I have been trying to replicate your situation; you can use either a 
local or a server installation, it is working on both. 

I made it work by adding a <rules_id> tag into the <active-response> section, like 
this:

<active-response>
  <command>testar</command>
  <location>server</location>
  <level>6</level>
  <rules_id>yourRuleID,yourAnotherRuleID</rules_id>
</active-response>

Try to specify what rules will trigger your active response.

Remember to set the group and permissions on your script.sh

If you need to extract srcip, don't forget to set <expect> in the command 
section:

<command>
  <name>testar</name>
  <expect>srcip</expect>
  <executable>testar.sh</executable>
</command>
Regards,

Pedro S.


On Tuesday, February 23, 2016 at 1:39:31 PM UTC+1, ba...@x-cart.com wrote:
>
> Now I don't have any whitelist.
>
> #ossec.log
> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response initialized ...
> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init completed.
>
> #Test active response: 
> root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action user 
> src_ip alert_id rule_id agent_host filename
> root@serv-10244 [/var/ossec/active-response/bin]# cat 
> ../../logs/active-responses.log
> Tue Feb 23 07:28:03 EST 2016 ./testar.sh action user src_ip alert_id 
> rule_id agent_host filename 
>
> Let's start from the beginning.
> I need to execute active responses on the same server, so I run 
> ossec-configure and select installation type "local" there, with active 
> responses enabled "yes".
> Next I add an active response:
>
>   <command>
>     <name>testar</name>
>     <expect></expect>
>     <executable>testar.sh</executable>
>   </command>
>
>   <active-response>
>     <command>testar</command>
>     <location>all</location>
>     <level>6</level>
>   </active-response>
>
> But active responses are still not executed.
>
>
>> Hi,
>>
>> The daemon in charge of executing active-response scripts is 
>> "ossec-execd". I think your conf is good, active-response should be 
>> active and working; try to force some response and check 
>> active-response.log.
>>
>> Check ossec.log for entries like:
>>
>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for 
>> active response.
>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white 
>> list for active response.
>>
>>
>>
>> If you really want to check if active-response is active, try this:
>>
>> Enable debug mode:
>> /var/ossec/bin/ossec-control enable debug
>>
>> Restart OSSEC and check for line:
>>
>> 2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized 
>> ...
>>
>> The scripts should be placed on /var/ossec/active-response/bin with 
>> execution permissions.
>>
>> Regards,
>>
>> Pedro S.
>>
>>
>> On Tuesday, February 23, 2016 at 11:21:13 AM UTC+1, ba...@x-cart.com 
>> wrote:
>>>
>>> Why is active-response not working?
>>> I receive the email notification, but the active response has not started.
>>> What may have caused the problem?
>>>
>>> #etc/shared/ar.conf:
>>> restart-ossec0 - restart-ossec.sh - 0
>>> restart-ossec0 - restart-ossec.cmd - 0
>>> testar0 - testar.sh - 0
>>> slack0 - slack.py - 0
>>>
>>>
>>> #alert.log
>>> ** Alert 1456222573.17132: mail  - syslog,sshdauthentication_success,
>>> 2016 Feb 23 05:16:13 serv-10244->/var/log/secure
>>> Rule: 5715 (level 7) -> 'SSHD authentication success.'
>>> Src IP: 104.131.225.112
>>> User: root
>>> Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from 
>>> 104.131.225.112 port 47280 ssh2
>>>
>>> #ossec.conf
>>>   <command>
>>>     <name>testar</name>
>>>     <expect></expect>
>>>     <executable>testar.sh</executable>
>>>   </command>
>>>
>>>   <command>
>>>     <name>slack</name>
>>>     <expect>user,srcip</expect>
>>>     <executable>slack.py</executable>
>>>   </command>
>>>
>>>   <active-response>
>>>     <command>testar</command>
>>>     <location>local</location>
>>>     <rules_id>5715,11309</rules_id>
>>>   </active-response>
>>>
>>>
>>>   <active-response>
>>>     <command>slack</command>
>>>     <location>local</location>
>>>     <rules_id>5715,11309</rules_id>
>>>   </active-response>
>>>
>>>
>>> #ossec.log:
>>> 2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit 
>>> Cleaning...
>>> 2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received. 
>>> Exit Cleaning...
>>> 2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit 
>>> Cleaning...
>>> 2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit 
>>> Cleaning...
>>> 2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit 
>>> Cleaning...
>>> 2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit 
>>> Cleaning...
>>> 2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting 
>>> responses.
>>> 2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit 
>>> Cleaning...
>>> 2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
>>> 2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
>>> 2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
>>> 2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 
>>> 'sshd_rules.xml'
>>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
>>> 2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
>>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 
>>> 'local_rules.xml'
>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'
>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Started (pid: 15184).
>>> 2016/02/23 05:11:16 ossec-monitord: INFO: Started (pid: 15219).
>>> 2016/02/23 05:11:16 ossec-remoted(4111): INFO: Maximum number of agents 
>>> allowed: '256'.
>>> 2016/02/23 05:11:16 ossec-remoted(1410): INFO: Reading authentication 
>>> keys file.
>>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous counter available 
>>> for 'local'.
>>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning counter for agent 
>>> local: '0:0'.
>>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous sender counter.
>>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning sender counter: 0:0
>>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: 
>>> '/var/log/messages'.
>>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: 
>>> '/var/log/secure'.
>>> 2016/02/23 05:11:21 ossec-logcollector: INFO: Started (pid: 15188).
>>> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Started (pid: 15215).
>>> 2016/02/23 05:11:22 ossec-rootcheck: INFO: Started (pid: 15215).
>>> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Monitoring directory: 
>>> '/home/woodwork/public_html'.
>>>
>>>
>>> # ps ax | grep ossec
>>> 15176 ?        S      0:00 /var/ossec/bin/ossec-maild
>>> 15180 ?        S      0:00 /var/ossec/bin/ossec-execd
>>> 15184 ?        S      0:00 /var/ossec/bin/ossec-analysisd
>>> 15188 ?        S      0:00 /var/ossec/bin/ossec-logcollector
>>> 15193 ?        Sl     0:00 /var/ossec/bin/ossec-remoted
>>> 15215 ?        S      0:00 /var/ossec/bin/ossec-syscheckd
>>> 15219 ?        S      0:00 /var/ossec/bin/ossec-monitord
>>>
>>>

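A small checker for the `<command>` / `<active-response>` pairing discussed in this thread (added example, not OSSEC's own code and not posted by any participant). It assumes the ossec.conf fragment is wrapped in a single `<ossec_config>` root; the sample fragment is constructed from the thread's testar/slack names and flags the three things the replies point at: a response referencing an undefined command, a response with no trigger (`<level>`, `<rules_id>` or `<rules_group>`), and a command whose `<expect>` does not request srcip.

```python
"""Checker for OSSEC <command>/<active-response> pairs (added example, not
OSSEC's own code). It flags the issues raised in the thread: a response whose
<command> is undefined, one with no trigger (<level>, <rules_id> or
<rules_group>), and a command whose <expect> omits srcip so no IP is passed."""
import xml.etree.ElementTree as ET

VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Constructed fragment modelled on the thread's testar/slack config.
SAMPLE_CONF = """<ossec_config>
  <command><name>testar</name><expect></expect>
           <executable>testar.sh</executable></command>
  <command><name>slack</name><expect>user,srcip</expect>
           <executable>slack.py</executable></command>
  <active-response><command>testar</command><location>all</location>
           <level>6</level></active-response>
  <active-response><command>slack</command><location>local</location>
           <rules_id>5715,11309</rules_id></active-response>
  <active-response><command>nosuch</command><location>local</location>
           </active-response>
</ossec_config>"""


def check_active_responses(conf_xml):
    """Return (command, problem) tuples; an empty list means the config is clean."""
    root = ET.fromstring(conf_xml)
    expects = {}  # command name -> set of fields listed in <expect>
    for cmd in root.findall("command"):
        name = (cmd.findtext("name") or "").strip()
        expect = (cmd.findtext("expect") or "").strip()
        expects[name] = {f.strip() for f in expect.split(",") if f.strip()}
    problems = []
    for ar in root.findall("active-response"):
        name = (ar.findtext("command") or "").strip()
        if name not in expects:
            problems.append((name, "references an undefined <command>"))
            continue
        loc = (ar.findtext("location") or "").strip()
        if loc not in VALID_LOCATIONS:
            problems.append((name, f"invalid <location> '{loc}'"))
        # A response needs something to fire on: a level or explicit rules.
        if not any((ar.findtext(t) or "").strip()
                   for t in ("level", "rules_id", "rules_group")):
            problems.append((name, "no trigger: set <level> or <rules_id>"))
        if "srcip" not in expects[name]:
            problems.append((name, "<expect> lacks srcip: script gets no source IP"))
    return problems
```

Run `check_active_responses(SAMPLE_CONF)` to see the two findings for the sample (testar without srcip, nosuch undefined); the slack entry passes.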