Hi cyberfarer,
I hope you are doing fine!
Default Active Responses generate an internal log file when some action applies, for example the default route-null AR:
2021/11/12 11:44:21 active-response/bin/route-null.exe: Starting
2021/11/12 11:44:21 active-response/bin/route-null.exe: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2021-11-12T11:44:03.510-0300","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":5,"mail":false,"groups":["syslog","sshd","invalid_login","authentication_failed"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"localhost.localdomain","ip":"10.0.2.4"},"manager":{"name":"chb-VBox"},"id":"1636728243.1913600","full_log":"Nov 12 09:44:00 localhost sshd[30846]: Invalid user juanito from 10.0.2.5 port 53864","predecoder":{"program_name":"sshd","timestamp":"Nov 12 09:44:00","hostname":"localhost"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"10.0.2.5","srcport":"53864","srcuser":"juanito"},"location":"/var/log/secure"},"program":"active-response/bin/route-null.exe"}}
2021/11/12 11:44:21 active-response/bin/route-null.exe: {"version":1,"origin":{"name":"route-null.exe","module":"active-response"},"command":"check_keys","parameters":{"keys":["10.0.2.5"]}}
2021/11/12 11:44:21 active-response/bin/route-null.exe: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"continue","parameters":{"extra_args":[],"alert":{"timestamp":"2021-11-12T11:44:03.510-0300","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":5,"mail":false,"groups":["syslog","sshd","invalid_login","authentication_failed"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"localhost.localdomain","ip":"10.0.2.4"},"manager":{"name":"chb-VBox"},"id":"1636728243.1913600","full_log":"Nov 12 09:44:00 localhost sshd[30846]: Invalid user juanito from 10.0.2.5 port 53864","predecoder":{"program_name":"sshd","timestamp":"Nov 12 09:44:00","hostname":"localhost"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"10.0.2.5","srcport":"53864","srcuser":"juanito"},"location":"/var/log/secure"},"program":"active-response/bin/route-null.exe"}}
2021/11/12 11:44:21 active-response/bin/route-null.exe: Ended
On an Ubuntu box the file is located in /var/ossec/logs/active-responses.log,
on Windows in C:\Program Files (x86)\ossec-agent\active-response\active-responses.log.
Also, the agent configuration is set by default to collect events from those files.
ossec.conf file on Ubuntu:
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/active-responses.log</location>
</localfile>
ossec.conf file on Windows:
<localfile>
  <location>active-response\active-responses.log</location>
  <log_format>syslog</log_format>
</localfile>
That means that when an AR triggers it should generate an alert, because the agent collects events from that active-responses.log file and processes them as a new alert, and you can create notifications from that alert, for example an email notification:
<email_alerts>
  <rule_id>9999</rule_id> <!-- set the alert rule id -->
  <do_not_delay/>
</email_alerts>
If you have a customized Active Response, double check whether it writes some log into active-responses.log, and it will probably be necessary to create a custom decoder and rule for it.
Let me know if this information is useful for you.
Regards.
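The reply above describes the shape of active-responses.log: a timestamp, the AR program path, and then either a status word ("Starting"/"Ended") or a JSON message exchanged between wazuh-execd and the script. Before writing a custom decoder and rule for a customized AR, it helps to see exactly which fields are recoverable from those lines. The following is an added example, not code from Wazuh or from the reply's author; it parses constructed log lines modeled on the ones quoted above and pulls out the fields a rule would typically match on (command, origin module, alert rule id, source IP, and the keys passed to check_keys). The AREvent type, parse_line and blocked_ips are names chosen here for illustration.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Layout of one active-responses.log line, as seen in the reply above:
#   "<YYYY/MM/DD HH:MM:SS> <program>: <message>"
# <message> is either a plain status word ("Starting", "Ended") or a JSON
# document exchanged between wazuh-execd and the active-response script.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<program>\S+): (?P<msg>.*)$"
)


@dataclass
class AREvent:
    """Fields a custom decoder/rule would realistically want from one log line."""
    timestamp: str
    program: str
    status: Optional[str] = None    # "Starting" / "Ended" for non-JSON lines
    command: Optional[str] = None   # "add", "check_keys", "continue", ...
    origin: Optional[str] = None    # origin.module: "wazuh-execd" or "active-response"
    rule_id: Optional[str] = None   # parameters.alert.rule.id when an alert is attached
    srcip: Optional[str] = None     # parameters.alert.data.srcip when present
    keys: List[str] = field(default_factory=list)  # parameters.keys (check_keys)


def parse_line(line: str) -> Optional[AREvent]:
    """Parse a single log line; return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = AREvent(timestamp=m["ts"], program=m["program"])
    msg = m["msg"]
    if not msg.startswith("{"):
        ev.status = msg          # status-only line, nothing more to extract
        return ev
    try:
        doc = json.loads(msg)
    except json.JSONDecodeError:
        ev.status = "unparseable-json"   # malformed payload: keep the line, flag it
        return ev
    ev.command = doc.get("command")
    ev.origin = doc.get("origin", {}).get("module")
    params = doc.get("parameters", {})
    ev.keys = list(params.get("keys", []))
    alert = params.get("alert")
    if alert:
        ev.rule_id = alert.get("rule", {}).get("id")
        ev.srcip = alert.get("data", {}).get("srcip")
    return ev


def blocked_ips(lines: Iterable[str]) -> Set[str]:
    """Source IPs for which execd dispatched an 'add' command (i.e. a block was requested)."""
    return {
        ev.srcip
        for ev in map(parse_line, lines)
        if ev is not None and ev.command == "add" and ev.srcip
    }


# Constructed sample, trimmed from the lines quoted in the reply above.
SAMPLE_LOG = [
    "2021/11/12 11:44:21 active-response/bin/route-null.exe: Starting",
    '2021/11/12 11:44:21 active-response/bin/route-null.exe: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},'
    '"command":"add","parameters":{"extra_args":[],"alert":{"rule":{"level":5,"id":"5710"},'
    '"agent":{"id":"002"},"data":{"srcip":"10.0.2.5","srcport":"53864","srcuser":"juanito"}}}}',
    '2021/11/12 11:44:21 active-response/bin/route-null.exe: {"version":1,"origin":{"name":"route-null.exe","module":"active-response"},'
    '"command":"check_keys","parameters":{"keys":["10.0.2.5"]}}',
    '2021/11/12 11:44:21 active-response/bin/route-null.exe: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},'
    '"command":"continue","parameters":{"extra_args":[],"alert":{"rule":{"level":5,"id":"5710"},"data":{"srcip":"10.0.2.5"}}}}',
    "2021/11/12 11:44:21 active-response/bin/route-null.exe: Ended",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(parse_line(raw))
    print("blocked:", blocked_ips(SAMPLE_LOG))
```

The point to take from the parser is that the useful content sits inside a JSON payload after a fixed prefix, so a decoder for a customized AR needs a prematch on the program path and then a way to reach the JSON fields; a rule that only fires on the "Starting"/"Ended" lines will tell you the script ran but not what it acted on.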