You don't really need anything in ossec.conf. Setting the disabled option to no doesn't hurt though.
Basically the server tells the agent which AR script to run and the parameters to run it with.

On Wed, Sep 29, 2010 at 7:58 PM, jplee3 <[email protected]> wrote:
> I'm experimenting with setting up active response on the agent,
> controlled entirely by the server.
>
> What exactly do I need to put in the ossec.conf on the agent in this
> case? I've copied the script over to the active-responses/bin folder
> but do I need to add anything to the ossec.conf? I'm assuming active
> response is supposed to be set as "<disabled>no</disabled>" - how
> exactly does this work with remote agents?
>
> Thanks,
> Jeremy
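
A sketch of the split described in the reply, added here as an example and not taken from the thread or from the OSSEC project: the command and active-response definitions sit in the server's ossec.conf, and the agent only needs the script on disk. The script name `custom-block.sh`, the command name, the rule level and the timeout are assumptions chosen for illustration.

```xml
<!-- SERVER (manager) ossec.conf: defines what runs and when.
     All values below are illustrative assumptions. -->
<ossec_config>
  <command>
    <!-- Logical name referenced by the active-response block -->
    <name>custom-block</name>
    <!-- File that must exist in active-response/bin on the agent,
         executable by the OSSEC execd process -->
    <executable>custom-block.sh</executable>
    <!-- Field from the alert that the server passes as a parameter -->
    <expect>srcip</expect>
    <!-- Allow the server to send a matching "delete" after the timeout -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>custom-block</command>
    <!-- "local" runs the script on the agent that generated the alert;
         other values are server, defined-agent (with agent_id) and all -->
    <location>local</location>
    <!-- Trigger on alerts at or above this level (assumed threshold) -->
    <level>7</level>
    <!-- Seconds before the response is reversed -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- AGENT ossec.conf: nothing is required. Optionally state explicitly
     that active response is enabled, as mentioned in the reply. -->
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
```

Because the server decides which script the agent executes and with what arguments, the script on the agent should be owned by root, not writable by other users, and should validate the parameters it receives before acting on them.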
