On Thu, Jan 30, 2014 at 11:57 AM, Chris Decker <[email protected]> wrote: > All, > > I just recently started using Active Response. > > My main use case right now is to perform a firewall-drop on my 'login' nodes > using <location>defined-agent</location>. This appears to be working fine > (after I realized that I couldn't define more than 1 agent within an > <active-response> stanza). > > I run into issues when I restart the OSSEC Manager. When I do that, it > appears that agents are never instructed to trigger their AR until I > manually restart the agents. I've been working around this by using > agent_control -R [uid] for each login node, but that doesn't seem very > elegant. >
I've never run into this problem, can you open a ticket on it at https://github.com/ossec/ossec-hids ? This is definitely something that should be looked into. > Is there a more elegant way to solve this problem? I know that it is > possible to restart just select processes of the OSSEC arch without > impacting things - is that the case with AR? > > > > Thanks, > Chris > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
