Good point. For clarity, my AR is set for server execution. It then launches a shell script that then loops through a set of servers in a LB pool to do a null route on those servers. I would then see the AR in the Ossec Server AR log and client AR log. I dont even see the AR log entry on the Ossec Server AR log.
On Wednesday, March 13, 2013 1:20:06 PM UTC-7, Kat wrote: > > are you checking the right logs and do you have the ARs set for the right > place? Sometimes people forget the log entries will be in agents log files, > not the SERVER. > > > On Wednesday, March 13, 2013 10:56:34 AM UTC-7, BP9906 wrote: >> >> Hello, >> I recently upgraded my ossec server to 2.7 and everything is working >> great. The weird issue I'm having is that the active responses sometimes >> dont fire. >> Its very intermittent because I get email spam for my Rule that is >> supposed to trigger a null-route. I check the server's active-responses.log >> and it shows no entries, though previously in the same day (couple hours >> ago) I see entries for the same rule number. >> >> Any suggestions on helping determine why the ossec server couldnt spawn >> my active response for the rule? >> >> Thank you, >> Brian >> >> >> -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
