Hi again and sorry for the late response,

In the last comment I posted, I showed you an example where I used manager and agent with Wazuh version 4.1.5.

In order to replicate your issue, I need to know the Wazuh versions you are using in the implicated manager and agents. I have also seen something new in the last comment you posted:

    Logs received at /var/ossec/logs/active-responses.log
    Friday 04 March 2022 12:38:56 PM IST /var/ossec/active-response/bin/syscheck-all.sh add - - 1646377736.334633505 554 (assetname) 192.168.71.33->syscheck (null)
    Friday 04 March 2022 12:46:26 PM IST /var/ossec/active-response/bin/virustotal_lookup.sh add - - 1646378186.340709781 550 (assetname) 192.168.71.33->syscheck (null)

You are using a different active response script for the rule with ID 550: *virustotal_lookup.sh*. Have you checked that your *command* and *active-response* configurations are OK? As far as I can see, a different active response is being triggered for rule 550.

Also, as I told you in the last comment, have a look at the *ossec.log* file with *execd* in debug mode. In order to enable debug mode, add the following line to */var/ossec/etc/local_internal_options.conf*:

    execd.debug=2

On Friday, March 4, 2022 at 11:06:00 AM UTC+1 AKSHA GANDHI wrote:
> Hi,
> Thank you for your detailed explanation.
> I would like to discuss my scenario in detail so we could have a good understanding of our issue.
>
> *Case 1*: I will be creating a new file (march4.txt) generating rule ID 554 and also editing an existing file (march.txt) generating rule ID 551.
> This is the configuration kept by us at server ossec.conf:
>
>     <command>
>       <name>test</name>
>       <executable>syscheck-all.sh</executable>
>       <expect>FILENAME</expect>
>     </command>
>
> Logs received at archive.log:
>
>     2022 Mar 04 12:29:26 (assetname) 192.168.71.33->syscheck New file '/etc/march4.txt' added to the file system.
>     2022 Mar 04 12:31:48 (assetname) 192.168.71.33->syscheck Integrity checksum changed for: '/etc/march.txt'
>
> Logs received at /var/ossec/logs/active-responses.log:
>
>     Friday 04 March 2022 12:31:48 PM IST /var/ossec/active-response/bin/syscheck-all.sh add - - 1646377308.329125727 551 (assetname) 192.168.71.33->syscheck /etc/march.txt
>
> *Summary*: Active Response did not get triggered for RULE ID 554 in this scenario. I am receiving the *FILENAME* at (*$8*) for rule ID 551.
>
> *Case 2: Without FILENAME in the <expect> parameter*
> I will be creating a new file (march4new.txt) generating rule ID 554 and also editing an existing file (march4new.txt) generating rule ID 551.
> This is the configuration kept by us at server ossec.conf:
>
>     <command>
>       <name>test</name>
>       <executable>syscheck-all.sh</executable>
>       <expect></expect>
>     </command>
>
> Logs received at archive.log:
>
>     2022 Mar 04 12:38:56 (assetname) 192.168.71.33->syscheck New file '/etc/march4new.txt' added to the file system.
>     2022 Mar 04 12:46:26 (assetname) 192.168.71.33->syscheck Integrity checksum changed for: '/etc/march4new.txt'
>
> Logs received at /var/ossec/logs/active-responses.log:
>
>     Friday 04 March 2022 12:38:56 PM IST /var/ossec/active-response/bin/syscheck-all.sh add - - 1646377736.334633505 554 (assetname) 192.168.71.33->syscheck (null)
>     Friday 04 March 2022 12:46:26 PM IST /var/ossec/active-response/bin/virustotal_lookup.sh add - - 1646378186.340709781 550 (assetname) 192.168.71.33->syscheck (null)
>
> *Summary*: Active response was triggered for both the rules, but a (*null*) value was received at the position of the filename.
>
> Please help why active response is not getting triggered with *rule 554 and <expect>FILENAME</expect>*.
>
> Thanks in advance.
>
> On Thu, Mar 3, 2022 at 11:22 PM Manuel Camona Perez <manuel....@wazuh.com> wrote:
>
>> Hi again,
>>
>> Which Wazuh version are you using? I suppose that you are using *4.1* or a previous version, as from *4.2* active response custom scripts work differently.
>>
>> I have been testing your active response configuration and scripts are being executed properly, as you said.
>>
>> As you can see in the following logs, your script is logging the call to */var/ossec/logs/active-responses.log* for both rule with ID 550 and rule with ID 554:
>>
>>     Thu Mar 3 15:45:32 UTC 2022 /var/ossec/active-response/bin/syscheck-all.sh add - - 1646322332.560567 550 syscheck /test/b -
>>     Thu Mar 3 15:45:34 UTC 2022 /var/ossec/active-response/bin/syscheck-all.sh add - - 1646322334.560819 554 syscheck /test/c -
>>
>> This is the output of doing
>>
>>     printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> ${PWD}/../logs/active-responses.log
>>
>> in *syscheck-all.sh* (line 37 <https://github.com/jonschipp/nsm-tools/blob/bc465038bfeb215ca54b67bb4170d607327d0436/syscheck-all.sh#L37>).
>>
>> We can see that each script argument refers to a component. These arguments are the following (in this order) (ref: https://documentation.wazuh.com/4.1/user-manual/capabilities/active-response/remediation-faq.html#can-i-use-a-custom-script-for-active-responses):
>>
>>     <SCRIPT-NAME> <ACTION> <USER> <IP> <ALERT-ID> <RULE-ID> <AGENT> <FILENAME>
>>
>> *<SCRIPT-NAME>* is the name of the script file that is going to be run.
>> *<ACTION>* can be delete or add.
>> *<USER>* is the user name. It can be - if not set.
>> *<IP>* is the source IP. It can be - if not set.
>> *<ALERT-ID>* is the alert ID (unique for every alert).
>> *<RULE-ID>* is the rule ID.
>> *<AGENT>* is the agent ID or hostname.
>> *<FILENAME>* is the source path file of the log that triggered the alert (if it exists).
>>
>> With this information, we know that
>>
>> - $0 is the script name: /var/ossec/active-response/bin/syscheck-all.sh
>> - $1 is the action: add
>> - $2 is the user: -
>> - $3 is the IP: -
>> - $4 is the alert ID: 1646322332.560567 and 1646322334.560819
>> - $5 is the rule ID: 550 and 554
>> - $6 is the agent: syscheck
>> - $7 is the filename: /test/b and /test/c
>>
>> Note that in this case, we have the *service* (*syscheck*) instead of *agent* because we are using *syscheck* rules.
>>
>> Summarizing, I am receiving the *FILENAME* for both rules (*$7*).
>>
>> What is being logged in your agents' */var/ossec/logs/active-responses.log* file? Having a look at that output will help you know which argument is the *filename*. In your script, *filename* is expected to be *$8*. You can confirm whether *filename* is at *$8* or not by having a look at the log file, as I said.
>>
>> I hope this helps; please, if you have more problems, send the */var/ossec/logs/active-responses.log* output. Also, have a look at the *ossec.log* file with *execd* in debug mode (how to enable debug mode is in the last comment).
>>
>> On Thursday, March 3, 2022 at 2:11:39 PM UTC+1 AKSHA GANDHI wrote:
>>
>>> Hi,
>>> We are using AlienVault Version: OSSIM 5.7.4
>>> For scripts we are referring to: https://github.com/jonschipp/nsm-tools/
>>> The script is getting executed but we are not receiving the FILENAME parameter when RULE ID 554 is getting triggered.
>>>
>>> Thanks in advance.
>>>
>>> On Thu, Mar 3, 2022 at 5:45 PM Manuel Camona Perez <manuel....@wazuh.com> wrote:
>>>
>>>> Hi Aksha and sorry for the late response,
>>>>
>>>> I will try to help you solve this issue. I need some information to test your use case and see what is happening.
>>>>
>>>> First of all, could you tell me which Wazuh version you are using? Also, it would be fine if you send the active response script you are trying to execute.
>>>>
>>>> In order to troubleshoot this, I recommend that you enable the debug mode for the *execd* daemon, which is the one in charge of executing active response scripts. In order to do it, add the following line to */var/ossec/etc/local_internal_options.conf*:
>>>>
>>>>     execd.debug=2
>>>>
>>>> Waiting for your response!
>>>>
>>>> On Wednesday, March 2, 2022 at 7:16:14 AM UTC+1 AKSHA GANDHI wrote:
>>>>
>>>>> Hi Ossec Team,
>>>>>
>>>>> Can anyone please review this and help.
>>>>>
>>>>> Thanks in Advance.
>>>>> Aksha
>>>>>
>>>>> On Friday, February 25, 2022 at 7:17:18 PM UTC+5:30 AKSHA GANDHI wrote:
>>>>>
>>>>>> Hi,
>>>>>> 1. Active response is getting triggered for both Rule ID 550,554 if the <expect> parameter is kept blank.
>>>>>> 2. If the <expect> parameter is given the value FILENAME then active response is not getting triggered for RULE ID 554 but is getting triggered for RULE ID 550.
>>>>>> 3. Not receiving any error logs.
>>>>>> 4. Kindly find the details of the ossec.conf file for which Active response is not getting triggered for RULE ID 554.
>>>>>>
>>>>>> ---- ossec.conf -----
>>>>>>     <command>
>>>>>>       <name>Test</name>
>>>>>>       <executable>syscheck-all.sh</executable>
>>>>>>       <expect>FILENAME</expect>
>>>>>>     </command>
>>>>>>     <active-response>
>>>>>>       <disabled>no</disabled>
>>>>>>       <command>Test</command>
>>>>>>       <location>defined-agent</location>
>>>>>>       <agent_id>78</agent_id>
>>>>>>       <rules_id>554,550</rules_id>
>>>>>>     </active-response>
>>>>>> --- ossec.conf ---
>>>>>>
>>>>>> Please help troubleshoot the issue.
>>>>>>
>>>>>> Thanks & Regards
>>>>>> Aksha
>>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/70ad8924-11df-43cb-a543-5ca4f96a40a0n%40googlegroups.com.
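The argument convention laid out in the thread, as an added example that is not code from the thread or from the linked nsm-tools repository: a minimal POSIX sh active-response script for the pre-4.2 positional convention that logs every argument with its index (the diagnostic recommended above) and locates the syscheck path by shape rather than by a fixed position, because the manager log in the thread shows AGENT as one token (`syscheck`) while the agent log shows two (`(assetname) 192.168.71.33->syscheck`), which pushes the path from $7 to $8. The function names and the `AR_LOG` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from nsm-tools). Pre-4.2 OSSEC/Wazuh execd
# passes positional arguments in this order:
#   $0 SCRIPT-NAME  $1 ACTION  $2 USER  $3 IP  $4 ALERT-ID  $5 RULE-ID  $6 AGENT  $7 FILENAME
# The thread's logs show AGENT may arrive as two tokens ("(assetname) 192.168.71.33->syscheck"),
# shifting the path to $8, and a missing path arriving as "-" or "(null)".

# Print every argument with its position, quoted, so active-responses.log shows
# unambiguously which position carries the filename (spaces included).
ar_dump_args() {
    i=1
    for arg; do
        printf '$%d=[%s]\n' "$i" "$arg"
        i=$((i + 1))
    done
}

# Print the syscheck path wherever it sits: the first argument after RULE-ID ($5)
# that is an absolute path. Prints nothing for "-", "(null)" or no path at all.
ar_find_path() {
    i=1
    for arg; do
        if [ "$i" -gt 5 ]; then
            case "$arg" in /*) printf '%s' "$arg"; return 0 ;; esac
        fi
        i=$((i + 1))
    done
    return 0
}

# yes/no: act only on the syscheck rules seen in the thread and only with a real path.
ar_should_act() {
    case "$5" in 550|551|554) ;; *) printf 'no'; return 0 ;; esac
    if [ -n "$(ar_find_path "$@")" ]; then printf 'yes'; else printf 'no'; fi
}

# Entry point when execd invokes the script. AR_LOG is an assumed override so the
# script can be exercised without writing to the real log.
ar_main() {
    log="${AR_LOG:-/var/ossec/logs/active-responses.log}"
    {
        printf '%s %s rule=%s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$0" "$5"
        ar_dump_args "$@"
    } >> "$log"
    if [ "$(ar_should_act "$@")" = yes ]; then
        printf 'acting on %s\n' "$(ar_find_path "$@")" >> "$log"   # real remediation goes here
    fi
}
if [ "$#" -gt 0 ]; then ar_main "$@"; fi   # runs only when execd passes arguments
```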