* BP9906 <[email protected]> [2014-05-30 14:42:09 -0700]:

I've been watching active responses lately and it seems like they don't
always generate an active response. I have the settings properly but I
would say the actual active response triggers about 25% of the time. I say
that because the alerts.log (and respective emails in my inbox) indicate
the correct rule is firing. I have a lot of local active responses that
fire regularly so I'm thinking there's a queue size for active responses
that is not big enough.

Any idea of what setting I should take a look at?

No. What's the CPU load on the server? The only time I know of someone
running into this is due to the way active response fork/execs to create
a child process, and with so many firing too fast the OS does not handle the
load well.
Do you have active response logging? If you are using your own scripts
I would advise they do what the ossec scripts do and log in this way:
https://github.com/ossec/ossec-hids/blob/master/active-response/firewall-drop.sh#L42
This way you can review actions in more detail.

Thank you
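The logging practice the reply recommends, as an added example that is not part of the thread and not an OSSEC script: a skeleton for a custom active-response script that appends one line per invocation to active-responses.log before doing anything else, and refuses arguments that do not look like what OSSEC passes. The names AR_LOG, ar_log, ar_validate and ar_main are assumed; the log location assumes the script lives in active-response/bin/ like the stock scripts.

```shell
#!/bin/sh
# Added example (not from the thread, not OSSEC's own code): a custom
# active-response skeleton that logs every invocation the way the stock
# OSSEC scripts do, so "rule fired but nothing ran" can be read from
# active-responses.log instead of guessed at.
#
# OSSEC invokes active-response scripts as:  script <action> <user> <srcip>
# where <action> is "add" or "delete".
#
# Assumption: installed in active-response/bin/, so the log is two levels
# up, as for the stock scripts. AR_LOG may be overridden via environment.
AR_LOG="${AR_LOG:-$(dirname "$0")/../../active-responses.log}"

# Append one line per call: timestamp, script name, all arguments.
ar_log() {
    echo "$(date) $0 $*" >> "$AR_LOG"
}

# Accept only the argument shapes OSSEC generates; returns 0 if valid,
# 1 otherwise. Anything else never reaches a firewall command.
ar_validate() {
    _action="$1"; _ip="$3"
    case "$_action" in
        add|delete) ;;
        *) return 1 ;;
    esac
    # Plain IPv4 dotted quad only; everything else is refused.
    echo "$_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    return 0
}

# Log first (so a later failure still leaves a trace), then validate,
# then act. The action itself is a placeholder echo: the real command
# (iptables, hosts.deny, ...) depends on the deployment.
ar_main() {
    ar_log "$@"
    if ! ar_validate "$@"; then
        ar_log "invalid arguments, nothing done"
        return 1
    fi
    echo "placeholder: action=$1 ip=$3 (real firewall call goes here)"
    return 0
}

# Run only when OSSEC passes the expected arguments.
if [ $# -ge 3 ]; then
    ar_main "$@"
fi
```

Review active-responses.log next to alerts.log: an alert with no matching line here means the script was never started, while a line followed by "invalid arguments" means it ran but refused the input.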

--- You received this message because you are subscribed to the Google Groups "ossec-list" group.