On Wed, Apr 25, 2012 at 11:34 AM, jfranz <[email protected]> wrote:
>>
>> Unfortunately I think this is the way it works. "all" actually means
>> "all agents," not "all systems." I think this might be worth looking
>> into...
>
> Ok. That makes sense. Will test that by adding another machine/agent
> to my testing setup.
>
>>
>>> As I understand it, the agent uses the ossec.conf and *_rules.xml
>>> files from the server?!?!
>>>
>>
>> No. Each agent uses its own ossec.conf, and possibly the agent.conf
>> from the server.
>>
>> The rules and decoders are only handled on the server. The agent
>> passes a log message to the server, which then compares it to the
>> decoders/rules.
>>
>
> Ok. Got that. But how does an agent know when to use an active
> response, based on a rule that is parsed on the server after the agent
> sends its log?
>

The manager sends the agent a message telling it to run the AR.

>>
>> That's wrong. I don't know why there would be a perl script there.
>> Something went haywire in your installation.
>>
>
> Yepp. Did a clean install on the server and files look fine now. No
> more perl script in there.
>
> Btw: Thx for your help ;)
>

No problem. :)
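The flow discussed in this thread, as an added configuration example that is not part of the original messages: a manager-side ossec.conf fragment where the rule match happens on the manager, which then tells agents to run the response. The rule level (6) and timeout (600 seconds) are assumed values, and the second block follows the thread's statement that "all" reaches agents only.

```xml
<!-- Manager-side ossec.conf (added example, values are assumptions). -->

<!-- Declares the script an active response may call. The script itself
     must exist in active-response/bin on every host that will run it. -->
<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- The manager evaluates decoders and rules. When an alert reaches
     level 6 or higher, it messages the agents to run host-deny.
     Per the thread, "all" means all agents, not the manager itself. -->
<active-response>
  <command>host-deny</command>
  <location>all</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<!-- Second block so the manager also runs the command locally,
     covering the gap the thread describes for "all". -->
<active-response>
  <command>host-deny</command>
  <location>server</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
```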
