Hi, I'm using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents. I have the following local_rules.xml defined to exercise syslog monitoring:

$ sudo more /var/ossec/rules/local_rules.xml
<group name="ossectester,local">
  <rule id="100000" level="5">
    <match>OSSEC-TESTER-RULE</match>
    <description>OSSEC Test Alert</description>
  </rule>
</group>
When this rule triggers (by running 'logger "OSSEC-TESTER-RULE"'), an active response is executed due to this ossec.conf:

<command>
  <name>post2slack</name>
  <executable>ar_slack.sh</executable>
  <expect></expect>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>post2slack</command>
  <location>local</location>
  <level>4</level>
</active-response>

This works as expected provided I do not populate the command <expect> field. If I specify <expect>srcip</expect>, the alert still triggers; however, the active response is no longer executed. The syslog entry ends up as something like:

Feb 9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE

I can't determine from the documentation whether this should work or not. myhostname resolves to 127.0.0.1, but I haven't got any white_list IPs specified anyway (my end goal is to have some white_listing, which is why I specified srcip). Is there an implicit white_list default or another reason why specifying srcip causes the response to no longer execute? Is <expect>srcip</expect> required for white_list to work?

Best regards,
Glen
<ossec_config>
  <alerts>
    <log_alert_level>4</log_alert_level>
    <email_alert_level>0</email_alert_level>
  </alerts>
  <rules>
    <include>rules_config.xml</include>
    <include>local_rules.xml</include>
  </rules>
  <syscheck>
    <disabled>yes</disabled>
  </syscheck>
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>
  <command>
    <name>post2slack</name>
    <executable>ar_slack.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>post2slack</command>
    <location>local</location>
    <level>4</level>
  </active-response>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</ossec_config>
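The following is an added illustration, not code from the post above or from OSSEC itself. It models the gating that analysisd applies before handing an alert to the active-response daemon: the alert level must reach the <level> of the <active-response> block, and only when the command declares <expect>srcip</expect> does analysisd additionally require a decoded srcip on the alert and compare it against <white_list>. A plain `logger "OSSEC-TESTER-RULE"` line has no field any decoder turns into srcip, so under this model the response is skipped. The log lines, the `srcip=` regex standing in for a hypothetical local decoder, and the white_list entries are all constructed for the example; CIDR handling in the white_list check is an assumption of this model, not a claim about OSSEC's parser.

```python
"""Model of OSSEC analysisd's active-response gating on <expect>srcip</expect>.

Added example; not code from the ossec-list post or from the OSSEC project.
All sample log lines, the decoder regex and white_list entries are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed syslog lines: the poster's plain logger test, plus two variants
# that carry an address a hypothetical local decoder could extract as srcip.
SAMPLE_LOGS = [
    "Feb  9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE",
    "Feb  9 19:20:10 myhostname gleeder: OSSEC-TESTER-RULE srcip=203.0.113.9",
    "Feb  9 19:20:31 myhostname gleeder: OSSEC-TESTER-RULE srcip=127.0.0.1",
]

# Stand-in for a hypothetical local_decoder.xml entry such as
#   <regex offset="after_parent">srcip=(\d+.\d+.\d+.\d+)</regex><order>srcip</order>
# Nothing in the original post defines such a decoder; it is assumed here.
SRCIP_DECODER = re.compile(r"srcip=(\d+\.\d+\.\d+\.\d+)")


@dataclass
class Alert:
    log: str
    level: int
    srcip: Optional[str] = None  # None when no decoder produced a source IP


@dataclass
class Command:
    name: str
    expect: Set[str] = field(default_factory=set)  # e.g. {"srcip"} or empty


def decode(log: str, level: int = 5) -> Alert:
    """Build the alert the rule would raise; srcip is set only on a decoder match."""
    m = SRCIP_DECODER.search(log)
    return Alert(log=log, level=level, srcip=m.group(1) if m else None)


def should_run_ar(alert: Alert, cmd: Command, ar_level: int,
                  white_list: List[str]) -> Tuple[bool, str]:
    """Return (run, reason) for one alert against one active-response entry.

    Order of checks mirrors the behaviour observed in the post: with an empty
    <expect> the level alone decides; with <expect>srcip</expect> an alert that
    carries no srcip is dropped, and an srcip matching <white_list> is dropped.
    """
    if alert.level < ar_level:
        return False, "alert level below active-response level"
    if "srcip" in cmd.expect:
        if alert.srcip is None:
            return False, "command expects srcip but the alert has none"
        ip = ipaddress.ip_address(alert.srcip)
        for entry in white_list:
            # Assumption: accept both single hosts and CIDR blocks in the list.
            if ip in ipaddress.ip_network(entry, strict=False):
                return False, f"srcip {alert.srcip} is white-listed by {entry}"
    return True, "active response executed"


def evaluate_all(expect: Set[str], white_list: List[str],
                 ar_level: int = 4) -> List[Tuple[str, bool, str]]:
    """Run every constructed log line through decode + gating; returns (log, run, reason)."""
    cmd = Command("post2slack", expect)
    out = []
    for line in SAMPLE_LOGS:
        run, reason = should_run_ar(decode(line), cmd, ar_level, white_list)
        out.append((line, run, reason))
    return out


if __name__ == "__main__":
    for label, expect in (("<expect></expect>", set()), ("<expect>srcip</expect>", {"srcip"})):
        print(f"== {label}, white_list=['127.0.0.1']")
        for line, run, reason in evaluate_all(expect, ["127.0.0.1"]):
            print(f"  {'RUN ' if run else 'SKIP'}  {reason:<48} | {line.split(': ', 1)[1]}")
```

Running it shows the poster's situation directly: with an empty <expect> all three lines trigger post2slack, while with <expect>srcip</expect> the bare OSSEC-TESTER-RULE line is skipped for lack of a srcip, the 203.0.113.9 line runs, and the 127.0.0.1 line is suppressed once that address is white-listed. To make the real test line carry a srcip, the log would need a field a local decoder extracts into srcip, as the regex above assumes.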