Hi!

When the agent finds an audit event, it sends a message to the Manager. I want to interrupt this behavior and run my custom script to analyse the audit event.

At first, I tried to use Active-Response to do it. The flow is like this:

1. Agent: find audit event
2. Agent: send audit event
3. Manager: recv audit event
4. Manager: analyse audit event
5. Manager: trigger alert rule
6. Manager: trigger AR
7. Agent: trigger custom script via AR

But the AR can't send the audit params from Manager to Agent, like the 'pid'. So I want to modify the flow like this:

1. Agent: find audit event
2. Agent: interrupt & trigger custom script
3. Agent: send audit event
4. Manager: recv audit event
5. Manager: analyse audit event
6. Manager: trigger alert rule

How can I do this?

Thank you!
