I have not personalized the rules 5710 and 5712 regarding SSH.
I have attached the post-alert.py to this post.
2021/09/23 12:25:16 wazuh-execd[7027] execd.c:416 at ExecdStart(): DEBUG: Received message: '{"version":1,"origin":{"name":"Test-Wazuh-Master","module":"wazuh-analysisd"},"command":"postalert0","parameters":{"extra_args":[],"alert":{"timestamp":"2021-09-23T12:25:16.134+0200","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":36,"mail":false,"groups":["syslog","sshd","invalid_login","authentication_failed"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"Test-Dev","ip":"XXX.XXX.XXX.XXX"},"manager":{"name":"Test-Wazuh-Master"},"id":"1632392716.1200413","cluster":{"name":"test-wazuh","node":"Test-Wazuh-Master"},"full_log":"Sep 23 12:25:16 Test-Dev sshd[17544]: Failed password for invalid user toto from XXX.XXX.XXX.XXX port 54470 ssh2","predecoder":{"program_name":"sshd","timestamp":"Sep 23 12:25:16","hostname":"Test-Dev"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"XXX.XXX.XXX.XXX","srcuser":"toto"},"location":"/var/log/auth.log"}}}'
2021/09/23 12:25:16 wazuh-execd[7027] execd.c:484 at ExecdStart(): DEBUG: Executing command 'active-response/bin/postalert.py {"version":1,"origin":{"name":"Test-Wazuh-Master","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2021-09-23T12:25:16.134+0200","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":36,"mail":false,"groups":["syslog","sshd","invalid_login","authentication_failed"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"Test-Dev","ip":"XXX.XXX.XXX.XXX"},"manager":{"name":"Test-Wazuh-Master"},"id":"1632392716.1200413","cluster":{"name":"test-wazuh","node":"Test-Wazuh-Master"},"full_log":"Sep 23 12:25:16 Test-Dev sshd[17544]: Failed password for invalid user toto from XXX.XXX.XXX.XXX port 54470 ssh2","predecoder":{"program_name":"sshd","timestamp":"Sep 23 12:25:16","hostname":"Test-Dev"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"XXX.XXX.XXX.XXX","srcuser":"toto"},"location":"/var/log/auth.log"},"program":"active-response/bin/postalert.py"}}'
2021/09/23 12:25:16 wazuh-execd[7027] execd.c:499 at ExecdStart(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/postalert.py'
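The last debug line refers to the key exchange between execd and the script. The sketch below is an added example, not the attached post-alert.py and not Wazuh's own code. It parses a message shaped like the one in the log and builds the `check_keys` reply. It assumes that the message arrives on stdin, that the reply layout follows Wazuh's custom active response documentation, and that `srcip` is the key; the function names and the sample address are constructed.

```python
import json
import sys

# Constructed sample, trimmed from the message shape in the execd debug log above.
SAMPLE_MESSAGE = json.dumps({
    "version": 1, "origin": {"name": "Test-Wazuh-Master", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {"extra_args": [], "program": "active-response/bin/postalert.py",
                   "alert": {"rule": {"id": "5710"},
                             "data": {"srcip": "192.0.2.10", "srcuser": "toto"}}},
})

def parse_execd_message(raw):
    """Return (command, alert) or raise ValueError on malformed input."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}")
    params = msg.get("parameters") if isinstance(msg, dict) else None
    alert = params.get("alert") if isinstance(params, dict) else None
    if not isinstance(alert, dict) or msg.get("command") not in ("add", "delete"):
        raise ValueError("unexpected message layout or command")
    return msg["command"], alert

def build_check_keys(alert, program_name="postalert.py"):
    """Build the check_keys reply (assumed layout), or None when srcip is absent."""
    data = alert.get("data")
    srcip = data.get("srcip") if isinstance(data, dict) else None
    if not srcip:
        return None
    return json.dumps({"version": 1, "command": "check_keys",
                       "origin": {"name": program_name, "module": "active-response"},
                       "parameters": {"keys": [srcip]}})

def keys_accepted(reply_raw):
    """True only when execd answers with the 'continue' command."""
    try:
        reply = json.loads(reply_raw)
    except json.JSONDecodeError:
        return False
    return isinstance(reply, dict) and reply.get("command") == "continue"

if __name__ == "__main__":  # stdin/stdout exchange with execd (assumed transport)
    command, alert = parse_execd_message(sys.stdin.readline())
    keys_msg = build_check_keys(alert) if command == "add" else None
    if keys_msg:
        print(keys_msg, flush=True)
        if not keys_accepted(sys.stdin.readline()):
            sys.exit(0)  # execd answered abort, or sent nothing usable
```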