Because my script removes USB storage and logs it in an active response log file. I see my favorite output for the other rules, but not my written rules. What do you mean by process debug mode? I've googled, but I can't find any tools for this purpose.

On 3/14/11, dan (ddp) <[email protected]> wrote:
> How do you know the script isn't running?
> Have you tried running the various processes in debug mode?
>
> On Mon, Mar 14, 2011 at 3:09 AM, tayebe <[email protected]> wrote:
>> Hi,
>> I installed ossec-hids-2.5.1 on Fedora 13 as server and I have a
>> Windows XP agent. I've recently written a new script and corresponding
>> rule in local-rules to fire that script. I see the alert that detects
>> my new rule, but it doesn't fire my script. I am sure that every
>> setting is right, because if I change the rule id to 503 to fire that
>> script (agent started), my script works properly, but when I add my
>> rule id, it doesn't fire.
>> Here is my ossec.conf on the server side:
>>
>> <command>
>>   <name>My-script</name>
>>   <executable>my-script.cmd</executable>
>>   <expect></expect>
>>   <timeout_allowed>no</timeout_allowed>
>> </command>
>>
>> <active-response>
>>   <command>My-script</command>
>>   <location>local</location>
>>   <rules_id>100010</rules_id>
>> </active-response>
>>
>> And I'm sure to enable active response in the Windows agent, and have
>> my-script.cmd in the /active response/bin directory on the agent side.
>> Any ideas?
>
