OSSec+SMS
From Atomicorp Wiki
OSSEC SMS notification on CentOS with ASL
This tutorial will help you use the ossec notification system provided by ASL to send alerts to your phone.
1) Create an account with Clickatell (they will be providing the sms gateway service)
2) Add some credit to your account
3) Create a "Connection" and note you API_ID
4) download and install smssend
wget http://www.barsnick.net/sw/smssend-3.2-1.i586.rpm yum install smssend-3.2-1.i586.rpm
5) create the .sms file you will be using
cat > /usr/share/smssend/clickatell.sms << "EOF" NbParams 7 %Sessionid : Session ID %Login : Your username %Password : Your Pass %ApiID : Your API ID %Sender : API Sender Name %Tel : Phone number To Send Message To %Message Size=160 Convert : Your message PostURL https://api.clickatell.com/http/sendmsg? #GetURL https://api.clickatell.com/http/sendmsg? #Params session_id=\%Sessionid%&from=\%Sender%&user=\%Login%&password=\%Password%&api_id=\%ApiID%&to=\%Tel%&text=\%Message% PostData session_id=\%Sessionid%&from=\%Sender%&user=\%Login%&password=\%Password%&api_id=\%ApiID%&to=\%Tel%&text=\%Message% Search ID: PrintMsg message sent Else ErrorMsg 1 error sending message GO EOF
6) add the following to your /var/ossec/etc/ossec.conf
<command> <name>smsnotify</name> <executable>smsnotify.sh</executable> <expect>srcip</expect> </command> <active-response> <!-- This response will notify the admin via - sms for every event that fires a rule with - level (severity) >= 10. --> <command>smsnotify</command> <location>local</location> <level>10</level> </active-response>
7) create your own smsnotify.sh
cat > /var/ossec/active-response/bin/smsnotify.sh << "EOF" #!/bin/sh PATH=/sbin:/bin:/usr/sbin:/usr/bin ACTION=$1 USER=$2 IP=$3 echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" > /tmp/alertid ALERTID=`cat /tmp/alertid | awk '{print $11}' | cut -d "." -f 1` # Getting alert header LOG=`grep -A 3 $ALERTID /var/ossec/logs/alerts/alerts.log | tail -n 2` # Create session and save to /tmp/sessionid wget "http://api.clickatell.com/http/auth?api_id=''yourapi_id''&user=''yourusername''&password=''yourpassword''" -O /tmp/sessionid -q # Use only the session id for the variable sessionid=`cat /tmp/sessionid | awk '{print $2}'` # Send sms smssend clickatell.sms $sessionid ''yourusername'' ''yourpassword'' ''yourapi_id'' "ServerAlert" ''yourphoneNo'' "$LOG" EOF
chmod 755 /var/ossec/active-response/bin/smsnotify.sh
8) do an asl -f -s to restart ossec and your are good to go :)
Enjoy