Hi all,
I've set the location option in the active response configuration to
all so that when an active response is initiated, all ossec agents
will run the appropriate script. Everything is working well with this
in that all agents execute the appropriate active response, except
that I noticed that the ossec server never executes the active
response local to itself. Here is the active response config as I
have it. I'm going to test adding an additional section to the
configuration with the location set to server to see if this causes
the active response to get triggered on the server as well, but I was
just wondering if what I'm seeing is by design or a bug. Please
advise and thanks.
Aaron
<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <level>6</level>
  <timeout>6000</timeout>
</active-response>
<active-response>
  <command>win_nullroute</command>
  <location>all</location>
  <level>6</level>
  <timeout>6000</timeout>
</active-response>