I think it goes in the manager's ossec.conf

On Wed, Feb 23, 2011 at 9:22 PM, Joel Brooks <[email protected]> wrote:
> hey gang,
>
> I'm working on my centralized management of ossec and it seems to be
> going well.
>
> However, it seems that since i centralized and moved all the
> configuration to agent.conf, my active response rules have stopped
> working. (last entry in active-response.log is Feb. 21, last SSH
> brute force attack in /var/log/auth is like from 10 minutes ago).
>
> Where should the active response configuration stuff go in a
> centralized deployment?
> -in the agent.conf? in which block? <syscheck></syscheck>?
> -in the ossec.conf on the server?
>
> my agent.conf only has the IP of the server block. nothing else. i'm
> hoping i can keep it that way.
>
> Thanks!
>
> J
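
What the reply's suggestion could look like, as an added example that is not part of the original thread: the active-response definitions sit in the manager's ossec.conf rather than in the shared agent.conf. The command name, script, alert level and timeout below mirror OSSEC's stock host-deny setup and are assumptions about this deployment.

```xml
<!-- Manager-side ossec.conf fragment (assumed values, adjust to your site). -->
<ossec_config>

  <!-- Declares the script that active response may run.
       host-deny.sh ships with OSSEC and adds the source IP to /etc/hosts.deny. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Binds the command to alerts. "local" runs it on the agent that
       generated the event, so the block lands on the host being brute-forced. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <!-- Fire on alerts at this level or higher (assumed threshold). -->
    <level>6</level>
    <!-- Remove the block after 600 seconds (assumed duration). -->
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

After editing, restart the manager so the change is loaded, then watch active-response.log on the agent for new entries.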
