Custom Active Response Not Executing on Wazuh Agent


Prince

Dec 26, 2025, 2:09:02 AM
to Wazuh | Mailing List

Hello Team,

I hope you are doing well.

I am facing an issue with a custom active response configured on the Wazuh server, which is not executing on the agent side.

Configuration Details

Active response script path (Server):
/var/ossec/active-response/bin/f2b-unban.sh

Script content:
The script simply logs a success message to verify execution.

Command configuration:

<command> 
 <name>f2b-unban</name> 
 <executable>f2b-unban.sh</executable> 
 <timeout_allowed>yes</timeout_allowed> 
</command>

Active response configuration:

<active-response> 
 <command>f2b-unban</command> 
 <location>all</location> 
 <timeout>0</timeout> 
</active-response>

Verification:

When running agent_control, the active response appears correctly:

Response name: f2b-unban0, command: f2b-unban.sh

I trigger the response using the following command:

sudo /var/ossec/bin/agent_control -b 172.24.1.1 -f f2b-unban0 -a

The output confirms execution:

Wazuh agent_control: Running active response 'f2b-unban0' on: all

Although the command executes successfully from the server side, the script does not run on the agent, and no corresponding log entry is generated on the agent system.

Request

Could you please help identify why the active response is not being executed on the agent side?
Kindly let me know if additional configuration, permissions, or agent-side deployment is required.

Thank you for your time and support.

Cedrick Foko

Dec 26, 2025, 4:20:24 AM
to Wazuh | Mailing List
Hello Prince,
In order to execute the script on the agents, you need to add your custom active response script or executable to the /var/ossec/active-response/bin directory on Linux/Unix endpoints.
After that, change the script permissions and ownership with the following commands:

sudo chmod 750 /var/ossec/active-response/bin/<CUSTOM_SCRIPT>
sudo chown root:wazuh /var/ossec/active-response/bin/<CUSTOM_SCRIPT>

For further troubleshooting, you can check the /var/ossec/logs/active-responses.log file on your agents after adding the script. Please share that file from one of the agents with me for analysis.
Also, share the output of the following command from your manager:
grep 'active-response' /var/ossec/logs/ossec.log
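
The agent-side checks from the reply above, as an added example that is not part of the thread and not Wazuh's own tooling. The function names check_ar_script and ar_log_hits and the AR_DIR/AR_LOG overrides are hypothetical; it assumes GNU or busybox stat and that the custom script writes its own name to active-responses.log.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for a custom active response
# script, run on the agent. Expected mode/owner/group default to the values in
# the reply above. AR_DIR and AR_LOG are overridable so it can be tested.
AR_DIR="${AR_DIR:-/var/ossec/active-response/bin}"
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# check_ar_script NAME [MODE] [OWNER] [GROUP]
# Prints one line per finding; returns 0 only if every check passes.
check_ar_script() {
    name=$1; want_mode=${2:-750}; want_owner=${3:-root}; want_group=${4:-wazuh}
    path="$AR_DIR/$name"; rc=0

    if [ ! -f "$path" ]; then
        echo "FAIL: $path not found on this endpoint"
        return 1
    fi

    # stat -c: octal mode, owner name, group name (GNU/busybox syntax).
    set -- $(stat -c '%a %U %G' "$path")
    [ "$1" = "$want_mode" ]  || { echo "FAIL: mode $1, expected $want_mode"; rc=1; }
    [ "$2" = "$want_owner" ] || { echo "FAIL: owner $2, expected $want_owner"; rc=1; }
    [ "$3" = "$want_group" ] || { echo "FAIL: group $3, expected $want_group"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $path is $want_mode $want_owner:$want_group"
    return "$rc"
}

# ar_log_hits NAME
# Prints how many lines of the agent's active response log mention NAME
# (0 if the log is missing or has no match). Assumes the script logs its name.
ar_log_hits() {
    [ -r "$AR_LOG" ] || { echo 0; return 0; }
    grep -c -F -- "$1" "$AR_LOG" || true
}

# Stand-alone use on an agent: sh preflight.sh f2b-unban.sh
if [ "$#" -gt 0 ]; then
    check_ar_script "$@"
    echo "log lines mentioning $1: $(ar_log_hits "$1")"
fi
```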
