I really need some help. It looks like my OSSEC setup, a server and two clients, could not run active response properly. From the active-responses.log, the firewall-drop.sh command runs either on the server or on the clients, depending on the <location> I set, as in the following example.
<!-- Active Response Config -->
<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc). -->
  <command>firewall-drop</command>
  <location>all, server</location>
  <level>6</level>
  <timeout>600</timeout>
  <repeated_offenders>30,60,120</repeated_offenders>
</active-response>

When I use "<location>all</location>", the two clients run the same firewall-drop.sh, but not the server:

Client 1:
Wed Jun 7 12:51:59 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 188.17.251.42 1496854297.9113366 5706
Wed Jun 7 13:02:30 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh delete - 188.17.251.42 1496854297.9113366 5706

Client 2:
Wed Jun 7 12:53:28 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 188.17.251.42 1496854297.9113366 5706
Wed Jun 7 13:03:58 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh delete - 188.17.251.42 1496854297.9113366 5706

The event was triggered on Client 2, based on examination of the secure log. The system time is a bit off.

When I use "<location>server</location>" or "<location>all, server</location>", active response only runs on the server. No action on the clients.

My question is how I should configure OSSEC so that active response runs on both server and clients? Please help.
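Added example, not part of the post above: a small checker for the active-responses.log format the post quotes (date, script, action, user, source IP, alert id, rule id). It pairs each firewall-drop add with its delete and flags blocks whose lifetime strays from the configured <timeout>, or adds that never saw a delete. The field layout and the 60-second slack are assumptions; the sample lines are copied from Client 1 above.

```python
"""Pair firewall-drop add/delete entries from an OSSEC active-responses.log
and compare each block's lifetime with the configured <timeout> (600 s)."""
from datetime import datetime

# Constructed sample: the two Client 1 lines quoted in the post, one per line.
SAMPLE_LOG = """\
Wed Jun 7 12:51:59 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 188.17.251.42 1496854297.9113366 5706
Wed Jun 7 13:02:30 EDT 2017 /var/ossec/active-response/bin/firewall-drop.sh delete - 188.17.251.42 1496854297.9113366 5706
"""


def parse_line(line):
    """Split one log line into fields. Assumed layout: six date tokens, then
    script path, action, user, source IP, alert id and rule id."""
    tok = line.split()
    if len(tok) < 12:
        return None
    # Parse the date without the zone name (tok[4]); strptime's %Z is unreliable.
    when = datetime.strptime(" ".join(tok[0:4] + [tok[5]]), "%a %b %d %H:%M:%S %Y")
    return {"time": when, "script": tok[6], "action": tok[7], "user": tok[8],
            "srcip": tok[9], "alert_id": tok[10], "rule_id": tok[11]}


def block_durations(log_text):
    """Return ({(srcip, alert_id): seconds blocked}, [keys of adds with no delete]).
    An add without a matching delete may mean the iptables rule is still in place."""
    open_blocks, durations = {}, {}
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None or not e["script"].endswith("firewall-drop.sh"):
            continue
        key = (e["srcip"], e["alert_id"])
        if e["action"] == "add":
            open_blocks[key] = e["time"]
        elif e["action"] == "delete" and key in open_blocks:
            durations[key] = (e["time"] - open_blocks.pop(key)).total_seconds()
    return durations, sorted(open_blocks)


def check_timeout(durations, timeout=600, slack=60):
    """Flag blocks whose lifetime differs from timeout by more than slack seconds."""
    return {k: d for k, d in durations.items() if abs(d - timeout) > slack}


if __name__ == "__main__":
    durations, unfinished = block_durations(SAMPLE_LOG)
    print("durations:", durations)          # Client 1 block lasted 631.0 s
    print("adds never deleted:", unfinished)
    print("outside timeout window:", check_timeout(durations))
```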