Greetings Daniel: I'm also using 1.3 (and a relatively new user; so I'm still learning too).
On the actual server (i.e. agent or local install) there should be a /var/ossec/logs/active-responses.log file if you have active response enabled. That is where you can check whether your active response is kicking off. Here's what I use on the OSSEC server in /var/ossec/etc/ossec.conf:

    <active-response>
      <command>firewall-drop</command>
      <location>local</location>
      <rules_id>5712,5720,100200,100210,100220,100230,100240</rules_id>
      <timeout>28800</timeout>
    </active-response>

That has been working well, though I've not tested whether the timeout is being honored. The 100000-series rules are the custom rules I wrote in local_rules.xml. Please let me know if you have any questions. Thank you.
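The post above points at active-responses.log as the place to confirm a response fired, and leaves open whether the configured <timeout> (28800 seconds, i.e. the delete that undoes firewall-drop) is actually honored. The script below is an added example, not code from the original post or from the OSSEC project: it parses that log, pairs each firewall-drop "add" with the later "delete" for the same source IP, and reports the measured delay against the expected timeout. It assumes the line layout written by the stock response scripts (`date`, script path, action, user, source IP, alert id, rule id); the sample lines are constructed for the example and the tolerance of 60 seconds is an arbitrary choice.

```python
"""Check whether OSSEC active-response timeouts are honoured.

Reads active-responses.log, pairs every "add" with the matching "delete"
for the same script and source IP, and compares the gap with the
<timeout> configured in ossec.conf.

Assumed line format (as echoed by the stock active-response scripts):
  <date output> <script path> <add|delete> <user> <srcip> <alert-id> <rule-id>
"""
import re
import sys
from datetime import datetime

# Constructed sample lines for demonstration; not taken from a real server.
SAMPLE_LOG = """\
Mon Mar  3 10:00:00 UTC 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1204538400.1 5712
Mon Mar  3 10:05:00 UTC 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1204538700.2 100200
Mon Mar  3 18:00:00 UTC 2008 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1204538400.1 5712
Mon Mar  3 18:10:00 UTC 2008 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.7 1204538700.2 100200
Mon Mar  3 19:00:00 UTC 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.5 1204570800.3 5720
"""

LINE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \w+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) "
    r"(?P<srcip>\S+) (?P<alert_id>\S+) (?P<rule_id>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # `date` prints e.g. "Mon Mar  3 10:00:00 UTC 2008"; drop weekday and zone,
    # since both add and delete lines are written by the same host in the same zone.
    _wd, mon, day, clock, _tz, year = ev["date"].split()
    ev["when"] = datetime.strptime(f"{mon} {day} {year} {clock}", "%b %d %Y %H:%M:%S")
    ev["rule_id"] = int(ev["rule_id"])
    return ev


def check_timeouts(log_text, timeout, tolerance=60):
    """Pair add/delete events per (script, srcip).

    Returns one record per source IP: the measured delay in seconds and whether
    it lies within `tolerance` of `timeout`. Adds with no delete yet get delay None.
    """
    pending = {}
    results = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated or malformed line
        key = (ev["script"], ev["srcip"])
        if ev["action"] == "add":
            pending[key] = ev
        elif key in pending:
            start = pending.pop(key)
            delay = (ev["when"] - start["when"]).total_seconds()
            results.append({
                "srcip": ev["srcip"],
                "rule_id": start["rule_id"],
                "delay": delay,
                "honoured": abs(delay - timeout) <= tolerance,
            })
    # Blocks still in place (no delete seen yet): report them so they are not overlooked.
    for ev in pending.values():
        results.append({"srcip": ev["srcip"], "rule_id": ev["rule_id"],
                        "delay": None, "honoured": None})
    return results


if __name__ == "__main__":
    # Usage: python check_ar_timeout.py [/var/ossec/logs/active-responses.log] [timeout]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    timeout = int(sys.argv[2]) if len(sys.argv) > 2 else 28800
    text = open(path).read() if path else SAMPLE_LOG
    for r in check_timeouts(text, timeout):
        state = "still blocked" if r["delay"] is None else f"{r['delay']:.0f}s, honoured={r['honoured']}"
        print(f"{r['srcip']:16} rule {r['rule_id']:<7} {state}")
```

Run it against the real log on the server to see, per blocked IP, how long the firewall-drop lasted before the matching delete; a delay far from 28800 seconds (or an add that never gets a delete) shows the timeout is not being applied as configured.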
