Hi Aksha and sorry for the late response,

I will try to help you solve this issue. I need some information to test 
your use case and see what is happening. 

First of all, could you tell me which Wazuh version you are using? Also, it 
would be fine if you send the active response script you are trying to 
execute.

In order to troubleshoot this, I recommend that you enable the debug mode 
for the *execd* daemon, which is the one in charge of executing active 
response scripts. In order to do it, add the following line to 
*/var/ossec/etc/local_internal_options.conf*:


*execd.debug=2*

Waiting for your response!

On Wednesday, March 2, 2022 at 7:16:14 AM UTC+1 AKSHA GANDHI wrote:

> Hi Ossec Team, 
>
> Can anyone please review this and help.
>
> Thanks in Advance.
> Aksha 
> On Friday, February 25, 2022 at 7:17:18 PM UTC+5:30 AKSHA GANDHI wrote:
>
>> Hi,
>> 1. Active response is getting triggered for both Rule ID 550,554 if 
>> <expect> parameter is kept blank.
>> 2. If <expect> parameter is given value FILENAME then active response is 
>> not getting triggered for RULE ID 554 but is getting triggered for RULE 
>> ID 550.
>> 3. Not receiving any error logs.
>> 4. Kindly find the details of the ossec.conf file for which Active 
>> response is not getting triggered for RULE ID 554.
>>
>> ---- ossec.conf -----
>> <command>
>>   <name>Test</name>
>>   <executable>syscheck-all.sh</executable>
>>   <expect>FILENAME</expect>
>> </command>
>> <active-response>
>>   <disabled>no</disabled>
>>   <command>Test</command>
>>   <location>defined-agent</location>
>>   <agent_id>78</agent_id>
>>   <rules_id>554,550</rules_id>
>> </active-response>
>>
>> --- ossec.conf ---
>> Please help troubleshoot the issue.
>>
>> Thanks & Regards
>> Aksha
>>
>
