Question: I have a custom decoder/rule which I believe should lead to an active response
OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:04 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
OSSEC - TS:"1474385171", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:10 2016 us=65544 100.99.88.77:62693 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
OSSEC - TS:"1474385203", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:42 2016 us=65834 100.99.88.77:28569 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
OSSEC - TS:"1474385211", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:50 2016 us=806194 100.99.88.77:59297 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
OSSEC - TS:"1474385440", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:30:38 2016 us=310533 100.99.88.77:25104 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
OSSEC - TS:"1474385448", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:30:46 2016 us=987802 100.99.88.77:4767 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
OSSEC - TS:"1474385454", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:30:53 2016 us=807904 100.99.88.77:10344 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
I have active response enabled in my ossec.conf, but my active_response.log shows no activity.
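To check whether a level-5 alert from rule 100504 would satisfy an <active-response> block at all, here is an added Python example (not OSSEC's own code and not from the poster) that parses the alert records above and applies the block's <level>, <rules_id> and <rules_group> conditions. It assumes that every condition present in a block must hold for the response to start; that reading of OSSEC's matching is this example's assumption, as is the shortened EVENT text in the sample records.

```python
import re
from dataclasses import dataclass, field

# Two alert records copied from the question above; the EVENT value is
# shortened here for readability (the real one is the full OpenVPN log line).
SAMPLE_ALERTS = [
    'OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", '
    'RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", '
    'HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", '
    'EVENT: "[INIT]Tue Sep 20 15:26:04 2016 us=815044 ... CRL CHECK FAILED ... is REVOKED[END]"',
    'OSSEC - TS:"1474385440", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", '
    'RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", '
    'HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", '
    'EVENT: "[INIT]Tue Sep 20 15:30:38 2016 us=310533 ... CRL CHECK FAILED ... is REVOKED[END]"',
]

# KEY: "value" pairs; the space after the colon is optional (TS has none above).
FIELD_RE = re.compile(r'(\w+):\s*"([^"]*)"')


def parse_alert(line: str) -> dict:
    """Turn one 'OSSEC - KEY: "value", ...' record into a dict of its fields."""
    fields = dict(FIELD_RE.findall(line))
    fields["RL"] = int(fields["RL"])
    # RG carries a trailing comma ("openvpn,authentication_failed,"); drop empties.
    fields["RG"] = [g for g in fields["RG"].split(",") if g]
    return fields


@dataclass
class Trigger:
    """Conditions of one <active-response> block in ossec.conf (assumed semantics)."""
    level: int = 0                                  # <level>: minimum alert level
    rules_id: set = field(default_factory=set)      # <rules_id>: explicit rule ids
    rules_group: set = field(default_factory=set)   # <rules_group>: any matching group


def trigger_matches(alert: dict, trig: Trigger) -> bool:
    """Assumption used here: every condition configured in the block must hold."""
    if trig.level and alert["RL"] < trig.level:
        return False
    if trig.rules_id and alert["RID"] not in trig.rules_id:
        return False
    if trig.rules_group and not trig.rules_group.intersection(alert["RG"]):
        return False
    return True


def which_fire(lines, trig: Trigger) -> list:
    """Return (SRCIP, RID) for each alert that would start the response."""
    alerts = (parse_alert(line) for line in lines)
    return [(a["SRCIP"], a["RID"]) for a in alerts if trigger_matches(a, trig)]
```

Running `which_fire(SAMPLE_ALERTS, Trigger(level=7))` returns nothing for these level-5 alerts, while naming the rule id or a lower level in the trigger makes both records fire.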