Okay I am going to take a step back for a moment with AR not working on Windows 2012. I have found several issues that I need to address on my end first.
So far I can see my route-null script:
- was referencing environment variables that did not exist
- was being prompted to run under elevated permissions

The custom script I created ran fine from the command line, however:
- my script just took in an IP address as an argument
- the idea is if we see patterns of suspicious usage like repeated registration attempts to our web based products from the same source IP, we would trigger a trace history script that would track all activity seen from that address in recent history and create a ticket on our helpdesk for further followup
- In looking through how AR Commands are defined I wondered how arguments were passed in - then read the documentation and now see 6 arguments are actually passed into the AR script, WHOOPS guess I should have read the docs on creating customized AR scripts

So I am going to alter my custom script to accept the expected arguments and then see if things work.

James Whittington

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Starks
Sent: Friday, August 01, 2014 11:54
To: [email protected]
Subject: Re: [ossec-list] Issue triggering Active Response on Windows 2012

On 2014-08-01 8:03, James Whittington wrote:
> I am trying to get Active Response working on a Windows 2012 server.
>
> I enabled AR in the local Windows 2012 OSSEC config file.
>
> On the agent side OSSEC Log I get some warnings about some linux shell
> based active responses not being present (which makes sense)
>
> I copied over a Windows null route script we use on a Windows 2008r2
> server.

What happens if you run the script manually?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
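As an added example, not James's script or anything from the OSSEC project: a dry-run sketch in Python of the argument handling the post arrives at, i.e. a trace-history script that accepts OSSEC's positional active-response arguments instead of a lone IP. The argument order used for positions 1-5 (action, user, source IP, alert id, rule id) is the one the OSSEC active-response documentation describes; the log format, rule id, ticket fields and sample log lines are constructed for this example.

```python
import ipaddress
import sys

PLACEHOLDER = "-"  # OSSEC substitutes "-" for a field the alert did not carry

# Constructed sample of recent web-product access log lines (not real data)
SAMPLE_LOG = [
    "2014-08-01T10:01:02 203.0.113.7 POST /register 200",
    "2014-08-01T10:01:09 203.0.113.7 POST /register 200",
    "2014-08-01T10:01:15 198.51.100.4 GET /login 200",
    "2014-08-01T10:01:21 203.0.113.7 POST /register 429",
]

def parse_ar_args(argv):
    """Map OSSEC's positional active-response arguments to named fields.

    Positions 1-5 (action, user, srcip, alert id, rule id) follow the OSSEC
    docs; anything after them is kept as-is because this example assumes
    nothing about it.
    """
    if len(argv) < 6:
        raise ValueError("expected action, user, srcip, alert_id, rule_id")
    action, user, srcip, alert_id, rule_id = argv[1:6]
    if action not in ("add", "delete"):
        raise ValueError("unknown action %r" % action)
    if srcip == PLACEHOLDER:
        raise ValueError("alert carried no source IP; nothing to trace")
    # Parse as an address so a malformed string never reaches a command line
    return {"action": action, "user": None if user == PLACEHOLDER else user,
            "srcip": str(ipaddress.ip_address(srcip)),
            "alert_id": alert_id, "rule_id": rule_id, "rest": argv[6:]}

def trace_history(srcip, log_lines):
    """Return every log line whose source-address field matches srcip exactly."""
    return [ln for ln in log_lines if ln.split()[1] == srcip]

def handle(argv, log_lines=SAMPLE_LOG):
    """Dry run: 'add' traces the IP and builds a ticket, 'delete' is a no-op."""
    args = parse_ar_args(argv)
    if args["action"] == "delete":  # fired when the AR timeout expires
        return {"action": "delete", "ticket": None}
    hits = trace_history(args["srcip"], log_lines)
    ticket = {"subject": "Suspicious activity from %s (OSSEC rule %s)"
              % (args["srcip"], args["rule_id"]),
              "alert_id": args["alert_id"], "events": hits}
    return {"action": "add", "ticket": ticket}

if __name__ == "__main__":
    print(handle(sys.argv))
```

Running it by hand with `add - <ip> <alert_id> <rule_id>` is the manual check Michael suggests, and shows whether the argument mapping is right before OSSEC ever invokes it.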
