Hey all, certain aspects of this question may have been touched upon previously, but I don't think I've come across a specific answer.

First, I'll explain my scenario:

- I'm currently using location "defined-agent" and agent_id to trigger the same active response on a set of machines in my environment.
- I've whitelisted several IPs so that they don't get blocked by the AR if they happen to trigger the rules that set AR off.
- I am currently using the classic OSSEC email alerts to give me a heads-up when AR was triggered.

Now, the main issue with this approach is that if I've whitelisted an IP, the OSSEC email alert will still go out if that IP triggered the relevant rule (i.e. multiple failed logons). To resolve this, I *could* (and actually have been testing this a bit) modify the AR script to send the email out. My main issue with this is consistency: to be consistent, I would want to set up the AR script to include emailing out on every machine where I have AR set up to trigger. This would produce lots of duplicate emails. I could always just modify the AR script on a single server and rely on that, but if that were the case I'd rather have the email come from the OSSEC master server rather than the local agent running the script.

Ugh, that may have been too convoluted. But if anyone gets what I'm trying to do, please let me know if you have any ideas on Active Response alerting. This would be a cool feature to include in a future release of OSSEC btw :)
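For readers following the setup described above, here is an added ossec.conf sketch (not from the original post) showing where the pieces live: `white_list` under `<global>` exempts a source only from active response, while email alerting is decided separately by `<alerts>`/`email_alert_level`, which is why the email still goes out for a whitelisted IP. The agent IDs, addresses and the choice of rule 5712 (sshd brute force) are assumed placeholders for illustration.

```xml
<ossec_config>
  <global>
    <!-- Classic OSSEC email alerting, evaluated on the manager
         independently of any active-response decision -->
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <smtp_server>mail.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>

    <!-- white_list: these sources are never passed to an AR command,
         but matching alerts are still generated and still emailed -->
    <white_list>192.0.2.10</white_list>
    <white_list>192.0.2.11</white_list>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <!-- Rule 5712 is level 10, so every match emails, whitelisted or not -->
    <email_alert_level>10</email_alert_level>
  </alerts>

  <!-- AR command definition; srcip is what the whitelist is checked against -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- One defined-agent block per machine that should run the same response
       (assumed agent IDs 001 and 002) -->
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>002</agent_id>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

With this layout the manager sends the email for rule 5712 regardless of the whitelist, and only the AR execution is skipped for 192.0.2.10 and 192.0.2.11, which is exactly the behaviour the post describes.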
