Hi,

This fixed it. Works now, thanks!

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Friday, November 04, 2011 4:33 PM
To: [email protected]
Subject: Re: [ossec-list] Active Response-restaring ossec when agent.conf changes

On Fri, Nov 4, 2011 at 7:18 PM, Jefferson, Shawn <[email protected]> wrote:
> So, I'm trying to get this set up so that it works. No luck yet, but I'm not
> sure if I have everything set up correctly.
>
> In my ossec.conf on the server:
>
> <command>
>   <name>win-restart-ossec</name>
>   <executable>restart-ossec.cmd</executable>
>   <expect>src_ip</expect>
>   <timeout_allowed>no</timeout_allowed>
> </command>
>

syscheck alerts don't set the src_ip. Try <expect></expect> instead.

> <active-response>
>   <command>win-restart-ossec</command>
>   <location>local</location>
>   <rules_id>105001</rules_id>
> </active-response>
>
> In my local.rules on the server:
>
> <rule id="105001" level="7">
>   <if_group>syscheck</if_group>
>   <match>C:\Program Files\ossec-agent/shared/agent.conf</match>
>   <description>Windows Agent.conf File Changed</description>
>   <group>agent.conf_changed</group>
> </rule>
>
> The rule fires, but the active response never seems to fire and restart the
> agent.
>
>
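A check for the misconfiguration resolved in this thread, as an added example that is not part of the original messages or of OSSEC itself: it flags any active response bound to a syscheck-group rule whose command expects a source IP. The function name `find_src_ip_on_syscheck` and the embedded sample are constructed for illustration; accepting `srcip` as well as the thread's `src_ip` is an assumption based on the spelling in the OSSEC documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the fragments quoted in the thread.
OSSEC_CONF = r"""
<command>
  <name>win-restart-ossec</name>
  <executable>restart-ossec.cmd</executable>
  <expect>src_ip</expect>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>win-restart-ossec</command>
  <location>local</location>
  <rules_id>105001</rules_id>
</active-response>
"""
LOCAL_RULES = r"""
<rule id="105001" level="7">
  <if_group>syscheck</if_group>
  <match>C:\Program Files\ossec-agent/shared/agent.conf</match>
  <description>Windows Agent.conf File Changed</description>
</rule>
"""
# "src_ip" is the thread's spelling; "srcip" is assumed from the OSSEC docs.
SRC_IP_NAMES = {"src_ip", "srcip"}

def _parse(text):
    # These files hold several top-level elements, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def _csv(value):
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def find_src_ip_on_syscheck(conf_text, rules_text):
    """Return [(command, [rule ids])] for responses that need a source IP
    but are triggered only by syscheck rules, which do not set one."""
    conf, rules = _parse(conf_text), _parse(rules_text)
    # Command definitions have a <name> child; the <command> reference
    # inside <active-response> does not, so it is skipped here.
    expects = {c.findtext("name").strip(): _csv(c.findtext("expect"))
               for c in conf.iter("command") if c.find("name") is not None}
    syscheck_ids = {r.get("id") for r in rules.iter("rule")
                    if any((g.text or "").strip() == "syscheck"
                           for g in r.iter("if_group"))}
    findings = []
    for ar in conf.iter("active-response"):
        cmd = (ar.findtext("command") or "").strip()
        hit = sorted(_csv(ar.findtext("rules_id")) & syscheck_ids)
        if hit and expects.get(cmd, set()) & SRC_IP_NAMES:
            findings.append((cmd, hit))
    return findings
```
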
