Hi Tanishk,

I don't mean to set up syscheck to watch it, I mean to use it as a localfile source:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-response.log</location>
  </localfile>

You'll have to write a rule for it, but that shouldn't be too hard.

On Thu, Mar 3, 2011 at 9:33 PM, Tanishk Lakhaani <[email protected]> wrote:
> Hi dan,
> Configuring ossec to watch the active response.log file will fire an alert
> w.r.t Integrity Checksum Changed Event w.r.t active response.log file. But
> what I am looking forward is, that I get the actual active response log on
> my email, (email alerting is configured).
>
>
> Regards
> Tanishk Lakhaani
> Sent from BlackBerry® on Airtel
>
> -----Original Message-----
> From: "dan (ddp)" <[email protected]>
> Sender: [email protected]
> Date: Wed, 2 Mar 2011 15:38:36
> To: <[email protected]>
> Reply-To: [email protected]
> Subject: Re: [ossec-list] How to check active response has been activated or
> not ??
>
> Check the active-response.log file (on the system that runs the active
> response).
> You can configure OSSEC to watch the active-response.log file and fire
> off an email/alert when a new entry is added. It's simple to do, and
> helps solve the notification problem.
>
> On Wed, Mar 2, 2011 at 2:18 PM, Tanishk Lakhaani <[email protected]>
> wrote:
>> Hi all,
>> I have active response configured in my environment. Now what I am worried
>> about is that how do I get to know that an IP address has been blocked by
>> Active response configuration. Do I need to check the active response.log
>> file at the manager side every time... Or there is some other way. I was
>> thinking of integrating the same with email alerting in OSSEC
>>
>>
>> Regards
>> Tanishk Lakhaani
>> Sent from BlackBerry® on Airtel
>
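
A sketch of the kind of rule the reply at the top of this thread refers to, added here as an example; it is not from the original messages or from the OSSEC project. It goes in local_rules.xml on the manager, while the localfile entry goes in ossec.conf on the system that runs the active response. The rule IDs, levels, and the assumed log line layout (date, script path, action, user, IP, alert id, rule id, as written by the stock firewall-drop.sh and host-deny.sh scripts) are assumptions to check against your own active-response.log.

```xml
<!-- local_rules.xml on the manager. Added example: IDs 100100-100102 and the
     levels are assumptions; pick free IDs in your local range. -->
<group name="local,active_response,">

  <!-- Parent rule: any line written by a script under active-response/bin/.
       Constructed sample line (not from a real system):
       Thu Mar  3 21:40:02 IST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1299168602.4711 5712
       Level 0 means this rule never alerts by itself; it only groups the
       entries so the child rules below can refine them. -->
  <rule id="100100" level="0">
    <match>active-response/bin/</match>
    <description>Active response log entry.</description>
  </rule>

  <!-- A block was added. alert_by_email forces an email for this rule even
       if its level is below the configured email_alert_level. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <match>firewall-drop.sh add|host-deny.sh add</match>
    <options>alert_by_email</options>
    <description>Active response: host blocked.</description>
  </rule>

  <!-- The block was removed again (timeout expired). Logged at a low level,
       no forced email. -->
  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <match>firewall-drop.sh delete|host-deny.sh delete</match>
    <description>Active response: host unblocked.</description>
  </rule>

</group>
```

Running the constructed sample line through /var/ossec/bin/ossec-logtest on the manager shows whether rule 100101 fires before you restart OSSEC with the new rules.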
