Good Morning,
We have two Wazuh environments: our test environment is an all-in-one installation and our production environment is a two-node (master-worker) Wazuh cluster.
We have the identical AR configuration for both environments, but it is only currently working in the test environment. The scripts do not trigger in the production environment nor are the actions logged.
We checked the agents in each environment and neither has AR disabled locally in the agent's ossec.conf. We also verified that the ossec.conf on Master and Worker are identical, and both nodes have been restarted in the cluster to ensure that changes have taken effect. Any ideas?
Below is the AR configuration on the cluster nodes:
<command>
  <name>post-bhr</name>
  <executable>post-bhr.php</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<command>
  <name>ossec-slack</name>
  <executable>ossec-slack.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>post-bhr</command>
  <location>server</location>
  <rules_id>3357,5551,5712,5720,31105,31110,31516,31152,31153,31154,31411,31508,31510,100010,100011,100030</rules_id>
  <timeout>604800</timeout>
</active-response>

<active-response>
  <command>ossec-slack</command>
  <location>server</location>
  <rules_id>100032</rules_id>
</active-response>