Look for something like the following in the agent's ossec.conf:
<active-response>
  <disabled>no</disabled>
</active-response>
Although, I just tried agent_control -r -u <agent_id> and it didn't
seem to work for me. agent_control -R <agent_id> restarted the process
and kicked off a syscheck scan just fine though.
On Fri, Feb 19, 2010 at 8:48 AM, Mike Sievers
<[email protected]> wrote:
> Hi!
>
> There are no errors in my log file
> How can I check if active response is running?
> Maybe agent_control is not the statement I am looking for
> All I want is:
> patch the server
> acknowledge the changes immediately
> receiving the alert fast
>