>> I am trying to get Active Response working on a Windows 2012 server.
>>
>> I enabled AR in the local Windows 2012 OSSEC config file.
>>
>> On the agent side OSSEC Log I get some warnings about some linux shell
>> based active responses not being present (which makes sense)
>>
>> I copied over a Windows null route script we use on a Windows 2008r2
>> server.
> What happens if you run the script manually?

With the null route script I found some issues:

- I am getting "The requested operation requires elevation", I guess due to the call to route.
- So I am looking at the UAC controls to see if that might be causing an issue.
- Additionally the null-route script is different than the one we are using in production.
- It referenced %WINDIR% and %OSSECPATH% and I didn't see those defined anywhere so I'm not sure where it came from.

I tested my custom script which is perl based and expects an ip address as input and it ran fine.

If UAC is causing the issue with AR script running then I wouldn't have expected the restart-ossec.cmd to run.

James Whittington

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Starks
Sent: Friday, August 01, 2014 11:54
To: [email protected]
Subject: Re: [ossec-list] Issue triggering Active Response on Windows 2012

On 2014-08-01 8:03, James Whittington wrote:
> I am trying to get Active Response working on a Windows 2012 server.
>
> I enabled AR in the local Windows 2012 OSSEC config file.
>
> On the agent side OSSEC Log I get some warnings about some linux shell
> based active responses not being present (which makes sense)
>
> I copied over a Windows null route script we use on a Windows 2008r2
> server.

What happens if you run the script manually?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
