Wazuh active response dosn't work

[_tribal_]

Trying to configure wazuh active response... events to the server wazuh sends...and triggered, but the plugin on the router gives an error :

Code: [Select]

wazuh-execd[8576] execd.c 271 at ExecdRun(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/opnsense-fw'
and  in SERVICES: WAZUH AGENT: LOGFILE / OSSEC:

Code: [Select]

wazuh-logcollector[70753] logcollector.c 1101 at handle_file(): DEBUG: (1963): Unable to open file '/var/ossec/logs/active-responses.log'.
wazuh server settings:

Code: [Select]

  <command>
    <name>opnsense-fw</name>
    <executable>opnsense-fw</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>opnsense-fw</command>
    <location>all</location>
    <rules_group>attack</rules_group>
    <timeout>180</timeout>
  </active-response>
opnsense wazuh plugin settings:

Code: [Select]

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <repeated_offenders>180,1800,3600,14400,28800</repeated_offenders>
  </active-response>
I have tried different variants with the exact agent index and without repeated blocking, the error is still present.

Who has this plugin working, can you tell me what I'm doing wrong? :'(

os-wazuh-agent 1.0_1
OPNsense 24.1.2_1-amd64 OPNsense 24.1.4-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13

UPD. maybe it's related with health check finds 2 errors in wazuh agent plugin:

Code: [Select]

wazuh-agent is missing a required shared library: libthr.so.3
wazuh-agent is missing a required shared library: libc.so.7

[mimugmail]

Active response is on the Manager, not the agent, correct?

[_tribal_]

I didn't quite understand the question.
Active response hould be configured in both agent and manager. I took the settings for agent (opnsense plugin) and manager (separate server) from OPNsense documentation, with a small modification from Wazuh documentation (added intervals of address repeat blocking). But when the rule is triggered in the manager, the address that should be added to the alias for blocking is not forwarded to the agent, instead I get an error message, which I showed in my post.

[mimugmail]

Active response doesnt need an agent. The manager can execute the script and send the api call to OPNsense

[_tribal_]

Okay, then why am I seeing this error in the wazuh agent log?

Code: [Select]

wazuh-execd[8576] execd.c 271 at ExecdRun(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/opnsense-fw'
And ip address does not appear in FIREWALL: ALIASES: __wazuh_agent_drop 

That's what I wrote about in the original post.