Logic for /var/ossec/logs/active-responses.log


Camar H.

Feb 26, 2025, 1:22:03 PM
to Wazuh | Mailing List
Hi,
Active response logs are distributed to all agents, even if the agent is not involved in the active response. It's very confusing because I can't find any logic.
The /var/ossec/logs/active-responses.log file may have a different content depending on whether it is on the Manager or on the agents.

On the manager, this file is full of:
Mon Jan 27 16:05:01 CET 2025 active-response/bin/restart.sh manager
Wed Feb 5 15:35:57 CET 2025 active-response/bin/restart.sh manager
Wed Feb 5 15:42:25 CET 2025 active-response/bin/restart.sh manager
Wed Feb 5 15:44:11 CET 2025 active-response/bin/restart.sh manager
Wed Feb 12 11:18:53 CET 2025 active-response/bin/restart.sh manager
Wed Feb 19 09:43:26 CET 2025 active-response/bin/restart.sh manager
Wed Feb 19 09:48:15 CET 2025 active-response/bin/restart.sh manager

On agents, it's a bit more verbose:
2025/02/26 06:15:57 active-response/bin/host-deny: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add",.........

It could also be "delete" or "continue".

I run Wazuh on a single node with Docker.

On the Manager, the AR tags are set for the firewall-drop and hosts-deny commands.
On the agents, the AR tags are set to disabled "NO", but they are empty (no commands).

Do you have any clarification on how the AR logs work?
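To make the two shapes concrete, here is an added example (not from this thread and not Wazuh's own code) that classifies active-responses.log lines into the manager-side form and the agent-side JSON form and pulls out the add/delete/continue command. The sample lines are constructed, and the JSON payload is cut down to the fields visible in the post above.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the two line shapes described in the thread.
# The real agent-side JSON continues with more fields; only those shown
# in the post are kept here.
SAMPLE_LOG = """\
Wed Feb 19 09:48:15 CET 2025 active-response/bin/restart.sh manager
2025/02/26 06:15:57 active-response/bin/host-deny: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add"}
2025/02/26 06:25:57 active-response/bin/host-deny: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete"}
2025/02/26 06:26:00 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"continue"}
garbage line that matches neither shape
"""

# Manager side: "<date(1) output> <script> <target>" (extra spaces before the day are fine).
MANAGER_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ \d{4}) "
    r"(?P<script>active-response/bin/\S+) (?P<target>\S+)$")
# Agent side: "<YYYY/MM/DD HH:MM:SS> <script>: <json payload from wazuh-execd>".
AGENT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<script>active-response/bin/[^:\s]+): (?P<payload>\{.*\})$")

@dataclass
class AREvent:
    timestamp: str
    script: str
    kind: str                      # "manager" or "agent"
    command: Optional[str] = None  # add / delete / continue (agent lines only)
    origin: Optional[str] = None   # node that issued the command (agent lines only)
    target: Optional[str] = None   # e.g. "manager" on the manager-side lines

def parse_line(line):
    """Return an AREvent for a recognised line, or None for anything else."""
    line = line.rstrip("\n")
    m = AGENT_RE.match(line)
    if m:
        try:
            payload = json.loads(m.group("payload"))
        except json.JSONDecodeError:
            return None  # truncated or hand-edited payload: do not guess
        return AREvent(m.group("ts"), m.group("script"), "agent",
                       command=payload.get("command"),
                       origin=payload.get("origin", {}).get("name"))
    m = MANAGER_RE.match(line)
    if m:
        return AREvent(m.group("ts"), m.group("script"), "manager",
                       target=m.group("target"))
    return None

def summarize(text):
    """Count lines per shape and command, so the file's mix is visible at a glance."""
    counts = {}
    for line in text.splitlines():
        ev = parse_line(line)
        key = "unparsed" if ev is None else f"{ev.kind}:{ev.command or ev.target}"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Running summarize() over the file from each host shows whether it holds only restart.sh entries (manager side) or the execd JSON commands (agent side), which is the difference the post describes.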

Matías Mercado

Feb 26, 2025, 4:33:02 PM
to Wazuh | Mailing List
Hi,

I think the image on this documentation is going to clarify your question: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html
The active-response.log contains the module log; you will find information about whether it's running or not, and error logs. That is why you are seeing events from all your agents and server. The alerts generated by the active response script/executable are in alerts.json or archives.json (step 8).

Regards,
Matías.