Active Response log when an AR is triggered


luca...@gmail.com

Aug 27, 2020, 9:39:15 AM
to Wazuh mailing list
Hello,

hope you're all doing well. I tried to look into old discussions, but I really couldn't find anything useful.

So we are at a point where we can trigger active response (even custom ones), but what we need now is a "suggested" way for checking that an AR script was really executed.

I have noticed that each script logs something into active-responses.log, and that thanks to one of the parameters passed (the eventId) I can correlate an AR to the alert that was generated. This is all clear.

The part I don't understand is: what does Wazuh do with active-responses.log? Does it parse it somehow (and maybe this is stored somewhere else) or do I need to write a parser for it by myself? I am looking here to be able to find information like how many times an AR was executed, ...

Hope you can help,

Thanks,
Luca

Mauro Ezequiel Moltrasio

Aug 27, 2020, 11:11:48 AM
to Wazuh mailing list
Hi Luca,

As you mentioned, our active-response scripts log actions into the active-responses.log. The default configuration of every agent and manager includes the following <localfile> section:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

With it, every line that is logged inside that file is forwarded to the manager for analysis and will trigger an alert if it matches a rule. As a quick PoC, I issued a PUT /agents/restart request to the API so it restarts agent 001. The restart is triggered through an active response script which logs the following text to active-responses.log:

Thu Aug 27 14:45:20 UTC 2020 /var/ossec/active-response/bin/restart-ossec.sh add - null (from_the_server) (no_rule_id)

This entry is picked up by logcollector and forwarded to the manager, who analyses the log and triggers the following alert:

{"timestamp":"2020-08-27T14:45:22.760+0000","rule":{"level":3,"description":"Active response: restart-ossec.sh - add","id":"607","firedtimes":1,"mail":false,"groups":["ossec","active_response"],"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"]},"agent":{"id":"001","name":"ubuntu-agent","ip":"10.0.2.15"},"manager":{"name":"server"},"id":"1598539522.199782","full_log":"Thu Aug 27 14:45:20 UTC 2020 /var/ossec/active-response/bin/restart-ossec.sh add - null (from_the_server) (no_rule_id)","decoder":{"name":"ar_log"},"data":{"srcip":"null","id":"(from_the_server)","extra_data":"(no_rule_id)","script":"restart-ossec.sh","type":"add"},"location":"/var/ossec/logs/active-responses.log"}

The out-of-the-box decoder for active response takes care of triggering those alerts for you, as long as you respect the format of the log that is written. If you feel like experimenting, the log itself is forwarded as any other regular log, so you could in theory write your own decoders and rules for active responses that have a different log format.

Let me know if this was helpful and if you have any other questions.

Best regards,
Mauro Moltrasio.
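
As an added example (not code from this thread or from the Wazuh project), here is a small Python parser for the line format the stock scripts write to active-responses.log, which answers Luca's "how many times was an AR executed" question offline from a copy of the file and groups runs by the alert id that triggered them. Only the restart-ossec.sh line is taken from Mauro's post; the firewall-drop.sh lines, their IP and their alert/rule ids are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Stock scripts log: <date> <script path> <action> <user> <srcip> <alert id> <rule id>
# (same fields the manager's ar_log decoder extracts from the forwarded line).
AR_LINE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule_id>\S+)$"
)

@dataclass(frozen=True)
class ArEvent:
    date: str
    script: str    # basename only, as the ar_log decoder reports it
    action: str    # "add" or "delete"
    user: str
    srcip: str
    alert_id: str  # alert that fired the AR; "(from_the_server)" when the API did
    rule_id: str

def parse_ar_line(line):
    """Return an ArEvent, or None for a line that does not follow the stock format."""
    m = AR_LINE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["script"] = fields["script"].rsplit("/", 1)[-1]
    return ArEvent(**fields)

def summarize(lines):
    """Count executions per (script, action) and map each alert id to its AR runs."""
    counts = Counter()
    by_alert = {}
    for line in lines:
        ev = parse_ar_line(line)
        if ev is None:
            continue  # custom script with its own format: needs its own decoder too
        counts[(ev.script, ev.action)] += 1
        by_alert.setdefault(ev.alert_id, []).append(ev)
    return counts, by_alert

# Constructed sample log: first line is the real one from the thread, the rest are made up.
SAMPLE_LOG = """\
Thu Aug 27 14:45:20 UTC 2020 /var/ossec/active-response/bin/restart-ossec.sh add - null (from_the_server) (no_rule_id)
Thu Aug 27 14:50:01 UTC 2020 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1598539801.201000 5712
Thu Aug 27 15:00:01 UTC 2020 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1598539801.201000 5712
this line was written by a custom script and will not decode
"""

if __name__ == "__main__":
    counts, by_alert = summarize(SAMPLE_LOG.splitlines())
    for (script, action), n in sorted(counts.items()):
        print(f"{script:20s} {action:6s} {n}")
```

The same tallies can be produced on the manager side by querying the rule 607 alerts that the forwarded lines generate, which also covers agents whose local file has already been truncated.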

luca...@gmail.com

Aug 28, 2020, 1:39:38 AM
to Wazuh mailing list
Hi,

what you wrote is extremely useful information!!! It's now all clear, thanks a lot!
The only thing I'd suggest is to add a section into your official documentation for AR.

Thanks again,
Luca

Luca

Aug 28, 2020, 5:52:33 AM
to Wazuh mailing list
Hello,

I have just one more question. I know that all the log files under /var/ossec/logs are rotated/compressed.
Does this apply to active-responses.log as well? I was grepping the whole C code looking for the routines that compress this file, but I couldn't find anything related to this particular file.

Is this file rotated? I am asking because on a system where we have many active responses being executed, this file could grow forever.

Thanks,
Luca


mauro.e...@wazuh.com

Sep 17, 2020, 7:26:07 AM
to Wazuh mailing list
Hi Luca,

Sorry for the delayed response.

The active-responses log does not get rotated automatically; however, using a tool such as logrotate on Linux systems, it should be possible to do so. Let me know if you need help setting it up.

Best regards,
Mauro.