Thanks, Tanishk. I'm really surprised nothing has been written for Windows yet. Am I correct in assuming the script would reside on the Windows agent machine?
Obviously, the Windows agent communicates with the Linux server. Is it not possible to have an active response script triggered on the server side as happens with Linux agents?
Thanks.
Martin

On 4/22/2011 3:28 PM, Tanishk Lakhaani wrote:
Hey Martin,
All these default active response scripts are written for a specific event. Read these scripts to understand them. For the event of your interest -- multiple logon failures -- for Linux, there is a default active response script for locking the account. But for Windows there is no such script. What you can do is create your own customised script and use it for active response purposes.
Regards
Tanishk Lakhaani
Sent from BlackBerry® on Airtel

-----Original Message-----
From: Martin Gottlieb <[email protected]>
Sender: [email protected]
Date: Fri, 22 Apr 2011 08:22:37
To: <[email protected]>
Reply-To: [email protected]
Subject: [ossec-list] Active Response on Windows events

Hi,
Is OSSEC capable of triggering an active response on Windows events? In particular, I am frequently seeing event 18152, "Multiple Windows Logon Failures", but no active response is ever triggered. There are 2 (at least) different variations on the events, 1 for Windows log-in failures and another for SQL Server log-in failures. I added the null_cmd command mentioned in the docs, but I'd be happy if it just triggered the firewall drop script. Am I missing something in the configuration?
thanks.
Martin
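As an added illustration of the custom-script approach suggested above (example configuration, not taken from the thread or shipped with OSSEC): the fragment below goes in the Linux server's ossec.conf and binds rule 18152 to a command that runs on the Windows agent that raised the alert. The command name win-disable-user and the script name disable-account.cmd are assumed; the script itself must be written by you and placed in the agent's active-response\bin folder.

```xml
<!-- Added example, not from the thread or the OSSEC project.
     Server-side ossec.conf: the decision is made on the Linux server,
     but with location "local" the script executes on the Windows agent. -->
<ossec_config>

  <!-- Declare the custom command. Executable name is an assumption; the
       .cmd file has to exist in the Windows agent's active-response\bin.
       OSSEC invokes it the same way as its bundled scripts:
         disable-account.cmd add|delete <user> <srcip> <alert-id> <rule-id>
       "expect user" assumes the alert carries the failing username. -->
  <command>
    <name>win-disable-user</name>
    <executable>disable-account.cmd</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Bind the command to rule 18152 (Multiple Windows Logon Failures).
       After 600 seconds OSSEC calls the script again with "delete", so a
       burst of bad passwords cannot leave the account disabled for good;
       the script must handle both "add" and "delete". -->
  <active-response>
    <command>win-disable-user</command>
    <location>local</location>
    <rules_id>18152</rules_id>
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

Restart the OSSEC manager after editing, and check the agent's active-responses.log to confirm the command fired with the expected arguments before relying on it.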
