Wazuh Active response module


sarah .00

Apr 7, 2026, 12:25:47 AM
to Wazuh | Mailing List
Hello.
I was wondering: if I have a specified agent <003> and I want to trigger an active response script on it through the API, how would I do that?

1- I have this request body triggered by Postman:
{
  "command": "!log-collector.cmd",
  "alert": {
    "id": "test-001",
    "agent": {
      "id": "001",
      "name": "Windows-10"
    },
    "data": {
      "log_type": "security",
      "log_name": "Security",
      "srcip": "",
      "max_events": 10,
      "max_results": 5
    }
  }
}

this is the manager response:
{
    "data": {
        "affected_items": [
            "003"
        ],
        "total_affected_items": 1,
        "total_failed_items": 0,
        "failed_items": []
    },
    "message": "AR command was sent to all agents",
    "error": 0
}
3- ossec.conf on manager:

<command>
  <name>log-collector</name>
  <executable>log-collector.cmd</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>log-collector</command>
  <location>defined-agent</location>
</active-response>
</ossec_config>

4- scripts on the Windows endpoint:
log-collector.cmd
@echo off
echo Wazuh ran me at %DATE% %TIME% >> "C:\Program Files (x86)\ossec-agent\active-response\bin\proof.txt"
powershell.exe -ExecutionPolicy Bypass -Command "$raw = [Console]::In.ReadToEnd(); $raw | & 'C:\Program Files (x86)\ossec-agent\active-response\bin\log-collector.ps1'"

The proof.txt is never generated.
My question is how I can make this work, and how to ensure it works only towards the agent I specify.
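The .cmd above hands the agent's stdin to a PowerShell script, so the interesting part is what the agent actually writes to that stdin and how much of it should be trusted. The following is an added example, not the poster's script and not Wazuh project code: a stateless custom active-response handler written in Python that parses the version-1 JSON message Wazuh 4.x execd passes to scripts ({"version": 1, "origin": ..., "command": "add"|"delete", "parameters": {...}}), validates the alert "data" fields used in the request body above (log_name, max_events) against an assumed allow-list and upper bound, and only then records the run. The "origin" value, the allow-list, the cap and the file paths are assumptions; the sample message is constructed from the request in the thread. On a Windows agent the same validation belongs in the .ps1 that log-collector.cmd calls, since the script runs with the agent's privileges and anything with Wazuh API access can put arbitrary values in "data".

```python
"""Stateless Wazuh custom active-response handler: parse and validate the
execd stdin message before acting on it.

Added example for this thread, not Wazuh code and not the poster's script.
Assumes the Wazuh 4.x version-1 AR message format; ALLOWED_LOGS,
MAX_EVENTS_CAP, the origin value in the sample and the log path are assumptions.
"""
import json
import sys
from datetime import datetime

ALLOWED_LOGS = {"Security", "System", "Application"}  # assumed allow-list
MAX_EVENTS_CAP = 1000                                  # assumed upper bound


class BadRequest(ValueError):
    """Raised when the AR message is malformed or its parameters are unsafe."""


def parse_ar_message(raw):
    """Parse one execd message and return the fields the script needs.

    The alert data comes from whoever called the Wazuh API, and the script
    runs with the agent's privileges (SYSTEM on Windows), so it is untrusted.
    Returns None for messages this stateless script does not handle.
    """
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise BadRequest(f"stdin is not JSON: {exc}")
    if msg.get("version") != 1:
        raise BadRequest(f"unsupported AR message version {msg.get('version')!r}")
    if msg.get("command") != "add":
        # "delete" is only sent to stateful responses when a timeout expires
        return None
    alert = msg.get("parameters", {}).get("alert", {})
    data = alert.get("data", {})
    log_name = data.get("log_name")
    if log_name not in ALLOWED_LOGS:
        raise BadRequest(f"log_name {log_name!r} not allowed")
    max_events = data.get("max_events", 10)
    if not isinstance(max_events, int) or not 1 <= max_events <= MAX_EVENTS_CAP:
        raise BadRequest(f"max_events {max_events!r} out of range")
    return {
        "alert_id": alert.get("id"),
        "agent_id": alert.get("agent", {}).get("id"),
        "log_name": log_name,
        "max_events": max_events,
    }


def main(stdin=sys.stdin, log_path="proof.txt"):
    """Entry point when execd runs the script; exit status 0 on success."""
    try:
        req = parse_ar_message(stdin.read())
    except BadRequest as exc:
        with open(log_path, "a") as log:
            log.write(f"{datetime.now().isoformat()} rejected: {exc}\n")
        return 1
    if req is None:
        return 0
    with open(log_path, "a") as log:
        log.write(f"{datetime.now().isoformat()} alert {req['alert_id']} on agent "
                  f"{req['agent_id']}: collect {req['max_events']} events from "
                  f"{req['log_name']}\n")
    # Event collection (wevtutil / Get-WinEvent) would go here.
    return 0


# Constructed sample of what execd passes for the API request in this thread.
SAMPLE_MESSAGE = json.dumps({
    "version": 1,
    "origin": {"name": "wazuh-manager", "module": "wazuh-execd"},  # assumed
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "id": "test-001",
            "agent": {"id": "003", "name": "Windows-10"},
            "data": {"log_type": "security", "log_name": "Security",
                     "max_events": 10, "max_results": 5},
        },
        "program": "C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\log-collector.cmd",
    },
})

if __name__ == "__main__":
    sys.exit(main())
```

To test it by hand, pipe SAMPLE_MESSAGE into the script the way the agent would (`python ar.py < message.json`) and check the log line; a message with an unknown log_name or an oversized max_events is logged as rejected and exits non-zero instead of running.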

Bony V John

Apr 7, 2026, 12:40:32 AM
to Wazuh | Mailing List

Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Apr 7, 2026, 1:45:03 AM
to Wazuh | Mailing List
Hi,

Based on the details you shared, I was able to replicate the issue on my end. There are a few corrections required in your configuration to make it work as expected. Please follow the steps below:

First, on your Wazuh manager ossec.conf file, to trigger the active response for a single agent, you should add the configuration as shown below:

  <command>
    <name>log-collector</name>
    <executable>log-collector.cmd</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>log-collector</command>
    <location>defined-agent</location>
    <agent_id>003</agent_id>
  </active-response>

In your configuration, you have not used the <agent_id> tag, which is required when using the defined-agent option.

You can refer to the Wazuh active response configuration documentation for more details.

Then restart the manager:

systemctl restart wazuh-manager

On the Windows endpoint, try executing the script manually. I used the below script and command for testing:
@echo off
echo Wazuh ran me at %DATE% %TIME% >> "C:\Program Files (x86)\ossec-agent\active-response\bin\proof.txt"
exit /b 0

Save the script as log-collector.cmd in the following directory: C:\Program Files (x86)\ossec-agent\active-response\bin\
Then run:
cd "C:\Program Files (x86)\ossec-agent\active-response\bin"
.\log-collector.cmd

Check if proof.txt is created in C:\Program Files (x86)\ossec-agent\active-response\bin\.

Next, I used a curl API command to trigger the script instead of Postman. You can try the below commands:

First, generate the bearer token:

curl -u <username>:<password> -k -X POST "https://<manager-IP>:55000/security/user/authenticate"

Replace <username> and <password> with your Wazuh API credentials, and <manager-IP> with your manager IP address.

Copy the generated bearer token from the output.

Then run the below command to check if the script is working:

curl -k -X PUT "https://<manager-IP>:55000/active-response?agents_list=003&pretty=true" \
  -H "Authorization: Bearer <JWT_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "command": "!log-collector.cmd",
    "alert": {
      "id": "test-001",
      "agent": {
        "id": "003",
        "name": "Windows-10"
      },
      "data": {
        "log_type": "security",
        "log_name": "Security",
        "max_events": 10,
        "max_results": 5,
        "callback_url": "http://<manager-IP>:5678/webhook/log-results"
      }
    }
  }'

Replace <manager-IP> and <JWT_TOKEN> accordingly.

Then check whether the script is triggered and if the proof.txt file is created. I have tested this, and it is working fine on my end.

You can refer to the Wazuh active response documentation for more details.

Please let me know the update or if you need any further assistance.

Attachments: Screenshot 2026-04-07 111348.png, Screenshot 2026-04-07 111422.png
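The two curl calls above, scripted with the Python standard library, as an added example that is not Bony's commands and not Wazuh project code. Beyond the page's two steps it adds a check on the manager's answer: the response posted earlier in the thread says "AR command was sent to all agents" while affected_items lists only "003", so the message text says nothing about targeting and the caller should compare affected_items and failed_items against the agents it asked for. Assumed: the Wazuh API 4.x paths POST /security/user/authenticate and PUT /active-response, the "!script" custom-command convention used in the thread, and placeholder manager URL and credentials. verify_tls=False is the equivalent of curl -k and belongs only in a lab.

```python
"""Trigger a Wazuh custom active-response script on one agent through the
Wazuh API and verify that the manager dispatched it to that agent only.

Added example for this thread, not Wazuh code. Assumes Wazuh API 4.x
endpoints, the "!script" custom-command prefix, and a lab manager with a
self-signed certificate; manager address and credentials are placeholders.
"""
import base64
import json
import ssl
import urllib.request


def build_ar_body(script, agent_id, agent_name, data, alert_id="test-001"):
    """Return the PUT /active-response body as a dict."""
    return {
        "command": f"!{script}",  # "!" = script in the agent's active-response/bin
        "alert": {
            "id": alert_id,
            "agent": {"id": agent_id, "name": agent_name},
            "data": data,
        },
    }


def check_targets(response, expected_agents):
    """Raise unless the AR reached exactly the expected agents with no failures.

    The "message" field is not a targeting indicator (it says "all agents"
    even when one agent was addressed), so only affected_items/failed_items
    are inspected. Returns the set of affected agent ids.
    """
    if response.get("error", 1) != 0:
        raise RuntimeError(f"API error: {response.get('message')}")
    data = response.get("data", {})
    failed = data.get("failed_items", [])
    if failed:
        raise RuntimeError(f"AR failed on some agents: {failed}")
    affected = set(data.get("affected_items", []))
    if affected != set(expected_agents):
        raise RuntimeError(
            f"AR reached {sorted(affected)}, expected {sorted(expected_agents)}")
    return affected


class WazuhAPI:
    """Minimal JWT-authenticated client for the two calls used in the thread."""

    def __init__(self, base_url, verify_tls=True):
        self.base_url = base_url.rstrip("/")
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab only: same effect as curl -k
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        self.token = None

    def _request(self, method, path, headers=None, body=None):
        req = urllib.request.Request(self.base_url + path, method=method, data=body)
        for name, value in (headers or {}).items():
            req.add_header(name, value)
        with urllib.request.urlopen(req, context=self.ctx, timeout=15) as resp:
            return json.load(resp)

    def authenticate(self, user, password):
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        out = self._request("POST", "/security/user/authenticate",
                            headers={"Authorization": f"Basic {cred}"})
        self.token = out["data"]["token"]
        return self.token

    def run_active_response(self, agent_ids, body):
        # agents_list restricts the dispatch; the alert.agent block is just payload.
        return self._request(
            "PUT", f"/active-response?agents_list={','.join(agent_ids)}",
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"},
            body=json.dumps(body).encode(),
        )


if __name__ == "__main__":
    # Placeholders: point these at your manager and API user.
    api = WazuhAPI("https://manager.example:55000", verify_tls=False)
    api.authenticate("api-user", "api-password")
    body = build_ar_body("log-collector.cmd", "003", "Windows-10",
                         {"log_type": "security", "log_name": "Security",
                          "max_events": 10, "max_results": 5})
    result = api.run_active_response(["003"], body)
    print("dispatched to:", sorted(check_targets(result, ["003"])))
```

If check_targets raises because affected_items contains agents you did not list, the API call itself was mis-addressed (wrong agents_list), which is the condition the thread's last question is about; the agent id inside "alert" is only data passed to the script and does not limit where the command is sent.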
