Active response does not seem to be working. I have the following config in my ossec.conf file:
<active-response>
  <disabled>no</disabled>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>1512</rules_id>
</active-response>
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
</command>
And when this rule happens I do not see anything logged to the active response log file that my command was run.
