So, I'm trying to get this set up so that it works. No luck yet, but I'm not
sure if I have everything set up correctly.
In my ossec.conf on the server:
<command>
  <name>win-restart-ossec</name>
  <executable>restart-ossec.cmd</executable>
  <expect>src_ip</expect>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>win-restart-ossec</command>
  <location>local</location>
  <rules_id>105001</rules_id>
</active-response>
In my local.rules on the server:
<rule id="105001" level="7">
  <if_group>syscheck</if_group>
  <match>C:\Program Files\ossec-agent/shared/agent.conf</match>
  <description>Windows Agent.conf File Changed</description>
  <group>agent.conf_changed</group>
</rule>
The rule fires, but the active response never seems to fire and restart the
agent.
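An added example, not from the post or from OSSEC itself, that parses the two fragments above and checks the wiring a reviewer would look at first: that the active-response names a defined command, that each rules_id exists in local.rules, and (a heuristic) that a command bound to a syscheck rule does not set a non-empty expect, since file-integrity alerts carry no source IP or user for it to be filled from. The sample fragments are constructed copies of the post's config.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two server-side fragments from the post
OSSEC_CONF = """<command>
  <name>win-restart-ossec</name>
  <executable>restart-ossec.cmd</executable>
  <expect>src_ip</expect>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>win-restart-ossec</command>
  <location>local</location>
  <rules_id>105001</rules_id>
</active-response>"""

LOCAL_RULES = r"""<rule id="105001" level="7">
  <if_group>syscheck</if_group>
  <match>C:\Program Files\ossec-agent/shared/agent.conf</match>
  <description>Windows Agent.conf File Changed</description>
  <group>agent.conf_changed</group>
</rule>"""

def _parse_fragment(text):
    # ossec.conf and local.rules are multi-root fragments, so wrap them
    return ET.fromstring("<root>" + text + "</root>")

def check_active_response(conf_text, rules_text):
    """Return wiring problems between <active-response>, <command> and rules."""
    conf, rules = _parse_fragment(conf_text), _parse_fragment(rules_text)
    # Top-level <command> blocks only; <active-response> also has a <command> child
    commands = {c.findtext("name", "").strip(): c for c in conf if c.tag == "command"}
    rule_groups = {}
    for r in rules.iter("rule"):
        groups = (r.findtext("if_group") or "") + "," + (r.findtext("group") or "")
        rule_groups[r.get("id")] = {g.strip() for g in groups.split(",") if g.strip()}
    findings = []
    for ar in conf.iter("active-response"):
        name = (ar.findtext("command") or "").strip()
        cmd = commands.get(name)
        if cmd is None:
            findings.append(f"active-response references undefined command '{name}'")
            continue
        expect = (cmd.findtext("expect") or "").strip()
        for rid in (ar.findtext("rules_id") or "").split(","):
            rid = rid.strip()
            if rid and rid not in rule_groups:
                findings.append(f"rules_id {rid} is not defined in local.rules")
            elif rid and expect and "syscheck" in rule_groups[rid]:
                # Heuristic: syscheck alerts carry no srcip/user, so expect cannot be satisfied
                findings.append(f"rule {rid} is a syscheck rule but command '{name}' expects '{expect}'")
    return findings
```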