Hi J,

On Wed, Feb 23, 2011 at 9:59 PM,  <jbro...@oddelement.com> wrote:
> Hey Dan,
>
> I've got two main sections in my agent.conf.
>
> <agent_config os="Windows">
> <agent_config os="Linux">
>
> Each was cut/pasted from an original (default) ossec.conf for the particular 
> platform.
>
> The Windows section has:
>
> <active-response>
>  <disabled>yes</disabled>
> </active-response>
>

This disabled AR on that agent.

> But the Linux section didn't have any such section.
>

I think it's "no" by default, so that should be enabled. Is ossec-execd running?

> In the manager's ossec.conf, there are some <active-response> sections that 
> define command/location/level/timeout, etc. but no disable yes/no.
>
> I'll keep experimenting, but if anyone has a working sample of an agent.conf 
> with active responses working, I'd greatly appreciate it!
>
> Thanks!
>
> J
>
> -----Original Message-----
> From: "dan (ddp)" <ddp...@gmail.com>
> Sender: ossec-list@googlegroups.com
> Date: Wed, 23 Feb 2011 21:36:49
> To: <ossec-list@googlegroups.com>
> Reply-To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] active response in central management?
>
> I think it goes in the manager's ossec.conf
>
> On Wed, Feb 23, 2011 at 9:22 PM, Joel Brooks <jbro...@oddelement.com> wrote:
>> hey gang,
>>
>> I'm working on my centralized management of ossec and it seems to be
>> going well.
>>
>> However, it seems that since i centralized and moved all the
>> configuration to agent.conf, my active response rules have stopped
>> working.   (last entry in active-response.log is Feb. 21, last SSH
>> brute force attack in /var/log/auth is like from 10 minutes ago).
>>
>> Where should the active response configuration stuff go in a
>> centralized deployment?
>> -in the agent.conf?  in which block?  <syscheck></syscheck>?
>> -in the ossec.conf on the server?
>>
>> my agent.conf only has the IP of the server block.  nothing else.  i'm
>> hoping i can keep it that way.
>>
>> Thanks!
>>
>> J
>
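
A quick way to see what each `<agent_config>` block in a shared agent.conf says about active response, as an added example that is not part of the original thread or of OSSEC itself. The sample config is constructed from the layout described above, the function name is hypothetical, and "unset" means the block falls back to the agent default, which the thread believes is enabled.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on the thread: the Windows block disables
# active response, the Linux block has no <active-response> section at all.
SAMPLE_AGENT_CONF = """
<agent_config os="Windows">
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>
<agent_config os="Linux">
  <syscheck>
    <frequency>7200</frequency>
  </syscheck>
</agent_config>
"""


def active_response_state(conf_text):
    """Map each agent_config block to 'disabled', 'enabled' or 'unset'."""
    # agent.conf holds several top-level <agent_config> elements, so it is
    # not single-rooted XML; wrap it in a synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    states = {}
    for index, block in enumerate(root.findall("agent_config")):
        # Blocks are selected by os, name or profile; use whichever is set.
        label = (block.get("os") or block.get("name")
                 or block.get("profile") or "block%d" % index)
        values = [(d.text or "").strip().lower()
                  for d in block.findall("active-response/disabled")]
        if not values:
            states[label] = "unset"      # no explicit setting in this block
        elif "yes" in values:
            states[label] = "disabled"   # any explicit 'yes' turns AR off
        else:
            states[label] = "enabled"    # explicitly set to 'no'
    return states


if __name__ == "__main__":
    for label, state in active_response_state(SAMPLE_AGENT_CONF).items():
        print("%-10s active-response: %s" % (label, state))
```
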
