Now I don't have any whitelist.

#ossec.log
2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response initialized ...
2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init completed.

#Test active response:
root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action user src_ip alert_id rule_id agent_host filename
root@serv-10244 [/var/ossec/active-response/bin]# cat ../../logs/active-responses.log
Tue Feb 23 07:28:03 EST 2016 ./testar.sh action user src_ip alert_id rule_id agent_host filename

Let's go from the start. I need to execute active responses on the same server, so I run ossec-configure and select there installation type "local" and active responses enabled "yes".

Next I add the active response:

<command>
  <name>testar</name>
  <expect></expect>
  <executable>testar.sh</executable>
</command>

<active-response>
  <command>testar</command>
  <location>all</location>
  <level>6</level>
</active-response>

But active responses are still not executed.

> Hi,
>
> The daemon in charge of executing active-response scripts is "ossec-execd". I think your conf is good, active-response should be active and working, try to force some response and check active-response.log.
>
> Check ossec.log for entries like:
>
> 2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for active response.
> 2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
>
> If you really want to check if active-response is active, try this:
>
> Enable debug mode:
> /var/ossec/bin/ossec-control enable debug
>
> Restart OSSEC and check for line:
>
> 2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized ...
>
> The scripts should be placed on /var/ossec/active-response/bin with execution permissions.
>
> Regards,
>
> Pedro S.
>
> On Tuesday, February 23, 2016 at 11:21:13 AM UTC+1, ba...@x-cart.com wrote:
>>
>> Why are active responses not working?
>> I receive an email notification, but the active response has not started.
>> What may have caused the problem?
>>
>> #etc/shared/ar.conf:
>> restart-ossec0 - restart-ossec.sh - 0
>> restart-ossec0 - restart-ossec.cmd - 0
>> testar0 - testar.sh - 0
>> slack0 - slack.py - 0
>>
>> #alert.log
>> ** Alert 1456222573.17132: mail - syslog,sshdauthentication_success,
>> 2016 Feb 23 05:16:13 serv-10244->/var/log/secure
>> Rule: 5715 (level 7) -> 'SSHD authentication success.'
>> Src IP: 104.131.225.112
>> User: root
>> Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from 104.131.225.112 port 47280 ssh2
>>
>> #ossec.conf
>> <command>
>>   <name>testar</name>
>>   <expect></expect>
>>   <executable>testar.sh</executable>
>> </command>
>>
>> <command>
>>   <name>slack</name>
>>   <expect>user,srcip</expect>
>>   <executable>slack.py</executable>
>> </command>
>>
>> <active-response>
>>   <command>testar</command>
>>   <location>local</location>
>>   <rules_id>5715,11309</rules_id>
>> </active-response>
>>
>> <active-response>
>>   <command>slack</command>
>>   <location>local</location>
>>   <rules_id>5715,11309</rules_id>
>> </active-response>
>>
>> #ossec.log:
>> 2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
>> 2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> 2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
>> 2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
>> 2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
>> 2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
>> 2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'
>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Started (pid: 15184).
>> 2016/02/23 05:11:16 ossec-monitord: INFO: Started (pid: 15219).
>> 2016/02/23 05:11:16 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>> 2016/02/23 05:11:16 ossec-remoted(1410): INFO: Reading authentication keys file.
>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous counter available for 'local'.
>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning counter for agent local: '0:0'.
>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous sender counter.
>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning sender counter: 0:0
>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>> 2016/02/23 05:11:21 ossec-logcollector: INFO: Started (pid: 15188).
>> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Started (pid: 15215).
>> 2016/02/23 05:11:22 ossec-rootcheck: INFO: Started (pid: 15215).
>> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Monitoring directory: '/home/woodwork/public_html'.
>>
>> # ps ax | grep ossec
>> 15176 ?        S      0:00 /var/ossec/bin/ossec-maild
>> 15180 ?        S      0:00 /var/ossec/bin/ossec-execd
>> 15184 ?        S      0:00 /var/ossec/bin/ossec-analysisd
>> 15188 ?        S      0:00 /var/ossec/bin/ossec-logcollector
>> 15193 ?        Sl     0:00 /var/ossec/bin/ossec-remoted
>> 15215 ?        S      0:00 /var/ossec/bin/ossec-syscheckd
>> 15219 ?        S      0:00 /var/ossec/bin/ossec-monitord
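The thread tests active response by running testar.sh by hand with the seven arguments ossec-execd passes and checking active-responses.log. Below is an added example, not code from the thread or from the OSSEC project: a testar.sh-style script that writes the same kind of log line but validates its arguments first. ossec-execd runs these scripts as root, and the user and srcip fields are copied out of the matched log line, so they are attacker-influenced text; a script that interpolates them into a command (iptables, hosts.deny and so on) must reject anything unexpected. The argument positions follow what the poster's own testar.sh echoed into active-responses.log; the log path is the assumed default and is overridable through AR_LOG for testing, and the validation rules (IPv4 only, a short user name of safe characters) are this example's own choices.

```shell
#!/bin/sh
# Added example of a hardened OSSEC active-response script (not the project's
# own testar.sh). ossec-execd invokes it as root with, positionally:
#   $1 action ("add" or "delete")  $2 user  $3 srcip
#   $4 alert_id  $5 rule_id  $6 agent_host  $7 filename
# "user" and "srcip" come from the matched log line and are untrusted.

# Assumed default log path; overridable from the environment for testing.
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# Accept only a well-formed dotted-quad IPv4 address (each octet 0-255).
valid_ip() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept only a short user name of safe characters: no shell metacharacters,
# whitespace or newlines, which would allow command or log injection.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# One invocation: appends a log line in the shape of the posted one and
# returns 0 on a valid call; otherwise logs a refusal (without echoing the
# untrusted fields) and returns 1.
run_ar() {
    action=$1 user=$2 srcip=$3 alert_id=$4 rule_id=$5 agent=$6 filename=$7
    stamp=$(date)
    case "$action" in
        add|delete) ;;
        *) echo "$stamp $0: refused, unknown action (alert $alert_id rule $rule_id)" >> "$AR_LOG"
           return 1 ;;
    esac
    if ! valid_user "$user" || ! valid_ip "$srcip"; then
        echo "$stamp $0: refused, malformed user/srcip (alert $alert_id rule $rule_id)" >> "$AR_LOG"
        return 1
    fi
    echo "$stamp $0 $action $user $srcip $alert_id $rule_id $agent $filename" >> "$AR_LOG"
}

# Entry point when ossec-execd (or a manual test) passes arguments.
if [ $# -gt 0 ]; then
    run_ar "$@"
fi
```

Drop it into /var/ossec/active-response/bin with execute permission, register it with the same <command> and <active-response> blocks used in the thread, then run it by hand with seven arguments as the poster did and confirm the line lands in active-responses.log; a deliberately malformed user such as `root; id` should produce a "refused" line instead.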