I still haven't got it working. I've tried moving the <command> definitions and the <active-response> sections to the agent.conf, and still no joy.

I just can't get active response to work in central management mode. I found that executing bin/agent_control -b 1.2.3.4 -f firewall-drop -u 000 from the manager results in the following in the ossec.log on the agent:

2011/02/25 19:53:01 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
2011/02/25 19:53:01 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop' provided.

Any further insights / thoughts would be greatly appreciated!

J

On Fri, Feb 25, 2011 at 10:58 AM, Jason 'XenoPhage' Frisvold <[email protected]> wrote:
> On Feb 24, 2011, at 2:33 PM, "dan (ddp)" <[email protected]> wrote:
>>> <active-response>
>>> <disabled>yes</disabled>
>>> </active-response>
>>>
>>
>> This disabled AR on that agent.
>
> This is in the agent.conf, right? I had been disabling specific agents by
> creating an active response at the top of my ossec.conf with that agent_id
> identified. This looks MUCH easier and doesn't require a restart of my main
> OSSEC server..
>
> - Jason
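As an added example that is not part of the thread, the script below mirrors the two lookups ossec-execd makes on an agent when an active-response request arrives, run against a constructed ar.conf so the two log lines above can be reproduced and diagnosed offline. It assumes (from memory of OSSEC's shared ar.conf, not from this thread) that each line has the form "name - executable - timeout", that the name carries the timeout suffix as agent_control -L lists it (e.g. firewall-drop600), and that the executable is looked up under active-response/bin; the paths and fixture here are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two lookups ossec-execd makes
# when an active-response request reaches an agent, against a constructed ar.conf.
# ASSUMPTION (from memory of OSSEC, not from the thread): each ar.conf line is
# "name - executable - timeout", the name carries the timeout suffix
# (e.g. firewall-drop600), and the executable lives under active-response/bin.

# Print the command names an agent's execd would accept from its ar.conf.
ar_known_names() {
    awk -F' - ' 'NF >= 3 { print $1 }' "$1"
}

# ar_check NAME AR_CONF BIN_DIR
# Returns 0 if NAME is usable, 1 if it is not in ar.conf (execd's "Invalid command
# name"), 2 if it is listed but its executable is absent ("command not present").
ar_check() {
    name=$1 ar_conf=$2 bin_dir=$3
    exe=$(awk -F' - ' -v n="$name" '$1 == n { print $2; exit }' "$ar_conf")
    if [ -z "$exe" ]; then
        echo "unknown command '$name'; known: $(ar_known_names "$ar_conf" | tr '\n' ' ')"
        return 1
    fi
    if [ ! -x "$bin_dir/$exe" ]; then
        echo "command '$name' listed but $bin_dir/$exe is not present on this system"
        return 2
    fi
    echo "command '$name' -> $bin_dir/$exe"
    return 0
}

# Constructed fixture standing in for /var/ossec/etc/shared/ar.conf and
# active-response/bin. The restart entry names a Windows .cmd that does not exist
# here, mirroring the "command not present" line in the agent log above.
AR_TMP=$(mktemp -d)
AR_CONF=$AR_TMP/ar.conf
AR_BIN=$AR_TMP/bin
mkdir "$AR_BIN"
printf 'restart-ossec0 - restart-ossec.cmd - 0\nfirewall-drop600 - firewall-drop.sh - 600\n' > "$AR_CONF"
printf '#!/bin/sh\nexit 0\n' > "$AR_BIN/firewall-drop.sh"
chmod +x "$AR_BIN/firewall-drop.sh"

# Unsuffixed name (as passed to agent_control -f above), suffixed name, missing binary.
for n in firewall-drop firewall-drop600 restart-ossec0; do
    ar_check "$n" "$AR_CONF" "$AR_BIN" && rc=0 || rc=$?
    echo "  -> exit $rc"
done
```

Run it on the agent with the real paths (ar_check NAME /var/ossec/etc/shared/ar.conf /var/ossec/active-response/bin) to see which of the two checks the manager's request is failing.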
