Hi Barry,

There are decoders
<https://github.com/wazuh/ossec-rules/blob/7b02b8cc8cb64d1ddfdff8161d4ff7d155746020/rules-decoders/ossec/decoders/active-response_decoders.xml#L36>
and rules
<https://github.com/wazuh/ossec-rules/blob/7b02b8cc8cb64d1ddfdff8161d4ff7d155746020/rules-decoders/ossec/rules/ossec_rules.xml#L297>
for active response. Look for rules with ID 600-606 in your alerts.log.

Regards.
Jesus Linares.

On Sunday, February 21, 2016 at 2:37:11 PM UTC+1, Barry Kaplan wrote:
>
> I see on my clients lots of active response ssh blocks in 
> active-response.log. Should I expect to see some trace of those in the 
> alerts.log?
>