On Wed, Apr 13, 2016 at 2:49 PM, Rob B <[email protected]> wrote:
> Thanks, that gave me the food for thought I needed...
> I will push my packages with updated .conf files for agents in an automated
> "update like" fashion.
>
> Will test the directory that ossec agent needs to fire my package from.
> (Do you all know what I should run and look for to see the verbose
> information? ie: debug mode / debug log location?)
>

Create an active response that prints the current directory to a file, then
trigger it?

> Off to testing now.. =)
>
> Thanks! --Rob
>
> On Wednesday, April 13, 2016 at 7:27:53 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Tue, Apr 12, 2016 at 4:52 PM, Rob B <[email protected]> wrote:
>> > Hello Folks,
>> >
>> > Could someone help me wrap my head around the windows active response
>> > mechanism?
>> >
>> > If I understand correctly, the active response / bin folder on the server
>> > will house my .CMD file containing my windows response actions?
>> >
>>
>> I'm not totally sure on Windows, but I think so.
>>
>> > What I would like to do is have active response fire on an event such as:
>> > <rule id="182669" level="12">
>> >   <if_sid>18100</if_sid>
>> > </rule>
>> > Which would then run my .cmd file, where I want to run an executable that I
>> > have already packaged.
>> >
>> > My question here is: what is the logic to run my packaged executable from
>> > the .cmd file? Where do I store my packaged executable, how does it get to
>>
>> It should be on the agent you want to run it.
>>
>> > the client agent to fire? Where will it fire from, so that I may have the
>> > correct syntax in my .cmd file? Can the package be pushed from the server to
>>
>> That's a good question, I would assume either the ossec directory, or
>> the ar/bin directory. It shouldn't be too hard to test though.
>>
>> > all windows agents once they refresh somehow?
>> >
>>
>> What package? The AR configuration should be pushed, but it's up to
>> you to put your executable in place.
>>
>> > I do understand the basics as to how to setup active response in the .conf
>> > file on the server ossec.conf file and where to turn it ON in the agent side
>> > .conf file. How can I turn ON all the agents' active response from the
>> > server? (Currently I only know how to manually update the file at each
>> > client.)
>> >
>>
>> It's possible the agent.conf can be used for this, but if not your
>> configuration management solution should be able to handle pushing new
>> ossec.confs to the agents.
>>
>> > Any pointers from the Gurus would be greatly appreciated. =)
>> >
>> > Thanks much Guys!!
>> >
>> > Rob
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
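Dan's suggestion above, written out as an added example that is not from this thread or from the OSSEC project: a .cmd active response that records where and under which account the agent launched it, so the path to the packaged executable can be set correctly. It assumes the argument order OSSEC documents for active-response scripts (action, user, source IP, alert id, rule id), a hypothetical script name ar-debug.cmd, a hypothetical log file ar-debug.log beside it, and a hypothetical packaged executable my-package.exe in the same folder.

```batch
@ECHO OFF
:: ar-debug.cmd (hypothetical name) - added example, not OSSEC project code.
:: Place it in the agent's active-response\bin folder and point a <command>
:: at it; each run appends its working directory, script location, caller
:: account and arguments to a log file next to the script.
::
:: Argument order assumed from the OSSEC active-response documentation:
:: %1 action (add/delete)  %2 user  %3 source IP  %4 alert id  %5 rule id
SETLOCAL
SET "LOGFILE=%~dp0ar-debug.log"

ECHO ---- %DATE% %TIME% ---- >> "%LOGFILE%"
ECHO script path : %~f0 >> "%LOGFILE%"
ECHO script dir  : %~dp0 >> "%LOGFILE%"
ECHO working dir : %CD% >> "%LOGFILE%"
ECHO action=%1 user=%2 srcip=%3 alertid=%4 ruleid=%5 >> "%LOGFILE%"
ECHO raw args    : %* >> "%LOGFILE%"

:: whoami records the service account the response (and anything it starts)
:: runs as; the ACLs on this script and on the packaged executable should
:: allow writes only to that account and to administrators, since whatever
:: is in this folder will execute with those rights on every trigger.
ECHO running as  : >> "%LOGFILE%"
whoami >> "%LOGFILE%" 2>&1

:: Launch the packaged executable (hypothetical name) by an absolute path
:: built from the script's own location, so it does not depend on whatever
:: the working directory turns out to be.
IF EXIST "%~dp0my-package.exe" (
    ECHO launching   : "%~dp0my-package.exe" %1 %3 >> "%LOGFILE%"
    "%~dp0my-package.exe" %1 %3 >> "%LOGFILE%" 2>&1
) ELSE (
    ECHO my-package.exe not found next to script, nothing launched >> "%LOGFILE%"
)
ENDLOCAL
```

To wire it to the rule from the thread, the server's ossec.conf needs a `<command>` whose `<executable>` is ar-debug.cmd and an `<active-response>` block naming that command with `<rules_id>182669</rules_id>`.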
