ossec-slack active-response on ossec agent


I'm testing OSSEC as our IDPS solution. I chose the one-server-multiple-agents configuration, as the agents will be installed on instances within an autoscaling group. I've managed to make everything work; however, the Slack integration doesn't seem to work on the agents.

These are the configurations I've tried, with little success:

  <command>
    <name>ossec-slack</name>
    <executable>ossec-slack.sh</executable>
    <expect></expect> <!-- no expect args required -->
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>ossec-slack</command>
    <location>local</location> <!-- run on the agent that generated the alert -->
    <level>3</level>
  </active-response>

With this on the server, I'll get the alerts for server-related logs only, and adding this directly to the agent will trigger empty alerts on Slack.

  <command>
    <name>ossec-slack</name>
    <executable>ossec-slack.sh</executable>
    <expect></expect> <!-- no expect args required -->
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>ossec-slack</command>
    <location>all</location> <!-- run on every agent -->
    <level>3</level>
  </active-response>

This does not work at all, and the same goes for <agent_id>.

The closest I got was empty alerts on Slack sent from the agent's ossec-slack.sh script, but to my understanding that doesn't make sense, as the alert should be sent from the server and not from the agent itself.

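An added example, not code from the original post or from the OSSEC project, showing why `<location>` matters for this integration. The manager's analysisd decides which active responses fire; `<location>` only selects where the command runs: `local` is the agent that produced the alert, `server` is the manager, `defined-agent` with `<agent_id>` is one named agent, and `all` is every agent. The stock ossec-slack.sh builds its Slack message by looking up the alert ID it is handed as `$4` in the manager's `logs/alerts/alerts.log`, a file that agents do not have, so an agent-side run has no alert text to post. The script below mirrors that lookup against a constructed alerts.log and shows the manager and agent cases side by side; the alert IDs, hostnames, addresses and the `SLACK_WEBHOOK` variable are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OSSEC project.
# Active-response scripts are invoked as
#   <script> <action> <user> <srcip> <alert_id> <rule_id> <agent> <filename>
# and ossec-slack.sh takes the alert ID ($4) and greps the alert text out of
# <ossec_dir>/logs/alerts/alerts.log before posting it to a Slack webhook.
# Only the manager has alerts.log, so the same command run on an agent
# (location "local" or "all") has nothing to post.

# extract_alert ALERT_ID ALERTS_LOG
# Print the block for ALERT_ID, from its "** Alert" header up to the blank
# line that ends it. Prints nothing if the file is missing (the agent case)
# or the ID is not in it.
extract_alert() {
    id=$1
    log=$2
    [ -r "$log" ] || return 0
    awk -v id="$id" '
        index($0, "** Alert " id ":") == 1 { p = 1 }
        p && /^$/                          { exit }
        p                                  { print }
    ' "$log"
}

# slack_payload CHANNEL ALERT_ID ALERTS_LOG
# Build the incoming-webhook JSON for the alert. Returns 1 and prints nothing
# when there is no alert text, so the caller never posts an empty message.
slack_payload() {
    channel=$1
    id=$2
    log=$3
    body=$(extract_alert "$id" "$log" \
        | sed 's/\\/\\\\/g; s/"/\\"/g' \
        | awk '{ printf "%s\\n", $0 }')   # one JSON string, \n between lines
    [ -n "$body" ] || return 1
    printf '{"channel":"%s","username":"ossec","text":"%s"}\n' "$channel" "$body"
}

# post_to_slack CHANNEL ALERT_ID ALERTS_LOG
# Sends the payload if SLACK_WEBHOOK (an assumed environment variable, not
# part of OSSEC) is set; otherwise prints it, so the demo runs offline.
post_to_slack() {
    payload=$(slack_payload "$@") || return 1
    if [ -n "${SLACK_WEBHOOK:-}" ]; then
        curl -s -X POST --data-urlencode "payload=$payload" "$SLACK_WEBHOOK"
    else
        printf '%s\n' "$payload"
    fi
}

# write_sample_log PATH
# Constructed sample of the manager's alerts.log: one agent alert and one
# manager-local alert. Hostnames, IDs and addresses are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
** Alert 1409173180.13584: - syslog,sshd,authentication_failed,
2014 Aug 27 22:06:20 (web-01) 10.0.1.12->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Aug 27 22:06:19 web-01 sshd[2310]: Failed password for root from 203.0.113.7 port 52345 ssh2

** Alert 1409173190.13900: - ossec,
2014 Aug 27 22:06:30 ossec-manager->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

EOF
}

main() {
    workdir=$(mktemp -d) || exit 1
    write_sample_log "$workdir/alerts.log"

    echo "# location=server: the manager has alerts.log, the message is complete"
    post_to_slack '#ossec' 1409173180.13584 "$workdir/alerts.log"

    echo "# location=local or all: the agent has no alerts.log, nothing to post"
    post_to_slack '#ossec' 1409173180.13584 "$workdir/agent-has-no-alerts.log" \
        || echo "(empty alert suppressed)"

    rm -rf "$workdir"
}
main
```

Run it with no environment to see both payloads printed; export `SLACK_WEBHOOK` to actually deliver the manager-side one. The point to take from the second case is that the agent-side script is not broken, it simply has no alert text on that host, which is why `<location>server</location>` is the configuration that pairs with ossec-slack.sh.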