Check the active-response.log file (on the system that runs the active
response).
You can configure OSSEC to watch the active-response.log file and fire
off an email/alert when a new entry is added. It's simple to do, and
helps solve the notification problem.

On Wed, Mar 2, 2011 at 2:18 PM, Tanishk Lakhaani <[email protected]> wrote:
> Hi all,
> I have active response configured in my environment. Now what I am worried
> about is how do I get to know that an IP address has been blocked by Active
> response configuration. Do I need to check the active response.log file at the
> manager side every time... Or is there some other way. I was thinking of
> integrating the same with email alerting in OSSEC
>
>
> Regards
> Tanishk Lakhaani
> Sent from BlackBerry® on Airtel
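
One way to set up what the reply describes, as an added example that is not from the thread or from the OSSEC project. Assumptions: a default install under /var/ossec where the log is written as logs/active-responses.log, the stock scripts' "add"/"delete" log lines, and rule IDs 100200-100202, which are arbitrary picks from the user-defined range.

```xml
<!-- 1) ossec.conf on the system that runs the active response:
        have logcollector read the active response log.
        The path is an assumption; check the file name in your logs directory. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>
</ossec_config>

<!-- 2) rules/local_rules.xml on the manager.
        Constructed sample line the rules are written against:
        Wed Mar  2 14:20:11 IST 2011 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.15 1299055811.4321 5712 -->
<group name="local,active_response,">

  <!-- Parent rule: groups every active response log line, no alert by itself. -->
  <rule id="100200" level="0">
    <match>active-response/bin/</match>
    <description>Active response log entry.</description>
  </rule>

  <!-- A block was added. alert_by_email sends mail regardless of
       email_alert_level (email_notification must be enabled in ossec.conf).
       Keep this level below any level that triggers an active response,
       so the response does not fire on its own log. -->
  <rule id="100201" level="7">
    <if_sid>100200</if_sid>
    <regex>\.sh add </regex>
    <options>alert_by_email</options>
    <description>Active response blocked a host.</description>
  </rule>

  <!-- The block was removed after its timeout: logged, no email. -->
  <rule id="100202" level="3">
    <if_sid>100200</if_sid>
    <regex>\.sh delete </regex>
    <description>Active response unblocked a host.</description>
  </rule>

</group>
```

Restart OSSEC on both systems after the change, and feed the sample line to ossec-logtest on the manager to confirm that rule 100201 matches.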
