ok, ar still not working. I'm attaching my ossec.conf (from the manager/server) and the agent.conf files for reference.
For testing, I'm simply logging into ssh with a bad username/password (from a non-whitelisted IP address) to see if the responses fire.

J

---------- Forwarded message ----------
From: dan (ddp) <ddp...@gmail.com>
Date: Thu, Feb 24, 2011 at 3:48 PM
Subject: Re: [ossec-list] active response in central management?
To: Joel Brooks <jbro...@oddelement.com>

That's still within the syscheck section. Can you send your active response configuration (in the manager's ossec.conf)? Also detail how you're testing the AR. Make sure ossec-execd is running, and check for log messages about AR in ossec.log.

On Thu, Feb 24, 2011 at 3:10 PM, Joel Brooks <jbro...@oddelement.com> wrote:
> here's the tail end of the Linux section of my agent.conf:
>
> <active-response>
> <disabled>no</disabled>
> </active-response>
>
> </syscheck>
>
> but it seems that active responses still don't fire on the Linux agents.
>
> how can I troubleshoot this further?
>
> thanks!
>
> J
>
> On Thu, Feb 24, 2011 at 3:04 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> Yeah, it shouldn't be inside of the syscheck section. It is its own section.
>>
>> On Thu, Feb 24, 2011 at 3:02 PM, Joel Brooks <jbro...@oddelement.com> wrote:
>>> Thanks Dan.
>>>
>>> I added an <active-response> section to the Linux section of the agent.conf. It is contained inside the <syscheck></syscheck> section (which is where I found the Windows active-response lines).
>>>
>>> seems that doesn't work.
>>>
>>> I'm moving it out of the <syscheck /> section now to see if that makes a difference.
>>>
>>> J
>>>
>>> On Thu, Feb 24, 2011 at 2:33 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>>> Hi J,
>>>>
>>>> On Wed, Feb 23, 2011 at 9:59 PM, <jbro...@oddelement.com> wrote:
>>>>> Hey Dan,
>>>>>
>>>>> I've got two main sections in my agent.conf.
>>>>>
>>>>> <agent_config os="Windows">
>>>>> <agent_config os="Linux">
>>>>>
>>>>> Each was cut/pasted from an original (default) ossec.conf for the particular platform.
>>>>>
>>>>> The Windows section has:
>>>>>
>>>>> <active-response>
>>>>> <disabled>yes</disabled>
>>>>> </active-response>
>>>>>
>>>>
>>>> This disabled AR on that agent.
>>>>
>>>>> But the Linux section didn't have any such section.
>>>>>
>>>>
>>>> I think it's "no" by default, so that should be enabled. Is ossec-execd running?
>>>>
>>>>> In the manager's ossec.conf, there are some <active-response> sections that define command/location/level/timeout, etc. but no disable yes/no.
>>>>>
>>>>> I'll keep experimenting, but if anyone has a working sample of an agent.conf with active responses working, I'd greatly appreciate it!
>>>>>
>>>>> Thanks!
>>>>>
>>>>> J
>>>>>
>>>>> -----Original Message-----
>>>>> From: "dan (ddp)" <ddp...@gmail.com>
>>>>> Sender: ossec-list@googlegroups.com
>>>>> Date: Wed, 23 Feb 2011 21:36:49
>>>>> To: <ossec-list@googlegroups.com>
>>>>> Reply-To: ossec-list@googlegroups.com
>>>>> Subject: Re: [ossec-list] active response in central management?
>>>>>
>>>>> I think it goes in the manager's ossec.conf
>>>>>
>>>>> On Wed, Feb 23, 2011 at 9:22 PM, Joel Brooks <jbro...@oddelement.com> wrote:
>>>>>> hey gang,
>>>>>>
>>>>>> I'm working on my centralized management of ossec and it seems to be going well.
>>>>>>
>>>>>> However, it seems that since I centralized and moved all the configuration to agent.conf, my active response rules have stopped working. (last entry in active-response.log is Feb. 21, last SSH brute force attack in /var/log/auth is like from 10 minutes ago).
>>>>>>
>>>>>> Where should the active response configuration stuff go in a centralized deployment?
>>>>>> -in the agent.conf? in which block? <syscheck></syscheck>?
>>>>>> -in the ossec.conf on the server?
>>>>>>
>>>>>> my agent.conf only has the IP of the server block. nothing else. I'm hoping I can keep it that way.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> J
Attachments: ossec.conf, agent.conf
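Added example, not from the thread and not OSSEC project code: a small POSIX shell script that embeds two constructed agent.conf fragments, the layout Joel first tried (active-response nested inside syscheck) and the layout Dan describes (active-response as its own section beside syscheck, with the Windows block keeping its disabled=yes), plus an awk check that flags the nested form and reads the disabled value for a given agent_config os block. The fragment contents (frequency, directories) and the function names bad_agent_conf, good_agent_conf, ar_misplaced and ar_disabled_for_os are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread or the OSSEC project).
# Checks where <active-response> sits inside an agent.conf and reports the
# per-OS <disabled> value. Sample files below are constructed for the example.

# Constructed sample: the layout that did not work in the thread, with
# <active-response> nested inside <syscheck>.
bad_agent_conf() {
cat <<'EOF'
<agent_config os="Linux">
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <active-response>
      <disabled>no</disabled>
    </active-response>
  </syscheck>
</agent_config>
EOF
}

# Constructed sample: <active-response> as its own section, a sibling of
# <syscheck>, with the Windows block left disabled as in the thread.
good_agent_conf() {
cat <<'EOF'
<agent_config os="Windows">
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>

<agent_config os="Linux">
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</agent_config>
EOF
}

# ar_misplaced [FILE]: exit 0 if an <active-response> opening tag appears while
# a <syscheck> section is still open, 1 otherwise. Reads stdin when no file is
# given. Plain awk line scanning, so it needs no xmllint on the agent.
ar_misplaced() {
  awk '
    /<syscheck[ >]/   { depth++ }
    /<\/syscheck>/    { depth-- }
    /<active-response>/ && depth > 0 { found = 1 }
    END { exit (found ? 0 : 1) }
  ' "$@"
}

# ar_disabled_for_os OS [FILE]: print the <disabled> value of the top-level
# <active-response> block inside <agent_config os="OS">, or "unset" if that
# block has no such section at the top level (a nested one does not count).
ar_disabled_for_os() {
  os="$1"; shift
  awk -v os="$os" '
    /<agent_config[ >]/ { in_block = (index($0, "os=\"" os "\"") > 0); depth = 0; in_ar = 0 }
    /<\/agent_config>/  { in_block = 0; in_ar = 0 }
    /<syscheck[ >]/     { depth++ }
    /<\/syscheck>/      { depth-- }
    in_block && depth == 0 && /<active-response>/ { in_ar = 1 }
    /<\/active-response>/ { in_ar = 0 }
    in_ar && /<disabled>/ {
      line = $0
      sub(/.*<disabled>/, "", line)
      sub(/<\/disabled>.*/, "", line)
      val = line
    }
    END { print (val == "" ? "unset" : val) }
  ' "$@"
}

# Demo: run both checks over the two constructed fragments.
main() {
  for name in bad good; do
    if "${name}_agent_conf" | ar_misplaced; then
      echo "$name: <active-response> is nested inside <syscheck>; move it out to sit beside <syscheck>"
    else
      echo "$name: placement ok; Linux <disabled>=$(${name}_agent_conf | ar_disabled_for_os Linux)"
    fi
  done
}
main
```

To run it against a real file, call `ar_misplaced /var/ossec/etc/shared/agent.conf` (path assumed, the usual OSSEC shared directory) and `ar_disabled_for_os Linux /var/ossec/etc/shared/agent.conf`. The check only covers the agent side; the manager's own `<active-response>` blocks (command, location, level, timeout) stay in the manager's ossec.conf as the thread says, and the other two things Dan asks for, whether ossec-execd is actually running on the agent and what ossec.log says about AR, still have to be looked at by hand.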