On Jun 26, 2015 12:23 PM, "Jeff Blaine" <[email protected]> wrote:
>
> When rule 550 or 554 is hit with ANY agent as the source, the command
> below is executing on agent 19.
>
> As I understand AR, the command should only be executing on agent 19 when
> rule 550 or 554 is hit *with agent 19 as the origin*
>
> Is this a bug or a misunderstanding on my part somewhere?
>

Yes, I think it's a misunderstanding. Defining agent 19 below only
configures AR to run on that agent. It does not in any way specify that
alerts must come from that agent.

> Config piece:
>
>   <active-response>
>     <command>test-it</command>
>     <location>defined-agent</location>
>     <agent_id>019</agent_id>
>     <rules_id>550,554</rules_id>
>   </active-response>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

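The distinction drawn in the reply, as an added example that is not part of the original thread or OSSEC's own code: a small Python model that parses the quoted `<active-response>` block and computes where the command would run for a given alert. The function names, agent 007 and the `local` variant are constructed for illustration; the `location` values follow the OSSEC documentation, and only `rules_id` filtering is modelled.

```python
import xml.etree.ElementTree as ET

# The block quoted in the thread.
THREAD_CONFIG = """
<active-response>
  <command>test-it</command>
  <location>defined-agent</location>
  <agent_id>019</agent_id>
  <rules_id>550,554</rules_id>
</active-response>
"""
# Constructed variant: same block with location "local" (agent_id is then unused).
LOCAL_CONFIG = THREAD_CONFIG.replace(
    "<location>defined-agent</location>", "<location>local</location>")

SERVER_ID = "000"  # id OSSEC uses for the manager itself


def parse_ar(xml_text):
    """Extract the fields of one <active-response> block."""
    node = ET.fromstring(xml_text)
    get = lambda tag: (node.findtext(tag) or "").strip()
    return {
        "command": get("command"),
        "location": get("location"),
        "agent_id": get("agent_id"),
        "rules": {r.strip() for r in get("rules_id").split(",") if r.strip()},
    }


def run_targets(ar, rule_id, source_agent, known_agents):
    """Return the agent ids on which the command would run for one alert."""
    # Trigger: only the rule filter is consulted, never the source agent.
    if ar["rules"] and rule_id not in ar["rules"]:
        return []
    loc = ar["location"]
    if loc == "defined-agent":
        return [ar["agent_id"]]      # fixed target, whatever the source
    if loc == "local":
        return [source_agent]        # the agent that generated the event
    if loc == "server":
        return [SERVER_ID]
    if loc == "all":
        return sorted(known_agents)
    raise ValueError(f"unknown location: {loc!r}")
```

With the thread's block, an alert for rule 550 from agent 007 still yields `["019"]`; with the `local` variant the same alert yields `["007"]`.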