Hello Wali,
Of course, here is the JSON sent with the active response that I can't parse:
```json
{"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2023-10-02T15:54:58.461+0000","rule":{"level":5,"description":"sshd: authentication failed","id":"119999","frequency":3,"firedtimes":1,"mail":false,"groups":["local","syslog","sshd","authentication_failed"],"pci_dss":["10.2.4","10.2.5"]},"agent":{"id":"005","name":"server","ip":"111.111.111.111"},"manager":{"name":"suricate"},"id":"1696262098.4657309","previous_output":"{"reqId":"Y7pWv2x5b1vQzqWow1Qu","level":2,"time":"2023-10-02T17:54:54+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","url":"/index.php/login?user=root","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"}n{"reqId":"j2zF5LRCxQgALLkT6w58","level":2,"time":"2023-10-02T17:54:51+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","url":"/index.php/login?user=root","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"}","full_log":"{"reqId":"M1xhbTkx2gH5iwxvD1lg","level":2,"time":"2023-10-02T17:54:57+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","url":"/index.php/login?user=root","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"}","decoder":{"name":"json"},"data":{"url":"/index.php/login?user=root","reqId":"M1xhbTkx2gH5iwxvD1lg","level":"2","time":"2023-10-02T17:54:57+02:00","remoteAddr":"222.222.222.222","user":"--","app":"core","method":"POST","message":"Login failed: 'root' (Remote IP: '222.222.222.222')"},"location":"/var/www/server/stockage/server.log"},"program":"active-response/bin/test.sh"}}
```
Here is the beginning of my script that parses the message and the command:
![2023-10-02 18_09_25-Window.png](https://groups.google.com/group/wazuh/attach/1a21a50792e1b/2023-10-02%2018_09_25-Window.png?part=0.1&view=1)
You can try to echo the JSON piped into jq; you will get an error because the JSON is included in the parent JSON for "previous_output". previous_output contains the 2 last fired rule alerts because mine is triggered only when the other is fired 3 times.

This would mean that we cannot parse any JSON from an alert that would be triggered by a log line already in JSON format? I can't believe the developers forgot this detail, I must have missed something...
Thanks, regards
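An added example (not code from the post or from Wazuh) of how an active-response script can read such a message in Python: the nested log lines in full_log and previous_output are split on newlines and parsed one at a time, and a line that is not JSON is skipped rather than aborting the response. It assumes the manager delivers the outer JSON with those string fields properly escaped (the paste above has lost its backslashes); the field names follow the message above and the sample data is constructed.

```python
#!/usr/bin/env python3
"""Parse a wazuh-execd active-response message whose full_log and
previous_output fields hold JSON log lines (constructed sample data)."""
import json

# Constructed inner log lines, shaped like the ones in the post.
_INNER = [
    {"reqId": "Y7pWv2x5b1vQzqWow1Qu", "level": 2, "remoteAddr": "222.222.222.222",
     "url": "/index.php/login?user=root", "message": "Login failed: 'root'"},
    {"reqId": "j2zF5LRCxQgALLkT6w58", "level": 2, "remoteAddr": "222.222.222.222",
     "url": "/index.php/login?user=root", "message": "Login failed: 'root'"},
]
_CURRENT = {"reqId": "M1xhbTkx2gH5iwxvD1lg", "level": 2, "remoteAddr": "222.222.222.222",
            "url": "/index.php/login?user=root", "message": "Login failed: 'root'"}

# Constructed execd message. previous_output is the earlier alerts joined by "\n";
# json.dumps escapes the inner quotes and newline, so the outer document stays valid.
SAMPLE_MESSAGE = json.dumps({
    "version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "119999", "level": 5, "frequency": 3},
            "agent": {"id": "005", "name": "server"},
            "previous_output": "\n".join(json.dumps(x) for x in _INNER),
            "full_log": json.dumps(_CURRENT),
            "decoder": {"name": "json"},
        },
        "program": "active-response/bin/test.sh",
    },
})

def nested_json_lines(field):
    """Parse a string field holding one JSON log line per line; skip non-JSON lines."""
    records = []
    for line in (field or "").splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a stray non-JSON line must not break the whole response
    return records

def parse_active_response(message):
    """Return (command, rule id, sorted remote addresses) from an execd message."""
    msg = json.loads(message)
    alert = msg["parameters"]["alert"]
    logs = nested_json_lines(alert.get("full_log")) + nested_json_lines(alert.get("previous_output"))
    return msg["command"], alert["rule"]["id"], sorted({r["remoteAddr"] for r in logs if "remoteAddr" in r})

if __name__ == "__main__":
    print(parse_active_response(SAMPLE_MESSAGE))
```

In a real active response the message arrives on stdin, so replace SAMPLE_MESSAGE with `sys.stdin.read()` there.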