One more (maybe crucial) information. My installation (and also system) drive is E, hence the agent is installed under: E:\Program Files\ossec-agent\
On Dec 22, 9:45 pm, Peter Skurczak <[email protected]> wrote: > On the agent, in ossec.conf I've got the following section: > > (...) > <active-response> > <disabled>no</disabled> > </active-response> > > </ossec_config> > > I actually followed the manual > onhttp://www.ossec.net/main/manual/manual-active-response-on-windows > > I will turn on windows debug and let you know what it says when I execute > "remote ip ban" > # Windows debug (used by the windows agent) > windows.debug=2 > > > > > > > > On Thu, Dec 22, 2011 at 9:00 PM, dan (ddp) <[email protected]> wrote: > > Is AR enabled on the agent? > > > On Thu, Dec 22, 2011 at 2:56 PM, Peter Skurczak > > <[email protected]> wrote: > > > Hello everyone, > > > > Although I read a lot on the internet about it, still I can't get why do > > I > > > have these kind of errors on the agent side (below). > > > Every time I'm trying to fire up: /var/ossec/bin/agent_control -b > > 1.2.3.5 -f > > > win_nullroute -u 002 I get: > > > > 2011/12/22 20:22:09 ossec-execd(1311): ERROR: Invalid command name > > > 'win_nullroute' provided. > > > 2011/12/22 20:22:16 ossec-execd(1311): ERROR: Invalid command name > > > 'win_nullroute' provided. > > > 2011/12/22 20:22:23 ossec-execd(1311): ERROR: Invalid command name > > > 'win_nullroute' provided. > > > > on the master server in ossec.conf I've got: > > > > <name>win_nullroute</name> > > > <executable>win_nullroute.cmd</executable> > > > <expect>srcip</expect> > > > <timeout_allowed>yes</timeout_allowed> > > > </command> > > > > on the agent side I also have got "win_nulroute.cmd" file ready to > > fire-up. > > > > I have also checked ar.conf on both sides the agent and the master - they > > > are identically the same. At the beginning I was thinking that maybe the > > > agent does not have the latest version from the master but this is not > > the > > > case. I am trying everything but nothing helps.... anyone any idea? > > > > Pete
