Wazuh Active Response not working when it's deployed in a Docker container, as shown in the attached image below.


Anand Kumar

May 9, 2026, 6:55:22 AM
to Wazuh | Mailing List
Hi Team, 

I've configured an active response that will trigger based on the rule group match and Sysmon event ID; I've attached the ossec.conf file for review. I have the send_file.py file that will transfer the files to the specific server.
I tried and tested it manually on the wazuh-manager deployed on a Linux server, and it's working fine. The log and alert are generated as shown in the attached image.
Screenshot 2026-05-09 040445.png


And the active response is triggered and the details are logged properly in the log file on the system.

But when the same ossec.conf is used in the Wazuh manager deployed in a Docker container, it fails to trigger the active response and execute the file.

However, the alert is generated.

Screenshot 2026-05-09 041029.png

But the active response log file is empty.

I've attached the ossec.log file for review from the Windows machine on which it is not working.

Wazuh Version: 4.8.2

Screenshot 2023-06-19 232533.png
ossec.log
wazuh_manager.conf

hasitha.u...@wazuh.com

12:47 AM (10 hours ago)
to Wazuh | Mailing List
Hi Anand,
Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.

hasitha.u...@wazuh.com

1:14 AM (9 hours ago)
to Wazuh | Mailing List

Hi Anand,

The core issue appears to be that, in the Docker deployment, the Wazuh agent (or the manager’s internal components) cannot find the file:

/var/ossec/etc/shared/ar.conf

This file is required to validate and distribute Active Response commands.

The reason it works on a bare-metal Linux installation is that the required files and directories are automatically created during installation. In Docker deployments, volume mounts or container entrypoint behavior can sometimes override or skip these files unless they are explicitly mounted.

Please note that the ar.conf file (Active Response status file) should always be sent to agents, even if it is not present in the group folder.

To resolve this, please ensure that ar.conf exists and is properly mounted into the container. This is the most common fix for this issue.

Update your docker-compose.yml for the Wazuh manager service as follows:

  volumes:
    - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

    # Mount ar.conf
    - ./config/wazuh_cluster/ar.conf:/wazuh-config-mount/etc/shared/ar.conf

    # Mount custom active response scripts if required
    - ./config/active-response:/var/ossec/active-response/bin

After making the changes, restart the stack:

docker compose down
docker compose up -d

Also, if the ossec.conf file is not mounted properly, the configuration will not persist after restarting Docker Compose. Therefore, it is important to mount it as shown above.

On the Windows agent side:

  1. Verify whether the file is created under: C:\Program Files (x86)\ossec-agent\shared

  2. Trigger the alert again.

  3. Check the Active Response logs on the Windows agent:

type "C:\Program Files (x86)\ossec-agent\active-response\active-responses.log"

Please let me know the results after these changes so we can continue troubleshooting if needed.

Ref: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html
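The checks the reply asks for on the manager side (ar.conf present, the response script in place and executable, the <command> block referencing it, and the active-responses log) can be run as one pre-flight script before triggering the alert again. The script below is an added example, not part of the thread or of the Wazuh project. It assumes the standard manager layout under /var/ossec (override the root to point it at a bind-mounted copy or a test tree) and that the response script is named send_file.py as in the original post; the "send-file" command name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: pre-flight checks for Wazuh Active Response on the manager.
# Usage: check_ar_prereqs [ROOT] [SCRIPT]   (defaults: /var/ossec, send_file.py)
# Returns 0 when every required piece is present, 1 otherwise.

check_ar_prereqs() {
  root="${1:-/var/ossec}"          # assumption: default Wazuh install root
  script="${2:-send_file.py}"      # script name taken from the original post
  status=0

  # 1. ar.conf must exist and be non-empty; without it the manager cannot
  #    distribute Active Response commands to agents.
  if [ -s "$root/etc/shared/ar.conf" ]; then
    echo "OK   ar.conf present: $root/etc/shared/ar.conf"
  else
    echo "FAIL ar.conf missing or empty: $root/etc/shared/ar.conf"
    status=1
  fi

  # 2. The response script must be in active-response/bin and executable
  #    (a bind mount from a host checkout often loses the exec bit).
  if [ -x "$root/active-response/bin/$script" ]; then
    echo "OK   script executable: $root/active-response/bin/$script"
  else
    echo "FAIL script missing or not executable: $root/active-response/bin/$script"
    status=1
  fi

  # 3. ossec.conf must name the script in a <command><executable> element,
  #    otherwise no <active-response> block can reference it.
  if grep -q "<executable>[[:space:]]*$script[[:space:]]*</executable>" \
       "$root/etc/ossec.conf" 2>/dev/null; then
    echo "OK   ossec.conf references $script in a <command> block"
  else
    echo "FAIL ossec.conf does not reference $script in a <command> block"
    status=1
  fi

  # 4. Informational: show the last recorded response, if any.
  log="$root/logs/active-responses.log"
  if [ -s "$log" ]; then
    echo "INFO last active-response entry:"
    tail -n 1 "$log"
  else
    echo "INFO $log is empty or absent (expected until a response fires)"
  fi

  return "$status"
}

# Example invocation inside the manager container (placeholder service name):
#   docker compose exec wazuh.manager sh -c "$(cat check_ar.sh); check_ar_prereqs"
```

Run it inside the manager container after the compose changes; a FAIL on the first check is the symptom described in this thread, and a FAIL on the second is the next most common cause when the script directory is bind-mounted from the host.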
