Hi,
you are right Tony. The syntax for *ossec.conf* is not user-friendly. You
must think in the following way:
If it is a setting like yes/no, it will be overwritten if the parser finds
the same setting below. Example:
yes
no
The final value will be 'no'.
However, if the setting is
For anyone curious it was an incredibly simple fix :(. Apparently if any
active-responses in your ossec.config file are disabled, it will disable
all of the active responses. I had 4 enabled and 1 disabled, but because of
that 1, they all were disabled.
On Wednesday, April 19, 2017 at 3:42:46
Hmm, ok, is this the only active-response config on your agent? I'm not
seeing any so that may be my problem. Is it one active-response config for
all (like the one you posted below should serve all future ARs)? And what I
posted was on the server. I'll give this a try though
On Wednesday,
On Wed, Apr 19, 2017 at 5:54 PM, dan (ddp) wrote:
> On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote:
>> How would I go about checking if AR is disabled on agents? Checking config
>> files and don't see anything about it. Running v2.8.3 for OSSEC. Also,
On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote:
> How would I go about checking if AR is disabled on agents? Checking config
> files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this
> on Ubuntu
>
I think it's enabled by default. This is all I have
How would I go about checking if AR is disabled on agents? Checking config
files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this
on Ubuntu
On Wednesday, April 19, 2017 at 2:21:47 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams
On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote:
> Still no luck. Just to verify, the scripts should be located in
> /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't
> really telling me anything either.
>
Yep, that's where they go.
AR isn't
Still no luck. Just to verify, the scripts should be located in
/var/ossec/active-response/bin/, correct? Unfortunately the logs aren't
really telling me anything either.
On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant
On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote:
> Yes test.sh is on the agent. Execd is also running and yep the alert is
> firing.
>
Try removing the level option and leave just the rules_id.
> On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote:
>>
Yes test.sh is on the agent. Execd is also running and yep the alert is
firing.
On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote:
> > Hello,
> >
> > I'm pretty new to OSSEC and I'm working to
On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote:
> Hello,
>
> I'm pretty new to OSSEC and I'm working to get some active responses
> working. I have tried a number of different active responses but cannot seem
> to get it to work anywhere (not on the server or agents).