Thanks, that gave me the food for thought I needed... I will push my packages with updated .conf files for agents in an automated "update like" fashion.

Will test the directory that the ossec agent needs to fire my package from. (Do you all know what I should run and look for to see the verbose information? i.e. debug mode / debug log location?) Off to testing now.. =) Thanks!

--Rob

On Wednesday, April 13, 2016 at 7:27:53 AM UTC-4, dan (ddpbsd) wrote:

> On Tue, Apr 12, 2016 at 4:52 PM, Rob B <rba...@netorian.com> wrote:
> > Hello Folks,
> >
> > Could someone help me wrap my head around the windows active response
> > mechanism?
> >
> > If I understand correctly, the active response / bin folder on the server
> > will house my .CMD file containing my windows response actions.?
>
> I'm not totally sure on Windows, but I think so.
>
> > What I would like to do is have active response fire on an event such as:
> > <rule id="182669" level="12">
> > <if_sid>18100</if_sid>
> > </rule>
> > Which would then run my .cmd file, where I want to run an executable that I
> > have already packaged.
> >
> > My question here is: what is the logic to run my packaged executable from
> > the .cmd file? Where do I store my packaged executable, how does it get to
>
> It should be on the agent you want to run it.
>
> > the client agent to fire? Where will it fire from, so that I may have the
> > correct syntax in my .cmd file? Can the package be pushed from the server to
>
> That's a good question, I would assume either the ossec directory, or
> the ar/bin directory. It shouldn't be too hard to test though.
>
> > all windows agents once they refresh somehow?
>
> What package? The AR configuration should be pushed, but it's up to
> you to put your executable in place.
>
> > I do understand the basics as to how to setup active response in the .conf
> > file on the server ossec.conf file and where to turn it ON in the agent side
> > .conf file. How can I turn ON all the agents active response from the
> > server? (Currently I only know how to manually update the file at each
> > client.)
>
> It's possible the agent.conf can be used for this, but if not your
> configuration management solution should be able to handle pushing new
> ossec.confs to the agents.
>
> > Any pointers from the Gurus would be greatly appreciated. =)
> >
> > Thanks much Guys!!
> >
> > Rob
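As an added illustration (not code from this thread or from the OSSEC project), here is what a Windows active-response wrapper of the kind Rob describes can look like. It sidesteps the open question of which working directory the agent starts the script in by resolving its own location with `%~dp0`, logs every invocation to the agent's active-responses.log for the verbose trail Rob asked about, and refuses to run if the packaged binary is missing. Assumptions: the script lives in `active-response\bin\` under the agent install directory, the packaged executable is named `my-package.exe` and sits beside it, its `--rule/--alert/--srcip` flags are hypothetical, and the positional arguments follow the order OSSEC's own bundled scripts use (action, user, source IP, alert id, rule id).

```batch
@ECHO OFF
REM my-package.cmd  (added example, not OSSEC's own script)
REM Assumed location on the agent: <ossec-agent>\active-response\bin\my-package.cmd
REM OSSEC's bundled AR scripts receive: <action> <user> <srcip> <alert-id> <rule-id>
REM Positions that the server-side <expect> does not fill arrive blank.
SETLOCAL

REM %~dp0 = drive+path of this script (ends with a backslash), so nothing
REM below depends on whatever working directory the agent launched us from.
SET "AR_DIR=%~dp0"
SET "LOG=%AR_DIR%..\active-responses.log"
REM Hypothetical packaged executable, shipped in the same package as this .cmd.
SET "PKG_EXE=%AR_DIR%my-package.exe"

SET "ACTION=%~1"
SET "ARUSER=%~2"
SET "SRCIP=%~3"
SET "ALERTID=%~4"
SET "RULEID=%~5"

REM Always record the invocation first: this is the line to look for when
REM checking whether the rule actually triggered the response.
ECHO %DATE% %TIME% %~nx0 action=%ACTION% user=%ARUSER% srcip=%SRCIP% alert=%ALERTID% rule=%RULEID% >> "%LOG%"

IF NOT EXIST "%PKG_EXE%" (
    ECHO %DATE% %TIME% %~nx0 ERROR: %PKG_EXE% not found >> "%LOG%"
    EXIT /B 1
)

IF /I "%ACTION%"=="add" GOTO ADD
IF /I "%ACTION%"=="delete" GOTO DEL
ECHO %DATE% %TIME% %~nx0 ERROR: unknown action "%ACTION%" >> "%LOG%"
EXIT /B 1

:ADD
REM Run the package with the alert context; quote paths in case the install
REM directory contains spaces (e.g. "Program Files (x86)").
"%PKG_EXE%" --rule "%RULEID%" --alert "%ALERTID%" --srcip "%SRCIP%"
SET "RC=%ERRORLEVEL%"
ECHO %DATE% %TIME% %~nx0 %PKG_EXE% exited with %RC% >> "%LOG%"
EXIT /B %RC%

:DEL
REM "delete" is only sent when a timeout is configured for the command;
REM this package has nothing to undo, so just record it.
ECHO %DATE% %TIME% %~nx0 delete received, nothing to undo >> "%LOG%"
EXIT /B 0
```

On the server side this script is wired up in ossec.conf with a `<command>` block whose `<executable>` is `my-package.cmd` and an `<active-response>` block that names that command, sets `<location>local</location>` so it runs on the agent that produced the event, and ties it to the rule with `<rules_id>182669</rules_id>`. Keeping the executable next to the .cmd means the same package push that delivers the wrapper delivers the binary, which is the part dan points out the AR configuration will not do for you.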