thank you, dan! i appreciate all effort that is being put into the ossec documentation. it makes my life and i'm sure for others as well, so much easier :)

On Friday, 18 December 2015 17:40:43 UTC+1, dan (ddpbsd) wrote:
>
> On Dec 18, 2015 11:21 AM, "theresa mic-snare" <rockpr...@gmail.com> wrote:
> >
> > I'm such a fool *bangs head against the wall*
> >
> > it was sitting right there in the ossec.log ...my eyes just didn't see.
> >
> >> 2015/12/18 15:29:51 ossec-execd(1350): INFO: Active response disabled. Exiting.
> >> 2015/12/18 15:29:54 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
> >
> > so all is fine now :)
> >
> > from my understanding of the ossec-doc regarding AR was, that those options were only available on the master.
> > initially i thought that AR was only configured and controlled by the master.
>
> I'll try to adjust the docs again, maybe spend more than 2 minutes on it.
>
> > thanks as usual for your quick answers!! :)
> >
> > On Friday, 18 December 2015 17:09:47 UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Dec 18, 2015 11:00 AM, "theresa mic-snare" <rockpr...@gmail.com> wrote:
> >> >
> >> > so, does this mean it is also possible to disable it with the above mentioned syntax in the ossec.conf on the agent?
> >>
> >> Yes.
> >>
> >> > sorry for double-checking and the stupid question, but I haven't found it in the official docs:
> >> >
> >> >> Active-response options are available in the following installation types:
> >> >>
> >> >> server
> >> >> local
> >> >
> >> > the <disable>yes</disable> tag is one of those options, right?!
> >>
> >> As usual my poor grasp of the English language is causing the confusion. That option is available on agents. It disables AR entirely for that agent. So far no one has brought up the situation of disabling it entirely on some agents, but not others.
> >>
> >> > and shouldn't there also be a log entry in the ossec.conf, something like this
> >> > ossec-execd(1350): INFO: Active response disabled. Exiting.
> >> >
> >> > after restarting the agent?
> >>
> >> No clue. Probably.
> >>
> >> > i haven't found this log entry after disabling it in the ossec.conf on the agent and restarted this agent afterwards.
> >> >
> >> > On Friday, 18 December 2015 15:55:38 UTC+1, dan (ddpbsd) wrote:
> >> >>
> >> >> On Fri, Dec 18, 2015 at 9:40 AM, theresa mic-snare <rockpr...@gmail.com> wrote:
> >> >> > Hi all,
> >> >> >
> >> >> > please correct me if I am wrong, I just noticed that the active response can
> >> >> > only be disabled on the master but not on individual agents.
> >> >> > is that true?
> >> >> >
> >> >> > I think it's a shame, because I just want to use it only on specific
> >> >> > machines, that are exposed to the bad bad internet :)
> >> >> > I know I could just whitelist all the internal IPs, because it's unlikely
> >> >> > that an attack could be started from inside...
> >> >> >
> >> >> > wouldn't it be nice to have the possibility to just
> >> >> >
> >> >> > <active-response>
> >> >> > <disabled>yes</disabled>
> >> >> > </active-response>
> >> >> >
> >> >> > on the agent ossec.conf ? :))))
> >> >> >
> >> >> > is there any reason it can only be controlled from the master?
> >> >> > i'd like to understand it better.
> >> >> >
> >> >>
> >> >> That should work to disable AR (as a whole) on the agent.
> >> >>
> >> >> > thanks,
> >> >> > theresa
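
A check for the change discussed in this thread, added here as an example and not part of any poster's message or of OSSEC itself: it reads an agent's ossec.conf for the `<disabled>yes</disabled>` setting inside `<active-response>` and looks in ossec.log for the ossec-execd line quoted above. The function names and sample inputs are constructed, and flagging `<disable>` (which also appears in the thread) as a near-miss spelling is this example's assumption, based on the option being named `disabled`.

```python
import re

# Constructed sample inputs (not from a real host).
CONF_OK = """<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>"""
CONF_TYPO = CONF_OK.replace("disabled>", "disable>")
SAMPLE_LOG = """\
2015/12/18 15:29:51 ossec-execd(1350): INFO: Active response disabled. Exiting.
2015/12/18 15:29:54 ossec-agentd: INFO: Unable to connect to the active response queue (disabled).
"""

COMMENT = re.compile(r"<!--.*?-->", re.S)
AR_BLOCK = re.compile(r"<active-response>(.*?)</active-response>", re.S)
TAG = re.compile(r"<(\w[\w-]*)>\s*(\w+)\s*</\1>")

def conf_status(conf_text):
    """Return (disabled, suspect_tags) for the text of an agent ossec.conf."""
    disabled, suspect = False, []
    # Strip XML comments first so a commented-out block is not counted.
    for block in AR_BLOCK.findall(COMMENT.sub("", conf_text)):
        for name, value in TAG.findall(block):
            if name == "disabled":
                disabled = disabled or value.lower() == "yes"
            elif name.startswith("disable"):
                suspect.append(name)  # near-miss spelling such as <disable>
    return disabled, suspect

def log_confirms(log_text):
    """Heuristic: the most recent ossec-execd line reports AR as disabled."""
    execd = [line for line in log_text.splitlines() if "ossec-execd" in line]
    return bool(execd) and "Active response disabled" in execd[-1]

if __name__ == "__main__":
    for label, conf in (("ok", CONF_OK), ("typo", CONF_TYPO)):
        disabled, suspect = conf_status(conf)
        print(label, "disabled in config:", disabled, "suspect tags:", suspect)
    print("log confirms after restart:", log_confirms(SAMPLE_LOG))
```

Run it against the agent's own ossec.conf and ossec.log after restarting the agent; a config that says disabled without the matching execd log line means the restart did not pick up the change.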