On Thu, Oct 8, 2015 at 5:31 AM, Kévin Printz <printz.ke...@gmail.com> wrote:
> Hello (again)
>
> I made other tests to try to understand why it's not working. If I set up the
> <localfile> section in my server ossec.conf file, and I try to stop the
> NTPD process on my server, the rule is fired, and the active response is
> executed on my server.
> But, when the rule is fired by the agent, the active response is never
> executed (neither on the server nor on the agent).
>

Is ossec-execd running on the agent? Make sure restart.sh is listed in the
/var/ossec/etc/shared/ar.conf file on the agent.

> Any ideas?
> Thanks,
> Kevin.
>
> On Tuesday, October 6, 2015 at 16:02:34 UTC+2, Kévin Printz wrote:
>>
>> Hi!
>>
>> I have an OSSEC server, connected with a remote agent. And I want to have
>> an active response set up on the agent, according to a process state change.
>> For instance, I have an ntpd process running on my agent, and I want to
>> start it if the process changes to the stopped state (using the service command
>> - it's only for a test in order to build a POC).
>>
>> So, I set up the following configuration in my ossec.conf file on the
>> agent side:
>> <localfile>
>>   <log_format>full_command</log_format>
>>   <command>service ntpd status</command>
>> </localfile>
>>
>> And, for the test, I created a script to start the ntpd service:
>> [root@agenthostname scripts]# ll /var/ossec/active-response/bin/restart.sh
>> -r-xr-x--- 1 root ossec 40 Oct 6 13:33 /var/ossec/active-response/bin/restart.sh
>>
>> [root@agenthostname scripts]# cat /var/ossec/active-response/bin/restart.sh
>> #!/bin/bash
>> service ntpd start
>> exit 0
>>
>> Then, on the server side, I set up the following rule:
>> <rule id="90000" level="7">
>>   <if_sid>530</if_sid>
>>   <match>ossec: output: 'service ntpd status</match>
>>   <check_diff />
>>   <description>ntpd change state - starting it</description>
>> </rule>
>>
>> And, in the ossec.conf on the server, I set up the following command and
>> active response:
>> <command>
>>   <name>restart</name>
>>   <executable>restart.sh</executable>
>>   <expect></expect>
>> </command>
>> <active-response>
>>   <command>restart</command>
>>   <location>local</location>
>>   <rules_id>90000</rules_id>
>> </active-response>
>>
>> So, when I stop the ntpd process on the server, some time later, I get the
>> following message in my server alerts file:
>> ==> /var/ossec/logs/alerts/alerts.log <==
>> ** Alert 1444138866.25874: mail - ossec,
>> 2015 Oct 06 13:41:06 (agenthostname) any->service ntpd status
>> Rule: 90000 (level 7) -> 'automatic restart of agent to load new configuration'
>> ossec: output: 'service ntpd status':
>> ntpd is stopped
>> Previous output:
>> ossec: output: 'service ntpd status':
>> ntpd (pid 1418) is running...
>>
>> So, the rule is detected, but that's all. The active response doesn't start
>> on my agent. (The NTPD process is still stopped, and nothing appears in the
>> client /var/ossec/logs/active-responses.log file ...)
>> Perhaps I have made a mistake in the active response setup?
>>
>> Thank you,
>> Kevin
>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
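As an added example (not the script from this thread), here is a restart.sh written in the shape of OSSEC's own active-response scripts: it reads the action argument ossec-execd passes, writes a line to active-responses.log on every run so an agent that never executes it can be told apart from one that ran it and did nothing, and only starts ntpd when it is actually down. The SERVICE_CMD and AR_LOG override variables are assumptions added so the logic can be exercised without a real ntpd.

```shell
#!/bin/sh
# Hypothetical hardened restart.sh (added example, not the thread's script).
# ossec-execd invokes an active-response script as:
#   restart.sh <action> <user> <srcip> <alert-id> <rule-id>
# action is "add" when the rule fires and "delete" when a <timeout> expires.

# Overridable so the logic can be exercised without a real ntpd (assumed names).
: "${SERVICE_CMD:=service}"
: "${AR_LOG:=/var/ossec/logs/active-responses.log}"

# Every invocation leaves a line in active-responses.log, including the
# cases where nothing is done, so a silent agent can be told apart from
# an execd that never ran the script at all.
ar_log() {
    printf '%s %s\n' "$(date)" "$*" >> "$AR_LOG"
}

# Returns 0 when ntpd was started, 1 when there was nothing to do,
# 2 when execd passed an action this script does not handle.
handle_action() {
    action="$1"
    rule="$2"
    case "$action" in
        add)
            # check_diff fires on any change of the status output, so
            # re-check the service before touching it.
            if "$SERVICE_CMD" ntpd status >/dev/null 2>&1; then
                ar_log "restart.sh: ntpd already running, nothing to do (rule $rule)"
                return 1
            fi
            ar_log "restart.sh: starting ntpd (rule $rule)"
            "$SERVICE_CMD" ntpd start
            ;;
        delete)
            ar_log "restart.sh: timeout expired, nothing to undo (rule $rule)"
            return 1
            ;;
        *)
            ar_log "restart.sh: unknown action '$action' (rule $rule)"
            return 2
            ;;
    esac
}

# Entry point used by execd; skipped when the file is sourced without arguments.
if [ $# -ge 1 ]; then
    handle_action "$1" "$5"
    exit $?
fi
```

It still has to be listed in /var/ossec/etc/shared/ar.conf on the agent and be executable by the ossec user, as the reply above points out.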