Index

Getting started with Wazuh

Wazuh is a free and open source security platform that unifies XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments.

Wazuh helps organizations and individuals to protect their data assets against security threats. It is widely used by thousands of organizations worldwide, from small businesses to large enterprises.

Check this Getting Started for an overview of the Wazuh platform components, architecture, and common use cases.

Community and support

Wazuh has one of the largest open source security communities in the world. You can become part of it to learn from other users, participate in discussions, talk to our development team, and contribute to the project. The following resources are easily available:

Slack channel: Join our community channel to chat with our developers and technical team in a close to real-time experience.
Google group: Here you can share questions and learn from other Wazuh users. It is easy to subscribe via email.
GitHub repositories: Get access to the Wazuh source code, report issues, and contribute to the project. We happily review and accept pull requests.
Discord: Engage with our community in dynamic discussions and collaborations on the latest security trends and Wazuh developments.
Reddit: Join our subreddit to share insights, ask questions, and discuss security issues with fellow users.
X: Follow us on X for real-time updates, news, and quick tips from our development team and security experts.
LinkedIn: Stay updated with our professional network and industry news by connecting with us on LinkedIn.
YouTube: Subscribe to our YouTube channel for video tutorials, webinars, and walkthroughs of Wazuh features and configurations.

In addition, we also provide professional support, training, and consulting services.

How to install Wazuh

The Wazuh solution is composed of three central platform components and a single universal agent. For installing Wazuh in your infrastructure, you can check the following sections of our documentation:

The Quickstart is an automated way of installing Wazuh in just a few minutes.
The Installation guide provides instructions on how to install each central component and how to deploy the Wazuh agents.

Wazuh Cloud

The Wazuh Cloud is our software as a service (SaaS) solution. We provide a 14-day free trial for you to create a cloud environment and get the best out of our SaaS solution. Check the Cloud service documentation for more information.

Screenshots

Components

The Wazuh platform provides XDR and SIEM features to protect your cloud, container, and server workloads. These include log data analysis, intrusion and malware detection, file integrity monitoring, configuration assessment, vulnerability detection, and support for regulatory compliance.

The Wazuh solution is based on the Wazuh agent, which is deployed on the monitored endpoints, and on three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard.

The Wazuh indexer is a highly scalable, full-text search and analytics engine. This central component indexes and stores alerts generated by the Wazuh server.
The Wazuh server analyzes data received from the agents. It processes it through decoders and rules, using threat intelligence to look for well-known indicators of compromise (IOCs). A single server can analyze data from hundreds or thousands of agents, and scale horizontally when set up as a cluster. This central component is also used to manage the agents, configuring and upgrading them remotely when necessary.
The Wazuh dashboard is the web user interface for data visualization and analysis. It includes out-of-the-box dashboards for threat hunting, regulatory compliance (e.g., PCI DSS, GDPR, CIS, HIPAA, NIST 800-53), detected vulnerable applications, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and others. It is also used to manage Wazuh configuration and to monitor its status.
Wazuh agents are installed on endpoints such as laptops, desktops, servers, cloud instances, or virtual machines. They provide threat prevention, detection, and response capabilities. They run on operating systems such as Linux, Windows, and macOS.

In addition to agent-based monitoring capabilities, the Wazuh platform can monitor agent-less devices such as firewalls, switches, routers, or network IDS, among others. For example, a system log data can be collected via Syslog, and its configuration can be monitored through periodic probing of its data, via SSH or through an API.

The diagram below represents the Wazuh components and data flow.

Wazuh indexer

The Wazuh indexer is a highly scalable, full-text search and analytics engine. This Wazuh central component indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. The Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability.

The Wazuh indexer stores data as JSON documents. Each document correlates a set of keys, field names, or properties with their corresponding values, which can be strings, numbers, Boolean values, dates, arrays of values, geolocations, or other types of data.

An index is a collection of related documents. The documents stored in the Wazuh indexer are distributed across different containers known as shards. By distributing the documents across multiple shards and distributing those shards across various nodes, the Wazuh indexer can ensure redundancy. This protects your system against hardware failures and increases query capacity as nodes are added to a cluster.

We show an image of the Wazuh indexer cluster below:

Wazuh uses several types of indices to store different event types. For details, see the Wazuh indexer indices section of the documentation.

The Wazuh indexer is well-suited for time-sensitive use cases like security analytics and infrastructure monitoring, as it is a near real-time search platform. The latency from the time a document is indexed until it becomes searchable is very short, typically one second.

In addition to its speed, scalability, and resiliency, the Wazuh indexer has several built-in features that make storing and searching data even more efficient, such as data roll-ups, alerting, anomaly detection, and index lifecycle management.

Visit the installation guide and user manual for more information about the Wazuh indexer.

Wazuh server

The Wazuh server is the central component responsible for analyzing data collected from Wazuh agents and agentless devices. It detects threats, anomalies, and regulatory compliance violations in real time, generating alerts when suspicious activity is identified. Beyond detection, the Wazuh server enables centralized management by remotely configuring Wazuh agents and continuously monitoring their operational status.

The Wazuh server leverages multiple threat intelligence sources and enriches alerts with contextual data to enhance detection accuracy. This includes mapping events to the MITRE ATT&CK framework, detecting vulnerabilities with the Wazuh CTI service, and aligning findings with regulatory standards such as PCI DSS, GDPR, HIPAA, CIS benchmarks, and NIST 800-53. These capabilities provide security teams with actionable insights for threat hunting, vulnerability detection, and regulatory compliance monitoring.

The Wazuh server integrates with external platforms to support streamlined workflows. Examples include ticketing systems such as ServiceNow, Jira, and PagerDuty, as well as communication tools like Slack. These integrations help automate incident tracking, accelerate response times, and improve collaboration within security operations teams.

Server architecture

The Wazuh server includes the Analysis engine, Wazuh server API, agent enrollment service, agent connection service, cluster daemon, and Filebeat. It runs on Linux across physical endpoints, virtual machines, containers, or cloud instances. On Windows endpoints, deploy using Wazuh Docker.

The diagram below shows the Wazuh server architecture and components.

Server components

The Wazuh server comprises several components listed below that have different functions, such as enrolling new agents, validating each agent's identity, and encrypting the communications between the Wazuh agent and the Wazuh server.

Agent enrollment service: Registers new Wazuh agents and generates and distributes unique authentication keys to each agent. It runs as a network service and supports TLS and SSL certificate–based authentication, or enrollment using a fixed password.
Agent connection service: Manages communication between Wazuh agents and the Wazuh server. It validates Wazuh agent identities using enrollment keys, enforces encryption for secure data transfer, and enables centralized configuration management to push updated agent settings remotely.
Analysis engine: At the core of Wazuh threat detection capabilities, the Analysis engine processes received security data using decoders and rules:
- Decoders classify log types (for example, Windows events, SSH logs, web server logs) and extract relevant fields such as IP addresses, usernames, and event IDs.
- Rules match decoded events against known patterns to detect threats and anomalies. When triggered, rules generate alerts and invoke incident response actions such as blocking IP addresses, terminating malicious processes, or removing malware artifacts.
Wazuh server API: Provides a programmatic interface for interacting with the Wazuh server. It allows administrators using the Wazuh dashboard or command line to perform the following, but not limited to:
- Configure and manage agents or servers
- Monitor system health and infrastructure status
- Query alerts and endpoint data
- Create or update decoders and rules

To learn more, visit the Wazuh server API documentation.

Wazuh cluster daemon: Enables horizontal scaling by linking multiple Wazuh servers into a cluster. Using a load balancer provides high availability, fault tolerance, and load distribution.
Filebeat: Forwards events and alerts from the Wazuh analysis engine to the Wazuh indexer.

Visit the installation guide and user manual for more information about the Wazuh server.

Wazuh dashboard

The Wazuh dashboard is a flexible and intuitive web interface for visualizing, analyzing, and managing security data. It enables users to investigate events and alerts, oversee the Wazuh platform, and enforce role-based access control (RBAC) and single sign-on (SSO) policies.

Data visualization and analysis

The Wazuh dashboard lets users navigate security data collected from Wazuh agent and agentless devices, and alerts generated by the Wazuh server. It includes dashboards for threat hunting, malware detection, file integrity monitoring, system inventory, and regulatory compliance (for example, PCI DSS, GDPR, HIPAA, and NIST 800-53). You can generate reports and create custom visualizations and dashboards.

Agents monitoring and configuration

The Wazuh dashboard allows users to manage agent configuration and monitor agent status. For each monitored endpoint, users can define which agent modules are enabled, which log files are read, which files are monitored for integrity changes, and which configuration checks are performed.

Platform management

The Wazuh dashboard provides a user interface to manage a Wazuh deployment. This includes monitoring the status, logs, and statistics of Wazuh components, configuring the Wazuh server, and creating custom rules and decoders for log analysis and threat detection.

Developer tools

The Wazuh dashboard includes a ruleset test tool that processes log messages to show how they are decoded and whether they match a detection rule. This is useful when testing custom decoders and rules.

The Wazuh dashboard also includes API consoles for interacting with the Wazuh server and the Wazuh indexer API. They are used to manage the Wazuh server capabilities or interact with Wazuh indexer indices.

Wazuh server API

Wazuh indexer API

Wazuh agent

The Wazuh agent runs on Linux, Windows, and macOS operating systems. It can be deployed to laptops, desktops, servers, cloud instances, containers, or virtual machines. The Wazuh agent helps to protect your system by providing threat prevention, detection, and response capabilities. It is also used to collect different types of system and application data that it forwards to the Wazuh server through an encrypted and authenticated channel.

Agent architecture

The Wazuh agent has a modular architecture. Each module is in charge of its own tasks, including monitoring the file system, reading log files, collecting inventory data, scanning the system configuration, and looking for malware. Users can manage agent modules through configuration settings, adapting the solution to their specific use cases.

The diagram below shows the agent architecture and modules.

Wazuh agent modules

All agent modules are configurable and perform different security tasks. This modular architecture allows you to configure each module according to your security needs. The following list summarizes the purposes of the Wazuh agent modules.

Log collector: Reads flat log files and Windows events, collecting operating system and application log messages. It supports XPath filters for Windows events and recognizes multi-line formats like Linux Audit logs. It can also enrich JSON events with additional metadata.
Command execution: Runs authorized commands periodically, collecting their output and reporting it back to the Wazuh server for further analysis. You can use this module for different purposes, such as monitoring available disk space or getting a list of recently logged-in users.
File integrity monitoring (FIM): Monitors the file system, reporting when files are created, deleted, or modified. It keeps track of changes in file attributes, permissions, ownership, and content. When an event occurs, it captures who, what, and when details in real time.
Security configuration assessment (SCA): Provides continuous configuration assessment, utilizing out-of-the-box checks based on the Center of Internet Security (CIS) benchmarks. Users can also create their own SCA checks to monitor and enforce their security policies.
System inventory: Periodically runs scans to collect inventory data such as operating system version, network interfaces, running processes, installed applications, and a list of open ports. Scan results are stored in local SQLite databases that can be queried remotely.
Malware detection: Uses a non-signature-based approach to detect anomalies and the possible presence of rootkits. It also looks for hidden processes, hidden files, and hidden ports while monitoring system calls.
Active Response: Runs automatic actions when threats are detected, triggering responses to block a network connection, stop a running process, or delete a malicious file. Users can also create custom responses when required, for example, responses for running a binary in a sandbox, capturing network traffic, and scanning a file with an antivirus.
Container security monitoring: Integrates with the Docker Engine API to monitor changes in a containerized environment. For example, it detects changes to container images, network configuration, or data volumes. It alerts about containers running in privileged mode and about users executing commands in a running container.
Cloud security monitoring: Monitors cloud providers such as Amazon Web Services, Microsoft Azure, or Google GCP, communicating natively with their APIs. It detects changes to the cloud infrastructure, for example, when a new user is created, a security group is modified, or a cloud instance is stopped. Additionally, it collects cloud services log data such as AWS CloudTrail, GCP Pub/Sub, and Azure Active Directory.

Communication with Wazuh server

The Wazuh agent communicates with the Wazuh server to ship collected data and security-related events. The Wazuh agent also sends operational data, reporting its configuration and status. Once connected, the agent can be upgraded, monitored, and configured remotely from the Wazuh server.

The communication between the Wazuh agent and the Wazuh server takes place through a secure channel (TCP or UDP), providing data encryption and compression in real time. Additionally, it includes flow control mechanisms to avoid flooding, queueing events when necessary, and protecting the network bandwidth.

You need to enroll the Wazuh agent before connecting it to the Wazuh server for the first time. This process provides the agent with a unique key used for authentication and data encryption.

Architecture

The Wazuh architecture is composed of a multi-platform Wazuh agent and three central components: the Wazuh server, Wazuh indexer, and Wazuh dashboard. The agent is deployed on endpoints to collect and forward security data to the Wazuh server for analysis. The analyzed data is then forwarded to the Wazuh indexer for indexing and storage, and subsequently to the Wazuh dashboard for alerting and visualization.

Wazuh also supports agentless monitoring for systems and devices where installing the Wazuh agent is not possible. Network devices such as firewalls, switches, routers, and access points can actively forward log data via Syslog and SSH.

The Wazuh central components can be deployed in different ways, depending on scalability and availability needs:

All-in-one deployment: All Wazuh components (server, indexer, and dashboard) are installed on a single server. Best suited for labs and small environments with a limited number of monitored endpoints.
Single-node deployment: The Wazuh server, indexer, and dashboard are each deployed on separate servers. Recommended for medium environments that require higher performance than an all-in-one setup.
Multi-node deployment: Typically, one instance of the Wazuh dashboard and multiple instances of the Wazuh server (Wazuh server cluster) and indexer (Wazuh indexer cluster) are deployed on their individual servers, respectively. The number of instances varies depending on your needs. This deployment is recommended for large environments with high event throughput, or when fault tolerance and high availability are required.

Visit the installation guide and installation alternatives documentation to learn about the different ways to deploy Wazuh.

The diagram below represents a Wazuh deployment architecture. It shows how the Wazuh server and the Wazuh indexer nodes can be configured as clusters, providing load balancing and high availability.

Component communication

Wazuh agent - Wazuh server

The Wazuh agent continuously sends events to the Wazuh server for analysis and threat detection. To start shipping this data, the agent establishes a connection with the Wazuh server service for agent connection, which listens on TCP port 1514 by default (this is configurable). The Wazuh server then decodes and matches rules against the received events, utilizing the Wazuh Analysis engine.

The Wazuh messages protocol uses AES encryption with 128 bits per block and 256-bit keys.

Note

Read the Benefits of using AES in the Wazuh communications document for more information.

Wazuh server - Wazuh indexer

The Wazuh server uses Filebeat to send alert and event data to the Wazuh indexer, using TLS encryption. Filebeat reads the Wazuh server output data and sends it to the Wazuh indexer (by default listening on port 9200/TCP). Once the data is indexed by the Wazuh indexer, the Wazuh dashboard is used to query and visualize the security information.

Wazuh dashboard - Wazuh dashboard/Wazuh indexer

The Wazuh dashboard queries the Wazuh server API (by default listening on port 55000/TCP on the Wazuh server) to display configuration and status-related information of the Wazuh server and agents. This communication is encrypted with TLS and authenticated with a username and password.

The Wazuh dashboard visualizes and queries the information indexed on the Wazuh indexer.

Required ports

Wazuh components communicate using several services. The list of default ports used by these services is shown below. Users can modify these port numbers when necessary.

Component	Port	Protocol	Purpose
Wazuh server	1514	TCP	Agent connection service
	1515	TCP	Agent enrollment service
	1516	TCP	Wazuh cluster daemon
	514	UDP (default)	Wazuh Syslog collector (disabled by default)
	514	TCP (optional)	Wazuh Syslog collector (disabled by default)
	55000	TCP	Wazuh server RESTful API
Wazuh indexer	9200	TCP	Wazuh indexer RESTful API
Wazuh indexer	9300-9400	TCP	Wazuh indexer cluster communication
Wazuh dashboard	443	TCP	Wazuh web user interface

Wazuh CTI

The Wazuh Cyber Threat Intelligence (CTI) service is a publicly accessible platform that collects, analyzes, and disseminates actionable information on emerging cyber threats and vulnerabilities. This service currently focuses on vulnerability intelligence, delivering timely updates on Common Vulnerabilities and Exposures (CVEs), severity scores, exploitability insights, and mitigation strategies. It aggregates and sanitizes data from trusted sources, including operating system vendors and major vulnerability databases, to ensure high-quality, relevant intelligence.

This service is integrated directly with the Wazuh Vulnerability Detection module, but is also publicly available at the Wazuh CTI website.

Use cases

The Wazuh platform helps organizations and individuals protect their data assets through threat prevention, detection, and response. Besides, Wazuh is also employed to meet regulatory compliance requirements, such as PCI DSS or HIPAA, and configuration standards like CIS hardening guides.

Moreover, Wazuh is also a solution for users of IaaS (Amazon AWS, Azure, or Google Cloud) to monitor virtual machines and cloud instances. This is done at a system level utilizing the Wazuh security agent and at an infrastructure level pulling data directly from the cloud provider API.

Additionally, Wazuh is employed to protect containerized environments by providing cloud-native runtime security. This feature is based on an integration with the Docker engine API and the Kubernetes API. The Wazuh security agent can run on the Docker host providing a complete set of threat detection and response capabilities.

Below you can find examples of some of the most common use cases of the Wazuh platform.

Endpoint security	Threat intelligence	Security operations	Cloud security
Configuration assessment	Threat hunting	Incident response	Container security
Malware detection	Log data analysis	Regulatory compliance	Posture management
File integrity monitoring	Vulnerability detection	IT hygiene	Workload protection

Configuration assessment

Configuration assessment is a process that verifies whether endpoints adhere to a set of predefined rules regarding configuration settings and approved application usage. It involves comparing the current configuration against established industry standards and organizational policies to identify vulnerabilities and misconfigurations.

Regular configuration assessments are essential in maintaining a secure and compliant environment, as they help organizations proactively identify and patch vulnerabilities. This practice strengthens security controls and minimizes the risk of security incidents.

Wazuh SCA module

Wazuh offers a Security Configuration Assessment (SCA) module that assists security teams to scan and detect misconfigurations within their environment. The Wazuh agent uses policy files to scan endpoints that it monitors. These files contain predefined checks to be carried out on each monitored endpoint.

Wazuh includes SCA policies out-of-the-box based on the Center for Internet Security (CIS) security benchmarks. These benchmarks serve as essential guidelines on best practices for protecting IT systems and data from cyberattacks. They provide clear instructions for establishing a secure baseline configuration and offer guidance to ensure that users implement effective measures to safeguard their critical assets and mitigate potential vulnerabilities. By adhering to these standards, you can enhance your overall security posture and mitigate the risk of cyber threats against your business.

Some other benefits of the Wazuh Security Configuration Assessment (SCA) module include:

Security posture management: Wazuh SCA helps organizations ensure that their endpoints are configured securely. This minimizes vulnerabilities resulting from misconfigurations and reduces the risk of security breaches.
Compliance monitoring: It allows organizations to assess and implement compliance with regulatory standards, best practices, and internal security policies.
Continuous monitoring: Wazuh SCA continuously monitors the configuration of the endpoints and alerts when it discovers misconfigurations.

Overview of Wazuh SCA policies

The Wazuh SCA module uses policies written in YAML format. Each policy consists of checks, and each check comprises one or more rules. These rules can examine various aspects of an endpoint, such as the presence of files, directories, Windows registry keys, running processes, and more.

By default, the Wazuh agent runs scans for every policy (.yaml or .yml files) present in the ruleset directory. This directory can be found in the following locations on every operating system that runs the Wazuh agent:

Linux and Unix-based agents: /var/ossec/ruleset/sca.
Windows agents: C:\Program Files (x86)\ossec-agent\ruleset\sca.
macOS agents: /Library/Ossec/ruleset/sca.

Wazuh also allows you to create custom policies that can be used to scan endpoints and verify if they conform to your organization’s policies.

See a snippet of a CIS policy file /var/ossec/ruleset/sca/cis_ubuntu22-04.yml which is included out-of-the-box on Ubuntu 22.04 endpoints. The SCA policy which is based on the CIS benchmarks, runs checks on the endpoint to determine if it conforms to the best practices for system hardening. The SCA policy with ID 28500 checks if the /tmp directory is on a separate partition.

- id: 28500
  title: "Ensure /tmp is a separate partition."
  description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
  rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
  impact: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based. /tmp utilizing tmpfs can be resized using the size={size} parameter in the relevant entry in /etc/fstab."
  remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount. Example of /etc/fstab configured tmpfs file system with specific mount options: tmpfs 0 /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of tmp.mount configured tmpfs file system with specific mount options: [Unit] Description=Temporary Directory /tmp ConditionPathIsSymbolicLink=!/tmp DefaultDependencies=no Conflicts=umount.target Before=local-fs.target umount.target After=swap.target [Mount] What=tmpfs Where=/tmp Type=tmpfs."
  references:
    - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
    - https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html
  compliance:
    - cis: ["1.1.2.1"]
    - cis_csc_v7: ["14.6"]
    - cis_csc_v8: ["3.3"]
    - mitre_techniques: ["T1499", "T1499.001"]
    - mitre_tactics: ["TA0005"]
    - mitre_mitigations: ["M1022"]
    - cmmc_v2.0: ["AC.L1-3.1.1", "AC.L1-3.1.2", "AC.L2-3.1.5", "AC.L2-3.1.3", "MP.L2-3.8.2"]
    - hipaa: ["164.308(a)(3)(i)", "164.308(a)(3)(ii)(A)", "164.312(a)(1)"]
    - pci_dss_v3.2.1: ["7.1", "7.1.1", "7.1.2", "7.1.3"]
    - pci_dss_v4.0: ["1.3.1", "7.1"]
    - nist_sp_800-53: ["AC-5", "AC-6"]
    - soc_2: ["CC5.2", "CC6.1"]
  condition: all
  rules:
    - 'c:findmnt --kernel /tmp -> r:\s*/tmp\s'
    - "c:systemctl is-enabled tmp.mount -> r:generated|enabled"

The /tmp directory is used to store data that is needed for a short time by system and user applications. Mounting /tmp on a separate partition allows an administrator to set additional mount options such as the noexec, nodev, and nosuid. Therefore making the directory useless for an attacker to install executable code. The SCA policy file also gives recommendations on how to remediate this issue.

Viewing SCA results

The Wazuh dashboard has a Configuration Assessment module that allows you to view SCA scan results for each agent.

Interpreting SCA results

The image below shows the policy based on the CIS benchmark for Ubuntu Linux 22.04 LTS. You can see that 191 checks were run against the Ubuntu 22.04 endpoint. Out of these, 56 passed, 87 failed, and 48 are not applicable to the endpoint. It also shows a score of 39% which is calculated based on the number of tests passed.

Policy for CIS benchmark for Ubuntu 22.04 checks

You can click on the checks to get more information. In the image below, you can see information such as rationale, remediation, and a description of the check with ID 3003.

Results for CIS benchmark for Ubuntu 22.04 check ID 3003

The above SCA scan result shows failed because the public key authentication for ssh is not enabled. If the remediation is implemented, the result will change to passed thereby improving the security of the endpoint.

Implementing SCA remediation steps

In the example in the previous section, implementing the remediation provided by the Wazuh SCA improves the security of the endpoint. This involves changing the PubkeyAuthentication option value in the sshd_config file. In the image below, you can see the status of the check 3003 has changed to passed.

By utilizing the Wazuh SCA module, you can detect misconfigurations, remediate them, and verify that your endpoints adhere to industry best practices. This proactive approach significantly reduces the likelihood of security breaches within your environment.

Malware detection

Malware, short for malicious software, refers to any software specifically designed to harm or exploit computer systems, networks, or users. It is created with the intention of gaining unauthorized access, causing damage, stealing sensitive information, or performing other malicious activities on a target system. There are various types of malware, each with specific functions and infection methods. Some common types of malware include viruses, worms, ransomware, botnets, spyware, trojans, and rootkits.

Malware detection is crucial for safeguarding computer systems and networks from cyber threats. It helps identify and mitigate malicious software that can cause a data breach, system compromise, and financial loss.

Wazuh for malware detection

Traditional methods, which rely solely on signature-based detections, have limitations and fail to capture new threats. Signature-based approaches struggle with detecting zero-day attacks, polymorphic malware, and other evasion techniques employed by threat actors. As a result, organizations are at risk of undetected breaches and data exfiltration. Wazuh empowers organizations to detect and respond to sophisticated and evasive threats effectively. Wazuh encompasses different modules that identify malware properties, activities, network connections, and more.

Detecting malicious activities with threat detection rules

Wazuh has threat detection rules that enable behavior-based malware detection. Instead of relying solely on predefined signatures, Wazuh focuses on monitoring and analyzing abnormal behavior exhibited by malware. This allows Wazuh to detect known and previously unknown threats. This way, Wazuh provides a proactive and adaptable defense against cyber threats. Wazuh has out-of-the-box rulesets that are specifically designed to trigger alerts for recognized malware patterns, providing a quick response to potential security incidents. For example, the image below shows an alert with rule ID 92213 triggered when an executable is dropped in a folder commonly used by malware. This alert prompts security teams to begin the investigation and remediation process.

Executable dropped in folder used by malware alert

Wazuh allows users to create custom rules for more flexibility in detection, empowering them to focus on relevant activities, and optimizing malware detection. Wazuh decodes and organizes logs from monitored endpoints into fields, which can then be utilized to create custom rules for alerting when malicious activity is detected.

Wazuh rules use multiple fields that denote indicators of compromise (IOCs) to reduce false positives and detect known malware based on specific behaviors. These rules can connect related malware activities, such as intrusion, privilege escalation, lateral movement, obfuscation, and exfiltration for comprehensive detection.

Below is an example of some Wazuh custom rules created to alert on malicious activities of the LimeRAT malware:

<group name="lime_rat,sysmon,">

  <!-- Rogue create netflix.exe creation -->
  <rule id="100024" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Roaming\\\\checker netflix\.exe</field>
    <description>Potential LimeRAT activity detected: checker netflix.exe created at $(win.eventdata.targetFilename) by $(win.eventdata.image).</description>
    <mitre>
      <id>T1036</id>
    </mitre>
  </rule>

  <!-- Registry key creation for persistence -->
  <rule id="100025" level="12">
    <if_group>sysmon</if_group>
    <field name="win.eventdata.details" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Roaming\\\\checker netflix\.exe</field>
    <field name="win.eventdata.targetObject" type="pcre2" >HKU\\\\.+\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\checker netflix\.exe</field>
    <field name="win.eventdata.eventType" type="pcre2" >^SetValue$</field>
    <description>Potential LimeRAT activity detected:  $(win.eventdata.details) added itself to the Registry as a startup program $(win.eventdata.targetObject) to establish persistence.</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>

  <!-- Network activity detection -->
  <rule id="100026" level="12">
    <if_sid>61605</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Roaming\\\\checker netflix\.exe</field>
    <description>Potential LimeRAT activity detected: Suspicious DNS query made by $(win.eventdata.image).</description>
    <mitre>
      <id>T1572</id>
    </mitre>
  </rule>


  <!-- LimeRAT service creation -->
  <rule id="100028" level="12">
    <if_sid>61614</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2" >HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\disk</field>
    <field name="win.eventdata.eventType" type="pcre2" >^CreateKey$</field>
    <description>Potential LimeRAT activity detected: LimeRAT service $(win.eventdata.targetObject) has been created on $(win.system.computer).</description>
      <mitre>
    <id>T1543.003</id>
      </mitre>
  </rule>

</group>

These rules create alerts that are visible in the Threat Hunting module on the Wazuh dashboard.

Refer to the blog post on LimeRat detection and response with Wazuh for the full configuration.

Wazuh identifies behavior indicative of malware, it generates real-time alerts and notifications, enabling security teams to respond swiftly and mitigate potential risks before they escalate.

Leveraging file integrity monitoring for detecting malware activity

File Integrity Monitoring (FIM) is a valuable component in malware detection. Wazuh provides FIM capabilities to monitor and detect changes to files and directories on monitored endpoints. These changes include creation, modification, or deletion. While FIM provides essential insights, combining it with other capabilities and integrations further enhances its effectiveness for malware detection. Wazuh allows security teams to create custom rules based on FIM events, enabling targeted malware detection. These customizable rules correlate FIM events with specific indicators of compromises such as suspicious file extensions, code snippets, or known malware signatures.

The image below shows an alert when a web shell creates or modifies a file on a web server.

Malware frequently targets Windows Registry to achieve malicious objectives, such as establishing persistence and performing other malicious actions. The Wazuh File Integrity Monitoring (FIM) module includes Windows Registry monitoring that monitors commonly targeted registry paths to detect modifications. When changes occur, the FIM module triggers real-time alerts, empowering security teams to swiftly identify and respond to suspicious registry key manipulation.

The images below display the Wazuh FIM module dashboard and events of Windows Registry modifications.

Windows registry modifications in FIM module dashboard

FIM module with Windows registry modifications events

Enhancing malware detection with threat intelligence integration

Users can boost their malware detection capabilities by integrating with threat intelligence sources. These intelligence feeds enrich the Wazuh knowledge base with additional up-to-date information on known malicious IP addresses, domains, URLs, and other indicators of compromise. Examples of threat intelligence sources Wazuh can integrate with include VirusTotal, MISP, and more.

Wazuh proactively identifies malicious files by comparing the identified IOCs with the information stored in the CDB lists (constant databases). These lists can store known malware indicators of compromise (IOCs) including file hashes, IP addresses, and domain names.

You can customize entries in either key:value or key: format for tailored detection, an example of such is seen below. A CBD list containing known MD5 malware hashes of the Mirai and Xbash malware is used for detection:

e0ec2cd43f71c80d42cd7b0f17802c73:mirai
55142f1d393c5ba7405239f232a6c059:Xbash

Upon detection, these alerts are observed within the Threat Hunting module of the Wazuh dashboard, as seen below.

Refer to the Use case: Detecting malware using file hashes in a CDB list for full configurations.

Unveiling stealthy threats with rootkit detection

Rootkits are malicious software designed to conceal the presence of malware on an endpoint by manipulating operating system functions such as altering system calls or modifying kernel data structures. Wazuh has a Rootcheck module that periodically scans the monitored endpoint to detect rootkits both at the kernel and the user space level. The rootcheck identifies and alerts potential rootkit activity. By analyzing system behavior and comparing it to known rootkit patterns, Wazuh promptly detects rootkit-related patterns and raises alerts for further investigation.

Below, we show an example of an alert generated by the Wazuh Rootcheck module when it detects an anomaly in the filesystem:

** Alert 1668497750.1838326: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
2022 Nov 15 09:35:50 (Ubuntu) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Rootkit 't0rn' detected by the presence of file '/usr/bin/.t0rn'.
title: Rootkit 't0rn' detected by the presence of file '/usr/bin/.t0rn'.

While Wazuh continues to enhance its rootkit behavior detection capabilities, the Command monitoring module can also be configured to monitor command-line activities across endpoints, enabling the detection of malicious commands and malware activities. This module provides organizations with a comprehensive approach to uncovering hidden threats and safeguarding their systems effectively.

Monitoring system calls for malware and anomaly detection

Wazuh monitors system calls on Linux endpoints to bolster malware detection and aid in anomaly detection. Wazuh utilizes the Linux Audit system to monitor system calls.

System call monitoring in combination with Wazuh File Integrity Monitoring (FIM) and threat intelligence integration enhances malware detection. It captures security-relevant events like file access, command execution, and privilege escalation, providing real-time insights into potential security incidents. This comprehensive approach strengthens organizations' cybersecurity resilience. In the image below, you can visualize the alerts for privilege abuse on the Wazuh dashboard for Ubuntu Linux 22.04.

Wazuh empowers security teams to leverage the audit rules provided by Auditd. Creating custom rules based on system call events enhances malware detection efforts and strengthens overall cybersecurity resilience.

File integrity monitoring

File Integrity Monitoring (FIM) involves monitoring the integrity of files and directories to detect and alert when there are file addition, modification, or deletion events. FIM provides an important layer of protection for sensitive files and data by routinely scanning and verifying the integrity of those assets. It identifies file changes that could be indicative of a cyberattack and generates alerts for further investigation and remediation if necessary.

The Wazuh open source File Integrity Monitoring module tracks the activities performed within monitored directories or files to gain extensive information on file creation, modification, and deletion. When a file is changed, Wazuh compares its checksum against a pre-computed baseline and triggers an alert if it finds a mismatch.

The open source FIM module performs real-time monitoring and scheduled scans depending on the level of sensitivity of the monitored files.

Viewing File Integrity Monitoring scan results

You can find a dedicated File Integrity Monitoring module in the Wazuh dashboard where all file integrity events triggered from monitored endpoints are reported. This increases visibility as it provides valuable information on the status of monitored directories and their potential impact on the security posture. The Wazuh FIM dashboard has three different sections to view FIM analysis results; Inventory, Dashboard, and Events.

The Inventory section displays a list of all files that the FIM module has indexed. Each file has entry information including the filename, last modification date, user, user ID, group, and file size.
The Dashboard section shows an overview of the events triggered by the FIM module for all monitored endpoints. You can also streamline it to show the events for a selected monitored endpoint.
The Events section shows the alerts triggered by the FIM module. It displays details such as the agent name, the file path of the monitored file, the type of FIM event, a description of the alert, and the rule level of each alert.

Below are common use cases the Wazuh FIM module would assist you in monitoring within your environment.

Monitoring file integrity

Modifications to configuration files and file attributes are frequent occurrences within endpoints in an IT infrastructure. However, if not validated, there may be unauthorized and inadvertent changes that could affect the behavior of the endpoints or the applications running in them. The Wazuh FIM module runs periodic scans on specific files and directories to detect file changes in real time. It scans the designated files to create a baseline of the current state. It checks for file modifications by comparing checksums and attribute values to the baseline, generating alerts if discrepancies are found.

The Wazuh FIM module supports various configuration options that enable effective monitoring of assets:

Real-time monitoring: The FIM module provides a realtime attribute that enables continuous monitoring of specified directories. This feature is particularly useful for monitoring critical directories and tracking changes immediately after they occur. Wazuh allows you to specify the directories or files in the monitored endpoints that would be reported in real-time if file changes occur.
Scheduled monitoring: The frequency option in the Wazuh FIM module allows users to customize the scheduling of each FIM scan performed in your monitored endpoints. The default scan interval for the FIM module is 12 hours (43200 seconds) and can be customized on each endpoint. Alternatively, scans can be scheduled using the scan_time and the scan_day options. These options help users to set up FIM scans outside business hours or during holidays.
Who-data monitoring: Wazuh captures advanced insights into file changes using the who-data functionality. This functionality uses audit tools like the Linux Audit subsystem and Microsoft Windows SACL to determine important information about the detected file changes. The who-data monitoring functionality allows the FIM module to obtain information on when the change event occurred, who or what made the change, and what content was changed. This is useful in maintaining accountability and validating if changes made to monitored files or directories were authorized and performed using approved processes.

Below is an example of an alert generated when a monitored file is changed on a Windows endpoint.

In alert fields, the who-data metadata shows that the user wazuh added the word Hello to the audit_docu.txt file using the Notepad.exe process.
Reporting changes in file values: The FIM module provides a report_changes attribute that records and reports the exact content changed in a text file to the Wazuh server. The attribute enables the Wazuh agent to make copies of monitored files to a private location on each endpoint for further review. This monitoring option is helpful when users want to initiate specific responses when file changes in monitored directories match the behavior of known malicious activities. For example, the alert below indicates when Wazuh detects the creation of a web shell scripting file webshell-script.php in a monitored directory.
Recording file attributes: Users can configure the FIM module to record specific attributes of a monitored file. Wazuh supports various file attributes that users can use to specify the file metadata that the FIM module will record or ignore. For example, this monitoring option would be useful when users want to record only the SHA-256 hash of a configuration file, excluding other hash types.

Detecting and responding to malware

The Wazuh FIM module integrates with other Wazuh capabilities and third-party threat intelligence solutions to create a comprehensive security monitoring environment. This is imperative to enhance malware detection and response capabilities, ensuring robust defense against cyber threats.

The Wazuh FIM module supports various integrations, including but not limited to:

File integrity monitoring and YARA: By combining the Wazuh FIM module and the YARA tool, it is possible to detect malware when suspicious file additions or modifications are identified. The YARA rule files contain samples of malware indicators that are downloaded to the monitored endpoints. When the FIM module detects a change in the monitored file or directory, it executes a YARA scan using a script to determine if it is malware. If the YARA rule finds a match with a file, it will send the scan results to the Wazuh server for decoding and alerting. This would be reported according to the custom rule and decoder configurations configured on the Wazuh server. Check this documentation for more information on how to integrate the Wazuh FIM module with YARA.
File integrity monitoring and VirusTotal: The Wazuh Integrator module connects to external APIs and alerting tools such as VirusTotal. The VirusTotal integration uses the VirusTotal API to detect malicious file hashes within the files and directories monitored by the FIM module. Once enabled, when FIM generates alerts, Wazuh initiates the VirusTotal integration to extract the hash value associated with the flagged file from the alert. The VirusTotal API is then used to compare these hashes against its scanning engines for potentially malicious content.
File integrity monitoring and Active Response: The Wazuh Active Response module automatically responds to threats identified in a timely manner. This combination enables the FIM module to not only detect but also respond to malicious activities. You can configure active response scripts to execute when the FIM module detects file changes in your monitored environment. Additionally, it also generates alerts for the response performed. This reduces the Mean Time To Respond (MTTR) as malicious changes detected are remediated in a timely manner.

In the image below Wazuh triggers when a file is added to the monitored endpoint. The VirusTotal API scans the file and identifies it as malicious content on 55 engines. Then the Wazuh Active Response module acts immediately to remove the threat from the monitored endpoint.
File integrity monitoring and CDB list: Wazuh FIM module also detects malicious files by checking the presence of known malware signatures when combined with CDB lists (constant database). CDB lists are used to store known malware indicators of Compromise (IOCs) such as file hashes, IP addresses, and domain names. When CDB lists are created, Wazuh checks if field values from FIM alerts such as file hash match the keys stored in the CDB lists. If matched, it generates an alert and response based on how you configure your custom rule.

Monitoring Windows Registry

The Wazuh FIM module periodically scans Windows Registry entries, stores its checksums and attributes in a local database, and alerts when changes in registry values are detected. This would keep users informed about registry modifications resulting from user activities or software installations whether malicious or not.

You can configure the Wazuh open source FIM module to monitor Windows Registry values using various configuration options. The report_changes attribute in the windows_registry option provides a granular breakdown of modification detected in the monitored Windows Registry value. You can configure which Windows Registry attributes the module would record or ignore. For example, you can choose to record the check_sha1sum attribute and ignore the check_md5sum attribute, if your CDB list only contains SHA1 hashes of malicious files.

The image below shows the event of a modified Windows registry value in a monitored endpoint.

The alert when expanded shows the modified field.

Threat actors maintain persistence by commonly adding programs for their malicious activities to the Run and RunOnce keys in the Registry. Additionally, Wazuh detects any suspicious programs added to the startup registry keys. This allows you to take appropriate action to remove them before they cause harm to your system.

Meeting regulatory compliance

Meeting regulatory compliance requirements is an important consideration for organizations in various industries. File integrity monitoring is a requirement for achieving compliance with regulations such as PCI DSS, SOX, HIPAA, NIST SP 800-53, among others.

You can customize the Wazuh FIM module to monitor specific files and directories where your organization’s sensitive and confidential data are stored. Wazuh provides a comprehensive report that outlines the changes made to the files and directories being monitored. This feature is particularly useful for ensuring compliance with various regulatory standards.

For example, organizations can meet the CM-3 Configuration change control requirement in NIST SP 800-53 standard by using Wazuh. The control requires organizations to protect information at rest and monitor configuration changes in their infrastructure. The image below shows an event generated when the permissions for Uncomplicated Firewall (UFW) rule files are modified on a monitored endpoint.

Threat hunting

Threat hunting is a proactive approach that involves analyzing numerous data sources like logs, network traffic, and endpoint data to identify and eliminate cyber threats that have evaded traditional security measures. It aims to uncover potential threats that may have gone undetected in an IT environment. The process of threat hunting typically involves several steps: hypothesis generation, data collection, analysis, and response.

Wazuh offers several capabilities that assist security teams in hunting threats within their environment, empowering them to take rapid actions to contain the threat and prevent further damage.

Log data analysis

Effective log data collection and analysis are essential for enhancing your threat hunting methodology. You can leverage the robust capabilities of Wazuh to optimize your threat hunting efforts.

Wazuh as a unified XDR and SIEM platform offers centralized log data collection, allowing gathering of data from diverse sources such as endpoints, network devices, and applications. This centralized approach simplifies analysis and reduces the effort required to monitor multiple sources.

The image below shows the configuration settings on the Wazuh dashboard for collecting audit logs from a monitored endpoint.

Wazuh uses decoders to extract meaningful information from log data obtained from various sources. It breaks down raw log data into individual fields or attributes, such as timestamp, source IP address, destination IP address, event type, and others. The Index patterns tab on the Wazuh dashboard shows the wazuh-alerts-* index pattern and its fields.

Wazuh offers agentless monitoring and syslog log collection for efficient log data handling. It ensures consistency and compatibility across various log formats. Wazuh indexing and querying capabilities facilitate quick search and access to specific log data, streamlining analysis and investigation. Wazuh uses its advanced parsing and real-time analysis to enhance threat hunting by proactively identifying and mitigating risks thereby enhancing security.

Wazuh archives

Wazuh provides a centralized storage location for archiving all collected logs from monitored endpoints. The Wazuh archives logs include those that do not trigger alerts on the Wazuh dashboard. Wazuh archives are disabled by default and can be easily enabled. The availability of detailed logs is crucial for effective threat hunting, providing comprehensive visibility into your environment.

Wazuh archives provide log retention, indexing, and querying capabilities that give concrete visibility to analyze events within specific monitored endpoints in your environment. This facilitates uncovering event causes, event locations, event communications, event timestamps, and related parent-child processes. The image below shows the archived logs in the Discover section on the Wazuh dashboard.

MITRE ATT&CK mapping

The MITRE ATT&CK framework offers a standardized approach to mapping and understanding cyber attack tactics, techniques, and procedures (TTPs). By utilizing the Wazuh MITRE ATT&CK module, we can enhance our understanding of TTPs used by threat actors and proactively defend against them.

The Wazuh MITRE ATT&CK module maps TTPs to generated events, facilitating efficient threat hunting by promptly identifying patterns in attacker behavior. For instance, a suspicious login attempt can be associated with the “Credential Stuffing” technique in the MITRE ATT&CK framework. This empowers users to assess the frequency of such attacks and implement necessary measures to mitigate risks, such as enabling multi-factor authentication or rate-limiting login attempts. The MITRE ATT&CK module on the Wazuh dashboard allows you to view various techniques found within a monitored environment.

This module generates reports and visualizations on the Wazuh dashboard, showcasing the frequency and severity of attacks utilizing specific TTP. These reports help track compliance with security standards and regulations while highlighting areas where security measures may require strengthening. The Wazuh MITRE ATT&CK module on the Wazuh dashboard has a customizable dashboard that displays an overview of TTPs found within a monitored environment as seen below.

You can proactively protect your systems and data by leveraging insights from the MITRE ATT&CK framework. The integration of MITRE ATT&CK with Wazuh significantly enhances threat hunting and improves overall security.

Third-party integration

Wazuh integrates with third-party solutions that enhance threat hunting capabilities. These integrations enable users to consolidate data from diverse sources and automate threat detection and response. Wazuh seamlessly integrates with popular open source platforms like VirusTotal, AlienVault, URLHaus, MISP, and many others. This integration allows users to cross-reference telemetry with threat intelligence feeds, improving detection and response to threats.

Third-party integrations play a crucial role in proactive threat hunting, encompassing threat intelligence and a range of collaborative tools. These integrations provide essential insights into both established and emerging threats, enabling a comprehensive and forward-looking approach to threat detection. By promoting the exchange of information among seasoned security teams, these integrations foster a collective defense strategy, enhancing the effectiveness of the overall threat hunting process.

Some third-party solutions that Wazuh integrates with to aid threat hunting are:

VirusTotal: Integrating VirusTotal enhances threat detection by leveraging the VirusTotal malware database for accurate identification and faster incident response. The image below shows malware detection via the VirusTotal integration.
URLHaus: Integrating URLHaus by abuse.ch with Wazuh amplifies threat intelligence capabilities, empowering users to proactively detect and block malicious URLs in real-time.
MISP: We can enrich Wazuh alerts by automating identifications of IOCs and integrating MISP with Wazuh.

Wazuh integrates with other tools that aid threat hunting beyond the above-mentioned. It supports third-party integrations for threat intelligence platforms, SIEMs, and messaging platforms using APIs and other integration methods.

Rules and decoders

Wazuh enhances threat hunting with robust rules, decoders, and pre-configured rules for diverse attack vectors and cyber activities.

The Rules module on the Wazuh dashboard presents both default and custom rules, covering a broad array of security events, including system anomalies, malware detection, authentication failures, and other potential threats as seen below.

Wazuh allows you to customize and create your own rules and decoders, tailored to your specific environment and threat landscape. This enables you to fine-tune detection, address unique requirements, and minimize blind spots.

Wazuh decoders play a vital role in normalizing and parsing diverse log formats and data sources. They ensure that collected information is presented in a standardized manner, facilitating effective analysis and correlation of data from various sources.

The Decoders module on the Wazuh dashboard allows you to view default and custom decoders. The image below shows details of the default decoder agent-upgrade.

Details of the default agent-upgrade decoder

Leveraging Wazuh rules and decoders, security teams attain actionable insights, enabling them to swiftly detect IOCs, anomalous behavior, and potential breaches.

Refer to the Wazuh ruleset documentation for detailed guidance on configuring custom rules and decoders.

Log data analysis

Log data analysis is a crucial process that involves examining and extracting valuable insights from log files created by different systems, applications, or devices. These logs contain records of events that provide useful information for troubleshooting, security analysis and monitoring, and optimizing performance. Log data analysis is an essential practice that contributes to a secure, efficient, and reliable IT ecosystem.

Wazuh collects, analyzes, and stores logs from endpoints, network devices, and applications. The Wazuh agent, running on a monitored endpoint collects and forwards system and application logs to the Wazuh server for analysis. Additionally, you can send log messages to the Wazuh server via syslog or third-party API integrations.

Log data collection

Wazuh collects logs from a wide range of sources, enabling comprehensive monitoring of various aspects of your IT environment. You can check our documentation on Log data collection to understand better how Wazuh collects and analyzes logs from monitored endpoints. Some of the common log sources supported by Wazuh include:

Operating system logs: Wazuh collects logs from several operating systems, including Linux, Windows, and macOS.

Wazuh can collect syslog, auditd, application logs, and others from Linux endpoints.

Wazuh collects logs on Windows endpoints using the Windows event channel and Windows event log format. By default, the Wazuh agent monitors the System, Application, and Security Windows event channels on Windows endpoints. The Wazuh agent offers the flexibility to configure and monitor other Windows event channels.

Wazuh utilizes the unified logging system (ULS) to collect logs on macOS endpoints. The macOS ULS centralizes the management and storage of logs across all the system levels.

The image below shows an event collected from the Microsoft-Windows-Sysmon/Operational event channel on a Windows endpoint.
Syslog events: Wazuh gathers logs from syslog-enabled devices, encompassing a wide array of sources including Linux/Unix systems and network devices that do not support agent installation. The image below shows an alert triggered when a new user is created on the Linux endpoint and the log is forwarded to the Wazuh server via rsyslog.
Agentless monitoring: The Wazuh agentless monitoring module monitors endpoints that don't support agent installation. It requires an SSH connection between the endpoint and the Wazuh server. The Wazuh agentless monitoring module monitors files, directories, or configurations and runs commands on the endpoint. The image below is an alert from an agentless device on the Wazuh dashboard.
Cloud provider logs: Wazuh integrates with cloud providers like AWS, Azure, Google Cloud, and Office 365 to collect logs from cloud services such as EC2 instances, S3 buckets, Azure VMs, and more. The image below shows the CLOUD SECURITY section in the Wazuh dashboard.
Custom logs: You can configure Wazuh to collect and parse logs from several applications and third-party security tools like VirusTotal, Windows Defender, and ClamAV. The image below shows an alert of a log from VirusTotal processed by the Wazuh server.

Rules and decoders

Wazuh rules and decoders are core components in log data analysis and threat detection and response. Wazuh provides a powerful platform for log data analysis, allowing organizations to enhance their security posture by promptly detecting and responding to potential security threats.

Wazuh decoders are responsible for parsing and normalizing log data collected from various sources. Decoders are essential for converting the raw log data in several formats into a unified and structured format that Wazuh can process effectively. Wazuh has pre-built decoders for common log formats such as syslog, Windows event channel, macOS ULS, and more. Additionally, Wazuh allows you to define custom decoders for parsing logs from specific applications or devices with unique log formats. By using decoders, Wazuh can efficiently interpret log data and extract relevant information, such as timestamps, log levels, source IP addresses, user names, and more. As shown below, you can view Wazuh out-of-the-box and custom decoders on the Server management > Decoders of the Wazuh dashboard.

Wazuh ruleset detects security events and anomalies in log data. These rules are written in a specific format and they trigger alerts when certain conditions are met. The rules are defined based on certain criteria like log fields, values, or patterns to match specific log entries that may indicate security threats. Wazuh provides a wide range of pre-built rules covering common security use cases. Additionally, administrators can create custom rules tailored to their specific environment and security requirements. The Server management category of the Wazuh dashboard lets you view the default and custom Rules.

For example, the rule below includes a match field used to define the pattern that the rule looks for. The rule also has a level field that specifies the priority of the resulting alert. Additionally, rules enrich events with technique identifiers from the MITRE ATT&CK framework and map them to regulatory compliance controls.

<rule id="5715" level="3">
  <if_sid>5700</if_sid>
  <match>^Accepted|authenticated.$</match>
  <description>sshd: authentication success.</description>
  <mitre>
    <id>T1078</id>
    <id>T1021</id>
  </mitre>
  <group>authentication_success,gdpr_IV_32.2,gpg13_7.1,gpg13_7.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

Log data indexing and storage

The Wazuh indexer is a highly scalable, distributed real-time search and analytics engine. The Wazuh indexer is critical in log analysis as it stores and indexes alerts generated by the Wazuh server. These alerts are stored as JSON documents.

The Wazuh indexer guarantees redundancy by storing the JSON documents across several containers called shards and distributing the shards across multiple nodes. This implementation prevents downtime when hardware failures or cyber-attacks occur and increases query capacity as nodes are added to a cluster.

Wazuh uses four indices to store several event types:

wazuh-alerts stores alerts generated by the Wazuh server when an event triggers a rule with high enough priority. The image below shows alerts in the Discover module of the Wazuh dashboard. The index pattern is set to wazuh-alerts-* by default.
wazuh-archives index stores all events received from the Wazuh server regardless of whether they trigger an alert. The Wazuh archives use this index to enable log retention and querying capabilities that offer deeper insight into events happening within monitored endpoints. Wazuh archives are disabled by default because of the huge storage requirements needed to store all the logs. The image below shows archived events in the Discover section of Wazuh dashboard with the index pattern set to wazuh-archives-*.
wazuh-monitoring index stores data about the state of Wazuh agents over a period of time. The state of the agent could be Active, Disconnected, or Never connected. This information is very useful in tracking Wazuh agents that are not reporting for several reasons that need investigation. The image below shows the connection status of the agents on the Wazuh dashboard. The agent information as shown in the image is collected from the wazuh-monitoring index.
wazuh-statistics index stores performance data related to the Wazuh server. This information is critical to ensuring the Wazuh server performs optimally with the available computing resources. The image below shows performance-related events on the Wazuh dashboard.

Log data querying and visualization

The Wazuh dashboard offers log data querying and visualization capabilities. You can leverage the dashboard’s intuitive interface to conduct complex searches and queries to extract meaningful insights from the log data collected by Wazuh.

Wazuh provides a set of predefined dashboards and visualizations out of the box, specifically tailored to security monitoring and compliance use cases. These dashboards provide insight into common security events such as failed logins, malware detection, and system anomalies. You can further customize these dashboards to suit your specific needs and requirements. Below is a sample image of the Security event dashboard showing several interesting information like Top 5 PCI DSS Requirements, Top 5 alerts, and Alert groups evolution.

The Wazuh dashboard enables users to explore log entries in real time, apply various filters, and drill down into specific events or time ranges. This flexibility allows security analysts to identify trends, anomalies, and potential security incidents within their environment.

Wazuh allows users to create customized dashboards that display key performance indicators, security metrics, and real-time monitoring of critical systems and applications. Users can assemble multiple visualizations, such as pie charts, line graphs, and heat maps, onto a single dashboard, providing a holistic view of their infrastructure's security posture. The following blog posts detailed how to query and create custom dashboards:

Vulnerability detection

Software vulnerabilities are weaknesses in code that can allow attackers to gain access to or manipulate the behavior of an application. Vulnerable software applications are commonly targeted by attackers to compromise endpoints and gain a persistent presence on targeted networks.

Vulnerability detection is the process of identifying these flaws before they are discovered and exploited by attackers. The goal of vulnerability detection is to identify vulnerabilities so that remediation can be carried out to prevent successful attacks.

The Wazuh agent uses the Syscollector module to collect inventory details from the monitored endpoint. It sends the collected data to the Wazuh server. Within the Wazuh server, the Vulnerability Detection module correlates the software inventory data with vulnerability content documents to detect vulnerable software on the monitored endpoint.

Wazuh detects vulnerable applications, generating risk reports, using our Cyber Threat Intelligence (CTI) platform. In this platform, we aggregate vulnerability data from diverse sources like operating system vendors and vulnerability databases, consolidating it into a unified, reliable repository. The process involves standardizing the varied formats into a common structure. Additionally, we maintain the integrity of our vulnerability data by doing the following.

Rectifying format inconsistencies like version errors and typos.
Completing missing information.
Incorporating new cybersecurity vulnerabilities.

Subsequently, we merge this content, uploading the compiled documents to a cloud server. Finally, we publish these documents to our CTI API.

Relying on the Wazuh CTI, the Vulnerability Detection module supports a variety of operating systems, such as Windows, CentOS, Red Hat Enterprise Linux, Ubuntu, Debian, Amazon Linux, Arch Linux, and macOS operating systems, and applications.

Achieve comprehensive visibility

The Vulnerability Detection module generates alerts for vulnerabilities discovered on the operating system and applications installed on the monitored endpoint. It correlates the software inventory collected by the Wazuh agent with the vulnerability content documents and displays the alert generated on the Wazuh dashboard. This provides a clear and comprehensive view of vulnerabilities identified in all monitored endpoints, allowing you to view, analyze and fix vulnerabilities.

The vulnerability detection dashboard shows the frequency of occurrences in different categories such as package name, operating system, agent name, vulnerability ID, and alert severity. This allows analysts to direct their focus appropriately.

You can view the alerts generated on the dashboard when new vulnerabilities are discovered.

The alerts generated on the dashboard could also be a result of remediation activities. The image below shows alerts generated after an upgrade or an uninstallation of a package resolved a vulnerability.

Obtain actionable intelligence from vulnerability alerts

Wazuh vulnerability alerts contain relevant information about the identified vulnerability which can help users understand and decide on remediation steps. You can see an example of a vulnerability detection alert below:

{
 "_index": "wazuh-alerts-4.x-sample-threat-detection",
 "_id": "e2ffSY8Be9PWdpLhA_nt",
 "_version": 1,
 "_score": null,
 "_source": {
   "predecoder": {},
   "cluster": {
     "name": "wazuh"
   },
   "agent": {
     "ip": "197.17.1.4",
     "name": "Centos",
     "id": "005"
   },
   "manager": {
     "name": "wazuh-server"
   },
   "data": {
     "vulnerability": {
       "severity": "Medium",
       "package": {
         "condition": "Package less or equal than 2.1.7.3-2",
         "name": "cryptsetup",
         "version": "2:1.6.6-5ubuntu2.1",
         "architecture": "amd64"
       },
       "references": [
         "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html",
         "http://www.openwall.com/lists/oss-security/2016/11/14/13",
         "http://www.openwall.com/lists/oss-security/2016/11/15/1",
         "http://www.openwall.com/lists/oss-security/2016/11/15/4",
         "http://www.openwall.com/lists/oss-security/2016/11/16/6",
         "http://www.securityfocus.com/bid/94315",
         "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb",
         "https://nvd.nist.gov/vuln/detail/CVE-2016-4484",
         "http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4484.html",
         "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484"
       ],
       "cve_version": "4.0",
       "assigner": "cve@mitre.org",
       "published": "2017-01-23",
       "cwe_reference": "CWE-287",
       "title": "CVE-2016-4484 on Ubuntu 16.04 LTS (xenial) - low.",
       "rationale": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.",
       "cve": "CVE-2016-4484",
       "state": "Fixed",
       "bugzilla_references": [
         "https://launchpad.net/bugs/1660701"
       ],
       "cvss": {
         "cvss2": {
           "base_score": "7.200000",
           "vector": {
             "integrity_impact": "complete",
             "confidentiality_impact": "complete",
             "availability": "complete",
             "attack_vector": "local",
             "access_complexity": "low",
             "authentication": "none"
           }
         },
         "cvss3": {
           "base_score": "6.800000",
           "vector": {
             "user_interaction": "none",
             "integrity_impact": "high",
             "scope": "unchanged",
             "confidentiality_impact": "high",
             "availability": "high",
             "attack_vector": "physical",
             "access_complexity": "low",
             "privileges_required": "none"
           }
         }
       },
       "updated": "2017-01-26"
     }
   },
   "@sampledata": true,
   "rule": {
     "firedtimes": 290,
     "mail": false,
     "level": 7,
     "pci_dss": [
       "11.2.1",
       "11.2.3"
     ],
     "tsc": [
       "CC7.1",
       "CC7.2"
     ],
     "description": "CVE-2016-4484 affects cryptsetup",
     "groups": [
       "vulnerability-detector"
     ],
     "id": "23504",
     "gdpr": [
       "IV_35.7.d"
     ]
   },
   "location": "vulnerability-detector",
   "id": "1580123327.49031",
   "decoder": {
     "name": "json"
   },
   "timestamp": "2024-05-05T17:44:08.518+0000"
 },
 "fields": {
   "data.vulnerability.published": [
     "2017-01-23T00:00:00.000Z"
   ],
   "data.vulnerability.updated": [
     "2017-01-26T00:00:00.000Z"
   ],
   "timestamp": [
     "2024-05-05T17:44:08.518Z"
   ]
 },
 "highlight": {
   "manager.name": [
     "@opensearch-dashboards-highlighted-field@wazuh-server@/opensearch-dashboards-highlighted-field@"
   ],
   "rule.groups": [
     "@opensearch-dashboards-highlighted-field@vulnerability-detector@/opensearch-dashboards-highlighted-field@"
   ]
 },
 "sort": [
   1714931048518
 ]
}

As you can see above, the alert contains key information about the detected vulnerability. This information includes the CVE information, reference links for further research, and a description that provides a concise explanation of the vulnerability.

Track vulnerability remediation

The Wazuh Vulnerability Detection module also allows you to confirm when a vulnerability has been remediated. This feature detects when a patch or software upgrade resolves a previously detected vulnerability. The feature is enabled using the hotfixes option and is available for Windows endpoints.

Use vulnerability reports to identify critical security issues

Wazuh provides users with the ability to download a report that contains security events related to discovered and resolved vulnerabilities. This feature allows users to identify endpoints with unresolved vulnerabilities and keep track of remediation activities.

Vulnerability Detection report generation

Incident response

A security incident refers to any adverse event or activity that risks or threatens the confidentiality, integrity, or availability of digital assets, networks, data, or resources. Such incidents include unauthorized access, data breaches, malware infections, denial-of-service attacks, and any other activities that compromise the security posture of an organization's information technology environment.

The goal of incident response is to effectively handle a security incident and restore normal business operations as quickly as possible. As organizations’ digital assets continuously grow, managing incidents manually becomes increasingly challenging, hence the need for automation.

Automated incident response involves automatic actions taken when responding to security incidents. These actions can include isolating compromised endpoints, blocking malicious IP addresses, quarantining infected devices, or disabling compromised user accounts. By automating incident response, cybersecurity teams reduce response time to detected threats, prevent or minimize the impact of incidents, and efficiently handle a large volume of security events.

Wazuh Active Response module

The Wazuh Active Response module allows users to run automated actions when incidents are detected on endpoints. This improves an organization's incident response processes, enabling security teams to take immediate and automated actions to counter detected threats.

You can also configure the actions to be either stateless or stateful. Stateless active responses are one-time actions while stateful responses revert their actions after some time.

Default active response actions

Out-of-the-box scripts are available on every operating system that runs the Wazuh agents. Some of the default active response scripts include:

Name of script	Description
disable-account	Disables a user account
firewall-drop	Adds an IP address to the iptables deny list.
firewalld-drop	Adds an IP address to the firewalld drop list.
restart.sh	Restarts the Wazuh agent or server.
netsh.exe	Blocks an IP address using netsh.

