Hi all,
Just following up for others who might be seeing this as well.  Adding
the following did work around the issue.  Active Response is now
triggered on the ossec server as well as all agents.

Aaron

<active-response>
  <command>firewall-drop</command>
  <location>server</location>
  <level>6</level>
  <timeout>6000</timeout>
</active-response>

On Fri, Apr 6, 2012 at 1:05 PM, Aaron Bliss <aaron.bl...@gmail.com> wrote:
> Hi all,
> I've set the location option in the active response configuration to
> all so that when an active response is initiated, all ossec agents
> will run the appropriate script.  Everything is working well with this
> in that all agents execute the appropriate active response, except
> that I noticed that the ossec server never executes the active
> response local to itself.  Here is the active response config as I
> have it.  I'm going to test adding an additional section to the
> configuration with the location set to server to see if this triggers
> the active response to get triggered on the server as well, but was
> just wondering if what I'm seeing is by design or a bug.  Please
> advise and thanks.
>
> Aaron
>
> <active-response>
>   <command>firewall-drop</command>
>   <location>all</location>
>   <level>6</level>
>   <timeout>6000</timeout>
> </active-response>
>
> <active-response>
>   <command>win_nullroute</command>
>   <location>all</location>
>   <level>6</level>
>   <timeout>6000</timeout>
> </active-response>
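
Added example, not part of the original thread or of OSSEC itself: a check that lists active-response commands bound to location "all" with no matching "server" block, the gap reported in this thread. It assumes the behaviour is as described above; missing_server_coverage and SAMPLE_CONF are hypothetical names, and the sample configuration is constructed from the quoted one.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two blocks quoted in the thread plus the workaround.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>6000</timeout>
  </active-response>
  <active-response>
    <command>win_nullroute</command>
    <location>all</location>
    <level>6</level>
    <timeout>6000</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <level>6</level>
    <timeout>6000</timeout>
  </active-response>
</ossec_config>
"""

def missing_server_coverage(conf_text):
    """Return commands bound to location 'all' that have no 'server' block
    with the same command and level."""
    # ossec.conf may hold several <ossec_config> roots; wrap them so the
    # text parses as a single XML document.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    on_all, on_server = set(), set()
    for ar in root.iter("active-response"):
        key = ((ar.findtext("command") or "").strip(),
               (ar.findtext("level") or "").strip())
        location = (ar.findtext("location") or "").strip().lower()
        if location == "all":
            on_all.add(key)
        elif location == "server":
            on_server.add(key)
    return sorted(cmd for cmd, lvl in on_all if (cmd, lvl) not in on_server)

if __name__ == "__main__":
    print(missing_server_coverage(SAMPLE_CONF))
```

A flagged command only needs a server block if its script applies to the server's platform, so review each result before copying the workaround.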
