I've been watching active responses lately and it seems like they dont always generate an active response. I have the settings properly but I would say the actual active response triggers about 25% of the time. I say that because the alerts.log (and respective emails in my inbox) indicate the correct rule is firing. I have a lot of local active responses that fire regularly so I"m thinking there's a queue size for active responses that is not big enough.
Any idea of what setting I should take a look at? Thank you -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
