Well thats the problem, I dont get any log entry on the OSSEC server AR log so I think I need a debug config enabled to verify it is triggering an AR. What config setting do I set to see that?
On Wednesday, March 13, 2013 2:40:40 PM UTC-7, dan (ddpbsd) wrote: > > On Wed, Mar 13, 2013 at 4:43 PM, BP9906 <[email protected] <javascript:>> > wrote: > > Good point. > > For clarity, my AR is set for server execution. It then launches a shell > > script that then loops through a set of servers in a LB pool to do a > null > > route on those servers. > > I would then see the AR in the Ossec Server AR log and client AR log. > > I dont even see the AR log entry on the Ossec Server AR log. > > > > Can you provide your configuration, log samples that do work, and log > samples that do not work? > > > > > On Wednesday, March 13, 2013 1:20:06 PM UTC-7, Kat wrote: > >> > >> are you checking the right logs and do you have the ARs set for the > right > >> place? Sometimes people forget the log entries will be in agents log > files, > >> not the SERVER. > >> > >> > >> On Wednesday, March 13, 2013 10:56:34 AM UTC-7, BP9906 wrote: > >>> > >>> Hello, > >>> I recently upgraded my ossec server to 2.7 and everything is working > >>> great. The weird issue I'm having is that the active responses > sometimes > >>> dont fire. > >>> Its very intermittent because I get email spam for my Rule that is > >>> supposed to trigger a null-route. I check the server's > active-responses.log > >>> and it shows no entries, though previously in the same day (couple > hours > >>> ago) I see entries for the same rule number. > >>> > >>> Any suggestions on helping determine why the ossec server couldnt > spawn > >>> my active response for the rule? > >>> > >>> Thank you, > >>> Brian > >>> > >>> > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/groups/opt_out. > > > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
