Hi Arif

Firstly, let me explain that I come from a mainframe background, and I work on 
all manner of systems: Unix, Windows, Linux, Sparc etc.

Being quite lazy, I can only claim proficiency in one scripting language, REXX, 
which is available on just about all platforms, including Linux. The scripts 
here are written in REXX, but should be fairly easy to decipher and rewrite as 
a BASH script if you prefer; that's just beyond my skills, and no way am I 
going to spend the time to learn!!!

Here’s the Active Response definition in ossec.conf:

<command>
    <name>send-sms</name>
    <executable>sendsms.sh</executable>
    <expect>username</expect>
    <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
    <command>send-sms</command>
    <location>server</location>
    <level>12</level>
</active-response>

Here’s the actual Active Response script – in active-response/bin

sendsms.sh

#!/bin/sh

# Run from active-response/bin, so two levels up is the OSSEC root
LOCAL=`dirname "$0"`;
cd "$LOCAL"
cd ../
PWD=`pwd`

# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5 $6" >> ${PWD}/../logs/active-responses.log

# NB this is my destination cellphone: the spool file name is
# <number>.<epoch seconds>.sms, and the sender script reads the number
# back out of the file name
prefix="/var/sms/0272041878"
suffix=$(date +%s)
ftype="sms"
filename=$prefix.$suffix.$ftype

# $2 is the "user" field, which the decoder below fills with the agent name;
# $5 is the rule id
echo "Lost Contact With Server $2 $5 $6" >> "$filename"

exit 0;

See, I said I wasn't any good at writing BASH scripts.

Here’s my local_decoder.xml entry

<decoder name="agent-disconnected">
  <type>ossec</type>
  <parent>ossec</parent>
  <prematch>^ossec: Agent disconnected:</prematch>
  <regex offset="after_prematch">^ '(\S+)'</regex>
  <order>username</order>
</decoder>

In local_rules.xml, add our rule:

<group name="high-priority">
  <rule id="800004" level="12">
    <if_sid>504</if_sid>
    <description>Lost Contact with Server</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="800005" level="12">
    <if_sid>18100</if_sid>
    <id>^5634</id>
    <description>Backup Failed</description>
    <options>alert_by_email</options>
  </rule>
</group>

Here's the REXX SMS script that runs regularly; you may well wish to rewrite 
it as a BASH script:

#!/usr/local/bin/regina

trace off

rc=rxfuncadd('SysLoadFuncs', 'librexxutil.so', 'SysLoadFuncs')
rc=sysloadfuncs()

logfile = "/var/log/sms.log"
spool   = "/var/sms"      /* where sendsms.sh drops <number>.<epoch>.sms files */

do forever

  rc=sysfiletree(spool'/*.sms','files.','fo')

  do i = 1 to files.0
    /* the destination number is the first part of the file name */
    tno = files.i
    do while pos("/",tno) > 0
      parse var tno . "/" tno
    end
    parse var tno tno "." .

    /* reject anything that is not a NZ mobile number:
       digits only, starting 02, at least 9 digits */
    if datatype(tno) <> "NUM" | substr(tno,1,2) <> "02" | length(tno) < 9 then
      do
        parse var files.i fname ".sms"
        fname = fname || ".fail"
        rc=sysfiledelete(fname)
        xrc=sysmoveobject(files.i, fname)

        datex = date('N')
        parse var datex a b c
        datex = substr(date('W'),1,3) b a time() "NZST" c

        rc=lineout(logfile,datex "Invalid destination number in" files.i)
        rc=lineout(logfile,datex "RC" xrc "Renaming" files.i "to" fname)
        iterate
      end

    /* the first line of the file is the message; cap it at 155 characters */
    line=linein(files.i)
    rc=stream(files.i,"C","CLOSE")
    if length(line) > 155 then
      line = substr(line,1,155)

    /* the text is spliced into a shell command line below and the agent name
       in it arrives over the network, so blank out the characters the shell
       would interpret */
    line = translate(line, '', '"`$\')

    /* hand the message to Gammu. The posted version omitted this call and so
       never set xrc; the command line assumed here is the usual
       "gammu sendsms TEXT <number> -text <message>" */
    address system 'gammu sendsms TEXT' tno '-text "'line'"'
    xrc = rc

    datex = date('N')
    parse var datex a b c
    datex = substr(date('W'),1,3) b a time() "NZST" c

    rc=lineout(logfile,datex "RC" xrc 'sending to' tno '"' || line || '"')
    rc=stream(logfile,"C","CLOSE")

    /* only remove the spool file once Gammu reports success;
       otherwise it is retried on the next pass */
    if xrc = 0 then
      rc=sysfiledelete(files.i)
  end

  rc=syssleep(60)
end

return

Best of luck

Andi
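
The sender loop Andi describes above, rewritten as the POSIX shell script he suggests a reader might prefer. This is an added example, not code from the thread or from OSSEC or Gammu: it polls the same /var/sms spool that sendsms.sh writes to, applies the same checks as the REXX version (digits only, 02 prefix, at least nine digits; first line only, 155-character cap), renames files with a bad destination to .fail, and deletes a spool file only after the send succeeds. The `gammu sendsms TEXT <number> -text <message>` command line, the SPOOL_DIR, SMS_LOG, SMS_SEND_CMD and POLL_SECS settings and the function names are assumptions for illustration. The one deliberate difference from the REXX script is that the message text is passed to the sender as a single argument instead of being spliced into a command string, so an agent name containing quotes, backticks or `$(...)` is never re-parsed by a shell.

```shell
#!/bin/sh
# smsd.sh: poll the spool directory that sendsms.sh writes to and hand each
# <number>.<epoch>.sms file to Gammu. Added example; not from the thread.
# Assumed environment: Gammu configured for the attached phone, and
# "gammu sendsms TEXT <number> -text <message>" as the send command.
# Every setting can be overridden through the environment (used for testing).

SPOOL_DIR="${SPOOL_DIR:-/var/sms}"
SMS_LOG="${SMS_LOG:-/var/log/sms.log}"
SMS_SEND_CMD="${SMS_SEND_CMD:-gammu sendsms TEXT}"
POLL_SECS="${POLL_SECS:-60}"

log() {
    printf '%s %s\n' "$(date '+%a %d %b %Y %T')" "$*" >> "$SMS_LOG"
}

# Same test as the REXX version: digits only, NZ mobile prefix 02, 9+ digits.
valid_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        02*)         [ "${#1}" -ge 9 ] ;;
        *)           return 1 ;;
    esac
}

# Handle one spool file. Exit status: 0 sent (file removed), 1 bad destination
# (file renamed to .fail), otherwise Gammu's status (file kept for the next pass).
send_spool_file() {
    f=$1
    base=${f##*/}
    tno=${base%%.*}
    if ! valid_number "$tno"; then
        fail="${f%.sms}.fail"
        mv -f -- "$f" "$fail"
        log "Invalid destination number in $f, renamed to $fail"
        return 1
    fi
    # First line only, capped at 155 characters, exactly as the REXX loop does.
    IFS= read -r line < "$f" || true
    text=$(printf '%.155s' "$line")
    # The text travels as one argv element: a hostile agent name containing
    # quotes, backticks or $(...) is never re-parsed by a shell.
    $SMS_SEND_CMD "$tno" -text "$text" && rc=0 || rc=$?
    log "RC $rc sending to $tno \"$text\""
    [ "$rc" -eq 0 ] && rm -f -- "$f"
    return "$rc"
}

# One pass over the spool; prints the number of messages sent.
process_spool_once() {
    sent=0
    for f in "$SPOOL_DIR"/*.sms; do
        [ -e "$f" ] || continue          # unmatched glob stays literal
        if send_spool_file "$f"; then sent=$((sent + 1)); fi
    done
    echo "$sent"
}

# Stand-alone use: ./smsd.sh --daemon runs the 60-second polling loop.
if [ "${1-}" = "--daemon" ]; then
    while :; do
        process_spool_once >/dev/null
        sleep "$POLL_SECS"
    done
fi
```

Because SMS_SEND_CMD is only read when a file is processed, the script can be exercised without a phone by pointing it at a stub that records its arguments; the test below does exactly that with constructed spool files.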

From: [email protected] [mailto:[email protected]] On 
Behalf Of Arif Muslax
Sent: Monday, 16 April 2012 1:31 p.m.
To: [email protected]
Subject: Re: [ossec-list] Sending Alerts to SMS

Hi Andi

Could you share what you have done? I have tried this for weeks with no success.

Arif Muslax

On Tuesday, May 31, 2011 8:37:22 PM UTC+7, AndiC wrote:

Hi Dan

OK, it is working now - as far as it goes

I have written my own decoder that extracts the agent name as
"username", so that I have an "<expect>username</expect>" clause in the
decoder, and this is passed to the shell script so I know which server
has gone down; this is written to a file for broadcast.

A script running every 60 seconds picks up these files and passes them
to GAMMU for SMS transmission

Andy


-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of Andy Cockroft (andic)
Sent: Saturday, 28 May 2011 10:21 p.m.
To: [email protected]
Subject: RE: [ossec-list] Sending Alerts to SMS

Hi Dan

I am sending (or rather trying to send) SMS directly via a Bluetooth
attached cellphone, so no email involved. SMS is working fine from the
command line using GAMMU.

I have created a level 12 rule for agents that become inactive - ie
suspect faulty server or network - and these I want to receive pretty
quickly before they become a major problem to users.

I have created a command script that runs on the server (where the
Bluetooth is), and whilst that starts and runs OK, I cannot seem to get
it to invoke anything other than a simple shell script - I would prefer
another language. I've tried writing a wrapper to call my scripts, but
it does not execute - so unless you have some insight, I may have to
start looking inside the code (ossec-execd?) 

I would also like to have the agent name passed as a parameter, but that
doesn't seem to be available - but I'm sure that's just me missing
something

Cheers

Andy


-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of dan (ddp)
Sent: Saturday, 28 May 2011 12:02 a.m.
To: [email protected]
Subject: Re: [ossec-list] Sending Alerts to SMS

http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html
There is an SMS mail format you can use.

On Fri, May 27, 2011 at 2:15 AM, Andy Cockroft (andic)
<[email protected]> wrote:
> I am just about to embark on an exercise to write my own command 
> scripts to TXT a message to my cell to advise major issues (in 
> particular agent disconnect that I have as a level 12 !!!)
>
> Just in case someone knows of a ready-made solution, feel free to 
> reply and save me reinventing wheels
>
> So far I have Gammu up and running, and since I code in Rexx, I have 
> installed Regina, and the two are working together AOK
>
> All I really need do is write the command script and configure OSSEC -
> unless of course you know better
>
> Andy
>
