FYI, my problem has been solved by reformating the comment in the <active-response> section:
Changed from: <!-- comment --> To: <!-- comment --> Bug? /x On Fri, May 22, 2015 at 3:22 AM, Santiago Bassett < santiago.bass...@gmail.com> wrote: > Not sure if this is of any help, but try to run ossec-execd in debug mode > and use -t to test the configuration. Maybe that way you can figure out > what is causing the issue. > > On Thu, May 21, 2015 at 8:01 AM, Xavier Mertens <xmert...@gmail.com> > wrote: > >> Hi, >> >> I don't often write to the group (I'm following it closely) but today, >> I've a question... >> >> I'd like to trigger an Active-Response script on the _server_ for _any_ >> alert (ex with level > 10). >> I don't want to deply the script on all agents. >> At the moment, here is my active-response config (for only 1 rule): >> >> <active-response> >> <command>script</command> >> <location>server</location> >> <rules_id>31510</rules_id> >> </active-response> >> >> It seems that it expect the rule 31510 to happen on the _server_ but it >> is happening on agents.. >> Any idea? >> >> /x >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to ossec-list+unsubscr...@googlegroups.com. >> For more options, visit https://groups.google.com/d/optout. >> > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
