I found this webpage http://www.ossec.net/doc/faq/unexpected.html And started debugging for the agent in question.
But I am starting to suspect that the same rule will only trigger once within the timeout for the active response. even if the "username" varies but the ipaddress is empty. I will lower the timeout and see if my hunch is correct. On Friday, August 16, 2013 7:03:58 AM UTC+2, Per-Erik Persson wrote: > > When OSSEC detects some abusive emailaddresses the agent is supposed to > add this emailaddress to a userlist. > This works mostly, if I restart everything it works for a short while. > > I see the events triggering the alert and active-response in > /var/ossec/logs/alerts/alerts.log on the server. > However the /var/ossec/logs/active-responses.log on the client usually > doesn't show any activities for that specific rule. > But if I fire it manually via /var/ossec/bin/agent_control it always work > as expected.(besides the fact that the emailaddress is passed as an > ipaddress) > The username argument is used to pass on the emailaddress, could this be > the problem? > I see warnings about really ugly emailaddresses in > /var/ossec/logs/ossec.log but these ones is not the problem. > > How do I debug this ? Can I see when the client actually forks the process > for the active response? > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
