All, I just recently started using Active Response.
My main use case right now is to perform a firewall-drop on my 'login' nodes using <location>defined-agent</location>. This appears to be working fine (after I realized that I couldn't define more than 1 agent within an <active-response> stanza).

I run into issues when I restart the OSSEC Manager. When I do that, it appears that agents are never instructed to trigger their AR until I manually restart the agents. I've been working around this by using agent_control -R [uid] for each login node, but that doesn't seem very elegant.

Is there a more elegant way to solve this problem? I know that it is possible to restart just select processes of the OSSEC arch without impacting things - is that the case with AR?

Thanks,
Chris

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
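For reference, the kind of manager-side ossec.conf setup the post describes, written out as an added example (not Chris's actual configuration): one firewall-drop command definition plus one <active-response> stanza per login node, since each stanza with <location>defined-agent</location> takes a single <agent_id>. The agent IDs 002 and 003, the trigger level 6 and the 600-second timeout are constructed values for illustration.

```xml
<ossec_config>
  <!-- Command definition: firewall-drop.sh ships with OSSEC under
       active-response/bin/ and expects the alert's source IP. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- One stanza per login node: defined-agent accepts only one agent_id,
       so a second target needs its own <active-response> block. -->
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>002</agent_id>          <!-- constructed: first login node -->
    <level>6</level>                  <!-- assumed alert level threshold -->
    <timeout>600</timeout>            <!-- assumed: undo the block after 10 min -->
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>003</agent_id>          <!-- constructed: second login node -->
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Keeping <timeout> set is the safer default for an automated block, so a false positive on a login node expires on its own rather than locking out a legitimate source until someone intervenes.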
