I see your point. I thought you were talking about the *integratord*. I never tried it using AR, but in your active-response configuration I see:

> <location>local</location>

It means that OSSEC is going to execute the script in the agent that generated the event. So, you must configure your slack script in every agent. I think for this reason Daniel Cid created the integratord.

<https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html>

I hope it helps.

On Tuesday, May 23, 2017 at 12:46:36 PM UTC+2, Fredrik Hilmersson wrote:
>
> Hello again Jesus,
>
> As I did state, so we're not misunderstanding each other, I do not run the wazuh forked version, but the 2.9.0 OSSEC version.
> These are the configuration settings I've got:
>
> ossec-slack.sh
>
> SLACKUSER="ossec"
> CHANNEL="#channel"
> SITE="https://hooks.slack.com/services/..."
> SOURCE="ossec2slack"
>
> ossec.conf
>
> <command>
>   <name>ossec-slack</name>
>   <executable>ossec-slack.sh</executable>
>   <expect></expect> <!-- no expect args required -->
>   <timeout_allowed>no</timeout_allowed>
> </command>
>
> <active-response>
>   <command>ossec-slack</command>
>   <location>local</location>
>   <level>7</level>
> </active-response>
>
> Kind regards,
> Fredrik
>
> On Tuesday, May 23, 2017 at 11:08:51 UTC+2, Jesus Linares wrote:
>>
>> Hi Fredrik,
>>
>> this is the flow:
>>
>> - The integrator reads the alerts from alerts*.log* filtering by *rule_id*, *level*, *group* or *event_location*.
>> - It executes the script using the arguments *hook_url* and *api_key*.
>> - The slack script sends the alert to slack.
>>
>>> Clarification: The host specific alerts are sent to slack but the agent alerts are being ignored.
>>
>> Review your integrator configuration, maybe you have a filter to get only alerts in the current host. Share here the config.
>>
>> Regards.
>>
>> On Tuesday, May 23, 2017 at 10:55:55 AM UTC+2, Fredrik Hilmersson wrote:
>>>
>>> Clarification: The host specific alerts are sent to slack but the agent alerts are being ignored.
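
Added example, not part of the thread or of OSSEC itself: a small Python audit of the `<location>` behaviour discussed above, listing each active-response in an ossec.conf and whether its executable has to be installed on agents. The sample configuration is constructed from the snippet quoted in the thread plus a hypothetical second block using `server`; the function name `audit_active_responses` is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <command>/<active-response> pair quoted in the thread,
# plus a second, hypothetical active-response using "server" for comparison.
SAMPLE_CONF = """
<ossec_config>
  <command>
    <name>ossec-slack</name>
    <executable>ossec-slack.sh</executable>
    <expect></expect> <!-- no expect args required -->
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>ossec-slack</command>
    <location>local</location>
    <level>7</level>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>ossec-slack</command>
    <location>server</location>
    <level>10</level>
  </active-response>
</ossec_config>
"""

def audit_active_responses(conf_text):
    """Return (command, executable, location, level, needed_on_agents) per block."""
    # ossec.conf may contain several <ossec_config> roots, which is not
    # well-formed XML on its own, so wrap the text in one synthetic root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    # <command> definitions have a <name> child; the <command> element inside
    # <active-response> is only a reference and has none.
    executables = {c.findtext("name").strip(): (c.findtext("executable") or "").strip()
                   for c in root.iter("command") if c.find("name") is not None}
    findings = []
    for ar in root.iter("active-response"):
        name = (ar.findtext("command") or "").strip()
        location = (ar.findtext("location") or "").strip()
        level = int(ar.findtext("level") or 0)
        # Only "server" keeps execution on the manager; "local",
        # "defined-agent" and "all" run the script on agents, so the
        # executable has to be installed there.
        findings.append((name, executables.get(name), location, level,
                         location != "server"))
    return findings

if __name__ == "__main__":
    for finding in audit_active_responses(SAMPLE_CONF):
        print(finding)
```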