On Tue, Nov 26, 2013 at 8:55 AM, C. L. Martinez <[email protected]> wrote: > On Tue, Nov 26, 2013 at 1:12 PM, dan (ddp) <[email protected]> wrote: >> On Mon, Nov 25, 2013 at 9:06 AM, C. L. Martinez <[email protected]> wrote: >> >> What tests are those? It's pretty simple to make sure. Change >> /var/ossec/etc/shared/ >> agent.conf and check alerts.log for the alert. >>
Please please please make sure the alert was triggered. >> Are other active responses working? >> What does your /var/ossec/etc/shared/ar.conf look like? >> Is the script executable (check permissions)? >> > > Yes, I have enabled firewwll-drop active response and it works without > problems ... > > ar.conf: > > [root@ossec02 ~]# ls -la /var/ossec/etc/shared/ar.conf > -r--r----- 1 root ossec 161 Nov 22 10:00 /var/ossec/etc/shared/ar.conf > > cat ar.conf: > restart-ossec0 - restart-ossec.sh - 0 > restart-ossec0 - restart-ossec.cmd - 0 > firewall-drop86400 - firewall-drop.sh - 86400 > restart-ossec0 - restart-ossec.sh - 0 > > restart-ossec.sh or ar.conf?? restart-ossec.sh is executable, ar.conf > not ... (in server and in the agents) > ar.conf is not a script. > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