Custom active response actions

One of the benefits of the Wazuh Active Response module is its adaptability. Wazuh allows security teams to create custom active response actions in any programming language, tailoring them to their specific needs. This ensures that when a threat is detected, the response can be customized to align with the organization's requirements.

Automating incident response with Wazuh

To leverage the Wazuh Active Response module, you need to configure the action to be carried out when a specific event occurs on a monitored endpoint. For example, you can configure the Wazuh Active Response module to delete a malicious executable from an infected endpoint. In the examples that follow, we show how the Wazuh Active Response module handles different incidents.

Removing malware

You can use the Wazuh Active Response module in conjunction with the File Integrity Monitoring module and VirusTotal integration to detect and remove malicious files from an endpoint.

The image below shows the following activities:

Rule ID 554 is fired when a file is added to the Downloads directory which is monitored with the Wazuh File Integrity Monitoring module.
Rule ID 87105 triggers when Wazuh extracts the file hash, requests data about the file hash from the VirusTotal database via its API, and receives a malicious file response.
Rule ID 553 is fired when a file is deleted from the Downloads directory which is monitored with the Wazuh File Integrity Monitoring module.
Rule ID 110006 is fired when the Wazuh Active Response module deletes the malicious file from the endpoint.

In this scenario, the Wazuh Active Response module automatically removes the malicious file, reducing the time between threat detection and mitigation.

Responding to DoS attacks

The primary goal of a DoS attack is to render the target inaccessible to legitimate users, causing a denial of service. In the image below, we show how the Wazuh Active Response module blocks malicious IP addresses performing a DoS against a web server on an Ubuntu endpoint.

In this case, the Wazuh Active Response module automatically blocks the malicious hosts from causing a DoS attack on the web server. Thereby ensuring the availability of the web server to the authorized users.

Disabling a user account after a brute-force attack

Account lockout is a security measure used to defend against brute force attacks by limiting the number of login attempts a user can make within a specified time. We use the Wazuh Active Response module to disable the user account whose password is being guessed by an attacker.

In the image below, the Wazuh Active Response module disables the account on a Linux endpoint and re-enables it again after 5 minutes.

Linux account temporarily disabled alerts

In this scenario, when an attacker tries to guess a user's password repeatedly and fails, the account becomes temporarily inaccessible. This impedes attackers who rely on brute-force methods to guess user account passwords.

By utilizing the Wazuh Active Response module, security teams can automate responses to different incidents. Thereby ensuring efficient incident response and a more resilient cybersecurity posture.

Regulatory compliance

Regulatory compliance means following laws, rules, regulations, and standards set by government bodies, industry regulators, or other authorities. Organizations need to adhere to regulatory compliance to uphold the integrity of business operations and protect sensitive data.

Adhering to regulatory requirements constitutes a crucial component within an organization's cybersecurity framework. Through alignment with relevant laws, rules, and benchmarks, entities can safeguard their information resources and mitigate the likelihood of security breaches.

Wazuh provides several capabilities for implementing compliance, including:

File Integrity Monitoring (FIM).
Security Configuration Assessment (SCA).
Vulnerability detection.
Malware detection.
Incidence response.

Wazuh provides out-of-the-box rulesets mapped against compliance tags for PCI DSS, HIPAA, NIST 800-53, TSC, and GDPR frameworks and standards.

Wazuh allows you to create custom rules and tag them to compliance standards that suit your needs. The following section details use cases for the supported standards.

PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) outlines the security criteria that businesses that process, store, and transmit card data must adhere to. This standard is designed to tighten security measures surrounding cardholder data and lessen fraud within the payment card industry.

Payment card industries can leverage Wazuh capabilities to reinforce PCI DSS adherence. Users can customize these capabilities to align with specific business needs as stipulated by the standard. For example, you can use Wazuh to conduct a PAN scan by creating customs rules that detect the presence of an unmasked Primary Account Number(PAN).

Alert of unmasked Primary Account Number (PAN)

You can find more information on how Wazuh helps organizations meet the PCI DSS standard.

HIPAA

The Health Insurance Portability and Accountability Act is a legal framework that enables healthcare institutions and organizations to prevent the unauthorized disclosure of sensitive patient health information. The Health Insurance Portability and Accountability Act (HIPAA) sets guidelines and procedures for processing health information to increase the efficiency of healthcare services. It entails guidelines for electronic healthcare transactions and standards for security and distinctive health identification.

The HIPAA framework requires federal privacy protections for health information due to technological advancements, which have an influence on the privacy and security of this information.

Organizations can monitor access and changes made to PII (personally identifiable information) and other confidential documents using the Wazuh FIM module.

You can find more information on how Wazuh helps organizations meet the HIPAA framework.

The image below shows the creation and deletion of a file on a monitored endpoint.

NIST 800-53

The National Institute of Standards and Technology (NIST) 800-53 is known as Security and Privacy Controls for Federal Information Systems and Organizations. It is a crucial component of the larger NIST Special Publication 800 series.

NIST 800-53 offers recommendations for managing information security and privacy for federal organizations and agencies. It helps organizations safeguard sensitive data while protecting their information systems and data from various threats.

You can view the vulnerability detection module results on the Wazuh dashboard which includes vulnerable applications and packages on the monitored endpoint. You can find more information on how Wazuh helps organizations meet the NIST 800-53 standard.

Vulnerability Detection module inventory

TSC

The Trust Services Criteria were developed by the Assurance Services Executive Committee (ASEC) of the AICPA. The TSC has five trust service areas which are security, availability, processing integrity, confidentiality, and privacy. Organizations implement TSC to protect customer data from unauthorized access, use, disclosure, modification or destruction.

Wazuh provides out-of-the-box tags for TSC Common Criterias that give organizations a standardized way to evaluate and report on the effectiveness of their information security policies. You can find more information on how Wazuh helps organizations meet TSC compliance.

The image below shows some of the Common criteria Wazuh helps organizations meet CC7.2 - Requiring ongoing monitoring for all irregular activity indicative of incidents.

IT hygiene

IT hygiene refers to the measures that organizations and individuals undertake to maintain the health and security of their IT assets. IT hygiene requires continuous adaptation of practices and processes to counter emerging cybersecurity threats and challenges, fostering a secure and resilient IT environment. Organizations implement IT hygiene practices to prevent cyberattacks, data breaches, and other security concerns that may result in data loss, service disruption, reputational harm, or financial instability.

System inventory

An up-to-date system inventory helps organizations optimize asset visibility in their environment, and is essential for maintaining good IT hygiene. hardware and operating system information, user accounts, installed packages, running processes and services, network ports, users, groups, and browser extensions. Wazuh agents use the Wazuh Syscollector module to collect inventory data from monitored endpoints and send them to the Wazuh server. All data is aggregated into dedicated indices in the Wazuh indexer and accessible through the Wazuh dashboard, enabling rapid detection and remediation without endpoint-by-endpoint inspection.

Navigate to Security operations > IT Hygiene to generate system inventory reports from the Wazuh IT hygiene module on the Wazuh dashboard.

You can also generate property-specific reports for a monitored endpoint. For example, you can get a report containing the list of installed software or a list of running processes on a monitored endpoint.

The inventory data collected can be queried using the Wazuh server API or Wazuh indexer API, which retrieves nested data in JSON format. For example, you can query the package inventory to check for the wazuh-agent package on a monitored endpoint using the Wazuh > Tools > API Console module on the Wazuh dashboard. Command line tools like cURL can also be used to query the inventory database.

Querying the package inventory using the Dev Tools

Security Configuration Assessment

One of the objectives of implementing good IT hygiene is to reduce the attack surface of your organization. The Wazuh SCA module periodically scans monitored endpoints against policies based on the Center for Internet Security (CIS) benchmarks to identify security misconfigurations and flaws. The CIS benchmarks are essential guidelines for establishing a secure baseline configuration for critical assets. This minimizes vulnerabilities resulting from misconfigurations and reduces the risk of security breaches.

The Configuration Assessment module on the Wazuh dashboard provides each agent's SCA scan result. The results show the number of checks performed on the endpoint, how many failed, and the number of checks that passed. It also shows a score calculated based on the number of tests passed, giving you an overview of the level of compliance.

You can gain more insights from the Wazuh dashboard to view the passed and failed checks. Also, you can generate a CSV report to aid remediation activities, thereby improving the endpoint security posture.

You can see information such as rationale, remediation steps, and description of the checks performed on the endpoint on the Wazuh dashboard. This information is included in the report generated by Wazuh.

The SCA scan result above indicates a failure because the endpoint allows you to mount the cramfs file system. You can implement the remediation suggested in the report to improve the security posture.

Vulnerability management

The Wazuh vulnerability detection module identifies vulnerable applications by using vulnerability information available in our Wazuh CTI. Links to specific vulnerabilities on our Wazuh CTI are also available on each vulnerability ID.

Vulnerability Detection inventory dashboard

You can download a report that contains security events related to discovered and resolved vulnerabilities on a monitored endpoint from the Wazuh dashboard. This feature allows you to identify endpoints with unresolved vulnerabilities and keep track of remediation activities.

The Wazuh vulnerability detection module also enables you to track remediation activities, which could serve as a progress report on improving or maintaining IT hygiene. For example, when a vulnerability is remediated, an alert is generated on the Wazuh dashboard. This feature detects when a patch or software upgrade resolves a previously detected vulnerability.

Malware detection

Malware detection is essential for safeguarding computer systems and networks from cyber threats. Organizations can improve their IT hygiene by identifying and mitigating malicious software that can cause data breaches, system compromises, and financial losses.

Wazuh offers an out-of-the-box ruleset designed to recognize malware patterns and trigger alerts for quick response. Wazuh also allows security analysts to create custom rules tailored to their environment, thereby optimizing their malware detection efforts. For example, we created custom rules to detect Vidar infostealer malware using Wazuh.

<group name="windows,sysmon,vidar_detection_rule,">
<!-- Vidar downloads malicious DLL files on victim endpoint -->
  <rule id="100084" level="10">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\.+(exe|dll|bat|msi)</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\\\ProgramData\\\\(freebl3|mozglue|msvcp140|nss3|softokn3|vcruntime140)\.dll</field>
    <description>Possible Vidar malware detected. $(win.eventdata.targetFilename) was downloaded on $(win.system.computer)</description>
    <mitre>
      <id>T1056.001</id>
    </mitre>
  </rule>
<!-- Vidar loads malicious DLL files -->
  <rule id="100085" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\.+(exe|dll|bat|msi)</field>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)\\\\programdata\\\\(freebl3|mozglue|msvcp140|nss3|softokn3|vcruntime140)\.dll</field>
    <description>Possible Vidar malware detected. Malicious $(win.eventdata.imageLoaded) file loaded by $(win.eventdata.image)</description>
    <mitre>
      <id>T1574.002</id>
    </mitre>
  </rule>
<!-- Vidar deletes itself or a malicious process it creates -->
  <rule id="100086" level="7" frequency="5" timeframe="360">
    <if_sid>61603</if_sid>
    <if_matched_sid>100085</if_matched_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\cmd.exe</field>
    <match type="pcre2">cmd.exe\\" /c timeout /t \d{1,}.+del /f /q \\".+(exe|dll|bat|msi)</match>
    <description>Possible Vidar malware detected. Malware deletes $(win.eventdata.parentCommandLine)</description>
    <mitre>
      <id>T1070.004</id>
    </mitre>
  </rule>
</group>

The rules above detect specific behaviors of the Vidar infostealer malware and trigger alerts on the dashboard.

Wazuh boosts its malware detection capabilities by integrating with threat intelligence sources such as VirusTotal, MISP, and more. Wazuh also offers support for integrating third-party malware detection tools such as ClamAV and Windows Defender. By collecting and analyzing logs from third-party malware detection tools, Wazuh provides security analysts with a centralized monitoring platform. Wazuh increases the efficiency in detecting malware by combining diverse threat intelligence from third-party tools, thereby improving the organization's IT hygiene.

The image below shows an alert of an event from VirusTotal processed by the Wazuh server.

Wazuh uses CDB lists (constant databases) containing indicators of compromise (IOCs) to detect malware. These lists contain known malware IOCs such as file hashes, IP addresses, and domain names. Wazuh proactively identifies malicious files by comparing the identified IOCs with the information stored in the CDB lists.

Regulatory compliance

Regulatory standards provide a global benchmark for best business practices to help improve customer trust and business reputation. Compliance with regulatory standards also helps organizations to enhance their IT hygiene.

Wazuh streamlines the process of meeting regulatory compliance obligations by offering a solution that addresses requirements of industry standards such as PCI DSS, HIPAA, GDPR, and others.

Wazuh uses its capabilities such as the SCA, vulnerability detection, FIM, and more to identify and report compliance violations. It also provides dedicated compliance dashboards to help monitor compliance status, identify improvement areas, and take appropriate remediation actions.

For example, you can get a general overview of the PCI DSS requirement of a monitored endpoint on the Wazuh dashboard.

You can drill down to the individual PCI DSS requirement from the Controls tab to discover where the policy violations occurred.

The image below shows alerts generated for vulnerabilities that violate the PCI DSS Requirement 11.2.1.

This feature is also available for other compliance standards such as GDPR, TSC, HIPAA, and NIST-800-53.

Container security

Container security is an IT practice that is focused on safeguarding containers and their applications against security threats. Organizations can gain visibility into the usage of both containers and the applications they contain by implementing robust security measures in such an environment.

Containers offer lightweight, isolated environments with application code, runtime, and dependencies. They are widely used to deploy and scale applications both on-premises and in the cloud. As container applications and infrastructure become more popular, it becomes essential to protect them from potential threats.

Wazuh for container security

Wazuh integrates with container platforms like Docker and Kubernetes and actively monitors container runtime events, application logs, and overall container health. Wazuh identifies anomalies by evaluating container logs against predefined rules. Additionally, it maintains a record of container engine actions to detect unauthorized activities in a containerized environment. It also monitors health metrics to prevent performance bottlenecks in an organization.

Wazuh container security features comprise monitoring container runtimes, tracking containerized application logs, monitoring container resource utilization, centralized logging, and container alert notifications. This comprehensive set of capabilities enhances security and streamlines incident response.

Container runtime monitoring

Organizations can enhance the security of their containerized applications by monitoring container events. They can proactively address unexpected behavior by promptly responding to alerts triggered by predefined rules. Wazuh also provides insight into container engine interactions and detects irregularities in containerized applications.

Monitoring the container engine

Wazuh captures real-time events performed by the Docker engine via its Docker listener module. This ensures that no crucial Docker event or operation goes undetected.

Monitoring user interaction with Docker resources demonstrates how Wazuh enhances visibility into the interactions of the container engine with the containers and the images.

Docker container user interaction alerts

Wazuh also monitors the creation and destruction of resources in Kubernetes clusters to help identify unauthorized actions and potential security breaches.

The blog post on Auditing Kubernetes with Wazuh demonstrates how to monitor Kubernetes resource interactions with Wazuh.

Monitoring containerized application logs

Wazuh allows organizations to monitor containerized applications. It provides visibility into the applications that are resident in the container. When the application events are forwarded to the Wazuh manager, Security engineers can create custom rules that align with the unique requirements of their organization. This facilitates a highly personalized approach that improves overall visibility into the containers and the applications they host.

The Monitoring container runtime documentation has more information about monitoring containerized application logs.

Monitor container resource utilization with Wazuh

Wazuh tracks and analyzes the resource consumption of containerized applications. It provides insights into the CPU, memory, and network usage statistics of containers, assisting in identifying performance bottlenecks.

Wazuh provides customizable alerts and notifications, enabling organizations to detect and proactively respond to unusual resource spikes or consumption patterns.

The blog post on Docker container security monitoring with Wazuh demonstrates how Wazuh monitors network utilization in a containerized environment.

Monitoring network utilization in a containerized environment

Centralized logging and visualization of containers event

Wazuh centralizes container event logging and visualization. Its scalable indexer aggregates logs into a powerful search and analytics engine, providing real-time insights. This indexer handles event influx while also supporting compliance needs such as log retention policies.

Wazuh enables organizations to view container logs from a customized dashboard. Security professionals can track and analyze unfolding activities, swiftly identifying threats and unauthorized actions. This early detection enables security professionals to respond to security incidents as they arise swiftly, establishing an active approach to minimizing risks.

The image below displays the customized container dashboard of Wazuh, where events from all containers are showcased.

Container alert notification with Wazuh

Wazuh integrates with messaging platforms like email and Slack. It also integrates with case management solutions, like Jira , for incident response and real-time alerting. This ensures that security teams are promptly notified whenever potential threats or unauthorized actions occur in containerized environments.

The documentation on External API integration explains how the Integrator daemon allows Wazuh to connect to external APIs and case management systems tools like PagerDuty.

Connect to external APIs and case management systems

Posture management

Cloud Service Posture Management (CSPM) encompasses a set of practices aimed at safeguarding the security and compliance of cloud environments. This involves the ongoing assessment and monitoring of cloud workloads to pinpoint misconfigurations, vulnerabilities, and potential threats. CSPM also offers actionable remediation steps for addressing security risks, ultimately bolstering the overall security posture of cloud environments.

Wazuh provides security and compliance monitoring for various cloud platforms, including Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure. We leverage Wazuh for CSPM across the platforms listed below.

Google Cloud Platform

Wazuh connects with GCP through the Google Cloud publisher and subscriber services, also known as GCP Pub/Sub. These messaging services facilitate the transmission of log data from a GCP workload to a Wazuh instance. The image below shows the integration between GCP and Wazuh.

You can configure your Wazuh instance to receive GCP logs using the Pub/Sub service. Once configured, you can go to the Google Cloud module in the Wazuh dashboard to view logs related to your GCP services. We provide detailed guidelines on configuring Wazuh to receive GCP logs using the Pub/Sub service in our using Wazuh to monitor GCP services documentation.

Using Wazuh to monitor Google Cloud Platform

The image below shows an example log received from a monitored GCP instance on the Wazuh dashboard.

Amazon Web Services

Wazuh provides CSPM to your AWS workloads by monitoring the AWS services and instances. Monitoring your AWS services includes collecting and analyzing log data about your AWS infrastructure using the Wazuh module for AWS.

You can use the Amazon Web Services module in the Wazuh dashboard to view logs related to AWS services.

Enabling AWS module in the Wazuh dashboard

Follow the AWS prerequisite documentation to set up your Wazuh instance for AWS log collection. The documentation shows a list of the supported AWS services that Wazuh can monitor. The image below shows an Amazon Security Hub log received using the CloudWatch service.

This control is designed to assess the security configuration of S3 buckets by verifying that user permissions are not granted through access control lists (ACLs). It is recommended to use AWS Identity and Access Management (IAM) policies rather than S3 bucket ACLs for managing user permissions.

Microsoft Azure

Wazuh integrates with Azure using the Log Analytics Workspace. The Azure Log Analytics workspace is a service that facilitates storing log data from Azure Monitor and other Azure services, such as Microsoft Defender for Cloud. Wazuh provides a native integration module for Azure that retrieves logs from the Log Analytics Workspace.

Azure Log Analytics Workspace integration with Wazuh overview

We provide detailed guidelines on configuring Wazuh to receive Azure Cloud logs using the Log Analytics Workspace in our Azure Log Analytics documentation. Once configured, you can set up your Wazuh deployment to retrieve Recommendations, Security alerts, and Regulatory compliance logs for your Azure cloud infrastructure.

The image below shows Azure security posture management logs received on Wazuh.

Cloud workload protection

The Wazuh security platform provides threat detection, configuration compliance, and continuous monitoring for on-premises, cloud, and hybrid environments. It protects cloud workloads by monitoring the infrastructure at two levels:

Endpoint level: monitoring cloud instances or virtual machines using the lightweight Wazuh agent.
Cloud infrastructure level: monitoring cloud service activity by collecting and analyzing data from the provider API. Wazuh supports Amazon AWS, Microsoft Azure, and Google Cloud.

We describe some benefits of using Wazuh to enhance security operations, protect cloud-native applications, and facilitate compliance efforts for a secure cloud environment.

Cloud log data analysis and retention

Cloud environments generate large amounts of log data, vital for identifying security incidents. The Wazuh rules and decoders are responsible for parsing and analyzing log data to detect anomalous events. Wazuh collects and analyzes log data from various cloud platforms and services, such as AWS, Azure, Google Cloud, Office 365, and GitHub.

The image below is an example of an AWS dashboard on Wazuh showing the trend of events collected from the cloud infrastructure.

Wazuh monitors and logs activities in the cloud, providing a centralized view of user actions across the entire cloud infrastructure. Wazuh has out-of-the-box rules to detect suspicious or unauthorized activities. In addition to the in-built rules, users can create custom rules to consolidate threat detection.

Amazon web services

Wazuh has dedicated modules for monitoring and securing AWS cloud infrastructure. Some of the AWS services that Wazuh monitors include:

Amazon Guardduty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, ensuring the protection of AWS accounts, workloads, and data stored in Amazon S3.
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
Amazon Key Management Service (KMS) is used for cryptographic key management across AWS services.
Amazon Macie is a fully managed data security and privacy service. It automatically detects unencrypted S3 buckets, publicly accessible buckets, and buckets shared with external AWS accounts.
Amazon Virtual Private Cloud (VPC) provisions a logically isolated section of the AWS Cloud where AWS resources can be launched on a virtual network defined by the user.
AWS Config assesses, audits, and evaluates the configurations of your AWS resources. It helps the users review changes in configurations and relationships between AWS resources.
AWS Cloudtrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.
AWS Trusted Advisor helps users reduce costs, increase performance, and improve security by optimizing their AWS environment. It provides real-time guidance to help users provision their resources following AWS best practices.
AWS Web Application Firewall (WAF) helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.

Microsoft Azure

Wazuh has a dedicated module that pulls logs from and monitors Azure platform. This module obtains data from critical Azure services, including:

Log Analytics API: The Log Analytics API is a core component of the Azure Monitor service and is used to aggregate and analyze log data. The sources of such data are cloud applications, operating systems, and Azure resources. The Wazuh module for Azure is capable of querying the Log Analytics API, pulling the logs collected by the Azure Monitor service.
Blob Storage API: Logs from Azure services are optionally pushed to Azure Blob Storage. Specifically, it is possible to configure an Azure service to export logs to a container in a storage account created for that purpose. Afterward, the Wazuh agent will download those logs via its integration with the Blob Storage API.
Active Directory Graph API: The Azure Active Directory (AD) Graph API provides access to AZURE AD through REST API endpoints. It is used by Wazuh to monitor Active Directory events (for example, creation of a new user, update of user properties, disablement of user accounts, etc.)

Google Cloud Platform

Wazuh monitors Google Cloud services by pulling events from the Google Pub/Sub messaging service, a middleware for event ingestion and delivery. This integration helps detect threats targeting your Google Cloud assets. For more information, please refer to Using Wazuh to monitor GCP services.

Office 365

Wazuh includes a dedicated module designed to interact with the Office 365 Management Activity API. This module is responsible for fetching logs from Office 365 and making them available for analysis within the Wazuh platform. The Management Activity API serves as the source of audit logs for Office 365, containing information about various actions and events within the Office 365 environment. These logs are organized into tenant-specific content blobs and classified based on their content type and source. Wazuh performs analysis, alerting, and reporting on these logs, enhancing the security and compliance monitoring capabilities within the Office 365 environment. For more detailed information, please refer to Using Wazuh to monitor Office 365.

GitHub

Wazuh has a GitHub module that utilizes the GitHub API to pull GitHub audit logs, which contain information about actions performed by organization members. This log includes essential details such as the user who initiated the action, the nature of the action (e.g., repository creation, access changes, etc.), the timestamp indicating when the action took place and others. Wazuh collects, processes, and stores these logs, enabling analysis, alerting, and reporting. Refer to Using Wazuh to monitor GitHub for more information.

Protect cloud-native applications

Wazuh provides protection for cloud-native applications, safeguarding them against security threats and vulnerabilities. It integrates with container orchestration platforms like Kubernetes and Docker, allowing it to monitor and analyze container activity in real time. Wazuh detects suspicious container behavior, unauthorized image changes, and potential security misconfigurations, ensuring the overall integrity of containerized applications.

The image below shows alerts generated from a monitored Docker infrastructure.

Some additional use cases for using Wazuh to monitor cloud-native applications are:

Furthermore, the Wazuh integration with cloud service providers enables monitoring and analysis of cloud-native application logs, ensuring comprehensive visibility into the environment and facilitating effective security operations.

Promote security operations in the cloud

Wazuh promotes security operations within cloud environments by allowing security teams to detect and respond to threats, mitigating damages, and reducing the overall impact on the cloud infrastructure. Furthermore, Wazuh facilitates red and blue team activities. The platform's customizable rules enable organizations to simulate attacks and test their security defenses. Blue teams can use the insights gained on Wazuh from red team activities to fine-tune their security measures and strengthen their defenses. The following resources demonstrate how to use the Stratus Red Team tool to simulate attacks on some cloud platforms and how to detect them with Wazuh:

The centralized logging and reporting capabilities of Wazuh simplify compliance management within cloud environments. It helps organizations meet regulatory requirements by capturing and storing audit trails, ensuring accountability, and facilitating the investigation of security incidents. Refer to the Wazuh dashboard documentation for more information about how Wazuh aids analysis, reporting, and compliance efforts.

Quickstart

Wazuh is a security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads. The solution is composed of a single universal agent and three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard. For more information, check the Getting Started documentation.

Wazuh is free and open source. Its components abide by the GNU General Public License, version 2, and the Apache License, Version 2.0 (ALv2).

This quickstart shows you how to install the Wazuh central components, on the same host, using our installation assistant. You can check our Installation guide for more details and other installation options.

Below you can find a section about the requirements needed to install Wazuh. It will help you learn about the hardware requirements and the supported operating systems for your Wazuh installation.

Requirements

Hardware

Hardware requirements highly depend on the number of protected endpoints and cloud workloads. This number can help estimate how much data will be analyzed and how many security alerts will be stored and indexed.

Following this quickstart implies deploying the Wazuh server, the Wazuh indexer, and the Wazuh dashboard on the same host. This is usually enough for monitoring up to 100 endpoints and for 90 days of queryable/indexed alert data. The table below shows the recommended hardware for a quickstart deployment:

Agents	CPU	RAM	Storage (90 days)
1–25	4 vCPU	8 GiB	50 GB
25–50	8 vCPU	8 GiB	100 GB
50–100	8 vCPU	8 GiB	200 GB

For larger environments we recommend a distributed deployment. Multi-node cluster configuration is available for the Wazuh server and for the Wazuh indexer, providing high availability and load balancing.

Operating system

The Wazuh central components require a 64-bit Intel, AMD, or ARM Linux processor (x86_64/AMD64 or AARCH64/ARM64 architecture) to run. Wazuh recommends any of the following operating system versions:

Amazon Linux 2, Amazon Linux 2023
CentOS Stream 10
Red Hat Enterprise Linux 7, 8, 9, 10
Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04

Installing Wazuh

Download and run the Wazuh installation assistant.

$ curl -sO https://packages.wazuh.com/5.0/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Once the assistant finishes the installation, the output shows the access credentials and a message that confirms that the installation was successful.

INFO: --- Summary ---
INFO: You can access the web interface https://<WAZUH_DASHBOARD_IP_ADDRESS>
    User: admin
    Password: <ADMIN_PASSWORD>
INFO: Installation finished.

You now have installed and configured Wazuh.

Access the Wazuh web interface with https://<WAZUH_DASHBOARD_IP_ADDRESS> and your credentials:
- Username: admin
- Password: <ADMIN_PASSWORD>

When you access the Wazuh dashboard for the first time, the browser shows a warning message stating that the certificate was not issued by a trusted authority. This is expected and the user has the option to accept the certificate as an exception or, alternatively, configure the system to use a certificate from a trusted authority.

Note

You can find the passwords for all the Wazuh indexer and Wazuh API users in the wazuh-passwords.txt file inside wazuh-install-files.tar. To print them, run the following command:

$ sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

If you want to uninstall the Wazuh central components, run the Wazuh installation assistant using the option -u or –-uninstall.

Note

Recommended Action: Disable Wazuh Updates.

We recommend disabling the Wazuh package repositories after installation to prevent accidental upgrades that could break the environment.

Execute the following command to disable the Wazuh repository:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

# sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
# apt update

Next steps

Now that your Wazuh installation is ready, you can start deploying the Wazuh agent. This can be used to protect laptops, desktops, servers, cloud instances, containers, or virtual machines. The agent is lightweight and multi-purpose, providing a variety of security capabilities.

Instructions on how to deploy the Wazuh agent can be found in the Wazuh web user interface, or in our documentation.

Linux

Windows

macOS

Installation guide

Wazuh is a security platform that provides unified XDR and SIEM protection for endpoints and cloud workloads. The solution is composed of the Wazuh agent and three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard. For more information, check the Getting Started documentation.

Wazuh is free and open source. Its components abide by the GNU General Public License, version 2, and the Apache License, Version 2.0 (ALv2).

In this installation guide, you will learn how to install Wazuh in your infrastructure. We also offer Wazuh Cloud, our software as a service (SaaS) solution. Wazuh Cloud is ready to use, with no additional hardware or software required, reducing the cost and complexity. Check the Wazuh Cloud service documentation for more information and take advantage of the Wazuh Cloud trial to explore this service.

Installing the Wazuh central components

You can install the Wazuh indexer, Wazuh server, and Wazuh dashboard on a single host or distribute them in cluster configurations. Each Wazuh central component supports two installation methods and both methods provide instructions to install the central components on a single host or on separate hosts.

You can check our Quickstart documentation to perform an all-in-one installation. This is the fastest way to get the Wazuh central components up and running.

For more deployment flexibility and customization, install the Wazuh central components by starting with the Wazuh indexer deployment. This deployment method supports both an all-in-one installation and installing components on separate hosts.

Follow this installation workflow:

Install the Wazuh indexer

Install the Wazuh server

Install the Wazuh dashboard

Installing the Wazuh agent

The Wazuh agent is a single, lightweight monitoring software. It is a multi-platform component that you can deploy to laptops, desktops, servers, cloud instances, containers, or virtual machines. It provides visibility into the monitored endpoint by collecting critical system and application records, inventory data, and detecting potential anomalies.

Select your endpoint operating system below and follow the installation steps to deploy the Wazuh agent.

Linux

Windows

macOS

Packages list

The Packages list section contains all the packages required for installing Wazuh.

Uninstalling Wazuh

In the Uninstalling Wazuh section, you will find instructions on how to uninstall the Wazuh central components and the Wazuh agent.

Installation alternatives

Wazuh provides other installation alternatives as well. These are complementary to the installation methods of this installation guide. You will find instructions on how to deploy Wazuh using ready-to-use machines, containers, and orchestration tools. There is also information on how to install the solution offline, from sources, and with alternative components.

Wazuh indexer

The Wazuh indexer is a highly scalable, full-text search and analytics engine. It indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. If you want to learn more about Wazuh components, check the Getting started section.

You can install the Wazuh indexer on a single host or distribute it across multiple nodes in a cluster configuration. The cluster configuration provides scalability, high availability, and improved performance.

Check the requirements below and choose an installation method to start installing the Wazuh indexer.

Assisted installation: Install this component by running an assistant that automates the installation and configuration process.
Step-by-step installation: Install this component by following detailed step-by-step instructions.

Install the Wazuh indexer

Install the Wazuh server

Install the Wazuh dashboard

Requirements

Check the supported operating systems and the recommended hardware requirements for the Wazuh indexer installation. Make sure that your system environment meets all requirements and that you have root user privileges.

Recommended operating systems

The Wazuh indexer requires a 64-bit Intel, AMD, or ARM Linux processor (x86_64/AMD64 or AARCH64/ARM64 architecture) to run. Wazuh supports the following operating system versions:

Amazon Linux 2, Amazon Linux 2023
CentOS Stream 10
Red Hat Enterprise Linux 7, 8, 9, 10
Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04

Hardware recommendations

You can install the Wazuh indexer as a single-node or multi-node cluster.

Hardware recommendations for each node

Minimum

Recommended

Component

RAM (GB)

CPU (cores)

RAM (GB)

CPU (cores)

Wazuh indexer

4

2

16

8
Disk space requirements: The amount of disk space required depends on the generated alerts per second (APS). This table details the estimated disk space needed per agent to store 90 days of alerts on a Wazuh indexer server, depending on the type of monitored endpoints.

Monitored endpoints

APS

Storage in Wazuh indexer

(GB/90 days)

Servers

0.25

3.7

Workstations

0.1

1.5

Network devices

0.5

7.4

For example, for an environment with 80 workstations, 10 servers, and 10 network devices, the storage needed on the Wazuh indexer server for 90 days of alerts is 230 GB.

	Minimum	Recommended
Wazuh indexer	4	2	16	8

Monitored endpoints	APS	Storage in Wazuh indexer (GB/90 days)
Servers	0.25	3.7
Workstations	0.1	1.5
Network devices	0.5	7.4

Installing the Wazuh indexer using the assisted installation method

Install and configure the Wazuh indexer as a single-node or multi-node cluster on a 64-bit (x86_64/AMD64 or AARCH64/ARM64) architecture using the assisted installation method. The Wazuh indexer is a highly scalable full-text search engine. It offers advanced security, alerting, index management, deep performance analysis, and several other features.

Wazuh indexer cluster installation

The installation process is divided into three stages.

Initial configuration
Wazuh indexer nodes installation
Cluster initialization

Note

You need root user privileges to run all the commands described below.

Initial configuration

Follow these steps to configure your Wazuh deployment, create SSL certificates to encrypt communications between the Wazuh components, and generate random passwords to secure your installation.

Download the Wazuh installation assistant and the configuration file.

# curl -sO https://packages.wazuh.com/5.0/wazuh-install.sh
# curl -sO https://packages.wazuh.com/5.0/config.yml

Edit ./config.yml and replace the node names and IP values with the corresponding names and IP addresses. You need to do this for all Wazuh server, Wazuh indexer, and Wazuh dashboard nodes. Add as many node fields as needed.

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "<indexer-node-ip>"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "<wazuh-manager-ip>"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "<dashboard-node-ip>"

Run the Wazuh installation assistant with the option --generate-config-files to generate the Wazuh cluster key, certificates, and passwords necessary for installation. You can find these files in ./wazuh-install-files.tar.
# bash wazuh-install.sh --generate-config-files
Copy the wazuh-install-files.tar file to all the servers of the distributed deployment, including the Wazuh server, the Wazuh indexer, and the Wazuh dashboard nodes. This can be done by using the scp utility.

Wazuh indexer node installation

Follow these steps to install and configure a single-node or multi-node Wazuh indexer.

Download the Wazuh installation assistant. Skip this step if you performed the initial configuration on the same server and the Wazuh installation assistant is already in your working directory:
# curl -sO https://packages.wazuh.com/5.0/wazuh-install.sh
Run the Wazuh installation assistant with the option --wazuh-indexer and the node name to install and configure the Wazuh indexer. The node name must be the same one used in config.yml for the initial configuration, for example, node-1.
Note

Make sure that a copy of wazuh-install-files.tar, created during the initial configuration step, is placed in your working directory.
# bash wazuh-install.sh --wazuh-indexer node-1

Repeat this stage of the installation process for every Wazuh indexer node in your cluster. Then proceed with initializing your single-node or multi-node cluster in the next stage.

Note

For Wazuh indexer installation on hardened endpoints with noexec flag on the /tmp directory, additional setup is required. See the Wazuh indexer configuration on hardened endpoints section for necessary configuration.

Cluster initialization

The final stage of installing the Wazuh indexer single-node or multi-node cluster consists of running the security admin script.

Run the Wazuh installation assistant with option --start-cluster on any Wazuh indexer node to load the new certificates information and start the cluster.
```
# bash wazuh-install.sh --start-cluster
```
Note

You only have to initialize the cluster once, there is no need to run this command on every node.

Testing the cluster installation

Verify that the Wazuh indexer installed correctly and the Wazuh indexer cluster is functioning as expected by following the steps below.

Run the following command to get the admin password:

# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1

Run the following command to confirm that the installation is successful. Replace <WAZUH_INDEXER_IP_ADDRESS> with the IP address of the Wazuh indexer and use the password gotten from the output of the previous command:

# curl -k -u admin https://<WAZUH_INDEXER_IP_ADDRESS>:9200

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "095jEW-oRJSFKLz5wmo5PA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Run the following command to check if the cluster is working correctly. Replace <WAZUH_INDEXER_IP_ADDRESS> with the IP address of the Wazuh indexer and enter the password for the Wazuh indexer admin user when it prompts for password:

# curl -k -u admin https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v

The command output should be similar to the following:

ip              heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                               cluster_manager name
192.168.107.240           19          94   4    0.22    0.21     0.20 dimr      data,ingest,master,remote_cluster_client *               node-1

Disable Wazuh updates

We recommend disabling the Wazuh package repositories after installing all components on this server to prevent accidental upgrades.

Execute the following command only after completing all installations:

# sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
# apt update

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Next steps

The Wazuh indexer is now successfully installed, and you can proceed with installing the Wazuh server. To perform this action, see the Installing the Wazuh server using the assisted installation method section.

Installing the Wazuh indexer step by step

Install and configure the Wazuh indexer as a single-node or multi-node cluster following step-by-step instructions. Wazuh indexer is a highly scalable full-text search engine and offers advanced security, alerting, index management, deep performance analysis, and several other features.

The installation process is divided into three stages:

Certificate creation
Wazuh indexer nodes installation
Cluster initialization

Note

You need root user privileges to run all the commands described below.

Certificate creation

Wazuh uses certificates to establish confidentiality and encrypt communications between its central components. Follow these steps to create certificates for the Wazuh central components.

Generating the SSL certificates

Download the wazuh-certs-tool.sh script and the config.yml configuration file. This creates the certificates that encrypt communications between the Wazuh central components.
```
# curl -sO https://packages.wazuh.com/5.0/wazuh-certs-tool.sh
# curl -sO https://packages.wazuh.com/5.0/config.yml
```

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "<indexer-node-ip>"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "<wazuh-manager-ip>"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "<dashboard-node-ip>"

To learn more about how to create and configure the certificates, see the Certificates deployment section.

Run ./wazuh-certs-tool.sh to create the certificates. For a multi-node cluster, these certificates need to be later deployed to all Wazuh instances in your cluster.
```
# bash ./wazuh-certs-tool.sh -A
```

Compress all the necessary files.

# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
# rm -rf ./wazuh-certificates

Copy the wazuh-certificates.tar file to all the nodes, including the Wazuh indexer, Wazuh server, and Wazuh dashboard nodes. This can be done by using the scp utility.

Wazuh indexer nodes installation

Follow these steps to install and configure a single-node or multi-node Wazuh indexer.

Installing package dependencies

Run the following command to install the following packages if missing:

# apt-get install debconf adduser procps

# yum install coreutils

# dnf install coreutils

Adding the Wazuh repository

Install the following packages if missing.

# apt-get install gnupg apt-transport-https

Install the GPG key.

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository.

# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/5.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the packages information.
# apt-get update

Import the GPG key.

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository.

For RHEL-compatible systems version 8 and earlier, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo

For RHEL-compatible systems version 9 and later, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo

Import the GPG key.

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository.

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo

Installing the Wazuh indexer

Install the Wazuh indexer package.

# apt-get -y install wazuh-indexer

# yum -y install wazuh-indexer

# dnf -y install wazuh-indexer

Configuring the Wazuh indexer

Edit /etc/wazuh-indexer/opensearch.yml and replace the following values:
1. network.host: Sets the address of this node for both HTTP and transport traffic. The node will bind to this address and use it as its publish address. Accepts an IP address or a hostname.
  
  Use the same node address set in config.yml to create the SSL certificates.
2. node.name: Name of the Wazuh indexer node as defined in the config.yml file. For example, node-1.
3. cluster.initial_master_nodes: List of the names of the master-eligible nodes. These names are defined in the config.yml file. Uncomment the node-2 and node-3 lines, change the names, or add more lines, according to your config.yml definitions.
```
cluster.initial_master_nodes:
- "node-1"
- "node-2"
- "node-3"
```
4. discovery.seed_hosts: List of the addresses of the master-eligible nodes. Each element can be either an IP address or a hostname. You may leave this setting commented if you are configuring the Wazuh indexer as a single node. For multi-node configurations, uncomment this setting and set the IP addresses of each master-eligible node.
  discovery.seed_hosts: - "10.0.0.1" - "10.0.0.2" - "10.0.0.3"
5. plugins.security.nodes_dn: List of the Distinguished Names of the certificates of all the Wazuh indexer cluster nodes. Uncomment the lines for node-2 and node-3 and change the common names (CN) and values according to your settings and your config.yml definitions.
```
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
```

Note

Firewalls can block communication between Wazuh components on different hosts. Refer to the Required ports section and ensure the necessary ports are open.

Deploying certificates

Note

Make sure that a copy of wazuh-certificates.tar, created in the previous stage of the installation process, is placed in your working directory.

Run the following commands, replacing <INDEXER_NODE_NAME> with the name of the Wazuh indexer node you are configuring as defined in config.yml. For example, node-1. This deploys the SSL certificates to encrypt communications between the Wazuh central components.

# NODE_NAME=<INDEXER_NODE_NAME>

# mkdir /etc/wazuh-indexer/certs
# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
# chmod 500 /etc/wazuh-indexer/certs
# chmod 400 /etc/wazuh-indexer/certs/*
# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Recommended action: If no other Wazuh components will be installed on this node, run the following command to remove the wazuh-certificates.tar file.
```
# rm -f ./wazuh-certificates.tar
```

Note

Starting the service

Enable and start the Wazuh indexer service.
# systemctl daemon-reload
# systemctl enable wazuh-indexer
# systemctl start wazuh-indexer
Choose one option according to the operating system used.

RPM-based operating system:
# chkconfig --add wazuh-indexer
# service wazuh-indexer start
Debian-based operating system:
# update-rc.d wazuh-indexer defaults 95 10
# service wazuh-indexer start

Repeat this stage of the installation process for every Wazuh indexer node in your multi-node cluster. Then proceed with initializing your single-node or multi-node cluster in the next stage.

Disable Wazuh updates

We recommend disabling the Wazuh package repositories after installing all components on this server to prevent accidental upgrades.

Execute the following command only after completing all installations:

# sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
# apt update

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Cluster initialization

The final stage of installing the Wazuh indexer single-node or multi-node cluster consists of running the security admin script.

Run the Wazuh indexer indexer-security-init.sh script on any Wazuh indexer node to load the new certificates information and start the single-node or multi-node cluster.
```
# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
```
Note

You only have to initialize the cluster once, there is no need to run this command on every node.

Testing the cluster installation

Run the following commands to confirm that the installation is successful. Replace <WAZUH_INDEXER_IP_ADDRESS> with the IP address of the Wazuh indexer and enter admin as the password when prompted:

# curl -k -u admin https://<WAZUH_INDEXER_IP_ADDRESS>:9200

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "095jEW-oRJSFKLz5wmo5PA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Run the following command to check if the cluster is working correctly. Replace <WAZUH_INDEXER_IP_ADDRESS> with the IP address of the Wazuh indexer and enter admin as the password when prompted:

# curl -k -u admin https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v

The command produces output similar to the following:

ip              heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                               cluster_manager name
192.168.107.240           19          94   4    0.22    0.21     0.20 dimr      data,ingest,master,remote_cluster_client *               node-1

Next steps

The Wazuh indexer is now successfully installed on your single-node or multi-node cluster, and you can proceed with installing the Wazuh server. To perform this action, see the Installing the Wazuh server step by step section.

To uninstall the Wazuh indexer, see Uninstalling the Wazuh indexer.

Wazuh server

The Wazuh server analyzes the data received from the Wazuh agents, triggering alerts when threats or anomalies are detected. It is also used to remotely manage the configurations of Wazuh agents and monitor their status. If you want to learn more about the Wazuh components, check the Getting started section.

You can install the Wazuh server on a single host or distribute it across multiple nodes in a cluster configuration. Multi-node configurations provide high availability and improved performance. When combined with a network load balancer, you can achieve efficient use of its capacity.

Check the requirements below and choose an installation method to start installing the Wazuh server.

Assisted installation: Install this component by running an assistant that automates the installation and configuration process.
Step-by-step installation: Install this component following detailed step-by-step instructions.

Install the Wazuh indexer

Install the Wazuh server

Install the Wazuh dashboard

Requirements

Check the supported operating systems and the recommended hardware requirements for the Wazuh server installation. Make sure that your system environment meets all requirements and that you have root user privileges.

Recommended operating systems

The Wazuh server requires a 64-bit Intel, AMD, or ARM Linux processor (x86_64/AMD64 or AARCH64/ARM64 architecture). Wazuh supports the following operating system versions:

Amazon Linux 2, Amazon Linux 2023
CentOS Stream 10
Red Hat Enterprise Linux 7, 8, 9, 10
Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04

Hardware requirements

You can install the Wazuh server as a single-node or multi-node cluster.

Hardware recommendations

Minimum

Recommended

Component

RAM (GB)

CPU (cores)

RAM (GB)

CPU (cores)

Wazuh server

2

2

4

8
Disk space requirements

The amount of data depends on the generated alerts per second (APS). This table details the estimated disk space needed per agent to store 90 days of alerts on a Wazuh server, depending on the type of monitored endpoints.

Monitored endpoints

APS

Storage in Wazuh Server

(GB/90 days)

Servers

0.25

0.1

Workstations

0.1

0.04

Network devices

0.5

0.2

For example, for an environment with 80 workstations, 10 servers, and 10 network devices, the storage needed on the Wazuh server for 90 days of alerts is 6 GB.

	Minimum	Recommended
Wazuh server	2	2	4	8

Monitored endpoints	APS	Storage in Wazuh Server (GB/90 days)
Servers	0.25	0.1
Workstations	0.1	0.04
Network devices	0.5	0.2

Scaling

To determine if a Wazuh server requires more resources, monitor these files:

/var/ossec/var/run/wazuh-analysisd.state: the variable events_dropped indicates whether events are being dropped due to lack of resources.
/var/ossec/var/run/wazuh-remoted.state: the variable discarded_count indicates if messages from the agents were discarded.

These two variables should be zero if the environment is working properly. If it is not the case, you can add additional nodes to the cluster.

Installing the Wazuh server using the assisted installation method

Install the Wazuh server as a single-node or multi-node cluster on a 64-bit (x86_64/AMD64 or AARCH64/ARM64) architecture using the assisted installation method. The Wazuh server analyzes the data received from the Wazuh agents, triggering alerts when it detects threats and anomalies. This central component includes the Wazuh manager and Filebeat.

Wazuh server cluster installation

Download the Wazuh installation assistant. Skip this step if you installed Wazuh indexer on the same server and the Wazuh installation assistant is already in your working directory:
```
# curl -sO https://packages.wazuh.com/5.0/wazuh-install.sh
```
Run the Wazuh installation assistant with the option --wazuh-server followed by the node name to install the Wazuh server. The node name must be the same one used in config.yml for the initial configuration, for example, wazuh-1:

Note

Make sure that a copy of wazuh-install-files.tar, created during the initial configuration step, is placed in your working directory.
```
# bash wazuh-install.sh --wazuh-server wazuh-1
```

Your Wazuh server is now successfully installed.

If you want a Wazuh server single-node cluster, everything is set and you can proceed directly with Installing the Wazuh dashboard using the assisted installation method.
If you want a Wazuh server multi-node cluster, repeat this process on every Wazuh server node.

Disable Wazuh updates

We recommend disabling the Wazuh package repositories after installing all components on this server to prevent accidental upgrades.

Execute the following command only after completing all installations:

# sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
# apt update

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Next steps

The Wazuh server installation is now complete, and you can proceed with installing the Wazuh dashboard. To perform this action, see the Installing the Wazuh dashboard using the assisted installation method section.

Installing the Wazuh server step by step

Install and configure the Wazuh server as a single-node or multi-node cluster following step-by-step instructions. The Wazuh server is a central component that includes the Wazuh manager and Filebeat. The Wazuh manager collects and analyzes data from the deployed Wazuh agents. It triggers alerts when threats or anomalies are detected. Filebeat securely forwards alerts and archived events to the Wazuh indexer.

The installation process is divided into two stages.

Wazuh server node installation
Cluster configuration for multi-node deployment

Note

You need root user privileges to run all the commands described below.

Wazuh server node installation

Follow these steps to install a single-node or multi-node cluster Wazuh server.

Adding the Wazuh repository

Note

If you are installing the Wazuh server on the same host as the Wazuh indexer, you may skip these steps only if the Wazuh repository is already configured and enabled.

Install the following packages if missing.

# apt-get install gnupg apt-transport-https

Install the GPG key.

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository.

# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/5.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the packages information.
# apt-get update

Import the GPG key.

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository.

For RHEL-compatible systems version 8 and earlier, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo

For RHEL-compatible systems version 9 and later, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo

Import the GPG key.

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository.

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo

Installing the Wazuh manager

Install the Wazuh manager package.

# apt-get -y install wazuh-manager

# yum -y install wazuh-manager

# dnf -y install wazuh-manager

Note

Firewalls can block communication between Wazuh components on different hosts. Refer to the Required ports section and ensure the necessary ports are open.

Installing Filebeat

Install the Filebeat package.

# apt-get -y install filebeat

# yum -y install filebeat

# dnf -y install filebeat

Configuring Filebeat

Download the preconfigured Filebeat configuration file.

# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/5.0/tpl/wazuh/filebeat/filebeat.yml

Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value:
1. hosts: The list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost hosts: ["127.0.0.1:9200"]. Replace your Wazuh indexer IP address accordingly.
  
  If you have more than one Wazuh indexer node, you can separate the addresses using commas. For example, hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]
```
# Wazuh - Filebeat configuration file
output.elasticsearch:
hosts: ["10.0.0.1:9200"]
protocol: https
username: ${username}
password: ${password}
```
Create a Filebeat keystore to securely store authentication credentials.
```
# filebeat keystore create
```

Add the default username and password admin:admin to the secrets keystore.

# echo admin | filebeat keystore add username --stdin --force
# echo admin | filebeat keystore add password --stdin --force

Download the alerts template for the Wazuh indexer.

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v5.0.0/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json

Install the Wazuh module for Filebeat.

# curl -s https://packages.wazuh.com/5.x/filebeat/wazuh-filebeat-0.5.tar.gz | tar -xvz -C /usr/share/filebeat/module

Deploying certificates

Note

Make sure that a copy of the wazuh-certificates.tar file, created during the initial configuration step, is placed in your working directory.

Replace <SERVER_NODE_NAME> with your Wazuh server node certificate name, the same one used in config.yml when creating the certificates. Then, move the certificates to their corresponding location.

# NODE_NAME=<SERVER_NODE_NAME>

# mkdir /etc/filebeat/certs
# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
# chmod 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/*
# chown -R root:root /etc/filebeat/certs

Configuring the Wazuh indexer connection

Note

You can skip this step if you are not going to use the vulnerability detection capability.

Save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool. Replace <WAZUH_INDEXER_USERNAME> and <WAZUH_INDEXER_PASSWORD> with the Wazuh indexer username and password:
```
# echo '<INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
# echo '<INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
```
Note

The default step-by-step installation credentials are admin:admin
Edit /var/ossec/etc/ossec.conf to configure the indexer connection.

By default, the indexer settings have one host configured. It's set to 0.0.0.0 as highlighted below.
```
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
```
- Replace 0.0.0.0 with your Wazuh indexer node IP address or hostname. You can find this value in the Filebeat config file /etc/filebeat/filebeat.yml.
- Ensure the Filebeat certificate and key name match the certificate files in /etc/filebeat/certs.
If you are running a Wazuh indexer cluster infrastructure, add a <host> entry for each one of your nodes. For example, in a two-node configuration:
```
<hosts>
  <host>https://10.0.0.1:9200</host>
  <host>https://10.0.0.2:9200</host>
</hosts>
```
The Wazuh server prioritizes reporting to the first Wazuh indexer node in the list. It switches to the next node in case it is not available.

Starting the Wazuh manager

Enable and start the Wazuh manager service.

# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager

Choose one option according to your operating system:

RPM-based operating system:

# chkconfig --add wazuh-manager
# service wazuh-manager start

Debian-based operating system:

# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start

Run the following command to verify the Wazuh manager status.
# systemctl status wazuh-manager
# service wazuh-manager status

Starting the Filebeat service

Enable and start the Filebeat service.

# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat

Choose one option according to the operating system used.

RPM-based operating system:

# chkconfig --add filebeat
# service filebeat start

Debian-based operating system:

# update-rc.d filebeat defaults 95 10
# service filebeat start

Run the following command to verify that Filebeat is successfully installed.

# filebeat test output

Expand the output to see an example response.

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Your Wazuh server node is now successfully installed. Repeat this stage of the installation process for every Wazuh server node in your Wazuh cluster, then proceed with configuring the Wazuh cluster. If you want a Wazuh server single-node cluster, everything is set and you can proceed directly with Installing the Wazuh dashboard step by step.

Disable Wazuh updates

We recommend disabling the Wazuh package repositories after installing all components on this server to prevent accidental upgrades.

Execute the following command only after completing all installations:

# sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
# apt update

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Cluster configuration for multi-node deployment

After completing the installation of the Wazuh server on every node, you need to configure one server node only as the master and the rest as workers.

Configuring the Wazuh server master node

Edit the following settings in the /var/ossec/etc/ossec.conf file and configure the necessary parameters:

<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node><WAZUH_MASTER_ADDRESS></node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>

Parameters to be configured:

name	It indicates the name of the cluster.
node_name	It indicates the name of the current node.
node_type	It specifies the role of the node. It has to be set to `master`.
key	Key that is used to encrypt communication between cluster nodes. The key must be 32 characters long and the same for all of the nodes in the cluster. The following command can be used to generate a random key: `openssl rand -hex 16`.
port	It indicates the destination port for cluster communication.
bind_addr	It is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 for any IP).
nodes	It is the address of the `master node` and can be either an IP or a DNS. This parameter must be specified in all nodes, including the master itself.
hidden	It shows or hides the cluster information in the generated alerts.
disabled	It indicates whether the node is enabled or disabled in the cluster. This option must be set to `no`.

Restart the Wazuh manager.

# systemctl restart wazuh-manager

# service wazuh-manager restart

Configuring the Wazuh server worker nodes

Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file and configure the necessary parameters:

<cluster>
    <name>wazuh</name>
    <node_name>worker-node</node_name>
    <node_type>worker</node_type>
    <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node><WAZUH_MASTER_ADDRESS></node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
</cluster>

Parameters to be configured:

name	It indicates the name of the cluster.
node_name	It indicates the name of the current node. Each node of the cluster must have a unique name.
node_type	It specifies the role of the node. It has to be set as `worker`.
key	The key created previously for the `master` node. It has to be the same for all the nodes.
nodes	It has to contain the address of the `master node` and can be either an IP or a DNS.
disabled	It indicates whether the node is enabled or disabled in the cluster. It has to be set to `no`.

Restart the Wazuh manager.

# systemctl restart wazuh-manager

# service wazuh-manager restart

Repeat these configuration steps for every Wazuh server worker node in your cluster.

Testing Wazuh server cluster

Run the following command to verify that the Wazuh cluster is enabled and all the nodes are connected:

# /var/ossec/bin/cluster_control -l

An example output of the command looks as follows:

NAME         TYPE    VERSION  ADDRESS
master-node  master  4.12.0   10.0.0.3
worker-node1 worker  4.12.0   10.0.0.4
worker-node2 worker  4.12.0   10.0.0.5

Note that 10.0.0.3, 10.0.0.4, 10.0.0.5 are example IPs.

Next steps

The Wazuh server installation is now complete, and you can proceed with Installing the Wazuh dashboard step by step.

If you want to uninstall the Wazuh server, see Uninstalling the Wazuh server.

Wazuh dashboard

This Wazuh central component is a flexible and intuitive web interface for mining, analyzing, and visualizing security data. It provides out-of-the-box dashboards, allowing you to seamlessly navigate through the user interface.

With the Wazuh dashboard, you can visualize security events, detected vulnerabilities, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and regulatory compliance standards. If you want to learn more about the Wazuh components, see the Getting started section.

Check the requirements below and choose an installation method to start installing the Wazuh dashboard.

Assisted installation: Install this component by running an assistant that automates the installation and configuration process.
Step-by-step installation: Install this component following detailed step-by-step instructions.

Install the Wazuh indexer

Install the Wazuh server

Install the Wazuh dashboard

Requirements

Check the supported operating systems and the recommended hardware requirements for the Wazuh dashboard installation. Make sure that your system environment meets all requirements and that you have root user privileges.

Recommended operating systems

The Wazuh dashboard requires a 64-bit Intel, AMD, or ARM Linux processor (x86_64/AMD64 or AARCH64/ARM64 architecture). Wazuh supports the following operating system versions:

Amazon Linux 2, Amazon Linux 2023
CentOS Stream 10
Red Hat Enterprise Linux 7, 8, 9, 10
Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04

Hardware requirements

The Wazuh dashboard can be installed on a dedicated node or along with the Wazuh indexer.

Hardware recommendations

Minimum

Recommended

Component

RAM (GB)

CPU (cores)

RAM (GB)

CPU (cores)

Wazuh dashboard

4

2

8

4

	Minimum	Recommended
Wazuh dashboard	4	2	8	4

Installing the Wazuh dashboard using the assisted installation method

Install and configure the Wazuh dashboard on a 64-bit (x86_64/AMD64 or AARCH64/ARM64) architecture using the assisted installation method. Wazuh dashboard is a flexible and intuitive web interface for mining and visualizing security events and archives.

Wazuh dashboard installation

Download the Wazuh installation assistant. You can skip this step if you have already installed Wazuh indexer on the same server.
```
# curl -sO https://packages.wazuh.com/5.0/wazuh-install.sh
```
Run the Wazuh installation assistant with the option --wazuh-dashboard and the node name to install and configure the Wazuh dashboard. The node name must be the same one used in config.yml for the initial configuration, for example, dashboard:

Note

Make sure that a copy of wazuh-install-files.tar created during the Wazuh indexer installation is placed in your working directory.
```
# bash wazuh-install.sh --wazuh-dashboard dashboard
```
The default Wazuh web user interface port is 443, used by the Wazuh dashboard. You can change this port using the optional parameter -p <PORT_NUMBER> or --port <PORT_NUMBER>. Some recommended ports are 8443, 8444, 8080, 8888, and 9000.

Once the Wazuh installation is completed, the output shows the access credentials and a message that confirms that the installation was successful.
```
INFO: --- Summary ---
INFO: You can access the web interface https://<WAZUH_DASHBOARD_IP_ADDRESS>
   User: admin
   Password: <ADMIN_PASSWORD>

INFO: Installation finished.
```
You now have installed and configured Wazuh. Find all passwords that the Wazuh installation assistant generated in the wazuh-passwords.txt file inside the wazuh-install-files.tar archive. Run the following command to print them:
```
# tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
```
Access the Wazuh web interface with your admin user credentials. This is the default administrator account for the Wazuh indexer and it allows you to access the Wazuh dashboard.
- URL: https://<WAZUH_DASHBOARD_IP_ADDRESS>
- Username: admin
- Password: <ADMIN_PASSWORD>
When you access the Wazuh dashboard for the first time, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser. For increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser instead. Alternatively, you can configure a certificate from a trusted authority.

Disable Wazuh updates

We recommend disabling the Wazuh package repositories after installing all components on this server to prevent accidental upgrades.

Execute the following command only after completing all installations:

# sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
# apt update

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Next steps

All the Wazuh central components are successfully installed.

Install the Wazuh indexer

Install the Wazuh server

Install the Wazuh dashboard

The Wazuh environment is now ready, and you can proceed with installing the Wazuh agent on the endpoints to be monitored. To perform this action, see the Wazuh agent section.

Installing the Wazuh dashboard step by step

Install and configure the Wazuh dashboard following step-by-step instructions. The Wazuh dashboard is a web interface for mining and visualizing the Wazuh server alerts and archived events.

Note

You need root user privileges to run all the commands described below.

Wazuh dashboard installation

Follow these steps to install the Wazuh dashboard.

Installing package dependencies

Install the following packages if missing.

# apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later

# yum install libcap

# dnf install libcap

Adding the Wazuh repository

Note

If you are installing the Wazuh dashboard on the same host as the Wazuh indexer or the Wazuh server, you may skip these steps as you may have added the Wazuh repository already.

Install the following packages if missing.

# apt-get install gnupg apt-transport-https

Install the GPG key.

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository.

# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/5.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the packages information.
# apt-get update

Import the GPG key.

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository.

For RHEL-compatible systems version 8 and earlier, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo

For RHEL-compatible systems version 9 and later, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo

Import the GPG key.

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository.

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo

Installing the Wazuh dashboard

Install the Wazuh dashboard package.

# apt-get -y install wazuh-dashboard

# yum -y install wazuh-dashboard

# dnf -y install wazuh-dashboard

Configuring the Wazuh dashboard

Edit the /etc/wazuh-dashboard/opensearch_dashboards.yml file and replace the following values:
server.host: This setting specifies the host of the Wazuh dashboard server. To allow remote users to connect, set the value to the IP address or DNS name of the Wazuh dashboard server. The value 0.0.0.0 will accept all the available IP addresses of the host.
opensearch.hosts: The URLs of the Wazuh indexer instances to use for all your queries. The Wazuh dashboard can be configured to connect to multiple Wazuh indexer nodes in the same cluster. The addresses of the nodes can be separated by commas. For example, ["https://10.0.0.2:9200", "https://10.0.0.3:9200","https://10.0.0.4:9200"]
   server.host: 0.0.0.0
   server.port: 443
   opensearch.hosts: https://localhost:9200
   opensearch.ssl.verificationMode: certificate

Note

Firewalls can block communication between Wazuh components on different hosts. Refer to the Required ports section and ensure the necessary ports are open.

