Thanks Dan, I've changed my rsyslog format to IP addresses instead of hosts and all is good.
Do you know whether the <white_list> directive requires that <expect>srcip</expect> is specified or will it work without that?

Glen

On Monday, February 9, 2015 at 11:08:11 PM UTC+10, dan (ddpbsd) wrote:
> On Mon, Feb 9, 2015 at 4:26 AM, Glen Leeder <glen....@gmail.com> wrote:
> > Hi,
> >
> > I'm using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents. I have
> > the following local_rules.xml defined to exercise syslog monitoring:
> >
> > $ sudo more /var/ossec/rules/local_rules.xml
> > <group name="ossectester,local">
> >   <rule id="100000" level="5">
> >     <match>OSSEC-TESTER-RULE</match>
> >     <description>OSSEC Test Alert</description>
> >   </rule>
> > </group>
> >
> > When this rule triggers (by running 'logger "OSSEC-TESTER-RULE"'), an active
> > response is executed due to this ossec.conf:
> >
> > <command>
> >   <name>post2slack</name>
> >   <executable>ar_slack.sh</executable>
> >   <expect></expect>
> >   <timeout_allowed>no</timeout_allowed>
> > </command>
> >
> > <active-response>
> >   <command>post2slack</command>
> >   <location>local</location>
> >   <level>4</level>
> > </active-response>
> >
> > This works as expected provided I do not populate the command <expect>
> > field. If I specify <expect>srcip</expect> the alert still triggers,
> > however, the active response is no longer executed. The syslog entry ends up
> > as something like:
> >
> > Feb 9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE
> >
>
> There is no IP in this log message to be decoded, so it makes sense
> that AR won't be triggered if it expects there to be a source ip.
>
> > I can't determine from the documentation whether this should work or not.
> > myhostname resolves to 127.0.0.1 but I haven't got any white_list IPs
> > specified anyway (my end goal is to have some white_listing which is why I
> > specified srcip).
> >
> > Is there an implicit white_list default or another reason why specifying
> > srcip causes the response to no longer execute?
> > Is <expect>srcip</expect> required for white_list to work?
> >
> > Best regards,
> > Glen
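The behaviour Dan describes, as an added illustration that is not OSSEC's own code: a simplified model of an active-response command declaring <expect>srcip</expect>, fed the thread's hostname-only syslog line beside constructed lines that carry an IP, with a hypothetical decoder and a hypothetical white_list check (single IPs or CIDR blocks) standing in for analysisd's internals.

```python
import ipaddress
import re

# Constructed sample log lines: the first is the one from the thread
# (hostname only, nothing to decode as srcip); the others carry an IP,
# as rsyslog emits once it logs IP addresses instead of hostnames.
SAMPLE_LOGS = [
    "Feb 9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE",
    "Feb 9 19:20:10 192.0.2.10 gleeder: OSSEC-TESTER-RULE",
    "Feb 9 19:20:11 127.0.0.1 gleeder: OSSEC-TESTER-RULE",
]

# Hypothetical decoder: month, day, time, then the host field.
_SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) ")


def decode_srcip(line):
    """Return the decoded srcip for the line, or None if the host field is not an IP."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None  # a hostname such as 'myhostname' is not an IP address


def should_run_ar(line, expect, white_list):
    """Decide whether an active response fires for this line.

    expect: the command's <expect> value ('' or 'srcip').
    white_list: white_list entries, each a single IP or a CIDR block.
    Returns (run, reason).
    """
    if expect == "":
        return True, "command expects no decoded fields"
    srcip = decode_srcip(line)
    if expect == "srcip" and srcip is None:
        return False, "no srcip decoded from log line"
    for entry in white_list:
        if ipaddress.ip_address(srcip) in ipaddress.ip_network(entry, strict=False):
            return False, f"srcip {srcip} is white-listed by {entry}"
    return True, f"srcip {srcip} passed to the response"


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(log.split(" ", 3)[3], "->", should_run_ar(log, "srcip", ["127.0.0.1"]))
```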