I just ran into the opposite problem today. I had just reinstalled several
'local' OSSEC installs as 'agents' and when I did this, the whitelists had
to be added to the server's ossec.conf, as adding them to the agent's
ossec.conf did nothing.  This is really a question for another thread, but
is there a better way to specify which hosts use certain whitelists instead
of the <global> whitelists on the server?

Maybe you have certain addresses in your whitelist (on the server's
ossec.conf) that are stopping the active responses on the agents?


On Mon, Mar 16, 2009 at 5:46 PM, Trevor McLeod <[email protected]> wrote:

>
> Hello,
>
> I have a test environment consisting of three hosts with OSSEC (agent)
> installed (Linux, XP professional and a Mac) and one host with OSSEC
> (server) installed (Linux).  The three hosts are configured to send
> their events to the server.
>
> This environment has a completely stock environment, ie., none of the
> configuration files, rules or scripts have been changed.
>
> Everything works well except for the active response on the agents.  It
> works fine on the server.
>
> If I run something like Bruter to pound away at the agents using ssh,
> neither the hosts.deny or firewall on the agents are automatically
> configured by the server to block the ip address of the host running
> Bruter.
>
> If I run agent_control on the server, it shows all the agents as
> active.  If I run agent_control on the server and specify
> integrity/rootkit checking on a particular agent, it runs on the agent.
>
> All that doesn't work is the active response on the agents.
>
> Any ideas?
> Trevor McLeod
>
>

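As an added illustration of the two settings the thread is talking about (this is example configuration written for this page, not copied from either poster's setup or from the OSSEC project's own files): the `<white_list>` entries live in the `<global>` section of the server's ossec.conf, and any source IP matching one of them is never handed to active response, for the server or for any agent reporting to it. The `<active-response>` block with `<location>local</location>` is what makes the agent that generated the event run the block on itself; `host-deny` and `firewall-drop` are the stock command names, and the addresses below are constructed values for the example.

```xml
<ossec_config>

  <!-- Server-side only: ossec.conf on the OSSEC server.
       Source IPs matching these entries are exempt from active response
       everywhere, which is why a whitelist here can "silently" stop an
       agent from blocking a host. Entries may be plain IPs, CIDR blocks,
       or regexes anchored with ^ and $ for hostnames. -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <!-- Example (constructed) management subnet that should never be blocked.
         If the brute-forcing test box sits in here, no agent will ever block it. -->
    <white_list>192.0.2.0/24</white_list>
  </global>

  <!-- Stock command definitions: the scripts that active response runs. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- location=local: the agent whose log produced the alert blocks the
       source IP on itself (hosts.deny / local firewall) for <timeout> seconds.
       Other <location> values are server, defined-agent (with <agent_id>) and all. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

When checking why an agent is not blocking, the two things to compare are the attacking host's address against every `<white_list>` entry on the server (not the agent), and whether the alert level reached the `<level>` threshold configured in the `<active-response>` block.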