Deploying certificates

Note

Make sure that a copy of the wazuh-certificates.tar file, created during the initial configuration step, is placed in your working directory.
Replace <DASHBOARD_NODE_NAME> with your Wazuh dashboard node name, the same one used in config.yml to create the certificates, and move the certificates to their corresponding location.
# NODE_NAME=<DASHBOARD_NODE_NAME>
# mkdir /etc/wazuh-dashboard/certs
# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
# chmod 500 /etc/wazuh-dashboard/certs
# chmod 400 /etc/wazuh-dashboard/certs/*
# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Starting the Wazuh dashboard service

Enable and start the Wazuh dashboard service.

# systemctl daemon-reload
# systemctl enable wazuh-dashboard
# systemctl start wazuh-dashboard

Choose one option according to your operating system:

RPM-based operating system:

# chkconfig --add wazuh-dashboard
# service wazuh-dashboard start

Debian-based operating system:

# update-rc.d wazuh-dashboard defaults 95 10
# service wazuh-dashboard start

Edit the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file and replace <WAZUH_SERVER_IP_ADDRESS> with the IP address or hostname of the Wazuh server master node.

hosts:
   - default:
      url: https://<WAZUH_SERVER_IP_ADDRESS>
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false

Access the Wazuh web interface with your admin user credentials. This is the default administrator account for the Wazuh indexer and it allows you to access the Wazuh dashboard.
- URL: https://<WAZUH_DASHBOARD_IP_ADDRESS>
- Username: admin
- Password: admin
When you access the Wazuh dashboard for the first time, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser. For increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, you can configure a certificate from a trusted authority.

Disable Wazuh updates

We recommend disabling the Wazuh package repositories after installing all components on this server to prevent accidental upgrades.

Execute the following command only after completing all installations:

# sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
# apt update

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

Securing your Wazuh installation

You have now installed and configured all the Wazuh central components. We recommend changing the default credentials to protect your infrastructure from possible attacks.

Select your deployment type and follow the instructions to change the default passwords for both the Wazuh API and the Wazuh indexer users.

Use the Wazuh passwords tool to change all the internal users' passwords.

# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password wazuh

INFO: The password for user admin is yWOzmNA.?Aoc+rQfDBcF71KZp?1xd7IO
INFO: The password for user kibanaserver is nUa+66zY.eDF*2rRl5GKdgLxvgYQA+wo
INFO: The password for user kibanaro is 0jHq.4i*VAgclnqFiXvZ5gtQq1D5LCcL
INFO: The password for user logstash is hWW6U45rPoCT?oR.r.Baw2qaWz2iH8Ml
INFO: The password for user readall is PNt5K+FpKDMO2TlxJ6Opb2D0mYl*I7FQ
INFO: The password for user snapshotrestore is +GGz2noZZr2qVUK7xbtqjUup049tvLq.
WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
INFO: The password for Wazuh API user wazuh is JYWz5Zdb3Yq+uOzOPyUU4oat0n60VmWI
INFO: The password for Wazuh API user wazuh-wui is +fLddaCiZePxh24*?jC0nyNmgMGCKE+2
INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.

On any Wazuh indexer node, use the Wazuh passwords tool to change the passwords of the Wazuh indexer users.

# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all

INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
INFO: The password for user admin is wcAny.XUwOVWHFy.+7tW9l8gUW1L8N3j
INFO: The password for user kibanaserver is qy6fBrNOI4fD9yR9.Oj03?pihN6Ejfpp
INFO: The password for user kibanaro is Nj*sSXSxwntrx3O7m8ehrgdHkxCc0dna
INFO: The password for user logstash is nQg1Qw0nIQFZXUJc8r8+zHVrkelch33h
INFO: The password for user readall is s0iWAei?RXObSDdibBfzSgXdhZCD9kH4
INFO: The password for user snapshotrestore is Mb2EHw8SIc1d.oz.nM?dHiPBGk7s?UZB
WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.

On your Wazuh server master node, download the Wazuh passwords tool and use it to change the passwords of the Wazuh API users.

# curl -sO https://packages.wazuh.com/5.0/wazuh-passwords-tool.sh
# bash wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password wazuh

INFO: The password for Wazuh API user wazuh is ivLOfmj7.jL6*7Ev?UJoFjrkGy9t6Je.
INFO: The password for Wazuh API user wazuh-wui is fL+f?sFRPEv5pYRE559rqy9b6G4Z5pVi

On all your Wazuh server nodes, run the following command to update the admin password in the Filebeat keystore. Replace <ADMIN_PASSWORD> with the random password generated for the admin user in the first step:
```
# echo <ADMIN_PASSWORD> | filebeat keystore add password --stdin --force
```

Restart Filebeat to apply the change.

# systemctl restart filebeat

# service filebeat restart

On all your Wazuh server nodes, run the following command to update the admin password in the Wazuh Manager keystore. Replace <ADMIN_PASSWORD> with the random password generated for the admin user in the first step:
```
# echo '<ADMIN_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
```
Restart the Wazuh manager to apply the change:
# systemctl restart wazuh-manager
# service wazuh-manager restart
Note

Repeat steps 3–6 on every Wazuh server node.
On your Wazuh dashboard node, run the following command to update the kibanaserver password in the Wazuh dashboard keystore. Replace <KIBANASERVER_PASSWORD> with the random password generated for the kibanaserver user in the first step:
```
# echo <KIBANASERVER_PASSWORD> | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
```

Replace <WAZUH_WUI_PASSWORD> in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file with the new wazuh-wui password generated in the second step.

hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false

Restart the Wazuh dashboard to apply the changes.

# systemctl restart wazuh-dashboard

# service wazuh-dashboard restart

Next steps

All the Wazuh central components are successfully installed and secured.

Install the Wazuh indexer

Install the Wazuh server

Install the Wazuh dashboard

The Wazuh environment is now ready, and you can proceed with installing the Wazuh agent on the endpoints to be monitored. To perform this action, see the Wazuh agent section.

If you want to uninstall the Wazuh dashboard, see Uninstalling the Wazuh dashboard.

Wazuh agent

The Wazuh agent is multi-platform and runs on the endpoints that you want to monitor. It communicates with the Wazuh server, sending data in near real-time through an encrypted and authenticated channel.

The Wazuh agent was developed considering the need to monitor a wide variety of different endpoints without impacting their performance. It is supported on the most popular operating systems, and it requires 35 MB of RAM on average.

The Wazuh agent provides key features to enhance your system’s security.

Log collector	Command execution
File integrity monitoring (FIM)	Security configuration assessment (SCA)
System inventory	Malware detection
Active Response	Container security
Cloud security

To install a Wazuh agent, select your operating system and follow the instructions.

Linux

Windows

macOS

If you are deploying Wazuh in a large environment, with a high number of servers or endpoints, keep in mind that this deployment might be easier using automation tools such as Puppet, Chef, SCCM, or Ansible.

Note

Compatibility between the Wazuh agent and the Wazuh manager is guaranteed when the Wazuh manager version is later than or equal to that of the Wazuh agent.

You can also deploy a new agent following the instructions in the Wazuh dashboard. Go to Agents management > Summary, and click on Deploy new agent.

Then follow the steps on the Wazuh dashboard to deploy a new agent.

Deploying Wazuh agents on Linux endpoints

The Wazuh agent runs on the endpoint you want to monitor and communicates with the Wazuh manager, sending data in near real-time through an encrypted and authenticated channel.

The deployment of a Wazuh agent on a Linux endpoint uses deployment variables that facilitate the task of installing, enrolling, and configuring the Wazuh agent. Alternatively, if you want to download the Wazuh agent package directly, see the packages list section.

Note

You need root user privileges to run all the commands described below.

Add the Wazuh repository

Add the Wazuh repository to download the official packages.

Install the following packages if missing:

# apt-get install gnupg apt-transport-https

Install the GPG key:

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository:

# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/5.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the package information:
# apt-get update

Note

For Debian 7, 8, and Ubuntu 14 systems use the following commands.

# apt-get install gnupg apt-transport-https
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
# echo "deb https://packages.wazuh.com/5.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
# apt-get update

Import the GPG key:

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository:

For RHEL-compatible systems version 8 and earlier, use the following command:

# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/5.x/yum/
protect=1
EOF

For RHEL-compatible systems version 9 and later, use the following command:

# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/5.x/yum/
priority=1
EOF

Import the GPG key:

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository:

# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/5.x/yum/
priority=1
EOF

Import the GPG key:

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository:

# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/5.x/yum/
protect=1
EOF

Refresh the repository:
# zypper refresh

Deploy a Wazuh agent

Follow these steps to deploy the Wazuh agent on your Linux endpoint.

Select your package manager and run the command below. Replace the WAZUH_MANAGER value with your Wazuh manager IP address or hostname:
# WAZUH_MANAGER="10.0.0.2" apt-get install wazuh-agent
# WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent
# WAZUH_MANAGER="10.0.0.2" dnf install wazuh-agent
# WAZUH_MANAGER="10.0.0.2" zypper install wazuh-agent
For additional deployment options such as agent name, agent group, and enrollment password, see the Deployment variables for Linux section.

Note

Alternatively, if you want to install an agent without registering it, omit the deployment variables. To learn more about the different registration methods, see the Wazuh agent enrollment section.

Enable and start the Wazuh agent service.

# systemctl daemon-reload
# systemctl enable wazuh-agent
# systemctl start wazuh-agent

Choose one option according to your operating system.

RPM-based operating systems:

# chkconfig --add wazuh-agent
# service wazuh-agent start

Debian-based operating systems:

# update-rc.d wazuh-agent defaults 95 10
# service wazuh-agent start

On some systems, you need to start the agent manually:

# /var/ossec/bin/wazuh-control start

The deployment process is now complete, and the Wazuh agent is successfully running on your Linux system.

Disable Wazuh updates

Compatibility between the Wazuh agent and the Wazuh manager is guaranteed when the Wazuh manager version is later than or equal to that of the Wazuh agent. Therefore, we recommend disabling the Wazuh repository to prevent accidental upgrades. To do so, use the following command:

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update

Alternatively, you can set the package state to hold. This action stops updates but you can still upgrade it manually using apt-get install.

# echo "wazuh-agent hold" | dpkg --set-selections

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo

Deploying Wazuh agents on Windows endpoints

The Wazuh agent runs on the endpoint you want to monitor and communicates with the Wazuh manager, sending data in near real-time through an encrypted and authenticated channel. You can deploy the Wazuh agent on Windows systems ranging from Windows 7 to the latest versions, including Windows 11 and Windows Server 2022.

Note

You must have administrator privileges to perform the installation.

Download the Windows installer to start the installation process.
Select the installation method you want to follow: command line interface (CLI) or graphical user interface (GUI).
1. Choose one of the command shell alternatives to deploy the Wazuh agent on your endpoint. Run the command below and replace the WAZUH_MANAGER value with your Wazuh manager IP address or hostname. Ensure the downloaded Wazuh agent installation file is in your working directory.
  - Using CMD:
    
    > wazuh-agent-5.0.0-1.msi /q WAZUH_MANAGER="10.0.0.2"
  - Using PowerShell:
    
    > .\wazuh-agent-5.0.0-1.msi /q WAZUH_MANAGER="10.0.0.2"
  For additional deployment options such as agent name, agent group, and registration password, see the Deployment variables for Windows section.
2. Start the Wazuh agent from the GUI or by running:
  - Using CMD:
    
    > NET START WazuhSvc
  - Using PowerShell:
    
    > Start-Service wazuhsvc
  The installation process is now complete and the Wazuh agent is successfully installed and configured.
  
  Note
  
  Alternatively, if you want to install an agent without enrolling it, omit the deployment variables. To learn more about the different enrollment methods, see the Wazuh agent enrollment section.
1. Run the Windows installer and follow the steps in the installation wizard to deploy the Wazuh agent on your endpoint. If you are not sure how to answer some of the prompts, use the default answers. Once installed, the Wazuh agent uses a GUI for configuration, opening the log file, and starting or stopping the service.
The installation process is now complete, and the Wazuh agent is successfully installed on your Windows endpoint. The next step is to register and configure the agent to communicate with the Wazuh server. To perform this action, see the Wazuh agent enrollment section.

By default, all agent files are stored in C:\Program Files (x86)\ossec-agent after the installation.

Deploying Wazuh agents on macOS endpoints

The Wazuh agent runs on the endpoint you want to monitor and communicates with the Wazuh manager, sending data in near real-time through an encrypted and authenticated channel.

Note

You need root user privileges to run all the commands described below.

To start the installation process, download the Wazuh agent according to your architecture:
- Intel: wazuh-agent-5.0.0-1.intel64.pkg. Suitable for macOS Sierra and later.
- Apple silicon: wazuh-agent-5.0.0-1.arm64.pkg. Suitable for macOS Big Sur and later.
Select the installation method you want to follow: Command line interface (CLI) or graphical user interface (GUI).
1. To deploy the Wazuh agent on your endpoint, choose your architecture, edit the WAZUH_MANAGER variable to contain your Wazuh manager IP address or hostname, and run the following command.
  # echo "WAZUH_MANAGER='10.0.0.2'" > /tmp/wazuh_envs && sudo installer -pkg wazuh-agent-5.0.0-1.intel64.pkg -target /
  For additional deployment options such as agent name, agent group, and enrollment password, see the Deployment variables for macOS section.
  
  Note
  
  Alternatively, if you want to install an agent without enrolling it, omit the deployment variables. To learn more about the different enrollment methods, see the Wazuh agent enrollment section.
2. Start the Wazuh agent to complete the installation process:
  # launchctl bootstrap system /Library/LaunchDaemons/com.wazuh.agent.plist
The installation process is now complete, and the Wazuh agent is successfully deployed and running on your macOS endpoint.
1. To install the Wazuh agent on your system, run the downloaded file and follow the steps in the installation wizard. If you are not sure how to answer some of the prompts, use the default answers.
2. Start the Wazuh agent to complete the installation process:
  # launchctl bootstrap system /Library/LaunchDaemons/com.wazuh.agent.plist
The installation process is now complete, and the Wazuh agent is successfully installed on your macOS endpoint. The next step is to register and configure the agent to communicate with the Wazuh server. To perform this action, see the Wazuh agent enrollment section.

By default, all agent files are stored in /Library/Ossec/ after the installation.

Packages list

This download page contains packages required for the Wazuh installation.

Wazuh indexer

Package type	Architecture	Package
RPM	x86_64	wazuh-indexer-5.0.0-1.x86_64.rpm (sha512)
RPM	aarch64	wazuh-indexer-5.0.0-1.aarch64.rpm (sha512)
DEB	amd64	wazuh-indexer_5.0.0-1_amd64.deb (sha512)
DEB	arm64	wazuh-indexer_5.0.0-1_arm64.deb (sha512)

Wazuh server

Wazuh manager

Distribution	Version	Architecture	Package
Amazon Linux	1 and later	x86_64	wazuh-manager-5.0.0-1.x86_64.rpm (sha512)
Amazon Linux	1 and later	aarch64	wazuh-manager-5.0.0-1.aarch64.rpm (sha512)
CentOS	7 and later	x86_64	wazuh-manager-5.0.0-1.x86_64.rpm (sha512)
CentOS	7 and later	aarch64	wazuh-manager-5.0.0-1.aarch64.rpm (sha512)
Debian	8 and later	x86_64	wazuh-manager_5.0.0-1_amd64.deb (sha512)
Debian	8 and later	aarch64	wazuh-manager_5.0.0-1_arm64.deb (sha512)
Fedora	22 and later	x86_64	wazuh-manager-5.0.0-1.x86_64.rpm (sha512)
Fedora	22 and later	aarch64	wazuh-manager-5.0.0-1.aarch64.rpm (sha512)
OpenSUSE	42 and later	x86_64	wazuh-manager-5.0.0-1.x86_64.rpm (sha512)
OpenSUSE	42 and later	aarch64	wazuh-manager-5.0.0-1.aarch64.rpm (sha512)
Oracle Linux	7 and later	x86_64	wazuh-manager-5.0.0-1.x86_64.rpm (sha512)
Oracle Linux	7 and later	aarch64	wazuh-manager-5.0.0-1.aarch64.rpm (sha512)
Red Hat Enterprise Linux	7 and later	x86_64	wazuh-manager-5.0.0-1.x86_64.rpm (sha512)
Red Hat Enterprise Linux	7 and later	aarch64	wazuh-manager-5.0.0-1.aarch64.rpm (sha512)
SUSE	12	x86_64	wazuh-manager-5.0.0-1.x86_64.rpm (sha512)
SUSE	12	aarch64	wazuh-manager-5.0.0-1.aarch64.rpm (sha512)
Ubuntu	13 and later	x86_64	wazuh-manager_5.0.0-1_amd64.deb (sha512)
Ubuntu	13 and later	aarch64	wazuh-manager_5.0.0-1_arm64.deb (sha512)
Raspbian OS	Buster and later	aarch64	wazuh-manager_5.0.0-1_arm64.deb (sha512)

Filebeat

Package type	Architecture	Package
RPM	x86_64	filebeat-7.10.2-2.x86_64.rpm (sha512)
RPM	aarch64	filebeat-7.10.2-2.aarch64.rpm (sha512)
DEB	amd64	filebeat_7.10.2-2_amd64.deb (sha512)
DEB	arm64	filebeat_7.10.2-2_arm64.deb (sha512)

Wazuh dashboard

Package type	Architecture	Package
RPM	x86_64	wazuh-dashboard-5.0.0-1.x86_64.rpm (sha512)
RPM	aarch64	wazuh-dashboard-5.0.0-1.aarch64.rpm (sha512)
DEB	amd64	wazuh-dashboard_5.0.0-1_amd64.deb (sha512)
DEB	arm64	wazuh-dashboard_5.0.0-1_arm64.deb (sha512)

Wazuh agent

Linux

Distribution	Version	Architecture	Package
AlmaLinux	10 and later	x86_64	wazuh-agent-5.0.0-1.x86_64.rpm (sha512)
AlmaLinux	10 and later	aarch64	wazuh-agent-5.0.0-1.aarch64.rpm (sha512)
Amazon Linux	2	powerpc	wazuh-agent-5.0.0-1.ppc64le.rpm (sha512)
	1 and later	x86_64	wazuh-agent-5.0.0-1.x86_64.rpm (sha512)
	1 and later	aarch64	wazuh-agent-5.0.0-1.aarch64.rpm (sha512)
CentOS	7 and later	powerpc	wazuh-agent-5.0.0-1.ppc64le.rpm (sha512)
	6 and later	i386	wazuh-agent-5.0.0-1.i386.rpm (sha512)
		x86_64	wazuh-agent-5.0.0-1.x86_64.rpm (sha512)
		aarch64	wazuh-agent-5.0.0-1.aarch64.rpm (sha512)
		armhf	wazuh-agent-5.0.0-1.armv7hl.rpm (sha512)
Debian	9 and later	powerpc	wazuh-agent_5.0.0-1_ppc64el.deb (sha512)
	7 and later	i386	wazuh-agent_5.0.0-1_i386.deb (sha512)
		x86_64	wazuh-agent_5.0.0-1_amd64.deb (sha512)
		aarch64	wazuh-agent_5.0.0-1_arm64.deb (sha512)
		armhf	wazuh-agent_5.0.0-1_armhf.deb (sha512)
Fedora	22 and later	powerpc	wazuh-agent-5.0.0-1.ppc64le.rpm (sha512)
		i386	wazuh-agent-5.0.0-1.i386.rpm (sha512)
		x86_64	wazuh-agent-5.0.0-1.x86_64.rpm (sha512)
		aarch64	wazuh-agent-5.0.0-1.aarch64.rpm (sha512)
		armhf	wazuh-agent-5.0.0-1.armv7hl.rpm (sha512)
OpenSUSE	42 and later	i386	wazuh-agent-5.0.0-1.i386.rpm (sha512)
		x86_64	wazuh-agent-5.0.0-1.x86_64.rpm (sha512)
		aarch64	wazuh-agent-5.0.0-1.aarch64.rpm (sha512)
		armhf	wazuh-agent-5.0.0-1.armv7hl.rpm (sha512)
Oracle Linux	6 and later	i386	wazuh-agent-5.0.0-1.i386.rpm (sha512)
		x86_64	wazuh-agent-5.0.0-1.x86_64.rpm (sha512)
		aarch64	wazuh-agent-5.0.0-1.aarch64.rpm (sha512)
Red Hat Enterprise Linux	6 and later	i386	wazuh-agent-5.0.0-1.i386.rpm (sha512)
		x86_64	wazuh-agent-5.0.0-1.x86_64.rpm (sha512)
		aarch64	wazuh-agent-5.0.0-1.aarch64.rpm (sha512)
RockyLinux	10 and later	x86_64	wazuh-agent-5.0.0-1.x86_64.rpm (sha512)
RockyLinux	10 and later	aarch64	wazuh-agent-5.0.0-1.aarch64.rpm (sha512)
SUSE	12	i386	wazuh-agent-5.0.0-1.i386.rpm (sha512)
		x86_64	wazuh-agent-5.0.0-1.x86_64.rpm (sha512)
		aarch64	wazuh-agent-5.0.0-1.aarch64.rpm (sha512)
		armhf	wazuh-agent-5.0.0-1.armv7hl.rpm (sha512)
Ubuntu	12 and later	i386	wazuh-agent_5.0.0-1_i386.deb (sha512)
		x86_64	wazuh-agent_5.0.0-1_amd64.deb (sha512)
		aarch64	wazuh-agent_5.0.0-1_arm64.deb (sha512)
		armhf	wazuh-agent_5.0.0-1_armhf.deb (sha512)
Raspbian OS	Buster and later	aarch64	wazuh-agent_5.0.0-1_arm64.deb (sha512)
Raspbian OS	Buster and later	armhf	wazuh-agent_5.0.0-1_armhf.deb (sha512)

Windows

Version	Architecture	Package
Windows 7 or later	32/64bits	wazuh-agent-5.0.0-1.msi (sha512)

macOS

Architecture	Package
Intel	wazuh-agent-5.0.0-1.intel64.pkg (sha512)
Apple silicon	wazuh-agent-5.0.0-1.arm64.pkg (sha512)

Uninstalling Wazuh

This section describes how to uninstall the Wazuh central components and the Wazuh agent.

Note

You need root user privileges to run all the commands described below.

Uninstalling the Wazuh central components

Follow these steps to uninstall the Wazuh central components using the Wazuh installation assistant.

Download the Wazuh installation assistant:

# curl -sO https://packages.wazuh.com/5.0/wazuh-install.sh

Run the Wazuh installation assistant with the option -u or --uninstall as follows:
```
# bash wazuh-install.sh --uninstall
```

This will remove the Wazuh indexer, the Wazuh server, and the Wazuh dashboard.

Uninstalling Wazuh components

Choose from the options below to uninstall a Wazuh component.

Uninstalling the Wazuh dashboard

Follow the step below to uninstall the Wazuh dashboard using your package manager.

Remove the Wazuh dashboard installation.

# apt-get remove --purge wazuh-dashboard -y

# yum remove wazuh-dashboard -y
# rm -rf /var/lib/wazuh-dashboard/
# rm -rf /usr/share/wazuh-dashboard/
# rm -rf /etc/wazuh-dashboard/

# dnf remove wazuh-dashboard -y
# rm -rf /var/lib/wazuh-dashboard/
# rm -rf /usr/share/wazuh-dashboard/
# rm -rf /etc/wazuh-dashboard/

Uninstalling the Wazuh server

Follow these steps to uninstall the Wazuh manager and filebeat using your package manager.

Remove the Wazuh manager installation.

# apt-get remove --purge wazuh-manager -y

# yum remove wazuh-manager -y
# rm -rf /var/ossec/

# dnf remove wazuh-manager -y
# rm -rf /var/ossec/

Remove the Filebeat installation.

# apt-get remove --purge filebeat -y

# yum remove filebeat -y
# rm -rf /var/lib/filebeat/
# rm -rf /usr/share/filebeat/
# rm -rf /etc/filebeat/

# dnf remove filebeat -y
# rm -rf /var/lib/filebeat/
# rm -rf /usr/share/filebeat/
# rm -rf /etc/filebeat/

Uninstalling the Wazuh indexer

Follow the step below to uninstall the Wazuh indexer using your package manager.

Remove the Wazuh indexer installation.

# apt-get remove --purge wazuh-indexer -y

# yum remove wazuh-indexer -y
# rm -rf /var/lib/wazuh-indexer/
# rm -rf /usr/share/wazuh-indexer/
# rm -rf /etc/wazuh-indexer/

# dnf remove wazuh-indexer -y
# rm -rf /var/lib/wazuh-indexer/
# rm -rf /usr/share/wazuh-indexer/
# rm -rf /etc/wazuh-indexer/

Uninstalling the Wazuh agent

This section describes how to uninstall Wazuh agents installed across the different operating systems below:

Linux
Windows
macOS

Uninstalling a Linux Wazuh agent

Run the following commands to uninstall a Linux agent.

Note

To uninstall Wazuh agent from a Linux endpoint with the anti-tampering feature enabled, refer to Uninstalling an agent with anti-tampering enabled.

Remove the Wazuh agent installation.
# apt-get remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. Run the following command If you want to remove all files completely.
# apt-get remove --purge wazuh-agent
# yum remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. Delete the /var/ossec/ folder if you want to remove all files completely.
# dnf remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. Delete the /var/ossec/ folder if you want to remove all files completely.
# zypper remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. Delete the /var/ossec/ folder if you want to remove all files completely.
Disable the Wazuh agent service.
# systemctl disable wazuh-agent # systemctl daemon-reload
Choose one option according to your operating system.
1. RPM-based operating systems:
# chkconfig wazuh-agent off # chkconfig --del wazuh-agent
1. Debian-based operating systems:
# update-rc.d -f wazuh-agent remove
No action required.

The Wazuh agent is now completely removed from your Linux endpoint.

Uninstalling a Windows Wazuh agent

To uninstall the Wazuh agent, ensure the original Windows installer file is in your working directory and run the following command:

> msiexec.exe /x wazuh-agent-5.0.0-1.msi /qn

The Wazuh agent is now completely removed from your Windows endpoint.

Uninstalling a macOS Wazuh agent

Follow these steps to uninstall the Wazuh agent from your macOS endpoint.

Stop the Wazuh agent service.

# launchctl bootout system /Library/LaunchDaemons/com.wazuh.agent.plist

Remove the /Library/Ossec/ folder.
# /bin/rm -r /Library/Ossec

Remove launchdaemons and StartupItems.

# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
# /bin/rm -rf /Library/StartupItems/WAZUH

Remove the Wazuh user and group.

# /usr/bin/dscl . -delete "/Users/wazuh"
# /usr/bin/dscl . -delete "/Groups/wazuh"

Remove from pkgutil.

# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent

The Wazuh agent is now completely removed from your macOS endpoint.

Installation alternatives

You can install Wazuh using other deployment options. These are complementary to the installation methods you can find in the Installation guide and the Quickstart.

Installing the Wazuh central components

All the alternatives include instructions on how to install the Wazuh central components. After these are installed, you then need to deploy agents to your endpoints.

Ready-to-use machines

Virtual machine (VM): Wazuh provides a pre-built virtual machine image (OVA) that you can directly import using VirtualBox or other OVA compatible virtualization systems.
Amazon Machine Images (AMI): This is a pre-built Amazon Machine Image (AMI) you can directly launch on an AWS cloud instance.

Containers

Deployment on Docker: Docker is a set of platform-as-a-service (PaaS) products that deliver software in packages called containers. Using Docker, you can install and configure the Wazuh deployment as a single-host architecture.
Deployment on Kubernetes: Kubernetes is an open-source system for automating deployment, scaling, and managing containerized applications. This deployment type uses Wazuh images from Docker and allows you to build the Wazuh environment.

Offline

Offline installation guide: Installing the solution offline involves downloading the Wazuh components to later install them on a system with no internet connection.

From sources

Installing the Wazuh server from sources: Installing Wazuh from sources means installing the Wazuh manager without using a package manager. You compile the source code and copy the binaries to your computer instead.

Note

To integrate Wazuh with Elastic or Splunk, refer to our Integrations guide: Elastic, OpenSearch, Splunk, Amazon Security Lake.

Installing the Wazuh agent

The Wazuh agent is a single and lightweight monitoring software. It is a multi-platform component that can be deployed to laptops, desktops, servers, cloud instances, containers, or virtual machines. It provides visibility into the endpoint security by collecting critical system and application records, inventory data, and detecting potential anomalies.

If the Wazuh central components are already installed in your environment, select your operating system below and follow the installation steps to deploy the agent on the endpoints.

Linux

Windows

macOS

From sources

Installing the Wazuh agent from sources: Installing Wazuh from sources means installing the Wazuh agent without using a package manager. You compile the source code and copy the binaries to your computer instead.

Orchestration tools

These alternatives guide you to install the Wazuh central components along with the single universal agent.

Deployment with Ansible: Ansible is an open source platform designed for automating tasks. Its deployment tool is used to deploy the Wazuh infrastructure on AWS. The Wazuh environment consists of the Wazuh central components and a Wazuh agent.
Deployment with Puppet: Puppet is an open-source software tool that gives you an automatic way to inspect, deliver, operate, and future-proof all of your software, no matter where it is executed. It is very simple to use and allows you to install and configure Wazuh easily.

Virtual machine (VM)

Wazuh provides a pre-built virtual machine image in Open Virtual Appliance (OVA) format. It includes the Amazon Linux 2023 operating system and the Wazuh central components.

Wazuh manager 5.0.0
Filebeat-OSS 7.10.2
Wazuh indexer 5.0.0
Wazuh dashboard 5.0.0

You can import the Wazuh virtual machine image to VirtualBox or other OVA-compatible virtualization systems. This VM runs only on 64-bit systems with x86_64/AMD64 architecture. It does not provide high availability or scalability out of the box. However, you can implement these using distributed deployment.

Download the virtual appliance (OVA).

OS	Architecture	VM Format	Version	Package
Amazon Linux 2023	64-bit x86_64/AMD64 architecture	OVA	5.0.0	wazuh-5.0.0.ova (sha512)

Hardware requirements

The following requirements have to be in place before the Wazuh VM can be imported into a host operating system:

The host operating system must be 64-bit with x86_64/AMD64 architecture.
Enable hardware virtualization in the host firmware.
Install a virtualization platform, such as VirtualBox, on the host system.

The Wazuh VM is configured with these specifications by default:

Component	CPU (cores)	RAM (GB)	Storage (GB)
Wazuh v5.0.0 OVA	4	8	50

The hardware configuration can be modified depending on the number of protected endpoints and indexed alert data. For more information about requirements, see Quickstart.

Import and access the virtual machine

Import the wazuh-5.0.0.ova file to your virtualization platform.
If you use VirtualBox, set the Graphics Controller to VMSVGA. Other controllers can freeze the VM window.
1. Select the imported VM
2. Click Settings > Display
3. Switch from Basic to Expert mode at the top-left of the settings window.
4. From the Graphic controller dropdown, select the VMSVGA option.
Start the VM.
Log in using these credentials. You can use the virtualization platform or access it via SSH.
```
user: wazuh-user
password: wazuh
```
The SSH root user login is disabled. The wazuh-user has sudo privileges. To switch to root, execute the following command:
```
sudo -i
```

Access the Wazuh dashboard

After starting the VM, access the Wazuh dashboard in a web browser using these credentials:

URL: https://<WAZUH_SERVER_IP>
user: admin
password: admin

It might take a few seconds to minutes for the Wazuh dashboard to complete initialization. You can find <WAZUH_SERVER_IP> by typing the following command in the VM:

ip a

Configuration files

All components in this virtual image are configured to work out of the box. However, all components can be fully customized. These are the configuration file locations:

Wazuh manager: /var/ossec/etc/ossec.conf

Wazuh indexer: /etc/wazuh-indexer/opensearch.yml

Filebeat-OSS: /etc/filebeat/filebeat.yml

Wazuh dashboard:

/etc/wazuh-dashboard/opensearch_dashboards.yml

/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

VirtualBox time configuration

If you use VirtualBox, the VM might experience time skew when VirtualBox synchronizes the guest machine time. Follow the steps below to avoid this:

Select the imported Wazuh VM
Click on Settings > System.
Switch from Basic to Expert mode at the top-left of the settings window.
Click on the Motherboard sub-tab.
Enable the Hardware Clock in UTC Time option under Features.

Note

By default, the network interface type is set to Bridged Adapter. The VM attempts to obtain an IP address from the network DHCP server. Alternatively, you can set a static IP address by configuring the network files in Amazon Linux.

Once the virtual machine is imported and running, the next step is to deploy the Wazuh agents on the systems to be monitored.

Troubleshooting

VM fails to start on AMD processors with VMware

Issue:

After importing the Wazuh OVA into VMware Workstation on a host with an AMD processor, the VM fails to start with the error:
```
The guest operating system has disabled the CPU. Power off or reset the virtual machine.
```

Workaround:

Locate and edit the VM .vmx file after importing the OVA.

Add the following lines to the end of the file to resolve compatibility issues between the VM and AMD processors.

cpuid.0.eax = "0000:0000:0000:0000:0000:0000:0000:1011"
cpuid.0.ebx = "0111:0101:0110:1110:0110:0101:0100:0111"
cpuid.0.ecx = "0110:1100:0110:0101:0111:0100:0110:1110"
cpuid.0.edx = "0100:1001:0110:0101:0110:1110:0110:1001"
cpuid.1.eax = "0000:0000:0000:0001:0000:0110:0111:0001"
cpuid.1.ebx = "0000:0010:0000:0001:0000:1000:0000:0000"
cpuid.1.ecx = "1000:0010:1001:1000:0010:0010:0000:0011"
cpuid.1.edx = "0000:0111:1000:1011:1111:1011:1111:1111"
featureCompat.enable = "FALSE"

Save the file and power on the VM.

Upgrading the VM

The virtual machine can be upgraded as a traditional installation:

Upgrading the Wazuh central components

Amazon Machine Images (AMI)

Wazuh provides a pre-built Amazon Machine Image (AMI). An AMI is a ready-to-use template for creating virtual computing environments in Amazon Elastic Compute Cloud (Amazon EC2). The latest Wazuh AMI includes Amazon Linux 2023 and the Wazuh central components.

Wazuh manager 5.0.0
Filebeat-OSS 7.10.2
Wazuh indexer 5.0.0
Wazuh dashboard 5.0.0

Packages list

Distribution	Architecture	VM Format	Latest version	Product page
Amazon Linux 2023	64-bit	AWS AMI	5.0.0	Wazuh All-In-One Deployment

Deployment alternatives

You can deploy a Wazuh instance in two ways. Launch the Wazuh All-In-One Deployment AMI directly from the AWS Marketplace or configure and deploy an instance using the AWS Management Console.

Launch an instance from the AWS Marketplace
Deploy an instance using the AWS Management Console

Note

Our Wazuh Consulting Service is also available in the AWS Marketplace. Check the Professional Service packages that Wazuh has to offer.

Launch an instance from the AWS Marketplace

Go to Wazuh All-In-One Deployment in the AWS Marketplace, then click View purchase options.
Review the information and the terms for the software. Click Subscribe to confirm subscribing to our product. You will receive an email notification that your offer has been accepted.
Click Launch your software to continue your setup.
Select the service Amazon EC2, Launch from EC2 console, and a Region.
Click Launch from EC2 to take you to the AWS Management Console.
Review your configuration, ensuring all settings are correct, before launching the software. Adapt the default configuration to your needs.
1. When selecting the EC2 Instance Type, we recommend c5a.xlarge because it offers an ideal balance of high compute performance and cost-efficiency.
2. To guarantee the correct operation, the Security Group must have the appropriate settings for your Wazuh instance. You can create a new security group by choosing Create security group. This new group will have the appropriate settings by default.
Click Launch to generate the instance.

Once your instance is successfully launched and a few minutes have elapsed, you can access the Wazuh dashboard.

Deploy an instance using the AWS Management Console

Select EC2 from your AWS Management Console dashboard.
Click Launch instance.
Click on Browse more AMIs.
Search Wazuh All-In-One Deployment by Wazuh Inc under the AWS Marketplace AMIs tab, and click Select. This brings up a description of the Wazuh All-In-One Deployment with the option to either Subscribe on instance launch or Subscribe now.
Select the instance type that best fits your needs. We recommend c5a.xlarge.

You can use either of these three configuration alternatives available regarding the key pair settings:
- Choose an existing key pair
- Create a new key pair
- Proceed without a key pair (Not recommended)
You need to choose an existing key pair or create a new one to access the instance with SSH.
When selecting the Security Group, ensure it has the appropriate settings for your Wazuh instance to guarantee correct operation. You can create a new security group by choosing Create security group. This new group will have the appropriate settings by default. Check that the ports and protocols are the ports and protocols for Wazuh. Check the security measures for your instance. This will establish the Security Group (SG).
Under the Size (GiB) column, set your instance's storage capacity, then click Next: Add Tags. We recommend 100 GiB gp3 or more.
Review the instance configuration and click Launch instance.

After a few minutes, the instance will be ready. You can access the Wazuh dashboard.

Configuration files

All components included in this AMI are configured to work out-of-the-box without the need to modify any settings. However, all components can be fully customized. These are the configuration file locations:

Wazuh manager: /var/ossec/etc/ossec.conf
Wazuh indexer: /etc/wazuh-indexer/opensearch.yml
Filebeat-OSS: /etc/filebeat/filebeat.yml
Wazuh dashboard:
- /etc/wazuh-dashboard/opensearch_dashboards.yml
- /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

To learn more about configuring Wazuh, see the User manual.

Access the Wazuh dashboard

When the instance is launched, the user passwords are automatically changed to the instance ID with the first letter capitalized. For example: I-07f25f6afe4789342. This ensures that only the creator has access to the interface. This process can take an average of five minutes, depending on the type of instance. During this time, SSH access and Wazuh dashboard access are disabled.

Once the instance runs and the process to initialize passwords is complete, you can access the Wazuh dashboard with your credentials.

URL: https://<YOUR_INSTANCE_IP>
Username: admin
Password: <YOUR_INSTANCE_ID>

Note

The password is the instance ID with the first letter capitalized. For example, if the instance ID is: i-07f25f6afe4789342, the default password will be I-07f25f6afe4789342.

Warning

The passwords for the Wazuh server API users wazuh and wazuh-wui are the same as those for the admin user. We highly recommend changing the default passwords on the first SSH access. To perform this action, refer to the Password management section.

Security considerations about SSH

The root user cannot be identified by SSH, and the instance can only be accessed through the user: wazuh-user.
The instance can only be accessed through a key pair, which is provided to the user with the key pair.
You must download the key generated or stored in AWS to access the instance with a key pair. Then, run the following command to connect with the instance.
```
# ssh -i "<KEY_PAIR_NAME>" wazuh-user@<YOUR_INSTANCE_IP>
```
Access during the initial password change is disabled to prevent potential problems. This process might take a few minutes to complete. Any access attempt before completion shows: wazuh-user@<INSTANCE_IP>: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Next steps

The Wazuh AMI is now ready and you can proceed with deploying the Wazuh agents on the systems to be monitored.

Upgrading the AMI

Follow the instructions on how to upgrade the Wazuh central components.

Upgrading the Wazuh central components

Deployment on Docker

Docker is an open source platform that simplifies building, delivering, and running applications in lightweight, portable containers. These containers bundle their application with all its dependencies, such as code, system tools, system libraries, and settings. Docker enables the separation of applications from the underlying infrastructure and ensures they run consistently across any environment, whether in the cloud or on-premises.

Wazuh provides official Docker images that you can install to streamline deployment. These include:

You can find all available Wazuh Docker images on Docker Hub.

Content

Wazuh Docker deployment

Wazuh consists of a multi-platform Wazuh agent and three central components: the Wazuh server, the Wazuh indexer, and the Wazuh dashboard. Refer to the Wazuh components documentation for more information.

Deployment options

Wazuh supports the deployment of its central components and agent on Docker.

Single-node stack: This stack deploys one of each Wazuh central component as a separate container. It includes:
- Wazuh indexer container: Stores and indexes security data collected by the Wazuh manager.
- Wazuh manager container: Analyzes collected security events, applies detection rules, and manages Wazuh agents.
- Wazuh dashboard container: Centralized web interface for monitoring, searching, and managing Wazuh.
It provides persistent storage and configurable certificates for secure communication.
Multi-node stack: This stack deploys each Wazuh component as a separate container. It includes:
- Three Wazuh indexer containers: Work together in a cluster to store and replicate indexed data, ensuring scalability and fault tolerance.
- Two Wazuh manager containers: One master and one worker node. The master coordinates agent management and rule updates, while the worker provides redundancy and load distribution.
- One Wazuh dashboard container.
- One Nginx proxy container: This provides a single secure entry point that load balances traffic between multiple Wazuh manager nodes for high availability. The Nginx container acts as a reverse proxy, distributing incoming requests across the available manager nodes and providing SSL termination for secure communication.

This deployment stack provides persistent storage, secure communication, and high availability.

Wazuh agent: This deploys the Wazuh agent as a container on your Docker host.

Prerequisites

Before deploying Wazuh on Docker, ensure your environment meets the following requirements.

System requirements

Single-node stack deployment

Operating system: Linux or Windows
Architecture: AMD64 (x86_64) or ARM64 (AARCH64)
CPU: At least 4 cores
Memory: At least 8 GB of RAM for the Docker host
Disk space: At least 50 GB storage for Docker images and data volumes

Multi-node stack deployment

Operating system: Linux or Windows
Architecture: AMD64 or ARM64
CPU: At least 4 cores
Memory: At least 16 GB for the Docker host
Disk space: At least 100 GB storage for Docker images and data volumes

Wazuh agent deployment

Operating system: Linux or Windows
Architecture: AMD64
CPU: At least 2 cores
Memory: At least 1 GB of RAM for the Docker host
Disk space: At least 10 GB storage for Docker images and logs

Required software

Docker Engine / Docker Desktop: Use the latest stable version.
- Linux: Docker Engine
- Windows: Docker Desktop (requires WSL 2)
Docker Compose: Latest stable version (included with Docker Desktop on Windows; install separately on Linux if needed).
Git: For cloning the Wazuh Docker repository.

Docker host requirements

You need to configure your Docker host to run Wazuh correctly on any system that uses a Linux kernel. This includes native Linux distributions and Windows with WSL 2 (Windows Subsystem for Linux version 2).

Set max_map_count to 262144 on your Docker host. The Wazuh indexer creates many virtual memory areas (VMAs), so the kernel must allow more than the Linux default limit of 65530. A VMA is a region of memory that lets applications like the Wazuh indexer access files directly from disk as if they were in RAM.

Note

On Windows systems using WSL 2, run this command within the WSL 2 environment.
```
# sysctl -w vm.max_map_count=262144
```
Warning

If you don’t set vm.max_map_count to at least 262144, the Wazuh indexer might fail due to limited virtual memory mapping. This value lets the indexer map more files and index segments to memory, preventing errors or crashes.
On native Linux systems, add your user to the docker group if you want to run Docker without root privileges:
```
# usermod -aG docker <USER>
```
Replace <USER> with your username. Log out and back in for the change to take effect.

Exposed ports

The following ports are exposed when the Wazuh central components are deployed.

Port	Component
1514	Wazuh TCP
1515	Wazuh TCP
514	Wazuh UDP
55000	Wazuh server API
9200	Wazuh indexer API
443	Wazuh dashboard HTTPS

Wazuh central components

Below are the steps for deploying the Wazuh central components in single-node and multi-node stacks.

Warning

Do not run the single-node and multi-node stacks at the same time on the same Docker host. Both stacks use overlapping resources (such as container names, ports, and volumes), which can lead to conflicts, unexpected behavior, or data corruption.

Single-node stack deployment

Follow the steps below to deploy the Wazuh central components in a single-node stack.

Note

All deployment commands provided apply to both Windows and Linux environments.

Cloning the repository

Clone the Wazuh Docker repository to your system:

# git clone https://github.com/wazuh/wazuh-docker.git -b v5.0.0

Navigate to the single-node directory to execute all the following commands.
```
# cd wazuh-docker/single-node/
```

Certificate generation

You must provide certificates for each node to secure communication between them in the Wazuh stack. You have two alternatives:

Wazuh self-signed certificates
Your own certificates

You must use the wazuh-certs-generator Docker image to generate self-signed certificates for each node of the stack.

Optional: Add the following to the generate-indexer-certs.yml file if your system uses a proxy. If not, skip this step. Replace <YOUR_PROXY_ADDRESS_OR_DNS> with your proxy information.

# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
services:
  generator:
    image: wazuh/wazuh-certs-generator:0.0.4
    hostname: wazuh-certs-generator
    volumes:
      - ./config/wazuh_indexer_ssl_certs/:/certificates/
      - ./config/certs.yml:/config/certs.yml
    environment:
      - HTTP_PROXY=<YOUR_PROXY_ADDRESS_OR_DNS>

Run the following command to generate the desired certificates:

# docker compose -f generate-indexer-certs.yml run --rm generator

The generated certificates will be stored in the wazuh-docker/single-node/config/wazuh_indexer_ssl_certs directory.

If you already have valid certificates for each node, place them in the wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/ directory using the following file names. Note your stack for the right path.

Wazuh indexer:

wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca.pem
wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem
wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.indexer.pem
wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/admin.pem
wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/admin-key.pem

Wazuh manager:

wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca-manager.pem
wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.manager.pem
wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem

Wazuh dashboard:

wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem
wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem
wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca.pem

Deployment

Start the Wazuh Docker deployment using the docker compose command:
# docker compose up -d
# docker compose up

Note

Docker does not dynamically reload the configuration. After changing a component's configuration, you need to restart the stack.

Accessing the Wazuh dashboard

After deploying the single-node stack, you can access the Wazuh dashboard using your Docker host's IP address or localhost.

https://<DOCKER_HOST_IP>

Note

If you use a self-signed certificate, your browser will display a warning that it cannot verify the certificate's authenticity.

This is the default username and password to access the Wazuh dashboard:

Username: admin
Password: SecretPassword

Refer to the changing the default password of Wazuh users section to learn more about additional security.

Note

To determine when the Wazuh indexer is up, the Wazuh dashboard container uses curl to repeatedly send queries to the Wazuh indexer API (port 9200). You can expect to see several Failed to connect to Wazuh indexer port 9200 log messages or Wazuh dashboard server is not ready yet until the Wazuh indexer is started. Then the setup process continues normally. It takes about one minute for the Wazuh indexer to start up. You can find the default Wazuh indexer credentials in the docker-compose.yml file.

Multi-node stack deployment

Follow the steps below to deploy the Wazuh central components in a multi-node stack.

Note

All deployment commands provided apply to both Windows and Linux environments.

Cloning the repository

Clone the Wazuh Docker repository to your system:

# git clone https://github.com/wazuh/wazuh-docker.git -b v5.0.0

Navigate to the multi-node directory to execute all the following commands.
```
# cd wazuh-docker/multi-node/
```

Certificate generation

You must provide certificates for each node to secure communication between them in the Wazuh stack. You have two alternatives:

Wazuh self-signed certificates
Your own certificates

You must use the wazuh-certs-generator Docker image to generate self-signed certificates for each node of the stack.

Optional: Add the following to the generate-indexer-certs.yml file if your system uses a proxy. If not, skip this step. Replace <YOUR_PROXY_ADDRESS_OR_DNS> with your proxy information.

# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
services:
  generator:
    image: wazuh/wazuh-certs-generator:0.0.4
    hostname: wazuh-certs-generator
    volumes:
      - ./config/wazuh_indexer_ssl_certs/:/certificates/
      - ./config/certs.yml:/config/certs.yml
    environment:
      - HTTP_PROXY=<YOUR_PROXY_ADDRESS_OR_DNS>

Run the following command to generate the desired certificates:

# docker compose -f generate-indexer-certs.yml run --rm generator

The generated certificates will be stored in the wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs directory.

If you already have valid certificates for each node, place them in the wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs/ directory using the following file names. Note your stack for the right path.

Wazuh indexer:

wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs/root-ca.pem
wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem
wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs/wazuh.indexer.pem
wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs/admin.pem
wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs/admin-key.pem

Wazuh manager:

wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs/root-ca-manager.pem
wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs/wazuh.manager.pem
wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem

Wazuh dashboard:

wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem
wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem
wazuh-docker/multi-node/config/wazuh_indexer_ssl_certs/root-ca.pem

Deployment

Start the Wazuh Docker deployment using the docker compose command:
# docker compose up -d
# docker compose up

Note

Docker does not dynamically reload the configuration. After changing a component's configuration, you need to restart the stack.

Accessing the Wazuh dashboard

After deploying the multi-node stack, you can access the Wazuh dashboard using your Docker host's IP address or localhost.

https://<DOCKER_HOST_IP>

Note

If you use a self-signed certificate, your browser will display a warning that it cannot verify the certificate's authenticity.

This is the default username and password to access the Wazuh dashboard:

Username: admin
Password: SecretPassword

Refer to the changing the default password of Wazuh users section to learn more about additional security.

Note

Wazuh agent

Running the Wazuh agent in a Docker container provides a lightweight option for integrations and for collecting logs via syslog, without installing the agent directly on a host. However, when deployed this way, the containerized agent cannot directly access or monitor the host system.

Deployment

Follow these steps to deploy the Wazuh agent using Docker.

Clone the Wazuh Docker repository to your system:

# git clone https://github.com/wazuh/wazuh-docker.git -b v5.0.0

Navigate to the wazuh-docker/wazuh-agent/ directory within your repository:
```
# cd wazuh-docker/wazuh-agent
```

Edit the docker-compose.yml file. Replace <YOUR_WAZUH_MANAGER_IP> with the IP address of your Wazuh manager. Locate the environment section for the agent service and update it:

# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
services:
  wazuh.agent:
    image: wazuh/wazuh-agent:5.0.0
    restart: always
    environment:
      - WAZUH_MANAGER_SERVER=<WAZUH_MANAGER_IP>
    volumes:
      - ./config/wazuh-agent-conf:/wazuh-config-mount/etc/ossec.conf

Start the Wazuh agent deployment using docker compose:
# docker compose up -d
# docker compose up
Verify from your Wazuh dashboard that the Wazuh agent deployment was successful and visible. Navigate to the Agent management > Summary, and you should see the Wazuh agent container active on your dashboard.

Changing the default password of Wazuh users

We recommend changing the default Wazuh user's password to improve security.

There are two types of users on Wazuh Docker environments:

Wazuh indexer users
Wazuh server API users

Follow the steps below to change the password of these Wazuh users.

Note

Depending on your Wazuh Docker stack, you must run the commands from the wazuh-docker/single-node or wazuh-docker/multi-node directory.

Wazuh indexer user

The Wazuh indexer has the admin and kibanaserver users by default. You can access the Wazuh dashboard using either the admin or kibanaserver user credentials.

To change these credentials, you must:

Log out of your Wazuh dashboard
Set a new password in the Docker Compose file
Create and set the hash of your new password
Apply the changes

Warning

You can only change one user's password at a time.
If you have custom users, add them to the config/wazuh_indexer/internal_users.yml file in the deployment model directory. Otherwise, executing this procedure deletes them.

Logging out of your Wazuh dashboard

You must log out of your Wazuh dashboard before starting the password change process. If you don't, persistent session cookies will cause errors when accessing Wazuh after changing user passwords.

Setting the new password in the Docker Compose file

Note

If your password contains the $ character, you must escape it by doubling it. For example, to set the password Secret$Password in the docker-compose.yml file, write it as Secret$$Password.

Open the docker-compose.yml file. Change all occurrences of the old password with the new one. For example, for a single-node stack:

...
services:
    wazuh.manager:
    ...
    environment:
        - INDEXER_URL=https://wazuh.indexer:9200
        - INDEXER_USERNAME=admin
        - INDEXER_PASSWORD=SecretPassword
        - FILEBEAT_SSL_VERIFICATION_MODE=full
        - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
        - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
        - SSL_KEY=/etc/ssl/filebeat.key
        - API_USERNAME=wazuh-wui
        - API_PASSWORD=MyS3cr37P450r.*-
    ...
    wazuh.indexer:
    ...
    environment:
        - "OPENSEARCH_JAVA_OPTS=-Xms1024m -Xmx1024m"
    ...
    wazuh.dashboard:
    ...
    environment:
        - INDEXER_USERNAME=admin
        - INDEXER_PASSWORD=SecretPassword
        - WAZUH_API_URL=https://wazuh.manager
        - DASHBOARD_USERNAME=kibanaserver
        - DASHBOARD_PASSWORD=kibanaserver
        - API_USERNAME=wazuh-wui
        - API_PASSWORD=MyS3cr37P450r.*-
    ...

...

services:
    wazuh.dashboard:
    ...
    environment:
        - INDEXER_USERNAME=admin
        - INDEXER_PASSWORD=SecretPassword
        - WAZUH_API_URL=https://wazuh.manager
        - DASHBOARD_USERNAME=kibanaserver
        - DASHBOARD_PASSWORD=kibanaserver
        - API_USERNAME=wazuh-wui
        - API_PASSWORD=MyS3cr37P450r.*-
    ...

Setting a new hash

Follow the steps below to generate and set a new password hash for your Wazuh users.

Stop the stack if it's running:
```
# docker compose down
```

Run this command to generate the hash for your new password:

# docker run --rm -ti wazuh/wazuh-indexer:5.0.0 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

Once the container launches, input the new password and press Enter.

Copy the generated hash.
Open the config/wazuh_indexer/internal_users.yml file. Locate the block for the user whose password you want to change.

Replace <NEW_HASH> with your hash values.

...

admin:
  hash: "<NEW_HASH>"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"

...

...

kibanaserver:
  hash: "<NEW_HASH>"
  reserved: true
  description: "Demo kibanaserver user"

...

Save the changes.

Applying the changes

After updating docker-compose.yml file, restart the Wazuh Docker stack and reapply settings using the securityadmin.sh tool.

Start the deployment stack.
```
# docker compose up -d
```
Run docker ps and note the name of the first Wazuh indexer container. For example, single-node-wazuh.indexer-1, or multi-node-wazuh1.indexer-1.
Run docker exec -it <WAZUH_INDEXER_CONTAINER_NAME> bash to access the container. Replace <WAZUH_INDEXER_CONTAINER_NAME> with the Wazuh indexer container name. For example, use single-node-wazuh.indexer-1 for the single-node stack and multi-node-wazuh1.indexer-1 for the multi-node stack:
```
# docker exec -it single-node-wazuh.indexer-1 bash
```

Set the following variables:

export INSTALLATION_DIR=/usr/share/wazuh-indexer
export CONFIG_DIR=$INSTALLATION_DIR/config
CACERT=$CONFIG_DIR/certs/root-ca.pem
KEY=$CONFIG_DIR/certs/admin-key.pem
CERT=$CONFIG_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk

Wait for the Wazuh indexer to initialize properly. The waiting time can vary from one to five minutes. It depends on the size of the cluster, the assigned resources, and the network speed. Then, run the securityadmin.sh script to apply all changes.

$ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd $CONFIG_DIR/opensearch-security/ -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9200 -icl

$ HOST=$(grep node.name $CONFIG_DIR/opensearch.yml | awk '{printf $2}')
$ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd $CONFIG_DIR/opensearch-security/ -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9200 -icl -h $HOST

Note

When working on Docker Desktop with a multi-node stack, use the multi-node-wazuh1.indexer-1 IP address instead of the $HOST variable.

Exit the Wazuh indexer container. Refresh the Wazuh dashboard and log in with the new credentials.

Wazuh server API users

The wazuh-wui user is the default user for connecting to the Wazuh server API. Follow these steps to change the password.

Warning

The password for Wazuh server API users must be between 8 and 64 characters long and contain at least one uppercase and lowercase letter, number, and symbol. The Wazuh manager service will fail to start if these requirements are unmet.

Open the config/wazuh_dashboard/wazuh.yml file and modify the value of the password parameter.

...
hosts:
  - 1513629884013:
      url: "https://wazuh.manager"
      port: 55000
      username: wazuh-wui

     password: "MyS3cr37P450r.*-"

     run_as: false
...

Open the docker-compose.yml file. Change all occurrences of the old password with the new one.

...
services:
  wazuh.manager:
    ...
    environment:
      - INDEXER_URL=https://wazuh.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
     - API_PASSWORD=MyS3cr37P450r.*-

 ...
  wazuh.dashboard:
    ...
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - WAZUH_API_URL=https://wazuh.manager
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver
      - API_USERNAME=wazuh-wui

     - API_PASSWORD=MyS3cr37P450r.*-

 ...

Recreate the Wazuh containers:

# docker compose down
# docker compose up -d

Refer to logging in to the Wazuh server API via the command line to learn more.

Building Docker images locally

You can modify and build Docker images for the Wazuh central components (manager, indexer, and dashboard) and the Wazuh agent.

Clone the Wazuh Docker repository to your system:

# git clone https://github.com/wazuh/wazuh-docker.git -b v5.0.0

Navigate to the build-docker-images directory:
```
# cd wazuh-docker/build-docker-images
```
Run the build script:
```
# ./build-images.sh
```

This process builds Docker images for all Wazuh components on your local system.

Wazuh Docker utilities

After deploying Wazuh with Docker, you can perform several tasks to manage and customize your installation. Wazuh components are deployed as separate containers built from their corresponding Docker image. You can access these containers using the service names defined in your docker-compose.yml file, which are specific to your deployment type.

Access to services and containers

This section explains how to interact with your Wazuh deployment by accessing service logs and shell instances of running containers.

Access the Wazuh dashboard using the Docker host IP address.
Enroll agents through the Wazuh agent Docker deployment or the standard Wazuh agent enrollment process. Use the Docker host address as the Wazuh manager address.

List the containers in the directory where the Wazuh docker-compose.yml file is located:

# docker compose ps

NAME                            COMMAND                  SERVICE             STATUS              PORTS
single-node-wazuh.dashboard-1   "/entrypoint.sh"         wazuh.dashboard     running             443/tcp, 0.0.0.0:443->5601/tcp
single-node-wazuh.indexer-1     "/entrypoint.sh open…"   wazuh.indexer       running             0.0.0.0:9200->9200/tcp
single-node-wazuh.manager-1     "/init"                  wazuh.manager       running             0.0.0.0:1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, 0.0.0.0:55000->55000/tcp, 1516/tcp

Run the command below from the directory where the docker-compose.yml file is located to open a shell inside the container:
```
# docker compose exec <SERVICE> bash
```

Wazuh service data volumes

You can set Wazuh configuration and log files to exist outside their containers on the host system. This allows the files to persist after containers are removed, and you can provision custom configuration files to your containers.

Listing existing volumes

Run the following to see the persistent volumes on your Docker host:

# docker volume ls

DRIVER    VOLUME NAME
local     single-node_wazuh_api_configuration

You can also view these volumes in the volumes section directly from the docker-compose.yml file.

Adding a custom volume

You need multiple volumes to ensure persistence on the Wazuh server, Wazuh indexer, and Wazuh dashboard containers. Investigate the volumes section in your docker-compose.yml file and modify it to include your custom volumes:

services:
  wazuh.manager:
    . . .
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration
    . . .
volumes:
  wazuh_api_configuration:

Custom commands and scripts

Run the command below to execute commands inside the containers. We use the Wazuh manager single-node-wazuh.manager-1 container in this example:

# docker exec -it single-node-wazuh.manager-1 bash

Every change made on this shell persists because of the data volumes.

Note

The actions you can perform inside the containers are limited.

Modifying the Wazuh configuration file

To customize the Wazuh configuration file /var/ossec/etc/ossec.conf, modify the appropriate configuration file on the Docker host according to your business needs. These local files are mounted into the containers at runtime, allowing your custom settings to persist across container restarts or rebuilds.

Run the following command in your deployment directory to stop the running containers:
```
# docker compose down
```
The following are the locations of the Wazuh configuration files on the Docker host that you can modify:
wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf
- Manager: wazuh-docker/multi-node/config/wazuh_cluster/wazuh_manager.conf
- Worker: wazuh-docker/multi-node/config/wazuh_cluster/wazuh_worker.conf
wazuh-docker/wazuh-agent/config/wazuh-agent-conf
Save the changes made in the configuration files.
Restart the stack:
```
# docker compose up -d
```

These files are mounted into the container at runtime (wazuh-config-mount/etc/ossec.conf), ensuring your changes take effect when the containers start.

Tuning Wazuh services

Tuning the Wazuh indexer and dashboard is optional. You can apply custom configurations only if you need to adjust performance, customize the dashboard interface, or override default settings.

The Wazuh indexer reads its configuration from the file(s) in the config/wazuh_indexer/ directory in your respective deployment stack. Edit the appropriate configuration file(s) with your desired parameters, and ensure any changes made are properly mapped in your docker-compose.yml so the container loads the updated configuration.
The Wazuh dashboard reads its configuration from the config/wazuh_dashboard/opensearch_dashboards.yml file. You can adjust dashboard behavior or appearance by modifying parameters in this file. Refer to the OpenSearch documentation on Modifying the YAML files for details about the available variables you can override in this configuration.

