yep, that's where they go.
> AR isn't disabled on the agents, is it?
> What version of OSSEC? What OS/distro are you using? I don't think
> I'll be able to set up anything to try and recreate this.
>
> > On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote:
> >>
> >> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote:
> >> > Yes test.sh is on the agent. Execd is also running and yep the alert is
> >> > firing.
> >> >
> >>
> >> Try removing the level option and leave just the rules_id.
> >>
> >> > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote:
> >> >>
> >> >> On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote:
> >> >> > Hello,
> >> >> >
> >> >> > I'm pretty new to OSSEC and I'm working to get some active responses
> >> >> > working. I have tried a number of different active responses but cannot seem
> >> >> > to get it to work anywhere (not on the server or agents). I'm now trying a
> >> >> > simple AR to just log to active-responses.log but it still does not seem to
> >> >> > be triggering. I do receive the email alert, but the AR does not trigger.
--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Active Response not working at all
On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote:
> Still no luck. Just to verify, the scripts should be located in
> /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't
> really telling me anything either.
>

Yep, that's where they go.
AR isn't disabled on the agents, is it?
What version of OSSEC? What OS/distro are you using? I don't think I'll be able to set up anything to try and recreate this.

> On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote:
>>
>> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote:
>> > Yes test.sh is on the agent. Execd is also running and yep the alert is
>> > firing.
>> >
>>
>> Try removing the level option and leave just the rules_id.
>>
>> > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote:
>> >> > Hello,
>> >> >
>> >> > I'm pretty new to OSSEC and I'm working to get some active responses
>> >> > working. I have tried a number of different active responses but cannot seem
>> >> > to get it to work anywhere (not on the server or agents). I'm now trying a
>> >> > simple AR to just log to active-responses.log but it still does not seem to
>> >> > be triggering. I do receive the email alert, but the AR does not trigger.
>> >> > Here is my config for the test active response:
>> >> >
>> >> >test
>> >> >test.sh
>> >> >no
>> >> >
>> >> > (I've tried the location as local, all, and server but no luck)
>> >> >
>> >> >no
>> >> >test
>> >> >local
>> >> >70999
>> >> >0
>> >> >
>> >> > #!/bin/sh
>> >> >
>> >> > ACTION=$1
>> >> > USER=$2
>> >> > IP=$3
>> >> > ALERTID=$4
>> >> > RULEID=$5
>> >> >
>> >> > LOCAL=`dirname $0`;
>> >> > cd $LOCAL
>> >> > cd ../
>> >> > PWD=`pwd`
>> >> >
>> >> > # Logging the call
>> >> > echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
>> >> >
>> >> > The permissions on test.sh are correct with execute permission and I added
>> >> > them to ossec group as all other ARs seemed to have that.
>> >> >
>> >>
>> >> Is test.sh on the system you're trying to run the AR on?
>> >> Is execd running on the system you're trying to run the AR on?
>> >> Is 70999 firing?
>> >> With rules_id, I don't think you'll need the level option set.
>> >>
>> >> >
>> >> > Thanks!
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Active Response not working at all
Still no luck. Just to verify, the scripts should be located in /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't really telling me anything either.

On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote:
> Try removing the level option and leave just the rules_id.
Re: [ossec-list] Active Response not working at all
On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote:
> Yes test.sh is on the agent. Execd is also running and yep the alert is
> firing.

Try removing the level option and leave just the rules_id.
Re: [ossec-list] Active Response not working at all
Yes test.sh is on the agent. Execd is also running and yep the alert is firing.

On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote:
> Is test.sh on the system you're trying to run the AR on?
> Is execd running on the system you're trying to run the AR on?
> Is 70999 firing?
> With rules_id, I don't think you'll need the level option set.
Re: [ossec-list] Active Response not working at all
On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote:
> The permissions on test.sh are correct with execute permission and I added
> them to ossec group as all other ARs seemed to have that.

Is test.sh on the system you're trying to run the AR on?
Is execd running on the system you're trying to run the AR on?
Is 70999 firing?
With rules_id, I don't think you'll need the level option set.
[ossec-list] Active Response not working at all
Hello,

I'm pretty new to OSSEC and I'm working to get some active responses working. I have tried a number of different active responses but cannot seem to get it to work anywhere (not on the server or agents). I'm now trying a simple AR to just log to active-responses.log but it still does not seem to be triggering. I do receive the email alert, but the AR does not trigger. Here is my config for the test active response:

test
test.sh
no

(I've tried the location as local, all, and server but no luck)

no
test
local
70999
0

#!/bin/sh

ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`

# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log

The permissions on test.sh are correct with execute permission and I added them to ossec group as all other ARs seemed to have that.

Thanks!
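The checks raised in this thread (is the script under active-response/bin and executable, and does any active-response block set disabled to yes, which the thread reports turns off every active response) can be scripted. This is an added example, not part of the original posts or of OSSEC itself; the function names, the etc/ossec.conf path under the install root, and the constructed sample configuration with its element names (assumed to be the stock OSSEC ones) are assumptions, and XML comments are not parsed.

```shell
#!/bin/sh
# Added example: pre-flight checks for OSSEC active response (AR).
# Assumed layout: ROOT/etc/ossec.conf, ROOT/active-response/bin, ROOT/logs.

# Print "yes" if any <active-response> block holds <disabled>yes</disabled>.
ar_any_disabled() {
    awk '/<active-response>/ { in_ar = 1 }
         in_ar && /<disabled>[ \t]*yes[ \t]*<\/disabled>/ { found = 1 }
         /<\/active-response>/ { in_ar = 0 }
         END { print (found ? "yes" : "no") }' "$1"
}

# Print every script named by an <executable> element, one per line.
ar_executables() {
    sed -n 's/.*<executable>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*<\/executable>.*/\1/p' "$1"
}

# ar_preflight ROOT [SCRIPT...]: return 0 only if every check passes.
ar_preflight() {
    root=$1; shift
    conf="$root/etc/ossec.conf"; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    if [ "$(ar_any_disabled "$conf")" = yes ]; then
        echo "FAIL: an active-response block is disabled"; rc=1
    fi
    for exe in $(ar_executables "$conf") "$@"; do
        [ -x "$root/active-response/bin/$exe" ] ||
            { echo "FAIL: $exe missing or not executable"; rc=1; }
    done
    [ -d "$root/logs" ] || { echo "FAIL: $root/logs missing"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: pre-flight passed"
    return "$rc"
}

# Constructed sample tree: ar_make_sample DIR yes|no sets the second block.
ar_make_sample() {
    mkdir -p "$1/etc" "$1/active-response/bin" "$1/logs"
    printf '#!/bin/sh\n' > "$1/active-response/bin/test.sh"
    chmod +x "$1/active-response/bin/test.sh"
    cat > "$1/etc/ossec.conf" <<EOF
<ossec_config>
  <command><name>test</name><executable>test.sh</executable></command>
  <active-response>
    <disabled>no</disabled><command>test</command>
    <location>local</location><rules_id>70999</rules_id>
  </active-response>
  <active-response><disabled>$2</disabled></active-response>
</ossec_config>
EOF
}
```

On a real host, `ar_preflight /var/ossec test.sh` runs the same checks; the extra arguments name scripts that the local config does not list, as on an agent.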