Clarification on Active Response Scalability in Wazuh EDR


Jack Martin

Apr 7, 2026, 11:27:01 PM
to Wazuh | Mailing List

Hello Wazuh Team,

I hope you are doing well.

I have been using Wazuh continuously for the past three months and have developed a good understanding of its SIEM capabilities. I really appreciate the platform and its features.

However, I would like to gain a deeper understanding of the EDR (Active Response) capabilities, especially in large-scale environments.

In SIEM configurations, when managing a large number of endpoints (for example, more than 1000 agents), we can apply configurations centrally on the server, and they are automatically applied to all agents.

In contrast, my understanding of Active Response is that scripts must be present on each endpoint (agent). This raises a concern in large environments:

  • If we have 1000+ endpoints, does this mean we need to manually deploy scripts on each agent?
  • Is there a centralized or automated way to distribute and manage Active Response scripts across all agents?

Additionally, I would like to confirm whether the same approach applies across different operating systems, including:

  • Windows 10 Pro
  • Windows 11
  • Linux distributions such as Ubuntu

I would appreciate your guidance on the following:

  1. Best practices for deploying Active Response scripts in large-scale environments
  2. Whether there is a centralized method to push scripts to all agents
  3. Any official documentation, guides, or resources related to this use case across different operating systems

From my understanding, Active Response executes scripts on endpoints when triggered by rules configured on the manager, but I would like clarification on how this can be efficiently managed at scale.

Thank you for your time and support. I look forward to your response.

Bony V John

Apr 7, 2026, 11:42:55 PM
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Jack Martin

Apr 8, 2026, 4:13:55 AM
to Bony V John, Wazuh | Mailing List
Thank you, sir. I appreciate your support. I will wait for your update.

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/8601497b-f73f-47bf-9e5f-7207235157b1n%40googlegroups.com.

Bony V John

Apr 8, 2026, 4:17:54 AM
to Wazuh | Mailing List

Hi,

By default, there is no direct option in Wazuh to deploy custom active response scripts from the manager to connected endpoints the way agent configuration is deployed. However, we can achieve this requirement using a workaround with the help of the shared file option and remote command execution in Wazuh.

In Wazuh, we can share custom SCA files to agents remotely using agent groups. This allows us to deploy custom SCA policies to endpoints for SCA checks. These files are stored in the /var/ossec/etc/shared directory. For SCA, there is no strict directory dependency, as we only need to reference the path in the agent ossec.conf.

However, for active response, the script must be placed in the /var/ossec/active-response/bin directory. To achieve this, we can first deploy the script from the manager to the endpoint using the shared file system. The script will be placed in /var/ossec/etc/shared on all endpoints within that agent group.

Next, we can add a Wodle command configuration on the endpoint via centralized agent configuration. This command will copy the script from /var/ossec/etc/shared to /var/ossec/active-response/bin, update the permissions, and on Windows, convert it into an executable format if required. This approach allows us to deploy custom active response scripts remotely to agents.

I have tested this on both Windows and Ubuntu systems, and it is working fine on my end. I have also prepared documentation for guidance, which you can refer to: https://github.com/bonyjohn05/AR-script-deploy/blob/main/README.md

Note that to achieve this, remote command execution must be enabled manually on each agent at least once during the initial setup.

⚠️ Warning:
Enabling this option allows the Wazuh manager to execute commands on the endpoints. This can introduce security risks if not properly controlled. Ensure that only trusted users have access to the manager, and restrict permissions appropriately to prevent unauthorized command execution on endpoints.

You can also refer to the following documentation that I used for testing this setup.
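
The procedure in the reply above, written out as an added example for this thread (it is not part of the original reply and not Wazuh's own tooling). On the manager, both files are dropped into the group's directory under /var/ossec/etc/shared/<group>/, from where the agent-group mechanism pushes them into each agent's /var/ossec/etc/shared/. The command wodle in that group's agent.conf then runs this deployer on the agent, which copies the AR script into /var/ossec/active-response/bin/ with the root:wazuh 750 ownership and mode the stock AR scripts use, and refuses files that are not shebang scripts. The file names custom-ar.sh and deploy-ar.sh, the wodle tag and the 1h interval are assumptions chosen for the example:

```shell
#!/bin/sh
# deploy-ar.sh -- added example for this thread, not Wazuh's own tooling.
#
# Copies a custom active-response script that the manager pushed via an agent
# group (it lands in the agent's /var/ossec/etc/shared/) into
# /var/ossec/active-response/bin/, where the AR launcher expects it, with the
# root:wazuh 750 ownership/mode the stock AR scripts use. Idempotent: a file
# whose content already matches is left alone, so it is safe to run on a timer.
#
# Assumptions (not from the original post): the AR script is named
# custom-ar.sh and this deployer is pushed through the same group as
# deploy-ar.sh. Manager-side, it is triggered from the group's agent.conf with
# the command wodle, which the agent only honours after
#   wazuh_command.remote_commands=1
# has been set in the agent's local_internal_options.conf (the one manual
# step the reply mentions):
#
#   <agent_config>
#     <wodle name="command">
#       <disabled>no</disabled>
#       <tag>deploy-ar</tag>
#       <command>/bin/sh /var/ossec/etc/shared/deploy-ar.sh</command>
#       <interval>1h</interval>
#       <ignore_output>yes</ignore_output>
#       <run_on_start>yes</run_on_start>
#       <timeout>60</timeout>
#     </wodle>
#   </agent_config>

SHARED_DIR="${SHARED_DIR:-/var/ossec/etc/shared}"
AR_BIN="${AR_BIN:-/var/ossec/active-response/bin}"
SCRIPT_NAME="${SCRIPT_NAME:-custom-ar.sh}"

# SHA-256 of a file, using whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# deploy_ar_script SRC DST
# Prints "installed", "updated" or "unchanged" and returns 0; returns non-zero
# (and installs nothing) when SRC is missing or is not a shebang script.
deploy_ar_script() {
    src="$1"
    dst="$2"

    [ -f "$src" ] || { echo "missing source: $src" >&2; return 1; }
    # The AR launcher executes the file directly, so a missing shebang would
    # only surface at trigger time, when it is too late to notice.
    head -c 2 "$src" | grep -q '^#!' || { echo "no shebang: $src" >&2; return 2; }

    if [ -f "$dst" ] && [ "$(file_sha256 "$src")" = "$(file_sha256 "$dst")" ]; then
        echo "unchanged"
        return 0
    fi
    status="installed"
    [ -f "$dst" ] && status="updated"

    # Write to a temporary name and rename, so an AR firing mid-copy never
    # executes a half-written file.
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp"
    chmod 750 "$tmp"
    # The wodle runs as root on the agent; outside that context (e.g. an
    # unprivileged dry run) the chown is skipped rather than fatal.
    chown root:wazuh "$tmp" 2>/dev/null || true
    mv -f "$tmp" "$dst"
    echo "$status"
}

# Only act on a real agent: when the Wazuh directories are absent the
# functions are defined but nothing is copied.
if [ -d "$SHARED_DIR" ] && [ -d "$AR_BIN" ]; then
    deploy_ar_script "$SHARED_DIR/$SCRIPT_NAME" "$AR_BIN/$SCRIPT_NAME"
fi
```

On Windows the same wodle entry can call a PowerShell copy from C:\Program Files (x86)\ossec-agent\shared\ into C:\Program Files (x86)\ossec-agent\active-response\bin\, as the reply describes. Note what enabling remote commands means in practice: anyone who can write to the group's directory or agent.conf on the manager can now run arbitrary commands as root (or SYSTEM) on every agent in that group, so that write access deserves the same controls as root on the endpoints themselves, and the hash-compare above is there to keep the deployer quiet, not to authenticate the script.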

Jack Martin

Apr 8, 2026, 11:04:51 AM
to Bony V John, Wazuh | Mailing List
Dear Sir,

Thank you for your guidance in resolving the Wazuh issue. Your support helped me solve the problem quickly.

I truly appreciate your help.
