When OSSEC detects some abusive email addresses, the agent is supposed to add this email address to a userlist. This works mostly; if I restart everything, it works for a short while.
I see the events triggering the alert and active-response in /var/ossec/logs/alerts/alerts.log on the server. However, the /var/ossec/logs/active-responses.log on the client usually doesn't show any activity for that specific rule. But if I fire it manually via /var/ossec/bin/agent_control, it always works as expected (besides the fact that the email address is passed as an IP address). The username argument is used to pass on the email address; could this be the problem? I see warnings about really ugly email addresses in /var/ossec/logs/ossec.log, but these are not the problem. How do I debug this? Can I see when the client actually forks the process for the active response?
