success!
I ran the ossec-remoted in debug mode on the manager and found a
stream of these:
2011/02/26 13:15:48 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.168.0.1'.
2011/02/26 13:15:53 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.168.0.1'.
2011/02/26 1
I can get the active response to fire by passing "-b 1.2.3.4 -f firewall-drop600 -u 000".
firewall-drop600 is in the ar.conf.
I guess I don't (yet) understand what uses ar.conf and what uses ossec.conf.
brain dump -
from what I think I understand then,
the ossec.conf on the ma
Hi Joel,
On Fri, Feb 25, 2011 at 7:59 PM, Joel Brooks wrote:
> I still haven't got it working.
>
> I've tried moving the definitions and the
> sections to the agent.conf, and still no joy.
>
No joy because the MANAGER doesn't use the agent.conf.
> I just can't get active response to work in c
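The split dan is pointing at, as an added illustration (this is not from any message in the thread and not OSSEC's shipped configuration): the `<command>` and `<active-response>` blocks belong in the manager's ossec.conf, because analysisd on the manager reads them and derives the ar.conf that remoted pushes to agents; agent.conf is only read by agents, so the one active-response setting it can usefully carry is the per-agent opt-out. The rule level, timeout, agent id and agent name are assumed values chosen for the example. The firewall-drop600 name that shows up in ar.conf is what analysisd builds from the command name plus a 600-second timeout.

```xml
<!-- ==== manager: /var/ossec/etc/ossec.conf (added example, values assumed) ==== -->
<ossec_config>
  <!-- Defines the script the response runs; analysisd turns this plus the
       timeout below into the "firewall-drop600" entry written to ar.conf. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Run on the manager itself for any alert of level 6 or higher;
       unblock the source IP again after 600 seconds. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Same response, executed on one specific agent (agent id assumed). -->
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- ==== manager: /var/ossec/etc/shared/agent.conf (pushed to agents) ==== -->
<!-- Putting <command>/<active-response> definitions here has no effect on the
     manager. What does belong here is switching AR off for a given agent
     (agent name assumed). -->
<agent_config name="web01">
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>
```

After changing the manager's ossec.conf, restart the manager (`/var/ossec/bin/ossec-control restart`) so analysisd regenerates ar.conf and remoted pushes it out; the `agent_control -b 1.2.3.4 -f firewall-drop600 -u 000` check from earlier in the thread and the entries in /var/ossec/logs/active-responses.log are the quickest way to confirm the response is wired up.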
I still haven't got it working.
I've tried moving the definitions and the
sections to the agent.conf, and still no joy.
I just can't get active response to work in central management mode.
I found that executing
bin/agent_control -b 1.2.3.4 -f firewall-drop -u 000
from the manager results in
On Feb 24, 2011, at 2:33 PM, "dan (ddp)" wrote:
>>
>> yes
>>
>>
>
> This disabled AR on that agent.
This is in the agent.conf, right? I had been disabling specific agents by
creating an active response at the top of my ossec.conf with that agent_id
identified. This looks MUCH easier and
ed message --
From: dan (ddp)
Date: Thu, Feb 24, 2011 at 3:48 PM
Subject: Re: [ossec-list] active response in central management?
To: Joel Brooks
That's still within the syscheck section.
Can you send your active response configuration (in the manager's ossec.conf)?
Also detail ho
n agent.conf
>> with active responses working, I'd greatly appreciate it!
>>
>> Thanks!
>>
>> J
>>
>> -Original Message-
>> From: "dan (ddp)"
>> Sender: ossec-list@googlegroups.com
>> Date: Wed, 23 Feb 2011 21:3
ddp)"
> Sender: ossec-list@googlegroups.com
> Date: Wed, 23 Feb 2011 21:36:49
> To:
> Reply-To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] active response in central management?
>
> I think it goes in the manager's ossec.conf
>
> On Wed, Feb 23, 2011
sec-list@googlegroups.com
Date: Wed, 23 Feb 2011 21:36:49
To:
Reply-To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] active response in central management?
I think it goes in the manager's ossec.conf
On Wed, Feb 23, 2011 at 9:22 PM, Joel Brooks wrote:
> hey gang,
>
> I
I think it goes in the manager's ossec.conf
On Wed, Feb 23, 2011 at 9:22 PM, Joel Brooks wrote:
> hey gang,
>
> I'm working on my centralized management of ossec and it seems to be
> going well.
>
> However, it seems that since i centralized and moved all the
> configuration to agent.conf, my act
hey gang,
I'm working on my centralized management of ossec and it seems to be
going well.
However, it seems that since i centralized and moved all the
configuration to agent.conf, my active response rules have stopped
working. (last entry in active-response.log is Feb. 21, last SSH
brute force