On Thu, Jan 22, 2015 at 8:44 AM, Thomas Vidal <[email protected]> wrote:
> Dear OSSEC team,
>
> I am using the latest OSSEC version, 2.8.1, on both the OSSEC server and
> clients, on Debian Wheezy.
> Copying and pasting an event into ossec-logtest gives me good output.
> When agent.conf is modified, the active response to restart all clients is
> working fine.
> Server and clients are using up-to-date and identical agent.conf, ar.conf and
> merge.mg files.
> The md5sums of agent.conf on all clients and on the server are the same.
> Dropping an IP by using on the server "firewall-drop.sh add -u toto x.x.x.x"
> is working fine, and all clients drop the given IP and add a line in
> active-response.log.
> But then when the server receives an alert about an attack from a specific
> IP@, I write it in the alert.log but nothing else! No active response...
> As this came from my last update at the end of December, I am thinking this
> is a bug... or not?
>

Where do you think the bug is?
Are you sure ossec-execd is running on the agent?
Is AR disabled on the agent or manager?
Can you add some debug logs to the manager and maybe agent to log when
AR is getting triggered?


> Many thanks and all the best
>
> Thomas
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
