Hi, you are totally right. Active response configuration should allow any field: srcip, user, port, dynamic fields <https://documentation.wazuh.com/current/user-manual/ruleset/dynamic-fields.html>, etc. It is on the Wazuh roadmap.
> It doesn't work, a real shame... It will only work if you don't have spaces in your log line.

Could you share your log and your decoders? Thanks. Regards.

On Wednesday, June 28, 2017 at 6:21:57 PM UTC+2, Guy Or wrote:

>> It doesn't work, a real shame... It will only work if you don't have spaces in your log line.
>
> This is really really really annoying lol... all that is needed is to wrap with ' ' the argument (log line with spaces and all sorts of characters) when you pass it to the active response script (works when I manually run it), but I as a user cannot do that, it's ossec's code.... also why limit the arguments to srcip and user? What are the other parameters for (extra_data etc....)? Just logging, it seems, and some rule filtering, which kills the level of logic you can have in the active response script.
>
> Maybe in ossec 3.......
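The breakage Guy describes (a log line with spaces arriving at the active-response script as many separate words) is ordinary shell word-splitting of an unquoted expansion. The following is an added example, not code from the thread or from the OSSEC project: `ar_argc` and `ar_third` are stand-ins for an active-response script, the argument positions (action, user, extra value in third place) are an assumption, and the log line is a constructed sample. It shows what the script sees when the caller expands the value unquoted versus quoted.

```shell
#!/bin/sh
# Added example (not OSSEC's own code). Demonstrates why an argument that
# contains spaces is delivered broken when expanded unquoted, and that
# quoting it ("$1") delivers it intact as a single argument.

# Constructed sample log line with spaces; not a real captured log.
SAMPLE_LOG='Jun 28 18:21:57 host sshd: Failed password for root from 10.0.0.5 port 2222 ssh2'

# Stand-in for an active-response script: prints how many arguments it got.
ar_argc() {
    printf '%s\n' "$#"
}

# Stand-in that prints only its third argument (assumed to be the extra value).
ar_third() {
    printf '%s\n' "$3"
}

# Caller that expands the value unquoted: the shell splits it on whitespace,
# so the script receives one argument per word of the log line.
call_unquoted() {
    ar_argc add - $1
}

# Caller that quotes the value: it arrives as exactly one argument.
call_quoted() {
    ar_argc add - "$1"
}

# Same comparison, looking at what the script sees as its third argument.
third_unquoted() {
    ar_third add - $1
}

third_quoted() {
    ar_third add - "$1"
}

# Convenience wrappers that run the comparison on the sample line.
# Unquoted: "add", "-", plus 14 words of the log line = 16 arguments.
count_unquoted() { call_unquoted "$SAMPLE_LOG"; }
# Quoted: "add", "-", and the whole log line = 3 arguments.
count_quoted()   { call_quoted "$SAMPLE_LOG"; }

# A script that forwards its arguments onward must also use "$@" (not $*),
# otherwise the same split happens one hop later.
forward_all() {
    ar_argc "$@"
}
```

Run it and compare `count_unquoted` (16) with `count_quoted` (3): the quoted call is the only one where the script's third argument is the complete log line. The same rule applies inside the script itself when it hands the values to another command, hence `"$@"` in `forward_all`.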
