On Mon, Nov 25, 2013 at 8:51 AM, C. L. Martinez <[email protected]> wrote: > On Mon, Nov 25, 2013 at 1:17 PM, dan (ddp) <[email protected]> wrote: >> On Mon, Nov 25, 2013 at 6:36 AM, C. L. Martinez <[email protected]> wrote: >>> Hi all, >>> >>> Last week, I have updated 5 clients and one ossec server to release >>> 2.7.1. My surprise is with restart-ossec active response: it doesn't >>> works. >>> >>> My config (as appears in OSSEC docs) is: >>> >>> <command> >>> <name>restart-ossec</name> >>> <executable>restart-ossec.sh</executable> >>> <expect></expect> >>> </command> >>> >>> <active-response> >>> <command>restart-ossec</command> >>> <location>local</location> >>> <rules_id>120000</rules_id> >>> </active-response> >>> >>> and rule 120000: >>> >>> <rule id="120000" level="10"> >>> <if_sid>550</if_sid> >>> <match>/var/ossec/etc/shared/agent.conf</match> >>> <description>Customized agent.conf has been modified.</description> >>> </rule> >>> >>> but running agent_control -L: >>> >>> OSSEC HIDS agent_control. Available active responses: >>> >>> Response name: firewall-drop86400, command: firewall-drop.sh >>> >>> .. it doesn't appears ... Any idea why?? >>> >> >> Is ossec-execd running? >> >>> -- > > Yes, in all components: agents and server ... >
Is 120000 firing properly? > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
