Hi all, I'm setting up an AR and it works if I only use 1 rules_group or if I use multiple rules_id but not if I use multiple rules_group. Here is the code.
WORKS:

<active-response>
  <command>ipv6-subnet-log</command>
  <location>local</location>
  <rules_group>authentication_failed</rules_group>
</active-response>

WORKS:

<active-response>
  <command>ipv6-subnet-log</command>
  <location>local</location>
  <rules_id>5716,5718</rules_id>
</active-response>

DOESN'T WORK:

<active-response>
  <command>ipv6-subnet-log</command>
  <location>local</location>
  <rules_group>authentication_failed,invalid_login</rules_group>
</active-response>

According to the documentation that should work but it doesn't. Any idea why?