Upgrading Wazuh Docker

This section describes how to upgrade the Wazuh deployment on Docker.

To upgrade to version 5.0.0, choose one of the following strategies.

Using the default Docker Compose files: Replace the existing docker-compose.yml file with the default one provided for Wazuh 5.0.0.
Keeping your custom Docker Compose files: Retain your existing docker-compose.yml file of your outdated Wazuh Docker deployment and apply the upgrade without replacing it.

Using the default Docker Compose files

Follow these steps to upgrade your deployment using the default docker-compose.yml file:

Run the following command from your wazuh-docker/single-node/ or wazuh-docker/multi-node/ directory to stop the outdated environment:
```
# docker compose down
```
Update your local repository to fetch the latest tags:
```
# git fetch --all --tags
```
Check out the tag for the current version of wazuh-docker:
```
# git checkout v5.0.0
```
This command switches your local repository to the specified release tag, ensuring the deployment uses that version's exact configuration and files.

Note

Replace v5.0.0 with the tag of any other Wazuh version you want to upgrade to. You can run git tag -l to see all available versions.
Start the upgraded Wazuh Docker environment using the docker compose command:
```
# docker compose up -d
```
Your data and certificates remain persistent because they are stored in mounted Docker volumes. This means upgrading the environment does not erase your existing configuration or indexed data.

Keeping your custom Docker Compose files

To upgrade your deployment while preserving your custom docker-compose.yml file, follow these steps:

Single-node stack

Run the following command from your wazuh-docker/single-node/ directory to stop the outdated environment:
```
# docker compose down
```
If upgrading from a version earlier than 4.8, edit the single-node/config/wazuh_dashboard/opensearch_dashboards.yml file and update the defaultRoute parameter as follows:
```
uiSettings.overrides.defaultRoute: /app/wz-home
```
Optional: Modify the OPENSEARCH_JAVA_OPTS environment variable in the single-node/docker-compose.yml file to allocate more RAM to the Wazuh indexer container.
```
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
```

In single-node/generate-indexer-certs.yml, update the image generator tag to the latest version and add the CERT_TOOL_VERSION environment variable.

services:
   generator:
      image: wazuh/wazuh-certs-generator:0.0.4
      environment:
        - CERT_TOOL_VERSION=5.0

Recreate the certificates after these changes.
```
# docker compose -f generate-indexer-certs.yml run --rm generator
```
Optional: Update old paths with the new ones based on the version you are upgrading from.
Wazuh dashboard
1. Edit single-node/config/wazuh_dashboard/opensearch_dashboards.yml and do the following replacements.
  - Replace /usr/share/wazuh-dashboard/config/certs/ with /usr/share/wazuh-dashboard/certs/.
2. Edit single-node/docker-compose.yml and do the following replacements.
  - Replace /usr/share/wazuh-dashboard/config/certs/ with /usr/share/wazuh-dashboard/certs/.
Wazuh indexer
1. Edit the single-node/config/wazuh_indexer/wazuh.indexer.yml file and do the following replacements.
  - Replace ${OPENSEARCH_PATH_CONF}/certs/ with /usr/share/wazuh-indexer/config/certs/.
2. Edit the single-node/docker-compose.yml file and do the following replacements.
  - Replace /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ with /usr/share/wazuh-indexer/opensearch-security/.
Wazuh indexer
1. Edit the single-node/config/wazuh_indexer/wazuh.indexer.yml file and do the following replacements.
  - Replace /usr/share/wazuh-indexer/certs/ with /usr/share/wazuh-indexer/config/certs/.
2. Edit the single-node/docker-compose.yml file and do the following replacements.
  - Replace /usr/share/wazuh-indexer/certs/ with /usr/share/wazuh-indexer/config/certs/.
  - Replace /usr/share/wazuh-indexer/opensearch.yml with /usr/share/wazuh-indexer/config/opensearch.yml.
  - Replace /usr/share/wazuh-indexer/opensearch-security/internal_users.yml with /usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml.

Edit the docker-compose.yml file and update the highlighted lines to the latest images.

wazuh.manager:
   image: wazuh/wazuh-manager:5.0.0
...
wazuh.indexer:
   image: wazuh/wazuh-indexer:5.0.0
...
wazuh.dashboard:
   image: wazuh/wazuh-dashboard:5.0.0

Optional: If you are upgrading from Wazuh version 4.3, add the variable related to the kibanaserver user.

...
wazuh.dashboard:
   image: wazuh/wazuh-dashboard:5.0.0
   environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - WAZUH_API_URL=https://wazuh.manager
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver

Replace the content of single-node/config/wazuh_cluster/wazuh_manager.conf file in your stack with the one from the v5.0.0 tag of the Wazuh Docker repository.

# curl -sL https://raw.githubusercontent.com/wazuh/wazuh-docker/v5.0.0/single-node/config/wazuh_cluster/wazuh_manager.conf > single-node/config/wazuh_cluster/wazuh_manager.conf

Start the new version of Wazuh using the docker compose command:
```
# docker compose up -d
```

Multi-node stack

Run the following command from your wazuh-docker/multi-node/ directory to stop the outdated environment:
```
# docker compose down
```
If upgrading from a version earlier than 4.8, edit multi-node/config/wazuh_dashboard/opensearch_dashboards.yml file and update the defaultRoute parameter as follows:
```
uiSettings.overrides.defaultRoute: /app/wz-home
```
Optional: Modify the OPENSEARCH_JAVA_OPTS environment variable in the multi-node/docker-compose.yml file to allocate more RAM to the Wazuh indexer container.
```
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
```

In multi-node/generate-indexer-certs.yml, update the image generator tag to the latest version and add the CERT_TOOL_VERSION environment variable.

services:
   generator:
      image: wazuh/wazuh-certs-generator:0.0.4
      environment:
        - CERT_TOOL_VERSION=5.0

Recreate the certificates after these changes.
```
# docker compose -f generate-indexer-certs.yml run --rm generator
```
Optional: Update these old paths with the new ones based on the version you are upgrading from.
Wazuh dashboard
1. Edit multi-node/config/wazuh_dashboard/opensearch_dashboards.yml and do the following replacements.
  - Replace /usr/share/wazuh-dashboard/config/certs/ with /usr/share/wazuh-dashboard/certs/.
2. Edit multi-node/docker-compose.yml and do the following replacements.
  - Replace /usr/share/wazuh-dashboard/config/certs/ with /usr/share/wazuh-dashboard/certs/.
Wazuh indexer
1. Edit the multi-node/config/wazuh_indexer/wazuh1.indexer.yml, multi-node/config/wazuh_indexer/wazuh2.indexer.yml, and multi-node/config/wazuh_indexer/wazuh3.indexer.yml files and do the following replacements.
  - Replace ${OPENSEARCH_PATH_CONF}/certs/ with /usr/share/wazuh-indexer/config/certs/.
2. Edit the multi-node/docker-compose.yml file and do the following replacements.
  - Replace /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ with /usr/share/wazuh-indexer/opensearch-security/.
Wazuh indexer
1. Edit the multi-node/config/wazuh_indexer/wazuh1.indexer.yml, multi-node/config/wazuh_indexer/wazuh2.indexer.yml, and multi-node/config/wazuh_indexer/wazuh3.indexer.yml files and do the following replacements.
  - Replace /usr/share/wazuh-indexer/certs/ with /usr/share/wazuh-indexer/config/certs/.
2. Edit the multi-node/docker-compose.yml file and do the following replacements.
  - Replace /usr/share/wazuh-indexer/certs/ with /usr/share/wazuh-indexer/config/certs/.
  - Replace /usr/share/wazuh-indexer/opensearch.yml with /usr/share/wazuh-indexer/config/opensearch.yml.
  - Replace /usr/share/wazuh-indexer/opensearch-security/internal_users.yml with /usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml.

Edit the docker-compose.yml file and update the highlighted lines to the latest images.

wazuh.master:
   image: wazuh/wazuh-manager:5.0.0
...
wazuh.worker:
   image: wazuh/wazuh-manager:5.0.0
...
wazuh1.indexer:
   image: wazuh/wazuh-indexer:5.0.0
...
wazuh2.indexer:
   image: wazuh/wazuh-indexer:5.0.0
...
wazuh3.indexer:
   image: wazuh/wazuh-indexer:5.0.0
...
wazuh.dashboard:
   image: wazuh/wazuh-dashboard:5.0.0

Optional: If you are updating from Wazuh version 4.3, add the variable related to the kibanaserver user.

...
wazuh.dashboard:
   image: wazuh/wazuh-dashboard:5.0.0
   environment:
      - OPENSEARCH_HOSTS="https://wazuh1.indexer:9200"
      - WAZUH_API_URL="https://wazuh.master"
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver

Replace the content of the following files in your stack with the ones from the v5.0.0 tag of the Wazuh Docker repository.

multi-node/config/wazuh_cluster/wazuh_manager.conf

# curl -sL https://raw.githubusercontent.com/wazuh/wazuh-docker/v5.0.0/multi-node/config/wazuh_cluster/wazuh_manager.conf > multi-node/config/wazuh_cluster/wazuh_manager.conf

multi-node/config/wazuh_cluster/wazuh_worker.conf

# curl -sL https://raw.githubusercontent.com/wazuh/wazuh-docker/v5.0.0/multi-node/config/wazuh_cluster/wazuh_worker.conf > multi-node/config/wazuh_cluster/wazuh_worker.conf

Start the new version of Wazuh using the docker compose command:
```
# docker compose up -d
```

Uninstalling the Wazuh Docker deployment

Follow these steps to uninstall your Wazuh Docker deployment from your Docker host:

Navigate to the directory of your deployment model.
Stop the stack:
```
# docker compose down
```
This command stops all running containers and removes them, but preserves your data volumes and configuration files.
Optional: Delete persistent volumes.
- List all volumes first to confirm what you want to delete:
```
# docker volume ls
```
- If you created custom volumes for logs, configuration, or data, remove them manually:
```
# docker volume rm <VOLUME_ID>
```
- Replace <VOLUME_ID> with the volume name(s) you want to delete.
You can also perform steps 2 and 3 in a single command.

Warning

The -v flag will permanently delete all your Wazuh data, configurations, and logs. Use this only when you want to remove the deployment and start fresh completely.
- Run the following to stop the stack and immediately remove all associated volumes:
```
# docker compose down -v
```

Deployment on Kubernetes

In this section, we show the process of installing, upgrading, and uninstalling Wazuh on Kubernetes.

Kubernetes is an open source container orchestration engine. Containers are microservices packaged with their dependencies and configurations. Kubernetes is meant to run across a cluster, automating deployment, scaling, and management of containerized applications. It simplifies the operation of applications that span multiple containers deployed across multiple servers. For easy management and discovery, containers are grouped into pods, the basic operational unit for Kubernetes. Kubernetes pods are distributed among nodes to provide high availability. Kubernetes helps with networking, load balancing, security, and scaling across all Kubernetes nodes running your containers.

In this section of the documentation, we show how to clone the Wazuh Kubernetes repository, and set up SSL certificates. We also show how to apply the manifests and deploy the necessary pods and services for installing Wazuh on Kubernetes in the cloud and local environments. The other subsection in this documentation covers Kubernetes configuration, how to Upgrade Wazuh installed in Kubernetes, and how to Clean Up both clusters and volumes.

Kubernetes configuration

This section outlines how to configure Wazuh components within a Kubernetes cluster, including the manager, indexer, and dashboard. It describes the resource requirements, storage setup, and controller types used for each component.

Pre-requisites

Before you begin, ensure that the following requirements are met:

A running Kubernetes cluster.
An Amazon EBS CSI driver IAM role for Amazon EKS deployments using Kubernetes version 1.23 and later. The CSI driver requires that you assign an IAM role to work properly. For detailed instructions, refer to AWS documentation on Creating the Amazon EBS CSI driver IAM role. You need to install the CSI driver for both new and old deployments. The CSI driver is an essential Kubernetes feature.

Resource Requirement

Your cluster must have at least the following resources available:

2 CPU units
3 Gi of memory
2 Gi of storage

Overview

StatefulSet and Deployment controllers

A StatefulSet manages pods based on identical container specifications. Unlike Deployments, StatefulSets maintain a persistent identity for each pod. Pods are created from the same specification, but are not interchangeable. Each pod retains a persistent identifier that survives rescheduling.

StatefulSets are useful for stateful applications like databases that save data to persistent storage. Wazuh manager and Wazuh indexer components maintain their states, so we use StatefulSets to ensure state persistence across Pod restarts.

Deployments are intended for stateless applications and are lightweight. The Wazuh dashboard doesn't need to maintain state, so it is deployed using a Deployment controller.

Persistent volumes (PV) are storage resources in the cluster. They have a lifecycle independent of any individual pod that uses them. This API object captures storage implementation details for NFS, iSCSI, or cloud-provider-specific storage systems.

We use persistent volumes to store data from both the Wazuh manager and the Wazuh indexer.

For more information, see the Kubernetes persistent volumes documentation.

Pods

A Pod is the smallest and most fundamental deployable unit in Kubernetes. It represents a single instance of a running process in your cluster. You can view how we build Wazuh Docker containers in our repository.

Wazuh master

The master pod contains the master node of the Wazuh server cluster. The master node centralizes and coordinates worker nodes. It ensures critical data remains consistent across the Wazuh server cluster. Management operations occur only on this node, so the agent enrollment service (authd) runs here.

Image	Controller
wazuh/wazuh-manager	StatefulSet

Wazuh worker

The Wazuh worker pods contain the worker nodes of the Wazuh server cluster. They receive agent events.

Image	Controller
wazuh/wazuh-manager	StatefulSet

Wazuh indexer

The Wazuh indexer pod ingests events received from Filebeat.

Image	Controller
wazuh/wazuh-indexer	StatefulSet

Wazuh dashboard

The Wazuh dashboard pod provides visualization of Wazuh indexer data, Wazuh agent information, and Wazuh server configuration.

Image	Controller
wazuh/wazuh-dashboard	Deployment

Services

Wazuh indexer and dashboard

Name	Description
wazuh-indexer	Communication for Wazuh indexer nodes.
indexer	This is the Wazuh indexer API used by the Wazuh dashboard to read/write alerts.
dashboard	Wazuh dashboard service. https://wazuh.<YOUR_DOMAIN>.com:443

Wazuh server

Name	Description
wazuh-master	Wazuh API: wazuh-master.<YOUR_DOMAIN>.com:55000
wazuh-master	Agent registration service (`authd`): wazuh-master.<YOUR_DOMAIN>.com:1515
wazuh-workers	Reporting service: wazuh-manager.<YOUR_DOMAIN>.com:1514
wazuh-cluster	Communication for Wazuh manager nodes.

Deployment

This section covers deploying Wazuh on Kubernetes for Amazon EKS and Local Kubernetes clusters, from environment preparation to verifying that all components are running correctly.

Clone the Wazuh Kubernetes repository for the necessary services and pods:

$ git clone https://github.com/wazuh/wazuh-kubernetes.git -b v5.0.0 --depth=1
$ cd wazuh-kubernetes

Setup SSL certificates

Perform the steps below to generate the required certificates for the deployment:

Generate self-signed certificates for the Wazuh indexer cluster using the script at wazuh/certs/indexer_cluster/generate_certs.sh or provide your own certificates.

# wazuh/certs/indexer_cluster/generate_certs.sh

Root CA
Admin cert
create: admin-key-temp.pem
create: admin-key.pem
create: admin.csr
Ignoring -days without -x509; not generating a certificate
create: admin.pem
Certificate request self-signature ok
subject=C=US, L=California, O=Company, CN=admin
* Node cert
create: node-key-temp.pem
create: node-key.pem
create: node.csr
Ignoring -days without -x509; not generating a certificate
create: node.pem
Certificate request self-signature ok
subject=C=US, L=California, O=Company, CN=indexer
* dashboard cert
create: dashboard-key-temp.pem
create: dashboard-key.pem
create: dashboard.csr
Ignoring -days without -x509; not generating a certificate
create: dashboard.pem
Certificate request self-signature ok
subject=C=US, L=California, O=Company, CN=dashboard
* Filebeat cert
create: filebeat-key-temp.pem
create: filebeat-key.pem
create: filebeat.csr
Ignoring -days without -x509; not generating a certificate
create: filebeat.pem
Certificate request self-signature ok
subject=C=US, L=California, O=Company, CN=filebeat

Generate self-signed certificates for the Wazuh dashboard using the script at wazuh/certs/dashboard_http/generate_certs.sh or provide your own certificates.

# wazuh/certs/dashboard_http/generate_certs.sh

The required certificates are imported via secretGenerator in the kustomization.yml file:

secretGenerator:
    - name: indexer-certs
      files:
        - certs/indexer_cluster/root-ca.pem
        - certs/indexer_cluster/node.pem
        - certs/indexer_cluster/node-key.pem
        - certs/indexer_cluster/dashboard.pem
        - certs/indexer_cluster/dashboard-key.pem
        - certs/indexer_cluster/admin.pem
        - certs/indexer_cluster/admin-key.pem
        - certs/indexer_cluster/filebeat.pem
        - certs/indexer_cluster/filebeat-key.pem
    - name: dashboard-certs
      files:
        - certs/dashboard_http/cert.pem
        - certs/dashboard_http/key.pem
        - certs/indexer_cluster/root-ca.pem

Setup storage class (optional for non-EKS cluster)

The storage class provisioner varies depending on your cluster. Edit the envs/local-env/storage-class.yaml file to set the provisioner that matches your cluster type.

Check your storage class by running kubectl get sc:

# kubectl get sc

NAME                          PROVISIONER            RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
elk-gp2                       microk8s.io/hostpath   Delete          Immediate           false                  67d
microk8s-hostpath (default)   microk8s.io/hostpath   Delete          Immediate           false                  54d

The provisioner column displays microk8s.io/hostpath.

Apply all manifests

There are two variants of the manifest: one for EKS clusters located in envs/eks and the second for other cluster types located in envs/local-env.

You can adjust cluster resources by editing patches in envs/eks/ or envs/local-env/. You can also tune CPU, memory, and storage for persistent volumes of each cluster object. Remove patches from kustomization.yml or modify patch values to undo changes.

Deploy the cluster using the kustomization.yml file:

EKS cluster
```
# kubectl apply -k envs/eks/
```
Other cluster types
```
# kubectl apply -k envs/local-env/
```

Verifying the deployment

Namespace

Run the following command to check that the Wazuh namespace is active:

$ kubectl get namespaces | grep wazuh

wazuh         Active    12m

Services

Run the command below to view all running services in the Wazuh namespace:

$ kubectl get services -n wazuh

NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP        PORT(S)                          AGE
indexer               ClusterIP      xxx.yy.zzz.24    <none>             9200/TCP                         12m
dashboard             ClusterIP      xxx.yy.zzz.76    <none>             5601/TCP                         11m
wazuh                 LoadBalancer   xxx.yy.zzz.209   internal-a7a8...   1515:32623/TCP,55000:30283/TCP   9m
wazuh-cluster         ClusterIP      None             <none>             1516/TCP                         9m
Wazuh-indexer         ClusterIP      None             <none>             9300/TCP                         12m
wazuh-workers         LoadBalancer   xxx.yy.zzz.26    internal-a7f9...   1514:31593/TCP                   9m

Note

Take note of the External IP addresses for the wazuh and wazuh-workers services, as they are required during the Wazuh agent installation.

The wazuh External IP is used as the Wazuh Registration Server IP address (port 1515), while the wazuh-workers External IP is used as the Wazuh Manager IP address for event transmission (port 1514) after enrollment.

Deployments

Run the command below to check for the deployments in the Wazuh namespace:

$ kubectl get deployments -n wazuh

NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
wazuh-dashboard  1         1         1            1           11m

Statefulset

Run the command below to check the active StatefulSets in the Wazuh namespace:

$ kubectl get statefulsets -n wazuh

NAME                   READY   AGE
wazuh-indexer          3/3     15m
wazuh-manager-master   1/1     15m
wazuh-manager-worker   2/2     15m

Pods

Run the command below to view the pods status in the Wazuh namespace:

$ kubectl get pods -n wazuh

NAME                              READY     STATUS    RESTARTS   AGE
wazuh-indexer-0                   1/1       Running   0          15m
wazuh-dashboard-f4d9c7944-httsd   1/1       Running   0          14m
wazuh-manager-master-0            1/1       Running   0          12m
wazuh-manager-worker-0-0          1/1       Running   0          11m
wazuh-manager-worker-1-0          1/1       Running   0          11m

Enrolling a Wazuh agent

Follow the steps below to enroll a Wazuh agent to a Wazuh manager running in a Kubernetes environment.

Execute this command on the Kubernetes cluster and note the External IP of the wazuh and wazuh-workers load balancers:

# kubectl get services -n wazuh

NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP        PORT(S)                          AGE
indexer               ClusterIP      xxx.yy.zzz.24    <none>             9200/TCP                         12m
dashboard             ClusterIP      xxx.yy.zzz.76    <none>             5601/TCP                         11m
wazuh                 LoadBalancer   xxx.yy.zzz.209   internal-a7a8...   1515:32623/TCP,55000:30283/TCP   9m
wazuh-cluster         ClusterIP      None             <none>             1516/TCP                         9m
Wazuh-indexer         ClusterIP      None             <none>             9300/TCP                         12m
wazuh-workers         LoadBalancer   xxx.yy.zzz.26    internal-a7f9...   1514:31593/TCP                   9m

Set the following Wazuh agent deployment variables to simplify the installation, enrollment, and configuration process of the Wazuh agent.
- WAZUH_MANAGER: External IP of the wazuh-workers load balancer.
- WAZUH_REGISTRATION_SERVER: External IP of the wazuh load balancer.
- WAZUH_REGISTRATION_PASSWORD: The default password for deploying agents in Wazuh on Kubernetes is password. This password is used for enrolling new agents. The /var/ossec/etc/authd.pass file contains this password. For more information, see Using password authentication.
- WAZUH_AGENT_NAME: Name of the new Wazuh agent to be enrolled.
After setting the deployment variables, install the Wazuh agent using the Wazuh agent installation guide.
The example below shows the command you must run to set the deployment variables and install the Wazuh agent on a Linux endpoint after adding the Wazuh repository.
```
# WAZUH_MANAGER="<EXTERNAL_IP_WAZUH_WORKER>" WAZUH_REGISTRATION_SERVER="<EXTERNAL_IP_WAZUH>" WAZUH_REGISTRATION_PASSWORD="<PASSWORD>" WAZUH_AGENT_NAME="WAZUH_K8S_AGENT"  \
  apt-get install wazuh-agent
```
Replace:
- EXTERNAL_IP_WAZUH_WORKER with the external IP address of the wazuh-workers load balancer service.
- EXTERNAL_IP_WAZUH with the external IP address of the wazuh load balancer service.
- PASSWORD with the password used to enroll agents.
- WAZUH_K8S_AGENT with the Wazuh agent name that will be used for enrollment

Enable and start the Wazuh agent service.

# systemctl daemon-reload
# systemctl enable wazuh-agent
# systemctl start wazuh-agent

To learn more about enrolling Wazuh agents, see the Wazuh agent enrollment section of the documentation.

Accessing Wazuh dashboard

If you created domain names for the services, access the dashboard using the URL https://wazuh.<YOUR_DOMAIN>.com. Otherwise, access the Wazuh dashboard using the external IP address or hostname that your cloud provider assigned.

Check the services to view the external IP:

$ kubectl get services -o wide -n wazuh

NAME                  TYPE           CLUSTER-IP       EXTERNAL-IP                      PORT(S)                          AGE       SELECTOR
dashboard             LoadBalancer   xxx.xx.xxx.xxx   xxx.xx.xxx.xxx                   80:31831/TCP,443:30974/TCP       15m       app=wazuh-dashboard

Note

For a local cluster deployment where the external IP address is not accessible, you can access the Wazuh dashboard using a port-forward as shown below:

# kubectl -n wazuh port-forward --address <KUBERNETES_HOST> service/dashboard 8443:443

Replace <KUBERNETES_HOST> with the IP address of the Kubernetes host.

The Wazuh dashboard is accessible at https://<KUBERNETES_HOST>:8443.

The default credentials are admin:SecretPassword.

Change the password of Wazuh users

Improve security by changing default passwords for Wazuh users. There are two categories of Wazuh users:

Wazuh indexer users
Wazuh server API users

Wazuh indexer users

Before starting the password change process, log out of your Wazuh dashboard session. Failing to do so might result in errors when accessing Wazuh after changing user passwords due to persistent session cookies.

To change the password of the default admin and kibanaserver users, do the following.

Warning

If you have custom users, add them to the internal_users.yml file. Otherwise, executing this procedure deletes them.

Set a new password hash

Start a Bash shell in the wazuh-indexer-0 pod.

# kubectl exec -it wazuh-indexer-0 -n wazuh -- /bin/bash

Run these commands to generate the hash of your new password. When prompted, input the new password and press Enter.
```
$ export JAVA_HOME=/usr/share/wazuh-indexer/jdk
$ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
```
Warning

Do not use the $ or & characters in your new password. These characters can cause errors during deployment.
Copy the generated hash and exit the Bash shell.
Open the wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml file. Locate the block for the user whose password you want to change and replace the hash:
- admin user
```
...
admin:
    hash: "<ADMIN_PASSWORD_HASH>"
    reserved: true
    backend_roles:
    - "admin"
    description: "Demo admin user"

...
```
  Replace <ADMIN_PASSWORD_HASH> with the password hash generated in the previous step.
- kibanaserver user
```
...
kibanaserver:
    hash: "<KIBANASERVER_PASSWORD_HASH>"
    reserved: true
    description: "Demo kibanaserver user"

...
```
  Replace <KIBANASERVER_PASSWORD_HASH> with the password hash generated in the previous step.

Setting the new password

Encode your new password in base64 format. Use the -n option with the echo command as follows to avoid inserting a trailing newline character to maintain the hash value.
```
# echo -n "NewPassword" | base64
```

Edit the indexer or dashbboard secrets configuration file as follows. Replace the value of the password field with the base64 encoded password.

To change the admin user password, edit the wazuh/secrets/indexer-cred-secret.yaml file.

...
apiVersion: v1
kind: Secret
metadata:
    name: indexer-cred
data:
    username: YWRtaW4=              # string "admin" base64 encoded
    password: U2VjcmV0UGFzc3dvcmQ=  # string "SecretPassword" base64 encoded
...

To change the kibanaserver user password, edit the wazuh/secrets/dashboard-cred-secret.yaml file.

...
apiVersion: v1
kind: Secret
metadata:
    name: dashboard-cred
data:
    username: a2liYW5hc2VydmVy  # string "kibanaserver" base64 encoded
    password: a2liYW5hc2VydmVy  # string "kibanaserver" base64 encoded
...

Applying the changes

Apply the manifest changes

EKS cluster
```
# kubectl apply -k envs/eks/
```
Other cluster types
```
# kubectl apply -k envs/local-env/
```

Start a new Bash shell in the wazuh-indexer-0 pod.

# kubectl exec -it wazuh-indexer-0 -n wazuh -- /bin/bash

Set the following variables:

export INSTALLATION_DIR=/usr/share/wazuh-indexer
export CONFIG_DIR=$INSTALLATION_DIR/config
CACERT=$CONFIG_DIR/certs/root-ca.pem
KEY=$CONFIG_DIR/certs/admin-key.pem
CERT=$CONFIG_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk

Wait for the Wazuh indexer to initialize properly. The waiting time can vary from two to five minutes. It depends on the size of the cluster, the assigned resources, and the speed of the network. Then, run the securityadmin.sh script to apply all changes.
```
$ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd $CONFIG_DIR/opensearch-security/ -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9200 -icl -h $NODE_NAME
```
Force the Wazuh dashboard deployment rollout to update the component credentials.
```
$ kubectl rollout restart deploy/wazuh-dashboard -n wazuh
```

Delete all Wazuh manager pods to update the component credentials.

$ kubectl delete -n wazuh pod/wazuh-manager-master-0 pod/wazuh-manager-worker-0 pod/wazuh-manager-worker-1

Wazuh server API users

The wazuh-wui user is the default user used to connect to the Wazuh server API. Follow the steps below to change the password.

Note

The password for Wazuh server API users must be between 8 and 64 characters long. It must contain at least one uppercase and one lowercase letter, a number, and a symbol.

Encode your new password in base64 format. Use the -n option with the echo command as follows to avoid inserting a trailing newline character to maintain the hash value.
```
# echo -n "NewPassword" | base64
```

Edit the wazuh/secrets/wazuh-api-cred-secret.yaml file and replace the value of the password field.

apiVersion: v1
kind: Secret
metadata:
    name: wazuh-api-cred
    namespace: wazuh
data:
    username: d2F6dWgtd3Vp          # string "wazuh-wui" base64 encoded
    password: UGFzc3dvcmQxMjM0LmE=  # string "MyS3cr37P450r.*-" base64 encoded

Apply the manifest changes.
# kubectl apply -k envs/eks/

Restart the Wazuh dashboard and Wazuh manager master pods.

# kubectl delete pod wazuh-manager-master-0 wazuh-manager-worker-0-0 wazuh-manager-worker-1-0 wazuh-dashboard-f4d9c7944-httsd

Agents

The Wazuh agent can be deployed directly within your Kubernetes environment to monitor workloads, pods, and container activity. This setup provides visibility into the cluster’s runtime behavior, helping detect threats and configuration issues at the container and node levels.

There are two main deployment models for Wazuh agents in Kubernetes:

DaemonSet deployment where one Wazuh agent runs on each node to monitor the node and all containers on that node.
Sidecar deployment where the Wazuh agent runs as a companion container alongside a specific application pod to monitor that application only.

Deploying the Wazuh Agent as a DaemonSet

This is the most common approach for full-cluster monitoring. Each node runs one agent, ensuring complete coverage without manual intervention when new nodes are added.

Create the Wazuh Agent DaemonSet manifest wazuh-agent-daemonset.yaml:

apiVersion: v1
kind: Namespace
metadata:
  name: wazuh-daemonset
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: wazuh-agent
  namespace: wazuh-daemonset
spec:
  selector:
    matchLabels:
      app: wazuh-agent
  template:
    metadata:
      labels:
        app: wazuh-agent
    spec:
      serviceAccountName: default
      terminationGracePeriodSeconds: 20

      #        INIT CONTAINERS
      initContainers:
        # 1) Clean stale PID / lock files
        - name: cleanup-ossec-stale
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              echo "[init] Cleaning old locks..."
              mkdir -p /agent/var/run /agent/queue/ossec
              rm -f /agent/var/run/*.pid || true
              rm -f /agent/queue/ossec/*.lock || true
          volumeMounts:
            - name: ossec-data
              mountPath: /agent
        # 2) Seed /var/ossec into hostPath (first run only)
        - name: seed-ossec-tree
          image: wazuh/wazuh-agent:5.0.0
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              echo "[init] Checking if seeding is required..."
              if [ ! -d /agent/bin ]; then
                echo "[init] Seeding /var/ossec to hostPath..."
                tar -C /var/ossec -cf - . | tar -C /agent -xpf -
              else
                echo "[init] Existing data found, skipping seed"
              fi
          volumeMounts:
            - name: ossec-data
              mountPath: /agent
        # 3) Fix ownership/permissions
        - name: fix-permissions
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              echo "[init] Fixing permissions..."
              for d in etc logs queue var rids tmp "active-response"; do
                [ -d "/agent/$d" ] && chown -R 999:999 "/agent/$d"
              done
              chown -R 0:0 /agent/bin /agent/lib || true
              find /agent/bin -type f -exec chmod 0755 {} \; || true
          volumeMounts:
            - name: ossec-data
              mountPath: /agent
        # 4) Write ossec.conf with PASSWORD ENROLLMENT
        - name: write-ossec-config
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          env:
            - name: WAZUH_MANAGER
              value: "<EXTERNAL_IP_WAZUH_WORKER>"
            - name: WAZUH_PORT
              value: "1514"
            - name: WAZUH_PROTOCOL
              value: "tcp"
            - name: WAZUH_REGISTRATION_SERVER
              value: "<EXTERNAL_IP_WAZUH>"
            - name: WAZUH_REGISTRATION_PORT
              value: "1515"
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              echo "[init] Writing ossec.conf..."
              mkdir -p /agent/etc
              cat > /agent/etc/ossec.conf <<EOF
              <ossec_config>
                <client>
                  <server>
                    <address>${WAZUH_MANAGER}</address>
                    <port>${WAZUH_PORT}</port>
                    <protocol>${WAZUH_PROTOCOL}</protocol>
                  </server>
                  <enrollment>
                    <enabled>yes</enabled>
                    <agent_name>${NODE_NAME}</agent_name>
                    <manager_address>${WAZUH_REGISTRATION_SERVER}</manager_address>
                    <port>${WAZUH_REGISTRATION_PORT}</port>
                    <authorization_pass_path>/var/ossec/etc/authd.pass</authorization_pass_path>
                  </enrollment>
                </client>
              </ossec_config>
              EOF
              chown 999:999 /agent/etc/ossec.conf
              chmod 0640 /agent/etc/ossec.conf
          volumeMounts:
            - name: ossec-data
              mountPath: /agent

        # 5) Copy authd.pass from Secret and fix ownership
        - name: fix-authd-pass-perms
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              echo "[init] Copying authd.pass from Secret..."
              mkdir -p /agent/etc
              cp /secret/authd.pass /agent/etc/authd.pass
              chown 0:999 /agent/etc/authd.pass
              chmod 0640 /agent/etc/authd.pass
              ls -l /agent/etc/authd.pass
          volumeMounts:
            - name: ossec-data
              mountPath: /agent
            - name: wazuh-authd-pass
              mountPath: /secret/authd.pass
              subPath: authd.pass
              readOnly: true

      #        MAIN CONTAINER
      containers:
        - name: wazuh-agent
          image: wazuh/wazuh-agent:5.0.0
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              ln -sf /var/ossec/etc/ossec.conf /etc/ossec.conf || true
              exec /init
          env:
            - name: WAZUH_MANAGER
              value: "<EXTERNAL_IP_WAZUH_WORKER>"
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          securityContext:
            runAsUser: 0
            allowPrivilegeEscalation: true
            capabilities:
              add: ["SETGID","SETUID"]
          volumeMounts:
            - name: varlog
              mountPath: /var/log
              readOnly: true
            - name: ossec-data
              mountPath: /var/ossec

      #            VOLUMES
      volumes:
        - name: varlog
          hostPath:
            path: /var/log
            type: Directory
        - name: ossec-data
          hostPath:
            path: /var/lib/wazuh
            type: DirectoryOrCreate
        - name: wazuh-authd-pass
          secret:
            secretName: wazuh-authd-pass

apiVersion: v1
kind: Namespace
metadata:
  name: wazuh-daemonset
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: wazuh-agent
  namespace: wazuh-daemonset
spec:
  selector:
    matchLabels:
      app: wazuh-agent
  template:
    metadata:
      labels:
        app: wazuh-agent
    spec:
      serviceAccountName: default
      terminationGracePeriodSeconds: 20

      #        INIT CONTAINERS
      initContainers:
        # 1) Clean stale PID / lock files
        - name: cleanup-ossec-stale
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              echo "[init] Cleaning old locks..."
              mkdir -p /agent/var/run /agent/queue/ossec
              rm -f /agent/var/run/*.pid || true
              rm -f /agent/queue/ossec/*.lock || true
          volumeMounts:
            - name: ossec-data
              mountPath: /agent

        # 2) Seed /var/ossec into hostPath (first run only)
        - name: seed-ossec-tree
          image: wazuh/wazuh-agent:5.0.0
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              echo "[init] Checking if seeding is required..."
              if [ ! -d /agent/bin ]; then
                echo "[init] Seeding /var/ossec to hostPath..."
                tar -C /var/ossec -cf - . | tar -C /agent -xpf -
              else
                echo "[init] Existing data found, skipping seed"
              fi
          volumeMounts:
            - name: ossec-data
              mountPath: /agent

        # 3) Fix ownership/permissions
        - name: fix-permissions
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              echo "[init] Fixing permissions..."
              for d in etc logs queue var rids tmp "active-response"; do
                [ -d "/agent/$d" ] && chown -R 999:999 "/agent/$d"
              done
              chown -R 0:0 /agent/bin /agent/lib || true
              find /agent/bin -type f -exec chmod 0755 {} \; || true
          volumeMounts:
            - name: ossec-data
              mountPath: /agent

        # 4) Write ossec.conf with PASSWORD ENROLLMENT
        - name: write-ossec-config
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          env:
            - name: WAZUH_MANAGER
              value: "<EXTERNAL_IP_WAZUH_WORKER>"
            - name: WAZUH_PORT
              value: "1514"
            - name: WAZUH_PROTOCOL
              value: "tcp"
            - name: WAZUH_REGISTRATION_SERVER
              value: "<EXTERNAL_IP_WAZUH>"
            - name: WAZUH_REGISTRATION_PORT
              value: "1515"
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              echo "[init] Writing ossec.conf..."
              mkdir -p /agent/etc


              cat > /agent/etc/ossec.conf <<EOF
              <ossec_config>
                <client>
                  <server>
                    <address>${WAZUH_MANAGER}</address>
                    <port>${WAZUH_PORT}</port>
                    <protocol>${WAZUH_PROTOCOL}</protocol>
                  </server>

                  <enrollment>
                    <enabled>yes</enabled>
                    <agent_name>${NODE_NAME}</agent_name>
                    <manager_address>${WAZUH_REGISTRATION_SERVER}</manager_address>
                    <port>${WAZUH_REGISTRATION_PORT}</port>
                    <authorization_pass_path>/var/ossec/etc/authd.pass</authorization_pass_path>
                  </enrollment>
                </client>
              </ossec_config>
              EOF

              chown 999:999 /agent/etc/ossec.conf
              chmod 0640 /agent/etc/ossec.conf
          volumeMounts:
            - name: ossec-data
              mountPath: /agent

        # 5) Copy authd.pass from Secret and fix ownership
        - name: fix-authd-pass-perms
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              echo "[init] Copying authd.pass from Secret..."
              mkdir -p /agent/etc
              cp /secret/authd.pass /agent/etc/authd.pass
              chown 0:999 /agent/etc/authd.pass
              chmod 0640 /agent/etc/authd.pass
              ls -l /agent/etc/authd.pass
          volumeMounts:
            - name: ossec-data
              mountPath: /agent
            - name: wazuh-authd-pass
              mountPath: /secret/authd.pass
              subPath: authd.pass
              readOnly: true


      #        MAIN CONTAINER
      containers:
        - name: wazuh-agent
          image: wazuh/wazuh-agent:5.0.0
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              ln -sf /var/ossec/etc/ossec.conf /etc/ossec.conf || true
              exec /init
          env:
            - name: WAZUH_MANAGER
              value: "<EXTERNAL_IP_WAZUH_WORKER>"
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          securityContext:
            runAsUser: 0
            allowPrivilegeEscalation: true
            capabilities:
              add: ["SETGID","SETUID"]
          volumeMounts:
            - name: varlog
              mountPath: /var/log
              readOnly: true
            - name: dockersock
              mountPath: /var/run/docker.sock
              readOnly: true
            - name: ossec-data
              mountPath: /var/ossec


      #            VOLUMES
      volumes:
        - name: varlog
          hostPath:
            path: /var/log
            type: Directory
        - name: dockersock
          hostPath:
            path: /var/run/docker.sock
            type: Socket
        - name: ossec-data
          hostPath:
            path: /var/lib/wazuh
            type: DirectoryOrCreate
        - name: wazuh-authd-pass
          secret:
            secretName: wazuh-authd-pass

Note

The manifest in this example is for the Docker container runtime.

Replace:

<EXTERNAL_IP_WAZUH_WORKER> with the External IP of the wazuh-workers load balancer.
<EXTERNAL_IP_WAZUH> with the External IP of the wazuh load balancer.

Create the namespace:

$ kubectl create namespace wazuh-daemonset

Create the Kubernetes secret for the enrollment password:
```
$ kubectl create secret generic wazuh-authd-pass \
  -n wazuh-daemonset \
  --from-literal=authd.pass=password
```
Note

The default password for enrolling the Wazuh agent in your Kubernetes cluster is password. This value is stored in the /var/ossec/etc/authd.pass file on the Wazuh Manager. For more information, see Using password authentication documentation.

Deploy the Wazuh agent:

$ kubectl apply -f wazuh-agent-daemonset.yaml

Verify that the Wazuh agent was deployed across all nodes with the following command:

$ kubectl get pods -n wazuh-daemonset -o wide

NAME                READY   STATUS    RESTARTS   AGE   IP          NODE     NOMINATED NODE   READINESS GATES
wazuh-agent-t2fwl   1/1     Running   0          21m   10.42.0.9   server   <none>           <none>

Deploying the Wazuh Agent as a Sidecar

The sidecar approach is ideal for targeted monitoring of sensitive applications or workloads that require isolated log collection. Perform the steps below to deploy Wazuh as a Sidecar:

Modify your application's deployment to include the Wazuh agent container. In the example below, we deploy Wazuh alongside the Apache Tomcat application from the wazuh-agent-sidecar.yaml deployment file:

apiVersion: v1
kind: Namespace
metadata:
  name: wazuh-sidecar
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: tomcat-wazuh-agent
  namespace: wazuh-sidecar
spec:
  serviceName: tomcat-app
  replicas: 1
  selector:
    matchLabels:
      app: tomcat-wazuh-agent
  template:
    metadata:
      labels:
        app: tomcat-wazuh-agent
    spec:
      terminationGracePeriodSeconds: 20
      securityContext:
        fsGroup: 999
        fsGroupChangePolicy: OnRootMismatch

      #        INIT CONTAINERS
      initContainers:
        - name: cleanup-ossec-stale
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 0
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              mkdir -p /agent/var/run /agent/queue/ossec
              rm -f /agent/var/run/*.pid || true
              rm -f /agent/queue/ossec/*.lock || true
              echo "Cleanup complete. Ready for next init step."
          volumeMounts:
            - name: wazuh-agent-data
              mountPath: /agent

        - name: seed-ossec-tree
          image: wazuh/wazuh-agent:5.0.0
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 0
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              if [ ! -d /agent/bin ]; then
                echo "Seeding /var/ossec into PVC..."
                tar -C /var/ossec -cf - . | tar -C /agent -xpf -
              else
                echo "Existing Wazuh data found, skipping seed."
              fi
          volumeMounts:
            - name: wazuh-agent-data
              mountPath: /agent

        - name: write-ossec-config
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 0
          env:
            - name: WAZUH_MANAGER
              value: "<EXTERNAL_IP_WAZUH_WORKER>"
            - name: WAZUH_PORT
              value: "1514"
            - name: WAZUH_PROTOCOL
              value: "tcp"
            - name: WAZUH_REGISTRATION_SERVER
              value: "<EXTERNAL_IP_WAZUH>"
            - name: WAZUH_REGISTRATION_PORT
              value: "1515"
            - name: WAZUH_AGENT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              mkdir -p /agent/etc
              cat > /agent/etc/ossec.conf <<'EOF'
              <ossec_config>
                <client>
                  <server>
                    <address>${WAZUH_MANAGER}</address>
                    <port>${WAZUH_PORT}</port>
                    <protocol>${WAZUH_PROTOCOL}</protocol>
                  </server>
                  <enrollment>
                    <enabled>yes</enabled>
                    <agent_name>${WAZUH_AGENT_NAME}</agent_name>
                    <manager_address>${WAZUH_REGISTRATION_SERVER}</manager_address>
                    <port>${WAZUH_REGISTRATION_PORT}</port>
                    <authorization_pass_path>/var/ossec/etc/authd.pass</authorization_pass_path>
                  </enrollment>
                </client>
                <localfile>
                  <log_format>syslog</log_format>
                  <location>/usr/local/tomcat/logs/catalina.out</location>
                </localfile>
              </ossec_config>
              EOF

              sed -i \
                -e "s|\${WAZUH_MANAGER}|${WAZUH_MANAGER}|g" \
                -e "s|\${WAZUH_PORT}|${WAZUH_PORT}|g" \
                -e "s|\${WAZUH_PROTOCOL}|${WAZUH_PROTOCOL}|g" \
                -e "s|\${WAZUH_REGISTRATION_SERVER}|${WAZUH_REGISTRATION_SERVER}|g" \
                -e "s|\${WAZUH_REGISTRATION_PORT}|${WAZUH_REGISTRATION_PORT}|g" \
                -e "s|\${WAZUH_AGENT_NAME}|${WAZUH_AGENT_NAME}|g" \
                /agent/etc/ossec.conf

              chown 999:999 /agent/etc/ossec.conf
              chmod 0640 /agent/etc/ossec.conf
          volumeMounts:
            - name: wazuh-agent-data
              mountPath: /agent

        - name: fix-authd-pass-perms
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 0
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              echo "Copying authd.pass from Secret..."
              mkdir -p /agent/etc
              cp /secret/authd.pass /agent/etc/authd.pass
              chown 0:999 /agent/etc/authd.pass
              chmod 0640 /agent/etc/authd.pass
              ls -l /agent/etc/authd.pass
          volumeMounts:
            - name: wazuh-agent-data
              mountPath: /agent
            - name: wazuh-authd-pass
              mountPath: /secret/authd.pass
              subPath: authd.pass
              readOnly: true


      #        MAIN CONTAINERS
      containers:
        - name: tomcat
          image: tomcat:10.1-jdk17
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: application-data
              mountPath: /usr/local/tomcat/logs
        - name: wazuh-agent
          image: wazuh/wazuh-agent:5.0.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command: ["/bin/sh", "-lc", "/var/ossec/bin/ossec-control stop || true; sleep 2"]
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              ln -sf /var/ossec/etc/ossec.conf /etc/ossec.conf
              exec /init
          env:
            - name: WAZUH_MANAGER
              value: "<EXTERNAL_IP_WAZUH_WORKER>"
            - name: WAZUH_PORT
              value: "1514"
            - name: WAZUH_PROTOCOL
              value: "tcp"
            - name: WAZUH_REGISTRATION_SERVER
              value: "<EXTERNAL_IP_WAZUH>"
            - name: WAZUH_REGISTRATION_PORT
              value: "1515"
            - name: WAZUH_AGENT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          volumeMounts:
            - name: wazuh-agent-data
              mountPath: /var/ossec
            - name: application-data
              mountPath: /usr/local/tomcat/logs

      #            VOLUMES
      volumes:
        - name: wazuh-authd-pass
          secret:
            secretName: wazuh-authd-pass
  volumeClaimTemplates:
    - metadata:
        name: wazuh-agent-data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: gp2  # Adjust according to your cluster's StorageClass
        resources:
          requests:
            storage: 3Gi
    - metadata:
        name: application-data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: gp2  # Adjust according to your cluster's StorageClass
        resources:
          requests:
            storage: 5Gi
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat-app
  namespace: wazuh-sidecar
spec:
  selector:
    app: tomcat-wazuh-agent
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
      nodePort: 30013
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
      nodePort: 30013

Note

Before applying the manifest, confirm the StorageClass names in your cluster by running the command kubectl get sc. In this example, the cluster uses the gp2 StorageClass.

apiVersion: v1
kind: Namespace
metadata:
  name: wazuh-sidecar
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: tomcat-wazuh-agent
  namespace: wazuh-sidecar
spec:
  serviceName: tomcat-app
  replicas: 1
  selector:
    matchLabels:
      app: tomcat-wazuh-agent
  template:
    metadata:
      labels:
        app: tomcat-wazuh-agent
    spec:
      terminationGracePeriodSeconds: 20
      securityContext:
        fsGroup: 999
        fsGroupChangePolicy: OnRootMismatch

      #        INIT CONTAINERS
      initContainers:
        - name: cleanup-ossec-stale
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 0
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              mkdir -p /agent/var/run /agent/queue/ossec
              rm -f /agent/var/run/*.pid || true
              rm -f /agent/queue/ossec/*.lock || true
              echo "Cleanup complete. Ready for next init step."
          volumeMounts:
            - name: wazuh-agent-data
              mountPath: /agent
        - name: seed-ossec-tree
          image: wazuh/wazuh-agent:5.0.0
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 0
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              if [ ! -d /agent/bin ]; then
                echo "Seeding /var/ossec into PVC..."
                tar -C /var/ossec -cf - . | tar -C /agent -xpf -
              else
                echo "Existing Wazuh data found, skipping seed."
              fi
          volumeMounts:
            - name: wazuh-agent-data
              mountPath: /agent

        - name: write-ossec-config
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 0
          env:
            - name: WAZUH_MANAGER
              value: "<EXTERNAL_IP_WAZUH_WORKER>"
            - name: WAZUH_PORT
              value: "1514"
            - name: WAZUH_PROTOCOL
              value: "tcp"
            - name: WAZUH_REGISTRATION_SERVER
              value: "<EXTERNAL_IP_WAZUH>"
            - name: WAZUH_REGISTRATION_PORT
              value: "1515"
            - name: WAZUH_AGENT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              mkdir -p /agent/etc
              cat > /agent/etc/ossec.conf <<'EOF'
              <ossec_config>
                <client>
                  <server>
                    <address>${WAZUH_MANAGER}</address>
                    <port>${WAZUH_PORT}</port>
                    <protocol>${WAZUH_PROTOCOL}</protocol>
                  </server>
                  <enrollment>
                    <enabled>yes</enabled>
                    <agent_name>${WAZUH_AGENT_NAME}</agent_name>
                    <manager_address>${WAZUH_REGISTRATION_SERVER}</manager_address>
                    <port>${WAZUH_REGISTRATION_PORT}</port>
                    <authorization_pass_path>/var/ossec/etc/authd.pass</authorization_pass_path>
                  </enrollment>
                </client>
                <localfile>
                  <log_format>syslog</log_format>
                  <location>/usr/local/tomcat/logs/catalina.out</location>
                </localfile>
              </ossec_config>
              EOF

              sed -i \
                -e "s|\${WAZUH_MANAGER}|${WAZUH_MANAGER}|g" \
                -e "s|\${WAZUH_PORT}|${WAZUH_PORT}|g" \
                -e "s|\${WAZUH_PROTOCOL}|${WAZUH_PROTOCOL}|g" \
                -e "s|\${WAZUH_REGISTRATION_SERVER}|${WAZUH_REGISTRATION_SERVER}|g" \
                -e "s|\${WAZUH_REGISTRATION_PORT}|${WAZUH_REGISTRATION_PORT}|g" \
                -e "s|\${WAZUH_AGENT_NAME}|${WAZUH_AGENT_NAME}|g" \
                /agent/etc/ossec.conf

              chown 999:999 /agent/etc/ossec.conf
              chmod 0640 /agent/etc/ossec.conf
          volumeMounts:
            - name: wazuh-agent-data
              mountPath: /agent

        - name: fix-authd-pass-perms
          image: busybox:1.36
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 0
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              echo "Copying authd.pass from Secret..."
              mkdir -p /agent/etc
              cp /secret/authd.pass /agent/etc/authd.pass
              chown 0:999 /agent/etc/authd.pass
              chmod 0640 /agent/etc/authd.pass
              ls -l /agent/etc/authd.pass
          volumeMounts:
            - name: wazuh-agent-data
              mountPath: /agent
            - name: wazuh-authd-pass
              mountPath: /secret/authd.pass
              subPath: authd.pass
              readOnly: true

      #        MAIN CONTAINERS
      containers:
        - name: tomcat
          image: tomcat:10.1-jdk17
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: application-data
              mountPath: /usr/local/tomcat/logs

        - name: wazuh-agent
          image: wazuh/wazuh-agent:5.0.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command: ["/bin/sh", "-lc", "/var/ossec/bin/ossec-control stop || true; sleep 2"]
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -e
              ln -sf /var/ossec/etc/ossec.conf /etc/ossec.conf
              exec /init
          env:
            - name: WAZUH_MANAGER
              value: "<EXTERNAL_IP_WAZUH_WORKER>"
            - name: WAZUH_PORT
              value: "1514"
            - name: WAZUH_PROTOCOL
              value: "tcp"
            - name: WAZUH_REGISTRATION_SERVER
              value: "<EXTERNAL_IP_WAZUH>"
            - name: WAZUH_REGISTRATION_PORT
              value: "1515"
            - name: WAZUH_AGENT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          volumeMounts:
            - name: wazuh-agent-data
              mountPath: /var/ossec
            - name: application-data
              mountPath: /usr/local/tomcat/logs

      #            VOLUMES
      volumes:
        - name: wazuh-authd-pass
          secret:
            secretName: wazuh-authd-pass
  volumeClaimTemplates:
    - metadata:
        name: wazuh-agent-data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 3Gi
    - metadata:
        name: application-data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 5Gi
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat-app
  namespace: wazuh-sidecar
spec:
  selector:
    app: tomcat-wazuh-agent
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
      nodePort: 30013

Note

The manifest in this example is for the Docker container runtime.

Replace:

<EXTERNAL_IP_WAZUH_WORKER> with the External IP of the wazuh-workers load balancer.
<EXTERNAL_IP_WAZUH> with the External IP of the wazuh load balancer.

Create the namespace for the Wazuh agent and the Node.js application:
```
# kubectl create namespace wazuh-sidecar
```
Create the Kubernetes secret for the enrollment password:
```
$ kubectl create secret generic wazuh-authd-pass \
  -n wazuh-sidecar \
  --from-literal=authd.pass=password
```
Note

The default password for enrolling the Wazuh agent in your Kubernetes cluster is password. This value is stored in the /var/ossec/etc/authd.pass file on the Wazuh Manager. For more information, see Using password authentication documentation.

Deploy the sidecar setup:

# kubectl apply -f wazuh-agent-sidecar.yaml

Run the command below to confirm that the tomcat-wazuh-agent pod is running:

# kubectl get pods -n wazuh-sidecar

NAME                           READY   STATUS     RESTARTS   AGE
tomcat-wazuh-agent-0   2/2     Running           0          18s

Upgrade Wazuh installed in Kubernetes

This section provides a guide to upgrading your Wazuh deployment in a Kubernetes environment while preserving existing configurations and data. Because Wazuh uses persistent volumes and Docker-based components, updates can be performed seamlessly without losing prior settings or logs.

Check files exported to the volume

The Kubernetes deployment uses Wazuh Docker images. The following directories and files are used in the upgrade:

/var/ossec/api/configuration
/var/ossec/etc
/var/ossec/logs
/var/ossec/queue
/var/ossec/var/multigroups
/var/ossec/integrations
/var/ossec/active-response/bin
/var/ossec/agentless
/var/ossec/wodles
/etc/filebeat
/var/lib/filebeat
/usr/share/wazuh-dashboard/config/
/usr/share/wazuh-dashboard/certs/
/var/lib/wazuh-indexer
/usr/share/wazuh-indexer/config/certs/
/usr/share/wazuh-indexer/config/opensearch.yml
/usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml

Any modifications to these files are also made in the associated volume. When a replica pod is created, it gets those files from the volume, keeping the previous changes.

Recreating certificates

Upgrading from a version earlier than v4.8.0 requires you to recreate the SSL certificates. Clone the wazuh-kubernetes repository and check out the v5.0.0 tag. Then, follow the instructions in Setup SSL certificates.

Configuring the upgrade

To upgrade to version 5.0.0, you can follow one of two strategies.

Using default manifests : This strategy uses the default manifests for Wazuh 5.0. It replaces the wazuh-kubernetes manifests of your outdated Wazuh version.
Keeping custom manifests : This strategy preserves the wazuh-kubernetes manifests of your outdated Wazuh deployment. It ignores the manifests of the latest Wazuh version.

Using default manifests

To upgrade your deployment using the default manifests, perform the following steps.

Checkout the tag for the current version of wazuh-kubernetes:
```
# git checkout v5.0.0
```
Apply the new configuration.

Keeping custom manifests

The following approach allows administrators to preserve their existing deployment configurations instead of overwriting them with the default manifests from the new version. This method is ideal for environments with custom settings, resource allocations, network policies, or integrations that must remain intact during the upgrade.

The upgrade process differs slightly depending on your current Wazuh version.

If you are upgrading from version 4.3, update the Java Opts variable name with the new one.
Update old paths with the new ones.
If you are upgrading from a version earlier than 4.8, update configuration parameters.
Modify tags of Wazuh images.

Next, apply the new configuration.

Updating Java Opts variable name

If you are upgrading from version 4.3, you must replace ES_JAVA_OPTS with OPENSEARCH_JAVA_OPTS and modify the value.
- wazuh/wazuh_managers/wazuh-master-sts.yaml
```
env:
  - name: OPENSEARCH_JAVA_OPTS
    value: '-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true'
```

Updating old paths

Wazuh dashboard

Edit wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml and do the following replacements.
- Replace /usr/share/wazuh-dashboard/config/certs/ with /usr/share/wazuh-dashboard/certs/.
Edit wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml and do the following replacements.
- Replace /usr/share/wazuh-dashboard/config/certs/ with /usr/share/wazuh-dashboard/certs/.

Wazuh indexer

Edit wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml and do the following replacements.

Replace /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ with /usr/share/wazuh-indexer/opensearch-security/.

Add the following statements:

volumes:
- name: indexer-certs
   secret:
      secretName: indexer-certs
      defaultMode: 0600
- name: indexer-conf
   configMap:
      name: indexer-conf
      defaultMode: 0600

spec:
   securityContext:
     fsGroup: 1000
   # Set the wazuh-indexer volume permissions so the wazuh-indexer user can use it
   volumes:
   - name: indexer-certs

securityContext:
   runAsUser: 1000
   runAsGroup: 1000
   capabilities:
      add: ["SYS_CHROOT"]

Wazuh indexer

Edit wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml and do the following replacements and additions.

Replace /usr/share/wazuh-indexer/certs/ with /usr/share/wazuh-indexer/config/certs/.
Replace /usr/share/wazuh-indexer/opensearch.yml with /usr/share/wazuh-indexer/config/opensearch.yml.
Replace /usr/share/wazuh-indexer/opensearch-security/internal_users.yml with /usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml.

Add the following statements:

volumes:
- name: indexer-certs
   secret:
      secretName: indexer-certs
      defaultMode: 0600
- name: indexer-conf
   configMap:
      name: indexer-conf
      defaultMode: 0600

spec:
   securityContext:
     fsGroup: 1000
   # Set the wazuh-indexer volume permissions so the wazuh-indexer user can use it
   volumes:
   - name: indexer-certs

securityContext:
   runAsUser: 1000
   runAsGroup: 1000
   capabilities:
      add: ["SYS_CHROOT"]

Edit wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml and do the following replacements.
- Replace /usr/share/wazuh-indexer/certs/ with /usr/share/wazuh-indexer/config/certs/.

Updating configuration parameters

Update the defaultRoute parameter in the Wazuh dashboard configuration.
- wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml.
```
uiSettings.overrides.defaultRoute: /app/wz-home
```
Edit opensearch.yml and modify CN for Wazuh indexer.
- wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
```
plugins.security.nodes_dn:
  - CN=indexer,O=Company,L=California,C=US
```

Edit the following files and modify all Wazuh indexer URLs in the deployment.

wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml

env:
  - name: INDEXER_URL
    value: 'https://indexer:9200'

wazuh/wazuh_managers/wazuh-master-sts.yaml

env:
  - name: INDEXER_URL
    value: 'https://indexer:9200'

wazuh/wazuh_managers/wazuh-worker-sts.yaml

env:
  - name: INDEXER_URL
    value: 'https://indexer:9200'

Edit the following files of the v5.0.0 tag and apply all the customizations from your Wazuh manager ossec.conf file.
- wazuh/wazuh_managers/wazuh_conf/master.conf
- wazuh/wazuh_managers/wazuh_conf/worker.conf

Modifying tags of Wazuh images

Modify the tag of Wazuh images in the different statefulsets and deployments.

image: 'wazuh/wazuh-dashboard:5.0.0'
image: 'wazuh/wazuh-manager:5.0.0'
image: 'wazuh/wazuh-indexer:5.0.0'

Apply the new configuration

The last step is to apply the new configuration:

EKS cluster
$ kubectl apply -k envs/eks/
Other cluster types
$ kubectl apply -k envs/local-env/

 statefulset.apps "wazuh-manager-master" configured

This process will end the old pod while creating a new one with the new version, linked to the same volume. Once the Pods are booted, the update will be ready, and we can check the new version of Wazuh installed, the cluster, and the changes that have been maintained through the use of the volumes.

Clean Up

When you no longer need your Wazuh Kubernetes deployment or want a fresh deployment, it is important to properly remove all resources to prevent orphaned configurations or volumes from consuming cluster resources.

This section outlines the steps required to completely clean up your environment, including deleting StatefulSets, services, ConfigMaps, and persistent volumes associated with the Wazuh cluster.

Follow the steps below to delete all deployments, services, and volumes.

Remove the entire cluster

The deployment of the Wazuh cluster of managers involves the use of different StatefulSet elements as well as configuration maps and services.

To delete your Wazuh cluster, execute the following command from the repository directory.
- EKS cluster
```
$ kubectl delete -k envs/eks/
```
- Other cluster types
  $ kubectl delete -k envs/local-env/
This will remove every resource defined on the kustomization.yml file.

Remove the persistent volumes.

