I tried.
If I understand correctly, analysisd sends active responses to execd.
Could you please run the command lsof | grep ossec | grep queue
to compare with my output?
Thank you!

root@serv-10244 [~]# lsof | grep ossec | grep queue
ossec-exe  2797      root    5u     unix 0xffff88000c3ad0c0        0t0  270573469 /var/ossec/queue/alerts/execq
ossec-ana  2803     ossec    4u     unix 0xffff880093835380        0t0  270573486 /queue/ossec/queue
ossec-ana  2803     ossec    5u      REG                9,1          0    8651763 /var/ossec/queue/fts/hostinfo
ossec-ana  2803     ossec    6u      REG                9,1        102    8651748 /var/ossec/queue/fts/fts-queue
ossec-ana  2803     ossec    7u      REG                9,1          0    8651749 /var/ossec/queue/fts/ig-queue

2016-02-23 16:20 GMT+03:00 Pedro S <pe...@wazuh.com>:
> I have been trying to replicate your situation. You can use either a local
> or a server installation; it is working on both.
>
> I made it work by adding the <rules_id> tag to the <active-response> section
> like this:
>
> <active-response>
>    <command>testar</command>
>    <location>server</location>
>    <level>6</level>
>    <rules_id>yourRuleID,yourAnotherRuleID</rules_id>
>  </active-response>
>
> Try to specify which rules will trigger your active response.
>
> Remember to set the group and permissions on your script.sh.
>
> If you need to extract srcip, don't forget to set expect in the command section:
>
> <command>
>  <name>testar</name>
>  <expect>srcip</expect>
>  <executable>testar.sh</executable>
>  </command>
>
>
>
>
> Regards,
>
> Pedro S.
>
>
> On Tuesday, February 23, 2016 at 1:39:31 PM UTC+1, ba...@x-cart.com wrote:
>>
>> Now I don't have any whitelist.
>>
>> #ossec.log
>> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response initialized
>> ...
>> 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init completed.
>>
>> #Test active response:
>> root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action user src_ip alert_id rule_id agent_host filename
>> root@serv-10244 [/var/ossec/active-response/bin]# cat ../../logs/active-responses.log
>> Tue Feb 23 07:28:03 EST 2016 ./testar.sh action user src_ip alert_id rule_id agent_host filename
>>
>> Let's go from the start.
>> I need to execute active responses on the same server, so I run
>> ossec-configure and select there installation type "local" and active
>> responses enabled "yes".
>> Next I add an active response:
>>
>>   <command>
>>     <name>testar</name>
>>     <expect></expect>
>>     <executable>testar.sh</executable>
>>   </command>
>>
>>   <active-response>
>>     <command>testar</command>
>>     <location>all</location>
>>     <level>6</level>
>>   </active-response>
>>
>> But active responses are still not executed.
>>
>>
>>> Hi,
>>>
>>> The daemon in charge of executing active-response scripts is
>>> "ossec-execd". I think your conf is good; active-response should be active
>>> and working. Try to force some response and check active-response.log.
>>>
>>> Check ossec.log for entries like:
>>>
>>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 2 IPs in the white list for active response.
>>> 2016/02/23 03:48:19 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
>>>
>>>
>>>
>>> If you really want to check if active-response is active, try this:
>>>
>>> Enable debug mode:
>>> /var/ossec/bin/ossec-control enable debug
>>>
>>> Restart OSSEC and check for line:
>>>
>>> 2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized
>>> ...
>>>
>>> The scripts should be placed on /var/ossec/active-response/bin with
>>> execution permissions.
>>>
>>> Regards,
>>>
>>> Pedro S.
>>>
>>>
>>> On Tuesday, February 23, 2016 at 11:21:13 AM UTC+1, ba...@x-cart.com
>>> wrote:
>>>>
>>>> Why are active responses not working?
>>>> I receive the email notification, but the active response has not started.
>>>> What may have caused the problem?
>>>>
>>>> #etc/shared/ar.conf:
>>>> restart-ossec0 - restart-ossec.sh - 0
>>>> restart-ossec0 - restart-ossec.cmd - 0
>>>> testar0 - testar.sh - 0
>>>> slack0 - slack.py - 0
>>>>
>>>>
>>>> #alert.log
>>>> ** Alert 1456222573.17132: mail  - syslog,sshdauthentication_success,
>>>> 2016 Feb 23 05:16:13 serv-10244->/var/log/secure
>>>> Rule: 5715 (level 7) -> 'SSHD authentication success.'
>>>> Src IP: 104.131.225.112
>>>> User: root
>>>> Feb 23 05:16:12 serv-10244 sshd[16530]: Accepted password for root from 104.131.225.112 port 47280 ssh2
>>>>
>>>> #ossec.conf
>>>>   <command>
>>>>     <name>testar</name>
>>>>     <expect></expect>
>>>>     <executable>testar.sh</executable>
>>>>   </command>
>>>>
>>>>   <command>
>>>>     <name>slack</name>
>>>>     <expect>user,srcip</expect>
>>>>     <executable>slack.py</executable>
>>>>   </command>
>>>>
>>>>   <active-response>
>>>>     <command>testar</command>
>>>>     <location>local</location>
>>>>     <rules_id>5715,11309</rules_id>
>>>>   </active-response>
>>>>
>>>>
>>>>   <active-response>
>>>>     <command>slack</command>
>>>>     <location>local</location>
>>>>     <rules_id>5715,11309</rules_id>
>>>>   </active-response>
>>>>
>>>>
>>>> #ossec.log:
>>>> 2016/02/23 05:11:04 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
>>>> 2016/02/23 05:11:04 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
>>>> 2016/02/23 05:11:04 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
>>>> 2016/02/23 05:11:04 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
>>>> 2016/02/23 05:11:04 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
>>>> 2016/02/23 05:11:04 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
>>>> 2016/02/23 05:11:04 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
>>>> 2016/02/23 05:11:04 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
>>>> 2016/02/23 05:11:14 ossec-testrule: INFO: Reading local decoder file.
>>>> 2016/02/23 05:11:14 ossec-testrule: INFO: Started (pid: 15157).
>>>> 2016/02/23 05:11:14 ossec-maild: INFO: Started (pid: 15176).
>>>> 2016/02/23 05:11:15 ossec-execd: INFO: Started (pid: 15180).
>>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading local decoder file.
>>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>>>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15192).
>>>> 2016/02/23 05:11:15 ossec-rootcheck: System audit file not configured.
>>>> 2016/02/23 05:11:15 ossec-remoted: INFO: Started (pid: 15193).
>>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Total rules enabled: '1258'
>>>> 2016/02/23 05:11:15 ossec-analysisd: INFO: Started (pid: 15184).
>>>> 2016/02/23 05:11:16 ossec-monitord: INFO: Started (pid: 15219).
>>>> 2016/02/23 05:11:16 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
>>>> 2016/02/23 05:11:16 ossec-remoted(1410): INFO: Reading authentication keys file.
>>>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous counter available for 'local'.
>>>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning counter for agent local: '0:0'.
>>>> 2016/02/23 05:11:16 ossec-remoted: INFO: No previous sender counter.
>>>> 2016/02/23 05:11:16 ossec-remoted: INFO: Assigning sender counter: 0:0
>>>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
>>>> 2016/02/23 05:11:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
>>>> 2016/02/23 05:11:21 ossec-logcollector: INFO: Started (pid: 15188).
>>>> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Started (pid: 15215).
>>>> 2016/02/23 05:11:22 ossec-rootcheck: INFO: Started (pid: 15215).
>>>> 2016/02/23 05:11:22 ossec-syscheckd: INFO: Monitoring directory: '/home/woodwork/public_html'.
>>>>
>>>>
>>>> # ps ax | grep ossec
>>>> 15176 ?        S      0:00 /var/ossec/bin/ossec-maild
>>>> 15180 ?        S      0:00 /var/ossec/bin/ossec-execd
>>>> 15184 ?        S      0:00 /var/ossec/bin/ossec-analysisd
>>>> 15188 ?        S      0:00 /var/ossec/bin/ossec-logcollector
>>>> 15193 ?        Sl     0:00 /var/ossec/bin/ossec-remoted
>>>> 15215 ?        S      0:00 /var/ossec/bin/ossec-syscheckd
>>>> 15219 ?        S      0:00 /var/ossec/bin/ossec-monitord
>>>>
> --
>
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/ossec-list/b6BbvLBc9ws/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

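A troubleshooting script written for the calling convention the thread's own test run shows (./testar.sh action user src_ip alert_id rule_id agent_host filename). This is an added example, not code from the thread or from the OSSEC project: AR_LOG, ar_valid_ip, ar_valid_user, ar_log and ar_main are names chosen here, the "-" placeholder handling reflects what ossec-execd passes for a field the <expect> section did not request, and the character allow-lists are this example's own policy. It records every invocation in the same file the thread reads (../../logs/active-responses.log relative to active-response/bin) and refuses to act on a srcip or user that carries anything a log line could not legitimately contain, because those two fields come straight out of the alert that fired and would otherwise be interpolated into whatever firewall command a real response runs.

```shell
#!/bin/sh
# testar.sh: a minimal OSSEC active-response script for troubleshooting AR.
# ossec-execd invokes every AR script with the same positional arguments, in the
# order the thread's test run shows:
#   $1 action (add|delete)  $2 user  $3 srcip  $4 alert_id  $5 rule_id  $6 agent  $7 filename
# A field the <expect> section did not ask for arrives as "-".
# AR_LOG is this example's own variable (not an OSSEC setting); the default is
# the path the thread reads, relative to /var/ossec/active-response/bin.
AR_LOG="${AR_LOG:-../../logs/active-responses.log}"

# Allow only characters that can occur in an IPv4/IPv6 literal. srcip is copied
# verbatim from the log line that fired the rule, i.e. attacker-influenced data,
# so it must never reach a shell command unvalidated.
ar_valid_ip() {
    case "$1" in
        ""|*[!0-9a-fA-F.:]*) return 1 ;;
    esac
    return 0
}

# Same idea for the user field (example policy: portable username characters only).
ar_valid_user() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Append one timestamped line to the active-response log.
ar_log() {
    echo "$(date) $0: $*" >> "$AR_LOG"
}

# Entry point. Returns 0 when the response ran, 1 when it was refused.
ar_main() {
    action="$1"; user="$2"; srcip="$3"; alert_id="$4"; rule_id="$5"; agent="$6"; filename="$7"
    # First line mirrors what the stock OSSEC scripts write: the raw argument list.
    ar_log "$*"

    case "$action" in
        add|delete) ;;
        *) ar_log "invalid action '$action'"; return 1 ;;
    esac
    # Normalise execd's "-" placeholder to "not supplied".
    [ "$srcip" = "-" ] && srcip=""
    [ "$user" = "-" ] && user=""
    if [ -n "$srcip" ] && ! ar_valid_ip "$srcip"; then
        ar_log "refusing unsafe srcip"; return 1
    fi
    if [ -n "$user" ] && ! ar_valid_user "$user"; then
        ar_log "refusing unsafe user"; return 1
    fi

    # The real response goes here (for example a firewall rule built from "$srcip").
    # For a test script, recording that execution got this far is the whole point.
    ar_log "$action ip=${srcip:--} user=${user:--} rule=$rule_id alert=$alert_id agent=$agent file=${filename:--}"
    return 0
}

# Run only when invoked as the script itself, so the functions can also be sourced.
case "${0##*/}" in
    testar.sh) ar_main "$@" ;;
esac
```

Drop it into /var/ossec/active-response/bin as testar.sh with execute permission and the ossec group, run it by hand with the seven arguments as in the thread, then confirm the same kind of line appears in active-responses.log with the values execd filled in once rule 5715 fires. A line with "-" in the srcip column means the <expect> section did not ask for srcip; a "refusing unsafe" line means the alert carried something that should never be passed to a firewall command.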