Thanks everyone for the feedback and support. It all made sense and your comment did guide me to resolve it; it wasn't any harder than updating the <location> section and adding the agent ID, e.g.:
<active-response>
  <command>ossec-slack</command>
  <location>server,AGENT.ID</location>
  <level>7</level>
</active-response>

On Tuesday, 23 May 2017 at 16:18:29 UTC+2, Jesus Linares wrote:
>
> I see your point.. I thought you were talking about the integratord.
>
> I never tried it using AR, but in your active-response configuration I see:
>
>> <location>local</location>
>
> It means that OSSEC is going to execute the script in the agent that
> generated the event. So, you must configure your slack script in every
> agent. I think for this reason Daniel Cid created the integratord.
> <https://blog.sucuri.net/2016/01/server-security-integrating-ossec-with-slack-and-pagerduty.html>
>
> I hope it helps.
>
> On Tuesday, May 23, 2017 at 12:46:36 PM UTC+2, Fredrik Hilmersson wrote:
>>
>> Hello again Jesus,
>>
>> As I did state, so we're not misunderstanding each other, I do not run
>> the wazuh forked version, but the 2.9.0 OSSEC version.
>> These are the configuration settings I've got:
>>
>> ossec-slack.sh
>>
>> SLACKUSER="ossec"
>> CHANNEL="#channel"
>> SITE="https://hooks.slack.com/services/..."
>> SOURCE="ossec2slack"
>>
>> ossec.conf
>>
>> <command>
>>   <name>ossec-slack</name>
>>   <executable>ossec-slack.sh</executable>
>>   <expect></expect> <!-- no expect args required -->
>>   <timeout_allowed>no</timeout_allowed>
>> </command>
>>
>> <active-response>
>>   <command>ossec-slack</command>
>>   <location>local</location>
>>   <level>7</level>
>> </active-response>
>>
>> Kind regards,
>> Fredrik
>>
>> On Tuesday, 23 May 2017 at 11:08:51 UTC+2, Jesus Linares wrote:
>>>
>>> Hi Fredrik,
>>>
>>> this is the flow:
>>>
>>> - The integrator reads the alerts from alerts.log, filtering by
>>>   rule_id, level, group or event_location.
>>> - It executes the script using the arguments hook_url and api_key.
>>> - The slack script sends the alert to slack.
>>>
>>>> Clarification: The host specific alerts are sent to slack but the agent
>>>> alerts are being ignored.
>>>
>>> Review your integrator configuration, maybe you have a filter to get
>>> only alerts in the current host. Share here the config.
>>>
>>> Regards.
>>>
>>> On Tuesday, May 23, 2017 at 10:55:55 AM UTC+2, Fredrik Hilmersson wrote:
>>>>
>>>> Clarification: The host specific alerts are sent to slack but the agent
>>>> alerts are being ignored.
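The integrator flow Jesus describes above (read alerts, filter by rule_id, level, group or event_location, hand the alert to a script) is illustrated below as an added example; it is not OSSEC's integratord or the ossec-slack.sh script from the thread. The alert lines are constructed in the general shape of OSSEC's alerts.json output, and the field names ("rule", "sidid", "groups", "location"), the regex for agent-prefixed locations and the `send` callback standing in for the Slack script are all assumptions. It also reproduces the symptom Fredrik reported: a location filter that only matches manager-local paths silently drops every agent alert.

```python
"""Integrator-style alert filter (added illustration; not OSSEC's integratord).

The alert lines below are constructed, not real captures, and follow the
OSSEC convention that agent-originated events carry a location of the form
"(agent_name) ip->logfile" while manager-local events carry only the path.
"""
import json
import re
from typing import Callable, Iterable, List, Optional, Set, Tuple

# Constructed sample alerts in an alerts.json-like shape (field names assumed).
SAMPLE_ALERTS = [
    '{"rule":{"level":7,"sidid":5710,"groups":["syslog","sshd","authentication_failed"]},'
    '"location":"/var/log/auth.log","full_log":"sshd: invalid user admin from 10.0.0.9"}',
    '{"rule":{"level":10,"sidid":5712,"groups":["syslog","sshd","authentication_failures"]},'
    '"location":"(web01) 10.0.0.5->/var/log/auth.log","full_log":"sshd: brute force from 10.0.0.9"}',
    '{"rule":{"level":3,"sidid":5501,"groups":["pam","syslog"]},'
    '"location":"(web01) 10.0.0.5->/var/log/auth.log","full_log":"pam: session opened"}',
]

# Agent-originated alerts: "(agent) ip->log". Anything else is manager-local.
AGENT_LOCATION = re.compile(r"^\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<log>.+)$")


def alert_origin(alert: dict) -> str:
    """Return the agent name for agent-originated alerts, else 'manager'."""
    m = AGENT_LOCATION.match(alert.get("location", ""))
    return m.group("agent") if m else "manager"


def matches(alert: dict, *, min_level: int = 0, rule_ids: Optional[Set[int]] = None,
            group: Optional[str] = None, location: Optional[str] = None) -> bool:
    """Apply the integrator-style filters: level, rule_id, group, event_location.

    A filter left at None is not applied. `location` is treated as a regex
    searched in the raw location string (an assumption about how a location
    filter would behave; the thread does not specify the matching rule).
    """
    rule = alert["rule"]
    if rule["level"] < min_level:
        return False
    if rule_ids is not None and rule["sidid"] not in rule_ids:
        return False
    if group is not None and group not in rule.get("groups", []):
        return False
    if location is not None and not re.search(location, alert.get("location", "")):
        return False
    return True


def build_payload(alert: dict) -> dict:
    """Shape the message the downstream script would post (Slack-style 'text' key)."""
    rule = alert["rule"]
    return {"text": f"[{alert_origin(alert)}] level {rule['level']} rule {rule['sidid']}: "
                    f"{alert['full_log']}"}


def run_integration(lines: Iterable[str], send: Callable[[dict], None],
                    **filters) -> List[Tuple[str, int]]:
    """Parse JSON alert lines, keep those passing the filters, hand each to send().

    `send` stands in for executing the script with hook_url/api_key; nothing
    touches the network here. Returns (origin, rule_id) for each forwarded alert.
    """
    forwarded: List[Tuple[str, int]] = []
    for line in lines:
        alert = json.loads(line)
        if matches(alert, **filters):
            send(build_payload(alert))
            forwarded.append((alert_origin(alert), alert["rule"]["sidid"]))
    return forwarded


if __name__ == "__main__":
    # Level filter alone: both the manager alert and the agent alert are forwarded.
    print(run_integration(SAMPLE_ALERTS, print, min_level=7))
    # A location filter anchored to a bare path matches only manager-local
    # events, so agent alerts vanish: the "agent alerts are being ignored" case.
    print(run_integration(SAMPLE_ALERTS, print, min_level=7, location=r"^/var/log"))
```

When debugging a "host alerts arrive, agent alerts don't" situation, the second call is the check to run mentally against your own config: any event_location filter that does not allow for the "(agent) ip->" prefix excludes every agent.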