After adding the rule, did you restart the ossec server processes? Is ossec monitoring the log file that these log events are recorded to? Has one of these log events happened?
And for the active response, you'd need to post your active response configuration. I don't do a lot with it myself...

On Mon, Jul 12, 2010 at 4:25 PM, Janiko <[email protected]> wrote:
> Hi...
>
> Sorry for the delay...
>
> First of all, thank you for your help. But there must be smth I don't
> understand : I've added a rule that works with ossec-logtest, but I
> can't see any alerts in the ossec logs. What's wrong ?
>
> For information, when using ossec-logtest, I got the message :
>
> **Phase 3: Completed filtering (rules).
> Rule id: '500001'
> Level: '10'
> Description: 'Casper badness'
> **Alert to be generated.
>
> But nothing in the logs, and no active response (though I guess that a
> 10-level alert should fire the host-deny response). Again, thank you
> for your help !
