On Wed, Mar 22, 2017 at 7:05 AM, Martin <martin...@gmail.com> wrote: > Ok the problem was that I thought that <location>all</location> as stated in > the doc would execute the command everywhere (meaning on all the agents & > the server). > > But "all" means all the agents except the server.
Thanks for pointing that out. I could have sworn I corrected that in the documentation years ago. > > In order to execute the command on all the agents and the server, I had to > duplicate the active-response ; > > <active-response> > <command>host-deny</command> > <location>all</location> > <level>6</level> > <timeout>600</timeout> > </active-response> > > <active-response> > <command>firewall-drop</command> > <location>all</location> > <level>6</level> > <timeout>600</timeout> > </active-response> > > <active-response> > <command>host-deny</command> > <location>server</location> > <level>6</level> > <timeout>600</timeout> > </active-response> > > <active-response> > <command>firewall-drop</command> > <location>server</location> > <level>6</level> > <timeout>600</timeout> > </active-response> > > Thank you again for your help dan. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.