Hi Joel,

On Fri, Feb 25, 2011 at 7:59 PM, Joel Brooks <jbro...@oddelement.com> wrote:
> I still haven't got it working.
>
> I've tried moving the <command> definitions and the <active-response>
> sections to the agent.conf, and still no joy.
>

No joy because the MANAGER doesn't use the agent.conf.

> I just can't get active response to work in central management mode.
>
> I found that executing
>
> bin/agent_control -b 1.2.3.4 -f firewall-drop -u 000
>
> from the manager results in the following in the ossec.log on the agent.
>
> 2011/02/25 19:53:01 ossec-execd: INFO: Active response command not
> present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using
> it on this system.
>

The restart-ossec.cmd is a Windows AR; this message can be ignored.

> 2011/02/25 19:53:01 ossec-execd(1311): ERROR: Invalid command name
> 'firewall-drop' provided.
>

That's strange. I see it in the ossec.conf you sent to the mailing list (or this could be asking for the actual command /var/ossec/active-response/bin/firewall-drop.sh; I can't test to find out at the moment). Can you turn on debugging on the agents? I'm hoping that might help.

I don't think the firewall-drop command would be the one to fire, since the host-deny command is used in the first active-response block and they use the same parameters.

> Any further insights / thoughts would be greatly appreciated!
>
> J
>

When you try testing this with SSH, which alert is firing? Your AR configuration requires that it be level 6+. It looks like most of the (single) SSH authentication failure alerts are level 5 or lower.
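For reference, the manager-side configuration the reply is describing, as an added example that is not part of the original thread and not Joel's posted ossec.conf: in central management mode the <command> and <active-response> blocks live in the manager's /var/ossec/etc/ossec.conf, not in agent.conf, and the <level> threshold decides which alerts trigger the response. The timeout value and the comment about single-failure alert levels are taken from the reply above; the choice of 600 seconds is an assumption for illustration.

```xml
<!-- Added example: goes in the MANAGER's /var/ossec/etc/ossec.conf (not agent.conf). -->
<ossec_config>

  <!-- Command definition: the name here is what agent_control -f and
       <active-response><command> refer to; the executable must exist
       as /var/ossec/active-response/bin/firewall-drop.sh on each agent
       that is expected to run it. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- As posted: fires only on alerts of level 6 or higher, so a single
       SSH authentication failure (level 5 or lower) never triggers it. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>   <!-- seconds; assumed value for this example -->
  </active-response>

  <!-- For a quick test with a single SSH failure, lower the threshold
       (or trigger the multiple-failure rule, which is higher level). -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>5</level>
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

After editing, restart the manager so the new <command>/<active-response> blocks are loaded, then re-run the agent_control -b/-f test; if ossec-execd on the agent still reports "Invalid command name", the name in <command><name> and the name passed with -f do not match what the agent received.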