Hi Barry,
if you want to see the rules generated by active response you must watch
the active response log (as Dan said):
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
Now, you will see in archives.log (with option <logall>yes</logall>) the
log received:
2016 Feb 23 10:59:06 LinMV->/var/ossec/logs/active-responses.log Tue Feb 23 10:59:04 UTC 2016 /var/ossec/active-response/bin/xxxxx.sh add - - 1456225144.17818 RULEID
Then, if that log matches some rule
<https://github.com/wazuh/ossec-rules/blob/7b02b8cc8cb64d1ddfdff8161d4ff7d155746020/rules-decoders/ossec/rules/ossec_rules.xml#L297>,
you will see the alert in alerts.log.
It's up to you to generate rules to track the active responses.
I hope that helps.
Regards.
Jesus Linares.
On Tuesday, February 23, 2016 at 6:42:45 AM UTC+1, Barry Kaplan wrote:
>
> So I'm confused then. The server decided to initiate these actions on the
> client, no? The server rules are what decided those actions. Should the
> server not log that it took this action, given the elevated level of the
> rules? I feel I am missing something in my understanding.
>
> -barry
>
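As an added example (not code from this thread or from OSSEC itself), the following script parses active-responses.log lines in the layout shown in Jesus's reply above, i.e. the default scripts' `date $0 $1 $2 $3 $4 $5` output (script, action, user, srcip, alert id, rule id, with "-" for unset fields), and tracks responses per rule id and targets that were added but never deleted. The sample lines, script names, addresses and rule ids are constructed.

```python
import re
from collections import Counter, defaultdict

# One active-responses.log line as written by the default OSSEC AR scripts:
# "<date> <script> <action> <user> <srcip> <alert_id> <rule_id>"
AR_LINE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ \d{4}) "
    r"(?P<script>\S+) (?P<action>\S+) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule_id>\S+)$"
)

def parse_line(line):
    """Return a dict of fields, or None if the line is not an AR entry."""
    m = AR_LINE.match(line.strip())
    return m.groupdict() if m else None

def track_responses(lines):
    """Count responses per rule id and list (script, srcip) pairs whose
    'add' was never followed by a 'delete' from the same script."""
    per_rule = Counter()
    open_actions = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines that do not follow the AR layout
        per_rule[ev["rule_id"]] += 1
        key = (ev["script"], ev["srcip"])
        if ev["action"] == "add":
            open_actions[key].append(ev["alert_id"])
        elif ev["action"] == "delete" and open_actions[key]:
            open_actions[key].pop(0)
    still_active = sorted(k for k, v in open_actions.items() if v)
    return dict(per_rule), still_active

# Constructed sample log (script names, IPs and rule ids are invented)
SAMPLE_LOG = """\
Tue Feb 23 10:59:04 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1456225144.17818 31151
Tue Feb 23 10:59:04 UTC 2016 /var/ossec/active-response/bin/xxxxx.sh add - - 1456225144.17818 31151
Tue Feb 23 11:09:04 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1456225144.17818 31151
Tue Feb 23 11:20:31 UTC 2016 /var/ossec/active-response/bin/host-deny.sh add - 198.51.100.7 1456226431.18002 5712
this line is not an active-response entry
"""

if __name__ == "__main__":
    counts, active = track_responses(SAMPLE_LOG.splitlines())
    print("responses per rule id:", counts)
    print("still active (no matching delete):", active)
```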