Active Response not triggering


serano...@gmail.com

Sep 3, 2022, 12:06:16 PM
to Wazuh mailing list
Hi All.

I have a Wazuh manager v4.3.5 where I'm trying to run some tests with AR, but with bad results.

I have this configuration in my .conf file:

  <command>
    <name>check-account</name>
    <executable>test.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
 
  <active-response>
    <command>check-account</command>
    <location>local</location>
    <rules_id>200005</rules_id>
    <level>5</level>
  </active-response>


where rule id 200005 is a custom rule, and test.sh is just the custom response Linux sample you published here:

The rule is correctly triggered, but when I check the active response log I don't see anything about test.sh being triggered, so I don't understand what I'm doing wrong.


Thanks and have a nice day guys.

Mauricio Ruben Santillan

Sep 3, 2022, 3:22:27 PM
to Wazuh mailing list

Hello!

Thanks for using Wazuh!

For starters, in case you performed any changes to the script, did you make sure the script actually runs OK? I would recommend you try running it manually to check that it works properly.
Also, did you make sure the script is located on the agents in /var/ossec/active-response/bin as well? Keep in mind that Windows agents are not capable of running Python scripts (info here).

Now about the modules you've configured (make sure they're in the manager's /var/ossec/etc/ossec.conf): since you've configured location=local, it will only run on agents that trigger the alerts. I would add <disabled>no</disabled> inside the active-response module. I also see you've configured it with both rules_id and level. You should set either rules_id or level in a single module, not both. In case you need both criteria, just add another active-response module.

On the other hand, the provided script is a stateful script, and you've configured both the command and active-response modules as if it were a stateless one.

You can also check the Wazuh manager's /var/ossec/logs/ossec.log file in case it reports a problem with AR. It's important to note that the active-response.log that will include the alerts should be the one located on the agent (agents by default include a localfile module to ingest its events).

I hope this helps! Let me know how it goes!
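As an added example (not the thread's original configuration, nor Wazuh's own sample), here is how the two modules from the question could look after applying the points above: disabled set explicitly, only rules_id in one module and level in a separate second module, and the stateful script configured with timeout_allowed plus a timeout. The 600-second timeout and the use of the same command in the second module are assumed values for illustration.

```xml
<!-- Added example for a Wazuh 4.3 manager's /var/ossec/etc/ossec.conf;
     not the configuration posted in the thread. -->
<ossec_config>
  <!-- Stateful script: timeout_allowed must be "yes" so the manager later
       sends the "delete" action once the timeout below expires. -->
  <command>
    <name>check-account</name>
    <executable>test.sh</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- One criterion per module: this one fires only on the custom rule.
       location=local means the agent that raised the alert runs the script,
       so test.sh must exist in that agent's /var/ossec/active-response/bin. -->
  <active-response>
    <disabled>no</disabled>
    <command>check-account</command>
    <location>local</location>
    <rules_id>200005</rules_id>
    <timeout>600</timeout> <!-- assumed value, in seconds -->
  </active-response>

  <!-- Second module, only needed if a level-based trigger is also wanted. -->
  <active-response>
    <disabled>no</disabled>
    <command>check-account</command>
    <location>local</location>
    <level>5</level>
    <timeout>600</timeout> <!-- assumed value, in seconds -->
  </active-response>
</ossec_config>
```

After editing the file, restart the manager and watch /var/ossec/logs/ossec.log for configuration errors, then check the agent's active-response.log once rule 200005 fires.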
