Hi Barry, if you want to see the rules generated by active response you must watch the active response log (as Dan said):

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/ossec/logs/active-responses.log</location>
    </localfile>

Now, you will see in archives.log (with option <logall>yes</logall>) the log received:

    2016 Feb 23 10:59:06 LinMV->/var/ossec/logs/active-responses.log Tue Feb 23 10:59:04 UTC 2016 /var/ossec/active-response/bin/xxxxx.sh add - - 1456225144.17818 RULEID

Then, if that log matches some rule <https://github.com/wazuh/ossec-rules/blob/7b02b8cc8cb64d1ddfdff8161d4ff7d155746020/rules-decoders/ossec/rules/ossec_rules.xml#L297>, you will see the alert in alerts.log. It's up to you to generate rules to track the active responses.

I hope that helps.
Regards.
Jesus Linares.

On Tuesday, February 23, 2016 at 6:42:45 AM UTC+1, Barry Kaplan wrote:
>
> So I'm confused then. The server decided to initiate these actions on the
> client, no? The server rules are what decided those actions. Should the
> server not log that it took this action, given the elevated level of the
> rules? I feel I am missing something in my understanding.
>
> -barry
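As an added illustration (not part of this thread and not OSSEC's own code) of what can be done once active-responses.log is collected: a small parser for the line layout quoted above (date, script, action, user, source IP, alert id, rule id) that also recovers the triggering alert's time from the alert id and lists which blocks are still in force. The sample lines, IPs and rule ids are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the active-responses.log layout quoted in the reply above:
# <date> <script> <action> <user> <srcip> <alert id> <rule id>
# ("-" marks an empty field; IPs and rule ids are made up for this example).
SAMPLE_LOG = """\
Tue Feb 23 10:59:04 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.5 1456225144.17818 5712
Tue Feb 23 11:09:04 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.5 1456225144.17818 5712
Tue Feb 23 11:15:30 UTC 2016 /var/ossec/active-response/bin/host-deny.sh add - 198.51.100.7 1456225744.20011 5720
this line is not an active-response record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<tz>\w+) (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>\d+\.\d+) (?P<rule_id>\S+)$"
)


def parse_line(line):
    """Return one record as a dict, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Time the response script ran, as written by the agent's date(1) call.
    rec["ts"] = datetime.strptime(f"{rec.pop('ts')} {rec.pop('year')}", "%a %b %d %H:%M:%S %Y")
    if rec.pop("tz") == "UTC":
        rec["ts"] = rec["ts"].replace(tzinfo=timezone.utc)
    # The alert id is "<epoch seconds>.<offset>" of the alert that triggered the
    # response; its epoch part gives the alert time, handy for joining to alerts.log.
    epoch = int(rec["alert_id"].split(".")[0])
    rec["alert_time"] = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return rec


def parse_log(text):
    """Parse every well-formed line of an active-responses.log dump, skipping the rest."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def active_blocks(records):
    """Return (script, srcip) pairs that were added and not yet deleted, i.e. still in force."""
    active = set()
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["script"], r["srcip"])
        if r["action"] == "add":
            active.add(key)
        else:
            active.discard(key)
    return active
```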