wazuh manager not collecting active-responses.log


J.Carlos A

Jun 24, 2024, 3:37:18 PM
to Wazuh | Mailing List
Hello,

I have enabled active response in multiple agents and it works fine, except that the files /var/ossec/logs/active-responses.log are not forwarded to the manager, or at least they are not shown in the manager console nor in /var/ossec/logs/alerts/alerts.log.

The manager is version 4.7.3 running on RHEL 9 and the agents are version 4.7.3 running on RHEL 7.9.

All agents have:

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/ossec/logs/active-responses.log</location>
    </localfile>

and the manager is also configured with:

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/ossec/logs/active-responses.log</location>
    </localfile>

Please help to debug this error.

thanks

Nicolas Alejandro Bertoldo

Jun 24, 2024, 5:12:59 PM
to Wazuh | Mailing List
Hi Carlos,

I hope you are fine.
Have you checked that events are being generated in the active-response.log file?
If so, in order to check if the manager is receiving those events, you can temporarily enable <logall_json>. When this option is enabled, Wazuh stores all events in /var/ossec/logs/archives/archives.json, whether or not they trip a rule. By default, Wazuh archives are disabled because they store a large number of logs on the Wazuh server.

Restart the Wazuh manager to apply the configuration changes:
sudo systemctl restart wazuh-manager

Then you can search for events in the archive, for example:
grep "active-response.json" /var/ossec/logs/archives/archives.json

Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

If you do not know how to generate events, you can execute one of the use cases detailed in the documentation: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/index.html

I hope this helps. Please let me know how it went.
Regards

J.Carlos A

Jun 24, 2024, 8:52:00 PM
to Wazuh | Mailing List
Hi Nicolas,

I have enabled logall_json and nothing is found with grep "active-response.json" /var/ossec/logs/archives/archives.json.
If I run grep "active-response" /var/ossec/logs/archives/archives.json, then I get multiple lines containing firewall-drop logs.

I see that in the remote agent the firewall-drop rule is activated; iptables includes DROP rules activated by a blacklist rule used as an example.

However, rule 651 is not fired and no active response alert is shown in the manager.

thanks

Nicolas Alejandro Bertoldo

Jun 25, 2024, 11:17:21 AM
to Wazuh | Mailing List
Hi Carlos,

To do some tests locally, could you share any of the events you get from archives.json?
Please mask all sensitive information while maintaining its nature.

Regards

J.Carlos A

Jun 26, 2024, 2:32:55 PM
to Wazuh | Mailing List
Hi Nicolas,

Please find below some sanitized samples of the logs received in /var/ossec/logs/archives/archives.json:

{"timestamp":"2024-06-25T02:51:42.916+0200","agent":{"id":"012","name":"SERVER01","ip":"192.168.1.10"},"manager":{"name":"wazuhserver"},"id":"1719276702.159189960","full_log":"","decoder":{},"location":"/var/ossec/logs/active-responses.log"}

{"timestamp":"2024-06-25T02:51:42.918+0200","agent":{"id":"012","name":"SERVER01","ip":"192.168.1.10"},"manager":{"name":"wazuhserver"},"id":"1719276702.159189960","full_log":"2024/06/25 02:52:17 active-response/bin/firewall-drop: {\"version\":1,\"origin\":{\"name\":\"firewall-drop\",\"module\":\"active-response\"},\"command\":\"check_keys\",\"parameters\":{\"keys\":[\"12.34.56.78\"]}}","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"data":{"version":"1","origin":{"name":"firewall-drop","module":"active-response"},"command":"check_keys","parameters":{"keys":["12.34.56.78"]}},"location":"/var/ossec/logs/active-responses.log"}

{"timestamp":"2024-06-25T02:51:42.921+0200","agent":{"id":"012","name":"SERVER01","ip":"192.168.1.10"},"manager":{"name":"wazuhserver"},"id":"1719276702.159189960","full_log":"2024/06/25 02:52:17 active-response/bin/firewall-drop: {\"version\":1,\"origin\":{\"name\":\"node01\",\"module\":\"wazuh-execd\"},\"command\":\"abort\",\"parameters\":{\"extra_args\":[],\"alert\":{\"timestamp\":\"2024-06-25T02:51:40.783+0200\",\"rule\":{\"level\":10,\"description\":\"blacklistedIP\",\"id\":\"100002\",\"firedtimes\":8,\"mail\":true,\"groups\":[\"blacklist\",\"attack\"]},\"agent\":{\"id\":\"034\",\"name\":\"SERVER01\",\"ip\":\"192.168.1.10\"},\"manager\":{\"name\":\"wazuhserver\"},\"id\":\"1719276700.159163983\",\"full_log\":\"12.34.56.78 - - [25/Jun/2024:02:52:16 +0200] \\\"GET /fakeURL HTTP/1.1\\\" 403 199 \\\"https://fakedomain.demo/index.html\\\" \\\"Mozilla/5.0 (Windows Phone 10.0; Android 4.1.0; Microsoft) Chrome/123.0 \\\" 4\",\"decoder\":{\"name\":\"web-accesslog\"},\"data\":{\"protocol\":\"GET\",\"srcip\":\"12.34.56.78\",\"id\":\"403\",\"url\":\"/fakeURL\",\"host\":\"fakedomain.demo\"},\"location\":\"/opt/apache2/logs/20240625.log\"},\"program\":\"active-response/bin/firewall-drop\"}}","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"data":{"version":"1","origin":{"name":"node01","module":"wazuh-execd"},"command":"abort","parameters":{"extra_args":[],"alert":{"timestamp":"2024-06-25T02:51:40.783+200","rule":{"level":"10","description":"BlacklistedIP","id":"100002","firedtimes":"8","mail":"true","groups":["blacklist","attack"]},"agent":{"id":"034","name":"SERVER01","ip":"192.168.1.10"},"manager":{"name":"wazuhserver"},"id":"1719276700.159163983","full_log":"12.34.56.78 - - [25/Jun/2024:02:52:16 +0200] \"GET fakeURL HTTP/1.1\" 403 199 \"https://fakedomain.demo/index.html\" \"Mozilla/5.0 (Windows Phone 10.0; Android 4.1.0; Microsoft) Chrome/123.0 \" 4","decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"192.168.1.10","id":"403","url":"/fakeURL","host":"fakedomain.demo"},"location":"/opt/apache2/logs/20240625.log"},"program":"active-response/bin/firewall-drop"}},"location":"/var/ossec/logs/active-responses.log"}

{"timestamp":"2024-06-25T02:51:42.923+0200","agent":{"id":"012","name":"SERVER01","ip":"192.168.1.10"},"manager":{"name":"wazuhserver"},"id":"1719276702.159189960","full_log":"","decoder":{},"location":"/var/ossec/logs/active-responses.log"}

{"timestamp":"2024-06-25T02:51:42.925+0200","agent":{"id":"012","name":"SERVER01","ip":"192.168.1.10"},"manager":{"name":"wazuhserver"},"id":"1719276702.159189960","full_log":"2024/06/25 02:52:17 active-response/bin/firewall-drop: Aborted","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"location":"/var/ossec/logs/active-responses.log"}


thanks


Nicolas Alejandro Bertoldo

Jun 26, 2024, 4:54:12 PM
to Wazuh | Mailing List
Carlos,

Let me run some tests locally and get back to you with an answer.

Regards

Nicolas Alejandro Bertoldo

Jun 27, 2024, 11:45:29 AM
to Wazuh | Mailing List
Hi Carlos, 

In particular, none of the events you have shared generate alerts. Some of them match rule 650, but since it has level="0" it does not generate an alert. You can see this with the help of wazuh-logtest:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.7.4
Type one log per line

2024/06/25 02:52:17 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"abort","parameters":{"extra_args":[],"alert":{"timestamp":"2024-06-25T02:51:40.783+0200","rule":{"level":10,"description":"blacklistedIP","id":"100002","firedtimes":8,"mail":true,"groups":["blacklist","attack"]},"agent":{"id":"012","name":"SERVER01","ip":"192.168.1.10"},"manager":{"name":"wazuhserver"},"id":"1719276700.159163983","full_log":"12.34.56.78 - - [25/Jun/2024:02:52:16 +0200] "GET /fakeURL HTTP/1.1" 403 199 "https://fakedomain.demo/index.html" "Mozilla/5.0 (Windows Phone 10.0; Android 4.1.0; Microsoft) Chrome/123.0 " 4","decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"12.34.56.78","id":"403","url":"/fakeURL","host":"fakedomain.demo"},"location":"/opt/apache2/logs/20240625.log"},"program":"active-response/bin/firewall-drop"}}

**Phase 1: Completed pre-decoding.
full event: '2024/06/25 02:52:17 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"abort","parameters":{"extra_args":[],"alert":{"timestamp":"2024-06-25T02:51:40.783+0200","rule":{"level":10,"description":"blacklistedIP","id":"100002","firedtimes":8,"mail":true,"groups":["blacklist","attack"]},"agent":{"id":"012","name":"SERVER01","ip":"192.168.1.10"},"manager":{"name":"wazuhserver"},"id":"1719276700.159163983","full_log":"12.34.56.78 - - [25/Jun/2024:02:52:16 +0200] "GET /fakeURL HTTP/1.1" 403 199 "https://fakedomain.demo/index.html" "Mozilla/5.0 (Windows Phone 10.0; Android 4.1.0; Microsoft) Chrome/123.0 " 4","decoder":{"name":"web-accesslog"},"data":{"protocol":"GET","srcip":"12.34.56.78","id":"403","url":"/fakeURL","host":"fakedomain.demo"},"location":"/opt/apache2/logs/20240625.log"},"program":"active-response/bin/firewall-drop"}}'

**Phase 2: Completed decoding.
name: 'ar_log_json'
parent: 'ar_log_json'

**Phase 3: Completed filtering (rules).
id: '650'
level: '0'
description: 'Active Response JSON Messages Grouped'
groups: '['ossec', 'active_response']'
firedtimes: '1'
mail: 'False'

In order to help you, I need you to repeat the test that creates the firewall rule and check if the related event is generated in active-responses.log and archives.json. Then please share those events with me.

Thanks.

J.Carlos A

Jun 27, 2024, 5:40:50 PM
to Wazuh | Mailing List
Hi Nicolas,

Thanks to the JSON viewer I have realized that rule 651 is triggering a level 3 alert.
I had previously raised the log alert level to 6 instead of the default 6.
Setting log_alert_level to 3 now shows all active response actions.

Thanks for your support.
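The two findings in this thread (Nicolas's wazuh-logtest run showing rule 650 at level 0, and Carlos's log_alert_level fix) can be reproduced offline with the following script, which is an added example and not code from the thread or from Wazuh. It parses constructed archives.json lines shaped like the samples shared above, lists decoder, origin and command for every event read from active-responses.log, and applies the level threshold; the assumption that a level-0 rule never alerts and that alerts.log only receives alerts whose rule level is at least log_alert_level follows Wazuh's documented behaviour, and the sample content is constructed.

```python
import json

# Constructed sample lines shaped like the sanitized archives.json entries in the
# thread (inner JSON shortened to "{...}"); not taken from any real deployment.
SAMPLE_ARCHIVES = """\
{"timestamp":"2024-06-25T02:51:42.916+0200","agent":{"id":"012","name":"SERVER01"},"full_log":"","decoder":{},"location":"/var/ossec/logs/active-responses.log"}
{"timestamp":"2024-06-25T02:51:42.918+0200","agent":{"id":"012","name":"SERVER01"},"full_log":"2024/06/25 02:52:17 active-response/bin/firewall-drop: {...}","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"data":{"version":"1","origin":{"name":"firewall-drop","module":"active-response"},"command":"check_keys","parameters":{"keys":["12.34.56.78"]}},"location":"/var/ossec/logs/active-responses.log"}
{"timestamp":"2024-06-25T02:51:42.921+0200","agent":{"id":"012","name":"SERVER01"},"full_log":"2024/06/25 02:52:17 active-response/bin/firewall-drop: {...}","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"data":{"version":"1","origin":{"name":"node01","module":"wazuh-execd"},"command":"abort","parameters":{"extra_args":[]}},"location":"/var/ossec/logs/active-responses.log"}
{"timestamp":"2024-06-25T02:51:42.925+0200","agent":{"id":"012","name":"SERVER01"},"full_log":"2024/06/25 02:52:17 active-response/bin/firewall-drop: Aborted","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"location":"/var/ossec/logs/active-responses.log"}
"""

AR_LOG = "/var/ossec/logs/active-responses.log"


def summarize_ar_events(text):
    """Return one (timestamp, decoder, origin, command) tuple per archives.json
    line that came from active-responses.log; blank/undecoded entries (empty
    full_log, empty decoder, no data block) are kept and shown as '-'."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written last line in archives.json
        if ev.get("location") != AR_LOG:
            continue
        decoder = (ev.get("decoder") or {}).get("name", "-")
        data = ev.get("data") or {}
        origin = (data.get("origin") or {}).get("name", "-")
        rows.append((ev["timestamp"], decoder, origin, data.get("command", "-")))
    return rows


def reaches_alerts_log(rule_level, log_alert_level):
    """Assumption from Wazuh's documented semantics: level 0 never produces an
    alert, and alerts.log only stores alerts with level >= log_alert_level."""
    return rule_level > 0 and rule_level >= log_alert_level


if __name__ == "__main__":
    for row in summarize_ar_events(SAMPLE_ARCHIVES):
        print(row)
    # rule 650 (level 0) vs rule 651 (level 3) under the two thresholds from the thread
    for level in (0, 3):
        for threshold in (6, 3):
            print(f"rule level {level}, log_alert_level {threshold}: "
                  f"{reaches_alerts_log(level, threshold)}")
```

Running it shows why only the threshold change made the rule 651 alerts visible: level 0 never reaches alerts.log, and level 3 only does once log_alert_level is 3 or lower.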