Hi, you can use
Active response for execute any bat file in you windows agent.
the path for put you bat file is C:\Program Files (x86)\ossec-agent\active-response\bin
you must motorizing the active-response.log file in ossec.log file in the windows agent side.
<localfile>
<location>active-response\active-responses.log</location>
<log_format>syslog</log_format>
</localfile>
you must set active response in manager side (
link) and set a rule and decoder or use some predefined one like this rule 5716(
link).
for example:
<active-response>
<command>netsh</command>
<location>local</location>
<rules_id>5716</rules_id>
<timeout>60</timeout>
</active-response>
where netsh is a command that will execute the netsh.exe( for you case bat file)
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
with this log -> Dec 10 01:02:02 host sshd[1234]: Accepted none for root from 64.62.197.132 port 1066 ssh2
for launch the 5716 rule, you should create a empty file for test in windows agent side and paste and save this log for that this alert inthe manager launch the active response and this run the bat file.
remember monitorizing you file test(wndows agent side):
<localfile>
<location>C:\Users\vagrant\Documents\test.txt</location>
<log_format>syslog</log_format>
</localfile>
let me know if this helps you
Regards