On the agent, in ossec.conf I've got the following section:

(...)
<active-response>
  <disabled>no</disabled>
</active-response>
</ossec_config>

I actually followed the manual on http://www.ossec.net/main/manual/manual-active-response-on-windows

I will turn on Windows debug and let you know what it says when I execute "remote ip ban":

# Windows debug (used by the windows agent)
windows.debug=2

On Thu, Dec 22, 2011 at 9:00 PM, dan (ddp) <[email protected]> wrote:
> Is AR enabled on the agent?
>
> On Thu, Dec 22, 2011 at 2:56 PM, Peter Skurczak <[email protected]> wrote:
> > Hello everyone,
> >
> > Although I read a lot on the internet about it, I still can't get why I
> > have these kinds of errors on the agent side (below).
> > Every time I'm trying to fire up:
> >
> > /var/ossec/bin/agent_control -b 1.2.3.5 -f win_nullroute -u 002
> >
> > I get:
> >
> > 2011/12/22 20:22:09 ossec-execd(1311): ERROR: Invalid command name 'win_nullroute' provided.
> > 2011/12/22 20:22:16 ossec-execd(1311): ERROR: Invalid command name 'win_nullroute' provided.
> > 2011/12/22 20:22:23 ossec-execd(1311): ERROR: Invalid command name 'win_nullroute' provided.
> >
> > On the master server in ossec.conf I've got:
> >
> > <name>win_nullroute</name>
> > <executable>win_nullroute.cmd</executable>
> > <expect>srcip</expect>
> > <timeout_allowed>yes</timeout_allowed>
> > </command>
> >
> > On the agent side I have also got the "win_nulroute.cmd" file ready to
> > fire up.
> >
> > I have also checked ar.conf on both sides, the agent and the master - they
> > are identically the same. At the beginning I was thinking that maybe the
> > agent does not have the latest version from the master, but this is not
> > the case. I am trying everything but nothing helps.... anyone any idea?
> >
> > Pete
