Hey gang, I'm working on my centralized management of OSSEC and it seems to be going well.
However, it seems that since I centralized and moved all the configuration to agent.conf, my active response rules have stopped working. (The last entry in active-response.log is Feb. 21; the last SSH brute force attack in /var/log/auth is like from 10 minutes ago.)

Where should the active response configuration stuff go in a centralized deployment?

- In the agent.conf? In which block? <syscheck></syscheck>?
- In the ossec.conf on the server?

My agent.conf only has the IP of the server block. Nothing else. I'm hoping I can keep it that way.

Thanks!
J