On Tue, Oct 13, 2015 at 8:17 AM, Kévin Printz <printz.ke...@gmail.com> wrote:
> Yes, I created it with the same owner / rights as the default active
> response scripts:
>
> [root@myagent etc]# ls -l /var/ossec/active-response/bin/restart.sh
> -r-xr-x--- 1 root ossec 59 Oct 8 08:49 /var/ossec/active-response/bin/restart.sh
>
> Can some other config files or logs help to debug?
>

Not that I know of. Try restarting the OSSEC processes on the manager and
the agent. I'll try to wake up more and think of something to help
troubleshoot this.

> On Tuesday, 13 October 2015 13:29:48 UTC+2, dan (ddpbsd) wrote:
>>
>> On Tue, Oct 13, 2015 at 4:57 AM, Kévin Printz <printz...@gmail.com> wrote:
>> > Hello @dan
>> >
>> > Thank you for your answer.
>> >
>> > Yes, it seems that ossec-execd is running on my agent:
>> > [root@hostname etc]# ps -edf | grep ossec-exec[d]
>> > root 20235 1 0 08:36 ? 00:00:00 /var/ossec/bin/ossec-execd
>> >
>> > And yes, the restart.sh is listed on the agent:
>> > [root@hostname etc]# cat /var/ossec/etc/shared/ar.conf
>> > 3restart-ossec0 - restart-ossec.sh - 0
>> > restart-ossec0 - restart-ossec.cmd - 0
>> > restart-ossec0 - restart-ossec.sh - 0
>> > restart0 - restart.sh - 0
>> > restart-remoted0 - check_process.sh - 0
>> >
>> > But the script doesn't start on my agent that triggered the rule. (I
>> > tried to make an echo in a file to debug, but nothing happened ...). Any
>> > ideas on why?
>> >
>>
>> Does the script exist on the agent, and is it executable?
>>
>> > Thanks,
>> > Kevin
>> >
>> > On Friday, 9 October 2015 13:35:37 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Oct 8, 2015 at 5:31 AM, Kévin Printz <printz...@gmail.com> wrote:
>> >> > Hello (again)
>> >> >
>> >> > I made other tests to try to understand why it's not working. If I
>> >> > set up the <localfile> section in my server ossec.conf file, and I try
>> >> > to stop the NTPD process on my server, the rule is fired, and the
>> >> > active response is executed on my server.
>> >> > But when the rule is fired by the agent, the active response is never
>> >> > executed (not on the server, nor on the agent).
>> >> >
>> >>
>> >> Is ossec-execd running on the agent?
>> >> Make sure the restart.sh is listed in the
>> >> /var/ossec/etc/shared/ar.conf file on the agent.
>> >>
>> >> > Any ideas?
>> >> > Thanks,
>> >> > Kevin.
>> >> >
>> >> > On Tuesday, 6 October 2015 16:02:34 UTC+2, Kévin Printz wrote:
>> >> >>
>> >> >> Hi!
>> >> >>
>> >> >> I have an OSSEC server, connected with a remote agent. And I want to
>> >> >> have an active response set up on the agent, according to a process
>> >> >> state change. For instance, I have an ntpd process running on my
>> >> >> agent, and I want to start it if the process changes to the stopped
>> >> >> state (using the service command - it's only for test in order to
>> >> >> realize a POC).
>> >> >>
>> >> >> So, I set up the following configuration in my ossec.conf file on the
>> >> >> agent side:
>> >> >> <localfile>
>> >> >> <log_format>full_command</log_format>
>> >> >> <command>service ntpd status</command>
>> >> >> </localfile>
>> >> >>
>> >> >> And, for the test, I created a script to start the ntpd service:
>> >> >> [root@agenthostname scripts]# ll /var/ossec/active-response/bin/restart.sh
>> >> >> -r-xr-x--- 1 root ossec 40 Oct 6 13:33 /var/ossec/active-response/bin/restart.sh
>> >> >>
>> >> >> [root@agenthostname scripts]# cat /var/ossec/active-response/bin/restart.sh
>> >> >> #!/bin/bash
>> >> >> service ntpd start
>> >> >> exit 0
>> >> >>
>> >> >> Then, on the server side, I set up the following rule:
>> >> >> <rule id="90000" level="7">
>> >> >> <if_sid>530</if_sid>
>> >> >> <match>ossec: output: 'service ntpd status</match>
>> >> >> <check_diff />
>> >> >> <description>ntpd change state - starting it</description>
>> >> >> </rule>
>> >> >>
>> >> >> And, in the ossec.conf on the server, I set up the following command
>> >> >> and active response:
>> >> >> <command>
>> >> >> <name>restart</name>
>> >> >> <executable>restart.sh</executable>
>> >> >> <expect></expect>
>> >> >> </command>
>> >> >> <active-response>
>> >> >> <command>restart</command>
>> >> >> <location>local</location>
>> >> >> <rules_id>90000</rules_id>
>> >> >> </active-response>
>> >> >>
>> >> >> So, when I stop the ntpd process on the server, some time later I get
>> >> >> the following message in my server alerts file:
>> >> >> ==> /var/ossec/logs/alerts/alerts.log <==
>> >> >> ** Alert 1444138866.25874: mail - ossec,
>> >> >> 2015 Oct 06 13:41:06 (agenthostname) any->service ntpd status
>> >> >> Rule: 90000 (level 7) -> 'automatic restart of agent to load new configuration'
>> >> >> ossec: output: 'service ntpd status':
>> >> >> ntpd is stopped
>> >> >> Previous output:
>> >> >> ossec: output: 'service ntpd status':
>> >> >> ntpd (pid 1418) is running...
>> >> >>
>> >> >> So, the rule is detected, but that's all. The active response doesn't
>> >> >> start on my agent. (The NTPD process is still stopped, and nothing
>> >> >> appears in the client /var/ossec/logs/active-responses.log file ...)
>> >> >> Perhaps I have made a mistake in the active response setup?
>> >> >>
>> >> >> Thank you,
>> >> >> Kevin
>> >> >>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
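An added example, not the restart.sh from the thread: a restart script written in the shape of the stock scripts under /var/ossec/active-response/bin, which log their own invocation to active-responses.log (the thread's script never logs, so that file stays empty even when the script does run). It assumes the OSSEC convention that ossec-execd passes action, user, source IP, alert id and rule id as positional arguments; AR_LOG_FILE and AR_SERVICE_CMD are assumed environment overrides so it can be exercised offline.

```sh
#!/bin/sh
# Added example of an OSSEC active-response script in the shape of the stock
# ones under /var/ossec/active-response/bin (not the script from the thread).
# ossec-execd invokes it as:
#   restart.sh <action> <user> <srcip> <alert_id> <rule_id> [agent] [file]
# where <action> is "add" on trigger and "delete" on timeout.
# AR_LOG_FILE / AR_SERVICE_CMD are assumed env overrides so the script can be
# exercised offline; OSSEC itself sets neither and the defaults apply.

# The stock scripts append their own line to active-responses.log; execd
# does not write that file for you, so a script that never logs leaves no
# trace there even when it ran.
log_ar() {
    echo "$(date) $0 $*" >> "${AR_LOG_FILE:-/var/ossec/logs/active-responses.log}"
}

# Returns 0 on success, 1 on an unknown action, 2 when called for a rule
# other than the one this response is meant for (90000 in the thread).
ar_restart_ntpd() {
    ACTION="$1"
    RULE_ID="$5"
    log_ar "$@"
    case "$ACTION" in
        add)
            if [ "$RULE_ID" != "90000" ]; then
                log_ar "ignoring rule $RULE_ID"
                return 2
            fi
            # Start the service; "service" can be swapped out for testing.
            "${AR_SERVICE_CMD:-service}" ntpd start
            ;;
        delete)
            # Nothing to undo when the response times out.
            return 0
            ;;
        *)
            log_ar "invalid action: $ACTION"
            return 1
            ;;
    esac
}

# Run as an AR script only when execd supplied its arguments.
if [ "$#" -ge 5 ]; then
    ar_restart_ntpd "$@"
fi
```

After installing it with the same root:ossec ownership and mode as the stock scripts, a triggered response leaves a dated line in active-responses.log on the agent, which separates "execd never ran the script" from "the script ran but the service command failed".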