[ossec-list] Active-response firewall-drop server IP instead of agent IP when fired an agent rule

2017-07-04 Thread Tunguyen
Hi everyone, here is my ossec.conf on the server: firewall-drop server,all 31152 600 30,60,90,120,150 Rule 31152 is: 31103 Multiple SQL injection attempts from same souce ip. attack,sql_injection, After I tried to SQL injection to

[ossec-list] Rule fired but active-response didn't work

2017-07-03 Thread Tunguyen
My rule fired, and I received alert emails too. But active-response doesn't work. Here is my active-response config in ossec.conf: firewall-drop all 100101 600 Here is my email alert: Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 fired (level 9) ->

[ossec-list] Ossec Active-Response stop working after a few days

2017-07-02 Thread Tunguyen
First, sorry for my bad English. I'm a newbie and I have used OSSEC for about 2 weeks. Last week, active response still worked well. But after 2-3 days, I checked /var/logs/auth.log and found that there was an SSH brute force attack from an IP to my server. But then I check active-response