$ kubectl get persistentvolume

NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS        CLAIM                                                         STORAGECLASS             REASON    AGE
pvc-024466da-f7c5-11e8-b9b8-022ada63b4ac   10Gi       RWO            Retain           Released      wazuh/wazuh-manager-worker-wazuh-manager-worker-1-0           gp2-encrypted-retained             6d
pvc-b3226ad3-f7c4-11e8-b9b8-022ada63b4ac   30Gi       RWO            Retain           Bound         wazuh/wazuh-indexer-wazuh-indexer-0                           gp2-encrypted-retained             6d
pvc-fb821971-f7c4-11e8-b9b8-022ada63b4ac   10Gi       RWO            Retain           Released      wazuh/wazuh-manager-master-wazuh-manager-master-0             gp2-encrypted-retained             6d
pvc-ffe7bf66-f7c4-11e8-b9b8-022ada63b4ac   10Gi       RWO            Retain           Released      wazuh/wazuh-manager-worker-wazuh-manager-worker-0-0           gp2-encrypted-retained             6d

$ kubectl delete persistentvolume pvc-b3226ad3-f7c4-11e8-b9b8-022ada63b4ac

Repeat the kubectl delete command to delete all Wazuh related persistent volumes.

Warning

Do not forget to delete the volumes manually where necessary.

Offline installation guide

You can install Wazuh even without an Internet connection. Installing the solution offline involves first downloading the Wazuh central components on a system with Internet access, then transferring and installing them on the offline system. Wazuh supports both all-in-one and distributed deployments. The Wazuh server, indexer, and dashboard can run on the same host in an all-in-one setup, or be installed on separate hosts for a distributed deployment. It supports 64-bit architectures, including x86_64/AMD64 and AARCH64/ARM64.

For more information about the hardware requirements and the recommended operating systems, check the Requirements section.

Note

You need root user privileges to run all the commands described below.

Prerequisites

curl, tar, and setcap need to be installed in the target system where the offline installation will be carried out. gnupg might need to be installed as well for some Debian-based systems.
In some systems, the command cp is an alias for cp -i — you can check this by running alias cp. If this is your case, use unalias cp to avoid being asked for confirmation to overwrite files.

Download the packages and configuration files

From a Linux system with Internet access, run the script below to download all files needed for offline installation. Choose the package format (RPM or DEB) and architecture (x86_64/AMD64 or AARCH64/ARM64).

Run the command on any Linux system with Internet access to download and prepare the Wazuh offline installer script
```
# curl -sO https://packages.wazuh.com/5.0/wazuh-install.sh

# chmod 744 wazuh-install.sh
```

Download packages by architecture and format

x86_64 / AMD64

# ./wazuh-install.sh -dw rpm -da x86_64

AARCH64 / ARM64

# ./wazuh-install.sh -dw rpm -da aarch64

x86_64 / AMD64

# ./wazuh-install.sh -dw deb -da amd64

AARCH64 / ARM64

# ./wazuh-install.sh -dw deb -da arm64

Download the certificates configuration file.

# curl -sO https://packages.wazuh.com/5.0/config.yml

Edit config.yml to prepare the certificates creation.
- If you are performing an all-in-one deployment, replace "<indexer-node-ip>", "<wazuh-manager-ip>", and "<dashboard-node-ip>" with 127.0.0.1.
- If you are performing a distributed deployment, replace the node names and IP values with the corresponding names and IP addresses. You need to do this for all the Wazuh server, Wazuh indexer, and Wazuh dashboard nodes. Add as many node fields as needed.
Run the ./wazuh-install.sh -g command to create the certificates. For a multi-node cluster, these certificates need to be later deployed to all Wazuh instances in your cluster.
```
# ./wazuh-install.sh -g
```
Copy or move the following files to a directory on the host(s) from where the offline installation will be carried out. You can use scp for this.
- wazuh-install.sh
- wazuh-offline.tar.gz
- wazuh-install-files.tar

Next steps

Once the Wazuh files are ready and copied to the specified hosts, it is necessary to install the Wazuh components.

Please make sure that a copy of the wazuh-install-files.tar and wazuh-offline.tar.gz files, created during the initial configuration step, is placed in your working directory.

Install Wazuh components using the assisted method

Single-node offline installation

Install and configure the single-node server on a 64-bit (x86_64/AMD64 or AARCH64/ARM64) architecture with the aid of the Wazuh assisted installation method.

Note

You need root user privileges to run all the commands described below.

Please, make sure that a copy of the wazuh-install-files.tar and wazuh-offline.tar.gz files, created during the initial configuration step, is placed in your working directory.

The following dependencies must be installed on the Wazuh single node.

coreutils
libcap

To perform the offline installation with the --offline-installation of Wazuh server on a single-node using the assisted method, run:
```
# bash wazuh-install.sh --offline-installation -a
```
Once the installation is finished, the output shows the access credentials and a message that confirms that the installation was successful.
```
INFO: --- Summary ---
INFO: You can access the web interface https://<WAZUH_DASHBOARD_IP_ADDRESS>
    User: admin
    Password: <ADMIN_PASSWORD>
INFO: Installation finished.
```
Access the Wazuh web interface with your admin user credentials. This is the default administrator account for the Wazuh indexer and it allows you to access the Wazuh dashboard.
- URL: https://<WAZUH_NODE_IP_ADDRESS>
- Username: admin
- Password: <ADMIN_PASSWORD>

Multi-node offline installation

Installing the Wazuh indexer

Install and configure the Wazuh indexer nodes on a 64-bit (x86_64/AMD64 or AARCH64/ARM64) architecture.

The following dependencies must be installed on the Wazuh indexer nodes.

coreutils

Run the multi-node assisted method with the --offline-installation to perform an offline installation. Use the option --wazuh-indexer and the node name to install and configure the Wazuh indexer. The node name must be the same one used in config.yml for the initial configuration, for example, node-1.
```
# bash wazuh-install.sh --offline-installation --wazuh-indexer node-1
```
Repeat this step for every Wazuh indexer node in your cluster. Then proceed with initializing your multi-node cluster in the next step.
Run the Wazuh assisted installation option --start-cluster on any Wazuh indexer node to load the new certificates information and start the cluster.
```
# bash wazuh-install.sh --offline-installation --start-cluster
```
Note

You only have to initialize the cluster once, there is no need to run this command on every node.

Testing the cluster installation

Run the following command to get the admin password:

# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1

Run the following command to confirm that the installation is successful. Replace <ADMIN_PASSWORD> with the password gotten from the output of the previous command. Replace <WAZUH_INDEXER_IP_ADDRESS> with the configured Wazuh indexer IP address:

# curl -k -u admin:<ADMIN_PASSWORD> https://<WAZUH_INDEXER_IP_ADDRESS>:9200

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "095jEW-oRJSFKLz5wmo5PA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Verify that the cluster is running correctly. Replace <WAZUH_INDEXER_IP_ADDRESS> and <ADMIN_PASSWORD> in the following command, then execute it:
```
# curl -k -u admin:<ADMIN_PASSWORD> https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v
```

Installing the Wazuh server

On systems with yum as package manager, the following dependencies must be installed on the Wazuh server nodes.

libcap

Run the assisted method with --offline-installation to perform an offline installation. Use the option --wazuh-server followed by the node name to install the Wazuh server. The node name must be the same one used in config.yml for the initial configuration, for example, wazuh-1.
```
# bash wazuh-install.sh --offline-installation --wazuh-server wazuh-1
```

Your Wazuh server is now successfully installed. Repeat this step on every Wazuh server node.

Installing the Wazuh dashboard

The following dependencies must be installed on the Wazuh dashboard node.

libcap

Run the assisted method with --offline-installation to perform an offline installation. Use the option --wazuh-dashboard and the node name to install and configure the Wazuh dashboard. The node name must be the same one used in config.yml for the initial configuration, for example, dashboard.
```
# bash wazuh-install.sh --offline-installation --wazuh-dashboard dashboard
```
The default TCP port for the Wazuh web user interface (dashboard) is 443. You can change this port using the optional parameter -p|--port <PORT_NUMBER>. Some recommended ports are 8443, 8444, 8080, 8888, and 9000.

Once the assistant finishes the installation, the output shows the access credentials and a message that confirms that the installation was successful.
```
INFO: --- Summary ---
INFO: You can access the web interface https://<WAZUH_DASHBOARD_IP_ADDRESS>
   User: admin
   Password: <ADMIN_PASSWORD>

INFO: Installation finished.
```
You now have installed and configured Wazuh. All passwords generated by the Wazuh installation assistant can be found in the wazuh-passwords.txt file inside the wazuh-install-files.tar archive. To print them, run the following command:
```
# tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
```
Access the Wazuh web interface with your admin user credentials. This is the default administrator account for the Wazuh indexer and it allows you to access the Wazuh dashboard.
- URL: https://<WAZUH_DASHBOARD_IP_ADDRESS>
- Username: admin
- Password: <ADMIN_PASSWORD>
When you access the Wazuh dashboard for the first time, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser. For increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser instead. Alternatively, a certificate from a trusted authority can be configured.

Install Wazuh components step by step

In the working directory where you placed wazuh-offline.tar.gz and wazuh-install-files.tar, execute the following command to decompress the installation files:
```
# tar xf wazuh-offline.tar.gz
# tar xf wazuh-install-files.tar
```
You can check the SHA512 of the decompressed package files in wazuh-offline/wazuh-packages/. Find the SHA512 checksums in the Packages list.

Installing the Wazuh indexer

The following dependencies must be installed on the Wazuh indexer nodes.

coreutils

Run the following commands to install the Wazuh indexer.

# rpm --import ./wazuh-offline/wazuh-files/GPG-KEY-WAZUH
# rpm -ivh ./wazuh-offline/wazuh-packages/wazuh-indexer*.rpm

# dpkg -i ./wazuh-offline/wazuh-packages/wazuh-indexer*.deb

Run the following commands replacing <INDEXER_NODE_NAME> with the name of the Wazuh indexer node you are configuring as defined in config.yml. For example, node-1. This deploys the SSL certificates to encrypt communications between the Wazuh central components.
```
# NODE_NAME=<INDEXER_NODE_NAME>
```
```
# mkdir /etc/wazuh-indexer/certs
# mv -n wazuh-install-files/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
# mv -n wazuh-install-files/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
# mv wazuh-install-files/admin-key.pem /etc/wazuh-indexer/certs/
# mv wazuh-install-files/admin.pem /etc/wazuh-indexer/certs/
# cp wazuh-install-files/root-ca.pem /etc/wazuh-indexer/certs/
# chmod 500 /etc/wazuh-indexer/certs
# chmod 400 /etc/wazuh-indexer/certs/*
# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
```
Here you move the node certificate and key files, such as node-1.pem and node-1-key.pem, to their corresponding certs folder. They're specific to the node and are not required on the other nodes. However, note that the root-ca.pem certificate isn't moved but copied to the certs folder. This way, you can continue deploying it to other component folders in the next steps.
Edit /etc/wazuh-indexer/opensearch.yml and replace the following values:
1. network.host: Sets the address of this node for both HTTP and transport traffic. The node will bind to this address and will also use it as its publish address. Accepts an IP address or a hostname.
  
  Use the same node address set in config.yml to create the SSL certificates.
2. node.name: Name of the Wazuh indexer node as defined in the config.yml file. For example, node-1.
3. cluster.initial_master_nodes: List of the names of the master-eligible nodes. These names are defined in the config.yml file. Uncomment the node-2 and node-3 lines, change the names, or add more lines, according to your config.yml definitions.
```
cluster.initial_master_nodes:
- "node-1"
- "node-2"
- "node-3"
```
4. discovery.seed_hosts: List of the addresses of the master-eligible nodes. Each element can be either an IP address or a hostname. You may leave this setting commented if you are configuring the Wazuh indexer as a single-node. For multi-node configurations, uncomment this setting and set your master-eligible nodes addresses.
  discovery.seed_hosts: - "10.0.0.1" - "10.0.0.2" - "10.0.0.3"
5. plugins.security.nodes_dn: List of the Distinguished Names of the certificates of all the Wazuh indexer cluster nodes. Uncomment the lines for node-2 and node-3 and change the common names (CN) and values according to your settings and your config.yml definitions.
```
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
```

Enable and start the Wazuh indexer service.

# systemctl daemon-reload
# systemctl enable wazuh-indexer
# systemctl start wazuh-indexer

Choose one option according to the operating system used.

RPM-based operating system:

# chkconfig --add wazuh-indexer
# service wazuh-indexer start

Debian-based operating system:

# update-rc.d wazuh-indexer defaults 95 10
# service wazuh-indexer start

For multi-node clusters, repeat the previous steps on every Wazuh indexer node.
When all Wazuh indexer nodes are running, run the Wazuh indexer indexer-security-init.sh script on any Wazuh indexer node to load the new certificates information and start the cluster.
# /usr/share/wazuh-indexer/bin/indexer-security-init.sh

Run the following command to check that the installation is successful. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

# curl -XGET https://127.0.0.1:9200 -u admin:admin -k

Expand the output to see an example response.

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "095jEW-oRJSFKLz5wmo5PA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
    "build_date" : "2023-06-03T06:24:25.112415503Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Installing the Wazuh server

On systems with apt as package manager, the following dependencies must be installed on the Wazuh server nodes.

gnupg
apt-transport-https

Run the following commands to import the Wazuh key and install the Wazuh manager.

# rpm --import ./wazuh-offline/wazuh-files/GPG-KEY-WAZUH
# rpm -ivh ./wazuh-offline/wazuh-packages/wazuh-manager*.rpm

# dpkg -i ./wazuh-offline/wazuh-packages/wazuh-manager*.deb

Save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool:

# echo '<INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
# echo '<INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password

Note

The default offline-installation credentials are admin:admin

Enable and start the Wazuh manager service.

# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager

Choose one option according to your operating system:

RPM-based operating system:

# chkconfig --add wazuh-manager
# service wazuh-manager start

Debian-based operating system:

# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start

Run the following command to verify that the Wazuh manager status is active.
# systemctl status wazuh-manager
# service wazuh-manager status

Installing Filebeat

Filebeat must be installed and configured on the same server as the Wazuh manager.

Run the following command to install Filebeat.

# rpm -ivh ./wazuh-offline/wazuh-packages/filebeat*.rpm

# dpkg -i ./wazuh-offline/wazuh-packages/filebeat*.deb

Move a copy of the configuration files to the appropriate location. Ensure to type “yes” at the prompt to overwrite /etc/filebeat/filebeat.yml.

# cp ./wazuh-offline/wazuh-files/filebeat.yml /etc/filebeat/ &&\
cp ./wazuh-offline/wazuh-files/wazuh-template.json /etc/filebeat/ &&\
chmod go+r /etc/filebeat/wazuh-template.json

Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value:
1. hosts: The list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost hosts: ["127.0.0.1:9200"]. Replace your Wazuh indexer IP address accordingly.
  
  If you have more than one Wazuh indexer node, you can separate the addresses using commas. For example, hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]
```
# Wazuh - Filebeat configuration file
output.elasticsearch:
hosts: ["10.0.0.1:9200"]
protocol: https
username: ${username}
password: ${password}
```
Create a Filebeat keystore to securely store authentication credentials.
```
# filebeat keystore create
```

Add the username and password admin:admin to the secrets keystore.

# echo admin | filebeat keystore add username --stdin --force
# echo admin | filebeat keystore add password --stdin --force

Install the Wazuh module for Filebeat.

# tar -xzf ./wazuh-offline/wazuh-files/wazuh-filebeat-0.5.tar.gz -C /usr/share/filebeat/module

Replace <SERVER_NODE_NAME> with your Wazuh server node certificate name, the same used in config.yml when creating the certificates. For example, wazuh-1. Then, move the certificates to their corresponding location.

# NODE_NAME=<SERVER_NODE_NAME>

# mkdir /etc/filebeat/certs
# mv -n wazuh-install-files/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
# mv -n wazuh-install-files/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
# cp wazuh-install-files/root-ca.pem /etc/filebeat/certs/
# chmod 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/*
# chown -R root:root /etc/filebeat/certs

Enable and start the Filebeat service.

# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat

Choose one option according to the operating system used.

RPM-based operating system:

# chkconfig --add filebeat
# service filebeat start

Debian-based operating system:

# update-rc.d filebeat defaults 95 10
# service filebeat start

Run the following command to make sure Filebeat is successfully installed.

# filebeat test output

Expand the output to see an example response.

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Your Wazuh server node is now successfully installed. Repeat the steps of this installation process stage for every Wazuh server node in your cluster, expand the Wazuh cluster configuration for multi-node deployment section below, and carry on then with configuring the Wazuh cluster. If you want a Wazuh server single-node cluster, everything is set and you can proceed directly with the Wazuh dashboard installation.

Wazuh cluster configuration for multi-node deployment

After completing the installation of the Wazuh server on every node, you need to configure one server node only as the master and the rest as workers.

Configuring the Wazuh server master node

Edit the following settings in the /var/ossec/etc/ossec.conf configuration file.
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <node_type>master</node_type>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node><WAZUH_MASTER_ADDRESS></node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
Parameters to be configured:

name

It indicates the name of the cluster.

node_name

It indicates the name of the current node.

node_type

It specifies the role of the node. It has to be set to master.

key

Key that is used to encrypt communication between cluster nodes. The key must be 32 characters long and the same for all of the nodes in the cluster. The following command can be used to generate a random key: openssl rand -hex 16.

port

It indicates the destination port for cluster communication.

bind_addr

It is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 for any IP).

nodes

It is the address of the master node and can be either an IP or a DNS. This parameter must be specified in all nodes, including the master itself.

hidden

It shows or hides the cluster information in the generated alerts.

disabled

It indicates whether the node is enabled or disabled in the cluster. This option must be set to no.
Restart the Wazuh manager.
# systemctl restart wazuh-manager
# service wazuh-manager restart

Configuring the Wazuh server worker nodes

Configure the cluster node by editing the following settings in the /var/ossec/etc/ossec.conf file and configure the necessary parameters:
<cluster>
    <name>wazuh</name>
    <node_name>worker-node</node_name>
    <node_type>worker</node_type>
    <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node><WAZUH_MASTER_ADDRESS></node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
</cluster>
Parameters to be configured:

name

It indicates the name of the cluster.

node_name

It indicates the name of the current node. Each node of the cluster must have a unique name.

node_type

It specifies the role of the node. It has to be set as worker.

key

The key created previously for the master node. It has to be the same for all the nodes.

nodes

It has to contain the address of the master node and can be either an IP or a DNS.

disabled

It indicates whether the node is enabled or disabled in the cluster. It has to be set to no.
Restart the Wazuh manager.
# systemctl restart wazuh-manager
# service wazuh-manager restart
Repeat these configuration steps for every Wazuh server worker node in your cluster.

Testing Wazuh server cluster

To verify that the Wazuh cluster is enabled and all the nodes are connected, execute the following command:

# /var/ossec/bin/cluster_control -l

An example output of the command looks as follows:

NAME     TYPE    VERSION  ADDRESS
wazuh-1  master  4.12.0   10.0.0.3
wazuh-3  worker  4.12.0   10.0.0.5
wazuh-2  worker  4.12.0   10.0.0.4

Note that 10.0.0.3, 10.0.0.4, 10.0.0.5 are example IPs.

Installing the Wazuh dashboard

The following dependencies must be installed on the Wazuh dashboard node.

libcap

Run the following commands to install the Wazuh dashboard.

# rpm --import ./wazuh-offline/wazuh-files/GPG-KEY-WAZUH
# rpm -ivh ./wazuh-offline/wazuh-packages/wazuh-dashboard*.rpm

# dpkg -i ./wazuh-offline/wazuh-packages/wazuh-dashboard*.deb

Replace <DASHBOARD_NODE_NAME> with your Wazuh dashboard node name, the same used in config.yml to create the certificates. For example, dashboard. Then, move the certificates to their corresponding location.

# NODE_NAME=<DASHBOARD_NODE_NAME>

# mkdir /etc/wazuh-dashboard/certs
# mv -n wazuh-install-files/$NODE_NAME.pem /etc/wazuh-dashboard/certs/dashboard.pem
# mv -n wazuh-install-files/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/dashboard-key.pem
# cp wazuh-install-files/root-ca.pem /etc/wazuh-dashboard/certs/
# chmod 500 /etc/wazuh-dashboard/certs
# chmod 400 /etc/wazuh-dashboard/certs/*
# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Edit the /etc/wazuh-dashboard/opensearch_dashboards.yml file and replace the following values:
1. server.host: This setting specifies the host of the back end server. To allow remote users to connect, set the value to the IP address or DNS name of the Wazuh dashboard. The value 0.0.0.0 will accept all the available IP addresses of the host.
2. opensearch.hosts: The URLs of the Wazuh indexer instances to use for all your queries. The Wazuh dashboard can be configured to connect to multiple Wazuh indexer nodes in the same cluster. The addresses of the nodes can be separated by commas. For example, ["https://10.0.0.2:9200", "https://10.0.0.3:9200","https://10.0.0.4:9200"]
  server.host: 0.0.0.0 server.port: 443 opensearch.hosts: https://127.0.0.1:9200 opensearch.ssl.verificationMode: certificate

Enable and start the Wazuh dashboard.

# systemctl daemon-reload
# systemctl enable wazuh-dashboard
# systemctl start wazuh-dashboard

Choose one option according to your operating system:

RPM-based operating system:

# chkconfig --add wazuh-dashboard
# service wazuh-dashboard start

Debian-based operating system:

# update-rc.d wazuh-dashboard defaults 95 10
# service wazuh-dashboard start

Edit the file /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml and replace the url value with the IP address or hostname of the Wazuh server master node.

hosts:
  - default:
      url: https://<WAZUH_SERVER_IP_ADDRESS>
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false

Run the following command to verify the Wazuh dashboard service is active.
# systemctl status wazuh-dashboard
# service wazuh-dashboard status
Access the Wazuh web interface.
- URL: https://<WAZUH_DASHBOARD_IP_ADDRESS>
- Username: admin
- Password: admin

Upon the first access to the Wazuh dashboard, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.

Securing your Wazuh installation

You have now installed and configured all the Wazuh central components. We recommend changing the default credentials to protect your infrastructure from possible attacks.

Select your deployment type and follow the instructions to change the default passwords for both the Wazuh API and the Wazuh indexer users.

Use the Wazuh passwords tool to change all the internal users passwords.

# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password wazuh

INFO: The password for user admin is yWOzmNA.?Aoc+rQfDBcF71KZp?1xd7IO
INFO: The password for user kibanaserver is nUa+66zY.eDF*2rRl5GKdgLxvgYQA+wo
INFO: The password for user kibanaro is 0jHq.4i*VAgclnqFiXvZ5gtQq1D5LCcL
INFO: The password for user logstash is hWW6U45rPoCT?oR.r.Baw2qaWz2iH8Ml
INFO: The password for user readall is PNt5K+FpKDMO2TlxJ6Opb2D0mYl*I7FQ
INFO: The password for user snapshotrestore is +GGz2noZZr2qVUK7xbtqjUup049tvLq.
WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
INFO: The password for Wazuh API user wazuh is JYWz5Zdb3Yq+uOzOPyUU4oat0n60VmWI
INFO: The password for Wazuh API user wazuh-wui is +fLddaCiZePxh24*?jC0nyNmgMGCKE+2
INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.

On any Wazuh indexer node, use the Wazuh passwords tool to change the passwords of the Wazuh indexer users.

# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all

INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
INFO: The password for user admin is wcAny.XUwOVWHFy.+7tW9l8gUW1L8N3j
INFO: The password for user kibanaserver is qy6fBrNOI4fD9yR9.Oj03?pihN6Ejfpp
INFO: The password for user kibanaro is Nj*sSXSxwntrx3O7m8ehrgdHkxCc0dna
INFO: The password for user logstash is nQg1Qw0nIQFZXUJc8r8+zHVrkelch33h
INFO: The password for user readall is s0iWAei?RXObSDdibBfzSgXdhZCD9kH4
INFO: The password for user snapshotrestore is Mb2EHw8SIc1d.oz.nM?dHiPBGk7s?UZB
WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.

On your Wazuh server master node, change the default password of the admin users: wazuh and wazuh-wui. Note that the commands below use 127.0.0.1, set your Wazuh manager IP address if necessary.

Get an authorization TOKEN.

# TOKEN=$(curl -u wazuh-wui:wazuh-wui -k -X GET "https://127.0.0.1:55000/security/user/authenticate?raw=true")

Change the wazuh user credentials (ID 1). Select a password between 8 and 64 characters long, it should contain at least one uppercase and one lowercase letter, a number, and a symbol. See PUT /security/users/{user_id} to learn more.

curl -k -X PUT "https://127.0.0.1:55000/security/users/1" -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d'
{
  "password": "SuperS3cretPassword!"
}'

{"data": {"affected_items": [{"id": 1, "username": "wazuh", "allow_run_as": true, "roles": [1]}], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "User was successfully updated", "error": 0}

Change the wazuh-wui user credentials (ID 2).

curl -k -X PUT "https://127.0.0.1:55000/security/users/2" -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d'
{
  "password": "SuperS3cretPassword!"
}'

{"data": {"affected_items": [{"id": 2, "username": "wazuh-wui", "allow_run_as": true, "roles": [1]}], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "User was successfully updated", "error": 0}

See the Securing the Wazuh API section for additional security configurations.

Note

Remember to store these passwords securely.

On all your Wazuh server nodes, run the following command to update the admin password in the Filebeat keystore. Replace <ADMIN_PASSWORD> with the random password generated in the first step.
```
# echo <ADMIN_PASSWORD> | filebeat keystore add password --stdin --force
```
Restart Filebeat to apply the change.
# systemctl restart filebeat
# service filebeat restart
Note

Repeat steps 3 and 4 on every Wazuh server node.
On your Wazuh dashboard node, run the following command to update the kibanaserver password in the Wazuh dashboard keystore. Replace <KIBANASERVER_PASSWORD> with the random password generated in the first step.
```
# echo <KIBANASERVER_PASSWORD> | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
```

Update the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file with the new wazuh-wui password generated in the second step.

hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false

Restart the Wazuh dashboard to apply the changes.

# systemctl restart wazuh-dashboard

# service wazuh-dashboard restart

Next steps

Once the Wazuh environment is ready, Wazuh agents can be installed on every endpoint to be monitored. To install the Wazuh agents and start monitoring the endpoints, see the Wazuh agent installation section. If you need to install them offline, you can check the appropriate agent package to download for your monitored system in the Wazuh agent packages list section.

To uninstall all the Wazuh central components, see the Uninstalling the Wazuh central components section.

Installation from sources

Installing from sources gives you more control over how Wazuh is deployed. You can customize build options and target operating systems that are not covered in existing packages.

Benefits of installing from sources

More control over compiler, libraries, and paths.
Ability to apply local patches or custom build flags.

The Wazuh manager and agent can be installed via sources as an alternative to the installation from packages:

Installing the Wazuh manager from sources

The Wazuh manager is the core component of the Wazuh server that processes and analyzes security data from Wazuh agents and other sources. It includes the analysis engine for log processing, rule evaluation, and alert generation, along with services for the Wazuh agent enrollment and connection.

This section covers installing dependencies, downloading and compiling the source code, running the installation wizard, and uninstalling the manager if needed.

Installing dependencies

Before compiling Wazuh from sources, you need to install the required build tools and libraries for the destination operating system. This section covers the essential development tools, compilers, and build utilities needed to compile the Wazuh manager successfully.

# apt-get update
# apt-get install python3 gcc g++ make libc6-dev curl policycoreutils automake autoconf libtool libssl-dev procps build-essential

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
# cd .. && rm -rf cmake-*

# yum update -y
# yum install make gcc gcc-c++ policycoreutils-python automake autoconf libtool centos-release-scl openssl-devel wget bzip2 devtoolset-7 procps -y
# curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && ./contrib/download_prerequisites && ./configure --enable-languages=c,c++ --prefix=/usr --disable-multilib --disable-libsanitizer && make -j$(nproc) && make install && ln -fs /usr/bin/g++ /bin/c++ && ln -fs /usr/bin/gcc /bin/cc && cd .. && rm -rf gcc-* && scl enable devtoolset-7 bash

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
# cd .. && rm -rf cmake-*

# yum install make cmake gcc gcc-c++ python3 python3-policycoreutils automake autoconf libtool openssl-devel yum-utils procps -y
# curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && ./contrib/download_prerequisites && ./configure --enable-languages=c,c++ --prefix=/usr --disable-multilib --disable-libsanitizer && make -j$(nproc) && make install && ln -fs /usr/bin/g++ /bin/c++ && ln -fs /usr/bin/gcc /bin/cc && cd .. && rm -rf gcc-* && scl enable devtoolset-7 bash
# yum-config-manager --enable PowerTools
# yum install libstdc++-static -y

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
# cd .. && rm -rf cmake-*
# export PATH=/usr/local/bin:$PATH

# yum install make cmake gcc gcc-c++ python3 python3-policycoreutils automake autoconf libtool openssl-devel yum-utils procps -y
# curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && ./contrib/download_prerequisites && ./configure --enable-languages=c,c++ --prefix=/usr --disable-multilib --disable-libsanitizer && make -j$(nproc) && make install && ln -fs /usr/bin/g++ /bin/c++ && ln -fs /usr/bin/gcc /bin/cc && cd .. && rm -rf gcc-* && scl enable devtoolset-7 bash
# yum config-manager --set-enabled crb
# yum install libstdc++-static -y

# dnf update -y
# dnf install make cmake gcc gcc-c++ python3 python3-policycoreutils automake autoconf libtool openssl-devel yum-utils procps -y
# curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && tar xzf gcc-9.4.0.tar.gz && cd gcc-9.4.0/ && ./contrib/download_prerequisites && ./configure --enable-languages=c,c++ --prefix=/usr --disable-multilib --disable-libsanitizer && make -j$(nproc) && make install && ln -fs /usr/bin/g++ /bin/c++ && ln -fs /usr/bin/gcc /bin/cc && cd .. && rm -rf gcc-*
# dnf config-manager --set-enabled crb
# dnf install libstdc++-static -y

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
# cd .. && rm -rf cmake-*
# export PATH=/usr/local/bin:$PATH

Optional: Install the following dependencies only when compiling the CPython from sources. Since v4.2.0, make deps TARGET=server will download a portable version of CPython ready to be installed. Nevertheless, you can download the CPython sources by adding the PYTHON_SOURCE flag when running make deps.

Follow these steps to install the required dependencies to build the Python interpreter:

# echo "deb-src http://archive.ubuntu.com/ubuntu $(lsb_release -cs) main" >> /etc/apt/sources.list
# apt-get update
# apt-get build-dep python3 -y

# yum install epel-release yum-utils -y
# yum-builddep python36 -y

# dnf install epel-release dnf-utils -y
# dnf builddep python3 -y

Note

The Python version from the previous command may change depending on the OS used to build the binaries. For more information, refer to the Install dependencies page.

Installing the Wazuh manager

This section walks you through downloading the Wazuh source code, compiling it, and running the installation wizard to set up the Wazuh manager on your system.

Download and extract the latest version:

# curl -Ls https://github.com/wazuh/wazuh/archive/v5.0.0.tar.gz | tar zx
# cd wazuh-5.0.0

If you have previously compiled for another platform, clean the build using the Makefile in src/:
```
# make -C src clean
# make -C src clean-deps
```
Run the install.sh script. This will display a wizard to guide you through the installation process using the Wazuh sources:

Warning

If you want to enable the database output, check out the Alert management section before running the installation script.
```
# ./install.sh
```
The initial run might take some time as it downloads and processes the vulnerability detection content. To speed up this process, you can set the DOWNLOAD_CONTENT environment variable to y beforehand. The adjusted command downloads a pre-prepared database during installation.
```
# DOWNLOAD_CONTENT=y ./install.sh
```
When the script asks what kind of installation you want, type manager to install the Wazuh manager:
```
1- What kind of installation do you want (manager, agent, local, hybrid, or help)? manager
```
Note

During the installation, users can decide the installation path. Execute the ./install.sh script and select the language, set the installation mode to manager, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path is /opt.

Warning

Be extremely careful not to select a critical installation directory if you choose a different path than the default. If the directory already exists, the installer will ask to delete the directory or proceed by installing Wazuh inside it.
The installer asks if you want to start Wazuh at the end of the installation. If you choose not to, you can start it later with:
# systemctl start wazuh-manager
# service wazuh-manager start

Installing other Wazuh components

Once the Wazuh manager is installed from source, you can install the Wazuh indexer, Filebeat, and the Wazuh dashboard by following the Installation guide. The Wazuh indexer and dashboard are excluded from the installation from sources procedure, as they rely on pre-built packages.

Uninstall

This section provides instructions for completely removing the Wazuh manager installation from your system.

To uninstall the Wazuh manager, set WAZUH_HOME with the current installation path:
```
# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"
```

Stop the service:

# service wazuh-manager stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:
```
# rm -rf $WAZUH_HOME
```

Delete the service:

# [ -f /etc/rc.local ] && sed -i'' '/wazuh-control start/d' /etc/rc.local
# find /etc/{init.d,rc*.d} -name "*wazuh*" | xargs rm -f

# find /etc/systemd/system -name "wazuh*" | xargs rm -f
# systemctl daemon-reload

Remove Wazuh user and group:

# userdel wazuh 2> /dev/null
# groupdel wazuh 2> /dev/null

Installing the Wazuh agent from sources

The Wazuh agent is a lightweight monitoring software. It is a multi-platform component that provides visibility into the endpoint’s security by collecting critical system and application logs/events. The following section explains how to install it from sources across different operating systems.

This section covers installing dependencies, downloading and compiling the source code, running the installation wizard, and uninstalling the Wazuh agent if necessary.

Installing dependencies

Note

You need root user privileges to run all the commands described below. Since Wazuh 3.5, an Internet connection is required to follow this process.

Note

CMake 3.12.4 is the minimal library version required to build the Wazuh agent solution.

Note

GCC 9.4 is the minimal compiler version required to build the Wazuh agent solution.

Install development tools and compilers. In Linux, this can easily be done using your distribution’s package manager:

# apt-get install python3 gcc g++ make libc6-dev curl policycoreutils automake autoconf libtool libssl-dev procps build-essential

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
# cd .. && rm -rf cmake-*

# yum update -y
# yum install make gcc gcc-c++ policycoreutils-python automake autoconf libtool centos-release-scl openssl-devel wget bzip2 procps -y
# curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && ./contrib/download_prerequisites && ./configure --enable-languages=c,c++ --prefix=/usr --disable-multilib --disable-libsanitizer && make -j$(nproc) && make install && ln -fs /bin/g++ /usr/bin/c++ && ln -fs /bin/gcc /usr/bin/cc && cd .. && rm -rf gcc-*

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz
# cd cmake-3.18.3 && ./bootstrap --no-system-curl
# make -j$(nproc) && make install
# cd .. && rm -rf cmake-*

# yum install make gcc gcc-c++ python3 python3-policycoreutils automake autoconf libtool openssl-devel cmake procps -y
# curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && ./contrib/download_prerequisites && ./configure --enable-languages=c,c++ --prefix=/usr --disable-multilib --disable-libsanitizer && make -j$(nproc) && make install && ln -fs /bin/g++ /usr/bin/c++ && ln -fs /bin/gcc /usr/bin/cc && cd .. && rm -rf gcc-*
# yum-config-manager --enable PowerTools
# yum install libstdc++-static -y

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
# cd .. && rm -rf cmake-*
# export PATH=/usr/local/bin:$PATH

# yum install make gcc gcc-c++ python3 python3-policycoreutils automake autoconf libtool openssl-devel cmake procps -y
# curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && ./contrib/download_prerequisites && ./configure --enable-languages=c,c++ --prefix=/usr --disable-multilib --disable-libsanitizer && make -j$(nproc) && make install && ln -fs /bin/g++ /usr/bin/c++ && ln -fs /bin/gcc /usr/bin/cc && cd .. && rm -rf gcc-*
# yum config-manager --set-enabled crb
# yum install libstdc++-static -y

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
# cd .. && rm -rf cmake-*
# export PATH=/usr/local/bin:$PATH

# dnf update -y
# dnf groupinstall "Development Tools"
# dnf install gmp-devel mpfr-devel libmpc-devel isl-devel make cmake gcc gcc-c++ python3 python3-policycoreutils automake autoconf libtool openssl-devel yum-utils procps -y
# curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && tar xzf gcc-9.4.0.tar.gz && cd gcc-9.4.0/ && ./configure --enable-languages=c,c++ --prefix=/usr --disable-multilib --disable-libsanitizer && make -j$(nproc) && make install && ln -fs /usr/bin/g++ /bin/c++ && ln -fs /usr/bin/gcc /bin/cc && cd .. && rm -rf gcc-*
# dnf config-manager --set-enabled crb
# dnf install libstdc++-static -y

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
# cd .. && rm -rf cmake-*
# export PATH=/usr/local/bin:$PATH

# zypper install -y make gcc12 gcc12-c++ policycoreutils-python automake autoconf libtool libopenssl-devel curl
# ln -sf /usr/bin/gcc-12 /usr/bin/gcc
# ln -sf /usr/bin/g++-12 /usr/bin/g++

CMake 3.18 installation

# curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
# cd .. && rm -rf cmake-*

Note

For Suse 11, it is possible that some of the tools are not found in the package manager. In that case, you can add the following official repository:

# zypper addrepo http://download.opensuse.org/distribution/11.4/repo/oss/ oss

GCC/G++ 14 is the recommended version to build Wazuh.

# pacman --noconfirm -Syu curl gcc14 make sudo wget expect gnupg perl-base perl fakeroot python brotli automake autoconf libtool gawk libsigsegv nodejs base-devel inetutils cmake

This section covers installing dependencies on Ubuntu and Windows endpoints. For Windows agent installation, Wazuh uses cross-compilation from a Linux environment to build the Windows installer package.

Note

This procedure is tested on Ubuntu 24.04 and might work with other Debian/Ubuntu versions as well. It is required to use MinGW 10.

Set up the Ubuntu build environment. Install these dependencies to build the Windows Wazuh agent installer on Ubuntu:
```
# apt-get install curl gcc-mingw-w64 g++-mingw-w64-i686 g++-mingw-w64-x86-64 nsis make cmake
```
Set up the Windows build environment. To generate the installer, the following dependencies must be in place on the Windows machine:
- WIX Toolset v3.11.
  
  Note
  
  If you install a WiX Toolset version other than v3.11 on your Windows endpoint, update the batch file at: wazuh-5.0.0/src/win32/wazuh-installer-build-msi.bat. On line 3, replace "WiX Toolset v3.11" with the exact version you installed.
- .NET Framework 3.5.1.
- Microsoft Windows SDK.

This section covers installing dependencies on macOS systems. The process involves installing Homebrew and setting up build tools.

Install brew, a package manager for macOS:
```
$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
```
Note

On some macOS versions, this command may fail with a message indicating that homebrew/core is a shallow clone. To fix this issue, run:
```
$ rm -rf "/usr/local/Homebrew/Library/Taps/homebrew/homebrew-core"
$ brew tap homebrew/core
```
Then, re-run the Homebrew installation command above.

Install development tools and compilers through Brew:

$ brew install automake autoconf libtool cmake

Installing the Wazuh agent

This section walks you through downloading the Wazuh source code, compiling it, and running the installation wizard to set up the Wazuh agent on your system.

Download and extract the latest version:

# curl -Ls https://github.com/wazuh/wazuh/archive/v5.0.0.tar.gz | tar zx
# cd wazuh-5.0.0

If you have previously compiled for another platform, you must clean the build using the Makefile in src/:
```
# make -C src clean
# make -C src clean-deps
```
Build the Wazuh agent with gcc-14 and g++-14, this only applies to distributions with the Pacman package manager:
```
# cd wazuh-5.0.0/src
# make TARGET=agent deps
# make TARGET=agent CC=gcc-14 CXX=g++-14
# cd ..
```
Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:
```
# cd wazuh-5.0.0
# ./install.sh
```
Note

During the installation, users can decide the installation path. Execute the ./install.sh script and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path is /opt. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing Wazuh inside it. You can also run an unattended installation.
The script will ask about what kind of installation you want. Type agent to install a Wazuh agent:
```
1- What kind of installation do you want (manager, agent, local, hybrid or help)? agent
```

This process involves compiling the Wazuh agent and generating an MSI installer package.

Download the Wazuh source code on the Ubuntu machine and unzip it:

# curl -Ls https://github.com/wazuh/wazuh/archive/v5.0.0.tar.gz | tar zx
# cd wazuh-5.0.0/src

Compile the Agent by running the make command:
```
# make deps TARGET=winagent
# make TARGET=winagent
```
The following output will appear at the end of the building process:
```
Done building winagent
```
Move the repository to the Windows machine. We recommend compressing it to speed up the process:
```
# cd ../.. && zip -r wazuh.zip wazuh-5.0.0
```
Decompress the repository on the Windows machine, run the wazuh-installer-build-msi.bat script from the win32 folder:
```
> cd wazuh-5.0.0\src\win32
> .\wazuh-installer-build-msi.bat
```
If you do not want to sign the installer, you will have to comment out or delete the signtool line in the previous script.

Specify the version and the revision number when prompted. This will also generate the Windows installer file. In the following output, the version is set as 5.0.0, and the revision is set as 1. This generates the Windows installer wazuh-agent-5.0.0-1.msi

C:\wazuh\wazuh-5.0.0\src\win32>REM IF VERSION or REVISION are empty, ask for their value

C:\wazuh\wazuh-5.0.0\src\win32>IF [] == [] set /p VERSION=Enter the version of the Wazuh agent (x.y.z):
Enter the version of the Wazuh agent (x.y.z):5.0.0

C:\wazuh\wazuh-5.0.0\src\win32>IF [] == [] set /p REVISION=Enter the revision of the Wazuh agent:
Enter the revision of the Wazuh agent:1

C:\wazuh\wazuh-5.0.0\src\win32>SET MSI_NAME=wazuh-agent-5.0.0-1.msi

Install wazuh-agent-5.0.0-1.msi. See the installation guide.

This section covers installing the Wazuh agent from sources on macOS systems

Download and extract the latest version:
```
# curl -Ls https://github.com/wazuh/wazuh/archive/v5.0.0.tar.gz | tar zx
```
Note

All the commands described below need to be executed with root user privileges.
If you have previously compiled for another platform, you must clean the build using the Makefile in src:
```
# cd wazuh-5.0.0
# make -C src clean
# make -C src clean-deps
```
Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:
```
# cd wazuh-5.0.0
# USER_DIR="/Library/Ossec" ./install.sh
```
Note

Note that with the variable USER_DIR, it has been indicated that the agent installation path is /Library/Ossec
The script will ask about what kind of installation you want. Type agent to install a Wazuh agent:
```
1- What kind of installation do you want (manager, agent, local, hybrid, or help)? agent
```
Note

During the installation, users can decide on the installation path. Execute the ./install.sh script and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/Library/Ossec]). The default installation path is /Library/Ossec. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing Wazuh inside it. You can also run an unattended installation.

Download the latest version:

# wget -O wazuh.tar.gz --no-check-certificate https://api.github.com/repos/wazuh/wazuh/tarball/v5.0.0
# gunzip -c wazuh.tar.gz | tar -xvf -

Note

If you can't download the repository this way, then you should copy it via the scp utility.

Compile the sources:

# cd wazuh-5.0.0
# cd src
# gmake clean-deps
# gmake clean
# gmake deps TARGET=agent RESOURCES_URL=http://packages.wazuh.com/deps/27
# gmake TARGET=agent USE_SELINUX=no PREFIX=/var/ossec

If you have previously compiled for another platform, you must clean the build using the Makefile in src/:
```
# gmake -C src clean-deps
# gmake -C src clean
```
Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:
```
# cd ..
# ./install.sh
```
Note

During the installation, users can decide on the installation path. Execute the ./install.sh script and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path is /opt. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing Wazuh inside it. You can also run an unattended installation.

Finally, apply the following configuration:

# sed '/System inventory/,/^$/{/^$/!d;}' /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf.tmp
# mv /var/ossec/etc/ossec.conf.tmp /var/ossec/etc/ossec.conf

Note

Note that the above commands have been executed for the default installation path /var/ossec. If you have installed the agent in another path, you will have to modify the path of those commands.

Download the latest version:
```
# /usr/local/bin/curl -k -L -O https://github.com/wazuh/wazuh/archive/v5.0.0.zip && /usr/local/bin/unzip v5.0.0
```
Note

If you can't download the repository this way, then you should copy it via the scp utility.

Compile the sources:

# cd wazuh-5.0.0
# /usr/local/bin/gmake -C src deps RESOURCES_URL=http://packages.wazuh.com/deps/27 TARGET=agent
# /usr/local/bin/gmake -C src TARGET=agent USE_SELINUX=no

If you have previously compiled for another platform, you must clean the build using the Makefile in src/:
```
# /usr/local/bin/gmake -C src clean-deps
# /usr/local/bin/gmake -C src clean
```
Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:
```
# ./install.sh
```
Note

During the installation, users can decide the installation path. Execute the ./install.sh script and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path is /opt. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing Wazuh inside it. You can also run an unattended installation.

Download the latest version of Wazuh:

# /opt/csw/bin/git clone -b v5.0.0 https://github.com/wazuh/wazuh.git

Compile the sources.

For Solaris 10 i386:

# export PATH=/usr/local/gcc-5.5.0/bin:/usr/sbin:/usr/bin:/usr/ccs/bin:/opt/csw/bin:/opt/csw/gnu
# export CPLUS_INCLUDE_PATH=/usr/local/gcc-5.5.0/include/c++/5.5.0
# export LD_LIBRARY_PATH=/usr/local/gcc-5.5.0/lib
# cd wazuh/src
# gmake clean
# gmake deps TARGET=agent
# gmake -j 4 TARGET=agent PREFIX=/var/ossec USE_SELINUX=no
# cd ..

For Solaris 10 SPARC:

# export PATH=/usr/local/gcc-5.5.0/bin:/usr/sbin:/usr/bin:/usr/ccs/bin:/opt/csw/bin:/opt/csw/gnu
# export CPLUS_INCLUDE_PATH=/usr/local/gcc-5.5.0/include/c++/5.5.0
# export LD_LIBRARY_PATH=/usr/local/gcc-5.5.0/lib
# cd wazuh/src
# gmake clean
# gmake deps TARGET=agent RESOURCES_URL=http://packages.wazuh.com/deps/27
# gmake -j 4 TARGET=agent PREFIX=/var/ossec USE_SELINUX=no USE_BIG_ENDIAN=yes
# cd ..

Patch Solaris 10 sh files to change the shebang:

# for file in $(find . -name "*.sh");do
sed 's:#!/bin/sh:#!/usr/xpg4/bin/sh:g' $file > $file.new
mv $file.new $file && chmod +x $file
done

If you have previously compiled for another platform, you must clean the build using the Makefile in src/:
```
# gmake -C src clean
# gmake -C src clean-deps
```
Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:
```
# bash install.sh
```
Note

During the installation, users can decide on the installation path. Execute the ./install.sh script and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path is /opt. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing Wazuh inside it. You can also run an unattended installation.
The script will ask about what kind of installation you want. Type agent to install a Wazuh agent:
```
1- What kind of installation do you want (manager, agent, local, hybrid, or help)? agent
```

Download the latest version.
```
# git clone -b v5.0.0 https://github.com/wazuh/wazuh.git
```
Note

If you can’t download the file due to an OpenSSL error, then you should copy the directory with the scp utility.
If you have previously compiled for another platform, you must clean the build using the Makefile in src/:
```
# gmake -C src clean
# gmake -C src clean-deps
```
Run the install.sh script. This will run a wizard that will guide you through the installation process using the Wazuh sources:
```
# cd wazuh*
# ./install.sh
```
Note

During the installation, users can decide on the installation path. Execute the ./install.sh script and select the language, set the installation mode to agent, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default installation path is /var/ossec. A commonly used custom path is /opt. When choosing a different path than the default, if the directory already exists, the installer will ask to delete the directory or proceed by installing Wazuh inside it. You can also run an unattended installation.
The script will ask about what kind of installation you want. Type agent to install a Wazuh agent:
```
1- What kind of installation do you want (manager, agent, local, hybrid, or help)? agent
```

Next steps

Now that the agent is installed, the next step is to enroll the agent with the Wazuh server. Check the Wazuh agent enrollment section for more information about this process.

Uninstall

To uninstall the Wazuh agent, set WAZUH_HOME with the current installation path:
```
# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"
```

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:
```
# rm -rf $WAZUH_HOME
```

Delete the service:

# [ -f /etc/rc.local ] && sed -i'' '/wazuh-control start/d' /etc/rc.local
# find /etc/{init.d,rc*.d} -name "*wazuh*" | xargs rm -f

# find /etc/systemd/system -name "wazuh*" | xargs rm -f
# systemctl daemon-reload

Remove Wazuh user and group:

# userdel wazuh 2> /dev/null
# groupdel wazuh 2> /dev/null

To uninstall the agent, the original MSI file will be needed to perform the unattended process:

msiexec.exe /x wazuh-agent-5.0.0-1.msi /qn

To uninstall the Wazuh agent, set WAZUH_HOME to the current installation path:
```
# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"
```

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:
```
# rm -rf $WAZUH_HOME
```
Delete the service:
```
# rm -rf /Library/StartupItems/WAZUH
```

Remove Wazuh user and group:

# dscl . -delete "/Users/wazuh" > /dev/null 2>&1
# dscl . -delete "/Groups/wazuh" > /dev/null 2>&1

To uninstall the Wazuh agent, set WAZUH_HOME to the current installation path:
```
# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"
```

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:
```
# rm -rf $WAZUH_HOME
```

Delete the service:

# find /etc/rc.d -name "*wazuh*" | xargs rm -f

Remove Wazuh user and group:

# userdel wazuh 2> /dev/null
# groupdel wazuh 2> /dev/null

To uninstall the Wazuh agent, set WAZUH_HOME to the current installation path:
```
# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"
```

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:
```
# rm -rf $WAZUH_HOME
```

Delete the service:

# find /sbin/{init.d,rc*.d} -name "*wazuh*" | xargs rm -f

Remove the Wazuh user and group

# userdel wazuh 2> /dev/null
# groupdel wazuh 2> /dev/null

To uninstall the Wazuh agent, set WAZUH_HOME to the current installation path:
```
# WAZUH_HOME="/WAZUH/INSTALLATION/PATH"
```

Stop the service:

# service wazuh-agent stop 2> /dev/null

Stop the daemon:

# $WAZUH_HOME/bin/wazuh-control stop 2> /dev/null

Remove the installation folder and all its content:
```
# rm -rf $WAZUH_HOME
```

Delete the service:

# find /etc/{init.d,rc*.d} -name "*wazuh*" | xargs rm -f

Remove Wazuh user and group:

# userdel wazuh 2> /dev/null
# groupdel wazuh 2> /dev/null

Deployment with Ansible

Ansible is an open source platform designed for automating tasks. It comes with Playbooks, a descriptive language based on YAML, that makes it easy to create and describe automation jobs. Also, Ansible communicates with every host over SSH, making it very secure. See Ansible Overview for more info.

Contents

Installation Guide

The objective of this section is to guide users in the installation of an environment consisting of a Wazuh indexer, dashboard, manager, and Wazuh agents, in a simple and intuitive way using the Ansible deploy tool.

Ansible is an open source software that automates software provisioning, configuration management, and application deployment.

Requirements

Before we get started with Ansible, confirm the following requirements are met:

Private network DNS: If you intend to use hostname instead of IP Address for remote endpoints definitions, be sure you have correctly set up your DNS server and that it corresponds to the FQDN of your endpoints. Otherwise, use your hosts file.
Firewall settings: Ansible can work with any TCP port. By default, it uses TCP/22 port to work with Linux endpoints. Ensure this port is open in endpoints and/or firewalls. In addition, you need to use and configure iptables, firewalld, ufw, Security Groups, or any other firewall settings.
Required open ports: You can access the Required ports list to find out which ports you need to communicate the Wazuh components with external services such as Ansible.

Install Ansible

In this section, we will proceed to install the Ansible server. To be able to deploy using Ansible, we need to have the tool installed on a single server. From this control server, Ansible will access other endpoints and execute the playbooks configured for any type of deployment or installation.

In the example we will follow in this guide, we have the following infrastructure.

Ansible server
Wazuh server
Wazuh agent

Note

OpenSSH Compatibility: Ansible version 1.3 and later uses native OpenSSH for remote communication.

Installation on CentOS/RHEL/Fedora

Install the EPEL repository:
```
# yum -y install epel-release
```
Install Ansible:
```
# yum install ansible
```

Install Ansible using pip.

# pip3 install --upgrade --ignore-installed pip setuptools --user
# python3 -m pip install --user ansible

Installation on Debian/Ubuntu

For Debian and Ubuntu, we will use the Ansible PPA repository. The steps are as follows:

Install required dependencies:

# apt-get update
# apt-get install lsb-release software-properties-common gnupg

Setup ansible repository:

# apt-add-repository -y ppa:ansible/ansible
# apt-get update

# echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" | sudo tee -a /etc/apt/sources.list.d/ansible-debian.list
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
# apt-get update

Finally, install ansible:
```
# apt-get install ansible
```

Remote Connection

Ansible is an agentless automation platform. Hence, it relies on SSH connections to make deployments to remote endpoints. These connections can be made from the Ansible server using SSH key-pairing.

Configuring SSH key-pairing

Our Ansible server will need to connect to the other endpoints. Let’s see how to make this connection between our ansible server and the machine where we will install the Wazuh server. This procedure has to be repeated for each machine we want to connect to the Ansible server. For example, the endpoints where Wazuh agents will be deployed.

The first step is to generate the SSH authentication key pair for the root user of the Ansible server using the ssh-keygen tool.
1. Switch to root and navigate to the $HOME directory of the Ansible server.
```
$ sudo su
# cd ~
```
2. Generate an authentication key pair for SSH. If you wish to, you can include a passphrase.
```
# ssh-keygen
```
3. Check the permissions of the generated keys.
```
# ls -la ~/.ssh
```
  id_rsa must have restrictive permissions (600 or “- r w - - - - - - -“).
```
drwx------. 2 root root   57 Mar 18 10:06 .
dr-xr-x---. 5 root root  210 Mar 18 08:44 ..
-rw-------. 1 root root 1675 Mar 18 12:34 id_rsa
-rw-r--r--. 1 root root  408 Mar 18 12:34 id_rsa.pub
-rw-r--r--. 1 root root  175 Mar 18 10:14 known_hosts
```
  In addition, the /root/.ssh/ directory must have its permissions set to 700 (d r w x - - - - - -). The permissions can be set using the command below:
```
# chmod 700 ~/.ssh/
```
Now, proceed to copy the public key of the Ansible server to the ~/.ssh/authorized_keys file in the $HOME directory of the remote system (the Wazuh server in this example).
1. On the remote system, install openssh-server if it is not installed.
  # yum install openssh-server
  # apt-get install openssh-server
2. Start the SSH service.
  # systemctl start sshd
  # service sshd start
3. Move to the $HOME directory of the remote system.
```
$ cd ~
```
4. Check for the .ssh directory. If it does not exist, create the .ssh directory and assign the appropriate permissions to it:
```
$ mkdir .ssh
$ chmod 700 .ssh/
```
5. If the authorized_keys file does not exist in the .ssh/ directory, create it with the appropriate permissions, otherwise public key authentication will not work properly:
```
$ touch .ssh/authorized_keys
$ chmod 644 .ssh/authorized_keys
```
Return to the Ansible server and add the public key (id_rsa.pub) of the Ansible server to the ~/.ssh/authorized_keys file in the $HOME directory of the Wazuh server using SSH.
1. From the Ansible server, run the following command:
```
# cat ~/.ssh/id_rsa.pub | ssh <USERNAME>@<REMOTE_SERVER_IP_ADDRESS> "cat >> ~/.ssh/authorized_keys"
```
2. When we read the Wazuh server ~/.ssh/authorized_keys, we can see it contains the public key of the ansible server.
```
$ cat .ssh/authorized_keys
```
Before the public key authentication mechanism can be tested, we have to verify that the SSH configuration on the remote endpoint allows it. To do this, open the file /etc/ssh/sshd_config on the Wazuh server.
```
# vi /etc/ssh/sshd_config
```
1. Check that the following lines are uncommented:
  
  PubkeyAuthentication yes
  
  AuthorizedKeysFile .ssh/authorized_keys
2. Restart the ssh service.
  # systemctl restart sshd
  # service sshd restart
3. Verify that the authentication with the public key works. Test from the Ansible server.
```
# ssh <USERNAME>@<REMOTE_SERVER_IP_ADDRESS>
```
  It is expected that we will gain access without having to enter a password.

Windows endpoints

Windows endpoints are supported by Ansible from version 1.7 via the remote execution of PowerShell. As opposed to Linux endpoints, it is necessary to do some pre-work before being able to use Ansible on Windows endpoints. Please refer to the Windows Guide in the official documentation of Ansible.

The following minimum requirements should be met to use Ansible on Windows endpoints:

Windows versions under current and extended support from Microsoft. Ansible can manage desktop OSs including Windows 7, 8.1, and 10, and server OSs including Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019.
PowerShell 3.0 or newer.
At least .NET version 4.0 should be installed on the Windows endpoint.
A WinRM listener should be created and activated.

Before deploying on your Windows endpoints, you must set Ansible to use port 5986 . Edit the /etc/ansible/hosts file and add a configuration block for the Windows agents. For example:

[windows_agents]
agent1 ansible_host=<WAZUH_AGENT_1_IP_ADDRESS> ansible_port=5986
agent2 ansible_host=<WAZUH_AGENT_2_IP_ADDRESS> ansible_port=5986
agent3 ansible_host=<WAZUH_AGENT_3_IP_ADDRESS> ansible_port=5986

Where:

windows_agents is a host group name for the Windows agents.
agent1, agent2, and agent3 are names for each host.

Make sure to replace these values with your Windows agents actual data. Add and remove lines accordingly.

Testing the Ansible connection to remote endpoints

Add endpoints for management by Ansible.

This is done by including the hostname or IP Address in /etc/ansible/hosts on our Ansible server. In this case, we intend to use the Ansible playbooks to deploy the Wazuh indexer, dashboard, and manager on one server (all-in-one deployment).

We proceed to add the following entry to the /etc/ansible/hosts file:
```
[all_in_one]
<REMOTE_SERVER_IP_ADDRESS> ansible_ssh_user=<USERNAME>
```
Note

Python 3 usage: In some systems, such as Ubuntu 18, we may have problems with the use of Python interpreter due to its version and the default path where Ansible checks for it. If this happens, we must add the following line to the Ansible host file:

<ENDPOINT_IP_ADDRESS> ansible_ssh_user=<SSH_USER>

ansible_python_interpreter=/usr/bin/python3

Attempt a connection with the remote endpoints using the ping module.

# ansible all -m ping

The expected output is:

<REMOTE_SERVER_IP_ADDRESS> | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

This way, we confirm that the Ansible server reaches the remote system.

Playbooks and Roles

We can obtain the necessary playbooks and roles for the installation of the Wazuh server components, and Wazuh agents by cloning the wazuh-ansible repository in /etc/ansible/roles.

On the Ansible server, the following commands are run:

# cd /etc/ansible/roles/
# sudo git clone --branch v5.0.0 https://github.com/wazuh/wazuh-ansible.git
# ls

wazuh-ansible

Install Wazuh indexer and dashboard

In the Wazuh Ansible repository, we can find the playbooks and roles necessary to install the Wazuh indexer and dashboard components. The Ansible server must have access to the indexer and dashboard server.

Warning

In previous versions of this guide, playbooks were used pointing to roles to install Opendistro. Starting with Wazuh v.4.3.0 those roles have been replaced by the Wazuh indexer and dashboard.

1 - Accessing the wazuh-ansible directory

We access the contents of the directory on the Ansible server where we have cloned the repository to. We can see the roles we have by running the command below in the cloned directory:

# cd /etc/ansible/roles/wazuh-ansible/
# tree roles -d

roles
├── ansible-galaxy
│   └── meta
└── wazuh
  ├── ansible-filebeat-oss
  │   ├── defaults
  │   ├── handlers
  │   ├── meta
  │   ├── tasks
  │   └── templates
  ├── ansible-wazuh-agent
  │   ├── defaults
  │   ├── handlers
  │   ├── meta
  │   ├── tasks
  │   └── templates
  ├── ansible-wazuh-manager
  │   ├── defaults
  │   ├── files
  │   │   └── custom_ruleset
  │   │       ├── decoders
  │   │       └── rules
  │   ├── handlers
  │   ├── meta
  │   ├── tasks
  │   ├── templates
  │   └── vars
  ├── wazuh-dashboard
  │   ├── defaults
  │   ├── handlers
  │   ├── tasks
  │   ├── templates
  │   └── vars
  └── wazuh-indexer
      ├── defaults
      ├── handlers
      ├── meta
      ├── tasks
      └── templates

And we can see the preconfigured playbooks we have by running the command below.:

root@ansible:/etc/ansible/roles/wazuh-ansible# tree playbooks/

playbooks
├── ansible.cfg
├── wazuh-agent.yml
├── wazuh-dashboard.yml
├── wazuh-indexer.yml
├── wazuh-manager-oss.yml
├── wazuh-production-ready.yml
└── wazuh-single.yml

Using the dashboard and indexer roles, we will install and configure the Wazuh dashboard and indexer components. Let’s see below, the content of the playbook /etc/ansible/roles/wazuh-ansible/playbooks/wazuh-indexer.yml.

