I have a problem with Wazuh alerts.


Sebastian Cuadro

Apr 10, 2026, 12:49:34 AM (4 days ago) Apr 10
to Wazuh | Mailing List
I have a problem with Wazuh alerts.

tail -f /var/ossec/logs/ossec.log
2026/04/10 01:29:24 wazuh-analysisd: WARNING: (1272): Invalid username 'N/A'. Possible logging attack.
2026/04/10 01:29:25 wazuh-analysisd: WARNING: (1272): Invalid username 'N/A'. Possible logging attack.
2026/04/10 01:29:27 wazuh-analysisd: WARNING: (1272): Invalid username 'N/A'. Possible logging attack.
2026/04/10 01:29:31 wazuh-analysisd: WARNING: (1272): Invalid username 'N/A'. Possible logging attack.
2026/04/10 01:29:48 wazuh-analysisd: WARNING: (1272): Invalid username 'N/A'. Possible logging attack.

This is the configuration being tested:

<command>
  <name>firewall-drop-fortigate</name>
  <executable>firewall-drop-fortigate.bash</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>firewall-drop-fortigate</command>
  <location>server</location>
  <rules_id>100849</rules_id>
  <timeout>57600</timeout>
</active-response>

<active-response>
  <command>firewall-drop-fortigate</command>
  <location>server</location>
  <rules_id>100850,100852,800012,120010,120011,120012</rules_id>
  <timeout>57600</timeout>
  <disabled>no</disabled>
</active-response>

<group name="local,fortigate,vpn,">

  <rule id="100849" level="12">
    <if_sid>81637</if_sid>
    <match>status="failure"</match>
    <field name="xauthuser">^N/A$</field>
    <field name="vpntunnel">^N/A$</field>
    <description>Fortigate VPN: authentication failure with no identified user from IP $(srcip). Possible external/invalid attempt.</description>
    <group>fortigate,vpn,authentication_failed,unknown_user,external_probe,</group>
  </rule>

  <rule id="100850" level="12" frequency="4" timeframe="300">
    <if_matched_sid>100849</if_matched_sid>
    <same_srcip />
    <description>Fortigate VPN: multiple authentication failures with no identified user from IP $(srcip). Possible external/invalid attempt.</description>
    <group>fortigate,vpn,authentication_failures,unknown_user,external_probe,bruteforce,</group>
  </rule>

  <rule id="100851" level="7">
    <if_sid>81637</if_sid>
    <match>status="failure"</match>
    <field name="xauthuser" negate="yes">^N/A$</field>
    <field name="vpntunnel" negate="yes">^N/A$</field>
    <description>Fortigate VPN: authentication failure for user $(xauthuser) from IP $(srcip) on tunnel $(vpntunnel).</description>
    <group>fortigate,vpn,authentication_failed,known_user,</group>
  </rule>

  <rule id="100852" level="12" frequency="4" timeframe="300">
    <if_matched_sid>100851</if_matched_sid>
    <same_srcip />
    <description>Fortigate VPN: multiple authentication failures from IP $(srcip). Last user: $(xauthuser). Tunnel: $(vpntunnel).</description>
    <group>fortigate,vpn,authentication_failures,known_user,bruteforce,</group>
  </rule>

</group>

The other alerts work perfectly:

2026-04-10 00:31:07 - Unblocked 47.128.25.190 – removed object AutoBlock-47.128.25.190-10-04-2026_00-13-41
2026-04-10 00:33:48 - Blocked 185.191.171.1 as AutoBlock-185.191.171.1-10-04-2026_00-33-48
2026-04-10 00:33:49 - Blocked 185.191.171.10 as AutoBlock-185.191.171.10-10-04-2026_00-33-49
2026-04-10 00:47:28 - Blocked 47.128.117.50 as AutoBlock-47.128.117.50-10-04-2026_00-47-27
2026-04-10 00:53:28 - Blocked 18.97.9.101 as AutoBlock-18.97.9.101-10-04-2026_00-53-28
2026-04-10 00:55:17 - Blocked 185.254.75.42 as AutoBlock-185.254.75.42-10-04-2026_00-55-17

Also, the wazuh-logtest confirms that rule 100849 matches correctly and that an alert should be generated.

For some reason, the alert is generated, but it does not trigger the active response.

Example event: 

time=01:29:31 devname=\"fw-externo-noreste\" devid=\"FGT80FTK24019981\" eventtime=1775795371000172379 tz=\"-0300\" logid=\"0101037128\" type=\"event\" subtype=\"vpn\" level=\"error\" vd=\"root\" logdesc=\"Progress IPsec phase 1\" msg=\"progress IPsec phase 1\" action=\"negotiate\" remip=167.58.119.189 locip=164.73.250.190 remport=500 locport=500 outintf=\"wan1\" srccountry=\"Uruguay\" cookies=\"fb2101e854550ca6/0000000000000000\" user=\"N/A\" group=\"N/A\" useralt=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"N/A\" status=\"failure\" init=\"remote\" exch=\"SA_INIT\" dir=\"inbound\" role=\"responder\" result=\"ERROR\" version=\"IKEv2\" fctuid=\"N/A\" advpnsc=0","decoder":{"name":"fortigate-firewall-v5"},"data":{"action":"negotiate","srcip":"167.58.119.189","dstuser":"N/A","status":"failure","assignip":"N/A","cookies":"fb2101e854550ca6/0000000000000000","devid":"FGT80FTK24019981","devname":"fw-externo-noreste","eventtime":"1775795371000172379","group":"N/A","level":"error","locip":"164.73.250.190","locport":"500","logdesc":"Progress IPsec phase 1","logid":"0101037128","msg":"progress IPsec phase 1","outintf":"wan1","remport":"500","srccountry":"Uruguay","subtype":"vpn","time":"01:29:31","type":"event","vd":"root","vpntunnel":"N/A","xauthgroup":"N/A","xauthuser":"N/A"},"location":"164.73.191.51"}


Bony V John

Apr 10, 2026, 1:10:39 AM (4 days ago) Apr 10
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Apr 10, 2026, 2:23:08 AM (4 days ago) Apr 10
to Wazuh | Mailing List

Hi,

I have reviewed the configuration and rules you shared, and it seems some corrections are required.

Regarding your active response configuration in the Wazuh manager ossec.conf file, I can see that there are two <active-response> blocks triggering the same script, with no difference in location or timeout. The only difference is the rule IDs used.

Instead of maintaining multiple blocks, you can simplify this by using a single <active-response> block and including all rule IDs together, as shown below:


<command>
  <name>firewall-drop-fortigate</name>
  <executable>firewall-drop-fortigate.bash</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>firewall-drop-fortigate</command>
  <location>server</location>
  <rules_id>100849,100850,100852,800012,120010,120011,120012</rules_id>
  <timeout>57600</timeout>
</active-response>


Then save the file and restart the manager:
systemctl restart wazuh-manager

This helps avoid duplicate active response configurations.

In the case of your custom rules, rule IDs 100850 and 100852 require a syntax correction.

You have used <same_srcip/>, but this will not work because there is no field named srcip in the decoded event. The source IP is mapped to the remip field.

Because of this, the rule will not trigger as expected. You should replace <same_srcip/> with:

<same_field>remip</same_field>


This ensures the rule checks whether the remip value is the same before triggering.

You can use the updated rules below:

<group name="local,fortigate,vpn,">

  <rule id="100849" level="12">
    <if_sid>81637</if_sid>
    <match>status="failure"</match>
    <field name="xauthuser">^N/A$</field>
    <field name="vpntunnel">^N/A$</field>
    <description>Fortigate VPN: authentication failure with no identified user from IP $(srcip). Possible external/invalid attempt.</description>
    <group>fortigate,vpn,authentication_failed,unknown_user,external_probe,</group>
  </rule>

  <rule id="100850" level="12" frequency="4" timeframe="300">
    <if_matched_sid>100849</if_matched_sid>
    <same_field>remip</same_field>

    <description>Fortigate VPN: multiple authentication failures with no identified user from IP $(srcip). Possible external/invalid attempt.</description>
    <group>fortigate,vpn,authentication_failures,unknown_user,external_probe,bruteforce,</group>
  </rule>

  <rule id="100851" level="7">
    <if_sid>81637</if_sid>
    <match>status="failure"</match>
    <field name="xauthuser" negate="yes">^N/A$</field>
    <field name="vpntunnel" negate="yes">^N/A$</field>
    <description>Fortigate VPN: authentication failure for user $(xauthuser) from IP $(srcip) on tunnel $(vpntunnel).</description>
    <group>fortigate,vpn,authentication_failed,known_user,</group>
  </rule>

  <rule id="100852" level="12" frequency="4" timeframe="300">
    <if_matched_sid>100851</if_matched_sid>
    <same_field>remip</same_field>

    <description>Fortigate VPN: multiple authentication failures from IP $(srcip). Last user: $(xauthuser). Tunnel: $(vpntunnel).</description>
    <group>fortigate,vpn,authentication_failures,known_user,bruteforce,</group>
  </rule>

</group>

I have tested these rules, and they are working fine on my end.


Regarding the active response not being triggered, could you please share the custom script you are using for testing? This will help us replicate the setup and assist you more effectively.

You can also refer to the Wazuh documentation for custom active response and rule syntax for further details.


Sebastian Cuadro

Apr 10, 2026, 8:51:09 AM (4 days ago) Apr 10
to Wazuh | Mailing List

Good morning.

In the direct configuration for remip and srcip, I changed it in /var/ossec/ruleset/decoders/0100-fortigate_decoders.xml so it would work properly:

<decoder name="fortigate-firewall-v5">
  <parent>fortigate-firewall-v5</parent>
  <regex>remip="(\.*)"|remip=(\.*)\s|remip=(\.*)$</regex>
  <order>remip</order>
</decoder>
to:

<decoder name="fortigate-firewall-v5">
  <parent>fortigate-firewall-v5</parent>
  <regex>remip="(\.*)"|remip=(\.*)\s|remip=(\.*)$</regex>
  <order>srcip</order>
</decoder>

The rules are working; I’m attaching the output. The strange part seems to be coming from somewhere else.
Here is the test:
# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.14.4
Type one log per line

date=2026-04-10 time=06:03:10 devname="fw-externo-noreste" devid="FGT80FTK24019981" eventtime=1775811789653864879 tz="-0300" logid="0101037128" type="event" subtype="vpn" level="error" vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=66.132.172.239 locip=190.64.212.75 remport=26025 locport=500 outintf="wan2" srccountry="United States" cookies="4d65822107fcfd52/0000000000000000" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="failure" init="remote" mode="main" dir="inbound" stage=1 role="responder" result="ERROR" fctuid="N/A" advpnsc=0


**Phase 1: Completed pre-decoding.
full event: 'date=2026-04-10 time=06:03:10 devname="fw-externo-noreste" devid="FGT80FTK24019981" eventtime=1775811789653864879 tz="-0300" logid="0101037128" type="event" subtype="vpn" level="error" vd="root" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=66.132.172.239 locip=190.64.212.75 remport=26025 locport=500 outintf="wan2" srccountry="United States" cookies="4d65822107fcfd52/0000000000000000" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="failure" init="remote" mode="main" dir="inbound" stage=1 role="responder" result="ERROR" fctuid="N/A" advpnsc=0'

**Phase 2: Completed decoding.
name: 'fortigate-firewall-v5'
action: 'negotiate'
assignip: 'N/A'
cookies: '4d65822107fcfd52/0000000000000000'
devid: 'FGT80FTK24019981'
devname: 'fw-externo-noreste'
dstuser: 'N/A'
eventtime: '1775811789653864879'
group: 'N/A'
level: 'error'
locip: '190.64.212.75'
locport: '500'
logdesc: 'Progress IPsec phase 1'
logid: '0101037128'
msg: 'progress IPsec phase 1'
outintf: 'wan2'
remport: '26025'
srccountry: 'United States'
srcip: '66.132.172.239'
status: 'failure'
subtype: 'vpn'
time: '06:03:10'
type: 'event'
vd: 'root'
vpntunnel: 'N/A'
xauthgroup: 'N/A'
xauthuser: 'N/A'

**Phase 3: Completed filtering (rules).
id: '100849'
level: '12'
description: 'Fortigate VPN: fallo de autenticación sin usuario identificado desde la IP 66.132.172.239. Posible intento externo/no válido.'
groups: '['local', 'fortigate', 'vpn', 'fortigate', 'vpn', 'authentication_failed', 'unknown_user', 'external_probe']'
firedtimes: '1'
mail: 'True'
**Alert to be generated.

I have also already tried leaving everything in a single active response, but the same thing still happens.

Sebastian Cuadro

Apr 10, 2026, 12:12:53 PM (4 days ago) Apr 10
to Wazuh | Mailing List
That is, all the other alerts work perfectly and trigger the block; this only happens to me with those rule.id values that contain N/A.
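The ossec.log lines in the first message report WARNING (1272) from wazuh-analysisd for username 'N/A', and the message above narrows the failure to exactly the rules whose events carry N/A. The Python below is an added example, not code from the thread or from Wazuh itself, that models that path in miniature: decode the Fortigate key=value event the way the page's logtest output shows it (user mapped to dstuser, remip to srcip), pick the custom rule, and apply a username allowlist gate before the active response is dispatched; the allowlist pattern is an assumption chosen so that 'N/A' fails it the way the warning shows.

```python
import re

# Fortigate key=value event from the thread's wazuh-logtest run, shortened to
# the fields the custom rules use; the values are the page's own.
SAMPLE_EVENT = ('date=2026-04-10 time=06:03:10 devname="fw-externo-noreste" '
                'action="negotiate" remip=66.132.172.239 locip=190.64.212.75 '
                'user="N/A" xauthuser="N/A" vpntunnel="N/A" status="failure"')

# key=value pairs are either quoted (devname="...") or bare (remip=1.2.3.4).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Field renames visible on the page: user -> dstuser (logtest output) and
# remip -> srcip (the decoder change in Sebastian's second message).
RENAMES = {"user": "dstuser", "remip": "srcip"}

# Rule IDs bound to firewall-drop-fortigate in the <rules_id> list on the page.
AR_RULE_IDS = {100849, 100850, 100852}

# Assumption: the character allowlist applied to the user field before an
# active response is dispatched. The real pattern is not on the page; this one
# is chosen so that 'N/A' fails it, as warning (1272) in the thread shows.
USER_OK = re.compile(r"^[A-Za-z0-9._@?-]*$")


def decode(line):
    """Parse quoted or bare key=value pairs into Wazuh-style field names."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[RENAMES.get(key, key)] = quoted if quoted else bare
    return fields


def match_rule(ev):
    """Return which of the thread's rules fires (100849 or 100851), else None."""
    if ev.get("status") != "failure":
        return None
    no_user = ev.get("xauthuser") == "N/A" and ev.get("vpntunnel") == "N/A"
    known_user = ev.get("xauthuser") != "N/A" and ev.get("vpntunnel") != "N/A"
    return 100849 if no_user else 100851 if known_user else None


def active_response_decision(ev):
    """Return (rule_id, dispatched, reason) for one decoded event."""
    rule_id = match_rule(ev)
    if rule_id is None:
        return (None, False, "no custom rule matched")
    if rule_id not in AR_RULE_IDS:
        return (rule_id, False, "alert only: rule id not in <rules_id>")
    user = ev.get("dstuser", "")
    if not USER_OK.match(user):  # the gate that warning (1272) reports
        return (rule_id, False, f"(1272): Invalid username '{user}'. Possible logging attack.")
    return (rule_id, True, f"firewall-drop-fortigate add {ev.get('srcip')}")
```

For the page's own event the alert fires (rule 100849) but the gate rejects dstuser 'N/A', which is the combination the thread describes: alert generated, no block.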

Bony V John

12:10 AM (7 hours ago) 12:10 AM
to Wazuh | Mailing List

Hi,

Apologies for the late response.

If the issue is occurring only for a specific rule ID, I recommend enabling debug logging in your custom script to capture detailed execution logs. This will help identify what is causing the issue.

Could you please share the active response script with us? I can test it on my end and assist you better.

If the issue is limited to a specific rule while other rule IDs are triggering the active response correctly, it is likely that the problem is within the custom script logic for that case.

Enabling debug logs in the script will make it easier to identify the root cause.

You can also refer to the Wazuh documentation on custom active response for a better understanding of how it works.

Please share the script for further analysis.
