Active response logging


OSSIM Notify

Jun 29, 2021, 2:46:53 PM
to wa...@googlegroups.com
Hello all,

I have added a custom active response script on our Wazuh 4.0.4 server.  I defined the correct <command> and <active-response> blocks in ossec.conf and it triggers and executes correctly as expected.

However, one issue we are facing is that even though the active response script triggers correctly, it is not logging the action to the server's /var/ossec/logs/active-responses.log file.  Did we miss a step in the setup of the new action?

We would like to have this action included in the active-responses.log file so that we can track it in a new rule similar to Rule IDs 601, 602, etc.  Any assistance with this would be greatly appreciated.  Thanks in advance.

Mariano Koremblum

Jun 29, 2021, 10:35:26 PM
to Wazuh mailing list
Hi Ossim!

Could you please share your active-response configuration with us? Can you also tell us exactly how you are testing this? Any other information you think could be useful to fully understand your problem will be much appreciated.

Best Regards,

Mariano Koremblum

OSSIM Notify

Jun 30, 2021, 5:41:29 PM
to Mariano Koremblum, Wazuh mailing list
Hi Mariano,

Thanks for the prompt reply.  Below is our active response configuration:

<command>
  <name>post-bhr</name>
  <executable>post-bhr.php</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>post-bhr</command>
  <location>server</location>
  <rules_id>31104,31508,31516</rules_id>
  <timeout>600</timeout>
</active-response>

Everything works as expected except for logging.  Whenever the Wazuh server receives an event from an agent that matches rule ID 31104, 31508 or 31516, it executes the server-side script placed in /var/ossec/active-response/bin/post-bhr.php.  However, this active response activity is not logged in /var/ossec/logs/active-responses.log on either the server or the agent.  We expected to find this activity on the server, since that is where the script lives and we specified server in the <location> tag.

Thoughts?


Mariano Koremblum

Jul 1, 2021, 3:28:17 PM
to Wazuh mailing list

Hi Ossim!

The active-responses.log file is intentionally meant to be written, in syslog format, by the AR scripts themselves; it is not automatically filled with AR activity. So, since you have created a custom script, I assume it does not write any logs into this file, and that is why you don't see any logs when the AR runs even though it is performing well.

If you want to check some AR activity, you must write execd.debug=1 to your /var/ossec/etc/local_internal_options.conf file and then look for events in the ossec.log file, such as the following one:

2021/07/01 19:21:05 wazuh-execd[10860] execd.c:521 at ExecdStart(): DEBUG: Executing command 'active-response/bin/test.sh {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2021-07-01T19:21:05.637+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","invalid_login","authentication_failed"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-master"},"manager":{"name":"wazuh-master"},"id":"1625167265.151304","full_log":"Jul  1 19:21:04 wazuh-master sshd[11910]: Invalid user asffsa from 192.168.200.1 port 36346","predecoder":{"program_name":"sshd","timestamp":"Jul  1 19:21:04","hostname":"wazuh-master"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.200.1","srcport":"36346","srcuser":"asffsa"},"location":"/var/log/secure"},"program":"active-response/bin/test.sh"}}'

Take into account that enabling debug may considerably increase the number of log lines written to the ossec.log file.

I hope my answer helps you!

Best Regards,

Mariano
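Added example, not code from this thread or from the Wazuh project: a skeleton of what a custom active-response script has to do itself so that its runs show up in active-responses.log, as Mariano describes above. It assumes the pre-JSON positional-argument interface that Wazuh 4.0.x uses when a <command> carries <expect>srcip</expect> (action, user, srcip, alert id, rule id; the JSON payload in the debug line above is the newer stdin interface of later 4.x releases), and it assumes the log-line shape used by the stock scripts: a date prefix followed by script, action, user, srcip, alert id and rule id. The remediation step (`remediate`) and the `AR_LOG` override variable are hypothetical placeholders for whatever post-bhr.php actually does.

```shell
#!/bin/sh
# Added example (not from the thread, not Wazuh's own code): skeleton of a
# custom active-response script for Wazuh 4.0.x, which invokes the script
# with positional arguments rather than JSON on stdin:
#   $1 action (add|delete)  $2 user  $3 srcip  $4 alert id  $5 rule id
# The bookkeeping the thread says the script must do itself is appending one
# syslog-style line per run to active-responses.log, in the same shape the
# stock scripts use, so the manager can decode it and a rule can alert on it.

# Log destination; the environment override is an assumption added for testing.
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# Format one log line: "<date> <script> <action> <user> <srcip> <alert> <rule>".
# The timestamp is a parameter so the format can be checked deterministically.
ar_format_line() {
    # $1 timestamp, $2 script, $3 action, $4 user, $5 srcip, $6 alert id, $7 rule id
    printf '%s %s %s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# srcip comes straight from the alert, i.e. from attacker-influenced log data.
# Refuse anything that is not a dotted-quad IPv4 before it reaches a command
# line or an HTTP request. Returns 0 when valid.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    rest=$1 n=0
    while :; do
        oct=${rest%%.*}
        [ "$oct" -le 255 ] 2>/dev/null || return 1
        n=$((n + 1))
        [ "$rest" = "$oct" ] && break
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# execd only ever sends add or delete; anything else is a misconfiguration.
is_action() {
    case "$1" in
        add|delete) return 0 ;;
        *) return 1 ;;
    esac
}

# Hypothetical remediation step. Replace with the real action (for example the
# HTTP post that the original poster's post-bhr.php performs).
remediate() {
    : "$1" "$2"   # action, srcip
}

# Entry point for execd: validate, log, then act. Logging happens before the
# action so that a failed remediation is still visible in active-responses.log.
ar_main() {
    action=$1; user=$2; srcip=$3; alert_id=$4; rule_id=$5
    script=$(basename "$0")
    is_action "$action" || { echo "invalid action: $action" >&2; return 1; }
    is_ipv4 "$srcip"    || { echo "invalid srcip: $srcip" >&2; return 1; }
    ar_format_line "$(date)" "$script" "$action" "${user:--}" "$srcip" \
        "$alert_id" "$rule_id" >> "$AR_LOG"
    remediate "$action" "$srcip"
}

# Only run when execd invokes us with arguments; sourcing the file leaves the
# functions defined without side effects.
if [ $# -ge 3 ]; then
    ar_main "$@"
fi
```

The resulting line looks like `Thu Jul  1 19:21:05 UTC 2021 post-bhr.php add - 192.168.200.1 1625167265.151304 5710`, which is the shape the existing active-responses.log rules (601, 602 and neighbours) are built on, so a custom rule for post-bhr.php can match on the script name the same way. While developing the script, the execd.debug=1 setting Mariano mentions confirms that execd actually invoked it, independently of whether the script logged anything.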

OSSIM Notify

Jul 2, 2021, 2:36:52 PM
to Mariano Koremblum, Wazuh mailing list
Hi Mariano,

Thank you very much for this clarification.  I did not realize that I had to manually write to active-responses.log for any custom scripts.  This was very helpful!

Mariano Koremblum

Jul 3, 2021, 9:23:47 AM
to Wazuh mailing list
You are welcome Ossim, we are here to help you whenever you need us :)

Best Regards,

Mariano Koremblum