OK, AR still not working.

I'm attaching my ossec.conf (from the manager/server) and the
agent.conf files for reference.

For testing, I'm simply logging into ssh with a bad username/password
(from a non-whitelisted ip address) to see if the responses fire.

J




---------- Forwarded message ----------
From: dan (ddp) <ddp...@gmail.com>
Date: Thu, Feb 24, 2011 at 3:48 PM
Subject: Re: [ossec-list] active response in central management?
To: Joel Brooks <jbro...@oddelement.com>


That's still within the syscheck section.

Can you send your active response configuration (in the manager's ossec.conf)?
Also detail how you're testing the AR.
Make sure ossec-execd is running, and check for log messages about AR
in ossec.log.

On Thu, Feb 24, 2011 at 3:10 PM, Joel Brooks <jbro...@oddelement.com> wrote:
> here's the tail end of the Linux section of my agent.conf:
>
>  <active-response>
>    <disabled>no</disabled>
>  </active-response>
>
>  </syscheck>
>
> but it seems that active responses still don't fire on the Linux agents.
>
> How can I troubleshoot this further?
>
> thanks!
>
> J
>
> On Thu, Feb 24, 2011 at 3:04 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> Yeah, it shouldn't be inside of the syscheck section. It is its own section.
>>
>> On Thu, Feb 24, 2011 at 3:02 PM, Joel Brooks <jbro...@oddelement.com> wrote:
>>> Thanks Dan.
>>>
>>> I added an <active-response> section to the Linux section of the
>>> agent.conf.  It is contained inside the <syscheck></syscheck> section
>>> (which is where I found the Windows active-response lines).
>>>
>>> seems that doesn't work.
>>>
>>> I'm moving it out of the <syscheck /> section now to see if that makes
>>> a difference.
>>>
>>> J
>>>
>>>
>>>
>>> On Thu, Feb 24, 2011 at 2:33 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>>> Hi J,
>>>>
>>>> On Wed, Feb 23, 2011 at 9:59 PM,  <jbro...@oddelement.com> wrote:
>>>>> Hey Dan,
>>>>>
>>>>> I've got two main sections in my agent.conf.
>>>>>
>>>>> <agent_config os="Windows">
>>>>> <agent_config os="Linux">
>>>>>
>>>>> Each was cut/pasted from an original (default) ossec.conf for the 
>>>>> particular platform.
>>>>>
>>>>> The Windows section has:
>>>>>
>>>>> <active-response>
>>>>>  <disabled>yes</disabled>
>>>>> </active-response>
>>>>>
>>>>
>>>> This disabled AR on that agent.
>>>>
>>>>> But the Linux section didn't have any such section.
>>>>>
>>>>
>>>> I think it's "no" by default, so that should be enabled. Is ossec-execd 
>>>> running?
>>>>
>>>>> In the manager's ossec.conf, there some <active-response> sections that 
>>>>> define command/location/level/timeout, etc but no disable yes/no.
>>>>>
>>>>> I'll keep experimenting, but if anyone has a working sample of an 
>>>>> agent.conf with active responses working, I'd greatly appreciate it!
>>>>>
>>>>> Thanks!
>>>>>
>>>>> J
>>>>>
>>>>> -----Original Message-----
>>>>> From: "dan (ddp)" <ddp...@gmail.com>
>>>>> Sender: ossec-list@googlegroups.com
>>>>> Date: Wed, 23 Feb 2011 21:36:49
>>>>> To: <ossec-list@googlegroups.com>
>>>>> Reply-To: ossec-list@googlegroups.com
>>>>> Subject: Re: [ossec-list] active response in central management?
>>>>>
>>>>> I think it goes in the manager's ossec.conf
>>>>>
>>>>> On Wed, Feb 23, 2011 at 9:22 PM, Joel Brooks <jbro...@oddelement.com> 
>>>>> wrote:
>>>>>> hey gang,
>>>>>>
>>>>>> I'm working on my centralized management of ossec and it seems to be
>>>>>> going well.
>>>>>>
>>>>>> However, it seems that since I centralized and moved all the
>>>>>> configuration to agent.conf, my active response rules have stopped
>>>>>> working.   (last entry in active-response.log is Feb. 21, last SSH
>>>>>> brute force attack in /var/log/auth is like from 10 minutes ago).
>>>>>>
>>>>>> Where should the active response configuration stuff go in a
>>>>>> centralized deployment?
>>>>>> -in the agent.conf?  in which block?  <syscheck></syscheck>?
>>>>>> -in the ossec.conf on the server?
>>>>>>
>>>>>> my agent.conf only has the IP of the server block.  nothing else.  I'm
>>>>>> hoping I can keep it that way.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> J
>>>>>
>>>>
>>>
>>
>

Attachment: ossec.conf
Description: Binary data

Attachment: agent.conf
Description: Binary data
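The recurring problem in the thread above is an `<active-response>` block nested inside `<syscheck>`, where the agent never sees it. The script below is an added example, not code from the thread or from the OSSEC project: it audits an agent.conf for exactly that misplacement and for an explicit `<disabled>yes</disabled>`. The two agent.conf samples are constructed to mirror the layouts described in the thread (a Windows block with AR disabled, a Linux block with AR first misplaced and then corrected). Because agent.conf holds several top-level `<agent_config>` blocks rather than one root element, the parser wraps the file in a synthetic `<root>` element; that wrapping is this example's own assumption about how to read the file, not OSSEC's parser.

```python
import xml.etree.ElementTree as ET

# Constructed sample: <active-response> buried inside <syscheck> in the Linux
# block, the misplacement the thread describes.
MISPLACED_AGENT_CONF = """
<agent_config os="Windows">
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>
<agent_config os="Linux">
  <syscheck>
    <frequency>7200</frequency>
    <active-response>
      <disabled>no</disabled>
    </active-response>
  </syscheck>
</agent_config>
"""

# Constructed sample: the corrected layout, <active-response> as its own
# section directly under <agent_config>.
CORRECTED_AGENT_CONF = """
<agent_config os="Windows">
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>
<agent_config os="Linux">
  <syscheck>
    <frequency>7200</frequency>
  </syscheck>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</agent_config>
"""


def parse_agent_conf(text):
    """agent.conf carries several top-level <agent_config> blocks, so it is not
    a single-rooted XML document. Wrap it in a synthetic root before parsing
    (an assumption of this example, not how OSSEC itself reads the file)."""
    return ET.fromstring("<root>" + text + "</root>")


def audit_active_response(text):
    """Return one finding per <agent_config> block: where <active-response>
    sits and whether it is explicitly disabled."""
    findings = []
    for block in parse_agent_conf(text).findall("agent_config"):
        # Correct placement: a direct child of <agent_config>.
        own = block.find("active-response")
        # Misplacement: any <active-response> anywhere under <syscheck>.
        nested = [ar for sc in block.findall("syscheck")
                  for ar in sc.iter("active-response")]
        finding = {
            "os": block.get("os", "*"),
            "misplaced_in_syscheck": len(nested) > 0,
            "has_own_section": own is not None,
            "disabled": None,
        }
        if own is not None:
            # The thread notes AR is enabled ("no") when <disabled> is absent.
            value = own.findtext("disabled") or "no"
            finding["disabled"] = value.strip().lower() == "yes"
        findings.append(finding)
    return findings


def problems(text):
    """Human-readable list of AR configuration problems in an agent.conf."""
    out = []
    for f in audit_active_response(text):
        if f["misplaced_in_syscheck"]:
            out.append(f"{f['os']}: <active-response> is inside <syscheck>; "
                       "move it to its own section")
        if f["has_own_section"] and f["disabled"]:
            out.append(f"{f['os']}: active response explicitly disabled")
    return out


if __name__ == "__main__":
    for label, conf in (("misplaced", MISPLACED_AGENT_CONF),
                        ("corrected", CORRECTED_AGENT_CONF)):
        print(label, problems(conf) or ["no AR placement problems"])
```

Run against a real agent.conf by reading the file into a string and passing it to `problems()`; the Windows finding is informational (the thread confirms `<disabled>yes</disabled>` simply turns AR off for that platform), while the `<syscheck>` finding is the one that silently leaves the Linux agents without active response.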
