Hi, I work with OSSEC in a multi-OS environment (Linux Debian, RedHat, OpenBSD, HP-UX) with the agent <-> server configuration.

The OpenBSD systems are the firewall boxes. They send their logs via syslog to our centralized logging system (which includes the ossec-server) and also run the ossec-agent. The OSSEC server knows the logfile from the BSD box and detects, for example, an SSH login brute force, and sends a mail. In active-response.log on the server I see the drop action, but there is no action on the agent. I use the default active-response config in ossec.conf (I also tried the defined-agent option for location, together with the agent_id), but nothing happens on the agent. They don't do the drop of the attacker.

What is the problem? Is it necessary to run the ossec-server as a syslog server too (I disabled the syslog functionality at build time)? Is the multi-OS environment the problem (OpenBSD agents -> Debian Linux server)? The communication between the server and the agents is working. Any clue for me?

Holger

P.S. Big applause for this piece of software :D
