Hey Dan, I've got two main sections in my agent.conf.

    <agent_config os="Windows">
    <agent_config os="Linux">

Each was cut/pasted from an original (default) ossec.conf for the particular platform. The Windows section has:

    <active-response>
      <disabled>yes</disabled>
    </active-response>

But the Linux section didn't have any such section. In the manager's ossec.conf, there are some <active-response> sections that define command/location/level/timeout, etc., but no disable yes/no.

I'll keep experimenting, but if anyone has a working sample of an agent.conf with active responses working, I'd greatly appreciate it!

Thanks!

J

-----Original Message-----
From: "dan (ddp)" <[email protected]>
Sender: [email protected]
Date: Wed, 23 Feb 2011 21:36:49
To: <[email protected]>
Reply-To: [email protected]
Subject: Re: [ossec-list] active response in central management?

I think it goes in the manager's ossec.conf

On Wed, Feb 23, 2011 at 9:22 PM, Joel Brooks <[email protected]> wrote:
> hey gang,
>
> I'm working on my centralized management of ossec and it seems to be
> going well.
>
> However, it seems that since I centralized and moved all the
> configuration to agent.conf, my active response rules have stopped
> working. (last entry in active-response.log is Feb. 21, last SSH
> brute force attack in /var/log/auth is like from 10 minutes ago).
>
> Where should the active response configuration stuff go in a
> centralized deployment?
> -in the agent.conf? in which block? <syscheck></syscheck>?
> -in the ossec.conf on the server?
>
> my agent.conf only has the IP of the server block. nothing else. I'm
> hoping I can keep it that way.
>
> Thanks!
>
> J
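For readers following the same question, here is an added illustration of the split dan describes (manager-side command and active-response blocks in ossec.conf, platform sections in the centrally served agent.conf). It is not configuration from this thread or from the OSSEC project; the level threshold, timeout and address are constructed example values, and the host-deny command is shown in the form the stock OSSEC configuration uses.

```xml
<!-- Added illustration, not from the thread: manager-side definition in
     /var/ossec/etc/ossec.conf. The <command> block names the script and what
     it expects; the <active-response> block says when and where to run it. -->
<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Run on the agent that generated the alert ("local"), for alerts at
       level 10 or above, and undo after 600 seconds. Level and timeout are
       constructed example values, not recommendations. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- Added illustration: platform sections in the manager-served agent.conf.
     The Windows section mirrors the thread's block and turns active response
     off on those agents; the Linux section leaves it enabled. Nothing in
     agent.conf has to repeat the manager's command/active-response blocks. -->
<agent_config os="Windows">
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>

<agent_config os="Linux">
  <active-response>
    <disabled>no</disabled>
  </active-response>
</agent_config>
```

The practical check is the one the original post already uses: after the manager is restarted and an agent has picked up the new agent.conf, a fresh SSH brute-force alert at or above the configured level should produce a new entry in the agent's active-responses log, and a `<disabled>yes</disabled>` block in that agent's platform section is the first thing to rule out when it does not.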
