ok, I got it .....

The main thing was that I send all syslog to the server and don't leave anything local, so in this case I don't have local information in e.g. authlog.

One other thing: I think it is needed to change / fix the firewall-drop.sh script for the OpenBSD systems. Normally you never change the original rc.conf file; you set up everything in /etc/rc.conf.local (OpenBSD). That is the default way described by OpenBSD. If you now use the firewall-drop.sh, it doesn't find the ossec_fwtable table or the pf.conf if it is not in the default place.

holger

Holger Gläß wrote:
> i saw it right now,
>
> the server adds the attacker ip to the local iptables!
> not to the agent.
>
> but i think after reading the manual that
> <location>local</location> means
>
> response on an agent!
>
> http://www.ossec.net/main/manual/manual-active-responses/
>
> a bug?
> a misunderstanding?
> a misconfiguration?
>
> holger
>
>
> my config:
>
> <active-response>
>   <!-- Firewall Drop response. Block the IP for
>      - 600 seconds on the firewall (iptables,
>      - ipfilter, etc).
>   -->
>   <command>firewall-drop</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>
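
A pre-flight check for the rc.conf.local point raised above, written here as an added example (it is not code from the list post or from OSSEC's own firewall-drop.sh): it resolves the pf ruleset path the OpenBSD way and confirms that the ossec_fwtable table is declared in that ruleset before the response is relied on. The pf_rules= override in rc.conf.local, the /etc/pf.conf default and the table declaration syntax are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from OSSEC's own
# firewall-drop.sh: a pre-flight check for the firewall-drop response on
# OpenBSD that follows the rc.conf.local convention described above.
# Assumptions: rc.conf.local may override the ruleset path with a
# pf_rules= line; otherwise the ruleset is /etc/pf.conf; the response
# needs a "table <ossec_fwtable>" declaration in that ruleset.

# Print the pf ruleset path. $1 = rc.conf.local, $2 = default ruleset.
ossec_pf_rules_path() {
    rc_local="$1"
    default_rules="${2:-/etc/pf.conf}"
    override=""
    if [ -r "$rc_local" ]; then
        # last pf_rules= assignment wins; strip comments, spaces, quotes
        override=$(grep -E '^[[:space:]]*pf_rules=' "$rc_local" | tail -n 1 |
            sed -e 's/^[[:space:]]*pf_rules=//' -e 's/[[:space:]]*#.*$//' \
                -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/")
    fi
    printf '%s\n' "${override:-$default_rules}"
}

# Exit 0 if the ruleset declares the ossec_fwtable table, 1 otherwise.
ossec_fwtable_declared() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*table[[:space:]]*<ossec_fwtable>' "$1"
}

# One-line verdict for a host: which file was chosen and whether it is usable.
ossec_firewall_drop_check() {
    rules=$(ossec_pf_rules_path "$1" "$2")
    if ossec_fwtable_declared "$rules"; then
        printf 'OK: %s declares ossec_fwtable\n' "$rules"
        return 0
    fi
    printf 'MISSING: no ossec_fwtable in %s (firewall-drop would fail)\n' "$rules"
    return 1
}

# Demo on constructed files in a scratch directory (not real system files).
demo_dir=$(mktemp -d)
printf 'pf=YES\npf_rules="%s/pf.ossec.conf"   # site ruleset\n' "$demo_dir" > "$demo_dir/rc.conf.local"
printf 'table <ossec_fwtable> persist\nblock in quick from <ossec_fwtable>\n' > "$demo_dir/pf.ossec.conf"
printf 'pass all\n' > "$demo_dir/pf.conf"
ossec_firewall_drop_check "$demo_dir/rc.conf.local" "$demo_dir/pf.conf" || true
ossec_firewall_drop_check "$demo_dir/no-such-file" "$demo_dir/pf.conf" || true
rm -rf "$demo_dir"
```

The demo prints OK for the rc.conf.local-selected ruleset and MISSING for the stock default, which is the situation the post describes.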
