os-wazuh-agent does not update alias when active-response plugin is called

Started by Haddock27, March 24, 2025, 03:49:15 PM

os-wazuh-agent correctly connects to Wazuh and I can see logs from OPNsense in Wazuh. I can also send a test active-response from Wazuh and I can see that this is received by OPNsense. However, the alias does not get updated. These are the logs:
2025-03-25T02:42:07 wazuh-execd[98236] execd.c 271 at ExecdRun(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/opnsense-fw'
2025-03-25T02:42:07 wazuh-execd[98236] execd.c 256 at ExecdRun(): DEBUG: Executing command 'active-response/bin/opnsense-fw {"version":1,"origin":{"name":null,"module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"data":{"srcip":"172.16.1.30"}},"program":"active-response/bin/opnsense-fw"}}'
2025-03-25T02:42:07 wazuh-execd[98236] execd.c 494 at ExecdStart(): DEBUG: Received message: '{"version": 1, "origin": {"name": null, "module": "API"}, "command": "!opnsense-fw", "parameters": {"extra_args": [], "alert": {"data": {"srcip": "172.16.1.30"}}}}'
2025-03-25T02:42:07 wazuh-agentd[1729] receiver.c 96 at receive_msg(): DEBUG: Received message: '#!-execd {"version": 1, "origin": {"name": null, "module": "API"}, "command": "!opnsense-fw", "parameters": {"extra_args": [], "alert": {"data": {"srcip": "172.16.1.30"}}}}'
The problem is that `active-response/bin/opnsense-fw` does not alter the alias. Has anyone got this working? I am using os-wazuh-agent 1.0_2.
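The execd log above shows that the agent does hand the JSON message to the script, so the question is what the script does with it. The following is an added example, not the os-wazuh-agent plugin's own script, of the shape such an active-response handler takes: it reads the execd message from stdin, validates the command and the source IP, logs every step, and only then touches the firewall. The alias name `wazuh_blocklist`, the log path and the use of `pfctl` against the pf table OPNsense creates for an alias are assumptions for the example; the sample message is a constructed copy of the one in the log above.

```python
"""Skeleton Wazuh active-response handler for an OPNsense alias.

Added example (not the plugin's code): parse the execd message, validate it,
log what happened, and add/delete the IP in a pf table.
"""
import ipaddress
import json
import subprocess
import sys
from datetime import datetime, timezone

# Assumptions for this example (not from the thread): alias name and log file.
ALIAS_NAME = "wazuh_blocklist"
LOG_FILE = "/var/ossec/logs/active-responses.log"

# Constructed copy of the message wazuh-execd passed to the script in the thread.
SAMPLE_MESSAGE = (
    '{"version":1,"origin":{"name":null,"module":"wazuh-execd"},'
    '"command":"add","parameters":{"extra_args":[],"alert":{"data":'
    '{"srcip":"172.16.1.30"}},"program":"active-response/bin/opnsense-fw"}}'
)


def parse_ar_message(raw):
    """Validate the execd JSON and return (command, ip).

    Raises ValueError (or KeyError) on anything unexpected so the failure is
    logged instead of the alias silently staying unchanged.
    """
    msg = json.loads(raw)
    if msg.get("version") != 1:
        raise ValueError("unsupported message version: %r" % msg.get("version"))
    command = msg.get("command")
    if command not in ("add", "delete"):
        raise ValueError("unsupported command: %r" % command)
    srcip = msg["parameters"]["alert"]["data"]["srcip"]
    ip = ipaddress.ip_address(srcip)  # rejects garbage before it reaches pfctl
    return command, str(ip)


def pfctl_argv(command, ip, alias=ALIAS_NAME):
    """Build the pfctl call; OPNsense loads an alias as a pf table of that name."""
    action = "add" if command == "add" else "delete"
    return ["pfctl", "-t", alias, "-T", action, ip]


def log(line):
    """Append a timestamped line so the execd/script hand-off can be traced."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with open(LOG_FILE, "a") as fh:
        fh.write("%s opnsense-fw: %s\n" % (stamp, line))


def main(dry_run=False):
    raw = sys.stdin.readline()
    log("received: %s" % raw.strip())
    try:
        command, ip = parse_ar_message(raw)
    except (ValueError, KeyError) as exc:  # JSONDecodeError is a ValueError
        log("rejected message: %s" % exc)
        return 1
    argv = pfctl_argv(command, ip)
    log("running: %s" % " ".join(argv))
    if dry_run:
        return 0
    result = subprocess.run(argv, capture_output=True, text=True)
    if result.returncode != 0:
        log("pfctl failed (%d): %s" % (result.returncode, result.stderr.strip()))
        return result.returncode
    log("%s %s in table %s" % (command, ip, ALIAS_NAME))
    return 0


if __name__ == "__main__":
    sys.exit(main(dry_run="--dry-run" in sys.argv))
```

Run it with `--dry-run` and the message piped to stdin to confirm the parse and the log entry before letting it call `pfctl`. Note that a `pfctl -T add` changes only the running pf table; a filter reload rebuilds the alias from the saved configuration, so a handler that must survive reloads has to update the alias through OPNsense's own configuration interface as well.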

Look into the command the active-response is running and ensure it is formatted correctly. You might need to add additional logging within the script to ensure it's being executed properly.

Hi, I have quite the same problem. The Wazuh agent does not update the alias "sometimes". It receives commands, but sometimes they are processed and sometimes the IPs are not inserted into the list.

I noticed that the log file for active response reports: opnsense-fw   Aborted

I still have this problem on every OPNsense.

With debug level high I see:

wazuh-logcollector[2206] read_syslog.c 104 at read_syslog(): DEBUG: Reading syslog message: '2025/05/21 18:08:45 opnsense-fw: Aborted'

I once wrote to the author of the plugin; he said that everything works there, and that was the end of it.

Check and see if the key from the agent is in the server. If not, manually put it in.

Here is what I did, don't know if it will help you. I've gotten the Wazuh SIEM server working on Linux Mint 22 on one box and OPNsense as an agent on another box.
On the server, which is LM22, I did an update and installed JDK via Synaptic, which was 4 or 5 files.
Then I used the Wazuh quickstart for Ubuntu and followed the directions on their documentation page,
which was cut and paste one line; it's a curl command and runs a script.
Then the Wazuh server page appears.
Then open a terminal on the server and go to /var/ossec/bin.
On the command line run ./manage_agents; this will create a new agent.
Type A for add and enter the hostname of the OPNsense router and its IP; then quit.
Then run the command again and type L for List.
Then type I to get a key for that agent, copy and save it, then exit.

Next, on the OPNsense box, I install the Wazuh agent from plugins.
Reboot and enable wazuh-agent, set the manager hostname... the IP of the Wazuh server on the LAN, which is the LAN address.
The authentication password is your hostname on OPNsense, which is opnsense.somethingdomain or whatever you changed it to.
It is your hostname in the OPNsense dashboard, and at the top right on the Wazuh agent GUI page.
It is also what you set as the name of the wazuh-agent on the Wazuh server on the other box.
Then ssh into OPNsense and go to /var/ossec/bin.
On the command line enter ./manage_agents.
Your agent will show up and it will ask if you want to enter a key; paste the key from the server here. Exit, reboot.

Remember to open TCP ports 1515 and 1514 on both the server box and the OPNsense box.
Reboot the operating system or use systemctl to shut down the server first, then power down.
Don't think this part below is needed any more:
sudo systemctl stop wazuh-indexer
sudo systemctl stop wazuh-dashboard
sudo systemctl stop wazuh-server
Lately on new installs something has changed and I don't have to do manual starts or stops.