Have you checked the active responses log on the respective agent/device? /var/ossec/logs/active-responses.log or on Windows systems C:\Program Files (x86)\ossec-agent\active-response\active-responses.log
On Thursday, 19 May 2016 at 18:42:04 UTC+2, James Siegel wrote:
>
> I have a set of subnets that are whitelisted.
> The server and agents were installed quite some time ago and are on 2.81.
>
> The server and the agents have been restarted at various times over the
> past months as part of update/patching processes.
>
> The conf file was not changed during those time periods.
>
> My boss was locked out by active response, after successfully logging in,
> then trying to su up to root, that occurred last Thursday.
>
> The CEO was locked out of a device last night.
>
> In both those instances, the devices they were originating from were part
> of whitelisted subnets.
>
> Somehow, suddenly random occurrences of locking out whitelisted devices?