---
- hosts: wi_cluster
roles:
  - role: ../roles/wazuh/wazuh-indexer

vars:
  instances:           # A certificate will be generated for every node using the name as CN.
    node1:
      name: node-1
      ip: <node-1 IP>
      role: indexer
    node2:
      name: node-2
      ip: <node-2 IP>
      role: indexer
    node3:
      name: node-3
      ip: <node-3 IP>
      role: indexer

Let’s see below, the content of the playbook /etc/ansible/roles/wazuh-ansible/playbooks/wazuh-dashboard.yml

---
- hosts: wi1
  roles:
    - role: ../roles/wazuh/wazuh-dashboard
  vars:
    ansible_shell_allow_world_readable_temp: true

These files are designed to run the installations of each service individually.

Let's take a closer look at the content.

The line hosts: indicates the endpoints where the commands of the playbook will be executed.
The roles: section indicates the roles that will be executed on the hosts.

There are several variables we can use to customize the installation or configuration. If we want to change the default configuration:

We can change the following files:
- /etc/ansible/roles/wazuh-ansible/roles/wazuh/wazuh-dashboard/defaults/main.yml
- /etc/ansible/roles/wazuh-ansible/roles/wazuh/wazuh-indexer/defaults/main.yml
Alternatively, we also can create another YAML file with the content we want to change for each role. We can find more information about the roles below:
- Wazuh indexer role.
- Wazuh dashboard role.

More details on default configuration variables can be found in the variables references section.

2 - Preparing to run the playbook

We can configure the indexer and dashboard files and execute them individually, or create a single file that executes the installation of the services in our all in one Wazuh server. In this case, we choose to use a single file to execute the installation.

Create the file wazuh-indexer-and-dashboard.yml in the playbooks directory.

# touch playbooks/wazuh-indexer-and-dashboard.yml

Fill it with the content below:

- hosts: all_in_one
  roles:
    - role: ../roles/wazuh/wazuh-indexer
      perform_installation: false
  become: no
  vars:
    indexer_node_master: true
    instances:
      node1:
        name: node-1       # Important: must be equal to indexer_node_name.
        ip: 127.0.0.1
        role: indexer
  tags:
    - generate-certs

- hosts: all_in_one
  become: yes
  become_user: root
  roles:
    - role: ../roles/wazuh/wazuh-indexer
    - role: ../roles/wazuh/wazuh-dashboard

  vars:
    single_node: true
    indexer_network_host: 127.0.0.1
    ansible_shell_allow_world_readable_temp: true
    instances:           # A certificate will be generated for every node using the name as CN.
      node1:
        name: node-1
        ip: 127.0.0.1
        role: indexer

As we can see, we have added the IP address of our dashboard and indexer server to the indexer_network_host entry.

3 - Running the playbook

Now, It seems that we are ready to run the playbook and start the installation. However, some of the operations to be performed on the remote systems will need sudo permissions. We can solve this in several ways, such as entering the password when Ansible requests it or using the become option (to avoid entering passwords one by one).

Let's run the playbook.

Switch to the playbooks folder on the Ansible server and proceed to run the command below:
```
# ansible-playbook wazuh-indexer-and-dashboard.yml -b -K
```
We can check the status of our new services on our Wazuh indexer and dashboard server.
- Wazuh indexer
```
# systemctl status wazuh-indexer
```
- Wazuh dashboard
```
# systemctl status wazuh-dashboard
```

Note

The Wazuh dashboard can be accessed by visiting https://<wazuh_server_IP>
The default credentials for Wazuh deployed using ansible is:

Username: admin

Password: changeme

These credentials should be changed using the password changing tool.

Install Wazuh manager

Once the Ansible repository has been cloned, we proceed to install the Wazuh manager. The installation will follow the steps below:

1 - Accessing the wazuh-ansible directory

We access the contents of the directory on the Ansible server where we have cloned the repository to. We can see the roles we have by running the command below in the cloned directory:

# cd /etc/ansible/roles/wazuh-ansible/
# tree roles -d

roles
├── ansible-galaxy
│   └── meta
└── wazuh
    ├── ansible-filebeat-oss
    │   ├── defaults
    │   ├── handlers
    │   ├── meta
    │   ├── tasks
    │   └── templates
    ├── ansible-wazuh-agent
    │   ├── defaults
    │   ├── handlers
    │   ├── meta
    │   ├── tasks
    │   └── templates
    ├── ansible-wazuh-manager
    │   ├── defaults
    │   ├── files
    │   │   └── custom_ruleset
    │   │       ├── decoders
    │   │       └── rules
    │   ├── handlers
    │   ├── meta
    │   ├── tasks
    │   ├── templates
    │   └── vars
    ├── wazuh-dashboard
    │   ├── defaults
    │   ├── handlers
    │   ├── tasks
    │   ├── templates
    │   └── vars
    └── wazuh-indexer
        ├── defaults
        ├── handlers
        ├── meta
        ├── tasks
        └── templates

And we can see the preconfigured playbooks we have by running the command below.:

# tree playbooks/

playbooks
├── ansible.cfg
├── wazuh-agent.yml
├── wazuh-dashboard.yml
├── wazuh-indexer.yml
├── wazuh-manager-oss.yml
├── wazuh-production-ready.yml
└── wazuh-single.yml

Using the ansible-wazuh-manager and ansible-filebeat-oss roles, we will install and configure the Wazuh manager, and Filebeat components.

Let’s see below, the content of the YAML file /etc/ansible/roles/wazuh-ansible/playbooks/wazuh-manager-oss.yml that we are going to run for a complete installation of the server.

# cat wazuh-manager-oss.yml

---
- hosts: managers
  roles:
    - role: ../roles/wazuh/ansible-wazuh-manager
    - role: ../roles/wazuh/ansible-filebeat-oss
      filebeat_output_indexer_hosts:
      - "<indexer-node-1>:9200"
      - "<indexer-node-2>:9200"
      - "<indexer-node-2>:9200"

Let's take a closer look at the content.

The first line hosts: indicates the machines where the commands below will be executed.
The roles: section indicates the roles that will be executed on the hosts mentioned above. Specifically, we are going to install the role of wazuh-manager (Wazuh manager + API) and the role of filebeat.
The parameter filebeat_output_indexer_hosts: indicates the host group of the Wazuh indexer cluster.

There are several variables we can use to customize the installation or configuration. If we want to change the default configuration:

We can change the following files:
- /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
- /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
Alternatively, we also can create another YAML file with the content we want to change for Filebeat and the Wazuh manager. We can find more information about the roles in this section

More details on default configuration variables can be found in the variables references section.

2 - Preparing to run the playbook

We can create a similar YAML file or modify the one we already have to adapt it to our configuration. In this case, we are going to modify the wazuh-manager-oss.yml file and include the IP address of the machine where we are going to install the Wazuh manager in the hosts section and the IP address of the machine where we installed the Wazuh indexer service to the filebeat_output_indexer_hosts field.

Our resulting file is:

---
- hosts: all_in_one
  roles:
    - role: ../roles/wazuh/ansible-wazuh-manager
    - role: ../roles/wazuh/ansible-filebeat-oss
      filebeat_node_name: node-1
      filebeat_output_indexer_hosts:
      - "127.0.0.1:9200"

3 - Running the playbook

Now, we are ready to run the playbook and start the installation. However, some of the operations to be performed on the remote systems will need sudo permissions. We can solve this in several ways, either by opting to enter the password when Ansible requests it or using the become option (to avoid entering passwords one by one).

Let’s run the playbook.
Switch to the playbooks folder on the Ansible server and proceed to run the command below:
# ansible-playbook wazuh-manager-oss.yml -b -K
We can check the status of the new services on our Wazuh server.
- Wazuh manager
  # systemctl status wazuh-manager
- Filebeat
  # systemctl status filebeat

Note

The Wazuh dashboard can be accessed by visiting https://<WAZUH_DASHBOARD_IP_ADDRESS>
The default credentials for Wazuh deployed using ansible is:

Username: admin

Password: changeme

These credentials should be changed using the password changing tool.

Install a Wazuh cluster

Wazuh can be deployed as a distributed cluster with Ansible playbooks. The installation will follow the steps below:

1 - Accessing the wazuh-ansible directory

We access the contents of the directory on the Ansible server where we have cloned the repository to. We can see the roles we have by running the command below in the cloned directory:

# cd /etc/ansible/roles/wazuh-ansible/
# tree roles -d

roles
├── ansible-galaxy
│   └── meta
└── wazuh
  ├── ansible-filebeat-oss
  │   ├── defaults
  │   ├── handlers
  │   ├── meta
  │   ├── tasks
  │   └── templates
  ├── ansible-wazuh-agent
  │   ├── defaults
  │   ├── handlers
  │   ├── meta
  │   ├── tasks
  │   └── templates
  ├── ansible-wazuh-manager
  │   ├── defaults
  │   ├── files
  │   │   └── custom_ruleset
  │   │       ├── decoders
  │   │       └── rules
  │   ├── handlers
  │   ├── meta
  │   ├── tasks
  │   ├── templates
  │   └── vars
  ├── wazuh-dashboard
  │   ├── defaults
  │   ├── handlers
  │   ├── tasks
  │   ├── templates
  │   └── vars
  └── wazuh-indexer
      ├── defaults
      ├── handlers
      ├── meta
      ├── tasks
      └── templates

And we can see the preconfigured playbooks we have by running the command below.:

# tree playbooks/

playbooks
├── ansible.cfg
├── wazuh-agent.yml
├── wazuh-dashboard.yml
├── wazuh-indexer.yml
├── wazuh-manager-oss.yml
├── wazuh-production-ready.yml
└── wazuh-single.yml

Using the wazuh-production-ready playbook, we will deploy a Wazuh manager and indexer cluster using Ansible.

Let’s see below, the content of the YAML file /etc/ansible/roles/wazuh-ansible/playbooks/wazuh-production-ready.yml that we are going to run for a complete installation of the server.

# cat wazuh-production-ready.yml

# Certificates generation
  - hosts: wi1
    roles:
      - role: ../roles/wazuh/wazuh-indexer
        indexer_network_host: "{{ private_ip }}"
        indexer_cluster_nodes:
          - "{{ hostvars.wi1.private_ip }}"
          - "{{ hostvars.wi2.private_ip }}"
          - "{{ hostvars.wi3.private_ip }}"
        indexer_discovery_nodes:
          - "{{ hostvars.wi1.private_ip }}"
          - "{{ hostvars.wi2.private_ip }}"
          - "{{ hostvars.wi3.private_ip }}"
        perform_installation: false
    become: no
    vars:
      indexer_node_master: true
      instances:
        node1:
          name: node-1       # Important: must be equal to indexer_node_name.
          ip: "{{ hostvars.wi1.private_ip }}"   # When unzipping, the node will search for its node name folder to get the cert.
          role: indexer
        node2:
          name: node-2
          ip: "{{ hostvars.wi2.private_ip }}"
          role: indexer
        node3:
          name: node-3
          ip: "{{ hostvars.wi3.private_ip }}"
          role: indexer
        node4:
          name: node-4
          ip: "{{ hostvars.manager.private_ip }}"
          role: wazuh
          node_type: master
        node5:
          name: node-5
          ip: "{{ hostvars.worker.private_ip }}"
          role: wazuh
          node_type: worker
        node6:
          name: node-6
          ip: "{{ hostvars.dashboard.private_ip }}"
          role: dashboard
    tags:
      - generate-certs

# Wazuh indexer cluster
  - hosts: wi_cluster
    strategy: free
    roles:
      - role: ../roles/wazuh/wazuh-indexer
        indexer_network_host: "{{ private_ip }}"
    become: yes
    become_user: root
    vars:
      indexer_cluster_nodes:
        - "{{ hostvars.wi1.private_ip }}"
        - "{{ hostvars.wi2.private_ip }}"
        - "{{ hostvars.wi3.private_ip }}"
      indexer_discovery_nodes:
        - "{{ hostvars.wi1.private_ip }}"
        - "{{ hostvars.wi2.private_ip }}"
        - "{{ hostvars.wi3.private_ip }}"
      indexer_node_master: true
      instances:
        node1:
          name: node-1       # Important: must be equal to indexer_node_name.
          ip: "{{ hostvars.wi1.private_ip }}"   # When unzipping, the node will search for its node name folder to get the cert.
          role: indexer
        node2:
          name: node-2
          ip: "{{ hostvars.wi2.private_ip }}"
          role: indexer
        node3:
          name: node-3
          ip: "{{ hostvars.wi3.private_ip }}"
          role: indexer
        node4:
          name: node-4
          ip: "{{ hostvars.manager.private_ip }}"
          role: wazuh
          node_type: master
        node5:
          name: node-5
          ip: "{{ hostvars.worker.private_ip }}"
          role: wazuh
          node_type: worker
        node6:
          name: node-6
          ip: "{{ hostvars.dashboard.private_ip }}"
          role: dashboard

# Wazuh cluster
  - hosts: manager
    roles:
      - role: "../roles/wazuh/ansible-wazuh-manager"
      - role: "../roles/wazuh/ansible-filebeat-oss"
        filebeat_node_name: node-4
    become: yes
    become_user: root
    vars:
      wazuh_manager_config:
        connection:
            - type: 'secure'
              port: '1514'
              protocol: 'tcp'
              queue_size: 131072
        api:
            https: 'yes'
        cluster:
            disable: 'no'
            node_name: 'master'
            node_type: 'master'
            key: 'c98b62a9b6169ac5f67dae55ae4a9088'
            nodes:
                - "{{ hostvars.manager.private_ip }}"
            hidden: 'no'
      wazuh_api_users:
        - username: custom-user
          password: SecretPassword1!
      filebeat_output_indexer_hosts:
              - "{{ hostvars.wi1.private_ip }}"
              - "{{ hostvars.wi2.private_ip }}"
              - "{{ hostvars.wi3.private_ip }}"

  - hosts: worker
    roles:
      - role: "../roles/wazuh/ansible-wazuh-manager"
      - role: "../roles/wazuh/ansible-filebeat-oss"
        filebeat_node_name: node-5
    become: yes
    become_user: root
    vars:
      wazuh_manager_config:
        connection:
            - type: 'secure'
              port: '1514'
              protocol: 'tcp'
              queue_size: 131072
        api:
            https: 'yes'
        cluster:
            disable: 'no'
            node_name: 'worker_01'
            node_type: 'worker'
            key: 'c98b62a9b6169ac5f67dae55ae4a9088'
            nodes:
                - "{{ hostvars.manager.private_ip }}"
            hidden: 'no'
      filebeat_output_indexer_hosts:
              - "{{ hostvars.wi1.private_ip }}"
              - "{{ hostvars.wi2.private_ip }}"
              - "{{ hostvars.wi3.private_ip }}"

# Wazuh dashboard node
  - hosts: dashboard
    roles:
      - role: "../roles/wazuh/wazuh-dashboard"
    become: yes
    become_user: root
    vars:
      indexer_network_host: "{{ hostvars.wi1.private_ip }}"
      dashboard_node_name: node-6
      wazuh_api_credentials:
        - id: default
          url: https://{{ hostvars.manager.private_ip }}
          port: 55000
          username: custom-user
          password: SecretPassword1!
      ansible_shell_allow_world_readable_temp: true

Let’s take a closer look at the content.

The first line hosts: indicates the machines where the commands below will be executed.
The roles: section indicates the roles that will be executed on the hosts mentioned above. Specifically, we are going to install the role of wazuh-manager (Wazuh manager + API) and the role of filebeat.
The parameter filebeat_output_indexer_hosts: indicates the host group of the Wazuh indexer cluster.

More details on default configuration variables can be found in the variables references section.

2 - Preparing to run the playbook

The YAML file wazuh-production-ready.yml will provision a production-ready distributed Wazuh environment. We will add the public and private IP addresses of the endpoints where the various components of the cluster will be installed to the Ansible hosts file. For this guide, the architecture includes 2 Wazuh nodes, 3 Wazuh indexer nodes, and a Wazuh dashboard node.

The contents of the host file is:

wi1 ansible_host=<wi1_ec2_public_ip> private_ip=<wi1_ec2_private_ip> indexer_node_name=node-1
wi2 ansible_host=<wi2_ec2_public_ip> private_ip=<wi2_ec2_private_ip> indexer_node_name=node-2
wi3 ansible_host=<wi3_ec2_public_ip> private_ip=<wi3_ec2_private_ip> indexer_node_name=node-3
dashboard  ansible_host=<dashboard_node_public_ip> private_ip=<dashboard_ec2_private_ip>
manager ansible_host=<manager_node_public_ip> private_ip=<manager_ec2_private_ip>
worker  ansible_host=<worker_node_public_ip> private_ip=<worker_ec2_private_ip>

[wi_cluster]
wi1
wi2
wi3

[all:vars]
ansible_ssh_user=centos
ansible_ssh_private_key_file=/path/to/ssh/key.pem
ansible_ssh_extra_args='-o StrictHostKeyChecking=no'

Let’s take a closer look at the content.

The ansible_host variable should contain the public IP address/FQDN for each node.
The private_ip variable should contain the private IP address/FQDN used for the internal cluster communications.
If the environment is located in a local subnet, ansible_host and private_ip variables should match.
The ansible_ssh variable specifies the ssh user for the nodes.

3 - Running the playbook

Let's run the playbook.

Switch to the playbooks folder on the Ansible server and proceed to run the command below:
```
# ansible-playbook wazuh-production-ready.yml -b -K
```

We can check the status of the new services on our respective nodes.

Wazuh indexer.
```
# systemctl status wazuh-indexer
```
Wazuh dashboard
```
# systemctl status wazuh-dashboard
```
Wazuh manager.
```
# systemctl status wazuh-manager
```
Filebeat.
```
# systemctl status filebeat
```

Note

The Wazuh dashboard can be accessed by visiting https://<WAZUH_DASHBOARD_IP_ADDRESS>
The default credentials for Wazuh deployed using ansible is:

Username: admin

Password: changeme

These credentials should be changed using the password changing tool.

Install Wazuh Agent

We can install the Wazuh agent on endpoints using the roles and playbooks available in the Wazuh Ansible repository. The Ansible server must have access to the endpoints where the agents are to be installed.

Note

SSH key-pairing should already be configured between the ansible deployment server and the endpoints.
Add the endpoints where the agent will be deployed in the Ansible hosts file under the [wazuh-agents] hosts group.

1 - Accessing the wazuh-ansible directory

We access the contents of the directory on the Ansible server where we have cloned the repository to. We can see the roles we have by running the command below in the cloned directory:

# cd /etc/ansible/roles/wazuh-ansible/
# tree roles -d

roles
├── ansible-galaxy
│   └── meta
└── wazuh
    ├── ansible-filebeat-oss
    │   ├── defaults
    │   ├── handlers
    │   ├── meta
    │   ├── tasks
    │   └── templates
    ├── ansible-wazuh-agent
    │   ├── defaults
    │   ├── handlers
    │   ├── meta
    │   ├── tasks
    │   └── templates
    ├── ansible-wazuh-manager
    │   ├── defaults
    │   ├── files
    │   │   └── custom_ruleset
    │   │       ├── decoders
    │   │       └── rules
    │   ├── handlers
    │   ├── meta
    │   ├── tasks
    │   ├── templates
    │   └── vars
    ├── wazuh-dashboard
    │   ├── defaults
    │   ├── handlers
    │   ├── tasks
    │   ├── templates
    │   └── vars
    └── wazuh-indexer
        ├── defaults
        ├── handlers
        ├── meta
        ├── tasks
        └── templates

And we can see the preconfigured playbooks we have by running the command below:

# tree playbooks/

playbooks
├── ansible.cfg
├── wazuh-agent.yml
├── wazuh-dashboard.yml
├── wazuh-indexer.yml
├── wazuh-manager-oss.yml
├── wazuh-production-ready.yml
└── wazuh-single.yml

For the agent deployment, we are going to use the role of wazuh-agent, which contains the necessary commands to install an agent and register it in our Wazuh environment. Below is the content of the YAML file /etc/ansible/roles/wazuh-ansible/playbooks/wazuh-agent.yml we are going to run for a complete installation of the Wazuh agent.

---
- hosts: <WAZUH_AGENT_IP_ADDRESS>
  become: yes
  become_user: root
  roles:
    - ../roles/wazuh/ansible-wazuh-agent
  vars:
    wazuh_managers:
      - address: <WAZUH_MANAGER_IP_ADDRESS>
        port: 1514
        protocol: tcp
        api_port: 55000
        api_proto: 'https'
        api_user: wazuh
        max_retries: 5
        retry_interval: 5

Let’s take a closer look at the content.

The first line hosts: indicates the machines where the commands in the playbook will be executed.
The roles: section indicates the roles that will be executed on the hosts specified. In this case, we are going to install the role of wazuh-agent.
The variables list wazuh_managers: indicates details for the connection with the Wazuh manager. This list overwrites the default configuration.

There are several variables we can use to customize the installation or configuration. If we want to change the default configuration:

We can change the /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-agent/defaults/main.yml file directly.
Alternatively, we can create another YAML file with the content we want to change in the configuration. If we want to do this, we can find more information about the Wazuh agent role.

More details on default configuration variables can be found in the variables references section.

2 - Preparing to run the playbook

We can create a similar YAML file or modify the one we already have to adapt it to our configuration. We will use the host group of the endpoints where we are going to install the Wazuh agent in the hosts section. In this case, it is wazuh-agents. Make sure to replace these values with your agents actual data. Add and remove lines accordingly. The hosts file will look like this:

[wazuh-agents]
agent_1 ansible_host=<WAZUH_MANAGER_IP_ADDRESS> ansible_ssh_user=<USERNAME>

[wazuh-agents]
agent_1 ansible_host=<WAZUH_MANAGER_IP_ADDRESS>

[wazuh-agents:vars]
ansible_user=<USERNAME>
ansible_password=<PASSWORD>
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_ssh_port=5986

We will also add the IP address of the Wazuh server to the wazuh_managers: section.

Our resulting file is:

---
- hosts: wazuh-agents
  become: yes
  become_user: root
  roles:
    - ../roles/wazuh/ansible-wazuh-agent
  vars:
    wazuh_managers:
      - address: <WAZUH_MANAGER_IP_ADDRESS>
        port: 1514
        protocol: tcp
        api_port: 55000
        api_proto: 'https'
        api_user: wazuh
        max_retries: 5
        retry_interval: 5

3 - Running the playbook

Let’s run the playbook.

Switch to the playbooks folder on the Ansible server and proceed to run the command below:
```
# ansible-playbook wazuh-agent.yml -b -K
```
Once the deployment completes, we can check the status of the Wazuh agent on the endpoints.
# systemctl status wazuh-agent
We can also view agent information from the Wazuh server.
# /var/ossec/bin/agent_control -l

Remote endpoints connection

Ansible is an agentless automation platform. Hence, it relies on SSH connections to make deployments to remote endpoints. We briefly explain two (2) methods SSH connections can be made from the Ansible server below.

Note

We recommend the passwords method, to avoid sharing your public SSH Key among several hosts.

Using passwords

Ansible does most of the work via SSH, and uses SSH authentication mechanisms. In order to establish a connection with remote endpoints, a username/password must be supplied. The following is a description of some useful options that can be used for SSH authentication with passwords in ansible:

-u <USER>   Set the connection user.
-k          Ask the password of the connection user.
-b          Execute task and operations with a privilege user.
-K          Ask for sudo password, intended for privilege escalation.

You can use the above arguments as follows:

# ansible -m setup all -u foo -k -b -K

This will set the connection user as foo. Also, it will ask for the connection user password and privileged user password.

Using SSH key-pairing

You can set up an SSH key-pair to provide a passwordless authentication mechanism. First, create an OpenSSH key-pair on the Ansible server:

# ssh-keygen

Note

To improve security on this setup, please ensure you provide a passphrase for this key.
Using ssh-agent, we can avoid repeatedly asking for the key password on every Ansible deployment. Ssh-agent will cache the key to be used in further actions, until you log out.

Adding the public key to remote systems

After creating the Ansible server key-pair, you need to add the public key to all remote endpoints to be managed. This can be done by following the steps below:

Move to the $HOME directory of the remote system.
```
$ cd ~
```
Check for the .ssh directory. If it does not exist, create the .ssh directory and assign the appropriate permissions to it:
```
$ mkdir .ssh
$ chmod 700 .ssh/
```
If the authorized_keys file does not exist in the .ssh/ directory, create it with the appropriate permissions, otherwise public key authentication will not work properly:
```
$ touch .ssh/authorized_keys
$ chmod 644 .ssh/authorized_keys
```
Check the permissions of the files in .ssh/.
```
$ ls -lath .ssh/
```
Return to the Ansible server and add the public key (id_rsa.pub) of the Ansible server to the ~/.ssh/authorized_keys file in the $HOME directory of the remote system using SSH. From the Ansible server, run the following command:
```
# cat ~/.ssh/id_rsa.pub | ssh centos@192.168.33.31 "cat >> ~/.ssh/authorized_keys"
```
When we read the remote endpoint ~/.ssh/authorized_keys, we can see it contains the public key of the ansible server.
```
$ cat ~/.ssh/authorized_keys
```

Ensure you know the user to store authorized_keys, this will be the user you use for any action via Ansible. Also, the user should be a sudo user.

Add endpoints for management

This can be done by including the hostname or IP Address of the target endpoint in /etc/ansible/hosts. Endpoints can also be grouped. This is useful for executing tasks and roles to several endpoints at once:

# cat /etc/ansible/hosts

[wazuh-agents]
hosts1.example.net
hosts2.example.net

Note

You can check the Ansible inventory documentation for more info regarding hosts and groups.

Testing the connection to remote endpoints

We can attempt to verify the connection with the remote endpoints using the ping module.

# ansible all -m ping

You will get an output like this.

hosts1.example.net | SUCCESS => {
  "changed": false,
  "ping": "pong"
}
hosts2.example.net | SUCCESS => {
  "changed": false,
  "ping": "pong"
}

If you see the above, then Ansible is fully usable.

Windows authentication

Windows hosts use a different mechanism to perform authentication. Please refer to Authentication Options in the Ansible documentation order to set up the adequate option.

Roles

You can use our preconfigured roles to deploy the Wazuh indexer and dashboard components, Wazuh Manager, and Wazuh Agents. First, clone our GitHub repository directly to your Ansible roles folder:

# cd /etc/ansible/roles
# git clone --branch v5.0.0 https://github.com/wazuh/wazuh-ansible.git

Below we briefly explain how to use these roles. Please check out the Ansible Playbook Documentation for more information on Ansible roles.

Contents

Wazuh indexer

This role is intended to deploy the Wazuh indexer to a specified node. The following variables can be used to customize the installation:

indexer_network_hosts: This defines the listening IP address (default: 127.0.0.1).
indexer_http_port: This defines the listening port (default: 9200).
indexer_jvm_xms: This specifies the amount of memory to be used for java (default: null).

To use the role in a playbook, a YAML file wazuh-indexer.yml can be created with the contents below:

- hosts: indexer
  roles:
  - wazuh-indexer

Custom variable definitions for different environments can be set. For example:

For a production environment, the variables can be saved in vars-production.yml:
```
indexer_network_host: '<WAZUH_INDEXER_PROD_IP_ADDRESS>'
```
For a development environment, the variables can be saved in vars-development.yml:
```
indexer_network_host: '<WAZUH_INDEXER_DEV_IP_ADDRESS>'
```

To run the playbook for a specific environment, the command below is run:

$ ansible-playbook wazuh-indexer.yml -e@vars-production.yml

The example above will install the Wazuh indexer and set the listening address to: <WAZUH_INDEXER_PROD_IP_ADDRESS> using vars-production.yml.

Please review the variables references section to see all variables available for this role.

Wazuh dashboard

This role deploys the Wazuh dashboard. You can customize the installation with the following variables:

indexer_network_host: This defines the Elasticsearch node IP address (default: 127.0.0.1).
indexer_http_port: This defines the Elasticsearch node listening port (default: 9200).
dashboard_server_host: This defines the Wazuh dashboard listening node address (default: 0.0.0.0).

To use the role in a playbook, a YAML file wazuh-dashboard.yml can be created with the contents below:

- hosts: dashboard
  roles:
    - wazuh-dashboard

Custom variable definitions for different environments can be set. For example:

For a production environment, the variables can be saved in vars-production.yml:
```
indexer_network_host: '<WAZUH_INDEXER_PROD_IP_ADDRESS>'
```
For a development environment, the variables can be saved in vars-development.yml:
```
indexer_network_host: '<WAZUH_INDEXER_DEV_IP_ADDRESS>'
```

To run the playbook for a specific environment, the command below is run:

$ ansible-playbook wazuh-dashboard.yml -e@vars-production.yml

The example above will install the Wazuh dashboard and configure <WAZUH_INDEXER_PROD_IP_ADDRESS> as the Indexer node.

Please review the variable references section to see all variables available for this role.

Filebeat

Filebeat can be used in conjunction with Wazuh Manager to send events and alerts to the Wazuh indexer. This role will install Filebeat, you can customize the installation with these variables:

filebeat_output_indexer_hosts: This defines the indexer node(s) to be used (default: 127.0.0.1:9200).

Please review the variables references section to see all variables available for this role.

Wazuh Manager

This role will install and configure the Wazuh Manager and API. There are several variables you can use to customize the installation or configuration. They include:

wazuh_manager_config_overlay: This enables configuring the manager by overlaying sections of configs on top of defaults (default: true)
wazuh_manager_json_output: This parameter specifies whether JSON output should be enabled or not (default: yes)
wazuh_manager_email_notification: This enables email notifications (default: no)
wazuh_manager_mailto: This parameter specifies email notifications recipients (array, defaults: admin@example.net)
wazuh_manager_email_smtp_server: This parameter specifies the SMTP server to be used by email notifications ( defaults: localhost)
wazuh_manager_email_from: This parameter specifies the email notification sender identifier ( defaults: wazuh@example.com)

To use the role in a playbook, a YAML file wazuh-manager.yml can be created with the contents below:

- hosts: wazuh-manager
  roles:
    - ansible-wazuh-manager
    - ansible-filebeat-oss

Custom variable definitions for different environments can be set when configuring the installation. For example: vars-production.yml:

filebeat_output_indexer_hosts: '<WAZUH_INDEXER_IP_ADDRESS>:9200'

wazuh_manager_fqdn: "wazuh-manager"

wazuh_manager_config_overlay: true
wazuh_manager_json_output: 'yes'
wazuh_manager_alerts_log: 'yes'
wazuh_manager_logall: 'no'
wazuh_manager_log_format: 'plain'

wazuh_manager_connection:
  - type: 'secure'
    port: '1514'
    protocol: 'tcp'

wazuh_manager_authd:
  enable: true
  port: 1515
  use_source_ip: 'no'
  force:
    - enabled: 'yes'
      disconnected_time:
        enabled: yes
        value: '1h'
      after_registration_time: '1h'
      key_mismatch: 'yes'
  purge: 'no'
  use_password: 'no'
  ssl_agent_ca: null
  ssl_verify_host: 'no'
  ssl_manager_cert: null
  ssl_manager_key: null
  ssl_auto_negotiate: 'no'

Agentless host credentials can be configured in the file: ansible-wazuh-manager/vars/agentless_creds.yml. Set as many as you need:

# Be sure you encrypt this file with ansible-vault.
agentless_creds:
 - type: ssh_integrity_check_linux
   frequency: 3600
   host: root@example1.net
   state: periodic
   arguments: '/bin /etc/ /sbin'
   passwd: qwerty
 - type: ssh_integrity_check_bsd
   frequency: 3600
   host: user@example2.net
   state: periodic
   arguments: '/bin /etc/ /sbin'
   passwd: qwerty

Finally, the authd service password can be set in the file ansible-wazuh-manager/vars/authd_pass.yml:

# Be sure you encrypt this file with ansible-vault
authd_pass: foobar

Warning

We recommend the use of Ansible Vault to protect Wazuh API and agentless credentials.

To run the playbook for a specific environment, the command below is run:

$ ansible-playbook wazuh-manager.yml -e@vars-production.yml

The example above will install Wazuh Manager and Filebeat, Filebeat will be configured to forward data to <WAZUH_INDEXER_IP_ADDRESS>:9200 as the Indexer node, also it will set various agentless hosts configurations including their credentials, the Wazuh API, and the authd will be configured as well.

Please review the variables references section to see all variables available for this role.

Wazuh Agent

This role is designed to install and configure the Wazuh Agent on different hosts. There are agent installer packages for Linux, macOS, and Windows machines. This role can also enroll the agent in the Wazuh Manager. Below are some variables you can use to customize the installation:

wazuh_managers: This specifies a list of Wazuh manager node(s) for Wazuh agents to report to.
wazuh_agent_authd: This specifies a set of options to register the Wazuh agent on the Wazuh server. This requires the wazuh-authd service to be running on the Wazuh server.

To use the role in a playbook, a YAML file wazuh-agent.yml can be created with the contents below:

- hosts: all:!wazuh-manager
  roles:
   - ansible-wazuh-agent

You can maintain different environments using a variable definition YAML file for each one:

For a production environment, the variables can be saved in vars-production.yml:

wazuh_managers:
  - address: <WAZUH_MANAGER_IP_ADDRESS>
    port: 1514
    protocol: udp
wazuh_agent_authd:
  registration_address: <WAZUH_MANAGER_IP_ADDRESS>
  enable: true
  port: 1515
  ssl_agent_ca: null
  ssl_auto_negotiate: 'no'

For a development environment, the variables can be saved in vars-development.yml:

wazuh_managers:
  - address: <WAZUH_MANAGER_IP_ADDRESS>
    port: 1514
    protocol: udp
wazuh_agent_authd:
  registration_address: <WAZUH_MANAGER_IP_ADDRESS>
  enable: true
  port: 1515
  ssl_agent_ca: null
  ssl_auto_negotiate: 'no'

To run the playbook for a specific environment, the command below is run:

$ ansible-playbook wazuh-agent.yml -e@vars-production.yml

The example above for a production environment will install a Wazuh agent in all host groups except the wazuh-manager group. Then, it will register them against the wazuh-manager with IP address 10.1.1.12.

Please review the variables references section to see all variables available for this role.

Variables references

Wazuh indexer

Variable: indexer_cluster_name
Description: Name of the Indexer cluster.
Default value: wazuh

Variable: indexer_node_name
Description: Name of the Indexer node.
Default value: node-1

Variable: indexer_http_port
Description: Indexer listening port.
Default value: 9200

Variable: indexer_network_host
Description: Indexer listening IP address.
Default value: 127.0.0.1

Variable: indexer_jvm_xms
Description: JVM heap size.
Default value: null

Wazuh dashboard

Variable: indexer_http_port
Description: Indexer node port.
Default value: 9200

Variable: indexer_network_host
Description: IP address or hostname of Indexer node.
Default value: 127.0.0.1

Variable: dashboard_server_host
Description: Listening IP address of the Wazuh dashboard.
Default value: 0.0.0.0

Variable: dashboard_server_port
Description: Listening port of the Wazuh dashboard.
Default value: 443

Variable: wazuh_version
Description: Wazuh dashboard compatible version to install.
Default value: 5.0.0

Filebeat

Variable: filebeat_version
Description: Filebeat version to install.
Default value: 7.10.2

Variable: filebeat_create_config
Description: Generate or not Filebeat config.
Default value: true

Variable: filebeat_output_indexer_hosts
Description: Indexer node(s) to send output.
Example:

filebeat_output_indexer_hosts:
- "localhost:9200"
- "10.1.1.10:9200"

Variable: filebeat_ssl_dir
Description: Set the folder containing SSL certs.
Default value: /etc/pki/root

Wazuh Manager

Variable: wazuh_manager_fqdn
Description: Set Wazuh Manager fqdn hostname.
Default value: wazuh-manager

Variable: wazuh_manager_config_overlay
Description: Indicates if the role(s) should perform a hash_behaviour=merge at role runtime, similar to role-distributed ansible.cfg. This provides support for a partially defined wazuh_manager_config while also moving on from the deprecated hash_behaviour.
Default value: true

Variable: wazuh_manager_json_output
Description: Configures the jsonout_output section in  ossec.conf. This is a string, not a bool.
Default value: yes

Variable: wazuh_manager_alerts_log
Description: Configures the alerts_log section in ossec.conf. This is a string, not a bool.
Default value: yes

Variable: wazuh_manager_logall
Description: Configures the logall section in ossec.conf. This is a string, not a bool.
Default value: yes

Variable: wazuh_manager_email_notification
Description: Configures the email_notification section in ossec.conf. This is a string, not a bool.
Default value: yes

Variable: wazuh_manager_mailto
Description: Configures the email_to items in ossec.conf.
Default value: [‘admin@example.net’]

Variable: wazuh_manager_email_smtp_server
Description: Configures the smtp_server section in ossec.conf.
Default value: smtp.example.wazuh.com

Variable: wazuh_manager_email_from
Description: Configures the email_from section in ossec.conf.
Default value: wazuh@example.wazuh.com

Variable: wazuh_manager_email_maxperhour
Description: Configures the email_maxperhour section in ossec.conf.
Default value: 12

Variable: wazuh_manager_email_queue_size
Description: Configures the queue_size section from ossec.conf.
Default value: 131072

Variable: wazuh_manager_email_log_source
Description: Configures the email_log_source section from ossec.conf.
Default value: alerts.log

Variable: wazuh_manager_globals
Description: Configures the white_list section from ossec.conf.
Default values:

wazuh_manager_globals:
  - '127.0.0.1'
  - '^localhost.localdomain$'
  - '127.0.0.53'

Variable: wazuh_manager_log_level
Description: Configures the log_alert_level section from ossec.conf.
Default value: 3

Variable: wazuh_manager_email_level
Description: Configures the email_alert_level section from ossec.conf.
Default value: 12

Variable: wazuh_manager_log_format
Description: Configures log_format inside logging section from ossec.conf.
Default value: plain

Variable: wazuh_manager_extra_emails
Description: Configures one or more email_alerts sections from ossec.conf.
Default values:

wazuh_manager_extra_emails:
  - enable: false
    mail_to: 'recipient@example.wazuh.com'
    format: full
    level: 7
    event_location: null
    group: null
    do_not_delay: false
    do_not_group: false
    rule_id: null

Variable: wazuh_manager_connection
Description: Configures one or more remote sections from ossec.conf.
Default values:

wazuh_manager_connection:
  - type: 'secure'
    port: '1514'
    protocol: 'tcp'
    queue_size: 131072

Variable: wazuh_manager_reports
Description: Configures one or more reports sections from ossec.conf.
Default values:

wazuh_manager_reports:
  - enable: false
    category: 'syscheck'
    title: 'Daily report: File changes'
    email_to: 'recipient@example.wazuh.com'
    location: null
    group: null
    rule: null
    level: null
    srcip: null
    user: null
    showlogs: null

Variable: wazuh_manager_rootcheck
Description: Configures the rootcheck section from ossec.conf.
Default value:

wazuh_manager_rootcheck:
  frequency: 43200

Variable: wazuh_manager_syscollector
Description: Configures the wodle item named syscollector from ossec.conf.
Default values:

wazuh_manager_syscollector:
  disable: 'no'
  interval: '1h'
  scan_on_start: 'yes'
  hardware: 'yes'
  os: 'yes'
  network: 'yes'
  packages: 'yes'
  ports_no: 'yes'
  processes: 'yes'
  users: 'yes'
  groups: 'yes'
  services: 'yes'
  browser_extensions: 'yes'

Variable: wazuh_manager_monitor_aws
Description: Configures the AWS S3 module item named aws-s3 from ossec.conf.
Default values:

wazuh_manager_monitor_aws:
  disabled: 'yes'
  interval: '10m'
  run_on_start: 'yes'
  skip_on_error: 'yes'
  s3:
    - name: null
      bucket_type: null
      path: null
      only_logs_after: null
      access_key: null
      secret_key: null

Variable: wazuh_manager_sca
Description: Configures the sca section from ossec.conf.
Default values:

wazuh_manager_sca:
  enabled: 'yes'
  scan_on_start: 'yes'
  interval: '12h'
  skip_nfs: 'yes'
  day: ''
  wday: ''
  time: ''

Variable: wazuh_manager_vulnerability_detection
Description: Configures the vulnerability-detection section from ossec.conf.
Default values:

wazuh_manager_vulnerability_detection:
  enabled: 'yes'
  indexer_status: 'yes'
  feed_update_interval: '60m'

wazuh_manager_indexer:
  enabled: 'yes'
  hosts: "{{ filebeat_output_indexer_hosts }}"

Variable: wazuh_manager_syscheck
Description: Configures the syscheck section from ossec.conf.
Default values:

wazuh_manager_syscheck:
  disable: 'no'
  frequency: 43200
  scan_on_start: 'yes'
  auto_ignore: 'no'
  ignore:
    - /etc/mtab
    - /etc/hosts.deny
    - /etc/mail/statistics
    - /etc/random-seed
    - /etc/random.seed
    - /etc/adjtime
    - /etc/httpd/logs
    - /etc/utmpx
    - /etc/wtmpx
    - /etc/cups/certs
    - /etc/dumpdates
    - /etc/svc/volatile
  ignore_linux_type:
    - '.log$|.swp$'
  no_diff:
    - /etc/ssl/private.key
  directories:
    - dirs: /etc,/usr/bin,/usr/sbin
      checks: ''
    - dirs: /bin,/sbin,/boot
      checks: ''
  auto_ignore_frequency:
    frequency: 'frequency="10"'
    timeframe: 'timeframe="3600"'
    value: 'no'
  skip_nfs: 'yes'
  skip_dev: 'yes'
  skip_proc: 'yes'
  skip_sys: 'yes'
  process_priority: 10
  max_eps: 50
  sync_enabled: 'yes'
  sync_interval: '5m'
  sync_max_interval: '1h'
  sync_max_eps: 10

Variable: wazuh_manager_commands
Description: Configures the command section from ossec.conf.
Default values:

wazuh_manager_commands:
  - name: 'disable-account'
    executable: 'disable-account'
    timeout_allowed: 'yes'
  - name: 'restart-wazuh'
    executable: 'restart-wazuh'
  - name: 'firewall-drop'
    executable: 'firewall-drop'
    timeout_allowed: 'yes'
  - name: 'host-deny'
    executable: 'host-deny'
    timeout_allowed: 'yes'
  - name: 'route-null'
    executable: 'route-null'
    timeout_allowed: 'yes'
  - name: 'win_route-null'
    executable: 'route-null.exe'
    timeout_allowed: 'yes'
  - name: 'netsh'
    executable: 'netsh.exe'
    timeout_allowed: 'yes'
  - name: 'netsh-win-2016'
    executable: 'netsh-win-2016.cmd'
    timeout_allowed: 'yes'

Variable: wazuh_manager_localfiles
Description: Configures the localfile section from ossec.conf for each platform.
Default values:

wazuh_manager_localfiles:
  common:
    - format: 'command'
      command: df -P
      frequency: '360'
    - format: 'full_command'
      command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
      alias: 'netstat listening ports'
      frequency: '360'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
    - format: 'syslog'
      location: '/var/ossec/logs/active-responses.log'
  debian:
    - format: 'syslog'
      location: '/var/log/auth.log'
    - format: 'syslog'
      location: '/var/log/syslog'
    - format: 'syslog'
      location: '/var/log/dpkg.log'
    - format: 'syslog'
      location: '/var/log/kern.log'
  centos:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'syslog'
      location: '/var/log/maillog'
    - format: 'audit'
      location: '/var/log/audit/audit.log'

Variable: wazuh_manager_syslog_outputs
Description: Configures the syslog_output section from ossec.conf.
Default values:

wazuh_manager_syslog_outputs:
  - server: null
    port: null
    format: null

Variable: wazuh_manager_integrations
Description: Configures the integration section from ossec.conf.
Default values:

wazuh_manager_integrations:
  # slack
  - name: null
    hook_url: '<hook_url>'
    alert_level: 10
    alert_format: 'json'
    rule_id: null
  # pagerduty
  - name: null
    api_key: '<api_key>'
    alert_level: 12

Variable: wazuh_manager_labels
Description: Configures the labels section from ossec.conf.
Default values:

wazuh_manager_labels:
  enable: false
  list:
    - key: Env
      value: Production

Variable: wazuh_manager_ruleset
Description: Configures the ruleset section from ossec.conf.
Default values:

wazuh_manager_ruleset:
  rules_path: 'custom_ruleset/rules/'
  decoders_path: 'custom_ruleset/decoders/'
  cdb_lists:
    - 'audit-keys'
    - 'security-eventchannel'
    - 'amazon/aws-eventnames'

Variable: wazuh_manager_rule_exclude
Description: Configures the rule_exclude section from ossec.conf.
Default values:

wazuh_manager_rule_exclude:
  - '0215-policy_rules.xml'

Variable: wazuh_manager_authd
Description: Configures the auth section from ossec.conf.
Default values:

wazuh_manager_authd:
  enable: true
  port: 1515
  use_source_ip: 'no'
  force_insert: 'yes'
  force_time: 0
  purge: 'yes'
  use_password: 'no'
  limit_maxagents: 'yes'
  ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
  ssl_agent_ca: null
  ssl_verify_host: 'no'
  ssl_manager_cert: 'sslmanager.cert'
  ssl_manager_key: 'sslmanager.key'
  ssl_auto_negotiate: 'no'

Variable: wazuh_manager_cluster
Configures the cluster section from ossec.conf.
Default values:

wazuh_manager_cluster:
  disable: 'yes'
  name: 'wazuh'
  node_name: 'manager_01'
  node_type: 'master'
  key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
  port: '1516'
  bind_addr: '0.0.0.0'
  nodes:
    - 'manager'
  hidden: 'no'

Variable: wazuh_manager_api
Description: Configures the Wazuh API file called api.yaml.
Default values:

wazuh_manager_api:
  bind_addr: 0.0.0.0
  port: 55000
  https: yes
  https_key: "server.key"
  https_cert: "server.crt"
  https_use_ca: False
  https_ca: "ca.crt"
  logging_level: "info"
  cors: no
  cors_source_route: "*"
  cors_expose_headers: "*"
  cors_allow_headers: "*"
  cors_allow_credentials: no
  cache: yes
  cache_time: 0.750
  access_max_login_attempts: 5
  access_block_time: 300
  access_max_request_per_minute: 300
  drop_privileges: yes
  experimental_features: no

Variable: wazuh_api_user
Description: Wazuh API credentials.
Example:

wazuh_api_user:
- foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/
- bar:$apr1$hXE97ag.$8m0koHByattiGKUKPUgcZ1

Warning

We recommend the use of Ansible Vault to protect Wazuh agentless and authd credentials.

Variable: wazuh_manager_config
Description: Stores the Wazuh Manager configuration. This variable is provided for backward compatibility. Newer deployments should use the newly introduced variables described above.
Example:

wazuh_manager_config:
  json_output: 'yes'
  alerts_log: 'yes'
  logall: 'no'
  log_format: 'plain'
  cluster:
    disable: 'yes'
    name: 'wazuh'
    node_name: 'manager_01'
    node_type: 'master'
    key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
    interval: '2m'
    port: '1516'
    bind_addr: '0.0.0.0'
    nodes:
      - '172.17.0.2'
      - '172.17.0.3'
      - '172.17.0.4'
    hidden: 'no'
  connection:
    - type: 'secure'
      port: '1514'
      protocol: 'tcp'
  authd:
    enable: true
    port: 1515
    use_source_ip: 'no'
    force_insert: 'yes'
    force_time: 0
    purge: 'no'
    use_password: 'no'
    ssl_agent_ca: null
    ssl_verify_host: 'no'
    ssl_manager_cert: 'etc/sslmanager.cert'
    ssl_manager_key: 'etc/sslmanager.key'
    ssl_auto_negotiate: 'no'
  email_notification: 'no'
  mail_to:
    - 'admin@example.net'
  mail_smtp_server: localhost
  mail_from: wazuh-manager@example.com
  extra_emails:
    - enable: false
      mail_to: 'admin@example.net'
      format: full
      level: 7
      event_location: null
      group: null
      do_not_delay: false
      do_not_group: false
      rule_id: null
  reports:
    - enable: false
      category: 'syscheck'
      title: 'Daily report: File changes'
      email_to: 'admin@example.net'
      location: null
      group: null
      rule: null
      level: null
      srcip: null
      user: null
      showlogs: null
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    ignore:
      - /etc/mtab
      - /etc/mnttab
      - /etc/hosts.deny
      - /etc/mail/statistics
      - /etc/random-seed
      - /etc/random.seed
      - /etc/adjtime
      - /etc/httpd/logs
      - /etc/utmpx
      - /etc/wtmpx
      - /etc/cups/certs
      - /etc/dumpdates
      - /etc/svc/volatile
    no_diff:
      - /etc/ssl/private.key
    directories:
      - dirs: /etc,/usr/bin,/usr/sbin
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
  rootcheck:
    frequency: 43200
  log_level: 1
  email_level: 12
  localfiles:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'command'
      command: 'df -P'
      frequency: '360'
    - format: 'full_command'
      command: 'netstat -tln | grep -v 127.0.0.1 | sort'
      frequency: '360'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
  globals:
    - '127.0.0.1'
    - '192.168.2.1'
  commands:
    - name: 'disable-account'
      executable: 'disable-account'
      timeout_allowed: 'yes'
    - name: 'restart-wazuh'
      executable: 'restart-wazuh'
      timeout_allowed: 'no'
    - name: 'win_restart-wazuh'
      executable: 'restart-wazuh.exe'
      timeout_allowed: 'no'
    - name: 'firewall-drop'
      executable: 'firewall-drop'
      timeout_allowed: 'yes'
    - name: 'host-deny'
      executable: 'host-deny'
      timeout_allowed: 'yes'
    - name: 'route-null'
      executable: 'route-null'
      timeout_allowed: 'yes'
    - name: 'win_route-null'
      executable: 'route-null.exe'
      timeout_allowed: 'yes'
  active_responses:
    - command: 'restart-wazuh'
      location: 'local'
      rules_id: '100002'
    - command: 'win_restart-wazuh'
      location: 'local'
      rules_id: '100003'
    - command: 'host-deny'
      location: 'local'
      level: 6
      timeout: 600
  syslog_outputs:
    - server: null
      port: null
      format: null

Variable: wazuh_agent_configs
Description: This stores the different settings and profiles for centralized agent configuration via Wazuh Manager.
Example:

- type: os
  type_value: Linux
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    ignore:
    - /etc/mtab
    - /etc/mnttab
    - /etc/hosts.deny
    - /etc/mail/statistics
    - /etc/svc/volatile
    no_diff:
      - /etc/ssl/private.key
    directories:
      - dirs: /etc,/usr/bin,/usr/sbin
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
  rootcheck:
    frequency: 43200
    cis_distribution_filename: null
  localfiles:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'syslog'
      location: '/var/log/maillog'
    - format: 'apache'
      location: '/var/log/httpd/error_log'
    - format: 'apache'
      location: '/var/log/httpd/access_log'
    - format: 'apache'
      location: '/var/ossec/logs/active-responses.log'
- type: os
  type_value: Windows
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    windows_registry:
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
        arch: 'both'
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
  localfiles:
    - format: 'Security'
      location: 'eventchannel'
    - format: 'System'
      location: 'eventlog'

Variable: cdb_lists
Description: Configure CDB lists used by the Wazuh Manager.
Example:

cdb_lists:
- name: 'audit-keys'
  content: |
    audit-wazuh-w:write
    audit-wazuh-r:read
    audit-wazuh-a:attribute
    audit-wazuh-x:execute
    audit-wazuh-c:command

Warning

We recommend the use of Ansible Vault to protect Wazuh agentless and authd credentials.

Variable: agentless_creds
Description: Credentials and host(s) to be used by agentless feature.
Example:

agentless_creds:
  - type: ssh_integrity_check_linux
    frequency: 3600
    host: root@example.net
    state: periodic
    arguments: '/bin /etc/ /sbin'
    passwd: qwerty

Warning

We recommend the use of Ansible Vault to protect Wazuh agentless and authd credentials.

Variable: authd_pass
Description: Wazuh authd service password.
Example:

authd_pass: foobar

Wazuh Agent

Variable: wazuh_managers
Description: Set the Wazuh Manager servers IP address, protocol, and port to be used by the agent. If a specific manager is used for registration, we can indicate which one it is by adding the register option set to true. If the register option is missing, the first manager on the list will be used for registration.
Example:

wazuh_managers:
- address: 172.16.24.56
  protocol: udp
  api_port: 55000
  api_proto: https
  api_user: wazuh
  max_retries: 5
  retry_interval: 5
- address: 192.168.10.15
  port: 1514
  protocol: tcp
  api_port: 55000
  api_proto: https
  api_user: wazuh
  max_retries: 5
  retry_interval: 5
  register: yes

Variable: wazuh_custom_packages_installation_agent_enabled:
Description: Configures the installation from custom packages.
Default value: false

Variable: wazuh_agent_sources_installation:
Description: Configures the installation via sources as an alternative to the installation from packages.
Example:

wazuh_agent_sources_installation:
    enabled: false
    branch: "v4.7.1"
    user_language: "y"
    user_no_stop: "y"
    user_install_type: "agent"
    user_dir: "/var/ossec"
    user_delete_dir: "y"
    user_enable_active_response: "y"
    user_enable_syscheck: "y"
    user_enable_rootcheck: "y"
    user_enable_sca: "y"
    user_enable_authd: "y"
    user_generate_authd_cert: "n"
    user_update: "y"
    user_binaryinstall: null
    user_agent_server_ip: 172.16.24.56
    user_agent_server_name: null
    user_agent_config_profile: null
    user_ca_store: /var/ossec/wpk_root.pem"

Variable: wazuh_agent_nolog_sensible:
Description: This variable indicates if the nolog option should be added to tasks which output sensitive information (like tokens).
Default value: yes

Variable: wazuh_agent_config_overlay:
Description: This variable apply an additional configuration combined with the default configuration.
Default value: yes

Variable: wazuh_agent_api_validate
Description: After registering the agent through the REST API, validate that registration is correct.
Default value: yes

Variable: wazuh_agent_address
Description: Establish which IP address we want to associate with this agent. It can be an address or “any” This variable will supersede wazuh_agent_nat.
Default value: ansible_default_ipv4.address

Variable: wazuh_profile_centos
Description: Configure what profiles this agent will have in case of CentOS systems.
Default value: centos7, centos7, centos7.7
Multiple profiles can be included, separated by a comma and a space, for example:

wazuh_profile: "centos7, centos7"

Variable: wazuh_profile_ubuntu
Description: Configure what profiles this agent will have in case of Ubuntu systems.
Default value: ubuntu, ubuntu18, ubuntu18.04
Multiple profiles can be included, separated by a comma and a space, for example:

wazuh_profile: "ubuntu, ubuntu18"

Variable: wazuh_auto_restart
Description: Set the <auto_restart> option in the agent.
Default value: null

Variable: wazuh_notify_time
Description: Set the <notify_time> option in the agent.
Default value: null

Variable: wazuh_crypto_method
Description: Set <crypto_method> option in the agent.
Default value: null

Variable: wazuh_time_reconnect
Description: Set <time-reconnect> option in the agent.
Default value: null

Variable: wazuh_winagent_config
Description: Set the Wazuh Agent installation regarding Windows hosts.
Example:

wazuh_winagent_config:
  download_dir: C:\
  install_dir: C:\Program Files\ossec-agent\
  install_dir_x86: C:\Program Files (x86)\ossec-agent\
  check_sha512: True

Variable: wazuh_agent_enrollment
Description: Configures the enrollment section in the agent ossec.conf.
Example:

wazuh_agent_enrollment:
  enabled: ''
  manager_address: ''
  port: 1515
  agent_name: 'testname'
  groups: ''
  agent_address: ''
  ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
  server_ca_path: ''
  agent_certificate_path: ''
  agent_key_path: ''
  authorization_pass_path: /var/ossec/etc/authd.pass
  auto_method: 'no'
  delay_after_enrollment: 20
  use_source_ip: 'no'

Variable: wazuh_agent_client_buffer
Description: Configures the client_buffer section from agent ossec.conf.
Example:

wazuh_agent_client_buffer:
  disable: 'no'
  queue_size: '5000'
  events_per_sec: '500'

Variable: wazuh_agent_rootcheck
Description: Configures the rootcheck section from agent ossec.conf.
Example:

wazuh_agent_rootcheck:
  frequency: 43200

Variable: wazuh_agent_syscollector
Description: Configures the wodle item named syscollector from ossec.conf.
Default values:

wazuh_agent_syscollector:
  disable: 'no'
  interval: '1h'
  scan_on_start: 'yes'
  hardware: 'yes'
  os: 'yes'
  network: 'yes'
  packages: 'yes'
  ports_no: 'yes'
  processes: 'yes'
  users: 'yes'
  groups: 'yes'
  services: 'yes'
  browser_extensions: 'yes'

Variable: wazuh_agent_sca
Description: Configures the sca section from ossec.conf.
Default values:

wazuh_agent_sca:
  enabled: 'yes'
  scan_on_start: 'yes'
  interval: '12h'
  skip_nfs: 'yes'
  day: ''
  wday: ''
  time: ''

Variable: wazuh_agent_syscheck
Description: Configures the syscheck section from ossec.conf.
Default values:

wazuh_agent_syscheck:
  frequency: 43200
  scan_on_start: 'yes'
  auto_ignore: 'no'
  win_audit_interval: 60
  skip_nfs: 'yes'
  skip_dev: 'yes'
  skip_proc: 'yes'
  skip_sys: 'yes'
  process_priority: 10
  max_eps: 50
  sync_enabled: 'yes'
  sync_interval: '5m'
  sync_max_interval: '1h'
  sync_max_eps: 10
  ignore:
    - /etc/mtab
    - /etc/hosts.deny
    - /etc/mail/statistics
    - /etc/random-seed
    - /etc/random.seed
    - /etc/adjtime
    - /etc/httpd/logs
    - /etc/utmpx
    - /etc/wtmpx
    - /etc/cups/certs
    - /etc/dumpdates
    - /etc/svc/volatile
  ignore_linux_type:
    - '.log$|.swp$'
  ignore_win:
    - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
  no_diff:
    - /etc/ssl/private.key
  directories:
    - dirs: /etc,/usr/bin,/usr/sbin
      checks: ''
    - dirs: /bin,/sbin,/boot
      checks: ''
  win_directories:
    - dirs: '%WINDIR%'
      checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"'
    - dirs: '%WINDIR%\SysNative'
      checks: >-
        recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|
        net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$"
    - dirs: '%WINDIR%\SysNative\drivers\etc%'
      checks: 'recursion_level="0"'
    - dirs: '%WINDIR%\SysNative\wbem'
      checks: 'recursion_level="0" restrict="WMIC.exe$"'
    - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0'
      checks: 'recursion_level="0" restrict="powershell.exe$"'
    - dirs: '%WINDIR%\SysNative'
      checks: 'recursion_level="0" restrict="winrm.vbs$"'
    - dirs: '%WINDIR%\System32'
      checks: >-
        recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|
        netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$"
    - dirs: '%WINDIR%\System32\drivers\etc'
      checks: 'recursion_level="0"'
    - dirs: '%WINDIR%\System32\wbem'
      checks: 'recursion_level="0" restrict="WMIC.exe$"'
    - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0'
      checks: 'recursion_level="0" restrict="powershell.exe$"'
    - dirs: '%WINDIR%\System32'
      checks: 'recursion_level="0" restrict="winrm.vbs$"'
    - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
      checks: 'realtime="yes"'
  windows_registry:
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Policies'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Security'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
      arch: "both"
    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
      arch: "both"
  windows_registry_ignore:
    - key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
    - key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
    - key: '\Enum$'
      type: "sregex"

Variable: wazuh_agent_localfiles
Description: Configures the localfile section from ossec.conf.
Default values:

wazuh_agent_localfiles:
  debian:
    - format: 'syslog'
      location: '/var/log/auth.log'
    - format: 'syslog'
      location: '/var/log/syslog'
    - format: 'syslog'
      location: '/var/log/dpkg.log'
    - format: 'syslog'
      location: '/var/log/kern.log'
  centos:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'syslog'
      location: '/var/log/maillog'
    - format: 'audit'
      location: '/var/log/audit/audit.log'
  linux:
    - format: 'syslog'
      location: '/var/ossec/logs/active-responses.log'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
    - format: 'command'
      command: df -P
      frequency: '360'
    - format: 'full_command'
      command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
      alias: 'netstat listening ports'
      frequency: '360'
  windows:
    - format: 'eventlog'
      location: 'Application'
    - format: 'eventchannel'
      location: 'Security'
      query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
    - format: 'eventlog'
      location: 'System'
    - format: 'syslog'
      location: 'active-response\active-responses.log'

Variable: wazuh_agent_labels
Description: Configures the labels section from ossec.conf.
Default values:

wazuh_agent_labels:
  enable: false
  list:
    - key: Env
      value: Production

Variable: wazuh_agent_active_response
Description: Configures the active-response section from ossec.conf.
Default values:

wazuh_agent_active_response:
  ar_disabled: 'no'
  ca_store: '/var/ossec/etc/wpk_root.pem'
  ca_store_win: 'wpk_root.pem'
  ca_verification: 'yes'

Variable: wazuh_agent_log_format
Description: Configures the log_format section from ossec.conf.
Default value: plain

Variable: wazuh_agent_config_defaults
Description: Wazuh Agent related configuration. This variable is provided for backward compatibility. Newer deployments should use the newly introduced variables described above.
Example:

wazuh_agent_config_defaults:
  repo: '{{ wazuh_repo }}'
  active_response: '{{ wazuh_agent_active_response }}'
  log_format: '{{ wazuh_agent_log_format }}'
  client_buffer: '{{ wazuh_agent_client_buffer }}'
  syscheck: '{{ wazuh_agent_syscheck }}'

  rootcheck: '{{ wazuh_agent_rootcheck }}'

  syscollector: '{{ wazuh_agent_syscollector }}'
  sca: '{{ wazuh_agent_sca }}'
  localfiles: '{{ wazuh_agent_localfiles }}'

  labels: '{{ wazuh_agent_labels }}'
  enrollment: '{{ wazuh_agent_enrollment }}'

Warning

We recommend the use of Ansible Vault to protect authd credentials.

