Hi Peter,

They should happen almost at the same time, with the active response before the e-mail (most of the time). Basically, as soon as the alert is fired, it is sent to the os-remoted (on the server), which forwards to the correct agent.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/21/07, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings Daniel:
>
> You were on target, and thank you for pointing out the log file:
>
> aug 17 16:58:08 CEST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 61.136.58.249 1187360911.3960043 5720
> aug 17 17:02:01 CEST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 61.136.58.249 1187360911.3960043 5720
>
> I guess I was not seeing it in time.
>
> May I ask how quickly does the firewall drop occur on the agent itself
> in relation to the email sent from the ossec server?
>
> Thank you.
>
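
One way to measure the timing discussed in this thread from the active-response log itself, as an added example that is not part of the original messages or of OSSEC's own code. It assumes the integer part of the alert ID (`1187360911` in the quoted lines) is the alert's epoch time, and it only knows the time-zone abbreviations listed in `TZ_HOURS`; the function and variable names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two entries quoted in the thread, line wraps rejoined.
SAMPLE_LOG = """\
aug 17 16:58:08 CEST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 61.136.58.249 1187360911.3960043 5720
aug 17 17:02:01 CEST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 61.136.58.249 1187360911.3960043 5720
"""

MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
TZ_HOURS = {"UTC": 0, "GMT": 0, "CET": 1, "CEST": 2}  # assumption: extend for other zones

ENTRY = re.compile(
    r"^(?:\w{3} )?(\w{3}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (\w+) (\d{4}) "
    r"(\S+) (add|delete) (\S+) (\S+) (\d+)\.(\d+) (\d+)$")


def parse_entry(line):
    """Return a dict for one log line, or None if it does not match."""
    m = ENTRY.match(line.strip())
    if not m or m.group(1).lower() not in MONTHS or m.group(6) not in TZ_HOURS:
        return None
    mon, day, hh, mm, ss, tz, year = m.group(1, 2, 3, 4, 5, 6, 7)
    when = datetime(int(year), MONTHS.index(mon.lower()) + 1, int(day),
                    int(hh), int(mm), int(ss),
                    tzinfo=timezone(timedelta(hours=TZ_HOURS[tz])))
    return {"when": when, "script": m.group(8), "action": m.group(9),
            "ip": m.group(11), "alert_id": f"{m.group(12)}.{m.group(13)}",
            # Assumption: the alert ID's integer part is the alert's epoch time.
            "alert_time": datetime.fromtimestamp(int(m.group(12)), timezone.utc),
            "rule": m.group(14)}


def summarize(log_text):
    """Pair add/delete entries per (ip, alert_id); report delay and block length."""
    blocks = {}
    for entry in filter(None, map(parse_entry, log_text.splitlines())):
        b = blocks.setdefault((entry["ip"], entry["alert_id"]),
                              {"rule": entry["rule"], "delay_s": None,
                               "added": None, "blocked_s": None})
        if entry["action"] == "add":
            b["added"] = entry["when"]
            b["delay_s"] = (entry["when"] - entry["alert_time"]).total_seconds()
        elif b["added"] is not None:
            b["blocked_s"] = (entry["when"] - b["added"]).total_seconds()
    return blocks  # blocked_s stays None while a block is still in place
```

`delay_s` compares the time embedded in the alert ID with the clock of the host that wrote the log line; when those are different hosts (server and agent), any clock difference between them is included in the figure.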
