On Wed, Feb 24, 2010 at 3:56 AM, Mike Sievers <saturnge...@googlemail.com> wrote: > Hi! > > For me ./agent_control -R 000 do not work: > > 2010/02/24 09:55:26 agent_control(1210): ERROR: Queue '/queue/alerts/ > ar' not accessible: 'Queue not found'. > 2010/02/24 09:55:41 agent_control(1301): ERROR: Unable to connect to > active response queue. > > ** Unable to connect to remoted. > > ./agent_control -L > > OSSEC HIDS agent_control. Available active responses: > > ??? >
I tried that on mine and it doesn't work either, but for different reasons. It doesn't look like you have active response enabled on your server. Make sure it is enabled and ossec-execd is running on the server and any agents you want to control in this way. After enabling active response, go ahead and restart ossec the old fashioned way (ossec-control restart). Then try agent_control -R <AGENT_ID> again, just don't use the server ID. I'm not sure if that's supposed to work or not (since you can just run ossec-control restart since you're on that box anyhow).
