Hi Annie,

As I can see in the command configuration, you used the *expect* option with *srcip*. This means that the alert that triggered the active response must have a *srcip* field, as the *srcip* value will be used in the script.
In the active response configuration, you used the *level* option with value *5*. This means that all the alerts with level equal to or higher than 5 will trigger the active response script. Taking these 2 statements into account, the following could be happening: an event with level>=5 but without a srcip field is being generated, and therefore the active response script is not being executed. Could you check this?

Also, note that you are using *all* in the *location* option. This means that the active response script will be executed on all agents when AR is triggered. The *all* option should be used with caution because maybe this is not the use case you are looking for. If you use *local*, the AR script is executed on the agent that generated the event. If you use *server*, the AR script is run on the manager the agent is reporting to. You can find more information about this option here <https://documentation.wazuh.com/3.13/user-manual/reference/ossec-conf/active-response.html#location>.

On Sunday, May 1, 2022 at 2:20:01 PM UTC+2 [email protected] wrote:
> Hi all,
> This is my active response configuration on centos server:
>
> <command>
>   <name>win_nullroute</name>
>   <executable>route-null.cmd</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
>   <disabled>no</disabled>
>   <command>win_nullroute</command>
>   <location>all</location>
>   <level>5</level>
>   <timeout>60</timeout>
> </active-response>
>
> I have enabled AR on windows agent, but it is not executed when an event
> of level>=5 is fired.
> I am using wazuh 3.13 version, windows 10
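The check the reply asks for (which level>=5 alerts lack the field that `<expect>srcip</expect>` needs) can be done offline against the manager's alerts.json. The script below is an added example, not code from the thread or from Wazuh; the alert lines are constructed, and it assumes the decoded source address lives under `data.srcip`, which is where the AR `expect` lookup reads it from in the 3.x alert layout (verify against your own alerts.json). It mirrors the two conditions in the posted configuration: the level threshold and the expected field.

```python
import json

# Constructed sample alerts.json lines (not from the original thread). Rule IDs,
# agent names and addresses are illustrative only.
SAMPLE_ALERTS = """
{"rule": {"level": 5, "id": "5710", "description": "sshd: attempt to login using a non-existent user"}, "agent": {"id": "001", "name": "win10"}, "data": {"srcip": "203.0.113.7"}}
{"rule": {"level": 7, "id": "60122", "description": "Windows logon failure"}, "agent": {"id": "001", "name": "win10"}, "data": {"win": {"eventdata": {"ipAddress": "198.51.100.9"}}}}
{"rule": {"level": 3, "id": "5501", "description": "Login session opened"}, "agent": {"id": "001", "name": "win10"}, "data": {"srcip": "192.0.2.4"}}
{"rule": {"level": 10, "id": "100010", "description": "Custom rule with no network context"}, "agent": {"id": "001", "name": "win10"}, "data": {}}
"""


def parse_alerts(text):
    """alerts.json is one JSON object per line; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def would_fire(alert, min_level=5, expect="srcip"):
    """Return (level_ok, has_field) for the two AR gates in the posted config.

    Assumption: the field named in <expect> is looked up in the alert's decoded
    'data' object, so 'srcip' must exist as data.srcip.
    """
    level_ok = alert.get("rule", {}).get("level", 0) >= min_level
    has_field = expect in alert.get("data", {})
    return level_ok, has_field


def classify(alerts, min_level=5, expect="srcip"):
    """Split alerts above the threshold into those that would run the AR
    and those that silently would not because the expected field is absent."""
    fires, missing = [], []
    for alert in alerts:
        level_ok, has_field = would_fire(alert, min_level, expect)
        if not level_ok:
            continue  # below <level>, AR is never considered
        (fires if has_field else missing).append(alert["rule"]["id"])
    return fires, missing


if __name__ == "__main__":
    fires, missing = classify(parse_alerts(SAMPLE_ALERTS))
    print("would trigger AR   :", fires)
    print("level ok, no srcip :", missing)
```

Running it on a real file (`classify(parse_alerts(open('/var/ossec/logs/alerts/alerts.json').read()))`) lists the rule IDs that clear the level threshold but carry no `srcip`, which is exactly the situation the reply suspects. In the constructed sample, the Windows logon alert carries its address in a different field, so despite being level 7 it would not satisfy `expect srcip`.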
