Hi.
A1: In fact you should enable <active_response> in your ossec.conf file, but it only enables the agent to receive commands from the server. However, the syscheck/rootcheck restart is not immediate; it will be done after a cycle of syscheck.
A2: That line seems to be correct, and that verbatim does work in our labs. You can find a larger file here, as an example: https://github.com/wazuh/ossec-wazuh/blob/master/src/rootcheck/db/system_audit_ssh.txt If you tell us what you want to do, we might help you.
A3: Yes, you can add multiple <system_audit> to your ossec.conf file; it's not necessary to join them into a single file.
Best regards.