--On July 23, 2010 11:00:21 AM -0700 reg <regoma...@gmail.com> wrote:
I am trying to write a custom active response based upon the instructions here: http://www.ossec.net/wiki/Know_How:CustomActiveResponses To test, I copied this text exactly and ran it on the server, no problem. However, I would like to have this script run on a remote host. To test, I copied the script to a remote host, added it to the /var/ossec/active-response/bin directory, checked the permissions, then modified the script to only execute this: echo "test" | mail $MAILADDRESS -s "OSSEC Alert"
If this is the only contents of the active response it will always fail. The variable $MAILADDRESS is created far earlier in the script.
Use the full script from the web page <http://www.ossec.net/wiki/Know_How:CustomActiveResponses#3-Create_active_response_script> and just change line 5 MAILADDRESS="x...@ossec.net"
I have verified that the rule I am using to test works; I do see the alerts coming in. However, the active-response is not kicking off on the remote host and I am not sure why. I turned on debug=2 for the agent on both the OSSEC server and the client I am trying to kick off the action on, but nothing is coming up. Here is my command and active response configuration. Even though I do not need any data from the rule itself, the <expect> tags were required for OSSEC to start, but that's another issue (I think).

  <command>
    <name>mailtest</name>
    <executable>mailtest.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>svncheck</command>
    <location>defined-agent</location>
    <agent_id>349</agent_id>
    <rules_id>5712</rules_id>
  </active-response>

Can someone give me an idea what I am doing wrong, or some way to turn on further debugging to locate where this is dying? -R
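As an added example (not from this thread, the wiki script, or the OSSEC project itself), here is a minimal POSIX sh active-response script that records every invocation in the active-responses log, so you can tell whether the agent ran it at all before the mail step, plus a small check that every command referenced from an <active-response> block names a defined <command>. The positional-argument order (action, user, srcip, alert id, rule id) follows OSSEC's active-response convention; the log path and the sample ossec.conf fragment are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not OSSEC's own code.  OSSEC invokes an active-response
# script with positional arguments: $1 action (add/delete), $2 user,
# $3 srcip, $4 alert id, $5 rule id.  AR_LOG is an assumption; override
# it when testing outside /var/ossec.
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# Build one deterministic log record from the arguments the agent passed.
ar_format_line() {
    printf 'action=%s user=%s srcip=%s alertid=%s ruleid=%s' \
        "${1:-}" "${2:-}" "${3:-}" "${4:-}" "${5:-}"
}

# Append a timestamped record to the log; returns non-zero if the write fails.
ar_log_invocation() {
    printf '%s %s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$0" \
        "$(ar_format_line "$@")" >> "$AR_LOG"
}

# Check an ossec.conf (or fragment) for dangling references: every
# <active-response><command>X</command> must match a <command><name>X</name>.
# Prints each missing name on its own line and returns 1 if any is missing.
ar_check_commands() {
    awk '
        /<command>[[:space:]]*$/                 { in_cmd = 1 }   # opening <command> block
        /<\/command>[[:space:]]*$/ && in_cmd     { in_cmd = 0 }
        in_cmd && match($0, /<name>[^<]*<\/name>/) {
            defined[substr($0, RSTART + 6, RLENGTH - 13)] = 1
        }
        /<active-response>/                      { in_ar = 1 }
        /<\/active-response>/                    { in_ar = 0 }
        in_ar && match($0, /<command>[^<]*<\/command>/) {
            refs[substr($0, RSTART + 9, RLENGTH - 19)] = 1
        }
        END {
            bad = 0
            for (r in refs) if (!(r in defined)) { print r; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed sample fragment with the same shape as the one in the thread:
# the defined command is "mailtest" but the active-response refers to "svncheck".
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <command>
    <name>mailtest</name>
    <executable>mailtest.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>svncheck</command>
    <location>defined-agent</location>
    <agent_id>349</agent_id>
    <rules_id>5712</rules_id>
  </active-response>
</ossec_config>
EOF
}

# When the agent calls us (arguments present), just record the invocation.
if [ $# -gt 0 ]; then
    ar_log_invocation "$@" || exit 1
fi
```

Drop the script into active-response/bin on the agent under the name given in <executable>; if the agent fires it, a record appears in the log even when the mail command later fails. Run ar_check_commands against the server's ossec.conf to catch a <command> that no defined command provides.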