Hi again,
Which Wazuh version are you using? I suppose that you are using 4.1 or a previous version, as from 4.2 active response custom scripts work differently.
I have been testing your active response configuration and scripts are being executed properly, as you said.
As you can see in the following logs, your script is logging the call to /var/ossec/logs/active-responses.log for both rule with ID 550 and rule with ID 554:
Thu Mar 3 15:45:32 UTC 2022 /var/ossec/active-response/bin/syscheck-all.sh add - - 1646322332.560567 550 syscheck /test/b -
Thu Mar 3 15:45:34 UTC 2022 /var/ossec/active-response/bin/syscheck-all.sh add - - 1646322334.560819 554 syscheck /test/c -
This is the output of doing
printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> ${PWD}/../logs/active-responses.log
in syscheck-all.sh (line 37).
We can see that each script argument refers to a component. These arguments are the following (in this order) (ref: https://documentation.wazuh.com/4.1/user-manual/capabilities/active-response/remediation-faq.html#can-i-use-a-custom-script-for-active-responses):
<SCRIPT-NAME> <ACTION> <USER> <IP> <ALERT-ID> <RULE-ID> <AGENT> <FILENAME>
<SCRIPT-NAME> is the name of the script file that is going to be run.
<ACTION> can be delete or add.
<USER> is the user name. It can be - if not set.
<IP> is the source IP. It can be - if not set.
<ALERT-ID> is the alert ID (unique for every alert).
<RULE-ID> is the rule ID.
<AGENT> is the agent ID or hostname.
<FILENAME> is the source path file of the log that triggered the alert (if it exists).
With this information, we know that
- $0 is the script name: /var/ossec/active-response/bin/syscheck-all.sh
- $1 is the action: add
- $2 is the user: -
- $3 is the IP: -
- $4 is the alert ID: 1646322332.560567 and 1646322334.560819
- $5 is the rule ID: 550 and 554
- $6 is the agent: syscheck
- $7 is the filename: /test/b and /test/c
Note that in this case, we have the service (syscheck) instead of agent because we are using syscheck rules.
Summarizing, I am receiving the FILENAME for both rules ($7).
What is being logged in your agents' /var/ossec/logs/active-responses.log file? Having a look at that output will help you know which argument is the filename. In your script, filename is expected to be $8. You can confirm whether filename is at $8 or not by having a look at the log file, as I said.
I hope this helps. If you have more problems, please send the /var/ossec/logs/active-responses.log output. Also, have a look at the ossec.log file with execd in debug mode (how to enable debug mode is in the last comment).
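As an added example (not the syscheck-all.sh script discussed in this thread, and not Wazuh's own code), here is a custom active response script written for the Wazuh 4.1 positional-argument convention described above: it maps $1..$7 to the documented components, logs a record built with %s placeholders instead of expanding the arguments inside the printf format string, treats the "-" placeholder as unset, and only acts on the FILENAME in $7 for an "add" action. The AR_LOG_FILE override, the restriction to rules 550 and 554, the sha256sum action and the argument-count check are assumptions made for this example; the default log path is the one from the thread.

```shell
#!/bin/sh
# Added example of a Wazuh 4.1-style custom active response script.
# Wazuh 4.1 invokes it as:
#   <script> <ACTION> <USER> <IP> <ALERT-ID> <RULE-ID> <AGENT> <FILENAME>
# so $1..$7 are the components in that order ($0 is the script path).
# From 4.2 on the alert is passed as JSON on stdin instead, so a positional
# script like this one would misparse its input there.
# AR_LOG_FILE, the rule 550/554 policy and sha256sum are assumptions.

LOG_FILE="${AR_LOG_FILE:-/var/ossec/logs/active-responses.log}"

# Normalize one component: Wazuh writes "-" for an unset component,
# which is turned into an empty string so callers can test with [ -n ... ].
ar_field() {
    case "$1" in
        -) printf '' ;;
        *) printf '%s' "$1" ;;
    esac
}

# One log record built from the seven components. Every value is passed
# as a %s argument rather than being expanded inside the format string,
# so a filename containing '%' or '\' cannot corrupt or truncate the record.
ar_record() {
    printf 'action=%s user=%s ip=%s alert=%s rule=%s agent=%s file=%s' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Decide whether this invocation should touch the file: only on "add"
# (alert fired; "delete" is the timeout call), only for the syscheck rules
# this script is wired to, and only when FILENAME is set and absolute.
# Usage: ar_should_act ACTION RULE-ID FILENAME
ar_should_act() {
    action="$1"; rule="$2"; file="$3"
    [ "$action" = "add" ] || return 1
    case "$rule" in
        550|554) ;;
        *) return 1 ;;
    esac
    case "$(ar_field "$file")" in
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    # Refuse anything but the 4.1 argument layout rather than guessing.
    if [ "$#" -lt 7 ]; then
        printf '%s %s: expected 7 positional arguments, got %s\n' \
            "$(date)" "$0" "$#" >> "$LOG_FILE"
        exit 1
    fi
    printf '%s %s %s\n' "$(date)" "$0" \
        "$(ar_record "$1" "$2" "$3" "$4" "$5" "$6" "$7")" >> "$LOG_FILE"
    if ar_should_act "$1" "$5" "$7"; then
        if [ -f "$7" ]; then
            # Record a hash of the file syscheck alerted on.
            sha256sum "$7" >> "$LOG_FILE"
        else
            printf 'file %s no longer exists\n' "$7" >> "$LOG_FILE"
        fi
    fi
}

# Run only when execd invokes the script with arguments, so the functions
# above can also be sourced and exercised on their own.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Invoked as in the thread's log lines, `script add - - 1646322332.560567 550 syscheck /test/b`, the script logs `action=add user=- ip=- alert=1646322332.560567 rule=550 agent=syscheck file=/test/b` and then hashes /test/b; a `delete` call, a rule outside 550/554, or a "-" filename is logged but not acted on.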