so, does this mean it is also possible to disable it with the above mentioned syntax in the ossec.conf on the agent?
sorry for double-checking and the stupid question, but I haven't found it in the official docs: Active-reponse options are available in the the following installation > types: > > - server > - local > > the <disable>yes</disable> tag is one of those options, right?! and shouldn't there also be a log entry in the ossec.conf, something like this ossec-execd(1350): INFO: Active response disabled. Exiting. after restarting the agent? i haven't found this log entry after disabling it in the ossec.conf on the agent and restarted this agent afterwards. Am Freitag, 18. Dezember 2015 15:55:38 UTC+1 schrieb dan (ddpbsd): > > On Fri, Dec 18, 2015 at 9:40 AM, theresa mic-snare > <rockpr...@gmail.com <javascript:>> wrote: > > Hi all, > > > > please correct me if I am wrong, I just noticed that the active response > can > > only be disabled on the master but not on individual agents. > > is that true? > > > > I think it's a shame, because I just want to use it only on specific > > machines, that are expose to the bad bad internet :) > > I know I could just whitelist all the internal IPs, because it's > unlikely > > that an attack could be started from inside... > > > > wouldn't it be nice to have the possbility to just > > > > <active-response> > > <disabled>yes</disabled> > > </active-response> > > > > on the agent ossec.conf ? :)))) > > > > is there any reason is can only be controlled from the master? > > i'd like to understand it better. > > > > That should work to disable AR (as a whole) on the agent. > > > thanks, > > theresa > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to ossec-list+...@googlegroups.com <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