Variable: authd_pass
Description: Wazuh authd credentials for agent registration.
Example:

authd_pass: foobar

Deployment with Puppet

Puppet is an open source software that automatically inspects, delivers, operates, and future-proofs all of your software, no matter where it is executed. It runs on many Unix-like systems as well as Microsoft Windows and includes its own declarative language to describe system configuration. It gives an alternative to install and configure Wazuh.

Contents

Set up Puppet

In this section, we will explain how to install the different instances of Puppet. For a more detailed guide, see the official Puppet documentation.

Before we get started with Puppet, confirm that the following network requirements are met:

Private network DNS: Forward and reverse DNS must be configured, and every server must have a unique hostname. If you do not have DNS configured, use your hosts file for name resolution. We assume you will use your private network for communication within your infrastructure.
Firewall open ports: The Puppet master must be reachable on TCP port 8140.

Note

We made this guide using Puppet version 7.16. You need root user privileges to run all the commands described below.

Contents

Installing Puppet master

Installation on CentOS/RHEL/Fedora

Install the Puppet yum repository and then the "puppetserver" package. See this index for the correct RPM file to install the Puppet repo for your Linux distribution. For example, to install Puppet 7 for RHEL 9, do the following:
```
# rpm -Uvh https://yum.puppetlabs.com/puppet7-release-el-9.noarch.rpm
# yum -y install puppetserver
```

Create a symbolic link between the installed binary file and your default binary file:

# ln -s /opt/puppetlabs/bin/puppet /usr/local/bin
# ln -s /opt/puppetlabs/server/bin/puppetserver /usr/local/bin

Installation on Debian/Ubuntu

The manifest supports the following releases for installing Wazuh.

Debian: 7 (wheezy), 8 (jessie), 9 (stretch), 10 (buster), 11 (bullseye), 12 (bookworm)
Ubuntu: 12.04 (Precise Pangolin), 14.04 (Trusty Tahr), 15.04 (Vivid Vervet), 15.10 (Wily Werewolf), 16.04 (Xenial Xerus), 16.10 (Yakkety Yak), 18.04 (Bionic Beaver), 20.04 (Focal Fossa), 22.04 (Jammy Jellyfish)

Install curl, apt-transport-https, and lsb-release:

# apt-get update
# apt-get install curl apt-transport-https lsb-release wget

Install the appropriate Puppet apt repository, and then the "puppetserver" package. See https://apt.puppetlabs.com to find the correct Debian file to install the Puppet 8 repo for your Linux distribution.
```
# wget https://apt.puppet.com/puppet7-release-focal.deb
# dpkg -i puppet7-release-focal.deb
# apt-get update
# apt-get install -y puppetserver
```

Create a symbolic link between the installed binary file and your default binary file:

# ln -s /opt/puppetlabs/bin/puppet /usr/local/bin
# ln -s /opt/puppetlabs/server/bin/puppetserver /usr/local/bin

Memory allocation

By default, Puppet Server will be configured to use 2GB of RAM. However, if you want to experiment with Puppet Server on a VM, you can safely allocate as little as 512MB of memory. You can edit the init config file to change Puppet Server memory allocation.

/etc/sysconfig/puppetserver

/etc/default/puppetserver

Replace 2g in the JAVA_ARGS variable with the memory you want to allocate to Puppet Server. For example, to allocate 1GB of memory, use JAVA_ARGS="-Xms1g -Xmx1g"; for 512MB, use JAVA_ARGS="-Xms512m -Xmx512m".

Configuration

Edit the /etc/puppetlabs/puppet/puppet.conf file to configure the Puppet server. Add the following settings to the [server] section. You need to create the section if it doesn't exist. If you have set up your own DNS, replace puppet and puppet-master with your Fully Qualified Domain Names (FQDNs).

[server]
server = puppet-master
dns_alt_names = puppet, puppet-master

Note

If you find templatedir=$confdir/templates in the config file, delete that line. It has been deprecated.

Start your Puppet Server:

# systemctl start puppetserver
# systemctl enable puppetserver
# systemctl status puppetserver

# service puppetserver start
# update-rc.d puppetserver

Note

For Ubuntu/Debian machines, in case puppetserver does not start due to a lack of memory. Edit the /etc/default/puppetserver config file. Modify the following line to change the memory size to 1GB or 512MB:

JAVA_ARGS="-Xms512m -Xmx512m -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"

Installing Puppet agent

This section explains how to install Puppet Agent. Follow this link to check the official installation guide.

We assume that you have already installed the apt or yum Puppet repository on your agent system in the same way that you did on your Puppet Server.

If you do not have DNS configured, use your hosts file for name resolution.

Edit the /etc/hosts file, and add the IP address and hostname of the Puppet master and agent:

<PUPPET_MASTER_IP> puppet puppet-master
<PUPPET_AGENT_IP> puppet-agent

Where:

PUPPET_MASTER_IP is the IP address of your Puppet master.
PUPPET_AGENT_IP is the IP address of your Puppet agent.

Installation on CentOS/RHEL/Fedora

See this index to find the correct rpm file to install the Puppet repo for your Linux distribution. For example, to install Puppet 7 for RHEL 9, do the following:

Install the Puppet yum repository and the puppet-agent package:

# rpm -Uvh https://yum.puppetlabs.com/puppet7-release-el-9.noarch.rpm
# yum -y install puppet-agent

Create a symbolic link between the installed binary file and your default binary file:
```
# ln -s /opt/puppetlabs/bin/puppet /usr/local/bin
```

Installation on Debian/Ubuntu

The manifest supports the following releases for installing Wazuh.

Debian: 7 (wheezy), 8 (jessie), 9 (stretch), 10 (buster), 11 (bullseye), 12 (bookworm)
Ubuntu: 12.04 (Precise Pangolin), 14.04 (Trusty Tahr), 15.04 (Vivid Vervet), 15.10 (Wily Werewolf), 16.04 (Xenial Xerus), 16.10 (Yakkety Yak), 18.04 (Bionic Beaver), 20.04 (Focal Fossa), 22.04 (Jammy Jellyfish), 24.04 (Noble Numbat).

Install curl, apt-transport-https and lsb-release:

# apt-get update
# apt-get install curl apt-transport-https lsb-release wget

Install the appropriate Puppet apt repository, and then the “puppet-agent” package. See https://apt.puppetlabs.com for the correct Debian file to install the Puppet repo for your Linux distribution.
```
# wget https://apt.puppet.com/puppet7-release-focal.deb
# dpkg -i puppet7-release-focal.deb
# apt-get update
# apt-get install -y puppet-agent
```
Create a symbolic link between the installed binary file and your default binary file:
```
# ln -s /opt/puppetlabs/bin/puppet /usr/local/bin
```

Installation on Windows

Download the Windows puppet-agent package.

This package bundles all of Puppet's prerequisites.

Note

This is the package for a Puppet 7.16 version agent. If another package is needed, go to the official directory where all packages are available for download.
Install Puppet.
1. Using the Windows GUI:
Execute the GUI with elevated privileges.

During installation, Puppet asks you for the hostname of your Puppet master server.

For standalone Puppet nodes that won't connect to a master, use the default hostname (puppet). You might also want to install it on the command line and set the agent startup mode to Disabled.

Once the installer finishes, Puppet will be installed and running.
1. Using command line:
  > msiexec /qn /norestart /i puppet-agent-<VERSION>-x64.msi
Specify /l*v install.txt to log the installation's progress to a file. You can also set several MSI properties to pre-configure Puppet as you install it.

Agent configuration

To configure the Puppet agent, edit the configuration file on the node.

/etc/puppetlabs/puppet/puppet.conf for Linux systems
C:\ProgramData\PuppetLabs\puppet\etc\puppet.conf for Windows systems

Add the server setting to the [main] section of the file. If you have set up your own DNS, replace puppet-master with the Fully Qualified Domain Name (FQDN) of your Puppet server.

[main]
server = puppet-master

Restart and check the status of the Puppet service:

# puppet resource service puppet ensure=running enable=true
# systemctl status puppet

Setting up Puppet certificates

To generate and sign a certificate, follow the next steps:

On the Puppet agent, run this command to generate an empty certificate:
```
# puppet agent -t
```
On the Puppet server side, list the current certificates that need approval:
```
# puppetserver ca list
```
It should output a list with your node hostname.
Approve the certificate on the Puppet server. Replace <PENDING_AGENT_NODE> with your agent's node name retrieved from the previous step:
```
# puppetserver ca sign --certname <PENDING_AGENT_NODE>
```
All certificates can be approved with this command:
```
# puppetserver ca sign --all
```

On the Puppet agent node, run this command to update the signed certificate:

# puppet agent -t

Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Notice: Requesting catalog from puppet-master:8140 (172.31.11.101)
Notice: Catalog compiled by ip-172-31-11-101.host
Info: Caching catalog for ip-172-31-0-23.host
Info: Applying configuration version '1757619362'
Notice: Applied catalog in 0.01 seconds

Note

Remember that private network DNS is a prerequisite for a successful certificate signing.

This section explains how to install puppet-master. Follow this link to check the official installation guide.

If you do not have DNS configured, you must use your hosts file for name resolution. Edit the /etc/hosts file and add the following:

<PUPPET_MASTER_IP> puppet puppet-master
<PUPPET_AGENT_IP> puppet-agent

Where:

PUPPET_MASTER_IP is the IP address of your Puppet master.
PUPPET_AGENT_IP is the IP address of your Puppet agent.

Wazuh Puppet module

This module has been authored by Nicolas Zin and updated by Jonathan Gazeley and Michael Porter. Wazuh has forked it with the purpose of maintaining it. Thank you to the authors for their contribution.

Install Wazuh module

Download and install the Wazuh module from Puppet Forge:

# puppet module install wazuh-wazuh --version 5.0.0

Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└─┬ wazuh-wazuh (v5.0.0)
  ├── puppet-archive (v8.0.0)
  ├── puppet-nodejs (v10.0.0)
  ├── puppet-selinux (v4.1.0)
  ├── puppet-zypprepo (v5.0.0)
  ├── puppetlabs-apt (v10.0.1)
  ├── puppetlabs-concat (v9.0.2)
  ├── puppetlabs-firewall (v8.1.7)
  ├─┬ puppetlabs-powershell (v6.0.1)
  │ └── puppetlabs-pwshlib (v1.2.3)
  └── puppetlabs-stdlib (v9.6.0)

This module is used to install and configure the Wazuh agent and manager.

Install a stack via Puppet

Single-node

You can use the manifest shown below to deploy a single-node stack. This stack consists of:

Wazuh dashboard
Wazuh indexer
Wazuh manager
Filebeat

To configure the manager before deployment, check the Wazuh puppet reference.

Install the following packages if missing on the Puppet agent. The Wazuh central components require these packages:

# apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later

# yum install libcap

# dnf install libcap

Create the stack.pp file on the Puppet master at /etc/puppetlabs/code/environments/production/manifests/ with the code below:

$discovery_type = 'single-node'
stage { 'certificates': }
stage { 'repo': }
stage { 'indexerdeploy': }
stage { 'securityadmin': }
stage { 'dashboard': }
stage { 'manager': }
Stage[certificates] -> Stage[repo] -> Stage[indexerdeploy] -> Stage[securityadmin] -> Stage[manager] -> Stage[dashboard]
Exec {
timeout => 0,
}
node "<PUPPET_MASTER>" {
class { 'wazuh::certificates':
  indexer_certs => [['node-1','127.0.0.1']],
  manager_certs => [['master','127.0.0.1']],
  dashboard_certs => ['127.0.0.1'],
  stage => certificates,
}
}
node "<PUPPET_AGENT>" {
class { 'wazuh::repo':
stage => repo,
}
class { 'wazuh::indexer':
  stage => indexerdeploy,
}
class { 'wazuh::securityadmin':
stage => securityadmin
}
class { 'wazuh::manager':
  stage => manager,
}
class { 'wazuh::filebeat_oss':
  stage => manager,
}
class { 'wazuh::dashboard':
  stage => dashboard,
}
}

Where:

PUPPET_MASTER is the hostname of the Puppet server where the Wazuh module was installed.
PUPPET_AGENT is the hostname of the Puppet agent.

Trigger a Puppet run on the Puppet server to generate the Wazuh certificates. Skip this step if you want the stack to run on the specified node once the run interval time, as set in puppet.conf elapses:
```
# puppet agent -t
```
Perform a Puppet run on the Puppet agent to start the deployment of the Wazuh stack. Skip this step if you want the stack to run on the specified node once the run interval time, as set in puppet.conf elapses:
```
# puppet agent -t
```

Note

The default login credentials are admin:admin. It is advised to change the password after installation.

Multi-node

Using the multi-node manifest below, you can deploy a distributed stack consisting of the following nodes on three servers or Virtual Machines (VMs).

3 indexer nodes
Manager master node
Manager worker node
Dashboard node

You must include the server's hostname where you are installing each application.

Install the following packages if missing. These packages are required by the Wazuh central components:

# apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later

# yum install libcap

# dnf install libcap

Create the stack.pp file at /etc/puppetlabs/code/environments/production/manifests/ with the code below:

$node1host   = '<WAZUH_INDEXER_NODE1>'
$node2host   = '<WAZUH_INDEXER_NODE2>'
$node3host   = '<WAZUH_INDEXER_NODE3>'
$masterhost    = '<WAZUH_MANAGER_MASTER>'
$workerhost    = '<WAZUH_MANAGER_WORKER>'
$dashboardhost = '<WAZUH_DASHBOARD>'
$indexer_node1_name = 'node1'
$indexer_node2_name = 'node2'
$indexer_node3_name = 'node3'
$master_name = 'master'
$worker_name = 'worker'
$cluster_size = '3'
$indexer_discovery_hosts = [$node1host, $node2host, $node3host]
$indexer_initial_cluster_manager_nodes = [$node1host, $node2host, $node3host]
$indexer_cluster_CN = [$indexer_node1_name, $indexer_node2_name, $indexer_node3_name]
# Define stage for order execution
stage { 'certificates': }
stage { 'repo': }
stage { 'indexerdeploy': }
stage { 'securityadmin': }
stage { 'dashboard': }
stage { 'manager': }
Stage[certificates] -> Stage[repo] -> Stage[indexerdeploy] -> Stage[securityadmin] -> Stage[manager] -> Stage[dashboard]
Exec {
timeout => 0,
}
node "puppet-server" {
class { 'wazuh::certificates':
  indexer_certs => [["$indexer_node1_name","$node1host" ],["$indexer_node2_name","$node2host" ],["$indexer_node3_name","$node3host" ]],
  manager_master_certs => [["$master_name","$masterhost"]],
  manager_worker_certs => [["$worker_name","$workerhost"]],
  dashboard_certs => ["$dashboardhost"],
  stage => certificates
}
class { 'wazuh::repo':
stage => repo
}
}
node "puppet-wazuh-indexer-node1" {
class { 'wazuh::repo':
stage => repo
}
class { 'wazuh::indexer':
  indexer_node_name => "$indexer_node1_name",
  indexer_network_host => "$node1host",
  indexer_node_max_local_storage_nodes => "$cluster_size",
  indexer_discovery_hosts => $indexer_discovery_hosts,
  indexer_initial_cluster_manager_nodes => $indexer_initial_cluster_manager_nodes,
  indexer_cluster_CN => $indexer_cluster_CN,
  stage => indexerdeploy
}
class { 'wazuh::securityadmin':
indexer_network_host => "$node1host",
stage => securityadmin
}
}
node "puppet-wazuh-indexer-node2" {
class { 'wazuh::repo':
stage => repo
}
class { 'wazuh::indexer':
  indexer_node_name => "$indexer_node2_name",
  indexer_network_host => "$node2host",
  indexer_node_max_local_storage_nodes => "$cluster_size",
  indexer_discovery_hosts => $indexer_discovery_hosts,
  indexer_initial_cluster_manager_nodes => $indexer_initial_cluster_manager_nodes,
  indexer_cluster_CN => $indexer_cluster_CN,
  stage => indexerdeploy
}
}
node "puppet-wazuh-indexer-node3" {
class { 'wazuh::repo':
stage => repo
}
class { 'wazuh::indexer':
  indexer_node_name => "$indexer_node3_name",
  indexer_network_host => "$node3host",
  indexer_node_max_local_storage_nodes => "$cluster_size",
  indexer_discovery_hosts => $indexer_discovery_hosts,
  indexer_initial_cluster_manager_nodes => $indexer_initial_cluster_manager_nodes,
  indexer_cluster_CN => $indexer_cluster_CN,
  stage => indexerdeploy
}
}
node "puppet-wazuh-manager-master" {
class { 'wazuh::repo':
stage => repo
}
class { 'wazuh::manager':
  ossec_cluster_name => 'wazuh-cluster',
  ossec_cluster_node_name => 'wazuh-master',
  ossec_cluster_node_type => 'master',
  ossec_cluster_key => '01234567890123456789012345678912',
  ossec_cluster_bind_addr => "$masterhost",
  ossec_cluster_nodes => ["$masterhost"],
  ossec_cluster_disabled => 'no',
  stage => manager
}
class { 'wazuh::filebeat_oss':
  filebeat_oss_indexer_ip => "$node1host",
  wazuh_node_name => "$master_name",
  stage => manager
}
}
node "puppet-wazuh-manager-worker" {
class { 'wazuh::repo':
stage => repo
}
class { 'wazuh::manager':
  ossec_cluster_name => 'wazuh-cluster',
  ossec_cluster_node_name => 'wazuh-worker',
  ossec_cluster_node_type => 'worker',
  ossec_cluster_key => '01234567890123456789012345678912',
  ossec_cluster_bind_addr => "$masterhost",
  ossec_cluster_nodes => ["$masterhost"],
  ossec_cluster_disabled => 'no',
  stage => manager
}
class { 'wazuh::filebeat_oss':
  filebeat_oss_indexer_ip => "$node1host",
  wazuh_node_name => "$worker_name",
  stage => manager
}
}
node "puppet-wazuh-dashboard" {
class { 'wazuh::repo':
stage => repo,
}
class { 'wazuh::dashboard':
  indexer_server_ip  => "$node1host",
  manager_api_host   => "$masterhost",
  stage => dashboard
}
}

Where:

WAZUH_INDEXER_NODE1 is the hostname of the Wazuh indexer node1.
WAZUH_INDEXER_NODE2 is the hostname of the Wazuh indexer node2.
WAZUH_INDEXER_NODE3 is the hostname of the Wazuh indexer node3.
WAZUH_MANAGER_MASTER is the hostname of the Wazuh manager master node.
WAZUH_MANAGER_WORKER is the hostname of the Wazuh manager worker node.
WAZUH_DASHBOARD is the hostname of the Wazuh dashboard.

Note

ossec_cluster_key is a unique 32-character-long key. You can generate a unique key with the command openssl rand -hex 16.

The wazuh::certificates class must be applied on the Puppet server (puppet-server) where the Wazuh module is installed. This is necessary because the archives module distributes files to all servers in the Wazuh stack deployment.

If you need more Wazuh indexer nodes, add new variables. For example, WAZUH_INDEXER_NODE4. Add them to the following arrays:

indexer_discovery_hosts
indexer_initial_cluster_manager_nodes
indexer_cluster_CN
indexer_certs

In addition, you need to add a new node instance similar to WAZUH_INDEXER_NODE2 or WAZUH_INDEXER_NODE3. Unlike the example for WAZUH_INDEXER_NODE1, these instances don't run securityadmin.

In case you need to add a Wazuh manager worker server, add a new variable such as WAZUH_MANAGER_WORKER2. Add the variable to the manager_worker_certs array. For example, ['worker',"$worker2host"]. Then, replicate the node instance WAZUH_MANAGER_WORKER with the new server.

Trigger a Puppet run on the Puppet server to generate the Wazuh certificates. Skip this step if you want the stack to run on the specified node once the run interval time, as set in puppet.conf elapses:
```
# puppet agent -t
```
Perform a Puppet run on the Puppet agents to start the deployment of the Wazuh stack. Skip this step if you want the stack to run on the specified node once the run interval time, as set in puppet.conf elapses:
```
# puppet agent -t
```

Change password for Wazuh users

Follow the instructions in the Password Management section to change your Wazuh user passwords. Once you change them, set the new passwords within the classes used for deploying the Wazuh Stack.

Indexer users

admin user:

node "<PUPPET_AGENT_NODE_NAME>" {
  class { 'wazuh::filebeat_oss':
    filebeat_oss_elastic_password  => '<NEW_PASSWORD>'
  }
}

kibanaserver user:

node "<PUPPET_AGENT_NODE_NAME>" {
  class { 'wazuh::dashboard':
    dashboard_password => '<NEW_PASSWORD>'
  }
}

Wazuh API users

wazuh-wui user:

node "<PUPPET_AGENT_NODE_NAME>" {
  class { 'wazuh::dashboard':
    dashboard_wazuh_api_credentials => '<NEW_PASSWORD>'
  }
}

Install Wazuh agent via Puppet

The agent is configured by installing the wazuh::agent class. Here is an example of a manifest wazuh-agent.pp (please replace <MANAGER_IP_ADDRESS> with your manager IP address).

Install the following packages if missing on the Puppet agent. The Wazuh central components require these packages:

# apt-get install debhelper tar curl libcap2-bin #debhelper version 9 or later

# yum install libcap

# dnf install libcap

Create the wazuh_agent_stack.pp file at /etc/puppetlabs/code/environments/production/manifests/ with the contents below:
```
node "<PUPPET_AGENT_NODE_NAME>" {
  class { 'wazuh::repo':
  }
  class { "wazuh::agent":
    wazuh_register_endpoint => "<MANAGER_IP_ADDRESS>",
    wazuh_reporting_endpoint => "<MANAGER_IP_ADDRESS>"
  }
}
```
Where:
- WAZUH_AGENT_NODE_NAME is the hostname of the Wazuh agent host.
- MANAGER_IP_ADDRESS is the hostname of the Wazuh server node.
Perform a Puppet run on the Puppet agent to start the deployment of the Wazuh stack. Skip this step if you want the stack to run on the specified node once the run interval time, as set in puppet.conf elapses:
```
# puppet agent -t
```

Wazuh Puppet module reference

Sections

Variables

Functions

Vulnerability Detection

Content

Wazuh manager class

`class wazuh::manager`

This contains variables that can be used to configure the Wazuh manager.

Alerts

Parameter	Description	Default value	Data type
`$ossec_alert_level`	Sets the minimum severity level for alerts stored in `/var/ossec/logs/alerts.log` and/or `/var/ossec/logs/alerts.json`.	`3`	Integer
`$ossec_email_alert_level`	The threshold defines the minimum severity for a rule to fire an email alert. Some rules circumvent this threshold (`alert_email` option).	`12`	Integer

Authd configuration variables

Parameter	Description	Default value	Data type
`$ossec_auth_disabled`	Toggles the execution of the Auth daemon on or off.	`no`	String
`$ossec_auth_port`	Defines the TCP port number for listening to connections.	`1515`	Integer
`$ossec_auth_use_source_ip`	Toggles the use of the client's source IP address or the use of "any" to add an agent.	`yes`	String
`$ossec_auth_purgue`	Toggles the deletion of client keys on or off when agents are removed.	`yes`	String
`$ossec_auth_use_password`	Toggles shared password authentication on or off.	`no`	String
`$ossec_auth_ciphers`	Sets the list of ciphers for network communication using SSL.	`'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'`	String
`$ossec_auth_ssl_verify_host`	Toggles source host verification on and off when a CA certificate is specified. This means that the client source IP address will be validated using the Common Name field.	`no`	String
`$ossec_auth_ssl_manager_cert`	Specifies the full path to the server SSL certificate.	`/var/ossec/etc/sslmanager.cert`	String
`$ossec_auth_ssl_manager_key`	Specifies the full path to the server's SSL key.	`/var/ossec/etc/sslmanager.key`	String
`$ossec_auth_ssl_auto_negotiate`	Toggles whether or not to auto select the SSL/TLS method.	`yes`	String

Cluster variables

Parameter	Description	Default value	Data type
`$ossec_cluster_name`	Specifies the name of the cluster this node belongs to.	`wazuh`	String
`$ossec_cluster_node_name`	Specifies the name of the current node of the cluster.	`node01`	String
`$ossec_cluster_node_type`	Specifies the role of the node.	`master`	String
`$ossec_cluster_key`	Defines the key used to encrypt the communication between the nodes. This key must be `32` characters long.	`KEY`	String
`$ossec_cluster_port`	Specifies the port to use for the cluster communications.	`1516`	String
`$ossec_cluster_bind_addr`	Specifies which IP address will communicate with the cluster when the node has multiple network interfaces.	`0.0.0.0`	String
`$ossec_cluster_nodes`	Lists all master nodes in the cluster using the `<node>` tag for each one.	`['NODE_IP']`	String
`$ossec_cluster_hidden`	Toggles whether or not to show information about the cluster that generated an alert. If this is set to `yes`, information about the cluster that generated the event won't be included in the alert.	`no`	String
`$ossec_cluster_disabled`	Toggles whether the cluster is enabled or not. If this value is set to `yes`, the cluster won't start.	`yes`	String

Global variables

Parameter	Description	Default value	Data type
`$ossec_emailnotification`	Whether or not to send email notifications. If this variable is not set to `true`, the email tags will not be added to `/var/ossec/etc/ossec.conf`.	`false`	Boolean
`$ossec_emailto`	Email to address. `['user1@mycompany.com','user2@mycompany.com']` Depends on `ossec_emailnotification`	`['recipient@example.wazuh.com']`	List
`$ossec_smtp_server`	SMTP mail server. Depends on `ossec_emailnotification`	`smtp.example.wazuh.com`	String
`$ossec_emailfrom`	Email from address. Depends on `ossec_emailnotification`	`ossecm@example.wazuh.com`	String
`$ossec_email_maxperhour`	Global Configuration with the maximum number of emails per hour. Depends on `ossec_emailnotification`	`12`	Integer
`$ossec_email_log_source`	This selects the alert file to be read from. Depends on `ossec_emailnotification`	`'alerts.log'`	String
`$ossec_email_idsname`	Define email ID name	`undef`	String
`$ossec_white_list`	Allow white-listing of IP addresses.	`['127.0.0.1','localhost.localdomain$',` `'10.0.0.2']`	List
`$ossec_remote_connection`	Specifies a type of incoming connection to accept: secure or syslog.	`secure`	String
`$ossec_remote_port`	Specifies the port to use to listen for events.	`1514`	Integer
`$ossec_remote_protocol`	Specifies the protocol to use. It is available for secure connections and syslog events.	`tcp`	String
`$ossec_remote_local_ip`	Local IP address to use to listen for connections.	`undef`	String
`$ossec_remote_allowed_ips`	IP address that is allowed to send syslog messages to the server. Needed if `ossec_remote_connection` is set to `syslog`	`undef`	String
`$ossec_remote_queue_size`	Sets the capacity of the remote daemon queue in number of agent events. Added if `ossec_remote_connection` is set to `secure`	`131072`	String

Localfile variables

Parameter

Description

Default value

Data type

$ossec_local_files

Files list for log analysis

These files are listed in params_manager.pp in section $default_local_files.

n/a

List

Rootcheck variables

Parameter	Description	Default value	Data type
`$configure_rootcheck`	Enables rootcheck section render on this host.	`true`	Boolean
`$ossec_rootcheck_disabled`	Disable rootcheck on this host (Linux).	`no`	String
`$ossec_rootcheck_check_files`	Enable the rootcheck checkfiles option.	`yes`	String
`$ossec_rootcheck_check_trojans`	Enable rootcheck checktrojans option.	`yes`	String
`$ossec_rootcheck_check_dev`	Enable rootcheck checkdev option.	`yes`	String
`$ossec_rootcheck_check_sys`	Enable the rootcheck checksys option.	`yes`	String
`$ossec_rootcheck_check_pids`	Enable rootcheck checkpids option.	`yes`	String
`$ossec_rootcheck_check_ports`	Enable the rootcheck checkports option.	`yes`	String
`$ossec_rootcheck_check_if`	Enable rootcheck checkif option.	`yes`	String
`$ossec_rootcheck_frequency`	Specifies how often the rootcheck scan will run (in seconds).	`36000`	String
`$ossec_rootcheck_ignore_list`	List of files or directories to be ignored. These files and directories will be ignored during scans.	`[]`	String
`$ossec_rootcheck_rootkit_files`	Change the location of the rootkit files database.	`'etc/shared/rootkit_files.txt'`	String
`$ossec_rootcheck_rootkit_trojans`	Change the location of the rootkit trojan's database.	`'etc/shared/rootkit_trojans.txt'`	String
`$ossec_rootcheck_skip_nfs`	Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, `skip_nfs` will exclude checking files on CIFS or NFS mounts.	`yes`	String
`$ossec_rootcheck_system_audit`	Specifies the path to an audit definition file for Unix-like systems.	`[]`	String

Syscheck variables

Parameter	Description	Default value	Data type
`$configure_syscheck`	Enables syscheck section rendering on this host. If this variable is not set to true, the complete syscheck tag will not be added to `/var/ossec/etc/ossec.conf`.	`true`	Boolean
`$ossec_syscheck_disabled`	Disable syscheck on this host.	`no`	String
`$ossec_syscheck_frequency`	Enables the syscheck section render on this host.	`43200`	String
`$ossec_syscheck_scan_on_start`	Specifies if syscheck scans immediately when started.	`yes`	String
`$ossec_syscheck_auto_ignore`	Specifies whether or not syscheck will ignore files that change too many times (manager only).	`undef`	String
`$ossec_syscheck_directories_1`	List of directories to be monitored. The directories should be comma-separated	`'/etc,/usr/bin,/usr/sbin'`	String
`$ossec_syscheck_realtime_directories_1`	This will enable real-time/continuous monitoring on directories listed on `ossec_syscheck_directories_1`. The real-time settings work with directories, not individual files.	`no`	String
`$ossec_syscheck_whodata_directories_1`	This will enable who-data monitoring on directories listed on `ossec_syscheck_directories_1`.	`no`	String
`$ossec_syscheck_directories_2`	List of directories to be monitored. The directories should be comma-separated	`'/etc,/usr/bin,/usr/sbin'`	String
`$ossec_syscheck_realtime_directories_2`	This will enable real-time/continuous monitoring on directories listed on `ossec_syscheck_directories_2`. The real-time settings work with directories, not individual files.	`no`	String
`$ossec_syscheck_whodata_directories_2`	This will enable who-data monitoring on directories listed on `ossec_syscheck_directories_2`.	`no`	String
`$ossec_syscheck_report_changes_directories_2`	Report file changes. This is limited to text files at this time.	`no`	String
`$ossec_syscheck_ignore_list`	List of files or directories to be ignored. Ignored files and directories are still scanned, but the results are not reported.	`['/etc/mtab','/etc/hosts.deny','/etc/mail/statistics','/etc/random-seed','/etc/random.seed','/etc/adjtime','/etc/httpd/logs','/etc/utmpx','/etc/wtmpx','/etc/cups/certs','/etc/dumpdates','/etc/svc/volatile','/sys/kernel/security','/sys/kernel/debug','/dev/core',]`	List
`$ossec_syscheck_ignore_type_1`	Simple regex pattern to filter out files.	`'^/proc'`	String
`$ossec_syscheck_ignore_type_2`	Another simple regex pattern to filter out files.	`'.log$\|.swp$'`	String
`$ossec_syscheck_max_eps`	Sets the maximum event reporting throughput. Events are messages that will produce an alert.	`50`	String
`$ossec_syscheck_process_priority`	Sets the nice value for the syscheck process. The nice value determines how a process should be with CPU time; higher values make it wait more, lower values make it run faster.	`10`	String
`$ossec_syscheck_synchronization_enabled`	Specifies whether there will be periodic inventory synchronizations or not.	`yes`	String
`$ossec_syscheck_synchronization_interval`	Specifies the initial number of seconds between every inventory synchronization. If synchronization fails, the value will be duplicated until it reaches the value of max_interval.	`5m`	String
`$ossec_syscheck_synchronization_max_eps`	Sets the maximum synchronization message throughput.	`10`	String
`$ossec_syscheck_synchronization_max_interval`	Specifies the maximum number of seconds between every inventory synchronization.	`1h`	String
`$ossec_syscheck_skip_nfs`	Specifies if syscheck should scan mounted filesystems. This option works on Linux and FreeBSD systems. Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.	`yes`	String

Syslog output variables

Parameter	Description	Default value	Data type
`$syslog_output`	Allows a Wazuh manager to send the OSSEC alerts to one or more syslog servers. If this variable is not set to true, the complete `syslog_output` tag will not be added to `/var/ossec/etc/ossec.conf`.	`false`	Boolean
`$syslog_output_level`	The minimum level of the alerts to be forwarded. Depends on `syslog_output`	`2`	Integer
`$syslog_output_port`	The port to forward alerts to. Depends on `syslog_output`	`514`	Integer
`$syslog_output_server`	The IP address of the syslog server. Depends on `syslog_output` Required if `syslog_output` is set to `true`	`undef`	String
`$syslog_output_format`	Format of alert output. Depends on `syslog_output`	`undef`	String

Vulnerability Detection variables

Parameter	Description	Default value	Data type
`$configure_vulnerability_detection`	Enables Vulnerability detection section rendering on this host. If this variable is not set to true, the complete vulnerability-detection tag will not be added to `/var/ossec/etc/ossec.conf`.	`yes`	String
`$vulnerability_detection_enabled`	Enables the vulnerability detection module. Depends on `configure_vulnerability_detection`	`yes`	String
`$vulnerability_detection_index_status`	Enables indexing of vulnerability inventory data. Depends on `configure_vulnerability_detection`	`yes`	String
	Depends on `configure_vulnerability_detection`
`$vulnerability_detection_feed_update_interval`	Time interval for periodic feed updates. Depends on `configure_vulnerability_detection`	`60m`	String
`$configure_vulnerability_indexer`	Enables rendering of the Vulnerability detection indexer section on the specified host. If this variable is not true, the vulnerability-indexer tag will not be added to `/var/ossec/etc/ossec.conf`.	`yes`	String
`$vulnerability_indexer_enabled`	Enables the Vulnerability detection indexer module. Depends on `configure_vulnerability_indexer` Depends on `configure_vulnerability_indexer`	`yes`	String
`$vulnerability_indexer_hosts_host`	Host or IP of Wazuh indexer nodes. Depends on `configure_vulnerability_indexer`	`['127.0.0.1']`	String
`$vulnerability_indexer_hosts_port`	Port of Wazuh indexer. Depends on `configure_vulnerability_indexer`	`9200`	String
`$vulnerability_indexer_ssl_ca`	Path of CA certificate. Depends on `configure_vulnerability_indexer`	`/etc/filebeat/certs/root-ca.pem`	String
	Depends on `configure_vulnerability_indexer`
`$vulnerability_indexer_ssl_certificate`	Path of Filebeat certificate. Depends on `configure_vulnerability_indexer`	`/etc/filebeat/certs/filebeat.pem`	String
`$vulnerability_indexer_ssl_key`	Path of Filebeat key. Depends on `configure_vulnerability_indexer` Depends on `configure_vulnerability_indexer`	`/etc/filebeat/certs/filebeat-key.pem`	String

Wazuh API variables

Parameter	Description	Default value \| Data type
`$wazuh_api_host`	IP address or hostname of the Wazuh manager where the Wazuh API is running.	`['0.0.0.0', '::']` \| List
`$wazuh_api_port`	Port where the Wazuh API will listen.	`55000`	String
`$wazuh_api_https_enabled`	Enable or disable SSL (https) in the Wazuh API.	`true`	String
`$wazuh_api_https_key`	File with the private key.	`server.key (in api/configuration/ssl)`	String
`$wazuh_api_https_cert`	File with the certificate.	`server.crt (in api/configuration/ssl)`	String
`$wazuh_api_https_use_ca`	Whether to use a certificate from a Certificate Authority.	`false`	String
`$wazuh_api_https_ca`	Certificate of the Certificate Authority (CA).	`ca.crt (in api/configuration/ssl)`	String
`$wazuh_api_logs_level`	Sets the verbosity level of the Wazuh API logs.	`info`	String
`$wazuh_api_logs_format`	Set the format of the Wazuh API logs.	`plain`	String
`$wazuh_api_cors_enabled`	Enable or disable the use of CORS in the Wazuh API.	`false`	Boolean
`$wazuh_api_cors_source_route`	Sources for which the resources will be available. For example, `http://client.example.org`.	`"*"`	String
`$wazuh_api_cors_expose_headers`	Specifies which headers can be exposed as part of the response.	`"*"`	String
`$wazuh_api_cors_allow_headers`	Specifies which HTTP headers can be used during the actual request.	`"*"`	String
`$wazuh_api_cors_allow_credentials`	Tells browsers whether to expose the response to frontend JavaScript.	`false`	String
`$wazuh_api_cache_enabled`	Enables or disables caching for certain API responses (currently, all `/rules` endpoints)	`true`	String
`$wazuh_api_cache_time`	Time in seconds the cache lasts before expiring.	`0.75`	String
`$wazuh_api_access_max_login_attempts`	Set a maximum number of login attempts during a specified `block_time` number of seconds.	`5`	Integer
`$wazuh_api_access_block_time`	Established period of time (in seconds) to attempt login requests. If the established number of requests (`max_login_attempts`) is exceeded within this time limit, the IP address is blocked until the end of the block time period.	`300`	Integer
`$wazuh_api_access_max_request_per_minute`	Establish a maximum number of requests the Wazuh API can handle per minute (does not include authentication requests). If the number of requests for a given minute is exceeded, all incoming requests (from any user) will be blocked. This feature can be disabled by setting its value to 0.	`300`	Integer
`$wazuh_api_drop_privileges`	Run wazuh-api process as wazuh user	`true`	String
`$wazuh_api_experimental_features`	Enable features under development	`false`	String

Wodle Syscollector variables

Parameter	Description	Default value	Data type
`$wodle_syscollector_disabled`	Disable the Syscollector wodle.	`no`	String
`$wodle_syscollector_interval`	Time between system scans.	`1h`	String
`$wodle_syscollector_scan_on_start`	Run a system scan immediately when the service is started.	`yes`	String
`$wodle_syscollector_hardware`	Enables the hardware scan.	`yes`	String
`$wodle_syscollector_os`	Enables the OS scan.	`yes`	String
`$wodle_syscollector_network`	Enables the network scan.	`yes`	String
`$wodle_syscollector_packages`	Enables the scan of the packages.	`yes`	String
`$wodle_syscollector_ports`	Enables the port scan.	`yes`	String
`$wodle_syscollector_processes`	Enables the scan of the processes.	`yes`	String

Misc Variables

Parameter	Description	Default value	Data type
`$server_package_version`	Modifies the `client.pp` and `server.pp` Puppet configuration files to accept package versions as a parameter.	`5.0.0-1`	String
`$manage_repos`	Install Wazuh through Wazuh repositories.	`true`	Boolean
`$manage_client_keys`	Manage client keys option.	`true`	String
`$local_decoder_template`	Allow using a custom `/var/ossec/etc/decoders/local_decoder.xml` in the manager.	`wazuh/local_decoder.xml.erb`	String
`$local_rules_template`	Allow using a custom `/var/ossec/etc/rules/local_rules.xml` in the manager.	`wazuh/local_rules.xml.erb`	String
`$shared_agent_template`	Enable the configuration to deploy through `agent.conf`	`wazuh/ossec_shared_agent.conf.erb`	String

`function wazuh::email_alert`

Parameter	Description	Default value	Data type
`$alert_email`	Email to send to.	n/a	String
`$alert_group`	An array of rule group names.	n/a	List

Note

No email will be sent for alerts with a severity below the global $ossec_email_alert_level, unless the rule has alert_email set.

`function wazuh::command`

Parameter	Description	Default value \| Data type
`$command_name`	Human-readable name for `wazuh::activeresponse` usage.	n/a	String
`$command_executable`	Name of the executable. WAZUH comes preloaded with disable-account, host-deny, ipfw, pf, route-null, firewall-drop, wazuh-slack, restart-wazuh executables.	n/a	String
`$timeout_allowed`	Specifies whether Active response commands should timeout or not.	`true`	Boolean

`function wazuh::activeresponse`

Parameter	Description	Default value	Data type
`$active_response_name`	Human readable name for `wazuh::activeresponse` usage.	n/a	String
`$active_response_disabled`	Toggles the active-response capability on and off.	n/a	String
`$active_response_command`	Links the active-response to the command.	n/a	String
`$active_response_location`	It can be set to `local`, `server`, `defined-agent`, or `all`.	local	String
`$active_response_level`	Can take values between `0` and `16`.	n/a	Integer
`$active_response_agent_id`	Specifies the ID of the agent on which to execute the active response command (used when defined-agent is set).	n/a	Integrer
`$active_response_rules_id`	List of rule IDs.	[]	List
`$active_response_timeout`	Active Response block for a certain amount of time.	undef	Integer
`$active_response_repeated_offenders`	Sets timeouts in minutes for repeat offenders. This list of increasing timeouts can contain a maximum of 5 entries.	empty	List

Wazuh agent class

`class wazuh::agent`

This contains variables that can be used to configure the Wazuh agent.

Active-Response variables

Parameter	Description	Default value	Data type
`$configure_active_response`	Enables Active Response on this host.	`true`	Boolean
`$active_response_disabled`	Toggles the active-response capability on and off.	`no`	String
`$active_response_ca_verification`	This option enables or disables the WPK validation using the root CA certificate. If this parameter is set to no, the agent will accept any WPK package from the manager.	`yes`	String
`$active_response_repeated_offenders`	Sets timeouts in minutes for repeat offenders. This list of increasing timeouts can contain a maximum of 5 entries.	`[]`	Integer

Agent enrollment variables

Parameter	Description	Default value	Data type
`$wazuh_enrollment_enabled`	Enables/disables agent enrollment. If this variable is not set to '`yes` ', the complete enrollment tag will not be added to `/var/ossec/etc/ossec.conf`.	`undef`	String
`$wazuh_enrollment_manager_address`	Hostname or IP address of the manager where the agent will be enrolled.	`undef`	String
`$wazuh_enrollment_port`	Specifies the port on which the manager will send enrollment requests. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_agent_name`	Specifies the agent name that will be used for enrollment. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_groups`	Group name to which the agent belongs. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_agent_address`	Force IP address from the agent. The manager will extract the source IP address from the enrollment message if this is not set. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_ssl_cipher`	Override SSL used ciphers. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_server_ca_path`	Used for manager verification. If no CA certificate is set, the server will not be verified. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_agent_cert_path`	Required when agent verification is enabled in the manager. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_agent_key_path`	Required when agent verification is enabled in the manager. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_auth_pass`	Enrollment password. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_auth_pass_path`	Required when enrollment is using password verification. Depends on `wazuh_enrollment_enabled`	`'/var/ossec/etc/authd.pass'`	String
`$wazuh_enrollment_auto_method`	Auto negotiates the most secure common SSL/TLS method with the manager, use "`yes` " for auto negotiate or "`no` " for TLS v1.2 only. Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_delay_after_enrollment`	Specifies the time agents should wait after a successful registration. Related parameter `delay_after_enrollment` Depends on `wazuh_enrollment_enabled`	`undef`	String
`$wazuh_enrollment_use_source_ip`	Force the manager to compute the IP address from the agent message. Depends on `wazuh_enrollment_enabled`	`undef`	String

Client variables

Parameter	Description	Default value	Data type
`$wazuh_reporting_endpoint`	Specifies the IP address or the hostname of the Wazuh manager to report.	`undef`	String
`$wazuh_register_endpoint`	Specifies the IP address or the hostname of the Wazuh manager against which to register.	n/a	String
`$ossec_port`	Specifies the port to send events to the manager. This must match the associated listening port configured on the Wazuh manager.	`1514`	String
`$ossec_protocol`	Specifies the protocol to use when connecting to the manager.	`tcp`	String
`$wazuh_max_retries`	The number of connection retries.	`5`	String
`$wazuh_retry_interval`	Time interval between connection attempts (seconds).	`5`	String
`$ossec_notify_time`	Specifies the time in seconds between agent check-ins to the manager.	`10`	String
`$ossec_time_reconnect`	Specifies the time in seconds before a reconnection is attempted. This should be set to a higher number than the `notify_time` parameter.	`60`	String
`$ossec_auto_restart`	Toggles on and off the automatic restart of agents when a new valid configuration is received from the manager.	`yes`	String
`$ossec_crypto_method`	Choose the encryption of the messages that the agent sends to the manager.	`aes`	String
`$client_buffer_queue_size`	Sets the capacity of the agent buffer in number of events.	`5000`	Integer
`$client_buffer_events_per_second`	Specifies the number of events sent to the manager per second.	`500`	String

Localfile variables

Parameter	Description	Default value	Data type
`$ossec_local_files`	Files list for log analysis These files are listed in `params_agent.pp` in section `$default_local_files` . If a change is needed, it should be modified in the `params_agent.pp` .	Depends on the OS family.	List

Rootcheck variables

Parameter	Description	Default value	Data type
`$ossec_rootcheck_disabled`	Disable rootcheck on this host (Linux).	`no`	String
`$ossec_rootcheck_check_files`	Enable the rootcheck checkfiles option.	`yes`	String
`$ossec_rootcheck_check_trojans`	Enable rootcheck checktrojans option.	`yes`	String
`$ossec_rootcheck_check_dev`	Enable rootcheck checkdev option.	`yes`	String
`$ossec_rootcheck_check_sys`	Enable the rootcheck checksys option.	`yes`	String
`$ossec_rootcheck_check_pids`	Enable rootcheck checkpids option.	`yes`	String
`$ossec_rootcheck_check_ports`	Enable the rootcheck checkports option.	`yes`	String
`$ossec_rootcheck_check_if`	Enable rootcheck check_if option.	`yes`	String
`$ossec_rootcheck_frequency`	How often the rootcheck scan will run (in seconds).	`36000`	String
`$ossec_rootcheck_ignore_list`	List of files or directories to be ignored. These files and directories will be ignored during scans.	`[]`	List
`$ossec_rootcheck_rootkit_files`	Change the location of the rootkit files database.	`'/var/ossec/etc/shared/rootkit_files.txt'`	String
`$ossec_rootcheck_rootkit_trojans`	Change the location of the rootkit trojan's database.	`'etc/shared/rootkit_trojans.txt'`	String
`$ossec_rootcheck_skip_nfs`	Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, `skip_nfs` will exclude checking files on CIFS or NFS mounts.	`yes`	String
`$ossec_rootcheck_system_audit`	Specifies the path to an audit definition file for Unix-like systems.	`[]`	List
`$ossec_rootcheck_windows_disabled`	Disables rootcheck if the host has a Windows OS.	`no`	String
`$ossec_rootcheck_windows_windows_apps`	Specifies the path to a Windows application definition file.	`'./shared/win_applications_rcl.txt'`	String
`$ossec_rootcheck_windows_windows_malware`	Specifies the path to a Windows malware definitions file.	`'./shared/win_applications_rcl.txt'`	String

SCA variables

Parameter	Description	Default value	Data type
`$configure_sca`	Enables SCA section render on this host.	`true`	boolean
`$sca_amazon_enabled`	Enable SCA on this host (Amazon Linux 2). Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_amazon_scan_on_start`	The SCA module will perform the scan immediately when started (Amazon Linux 2). Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_amazon_interval`	The interval between module executions. Depends on `configure_sca` and `apply_template_os`	`12h`	String
`$sca_amazon_skip_nfs`	Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, `skip_nfs` will exclude checking files on CIFS or NFS mounts. Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_amazon_policies`	A list of policies to run assessments can be included in this section. Depends on `configure_sca` and `apply_template_os`	`[]`	List
`$sca_rhel_scan_on_start`	The SCA module will perform the scan immediately when started (RHEL). Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_rhel_interval`	The interval between module executions. Depends on `configure_sca` and `apply_template_os`	`12h`	String
`$sca_rhel_skip_nfs`	Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, `skip_nfs` excludes checking files on CIFS or NFS mounts. Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_rhel_policies`	A list of policies to run assessments can be included in this section. Depends on `configure_sca` and `apply_template_os`	`[]`	List
`$sca_else_scan_on_start`	The SCA module will perform the scan immediately when started (Linux). Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_else_interval`	The interval between module executions. Depends on `configure_sca` and `apply_template_os`	`12h`	String
`$sca_else_skip_nfs`	Enable or disable the scanning of network-mounted filesystems (Works on Linux and FreeBSD). Currently, `skip_nfs` excludes checking files on CIFS or NFS mounts. Depends on `configure_sca` and `apply_template_os`	`yes`	String
`$sca_else_policies`	A list of policies to run assessments can be included in this section. Depends on `configure_sca` and `apply_template_os`	`[]`	List

$sca_max_eps

Sets the maximum throughput for event reporting. Events are messages that generate alerts.

Default 50

Type String

Depends on configure_sca

$sca_synchronization_enabled

Enables periodic inventory synchronization.

Default yes

Type String

Depends on configure_sca

$sca_synchronization_interval

Specifies the initial time between inventory synchronizations.

Default 5m

Type String

Depends on configure_sca

$sca_synchronization_response_timeout

Waiting time in seconds between a sync message and the next synchronization.

Default 30

Type String

Depends on configure_sca

$sca_synchronization_max_eps

Sets the maximum throughput for synchronization messages.

Default 10

Type String

Depends on configure_sca

Syscheck variables

Parameter	Description	Default value	Data type
`$configure_syscheck`	Enables syscheck section rendering on this host. If this variable is not set to 'true', the complete `syscheck` tag will not be added to `/var/ossec/etc/ossec.conf`.	`true`	Boolean
`$ossec_syscheck_disabled`	Disables syscheck on this host.	`no`	String
`$ossec_syscheck_frequency`	Enables syscheck section rendering on this host.	`43200`	String
`$ossec_syscheck_scan_on_start`	Specifies if syscheck scans immediately when started.	`yes`	String
`$ossec_syscheck_auto_ignore`	Specifies whether or not syscheck will ignore files that change too many times (manager only).	`undef`	String
`$ossec_syscheck_directories_1`	List of directories to be monitored. The directories should be comma-separated.	`'/etc,/usr/bin,/usr/sbin'`	String
`$ossec_syscheck_realtime_directories_1`	This will enable real-time/continuous monitoring on directories listed on `ossec_syscheck_directories_1` . Real time only works with directories, not individual files.	`no`	String
`$ossec_syscheck_whodata_directories_1`	This will enable who-data monitoring on directories listed on `ossec_syscheck_directories_1` .	`no`	String
`$ossec_syscheck_directories_2`	List of directories to be monitored. The directories should be comma-separated.	`'/etc,/usr/bin,/usr/sbin'`	String
`$ossec_syscheck_realtime_directories_2`	This will enable real-time/continuous monitoring on directories listed on `ossec_syscheck_directories_2` . The real-time settings work with directories, not individual files.	`no`	String
`$ossec_syscheck_whodata_directories_2`	This will enable who-data monitoring on directories listed on `ossec_syscheck_directories_2` .	`no`	String
`$ossec_syscheck_report_changes_directories_2`	Report file changes. This is limited to text files at this time.	`no`	String
`$ossec_syscheck_ignore_list`	List of files or directories to be ignored. Ignored files and directories are still being scanned, but the results are not reported.	`['/etc/mtab','/etc/hosts.deny',` `'/etc/mail/statistics',` `'/etc/random-seed',` `'/etc/random.seed',` `'/etc/adjtime',` `'/etc/httpd/logs',` `'/etc/utmpx','/etc/wtmpx',` `'/etc/cups/certs',` `'/etc/dumpdates',` `'/etc/svc/volatile',` `'/sys/kernel/security',` `'/sys/kernel/debug',` `'/dev/core',]`	String
`$ossec_syscheck_ignore_type_1`	Simple regex pattern to filter out files.	`'^/proc'`	String
`$ossec_syscheck_ignore_type_2`	Another simple regex pattern to filter out files.	`'.log$\|.swp$'`	String
`$ossec_syscheck_process_priority`	Sets the nice value for the syscheck process.	`10`	String
`$ossec_syscheck_synchronization_enabled`	Specifies whether there will be periodic inventory synchronizations or not.	`yes`	String
`$ossec_syscheck_synchronization_interval`	Specifies the initial number of seconds between every inventory synchronization. If synchronization fails, the value will be duplicated until it reaches the value of `max_interval` .	`5m`	String
`$ossec_syscheck_synchronization_max_eps`	Sets the maximum synchronization message throughput.	`10`	String
`$ossec_syscheck_synchronization_max_interval`	Specifies the maximum number of seconds between every inventory synchronization.	`1h`	String
`$ossec_syscheck_skip_nfs`	Specifies if syscheck should scan network-mounted filesystems. This option works on Linux and FreeBSD systems. Currently, `skip_nfs` will exclude checking files on CIFS or NFS mounts.	`yes`	String

$ossec_syscheck_max_eps

Sets the maximum throughput for reporting events. Events are messages that trigger alerts.

Default 50

Type String

$ossec_syscheck_notify_first_scan

Specifies whether the first Syscheck (FIM) scan reports stateless events.

Default no

Type String

$ossec_syscheck_synchronization_response_timeout

Waiting time in seconds between a sync message and the next synchronization.

Default 30

Type String

Wodle Syscollector

Parameter	Description	Default value	Data type
`$wodle_syscollector_disabled`	Disable the Syscollector wodle.	`no`	String
`$wodle_syscollector_interval`	Time between system scans.	`1h`	String
`$wodle_syscollector_scan_on_start`	Run a system scan immediately when the service is started.	`yes`	String
`$wodle_syscollector_hardware`	Enables the hardware scan.	`yes`	String
`$wodle_syscollector_os`	Enables the scan of the OS.	`yes`	String
`$wodle_syscollector_network`	Enables the network scan.	`yes`	String
`$wodle_syscollector_packages`	Enables the scan of the packages.	`yes`	String
`$wodle_syscollector_ports`	Enables the scanning of the ports.	`yes`	String
`$wodle_syscollector_processes`	Enables the scan of the processes.	`yes`	String
`$wodle_syscollector_users`	Enables the scanning of user accounts.	`yes`	String
`$wodle_syscollector_groups`	Enables the scanning of user account groups.	`yes`	String
`$wodle_syscollector_services`	Enables the scanning of services.	`yes`	String
`$wodle_syscollector_browser_extensions`	Enables the scanning of browser extensions.	`yes`	String

$wodle_syscollector_max_eps

Sets the maximum throughput for reporting events. Events are messages that trigger alerts.

Default 50

Type String

$wodle_syscollector_notify_first_scan

Specifies whether the first scan reports stateless events.

Default no

Type String

$wodle_syscollector_synchronization_enabled

Specifies whether to perform periodic inventory synchronizations.

Default yes

Type String

$wodle_syscollector_synchronization_interval

Specifies the initial interval between inventory synchronizations.

Default 5m

Type String

$wodle_syscollector_synchronization_response_timeout

Waiting time in seconds between a sync message and the next synchronization.

Default 30

Type String

$wodle_syscollector_synchronization_max_eps

Sets the maximum throughput for synchronization messages.

Default 10

Type String

Misc Variables

Parameter	Description	Default value	Data type
`$agent_package_name`	Defines the package name using `params_agent.pp`	`wazuh-agent`	String
`$agent_package_version`	Defines package version	`5.0.0-1`	String
`$selinux`	Whether to install a SELinux policy to allow rotation of OSSEC logs.	`false`	Boolean
`$agent_name`	Configure agent name.	`undef`	String
`$manage_repo`	Install Wazuh through Wazuh repositories.	`true`	Boolean
`$manage_client_keys`	Manage client keys option.	`yes`	String
`$agent_auth_password`	Define a password for agent-auth	`undef`	String

User manual

Welcome to the Wazuh user manual. Use it as your reference library once your basic Wazuh installation is ready. In this section, you will find content on topics such as Wazuh server administration, Wazuh agent enrollment, Wazuh capabilities, and many others that are listed below.

Contents

Wazuh server

The Wazuh server is the Wazuh central component that analyzes data it receives from agents, external APIs, and network devices. It analyzes the received data by correlating and matching it against a predefined ruleset to generate alerts for security monitoring and management.

The Wazuh server comprises two main components; the Wazuh manager and Filebeat. The Wazuh manager is responsible for data analysis and alerting, while the indexer integration forwards the analyzed data to the Wazuh indexer. Refer to the Wazuh server installation documentation for information on how to install and set it up.

Contents

Wazuh manager

The Wazuh manager is responsible for data analysis and alerting. It can forward alerts through syslog, emails, or integrated external APIs. See the data analysis documentation for more information on how Wazuh performs data analysis.

The Wazuh manager comprises several services and components that are responsible for various functions. These include enrolling new Wazuh agents, aggregating security events, decoding logs, evaluating rules, and alerting. It is also responsible for other functions like validating the Wazuh agent’s identities and encrypting the communications between the Wazuh agent and the Wazuh server.

Agent enrollment service

The agent enrollment service is used to enroll Wazuh agents to the Wazuh manager. The enrollment service simplifies the enrollment of Wazuh agents and ensures that they are properly authenticated and configured to communicate securely with the Wazuh manager.

When a Wazuh agent is installed and started on an endpoint, it automatically contacts the Wazuh manager to initiate the enrollment process. The Wazuh manager generates a unique authentication key that encrypts its communication with the Wazuh agent. You can configure additional security measures for the enrollment process such as password authentication, Wazuh manager identity verification, and Wazuh agent identity verification. Refer to the documentation on Wazuh agent enrollment for more information on the enrollment process.

Configuration

The <auth> block below is the default agent enrollment service configuration on the /var/ossec/etc/ossec.conf file of the Wazuh server:

<auth>
  <disabled>no</disabled>
  <remote_enrollment>yes</remote_enrollment>
  <port>1515</port>
  <use_source_ip>no</use_source_ip>
  <force>
    <enabled>yes</enabled>
    <disconnected_time enabled="yes">1h</disconnected_time>
    <after_registration_time>1h</after_registration_time>
    <key_mismatch>yes</key_mismatch>
  </force>
  <purge>yes</purge>
  <use_password>no</use_password>
  <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
  <!-- <ssl_agent_ca></ssl_agent_ca> -->
  <ssl_verify_host>no</ssl_verify_host>
  <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
  <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
  <ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>

Where:

<disabled> enables or disables the process of the Wazuh agent enrolling and authenticating with the Wazuh manager. The default value is no. The allowed values are yes and no.
<remote_enrollment> enables the Wazuh manager to accept connections from new Wazuh agents using TLS encryption on port 1515 by default. The default value is yes. The allowed values are yes and no.
<port> specifies the TCP port number for listening to connections. The default value is 1515. The allowed value is any port number between 0 and 65535.
<use_source_ip> defines whether to use the client’s source IP address or the use of “any” to add a Wazuh agent. The allowed values are yes and no. When the value is no, the Wazuh agent can connect to the Wazuh manager even if the source IP used for enrollment changes. However, when the value is yes, the Wazuh agent cannot connect to the Wazuh manager if the source IP address changes.
<force> specifies the options to be configured for a Wazuh agent re-enrollment within its tag. For the re-enrollment to be successful, all the conditions must be met. The following options defines the settings for the force option:
- <enabled> specifies whether or not to force the insertion of a Wazuh agent if there is a duplicate name or IP address. If it is enabled, it will remove the old Wazuh agent with the same name or IP address. The default value is yes. The possible values are yes and no.
- <disconnected_time> specifies whether a replacement will be performed for only Wazuh agents that have been disconnected longer than the value configured in the setting. The default value is 1h (one hour). The allowed value is any number greater or equal to zero. It allows suffixes like s, h, m, and d to represent second, hour, minute, and day. The attribute setting enabled has the default value of yes, meaning replacement will only happen after the specified disconnection time is exceeded. The enabled attribute has two possibilities of yes and no.
- <after_registration_time> specifies that the Wazuh agent replacement will be performed only when the time has passed since the Wazuh agent registration is greater than the value configured in the setting. The default value is 1h. The allowed value is any number greater or equal to zero. It allows suffixes like s, h, m, and d to represent second, hour, minute, and day.
- <key_mismatch> defines that the Wazuh agent replacement occurs when the key held by the Wazuh agent differs from the one registered by the manager. The default value is yes. The possible values are yes and no.
<purge> specifies whether the client keys will be deleted when Wazuh agents are removed. When the value is no, removed Wazuh agents will remain in the client keys file marked as removed. When the value is set to yes, the client keys file will be purged. The default value is yes. The possible values are yes and no.
<use_password> determines the use of shared password authentication. When the value is no, this option is disabled. When the value is set to yes, a shared password will be read from the /var/ossec/etc/authd.pass file. If this file does not exist, a random password will be generated and stored in the /var/ossec/logs/ossec.log file on the Wazuh server. See the using password authentication documentation for more information.
<ciphers> sets the list of ciphers for network communication using SSL. The default value is HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH.
<ssl_agent_ca> specifies the path to the CA certificate used to verify clients. It can be referred to as a relative path under the Wazuh installation directory or a full path. The possible value is any valid path.
<ssl_verify_host> toggles source host verification on and off when a CA certificate is specified. The client source IP address will be validated using the Common Name field. The default value is no. The allowed values are yes and no.
<ssl_manager_cert> specifies the path to the server SSL certificate. It can be referred to as a relative path under the Wazuh installation directory or a full path. The default value is etc/sslmanager.cert. The possible value is any valid path.
<ssl_manager_key> specifies the path to the server's SSL key. It can be referred to as a relative path under the Wazuh installation directory or a full path. The default value is etc/sslmanager.key. The possible value is any valid path.
<ssl_auto_negotiate> toggles whether or not to auto select the SSL/TLS method. By default, only TLS v1.2 is allowed. When set to yes, the system will negotiate the most secure common method with the client. In older systems where the manager does not support TLS v1.2, this option will be enabled automatically. The default value is no. The allowed values are yes and no.

