I am trying to get Active Response working on a Windows 2012 server.
I enabled AR in the local Windows 2012 OSSEC config file.
In the agent-side OSSEC log I get some warnings about some Linux shell-based
active responses not being present (which makes sense).

I copied over a Windows null-route script we use on a Windows 2008 R2 server.
I created the command and AR configuration on the OSSEC server.
I then tried to test the AR script which looked like this:

root@monitor:/var/ossec/bin# ./agent_control -b 120.138.126.238 -f win_route-null1800 -u 001

OSSEC HIDS agent_control: Running active response 'win_route-null1800' on: 001


Under OSSEC 2.7 I would see this line when I tried to trigger an AR:

2014/07/30 21:32:08 ossec-agent: ERROR: Unable to create active response process.

Setting windows.debug levels in internal_options.conf generated more log
output but not any more detail on why AR was not triggering.

I upgraded to OSSEC 2.8, upgrading both the OSSEC server and the Windows agent.
Now I don't see anything logged in the agent-side OSSEC log when I trigger
the active response.

The interesting thing to me is that under either version I can trigger a restart
of the agent from the OSSEC server, and that event does appear in the client-side
active response log, so it appears some communication is occurring.

Any ideas on how to troubleshoot why AR doesn't appear to be triggering?
Thanks,

James Whittington

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
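As an added illustration of the pieces the post describes (the AR switch in the Windows agent's ossec.conf, and the server-side command and active-response definitions that agent_control -f refers to by name), here is an example configuration. It is not the poster's configuration or OSSEC's shipped file: the executable name route-null.cmd, the alert level and the 1800-second timeout are assumptions chosen to match the command name win_route-null1800 used in the post.

```xml
<!-- Agent side: ossec.conf on the Windows agent.
     Windows agents ship with active response disabled; this turns it on. -->
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>

<!-- Server side: /var/ossec/etc/ossec.conf on the OSSEC manager.
     The <command> names the script the agent must have in its own
     active-response\bin directory; the <active-response> ties it to alerts. -->
<ossec_config>
  <command>
    <!-- Name used by agent_control -f and by <active-response><command> -->
    <name>win_route-null1800</name>
    <!-- Assumed script name; resolved under active-response\bin on the agent -->
    <executable>route-null.cmd</executable>
    <!-- The script receives the alert's source IP as its argument -->
    <expect>srcip</expect>
    <!-- Allows the timeout below, after which the script is re-run with "delete" -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>win_route-null1800</command>
    <!-- Run on the agent that produced the alert -->
    <location>local</location>
    <!-- Assumed threshold; could be <rules_id> instead -->
    <level>6</level>
    <!-- Assumed value matching the "1800" in the command name -->
    <timeout>1800</timeout>
  </active-response>
</ossec_config>
```

With both fragments in place and ossec restarted on each side, the agent_control invocation shown in the post (-f win_route-null1800 -u 001) asks agent 001 to run that command; the agent records what it executed in the active-responses.log under its active-response directory, which is the client-side log the post refers to.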