Hi,

Is OSSEC capable of triggering an active response on Windows events? In particular, I am frequently seeing event 18152, "Multiple Windows Logon Failures", but no active response is ever triggered.

There are (at least) two different variations on the events, one for Windows log-in failures and another for SQL Server log-in failures.

I added the null_cmd command mentioned in the docs, but I'd be happy if it just triggered the firewall drop script.

Am I missing something in the configuration?

Thanks,
Martin