Hi Martin,

If you disabled active response on the agent, there is *no way* that any response is going to be executed over there. When it is disabled, "ossec-execd" (the daemon responsible for executing responses) will not even start. If you look at /var/ossec/active-responses/ there should be no log file there (on the agent system).

Can you do a "ps auwx |grep ossec" in the agent, just to confirm that execd is not running? If it is, can you show us your config file?

Related to the syscheck problem, increasing the frequency is going to help (and also nicing it), but we will come up with a better solution to fix it in the next version.

Thanks for the report!

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/5/06, Martin Leung <[EMAIL PROTECTED]> wrote:
Hi oahmet,

oahmet wrote:
>
> Hi again,
>
> I just checked my 0.9 installed debian box and everything seems normal.
> Alert e-mails are coming with correct date (timezone values).
> Is it possible to send us a sample alert e-mail with full headers?
> (just copy&paste from /var/spool/mail).

Here you are:

Return-path: <[EMAIL PROTECTED]>
Date: Sun, 06 Aug 2006 01:42:49 +0000 (HKT)
From: OSSEC HIDS <[EMAIL PROTECTED]>
Subject: OSSEC Notification - localhost - Alert level 8
To: [EMAIL PROTECTED]

The above is from Fedora Core 5.

Also, I think I found a typo at point 3.5 of the installation script. The script says the syslog collector port is 514, but it seems to be 1514 instead.

ossec-rem 621 ossecr 4u IPv4 10883705 UDP *:1514

> PS: I'll also add /var/adm/messages to the config file on Solaris systems.
>
> Regards,
>
> Ahmet Ozturk.
>
> Ahmet Ozturk wrote:
>>
>> Hi Martin,
>>
>> Let me answer your first 2 questions:
>> 1. I'm not sure if you can throttle the syscheck cpu usage directly
>> (you may use nice command for a running process, but I don't know

Thanks for the idea. I will modify the ossec-control script to reduce its priority.

>> a way to automate this). syscheckd starts to run every 2 hours by
>> default,
>> you may want to change this. (see <frequency> and other options in
>> ossec.conf)
>> (http://www.ossec.net/en/manual.html#syscheck_options)

The frequency is what concerns me. I would prefer to have it run when my server is free. It could be some time early in the morning or when the CPU usage drops below a certain level.

>>
>> 2. For active-response issue, please check the <location> option
>> in ossec.conf file on the server. If it has the value "local" it will
>> execute
>> the active-response on the agent that generated the alert. If you want to
>> use active-response only on your server, this value should be set to
>> "analysis-server".
>> (http://www.ossec.net/en/manual.html#active-response-config)

Tried but I got the following error:

[etc]# /etc/init.d/ossec restart
Stopping OSSEC: [ OK ]
Starting OSSEC: 2006/08/06 00:38:39 ossec-analysisd(1302): Invalid active response location: 'analysis-server'.
2006/08/06 00:38:39 ossec-analysisd(1202): Configuration problem. Exiting.
2006/08/06 00:38:39 ossec-analysisd(1202): Configuration problem. Exiting.
[FAILED]

Rgds.
Martin
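As an added example (not code from this thread or from the OSSEC project), a small Python linter for the ossec.conf settings discussed above: it flags an unrecognised <location> such as the "analysis-server" value that ossec-analysisd rejected, notes when active response is disabled, and warns when the syscheck frequency is below the 2-hour default. The accepted location values (local, server, defined-agent, all) are taken from the OSSEC manual rather than from this thread, and the ossec.conf sample is constructed.

```python
"""Lint the active-response and syscheck settings of an OSSEC ossec.conf."""
import xml.etree.ElementTree as ET

# Accepted <location> values for an active-response block, per the OSSEC
# manual (assumption: the thread itself only shows "local" and the
# rejected "analysis-server").
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}
DEFAULT_SYSCHECK_FREQUENCY = 7200  # seconds: the 2-hour default from the thread

# Constructed sample reproducing the misconfiguration reported above.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
  </syscheck>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>analysis-server</location>
    <level>6</level>
  </active-response>
</ossec_config>
"""


def parse_ossec_conf(text):
    # ossec.conf may hold several top-level <ossec_config> elements, which
    # is not one well-formed XML document, so wrap them in a single root.
    return ET.fromstring("<root>" + text + "</root>")


def lint(text):
    """Return a list of (severity, message) findings; empty means clean."""
    root = parse_ossec_conf(text)
    findings = []
    disabled = False
    for ar in root.iter("active-response"):
        flag = ar.findtext("disabled")
        if flag is not None:  # global on/off block, carries no <location>
            disabled = flag.strip().lower() == "yes"
            continue
        loc = (ar.findtext("location") or "").strip()
        if loc not in VALID_LOCATIONS:
            findings.append(("error", "invalid active-response location: %r" % loc))
    if disabled:
        findings.append(("info", "active response disabled: ossec-execd will not start"))
    for sc in root.iter("syscheck"):
        freq = sc.findtext("frequency")
        if freq is not None and int(freq) < DEFAULT_SYSCHECK_FREQUENCY:
            findings.append(("warn", "syscheck frequency %s s is below the default" % freq))
    return findings
```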
