Hi Xu Feng,
The issue is that you have both level and rules_id in your config,
so ossec is acting on both. Try leaving it just as:
<active-response>
  <command>host-deny</command>
  <location>local</location>
  <rules_id>5712,5720</rules_id>
  <timeout>600</timeout>
</active-response>
And it should work.
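
An added example, not part of the original message or of the OSSEC project: a small Python check that lists every active-response block in an ossec.conf and flags those that set both level and rules_id, the combination described in the reply above. The sample configuration and the level value 6 are constructed for illustration, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread: the first block combines
# <level> and <rules_id>, the second is the rules_id-only form from the reply.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

def audit_active_responses(conf_text):
    """Return one dict per <active-response> block describing its triggers."""
    # ossec.conf may hold several <ossec_config> roots, which is not
    # well-formed XML on its own, so wrap it in a synthetic root first.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    findings = []
    for block in root.iter("active-response"):
        level = (block.findtext("level") or "").strip()
        raw_ids = block.findtext("rules_id") or ""
        ids = [r.strip() for r in raw_ids.split(",") if r.strip()]
        findings.append({
            "command": (block.findtext("command") or "").strip(),
            "level": int(level) if level else None,
            "rules_id": ids,
            # Both set: OSSEC acts on both conditions, as the reply says.
            "both_triggers": bool(level) and bool(ids),
        })
    return findings

if __name__ == "__main__":
    for f in audit_active_responses(SAMPLE_CONF):
        note = "WARNING: level and rules_id both set" if f["both_triggers"] else "ok"
        print(f["command"], f["level"], f["rules_id"], note)
```
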
Re: active-response problems
Greetings Xu Feng:
RE: http://www.ossec.net/main/manual/#active-response
local = agent or local installation
server = ossec server
all = every ossec agent
/var/ossec/active-response/ossec-hids-responses.log is the location of
the log file that logs when active-response kicks off.
If you want