24.1 Production Series / Wazuh active response doesn't work
« on: March 04, 2024, 12:34:55 am »
Trying to configure Wazuh active response... events to the server Wazuh sends... and triggered, but the plugin on the router gives an error:
Code:
wazuh-execd[8576] execd.c 271 at ExecdRun(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/opnsense-fw'
and in SERVICES: WAZUH AGENT: LOGFILE / OSSEC:
Code:
wazuh-logcollector[70753] logcollector.c 1101 at handle_file(): DEBUG: (1963): Unable to open file '/var/ossec/logs/active-responses.log'.
wazuh server settings:
Code:
<command>
  <name>opnsense-fw</name>
  <executable>opnsense-fw</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <disabled>no</disabled>
  <command>opnsense-fw</command>
  <location>all</location>
  <rules_group>attack</rules_group>
  <timeout>180</timeout>
</active-response>
opnsense wazuh plugin settings:
Code:
<!-- Active response -->
<active-response>
  <disabled>no</disabled>
  <repeated_offenders>180,1800,3600,14400,28800</repeated_offenders>
</active-response>
I have tried different variants with the exact agent index and without repeated blocking, the error is still present.
Who has this plugin working, can you tell me what I'm doing wrong? :'(
os-wazuh-agent 1.0_1
OPNsense24.1.2_1-amd64 OPNsense 24.1.4-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13
UPD. Maybe it's related: the health check finds 2 errors in the Wazuh agent plugin:
Code:
wazuh-agent is missing a required shared library: libthr.so.3
wazuh-agent is missing a required shared library: libc.so.7
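
The wazuh-execd debug line in the post refers to the "alert keys" message that a timeout-enabled (stateful) active response script is expected to send back after reading the alert. The following is an added example of that exchange, not the opnsense-fw script and not code from the original post; the message fields are assumed from Wazuh's documented custom active response format, and the script name `example-ar` and the sample alert are constructed.

```python
import io
import json

def read_message(stream):
    """Read one JSON message (one line) from execd; None on EOF or bad JSON."""
    line = stream.readline()
    try:
        return json.loads(line) if line.strip() else None
    except json.JSONDecodeError:
        return None

def handle(stdin, stdout, name="example-ar"):
    """Process one request; returns (action, srcip) instead of touching a firewall."""
    request = read_message(stdin)
    if not request or request.get("command") not in ("add", "delete"):
        return ("invalid", None)
    alert = request.get("parameters", {}).get("alert", {})
    srcip = alert.get("data", {}).get("srcip")
    if not srcip:
        return ("invalid", None)
    if request["command"] == "delete":      # timeout expired: undo the block
        return ("unblock", srcip)
    # Stateful step: report the alert keys, then wait for continue/abort.
    keys_msg = {"version": 1,
                "origin": {"name": name, "module": "active-response"},
                "command": "check_keys",
                "parameters": {"keys": [srcip]}}
    stdout.write(json.dumps(keys_msg) + "\n")
    stdout.flush()
    reply = read_message(stdin)
    if not reply or reply.get("command") != "continue":
        return ("abort", srcip)             # duplicate alert or no answer: do nothing
    return ("block", srcip)

def sample(command):
    """Constructed execd message (values are made up for the example)."""
    return json.dumps({"version": 1,
                       "origin": {"name": "node01", "module": "wazuh-execd"},
                       "command": command,
                       "parameters": {"extra_args": [],
                                      "alert": {"data": {"srcip": "192.0.2.10"}}}})

if __name__ == "__main__":
    out = io.StringIO()
    print(handle(io.StringIO(sample("add") + "\n" + sample("continue") + "\n"), out))
    print(out.getvalue().strip())
```

A script that performs its action without writing the `check_keys` line gives execd nothing to register for the later `delete` call.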