I'm such a fool *bangs head against the wall* it was sitting right there in the ossec.log ... my eyes just didn't see.

2015/12/18 15:29:51 ossec-execd(1350): INFO: Active response disabled. Exiting.
2015/12/18 15:29:54 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).

so all is fine now :) my understanding from the ossec-doc regarding AR was that those options were only available on the master. initially i thought that AR was only configured and controlled by the master. thanks as usual for your quick answers!! :)

On Friday, 18 December 2015 17:09:47 UTC+1, dan (ddpbsd) wrote:
>
> On Dec 18, 2015 11:00 AM, "theresa mic-snare" <[email protected]> wrote:
> >
> > so, does this mean it is also possible to disable it with the above mentioned syntax in the ossec.conf on the agent?
> >
>
> Yes.
>
> > sorry for double-checking and the stupid question, but I haven't found it in the official docs:
> >
> >> Active-response options are available in the following installation types:
> >>
> >> server
> >> local
> >
> >
> > the <disable>yes</disable> tag is one of those options, right?!
> >
>
> As usual my poor grasp of the English language is causing the confusion. That option is available on agents. It disables AR entirely for that agent. So far no one has brought up the situation of disabling it entirely on some agents, but not others.
>
> > and shouldn't there also be a log entry in the ossec.conf, something like this
> >
> > ossec-execd(1350): INFO: Active response disabled. Exiting.
> >
> > after restarting the agent?
>
> No clue. Probably.
>
> > i haven't found this log entry after disabling it in the ossec.conf on the agent and restarted this agent afterwards.
> >
> >
> > On Friday, 18 December 2015 15:55:38 UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Fri, Dec 18, 2015 at 9:40 AM, theresa mic-snare <[email protected]> wrote:
> >> > Hi all,
> >> >
> >> > please correct me if I am wrong, I just noticed that the active response can only be disabled on the master but not on individual agents.
> >> > is that true?
> >> >
> >> > I think it's a shame, because I just want to use it only on specific machines, that are exposed to the bad bad internet :)
> >> > I know I could just whitelist all the internal IPs, because it's unlikely that an attack could be started from inside...
> >> >
> >> > wouldn't it be nice to have the possibility to just
> >> >
> >> > <active-response>
> >> > <disabled>yes</disabled>
> >> > </active-response>
> >> >
> >> > on the agent ossec.conf ? :)))))
> >> >
> >> > is there any reason it can only be controlled from the master?
> >> > i'd like to understand it better.
> >> >
> >>
> >> That should work to disable AR (as a whole) on the agent.
> >>
> >> > thanks,
> >> > theresa

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
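A small check for the two signals this thread turns on, the agent-side `<active-response><disabled>yes</disabled></active-response>` setting and the ossec-execd "Active response disabled" log line, as an added example that is not from the thread or the OSSEC project. The ossec.conf and ossec.log contents below are constructed samples, and the parser assumes the file carries no `<?xml ...?>` declaration so its several top-level `<ossec_config>` blocks can be wrapped in one synthetic root.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample agent ossec.conf. OSSEC allows several top-level
# <ossec_config> blocks, so the file is not one XML document; the parser
# below wraps it in a synthetic root (assumes no <?xml ...?> declaration).
SAMPLE_CONF = """<ossec_config>
  <client><server-ip>192.0.2.10</server-ip></client>
</ossec_config>
<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
"""

# Constructed ossec.log lines matching the messages quoted in the thread.
SAMPLE_LOG = """2015/12/18 15:29:51 ossec-execd(1350): INFO: Active response disabled. Exiting.
2015/12/18 15:29:54 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
"""

AR_DISABLED_RE = re.compile(r"ossec-execd\(\d+\): INFO: Active response disabled")

def active_response_disabled(conf_text: str) -> bool:
    """True if any <active-response> block sets <disabled>yes</disabled>."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    for block in root.iter("active-response"):
        flag = block.findtext("disabled")
        if flag is not None and flag.strip().lower() == "yes":
            return True
    return False

def log_confirms_disabled(log_text: str) -> bool:
    """True if ossec-execd logged that it exited because AR is disabled."""
    return any(AR_DISABLED_RE.search(line) for line in log_text.splitlines())

def check_agent(conf_text: str, log_text: str) -> str:
    """Combine both signals so a config change without a restart is visible."""
    in_conf = active_response_disabled(conf_text)
    in_log = log_confirms_disabled(log_text)
    if in_conf and in_log:
        return "disabled"         # ossec.conf and ossec.log agree
    if in_conf:
        return "pending-restart"  # set in ossec.conf, execd has not exited yet
    if in_log:
        return "stale-log"        # log entry without the setting: old log or other conf
    return "enabled"
```

Run `check_agent` with the real file contents of an agent to confirm that the setting took effect after the restart, rather than relying on either file alone.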
