On May 26, 2014 1:02 PM, "Nguyễn Văn Hớn" <[email protected]> wrote:
>
>
> For example, when the server detects a rootkit or a modification from an agent, we have an alert, but only the server has the alert. I want the agent to know that, and the agent to have an autonomous attack on that. We have use syslog to send the alert from the server to the agent. Config from ossec.conf (server)????

There is currently no way to send the alert to the ossec agent software.
Even if you could, there isn't any functionality for the agent to do
anything with the alert.
I do not anticipate that changing. Your best bet is to have the server
notify the admins or security team of issues so they can take the
appropriate actions.

> On Monday, May 26, 2014 at 23:51:44 UTC+7, dan (ddpbsd) wrote:
>>
>>
>> On May 26, 2014 12:49 PM, "Nguyễn Văn Hớn" <[email protected]> wrote:
>> >
>> > Oh, thanks Dan... Question 1: because when the server detects an attack from an agent, only the server knows that. I think the agent needs to know that. Can you help me with more details? (Sorry, my English is bad :(
>>
>> Typically you want a person to know. You could use active response to try and block the attacks, but you should still probably notify an admin or the security team.
>>
>> > 2. I have turned on the option <logall>yes</logall> but have an error
>> >
>>
>> What error?
>>
>> > On Monday, May 26, 2014 at 23:43:15 UTC+7, dan (ddpbsd) wrote:
>> >>
>> >>
>> >> On May 26, 2014 12:39 PM, "Nguyễn Văn Hớn" <[email protected]> wrote:
>> >> >
>> >> > Hi everybody. I have a question:
>> >> > How to send an alert from the server to an agent when the agent has been attacked? And the log from the agent sent to the server: where is it stored?
>> >> >
>> >>
>> >> You can't really send the alerts to the agents. You can send some alerts to a centralized location using csyslogd, but there's no functionality to send it to a lot of locations. Why would you want to do this anyways?
>> >> Alerts are stored in /var/ossec/logs/alerts. Log messages are not stored by default, you need to turn on the log all option. If you do that they're stored in logs/archives.
>> >>
>> >> > Thanks for the help
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >>
>> >> > For more options, visit https://groups.google.com/d/optout.

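The settings mentioned in this thread (the log all option, csyslogd forwarding and active response), sketched as an added ossec.conf fragment for the server; this is not configuration posted by anyone in the thread. The collector address 192.0.2.10, the level thresholds, the timeout and the choice of the stock host-deny script are assumptions.

```xml
<!-- Added example with placeholder values; merge into the matching
     sections of the server's /var/ossec/etc/ossec.conf. -->
<ossec_config>
  <global>
    <!-- Keep every received event, not only the ones that raised an alert.
         Events are written under /var/ossec/logs/archives;
         alerts stay under /var/ossec/logs/alerts. -->
    <logall>yes</logall>
  </global>

  <!-- csyslogd: forward alerts to one central syslog collector.
       192.0.2.10 is a documentation address (assumption). -->
  <syslog_output>
    <server>192.0.2.10</server>
    <port>514</port>
    <level>7</level>          <!-- only alerts at level 7 or higher (assumption) -->
  </syslog_output>

  <!-- Active response: the server decides, the script runs on the agent. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>host-deny</command>
    <!-- "local" runs the command on the agent that reported the event -->
    <location>local</location>
    <level>10</level>         <!-- trigger threshold (assumption) -->
    <timeout>600</timeout>    <!-- undo the block after 600 seconds (assumption) -->
  </active-response>
</ossec_config>
```

csyslogd does not run until it is enabled with `/var/ossec/bin/ossec-control enable client-syslog` and OSSEC is restarted. Email or syslog notification to the admins stays in place alongside active response, as the replies above recommend.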