Hi Peter,

Did you try it again after a while? Note that the way it works internally, the manager and the agent share a bunch of configuration files and when you update it on the manager, it may take a while to get pushed down to all agents (up to a couple of hours).

From the log, it seems that you added the active response win_nullroute43200, but the agent didn't have time to receive the ar.conf file (stored inside /var/ossec/etc/shared). Can you try it now and see if it will work? Next time if you want to speed the process, restart the manager and it will get pushed down a lot quicker (within 10/20 minutes).

*btw, I am working to have rootcheck updated to 2.1.1. Thanks for the reminder.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Jul 3, 2009 at 11:57 PM, Peter M. Abraham<peter.abra...@dynamicnet.net> wrote:
>
> Greetings:
>
> Re: http://www.ossec.net/main/manual/manual-active-response-on-windows/
>
> /var/ossec/bin/agent_control -L
>
> OSSEC HIDS agent_control. Available active responses:
>
>    Response name: win_nullroute43200, command: route-null.cmd
>    Response name: apache_restart0, command: apache_restart.sh
>    Response name: firewall-drop43200, command: firewall-drop.sh
>
> [r...@dnisp1 root]# /var/ossec/bin/agent_control -b 89.35.205.206 -f
> win_nullroute43200 -u 016
>
> OSSEC HIDS agent_control: Running active response 'win_nullroute43200'
> on: 016
>
>
> Yet on the Windows server in question, in the ossec.log file I see the
> following (route print doesn't have the block):
>
> 2009/07/03 22:38:01 ossec-execd(1311): ERROR: Invalid command name
> 'win_nullroute43200' provided.
>
> 2009/07/03 22:43:51 ossec-execd(1311): ERROR: Invalid command name
> 'win_nullroute43200' provided.
>
>
> The agent and server are on ossec 2.1.1
>
> Please advise as to what I need to check to make sure the problem is
> not on my end.
>
> Thank you.
>
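
The check described in this thread, as an added example that is not part of the original messages or of OSSEC itself: it pairs the `ossec-execd(1311)` errors from the agent's ossec.log with the response names in the agent's copy of ar.conf, to show which active responses have not been pushed down yet. The `name - command - timeout` layout of ar.conf and the sample ar.conf content are assumptions; the log lines are the ones quoted above, rejoined onto single lines.

```python
import re

# Constructed sample: the agent's shared ar.conf before the manager's update
# arrives. The "name - command - timeout" layout is an assumption.
SAMPLE_AR_CONF = """\
apache_restart0 - apache_restart.sh - 0
firewall-drop43200 - firewall-drop.sh - 43200
"""

# The two ossec.log lines quoted in the thread, rejoined onto single lines.
SAMPLE_OSSEC_LOG = """\
2009/07/03 22:38:01 ossec-execd(1311): ERROR: Invalid command name 'win_nullroute43200' provided.
2009/07/03 22:43:51 ossec-execd(1311): ERROR: Invalid command name 'win_nullroute43200' provided.
"""

INVALID_CMD = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-execd\(1311\): "
    r"ERROR: Invalid command name '(?P<name>[^']+)' provided\.")


def known_responses(ar_conf_text):
    """Return the response names listed in ar.conf (first ' - ' separated field)."""
    names = set()
    for line in ar_conf_text.splitlines():
        line = line.strip()
        if line:
            names.add(line.split(" - ", 1)[0].strip())
    return names


def unsynced_responses(log_text, ar_conf_text):
    """Map each rejected response name that is absent from ar.conf to its error timestamps."""
    known = known_responses(ar_conf_text)
    missing = {}
    for line in log_text.splitlines():
        m = INVALID_CMD.match(line.strip())
        if m and m.group("name") not in known:
            missing.setdefault(m.group("name"), []).append(m.group("ts"))
    return missing


if __name__ == "__main__":
    for name, stamps in unsynced_responses(SAMPLE_OSSEC_LOG, SAMPLE_AR_CONF).items():
        print(f"{name}: rejected {len(stamps)} time(s), last at {stamps[-1]}; "
              "not in ar.conf yet, wait for the push or restart the manager")
```

A name that keeps being rejected after it appears in the agent's ar.conf points at something other than a pending sync.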