Thanks Dan, so... I'm doing it wrong =(

All of my configuration related to active response is working in agents. I read in some documentation (I don't remember when or what) that active response options are available only on server or local installation, so I installed the hybrid mode =\

Anyway... how can I configure my server to manage active response in ossec agents?

In my mind this should work like this example:
The client receives an ssh brute force > the client communicates with the server > the server triggers tcp wrappers on the client

Right?

Currently all of my agents use active response with tcp wrappers locally and just communicate with the server to register alerts and events.

Best regards,
Fernando C.

On Tuesday, December 3, 2013 at 16:43:24 UTC-2, dan (ddpbsd) wrote:
>
> On Tue, Dec 3, 2013 at 12:01 PM, Fernando Cardoso <[email protected]> wrote:
> > Hello,
> >
> > I have many agents installed with hybrid mode configuration.
> >
> > By default the startup "/etc/init.d/ossec start" only starts the agent:
> > /var/ossec/ossec-agent/bin/ossec-agentd
> > /var/ossec/ossec-agent/bin/ossec-logcollector
> > /var/ossec/ossec-agent/bin/ossec-syscheckd
> >
> > If I start ossec through "/var/ossec/bin/ossec-control start" it works fine:
> > 00:00:00 /var/ossec/ossec-agent/bin/ossec-agentd
> > 00:00:00 /var/ossec/ossec-agent/bin/ossec-logcollector
> > 00:00:00 /var/ossec/ossec-agent/bin/ossec-syscheckd
> > 00:00:00 /var/ossec/bin/ossec-execd
> > 00:00:00 /var/ossec/bin/ossec-analysisd
> > 00:00:00 /var/ossec/bin/ossec-logcollector
> > 00:00:00 /var/ossec/bin/ossec-syscheckd
> > 00:00:00 /var/ossec/bin/ossec-monitord
> >
> > I use hybrid mode because I need the ossec-agent managed by the server and I
> > need local active-response too.
> >
> > To solve this issue I need to change the file /etc/ossec-init.conf (DIRECTORY).
> >
> > My doubts are:
> > Is my installation OK? Why is only the agent started by default?
>
> Probably an oversight. I'm not entirely sure how much testing went
> into hybrid before it was included.
>
> > Do I really need hybrid mode for active response?
>
> You do not need hybrid mode to use active response. If that's what you
> thought, please point out the documentation that led you to believe
> this so I can correct it.
>
> > Can I manage the active response through ossec-server?
>
> Active response is managed through the server. The only configuration
> done on the agent is enabling or disabling it.
>
> > Many Thanks
> > Fernando C
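
The server-managed setup described in the reply above, as an added example that is not part of the original thread: the server's ossec.conf defines the command and the trigger, and the agent's ossec.conf only enables active response. It assumes the stock host-deny.sh script (TCP wrappers) and stock sshd rule 5712 (SSHD brute force); the 600-second timeout is a value chosen for illustration.

```xml
<!-- SERVER: /var/ossec/etc/ossec.conf -->
<ossec_config>
  <!-- Defines what can be run. host-deny.sh adds the source IP to
       /etc/hosts.deny on the host where it executes. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Defines when and where it runs. "local" means the agent that
       generated the event, so the block lands on the attacked host. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <!-- Illustrative value: remove the block after 10 minutes. -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- AGENT: /var/ossec/etc/ossec.conf (plain agent install, not hybrid) -->
<ossec_config>
  <!-- The only agent-side setting: allow the server to trigger responses. -->
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
```

Restart the server and the agents after changing either file. Trusted management addresses can be listed in `<white_list>` entries in the server's `<global>` section so that they are never blocked by a response.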
