Hi Peter M. Abraham
Thank you.
I am wondering if there is some bug in OSSEC when we want to use
active-response. Would you please reread my first mail? I just did not want
to trigger active-response in the apache logs when multiple errors
occurred.
Though I use rules_id to do this, active-response is still there when multiple
errors turned up in apache logs.

Is there something wrong with my configuration or the OSSEC itself?

Thank you.
 
-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Peter M. Abraham
Sent: December 27, 2007 21:35
To: ossec-list
Subject: [ossec-list] Re: active-response problems


Greetings Xu Feng:

RE:  http://www.ossec.net/main/manual/#active-response

local = agent or local installation
server = ossec server
all = every ossec agent

/var/ossec/active-response/ossec-hids-responses.log is the location of
the log file that logs when active-response kicks off.

If you want 5712 and 5720 only triggered on the ossec server, then use
"server" rather than "local"

Thank you.
