Hi Martin,

On Fri, Apr 22, 2011 at 8:22 AM, Martin Gottlieb <[email protected]> wrote:
> Hi,
>
> Is OSSEC capable of triggering an active response on Windows events? In
> particular, I am frequently seeing event 18152, "Multiple Windows Logon
> Failures", but no active response is ever triggered.
> There are 2 (at least) different variations on the events, 1 for Windows
> log-in failures and another for SQL Server log-in failures.
>

Yes, it's possible.

> I added the null_cmd command mentioned in the docs, but I'd be happy if it
> just triggered the firewall drop script.
>
> Am I missing something in the configuration?
>

Don't know, your configuration didn't come through.

> thanks.
>
> Martin
>
