Thanks Dan. I added an <active-response> section to the Linux section of the agent.conf. It is contained inside the <syscheck></syscheck> section (which is where I found the Windows active-response lines).

Seems that doesn't work. I'm moving it out of the <syscheck /> section now to see if that makes a difference.

J

On Thu, Feb 24, 2011 at 2:33 PM, dan (ddp) <[email protected]> wrote:
> Hi J,
>
> On Wed, Feb 23, 2011 at 9:59 PM, <[email protected]> wrote:
>> Hey Dan,
>>
>> I've got two main sections in my agent.conf.
>>
>> <agent_config os="Windows">
>> <agent_config os="Linux">
>>
>> Each was cut/pasted from an original (default) ossec.conf for the particular
>> platform.
>>
>> The Windows section has:
>>
>> <active-response>
>> <disabled>yes</disabled>
>> </active-response>
>>
>
> This disabled AR on that agent.
>
>> But the Linux section didn't have any such section.
>>
>
> I think it's "no" by default, so that should be enabled. Is ossec-execd
> running?
>
>> In the manager's ossec.conf, there are some <active-response> sections that
>> define command/location/level/timeout, etc. but no disable yes/no.
>>
>> I'll keep experimenting, but if anyone has a working sample of an agent.conf
>> with active responses working, I'd greatly appreciate it!
>>
>> Thanks!
>>
>> J
>>
>> -----Original Message-----
>> From: "dan (ddp)" <[email protected]>
>> Sender: [email protected]
>> Date: Wed, 23 Feb 2011 21:36:49
>> To: <[email protected]>
>> Reply-To: [email protected]
>> Subject: Re: [ossec-list] active response in central management?
>>
>> I think it goes in the manager's ossec.conf
>>
>> On Wed, Feb 23, 2011 at 9:22 PM, Joel Brooks <[email protected]> wrote:
>>> Hey gang,
>>>
>>> I'm working on my centralized management of ossec and it seems to be
>>> going well.
>>>
>>> However, it seems that since I centralized and moved all the
>>> configuration to agent.conf, my active response rules have stopped
>>> working. (Last entry in active-response.log is Feb. 21; last SSH
>>> brute force attack in /var/log/auth is from like 10 minutes ago.)
>>>
>>> Where should the active response configuration stuff go in a
>>> centralized deployment?
>>> - in the agent.conf? In which block? <syscheck></syscheck>?
>>> - in the ossec.conf on the server?
>>>
>>> My agent.conf only has the IP of the server block, nothing else. I'm
>>> hoping I can keep it that way.
>>>
>>> Thanks!
>>>
>>> J
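For reference, here is the split the thread is circling around, written out as an added example rather than as anything posted in the thread or taken from OSSEC's own documentation. The response definition (`<command>`) and the trigger (`<active-response>` with command/location/level/timeout) live in the manager's ossec.conf, because the manager decides when a response fires and pushes the order to the agent; the agent side only needs the on/off switch, and in agent.conf that switch is a direct child of `<agent_config>`, not nested inside `<syscheck>`. The level 6 threshold, the 600 second timeout and the use of the stock `host-deny` script are the defaults OSSEC ships, but treat them as assumptions for your own deployment.

```xml
<!-- Manager side: /var/ossec/etc/ossec.conf (excerpt).
     The command definition and the trigger both belong here. -->
<ossec_config>
  <!-- What to run and what argument it expects (the alert's source IP). -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- When to run it: on the agent that raised the alert ("local"),
       for any alert of level 6 or higher, reverting after 600 seconds. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- Manager side: /var/ossec/etc/shared/agent.conf (excerpt), distributed
     to every Linux agent. Only the enable/disable switch goes here, and it
     sits directly under <agent_config>, not inside <syscheck>. -->
<agent_config os="Linux">
  <syscheck>
    <!-- file integrity settings only; no active-response in here -->
    <frequency>7200</frequency>
  </syscheck>

  <active-response>
    <disabled>no</disabled>
  </active-response>
</agent_config>
```

Two checks worth doing on an agent that still does not respond: confirm that ossec-execd is among the running processes in the output of /var/ossec/bin/ossec-control status (it is the daemon that actually executes the response, so nothing fires without it), and restart the agent after the manager's agent.conf changes, since the agent only applies a freshly pulled agent.conf on startup. The `<client><server-ip>` block that points the agent at the manager stays in the agent's own local ossec.conf; agent.conf is only fetched once that connection exists, so it cannot be the place that establishes it.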
