Dear Janelle,

Thanks for your answer.

I checked again this morning and yes, and more than yes: I made changes (just added a comment) in ossec.conf and agent.conf on the server. I waited some minutes and merge.mg was not updated on the server (and of course also on the clients).

I restarted the server (ossec-control restart), waited a few seconds, and merge.mg on the server was updated, but nothing on the clients, despite a classic AR that should restart clients when agent.conf is updated.

I restarted each client (ossec-control restart on all) and on all clients ar.conf, agent.conf and merge.mg have been updated!
During my previous investigations I found that ar.conf, agent.conf and merge.mg were not updated even with a client restart. Then I checked and changed file permissions in etc/shared, and now the files are updated when clients are restarted.

So I am wondering if my problem is not coming from a file or folder permission? Can someone let me know what the file and folder owner/group and permissions are?

I am using the latest OSSEC server and client version on Debian Linux.

Many thanks for your help!

Thomas

On Tuesday, 20 January 2015 at 22:59:13 UTC+1, Janelle wrote:
>
> I would make sure ar.conf is getting passed back to the agents. At the
> same time, is merged.mg being updated?
>
> That was always the problem I found when AR stopped working.
> ~J
>
>
> On Tuesday, January 20, 2015 at 1:47:30 AM UTC-8, Thomas Vidal wrote:
>>
>> Dear all,
>>
>> Active response stopped working one month ago and I really don't understand
>> what the problem is!
>>
>> On the OSSEC server, rules are fired when I copy and paste a log line into
>> ossec-logtest, and rules are working on the server (shown in the WebGui and in
>> the server log).
>> I can also send an active response to an OSSEC client by using
>> agent_control, and the client adds the IP to IPTABLES.
>>
>> But when the rule is fired on the server the clients didn't get the
>> information...
>>
>> Do you know how I can debug this?
>>
>> Many thanks for your help.
>>
>> Thomas