Another attraction of OSSEC is active-response, which lets a rule trigger a command automatically. It is best to use this function with caution: if a rule kills something that should not be killed, the consequences are serious, so a good choice is to use it only to trigger alarms automatically. Here we first give a standard configuration (the original post wrote the tags with [ ] because of encoding problems with < >):

```xml
<command>
  <name>test</name>                      <!-- the name of the command -->
  <executable>test.sh</executable>       <!-- script name, called after active-response -->
  <timeout_allowed>no</timeout_allowed>  <!-- time-out setting: whether the action expires after a while -->
  <expect></expect>                      <!-- expected argument; generally not set -->
</command>

<!-- put this after <command>, otherwise the command cannot be found -->
<active-response>
  <command>test</command>                <!-- the name of the response command defined above -->
  <location>server</location>            <!-- response location: server runs the script on the server, agent runs it on the client -->
  <level>1</level>                       <!-- response level: alerts at this level or above trigger the response -->
</active-response>
```

Put the script under /var/ossec/active-response/bin, give it execute permission, and make it belong to the ossec group:

```
-r-xr-x--- 1 root ossec 445 11-09 test.sh
```

At last, let's look at the script file, which adds a user. File name: test.sh

```sh
#!/bin/sh
# OSSEC calls active-response scripts as: script ACTION USER IP ALERT_ID RULE_ID
useradd lion

ACTION=$1
USER=$2
IP=$3

# cd to the active-response directory so the log path below is correct
LOCAL=`dirname $0`; cd $LOCAL
cd ../
PWD=`pwd`

# Logging the call (append, so earlier calls are not overwritten)
echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
```

Reference: http://www.ossec.net/doc/manual/ar/index.html