Hi Nikita,

I have been using the location "all" without any issues on version 1.5. Note that the active responses run on the same connection that the agent initiated to the server. So, after you restart the server, it may take a few minutes (until the next agent keep alive) for this connection to be re-established. Can you re-run this test after the server has been running for a while?

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Jun 18, 2008 at 2:16 PM, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings Nikita:
>
> Go Nittany Lions!!!!
>
> We use the following where active-response hits all agents and the
> ossec server using OSSEC 1.5:
>
> <active-response>
> <command>firewall-drop</command>
> <location>server</location>
> <rules_id>(various rule id's comma delimited without parenthesis)</rules_id>
> <timeout>(numerical response time out without parenthesis)</timeout>
> </active-response>
>
> <active-response>
> <command>firewall-drop</command>
> <location>all</location>
> <rules_id>(various rule id's comma delimited without parenthesis)</rules_id>
> <timeout>(numerical response time out without parenthesis)</timeout>
> </active-response>
>
> Thank you.
>
