BUG in zabbix-alert.sh
From: "andre.pietsch" <andre.piet...@a-sd.de>
Date: Fri, 23 Sep 2011 05:55:07 -0700 (PDT)
Local: Fri, Sep 23 2011 8:55 am
Subject: BUG in zabbix-alert.sh
Hi,

I based my active response script that sends whois information about
an IP on the zabbix-alert.sh script.

Sometimes I had the problem that my mails sent no information about
the host and the alert level. Investigating the problem I found out
that I made a mistake in one of the grep commands that analyse the
alert.log file. I thought I made a mistake. A few moments ago I looked
into the zabbix-alert.sh and saw that the problem was already there.

The problem is in the following lines:

21 ALERTID=$4
.
.
.
48 # Getting alert time
49 ALERTTIME=`echo "$ALERTID" | cut -d  "." -f 1`
50
51 # Getting end of alert
52 ALERTLAST=`echo "$ALERTID" | cut -d  "." -f 2`
53
54 # Getting full alert
55 ALERTTEXT=`grep -A 10 "$ALERTTIME" $PWD/../logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 `
56
57 # Extract host (agent) name from alert.
58 HOSTNAME=`echo "$ALERTTEXT" | sed -n '1,1s/^.*\:[0-9][0-9]\:[0-9][0-9][^A-Za-z0-9_]*\([-A-Za-z0-9_]*\)\->.*$/\1/p'`

The parameter $ALERTID is the ID given to the script. From that the
ALERTTIME and ALERTLAST are extracted. The BUG is in line 55 where the
ALERTTEXT is extracted. If only the ALERTTIME is used there and
several alerts happen at the same time (happened to me) there are
several parts extracted from the alert.log file. The result is that
the HOSTNAME and other later needed parameters could not be
extracted exactly.

The solution would be to change the line like this:

55 ALERTTEXT=`grep -A 10 "$ALERTID" $PWD/../logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 `

The $ALERTID should be used instead of $ALERTTIME. So there is only
one alert extracted from the alert.log file.

I've tested it on several machines with the same wrong result. After
that I changed it in my active response script send-whois.sh. It
should be changed in the zabbix-alert.sh script too.

If you are interested in my active response script send-whois.sh I
would be glad to share it with you.

Kind regards

Andre Pietsch
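
As an added demonstration (not code from this thread or from zabbix-alert.sh itself), the script below reproduces the bug on a constructed alerts.log in which two alerts share the same timestamp, then applies the fix from the post and, going one step further, an awk variant that stops at the alert boundary. The log contents, host names, IPs and alert IDs are made up.

```shell
#!/bin/sh
# Constructed alerts.log (hosts, IPs and IDs are made up): two alerts share
# the epoch part 1316783707 of their ID and differ only in the offset suffix.
ALERTS_LOG="${TMPDIR:-/tmp}/alerts-demo.$$.log"
trap 'rm -f "$ALERTS_LOG"' EXIT
cat > "$ALERTS_LOG" <<'EOF'
** Alert 1316783707.12100: - syslog,sshd,authentication_failed,
2011 Sep 23 08:55:07 webhost->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
Sep 23 08:55:07 webhost sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2

** Alert 1316783707.12345: - syslog,sshd,authentication_failed,
2011 Sep 23 08:55:07 mailhost->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.9
Sep 23 08:55:07 mailhost sshd[918]: Failed password for root from 203.0.113.9 port 51002 ssh2

** Alert 1316783710.12590: - syslog,sshd,authentication_failed,
2011 Sep 23 08:55:10 dbhost->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.44
EOF

# Line 55 as shipped: keys on ALERTTIME only (options reordered, same effect).
extract_by_time() {                      # $1 = alert id, e.g. 1316783707.12345
    alerttime=$(echo "$1" | cut -d "." -f 1)
    alertlast=$(echo "$1" | cut -d "." -f 2)
    grep -A 10 "$alerttime" "$ALERTS_LOG" | grep -A 10 -v ".$alertlast: "
}

# Line 55 with the fix from the post: keys on the full ALERTID.
extract_by_id() {                        # $1 = alert id
    alertlast=$(echo "$1" | cut -d "." -f 2)
    grep -A 10 "$1" "$ALERTS_LOG" | grep -A 10 -v ".$alertlast: "
}

# Stricter variant: print only the lines of the one alert whose header starts
# with "** Alert <id>:", stopping at the next header; blank lines are skipped.
extract_block() {                        # $1 = alert id
    awk -v id="$1" '
        /^\*\* Alert / { inblock = (index($0, "** Alert " id ":") == 1); next }
        inblock && NF' "$ALERTS_LOG"
}

# Host extraction exactly as line 58 of the script: it looks only at line 1.
hostname_of() {                          # stdin = ALERTTEXT
    sed -n '1,1s/^.*\:[0-9][0-9]\:[0-9][0-9][^A-Za-z0-9_]*\([-A-Za-z0-9_]*\)\->.*$/\1/p'
}
```

On this log, extract_by_time returns an empty host name because the other 08:55:07 alert comes first in the file, extract_by_id returns mailhost but still drags two "Src IP:" lines along because -A 10 runs into the next alert, and extract_block returns exactly the four lines of the requested alert.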
From: "David M. Zendzian" <d...@zzservers.com>
Date: Fri, 23 Sep 2011 09:23:02 -0400
Local: Fri, Sep 23 2011 9:23 am
Subject: Re: [ossec-dev] BUG in zabbix-alert.sh
Could you post your whois script?

And was the zabbix script the one I posted a while ago? Or is there
another floating around?

Thanks
David

On 09/23/2011 08:55 AM, andre.pietsch wrote:

--
David M. Zendzian | Managing Partner | ZZ Servers
268 Bush St. #4127 | San Francisco, CA 94104
T: 415-593-5593 ext 369 | F: 415-901-6625

Email : d...@zzservers.com

Business Hosting Solutions | PCI | HIPAA
Managed Hosting Specialists
From: "andre.pietsch" <andre.piet...@a-sd.de>
Date: Fri, 23 Sep 2011 07:45:25 -0700 (PDT)
Local: Fri, Sep 23 2011 10:45 am
Subject: Re: BUG in zabbix-alert.sh
Hi David,

You are more than welcome.

It is the zabbix-alert.sh script that is delivered with the ossec 2.6
package provided by the atomicorp yum repository.

I haven't found your post but in the script is your name and the
version 1.0 from April 6th 2010.

My script can be found at http://pastebin.com/E6PRgR34 . I hope it
helps.

As long as the whois stuff is not included within the default
notification (maybe configurable via the ossec.conf file) this script
helps us to secure some evidence for legal purposes.

It extracts ID, time, host, rule ID and rule description, level and IP
the way your script does it. It queries whois with the IP and tries to
find the corresponding lines within the log file belonging to the
alert.

It extracts the <email_from> and all <email_to> fields from the config
file and uses sendmail to send a mail to the given recipients. If
DEBUG is set to true the mail is only sent to the first configured
<email_to> address and some additional logs are created in the /tmp
directory.

Kind regards
Andre