Restart the Wazuh manager via the command line interface with the following command whenever you make changes to the configuration file:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Agent connection service

The agent connection service listens for events from Wazuh agents to establish and maintain a persistent and secure communication channel. The Wazuh agent uses this secure channel to send security data to the Wazuh manager for analysis. By default, the service uses the TCP protocol to secure communication between the Wazuh agent and the Wazuh manager.

Configuration

The block below is the default connection service configuration on the Wazuh server /var/ossec/etc/ossec.conf configuration file:

<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>
</ossec_config>

Where:

<connection> specifies the type of incoming connection to accept. The default value is secure. The allowed values are secure and syslog.
<port> specifies the port to use to listen for events. The default port value is 1514 for secure connection and 514 for syslog connection. The allowed value is any port number between 1 and 65535.
<protocol> specifies the protocol to use for the connection. The default value is tcp. The allowed values are tcp and udp.
<queue_size> allows you to set the capacity of the remote daemon queue in the number of Wazuh agent events. The default value is 131072. The allowed value is an integer number between 1 and 262144. The remote queue is only available for Wazuh agent events, not syslog events. This option only works when the connection is set to secure. To learn more about this configuration setting, check our documentation on the Wazuh queue.

More options can be found in the remote section of the Wazuh documentation.

Restart the Wazuh manager via the command line interface with the following command to implement changes, if changes are made:

# systemctl restart wazuh-manager

# service wazuh-manager restart

For example, you can verify the operation of the connection service during the enrollment of a Wazuh agent on a Windows endpoint (with IP address 192.168.71.125) to a Wazuh manager (with IP address 192.168.71.203) using netstat. Also, a Wazuh agent running on any Wazuh supported endpoint forwards security events to the Wazuh manager on port 1514. It uses the configuration detailed in the agent connection service configuration section above.

Perform the following steps to verify the operation of the connection service between the Wazuh manager and the Wazuh agent:

Launch the command prompt on the Windows endpoint and run the netstat -a commands to list the connections on the endpoint:

netstat -a

C:\Users\Tony>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
    TCP    192.168.71.125:51787   a23-53-42-162:https    ESTABLISHED
  TCP    192.168.71.125:51788   a-0003:https           ESTABLISHED
  TCP    192.168.71.125:51789   a-0003:https           ESTABLISHED
  TCP    192.168.71.125:51790   a23-53-42-162:https    ESTABLISHED
  TCP    192.168.71.125:51791   192.168.71.203:1514    SYN_SENT

We can see that the Windows endpoint with IP address 192.168.71.125 has sent a TCP SYN_SENT packet and is waiting to establish a connection to the Wazuh server with IP address 192.168.71.203 on port 1514.

Run the netstat command to view when the Wazuh server establishes a connection with the Windows 10 endpoint.

netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.71.125:3389    192.168.71.1:25743     ESTABLISHED
  TCP    192.168.71.125:51572   a23-64-12-19:https     CLOSE_WAIT
  TCP    192.168.71.125:51573   192.229.221.95:http    CLOSE_WAIT
  TCP    192.168.71.125:51694   192.168.71.203:1514    ESTABLISHED
  TCP    192.168.71.125:51699   192.168.20.103:ms-do   SYN_SENT
  TCP    192.168.71.125:51701   192.168.20.101:ms-do   SYN_SENT
  TCP    192.168.71.125:51703   20.231.121.79:http     SYN_SENT
  TCP    192.168.71.125:51704   192.168.20.125:ms-do   SYN_SENT

We can see that the Windows endpoint with IP address 192.168.71.125 is connected to the Wazuh server with IP address 192.168.71.203 on port 1514.

Analysis engine

The Wazuh analysis engine analyzes data on several log types such as Windows events, SSH logs, web server logs, and others. It uses decoders to identify the type of information being processed and rules to identify specific patterns in the decoded event. These rules could trigger alerts and response actions like blocking an IP address and removing malware.

Data sources

Wazuh collects logs from various sources, allowing for comprehensive monitoring of all aspects of your IT infrastructure. This allows Wazuh to detect complex threats, reduce vulnerability exposure, ensure compliance with security policies, and respond swiftly to identified security incidents. Below are some of the common data sources supported by Wazuh:

Operating system logs: Wazuh collects logs generated by several operating systems, like Windows, Linux, and macOS. It can collect a variety of logs from Linux endpoints, including syslog, auditd, application logs, and others. On Windows endpoints, Wazuh collects Windows event logs from System, Applications, and Security event channels by default. Wazuh collects logs on macOS endpoints by using the macOS unified logging system (ULS). The macOS ULS centralizes the management and storage of logs across all the system levels.
Syslog events: Wazuh collects logs from a variety of syslog-enabled devices, including Linux/Unix systems and network devices that do not require Wazuh agent installation.
Agentless monitoring: The Wazuh agentless monitoring capability monitors endpoints that do not support agent installation. It requires an SSH connection between the endpoint and the Wazuh server. This capability enables monitoring of files, directories, or configurations and running commands on the endpoint.
Cloud provider logs: Wazuh monitors cloud infrastructure by collecting logs and events directly from cloud service providers like AWS, Azure, Google Cloud, and Office 365. These include logs from cloud services such as EC2 instances, S3 buckets, Azure VMs, and more.
Custom logs: You can configure Wazuh to collect and parse logs from several applications and third-party security tools, including VirusTotal, Windows Defender, ClamAV, and more.

Decoding

Decoding is the process of analyzing structured or unstructured data, such as logs from different data sources, to extract meaningful information that can be used for monitoring and alerting. The main purpose of decoding in Wazuh is to transform raw data into a format that the Wazuh manager can interpret and process. It involves two processes:

Pre-decoding phase: In this phase, the log analysis engine extracts syslog-like information such as timestamp, hostname, and program name from the log header. The pre-decoding phase simplifies the log structure and prepares it for further analysis. Consider the following sample log entry to illustrate the process of pre-decoding:
```
Feb 14 12:19:04 192.168.1.1 sshd[25474]: Accepted password for Stephen from 192.168.1.133 port 49765 ssh2
```
We use the Wazuh Logtest tool to demonstrate the pre-decoding phase. Perform the steps below on the Wazuh server:
1. Run the /var/ossec/bin/wazuh-logtest from command line on the Wazuh server
2. Copy and paste the sample log above and click enter.
The extracted information after the pre-decoding phase is shown below:
```
Starting wazuh-logtest v4.8.0
Type one log per line

Feb 14 12:19:04 192.168.1.1 sshd[25474]: Accepted password for Stephen from 192.168.1.133 port 49765 ssh

**Phase 1: Completed pre-decoding.
        full event: 'Feb 14 12:19:04 192.168.1.1 sshd[25474]: Accepted password for Stephen from 192.168.1.133 port 49765 ssh'
        timestamp: 'Feb 14 12:19:04'
        hostname: '192.168.1.1'
        program_name: 'sshd'
```

Decoding: In this phase, the Wazuh analysis engine applies a decoder that matches the log. Decoders extract fields such as user names, IP addresses, error codes, URLs, and any other relevant information contained in the logs. The decoders below match the sample log. These decoders are in the /var/ossec/rulesets/decoders/0310-ssh_decoders.xml file on the Wazuh server:

<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port (\S+)</regex>
  <order>user, srcip, srcport</order>
  <fts>name, user, location</fts>
</decoder>

The decoder sshd matches the program name sshd, while the decoder ssh-success extracts Stephen, 192.168.1.133, and 49765 from the sample log.

We use the Wazuh Logtest tool to demonstrate the decoding phase. Perform the steps below on the Wazuh server:

Run the /var/ossec/bin/wazuh-logtest from command line on the Wazuh server.
Copy and paste the sample log above and click enter.

The extracted information after the decoding phase is shown below:

Starting wazuh-logtest v4.7.5
Type one log per line

Feb 14 12:19:04 192.168.1.1 sshd[25474]: Accepted password for Stephen from 192.168.1.133 port 49765 ssh

**Phase 1: Completed pre-decoding.
        full event: 'Feb 14 12:19:04 192.168.1.1 sshd[25474]: Accepted password for Stephen from 192.168.1.133 port 49765 ssh'
        timestamp: 'Feb 14 12:19:04'
        hostname: '192.168.1.1'
        program_name: 'sshd'

**Phase 2: Completed decoding.
        name: 'sshd'
        parent: 'sshd'
        dstuser: 'Stephen'
        srcip: '192.168.1.133'
        srcport: '49765'

Rule evaluation and alerting

Once the log is decoded, the Wazuh manager compares it against a ruleset. Wazuh rulesets are defined in XML files and can be customized to suit different monitoring needs. These rules specify conditions that, when met, trigger alerts. Rule 5715 below matches the sample log from the earlier section. This rule is in the /var/ossec/ruleset/rules/0095-sshd_rules.xml file on the Wazuh server.

<rule id="5715" level="3">
  <if_sid>5700</if_sid>
  <match>^Accepted|authenticated.$</match>
  <description>sshd: authentication success.</description>
  <group>authentication_success,pci_dss_10.2.5,</group>
</rule>

Where:

<rule id="5715" level="3"> specifies the rule ID as 5715 and rule level as 3. The rule ID is a unique identifier for the rule, while the level represents the severity level of the event when the rule matches.
<if_sid>5700</if_sid> specifies a dependency on another rule with ID 5700. The rule will only be evaluated if rule 5700 has matched previously.
<match>^Accepted|authenticated.$</match> matches any log entry that starts with Accepted or ends with authenticated..
<description>sshd: authentication success.</description> describes what the rule detects. In this case, it indicates a successful SSH authentication.
<group>authentication_success,pci_dss_10.2.5,</group> assigns the rule to the authentication_success and pci_dss_10.2.5 groups.

By default, the Wazuh server generates alerts for any rule with a level above 2. In this scenario, the log triggers an alert because the rule level is 3 and this will be visible on the Wazuh dashboard.

You can create custom decoders and rules to analyze logs not supported by default. To learn how to create custom rules and decoders, refer to custom rules and custom decoders documentation.

Indexer integration

The indexer integration describes data forwarders that forward data from the Wazuh manager to the Wazuh indexer or third-party indexers.

Wazuh indexer

This integration provides a bridge between the Wazuh manager and the Wazuh indexer. It forwards data from the Wazuh manager to the Wazuh indexer for indexing. The Wazuh indexer integration consists of two forwarders: Filebeat and Wazuh indexer connector.

Filebeat

This component is a lightweight data shipper designed to securely forward alerts and archived events processed by the Wazuh manager to the Wazuh indexer for indexing and storage. It reads the output of the Wazuh analysis engine and ships events in real time.

Configuration

The code block below shows the default Filebeat configuration on the Wazuh server /etc/filebeat/filebeat.yml file. This configuration file is downloaded while performing step by step Wazuh server installation. To learn how to download, configure, and install Filebeat, refer to the configuring Filebeat section in the documentation.

# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
        - 127.0.0.1:9200
#        - <elasticsearch_ip_node_2>:9200
#        - <elasticsearch_ip_node_3>:9200

output.elasticsearch:
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/wazuh-server.pem"
  ssl.key: "/etc/filebeat/certs/wazuh-server-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    Archives:

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq

Where:

<output.elasticsearch.hosts> specifies the list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost, 127.0.0.1:9200. Replace it with your Wazuh indexer address accordingly. You can separate the addresses using commas if you have more than one Wazuh indexer node.
<protocol> specifies the protocol to use for the connection. The default value is https. The allowed values are http and https.
<username> and <password> specifies the environment variable used to authenticate to the Wazuh indexer securely.
<ssl.certificate_authorities> specifies the path to the root certificates for HTTPS server verifications. The default value is /etc/filebeat/certs/root-ca.pem. The possible value is any valid path
<ssl.certificate> specifies the path to the Filebeat SSL certificate. The default value is /etc/filebeat/certs/wazuh-server.pem. The possible value is any valid path.
<ssl.key> specifies the path to the SSL key used by Filebeat. The default value is /etc/filebeat/certs/wazuh-server-key.pem. The possible value is any valid path.
<setup.template.json.enabled> enables or disables the use of custom templates. The default value is true.
<setup.template.json.path> specifies the file path to the template JSON file. The default value is /etc/filebeat/wazuh-template.json. The possible value is any valid path.
<setup.template.json.name> defines the name of the template. The default value is wazuh.
<setup.ilm.overwrite> when set to true, the lifecycle policy is overwritten at startup. The default value is true.
<setup.ilm.enabled> enables or disables index lifecycle management on any new indices created. The default value is false. The possible valid values are true and false.
<filebeat.modules> specifies the modules Filebeat will use.
<module> defines the module to use. The default value is wazuh.
<alerts> enables or disables the forwarding of alerts to the Wazuh indexer. When the configuration option of <enabled> is set to true, alerts are forwarded to the Wazuh indexer.
<archives> specifies the configurations that determine whether or not archive logs are processed and forwarded.
<logging.level> defines the log level. The default value is info which represents informational logs. The other log level are debug, error, and warning.
<logging.to_files> enables or disables logging to files. The default value is true. When set to true, filebeat writes all logs to a file.
<logging.files.path> specifies the directory where log files will be stored. The default log path is /var/log/filebeat.
<logging.files.name> specifies the name of the file that logs are stored. The default name is filebeat.
<logging.files.keepfiles> specifies the number of recently rotated log files to retain. The default value is 7. The allowed value is an integer number between 1 and 1024.
<logging.files.permissions> sets the file permissions for the log files. The default value is 0644, which implies that the owner of the log files can read and write to them, while others can only read.
<logging.metrics.enabled> enables or disables the logging of internal metrics. The default value is true. The possible values are true and false.
<seccomp> specifies a secomp (secure computing mode) policy that restricts the number of system calls filebeat process can issue.
<default_action> sets the default action for system calls to allow. This means that any system call not explicitly specified in the syscalls list will be allowed by default.
<syscalls> defines a list of system call names and the corresponding actions.
<action> specifies the action to take when any of the system calls listed in names is executed. The default value is allow. The other values are errno, trace, trap, kill_thread, kill_process, and log.
<names> defines a list of system call names. A minimum of one system call must be defined in the list. The rseq (restartable sequences) system call is used to accelerate user-space operations on shared memory across multiple threads. The rseq system call is allowed in this configuration.

Wazuh indexer connector

The Wazuh indexer connector currently receives vulnerability data from the Wazuh manager and securely forwards it to the Wazuh indexer. It gets the vulnerability data in JSON format following the Elastic Common Schema (ECS) and synchronizes its state with the Wazuh indexer to ensure data consistency and reliability. The Wazuh indexer connector is shipped together with the Wazuh manager.

The standard configuration for the indexer connector is specified in the /var/ossec/etc/ossec.conf file on the Wazuh server as shown below:

<ossec_config>
 <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>

Where:

<indexer> specifies the configuration options for the Wazuh indexer connector.
<enabled> enables or disables the Wazuh indexer connector. The allowed values for this option are yes and no. The value yes enables the Wazuh indexer connector and no disables it. The default value is yes.
<hosts> specifies a list of Wazuh indexer nodes to connect to. Use the host option for setting up each node connection.
<host> specifies the Wazuh indexer node URL or IP address to connect to. For example, http://172.16.1.11 or 192.168.3.2:9230. By default, the value is set to the localhost host: https://127.0.0.1:9200.
<ssl> specifies the configuration options for the SSL parameters.
<certificate_authorities> specifies a list of root certificate file paths for verification. Use the ca option for setting up each CA certificate file path.
<ca> specifies the root CA certificate for HTTPS server verifications. The default value is /etc/filebeat/certs/root-ca.pem. The possible value is any valid CA certificate.
<certificate> specifies the path to the Filebeat SSL certificate. The default value is /etc/filebeat/certs/filebeat-key.pem. The possible value is any valid key.
<key> specifies the certificate key used for authentication. The default value is /etc/filebeat/certs/filebeat-key.pem. The possible value is any valid key.

You can learn more about the available configuration options in the indexer section of the reference guide.

Third-party indexers

The Wazuh manager can forward alerts to third-party indexers. If you are using the Wazuh managers solely for log analysis and wish to forward alerts to third-party solutions for indexing and storage, there are alternative options available. Wazuh allows you to install the data forwarder of your choice on each Wazuh manager node to transfer the alerts to your desired solution. At the moment, Wazuh provides documentation for the following third-party solutions:

Solution	Description
ELK stack	Forwarding Wazuh manager alerts to ELK Stack using Logstash.
OpenSearch	Forwarding Wazuh manager alerts to OpenSearch using Logstash.
Splunk	Forwarding Wazuh manager alerts to Splunk using Logstash.
Splunk	Forwarding Wazuh server alerts to Splunk using the Splunk Universal Forwarder.

These options provide flexibility in integrating Wazuh with your existing monitoring and analytics infrastructure.

Alert management

Alerts are notifications generated by the Wazuh manager after processing events received from Wazuh agents and agentless devices. By default, the alerts are stored in the /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json files.

By default, the Wazuh server uses Filebeat to forward generated alerts to the Wazuh indexer for indexing. Additionally, you can configure the Wazuh manager to forward alerts to other systems involving syslog servers, email systems, and databases.

Alert threshold

An alert threshold is the minimum severity level that must be exceeded for an alert to be triggered. The Wazuh manager assigns a severity level to each event from monitored endpoints based on the matching rule from the ruleset. By default, it only triggers alerts with a severity level of 3 or higher.

Configuration

The alert threshold is configured in the /var/ossec/etc/ossec.conf configuration file on the Wazuh server within the <alerts> XML tag.

The code block below shows the default alert threshold configuration for events and forwarding alerts via email:

<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>

Where:

The <log_alert_level> tag sets the minimum severity level to trigger alerts stored in the /var/ossec/logs/alerts/alerts.log and/or the /var/ossec/logs/alerts/alerts.json file. The default value is 3. The allowed value is any integer from 1 to 16 as referenced in the rules classification guide.
The <email_alert_level> tag sets the minimum severity level for an alert to generate an email notification. The default value is 12. The allowed value is any integer from 1 to 16. This setting overrides granular email alert configuration. However, the alert_by_email option within individual rules can override both global and granular alert level thresholds to trigger an email alert.

For details on configuring an alert threshold, refer to the alerts reference guide.

Note

Restart the Wazuh manager when you make any changes to the configuration file. This action ensures that the changes take effect.

Restart the Wazuh manager via the command line interface with the following command:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Forwarding alerts

The Wazuh manager forwards alerts to the Wazuh indexer by default for indexing and analytics capabilities. Additionally, the Wazuh manager provides the capability of configuring and forwarding alerts to other systems for analysis and backup.

Configuring syslog output

You can configure the Wazuh server to send alerts to a syslog server using the syslog_output option. Forwarding alerts to a syslog server can be useful for centralized monitoring and custom reporting.

Configuration

Syslog output is configured in the Wazuh server /var/ossec/etc/ossec.conf configuration file within the <ossec_config> block. By default, the Wazuh manager forwards alerts to syslog servers using port 514 via the UDP protocol.

The code block below shows a sample configuration to forward alerts to a syslog server:

<ossec_config>
  <syslog_output>
    <level>9</level>
    <server>192.168.1.241</server>
  </syslog_output>
</ossec_config>

The configuration options are defined as follows:

The <level> tag sets the minimum severity level of the alerts to be forwarded to the syslog server. The example value 9 indicates the Wazuh server only forwards alerts to the syslog server if the alert level is higher than 9. If this option is not defined, the Wazuh server forwards all alerts to the syslog server.
The <server> tag sets the IP address or hostname of the syslog server to forward the alerts. The IP address 192.168.1.241 in the configuration is used as an example.

You can learn more about the available configuration options in the syslog_output reference guide.

Restart the Wazuh manager service to apply the changes after every configuration:

# systemctl restart wazuh-manager

# service wazuh-manager restart

You can also forward alerts to multiple syslog servers by defining multiple <syslog_output> blocks within the <ossec_config> block in the /var/ossec/etc/ossec.conf configuration file.

<ossec_config>
  <syslog_output>
    <server>192.168.1.240</server>
  </syslog_output>

  <syslog_output>
    <level>9</level>
    <server>192.168.1.241</server>
  </syslog_output>
</ossec_config>

In the configuration above,

The first <syslog_output> block sends all alerts without filtering to the syslog server with IP address 192.168.1.240.
The second <syslog_output> block sends alerts to the syslog server 192.168.1.241 only if the alert level is higher than 9.

Configuring email alerts

Wazuh provides a feature to send alerts to email systems when they are generated on a Wazuh server. You can configure it to send email alerts to one or more email addresses when rules are triggered or based on customized settings. This configuration can help you for daily event reports and more.

A sample email sent by Wazuh when the rule ID 553 is triggered is shown below:

  Wazuh Notification.
  2024 Apr 29 08:58:30

  Received From: wazuh-server->syscheck
  Rule: 553 fired (level 7) -> "File deleted."
  Portion of the log(s):

  File '/var/ossec/test_dir/somefile.
  txt' deleted
  Mode: realtime

  Attributes:
   - Size: 0
   - Permissions: rw-r--r--
   - Date: Mon Apr 29 08:46:12 2024
   - Inode: 841858
   - User: root (0)
   - Group: root (0)
   - MD5: d41d8cd98f00b204e9800998ecf8427e
   - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
   - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855


--END OF NOTIFICATION

Generic email options

To configure Wazuh to send email alerts, we configure the email options within the <global> section of the /var/ossec/etc/ossec.conf file.

A sample email configuration to send alerts to the email address me@test.com is shown below:

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>me@test.com</email_to>
    <smtp_server>mail.test.com</smtp_server>
    <email_from>wazuh@test.com</email_from>
  </global>
  ...
</ossec_config>

Once the above has been configured, the email_alert_level option needs to be set to the minimum alert level to trigger an email. By default, this level is set to 12.

This example configuration below sets the minimum level to send email alerts to 10:

<ossec_config>
  <alerts>
    <email_alert_level>10</email_alert_level>
  </alerts>
  ...
</ossec_config>

For more information about the available email configuration options, see the global and alerts reference guides.

Restart the Wazuh manager service to apply the changes after every configuration:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Warning

Wazuh doesn't handle SMTP authentication. If your email service uses this, you need to configure a server relay.

Granular email options

Wazuh allows granular configuration options for email alerts. This setting extends the generic email options configured in the <global> section of the /var/ossec/etc/ossec.conf file. Granular email configurations are defined within the <email_alerts> tag of the /var/ossec/etc/ossec.conf file.

Below are some sample granular configurations for sending alerts via email. For more information, see the email_alerts section.

Warning

The minimum severity level configured in the <alerts> section applies to and overrides these granular email configurations. For example, if you configure the Wazuh manager to send an email when rule 526 is triggered, but the rule has a level lower than the minimum level specified in the <alerts> section, the alert will not be sent.

Email alert based on level

This option configures the Wazuh manager to send email alerts when the severity level is equal to or greater than the set value. This option is configured as follows:

<email_alerts>
  <email_to>you@example.com</email_to>
  <level>4</level>
  <do_not_delay/>
</email_alerts>

This configuration allows the Wazuh manager to send an email to you@example.com when any rule with a level greater than or equal to 4 is triggered.

Note

If the severity level here is less than the email_alert_level configured in the <alerts> section, the email will not be sent.

Email alert based on the event location

The event_location option involves sending email alerts based on the location from where the event originated. The generated alert must match the event location to be forwarded via email. The allowed values for this option are the Wazuh agent name, hostname, IP address, or log file.

This option is configured as follows:

<email_alerts>
  <email_to>you@example.com</email_to>
  <event_location>server1</event_location>
  <do_not_delay/>
</email_alerts>

This configuration allows the Wazuh manager to send an email to you@example.com when the events that generated the alerts originated on the Wazuh agent with name server1.

Learn more about the event_location option in the reference guide.

Email based on rules ID

The rule_id option is used to send alert emails based on rule IDs. This option limits the sending of emails only when specific defined rules are tripped.

This option is configured as follows:

<email_alerts>
  <email_to>you@example.com</email_to>
  <rule_id>515, 516</rule_id>
  <do_not_delay/>
</email_alerts>

This configuration allows the Wazuh manager to send an email to you@example.com when the rules 515 or 516 are triggered.

Learn more about the rule_id option in the reference guide.

Email based on the rule group

The group option can be configured to send an email based on one or more rule groups that alerts belong to.

This option is configured as follows:

<email_alerts>
  <email_to>you@example.com</email_to>
  <group>pci_dss_10.6.1,</group>
</email_alerts>

This configuration allows the Wazuh manager to send an email to you@example.com when any rule that is part of the pci_dss_10.6.1 group is triggered on any Wazuh monitored endpoint.

Learn more about the group option in the reference guide.

Multiple options and multiple emails

Email alerts can be sent to multiple email addresses, each one with unique criteria.

The example configuration below shows how to send email alerts with multiple criteria to multiple email addresses:

<ossec_config>
  <email_alerts>
    <email_to>alice@test.com</email_to>
    <event_location>endpoint1|endpoint2</event_location>
  </email_alerts>

  <email_alerts>
    <email_to>is@test.com</email_to>
    <event_location>/log/secure$</event_location>
  </email_alerts>

  <email_alerts>
    <email_to>bob@test.com</email_to>
    <event_location>192.168.</event_location>
  </email_alerts>

  <email_alerts>
    <email_to>david@test.com</email_to>
    <level>12</level>
  </email_alerts>
</ossec_config>

This configuration sends:

An email to alice@test.com if any alert on endpoint1 or endpoint2 is triggered.
An email to is@test.com if the alerts came from the /log/secure file.
An email to bob@test.com if the alerts came from any endpoint on the 192.168.0.0/24 network.
An email to david@test.com if the alerts have a level equal to or higher than 12.

Force forwarding an alert by email

The minimum severity level to send an alert via email is 12 by default. You can configure the Wazuh manager to forcefully send an email alert below the configured minimum severity level. To do so, you need to use one of the rule options below:

alert_by_email to always alert by email.
no_email_alert to never alert by email.
no_log to not log this alert.

For example, the rule definition below sends an email every time rule 502 is triggered, regardless of what the minimum severity level is set to:

<rule id="502" level="3">
  <if_sid>500</if_sid>
  <options>alert_by_email</options>
  <match>Ossec started</match>
  <description>Ossec server started.</description>
</rule>

SMTP server with authentication

Wazuh email alerts do not support SMTP servers with authentication, such as Gmail. However, you can send these emails via a server relay like Postfix.

Perform the steps below on your relay server to configure Postfix with Gmail.

Run this command to install the required packages. Select No configuration, if prompted about the mail server configuration type.

# yum update && yum install postfix mailx cyrus-sasl cyrus-sasl-plain

# apt-get update && apt-get install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules

Append these lines to the /etc/postfix/main.cf file to configure Postfix. Create the file if missing.

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

Set the credentials of the sender in the /etc/postfix/sasl_passwd file and create a database file for Postfix. Replace the <USERNAME> and <PASSWORD> variables with sender’s email address username and password respectively.
```
# echo [smtp.gmail.com]:587 <USERNAME>@gmail.com:<PASSWORD> > /etc/postfix/sasl_passwd
# postmap /etc/postfix/sasl_passwd
```
Note

The password must be an App Password. App Passwords can only be used with accounts that have 2-Step Verification turned on.
Secure your password DB file so that only the root user has full read and write access to it. This is because the /etc/postfix/sasl_passwd and /etc/postfix/sasl_passwd.db files have plaintext credentials.
```
# chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
# chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
```
Restart Postfix to effect the configuration changes:
# systemctl restart postfix
# service postfix restart
Run the following command to test the configuration:
```
# echo "Test mail from postfix" | mail -s "Test Postfix" -r "<CONFIGURED_EMAIL>" <RECEIVER_EMAIL>
```
Replace:
- <CONFIGURED_EMAIL> with your configured email address.
- <RECEIVER_EMAIL> with the email address of the recipient.
The command sends an email to the receiver’s email with subject Test Postfix and body Test mail from postfix.

If you get the error message fatal: tls_fprint: error computing md5 message digest in the /var/log/maillog file, run the following commands to switch Postfix from the default MD5 hashing function to SHA-256:
```
# postconf -e smtp_tls_fingerprint_digest=sha256
# postconf -e smtpd_tls_fingerprint_digest=sha256
```
Configure email notifications within the <global> tag of the Wazuh server’s /var/ossec/etc/ossec.conf file as follows:
```
<global>
  <email_notification>yes</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from><USERNAME>@gmail.com</email_from>
  <email_to><RECEIVER_EMAIL></email_to>
</global>
```
Where:
- <email_notification> toggles the use of email alerting.
- <smtp_server> defines the SMTP server to use to deliver alerts.
- <email_from> specifies the email address of the configured sender. Replace <USERNAME> with your configured username of your email address.
- <email_to> specifies the email address of the recipient of alerts. Replace <RECEIVER_EMAIL> with the email address of the recipient.

Restart the Wazuh manager to apply the changes:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Configuring database output

Wazuh supports forwarding alerts to database systems. You can configure the Wazuh manager to output generated alerts into a database. To achieve this configuration, you must compile the Wazuh manager from sources with the database type that you want to use. Wazuh currently supports MySQL and PostgreSQL databases.

Note

This guide assumes you have already installed MySQL or PostgreSQL and know how to create the users and the databases.

Prerequisites

You need to install the development libraries for the database system you want to configure and compile the Wazuh manager to use the required database system.

Install the development libraries for the database system:

For MySQL:

# yum install mysql-devel

# apt-get install libmysqlclient-dev

For PostgreSQL:

# yum install postgresql-devel

# apt-get install libpq-dev

Install the dependencies as outlined in the installing dependencies section.

Download and extract the latest version of Wazuh:

# curl -Ls https://github.com/wazuh/wazuh/archive/v5.0.0.tar.gz | tar zx

Execute the following commands to switch to the Wazuh directory and specify the database type to use, replacing the <DATABASE_TYPE> variable with either mysql or pgsql:
```
# cd wazuh-5.0.0/src
# make deps && make TARGET=server DATABASE=<DATABASE_TYPE>
```
Note

Depending on your system specifications, the compilation process might take some time.
Run the install.sh script. It displays a wizard to guide you through the installation process using the Wazuh sources:
```
# cd ..
# ./install.sh
```
When the script asks what kind of installation you want, type manager to install the Wazuh manager:
```
1- What kind of installation do you want (manager, agent, local, hybrid, or help)? manager
```
Note

During the installation, you can decide the installation path. Execute the install.sh and select the language, set the installation mode to manager, then set the installation path (Choose where to install Wazuh [/var/ossec]). The default path of installation is /var/ossec. A commonly used custom path might be /opt.

Warning

Be extremely careful not to select a critical installation directory if you choose a different path than the default. If the directory already exists, the installer will ask to delete the directory or proceed by installing Wazuh inside it.
The installer asks if you want to start Wazuh at the end of the installation. If you choose not to, you can start it later with the command below:
# systemctl restart wazuh-manager
# service wazuh-manager restart

Database configuration

According to your database system, create a new database, set up the database user, and add the schema located in the src/os_dbd directory of the source code with the following commands:

For MySQL:

# mysql -u root -p

mysql> CREATE DATABASE Alerts_DB;
Query OK, 1 row affected (2.34 sec)

mysql> CREATE USER '<DATABASE_USER>'@'<DATABASE_SERVER_IP_ADDRESS>' IDENTIFIED BY '<DATABASE_USER_PASSWORD>';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on Alerts_DB.* to '<DATABASE_USER>'@'<DATABASE_SERVER_IP_ADDRESS>';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> quit;

Replace the following variables in the commands above:

<DATABASE_USER> with the user you want to create for the database server.
<DATABASE_SERVER_IP_ADDRESS> with the IP address of the database server.
<DATABASE_USER_PASSWORD> with the user password to access the database server.

# mysql -u root -p Alerts_DB < src/os_dbd/mysql.schema

For PostgreSQL:

# sudo -u postgres createuser -P <DATABASE_USER>
# sudo -u postgres createdb -O <DATABASE_USER> Alerts_DB
# psql -U <DATABASE_USER> -d Alerts_DB -f src/os_dbd/postgresql.schema

Replace <DATABASE_USER> with the user you want to create for the database server.

Note

You will be prompted twice to provide a password when creating the user. Note this password as it is required when configuring the Wazuh manager.

Wazuh manager configuration

Perform the following steps to configure the Wazuh manager to send alerts and other data to the database system.

Add the following block of code within the <ossec_config> block of the /var/ossec/etc/ossec.conf file on the Wazuh server:
- For MySQL:
```
<database_output>
  <hostname><DATABASE_SERVER_IP_ADDRESS></hostname>
  <username><DATABASE_USER></username>
  <password><DATABASE_USER_PASSWORD></password>
  <database>Alerts_DB</database>
  <type>mysql</type>
</database_output>
```
- For PostgreSQL:
```
<database_output>
  <hostname><DATABASE_SERVER_IP_ADDRESS></hostname>
  <username><DATABASE_USER></username>
  <password><DATABASE_USER_PASSWORD></password>
  <database>Alerts_DB</database>
  <type>postgresql</type>
</database_output>
```
Where:
- <hostname> specifies the IP address of the database server. Replace <DATABASE_SERVER_IP_ADDRESS> the IP address of the database server.
- <username> specifies the user to access the database. Replace <DATABASE_USER> with the database user created above.
- <password> specifies the user password to access the database. Replace <DATABASE_USER_PASSWORD> with the user password created above.
- <database> specifies the name of the database in which to store the alerts. For example, Alerts_DB as specified in the configuration above.
- <type> specifies the type of database (MySQL or PostgreSQL). The allowed values are mysql or pgsql.
For more information on the database_output option, see the database_output section of the reference guide.

Restart the Wazuh manager service to apply the changes:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Run the command below to verify that the Wazuh manager is connected to the database:

# grep wazuh-dbd /var/ossec/logs/ossec.log

2024/06/24 14:49:11 wazuh-dbd: INFO: Connected to database 'Alerts_DB' at '127.0.0.1'.

The database will now start receiving data from the Wazuh manager.

Event logging

Logs are raw events received from the Wazuh agents, external APIs, and network devices. The Wazuh server stores all logs indefinitely. To maximize space optimization, the Wazuh manager automatically compresses log files.

Wazuh manages two types of logs, internal logs from the Wazuh server and external logs from monitored endpoints. These logs are stored indefinitely in the /var/ossec/logs/ directory of the Wazuh server.

The table below describes the log files and their storage location on the Wazuh server.

Log storage file	Log source	Description
`/var/ossec/logs/ossec.log`	Internal	Stores all informational level logs generated by the Wazuh server.
`/var/ossec/logs/api.log`	Internal	Stores logs generated by the Wazuh application when interacting with the Wazuh server APIs.
`/var/ossec/logs/cluster.log`	Internal	Stores logs generated by the activities of the Wazuh cluster.
`/var/ossec/logs/integrations.log`	Internal	Stores logs generated by the Wazuh integration module when interfacing with third-party applications and systems.
`/var/ossec/logs/active-responses.log`	Internal	Stores logs generated by the Wazuh Active Response module.
`/var/ossec/logs/firewall/firewall.log`	Internal	Stores logs generated by the firewall.
`/var/ossec/logs/archives/archives.log`	External	Stores logs received from third-party applications and systems in plaintext.
`/var/ossec/logs/archives/archives.json`	External	Stores logs received from third-party applications and systems in JSON.

Log compression and rotation

Log files can quickly accumulate and consume significant disk space in a system. To prevent this, the Wazuh manager compresses logs during its rotation process, helping to manage disk usage efficiently and maintain system performance. The Wazuh manager compresses log files daily or when they reach a certain threshold (file size, age, time, and more) and archives them. In the log rotation process, Wazuh creates a new log file with the original name to continuously write new events.

Log files are compressed daily and digitally signed using MD5, SHA1, and SHA256 hashing algorithms. The compressed log files are stored in the /var/ossec/logs/ directory within nested directories bearing names with the following format accordingly:

The log file name, indicating the name of the original log file.
The year, indicating the name of the current year.
The month, indicating the name of the current month of the year.

For example, a /var/ossec/logs/archives/archives.log file compressed on the 13th APR, 2024 is stored in the …/archives/2024/Apr/ directory. You can see the contents of directory by executing the following command:

# ls -la /var/ossec/logs/archives/2024/Apr/

total 0
drwxr-x--- 2 wazuh wazuh 62 Apr 17 08:15 .
drwxr-x--- 4 wazuh wazuh 28 Apr 12 07:30 ..
-rw-r----- 1 wazuh wazuh  0 Apr 13 00:00 ossec-archive-13.log.gz
-rw-r----- 1 wazuh wazuh  0 Apr 13 00:00 ossec-archive-13.log.sum

As seen in the output above, the string ossec and suffix day of the current month are prepended and appended respectively to the name of the compressed file and its checksum.

Based on your needs, you might configure the compressed files for removal after a specified period. Additionally, you can move them to log management systems, backup servers, or cloud-based storage devices for longer-term retention.

Archiving event logs

Events are logs generated by applications, endpoints, and network devices. The Wazuh server stores all events it receives, whether or not they trigger a rule. These events are stored in the Wazuh archives located at /var/ossec/logs/archives/archives.log and /var/ossec/logs/archives/archives.json. Security teams use archived logs to review historical data of security incidents, analyze trends, and generate reports to hunt threats.

By default, the Wazuh archives are disabled because it stores logs indefinitely on the Wazuh server. When enabled, the Wazuh manager creates archived files to store and retain security data for compliance and forensic purposes.

Note

The Wazuh archives retain logs collected from all monitored endpoints, therefore consuming significant storage resources on the Wazuh server over time. So, it is important to consider the impact on disk space and performance before enabling them.

Enabling archiving

Perform the steps below to enable the archiving on your Wazuh server.

Edit the Wazuh manager configuration file /var/ossec/etc/ossec.conf and set the value of the highlighted fields below to yes:
```
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>

   ...
</ossec_config>
```
Where:
- <logall> enables or disables archiving of all log messages. When enabled, the Wazuh server stores the logs in a syslog format. The allowed values are yes and no.
- <logall_json> enables or disables logging of events. When enabled, the Wazuh server stores the events in a JSON format. The allowed values are yes and no.
Depending on the format you desire, you can set one or both values of the highlighted fields to yes. However, only the <logall_json>yes</logall_json> option allows you to create an index that can be used to visualize the events on the Wazuh dashboard.
Restart the Wazuh manager to apply the configuration changes:
```
# systemctl restart wazuh-manager
```

Depending on your chosen format, the file archives.log, archives.json, or both will be created in the /var/ossec/logs/archives/ directory on the Wazuh server.

Wazuh uses a default log rotation policy. It ensures that available disk space is conserved by rotating and compressing logs on a daily, monthly, and yearly basis.

Visualizing the events on the dashboard

Edit the Filebeat configuration file /etc/filebeat/filebeat.yml and change the value of archives: enabled from false to true:
```
archives:
 enabled: true
```
Restart Filebeat to apply the configuration changes:
```
# systemctl restart filebeat
```

Wazuh dashboard

Click the upper-left menu icon to open the main menu. Expand Dashboard management and navigate to Dashboards management > Index patterns. Next, click Create index pattern. Use wazuh-archives-* as the index pattern name, and set timestamp in the Time field drop-down list.

The GIF below shows how to create the index pattern.
To view the events on the dashboard, click the upper-left menu icon and navigate to Discover. Change the index pattern to wazuh-archives-*.

Use case: Detecting signed binary proxy execution

Signed binary proxy execution is a technique threat actors use to bypass application whitelisting by using trusted binaries to run malicious code. This technique is identified as T1218.010 based on the MITRE ATT&CK framework.

In this use case, we show how to abuse the Windows utility, regsvr32.exe, to bypass application controls. We then analyze events in the Wazuh archives to detect suspicious activity related to this technique.

Windows 11 configuration

Perform the steps below to install Sysmon and Atomic Red Team (ART) on a Windows 11 endpoint and emulate the signed binary proxy execution technique.

Sysmon integration

Perform the steps below to install and configure Sysmon on the Windows 11 endpoint.

Download Sysmon from the Microsoft Sysinternals page.
Download the Sysmon configuration file: sysmonconfig.xml.
Install Sysmon with the downloaded configuration file using PowerShell as an administrator:
```
> .\sysmon64.exe -accepteula -i .\sysmonconfig.xml
```
Add the following configuration within the <ossec_config> block to the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file to specify the location to collect Sysmon logs:
```
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```
Restart the Wazuh agent to apply the changes by running the following PowerShell command as an administrator:
```
> Restart-Service -Name Wazuh
```

Atomic Red Team installation

Perform the following steps to install the Atomic Red Team PowerShell module on a Windows 11 endpoint using PowerShell as an administrator.

By default, PowerShell restricts the execution of running scripts. Run the command below to change the default execution policy to RemoteSigned:
```
> Set-ExecutionPolicy RemoteSigned
```

Install the ART execution framework:

> IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
> Install-AtomicRedTeam -getAtomics

Import the ART module to use Invoke-AtomicTest function:

> Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

Use Invoke-AtomicTest function to show details of the technique T1218.010:

> Invoke-AtomicTest T1218.010 -ShowDetailsBrief

PathToAtomicsFolder = C:\AtomicRedTeam\atomics

T1218.010-1 Regsvr32 local COM scriptlet execution
T1218.010-2 Regsvr32 remote COM scriptlet execution
T1218.010-3 Regsvr32 local DLL execution
T1218.010-4 Regsvr32 Registering Non DLL
T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer

Attack emulation

Emulate the signed binary proxy execution technique on the Windows 11 endpoint.

Run the command below with Powershell as an administrator to perform the T1218.010 test:

> Invoke-AtomicTest T1218.010

PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing test: T1218.010-1 Regsvr32 local COM scriptlet execution
Done executing test: T1218.010-1 Regsvr32 local COM scriptlet execution
Executing test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Done executing test: T1218.010-2 Regsvr32 remote COM scriptlet execution
Executing test: T1218.010-3 Regsvr32 local DLL execution
Done executing test: T1218.010-3 Regsvr32 local DLL execution
Executing test: T1218.010-4 Regsvr32 Registering Non DLL
Done executing test: T1218.010-4 Regsvr32 Registering Non DLL
Executing test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer
Done executing test: T1218.010-5 Regsvr32 Silent DLL Install Call DllRegisterServer

Several calculator instances will pop up after a successful execution of the exploit.

Wazuh dashboard

Use the Wazuh archives to query and display events related to the technique being hunted. It's important to note that while consulting the archives, some events might already be captured as alerts on the Wazuh dashboard. You can use information from the Wazuh archives, including alerts and events that have no detection to create custom rules based on your specific requirements.

Apply a time range filter to view events that occurred within the last five minutes of when the test was performed. Filter to view logs from the specific Windows endpoint using agent.id, agent.ip or agent.name.

There are multiple hits that you can investigate to determine a correlation with the earlier attack emulation. For instance, you may notice a calculator spawning event similar to the one observed on the Windows endpoint during the test.
Type regsvr32 in the search bar to streamline and investigate events related to the regsvr32 utility.
Expand any of the events to view their associated fields.

Click on the JSON tab to view the JSON format of the archived logs.

You can extract and verify specific details on the activities such as commands, services, paths, and more from the JSON log. Below, you can identify the initial process creation and the attributes related to the executed command:

"data": {
      "win": {
        "eventdata": {
          "originalFileName": "REGSVR32.EXE",
          "image": "C:\\\\Windows\\\\SysWOW64\\\\regsvr32.exe",
          "product": "Microsoft® Windows® Operating System",
          "parentProcessGuid": "{45cd4aff-35fc-6463-6903-000000001300}",
          "description": "Microsoft(C) Register Server",
          "logonGuid": "{45cd4aff-2ce5-6463-2543-290000000000}",

         "parentCommandLine": "C:\\\\Windows\\\\system32\\\\regsvr32.exe  /s /i C:\\\\AtomicRedTeam\\\\atomics\\\\T1218.010\\\\bin\\\\AllTheThingsx86.dll",

         "processGuid": "{45cd4aff-35fc-6463-6a03-000000001300}",
          "logonId": "0x294325",
          "parentProcessId": "7652",
          "processId": "4064",
          "currentDirectory": "C:\\\\Users\\\\THECOT~1\\\\AppData\\\\Local\\\\Temp\\\\",
          "utcTime": "2023-05-16 07:51:24.512",
          "hashes": "SHA1=8E2C6B7F92A560E0E856F8533D62A1B10797828F,MD5=5F7264BD237FAEA46FB240785B78AFAC,SHA256=D9BE711BE2BF88096BB91C25DF775D90B964264AB25EC49CF04711D8C1F089F6,IMPHASH=73F03653209E82368127EB826216A6AD",
          "parentImage": "C:\\\\Windows\\\\System32\\\\regsvr32.exe",
          "ruleName": "technique_id=T1117,technique_name=Regsvr32",
          "company": "Microsoft Corporation",
          "commandLine": "  /s /i C:\\\\AtomicRedTeam\\\\atomics\\\\T1218.010\\\\bin\\\\AllTheThingsx86.dll",
          "integrityLevel": "High",
          "fileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
          "user": "Windows11\\\\Testuser",
          "terminalSessionId": "2",
          "parentUser": "Windows11\\\\Testuser"
        },
        "system": {
          "eventID": "1",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",

         "message": "\"Process Create:\r\nRuleName: technique_id=T1117,technique_name=Regsvr32\r\nUtcTime: 2023-05-16 07:51:24.512\r\nProcessGuid: {45cd4aff-35fc-6463-6a03-000000001300}\r\nProcessId: 4064\r\nImage: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nFileVersion: 10.0.22621.1 (WinBuild.160101.0800)\r\nDescription: Microsoft(C) Register Server\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: REGSVR32.EXE\r\nCommandLine:   /s /i C:\\AtomicRedTeam\\atomics\\T1218.010\\bin\\AllTheThingsx86.dll\r\nCurrentDirectory: C:\\Users\\THECOT~1\\AppData\\Local\\Temp\\\r\nUser: Windows11\\Testuser\r\nLogonGuid: {45cd4aff-2ce5-6463-2543-290000000000}\r\nLogonId: 0x294325\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: SHA1=8E2C6B7F92A560E0E856F8533D62A1B10797828F,MD5=5F7264BD237FAEA46FB240785B78AFAC,SHA256=D9BE711BE2BF88096BB91C25DF775D90B964264AB25EC49CF04711D8C1F089F6,IMPHASH=73F03653209E82368127EB826216A6AD\r\nParentProcessGuid: {45cd4aff-35fc-6463-6903-000000001300}\r\nParentProcessId: 7652\r\nParentImage: C:\\Windows\\System32\\regsvr32.exe\r\nParentCommandLine: C:\\Windows\\system32\\regsvr32.exe  /s /i C:\\AtomicRedTeam\\atomics\\T1218.010\\bin\\AllTheThingsx86.dll\r\nParentUser: Windows11\\Testuser\"",

         "version": "5",
          "systemTime": "2023-05-16T07:51:24.5131006Z",
          "eventRecordID": "88509",
          "threadID": "3960",
          "computer": "Windows11",
          "task": "1",
          "processID": "3156",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },

Carrying out further investigations on other related events, you can see a process injection event created by the regsvr32 utility and the image loaded:

"data": {
      "win": {
        "eventdata": {
          "originalFileName": "mscoree.dll",
          "image": "C:\\\\Windows\\\\SysWOW64\\\\regsvr32.exe",
          "product": "Microsoft® Windows® Operating System",
          "signature": "Microsoft Windows",

         "imageLoaded": "C:\\\\Windows\\\\SysWOW64\\\\mscoree.dll",

         "description": "Microsoft .NET Runtime Execution Engine",
          "signed": "true",
          "signatureStatus": "Valid",
          "processGuid": "{45cd4aff-35fc-6463-6a03-000000001300}",
          "processId": "4064",
          "utcTime": "2023-05-16 07:51:24.774",
          "hashes": "SHA1=52A6AB3E468C4956C00707DF80C7609EEE74D9AD,MD5=BEE4D173DA78E4D3AC9B54A95C6A464A,SHA256=36B0BA10BBB6575CA4A4CBDE585F6E19B86B3A80014B3C3D8335F861D8AEBFAB,IMPHASH=47F306C12509ADBBC266F7DA43529A4D",
          "ruleName": "technique_id=T1055,technique_name=Process Injection",
          "company": "Microsoft Corporation",
          "fileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
          "user": "Windows11\\\\Testuser"
        },
        "system": {
          "eventID": "7",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",

         "message": "\"Image loaded:\r\nRuleName: technique_id=T1055,technique_name=Process Injection\r\nUtcTime: 2023-05-16 07:51:24.774\r\nProcessGuid: {45cd4aff-35fc-6463-6a03-000000001300}\r\nProcessId: 4064\r\nImage: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nImageLoaded: C:\\Windows\\SysWOW64\\mscoree.dll\r\nFileVersion: 10.0.22621.1 (WinBuild.160101.0800)\r\nDescription: Microsoft .NET Runtime Execution Engine\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: mscoree.dll\r\nHashes: SHA1=52A6AB3E468C4956C00707DF80C7609EEE74D9AD,MD5=BEE4D173DA78E4D3AC9B54A95C6A464A,SHA256=36B0BA10BBB6575CA4A4CBDE585F6E19B86B3A80014B3C3D8335F861D8AEBFAB,IMPHASH=47F306C12509ADBBC266F7DA43529A4D\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid\r\nUser: Windows11\\Testuser\"",

         "version": "3",
          "systemTime": "2023-05-16T07:51:24.7768916Z",
          "eventRecordID": "88510",
          "threadID": "3960",
          "computer": "Windows11",
          "task": "7",
          "processID": "3156",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },

Apply the data.win.eventdata.ruleName:technique_id=T1218.010,technique_name=Regsvr32 filter to see the technique ID as shown below.
Expand the event to view its associated fields.

Click on the JSON tab to view the JSON format of the archived logs.

From the below log, you can extract more structured details which makes it easier to analyze the event:

"data": {
      "win": {
        "eventdata": {
          "destinationPort": "443",
          "image": "C:\\\\Windows\\\\System32\\\\regsvr32.exe",
          "sourcePort": "63754",
          "initiated": "true",
          "destinationIp": "1.1.123.23",
          "protocol": "tcp",
          "processGuid": "{45cd4aff-36b5-645a-9e07-000000000e00}",
          "sourceIp": "192.168.43.16",
          "processId": "4704",
          "utcTime": "2023-05-09 21:19:25.361",

         "ruleName": "technique_id=T1218.010,technique_name=Regsvr32",

         "destinationIsIpv6": "false",
          "user": "Windows11\\\\Testuser",
          "sourceIsIpv6": "false"
        },
        "system": {
          "eventID": "3",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",

         "message": "\"Network connection detected:\r\nRuleName: technique_id=T1218.010,technique_name=Regsvr32\r\nUtcTime: 2023-05-09 21:19:25.361\r\nProcessGuid: {45cd4aff-36b5-645a-9e07-000000000e00}\r\nProcessId: 4704\r\nImage: C:\\Windows\\System32\\regsvr32.exe\r\nUser: Windows11\\Testuser\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.43.16\r\nSourceHostname: -\r\nSourcePort: 63754\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 185.199.108.133\r\nDestinationHostname: -\r\nDestinationPort: 443\r\nDestinationPortName: -\"",

         "version": "5",
          "systemTime": "2023-05-09T12:04:07.0231156Z",
          "eventRecordID": "63350",
          "threadID": "3096",
          "computer": "Windows11",
          "task": "3",
          "processID": "3156",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },

You can use events from the Wazuh archives to develop detection logic and write custom decoders and rules. You can also use the out-of-the-box wazuh-logtest tool to test and verify rules against provided logs. For more information, see the Custom rules, Custom decoders, and wazuh-logtest documentation.

External API integration

The Wazuh Integrator module allows Wazuh to connect to external APIs and alerting tools such as Slack, PagerDuty, VirusTotal, Shuffle, and Maltiverse. You can also configure the Integrator module to connect to other software. These integrations empower security administrators to enhance orchestration, automate responses, and fortify their defenses against cyber threats.

Configuration

To configure an integration, add the following configuration within the <ossec_config> in the /var/ossec/etc/ossec.conf file on the Wazuh server:

<integration>
  <name> </name>
  <hook_url> </hook_url> <!-- Required for Slack, Shuffle, and Maltiverse -->
  <api_key> </api_key> <!-- Required for PagerDuty, VirusTotal, and Maltiverse -->
  <alert_format>json</alert_format> <!-- Required for Slack, PagerDuty, VirusTotal, Shuffle, and Maltiverse -->

  <!-- Optional filters -->
  <rule_id> </rule_id>
  <level> </level>
  <group> </group>
  <event_location> </event_location>
  <options> </options>
</integration>

Where:

<name> indicates the name of the service to integrate with. The allowed values are slack, pagerduty, virustotal, shuffle, maltiverse. For custom integrations, the name must be any string that begins with custom-.
<hook_url> is the URL that is used for communication with the software being integrated. It's mandatory for the Slack, Shuffle, and Maltiverse integrations.
<api_key> is the key you would have retrieved from the PagerDuty, VirusTotal, or Maltiverse API. This is mandatory for PagerDuty, VirusTotal, and Maltiverse.
<alert_format> writes the alert file in the JSON format. The Integrator module makes use of this alert file to fetch field values. The allowed value is json.
<rule_id> filters alerts by rule ID. The allowed values are comma-separated rule IDs.
<level> filters alerts by rule level so only alerts with the specified level or above are pushed. The allowed value is any alert level from 0 to 16.
<group> filters alerts by rule group. For the VirusTotal integration, only rules from the syscheck group are available. The allowed values are any rule group or comma-separated rule groups.
<event_location> filters alerts by where the event originated. The allowed value is any sregex expression.
<options> overwrites the previous fields or adds customization fields according to the information provided in the JSON object. The allowed value is json.

Note

Restart the Wazuh manager when you make any changes to the configuration file. This will ensure that the changes take effect.

Restart the Wazuh manager via the command line interface with the following command:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Optional filters

The Wazuh Integrator module uses the optional filters fields to determine which alerts should be sent to the external platforms. Only the alerts that meet the filter conditions are sent. If no filters are specified, all alerts are sent.

The following considerations must be taken into account when the filters are set:

It is possible to specify multiple group names using the <group> tag with a comma-separated list. If the alert's group matches any of the groups in the list, the alert is sent, otherwise, it is ignored.
It is possible to specify multiple rule IDs using the <rule_id> tag with a comma-separated list. The alert is sent if the alert's rule ID matches any of the IDs in the list, otherwise, it is ignored.
It is possible to specify the previously described fields together. The alert is sent if both the alert's rule ID and group match any of the IDs and groups in the lists, otherwise, it is ignored.

Note

It is recommended to carefully check the groups and rule identifiers mentioned above, as defining them incorrectly will result in expected alerts not being sent to the integration.

You can find the full configuration options for the Integrator module in the integration section of the reference guide.

Slack

Slack is a cloud-based collaboration platform that facilitates communication and teamwork within organizations. This integration uses Slack incoming webhooks and allows security professionals to receive real-time alerts directly within designated channels.

To set up this integration, perform the following steps:

Enable incoming webhooks and create one for your Slack channel. Follow the Slack guide on incoming webhooks for this.
Append the configuration below to the /var/ossec/etc/ossec.conf file on the Wazuh server. Replace <WEBHOOK_URL> with your incoming webhook.
```
<ossec_config>
  <integration>
    <name>slack</name>
    <hook_url><SLACK_WEBHOOK_URL></hook_url> 
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
```
Note

You can set a JSON object with customization fields using the options tag. Visit the Slack API reference for information about available customization fields.

Restart the Wazuh manager to apply the changes:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Once the configuration is complete, alerts start showing in the selected channel.

PagerDuty

PagerDuty is a SaaS incident response platform suitable for IT departments. PagerDuty executes incident response workflows by escalating alerts to the right individuals or teams based on schedules and escalation policies. The PagerDuty integration uses the PagerDuty API to forward Wazuh alerts to its Incidents Dashboard.

To set up this integration, perform the following steps:

Get your Events API v2 integration key by creating a PagerDuty new service.
Append the configuration below to the /var/ossec/etc/ossec.conf file on the Wazuh server. Replace PAGERDUTY_API_KEY with your PagerDuty integration key. The rule level filter is optional, and you can remove it or set another level value for the integration.
```
<ossec_config>
  <integration>
    <name>pagerduty</name>
    <api_key><PAGERDUTY_API_KEY></api_key> 
    <level>10</level>
    <alert_format>json</alert_format> 
  </integration>
</ossec_config>
```
Note

You can set a JSON object with customization fields using the options tag. Visit the PagerDuty API reference for information about available customization fields.

Restart the Wazuh manager to apply the changes:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Once the configuration is complete, alerts start showing on the Pagerduty dashboard.

VirusTotal

VirusTotal is an online service that analyzes files and URLs to detect viruses, worms, trojans, and other malicious content using antivirus engines and website scanners. This integration allows the inspection of malicious files using the VirusTotal database. Find more information about this on the VirusTotal integration section.

To set up this integration, follow these steps:

Get your API key from the VirusTotal API key page.

Edit /var/ossec/etc/ossec.conf in the Wazuh server and include a configuration block such as the following. Replace <VIRUSTOTAL_API_KEY> with your VirusTotal API key.

<integration>
  <name>virustotal</name>
  <api_key><VIRUSTOTAL_API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

Restart the Wazuh manager to apply the changes:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Shuffle

Shuffle is an open source interpretation of SOAR. It transfers data throughout the enterprise with plug-and-play apps. The Shuffle integration allows forwarding Wazuh alerts into a Shuffle Workflow using a webhook.

To set up this integration, do the following:

Go to Shuffle, make a Workflow using the Email app, and select version 1.0.1.
Set Recipients and Subject in the email configuration. Put $exec in the Body to include the alert information.
Add a webhook to the Workflow.
Start the webhook and copy the webhook URL.
Edit /var/ossec/etc/ossec.conf in the Wazuh server and include a configuration block such as the following.
Replace <SHUFFLE_WEBHOOK_ID> with the Shuffle webhook ID. The rule level filter is optional. You can remove it or set another level value for the integration.
```
<integration>
  <name>shuffle</name>
  <hook_url>https://shuffler.io/api/v1/hooks/<SHUFFLE_WEBHOOK_ID></hook_url> 
  <level>3</level>
  <alert_format>json</alert_format>
</integration>
```
Note

You can set a JSON object with customization fields using the options tag. Visit the Shuffle API reference for information about available customization fields.

Restart the Wazuh manager to apply the changes:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Once the configuration is complete, alerts start showing in the email inbox.

Maltiverse

Maltiverse is an open source and collaborative platform for indexing and searching Indicators of Compromise (IoCs). It aggregates information from over a hundred public, private, and community threat intelligence sources.

This integration identifies IoCs in Wazuh alerts via the Maltiverse API. It generates new alerts enriched with Maltiverse data. The Maltiverse data fields are based on the threat taxonomy of the ECS standard (Elastic Common Schema).

Perform the following steps to setup this integration:

Get your API key from the Maltiverse page.

Edit /var/ossec/etc/ossec.conf in the Wazuh server and include a configuration block such as the following. Replace <MALTIVERSE_API_KEY> with your Maltiverse API key. The rule level filter is optional. You can remove it or set another level value for the integration.

<integration>
  <name>maltiverse</name>
  <hook_url>https://api.maltiverse.com</hook_url>
  <level>3</level>
  <api_key><MALTIVERSE_API_KEY></api_key> <!-- Replace with your Maltiverse API key -->
  <alert_format>json</alert_format>
</integration>

Restart the Wazuh manager to apply the changes:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Once the configuration is complete, enriched alerts start showing in the Wazuh Dashboard if applicable.

Custom integration

The Wazuh Integrator module connects Wazuh with other external software. This is achieved by integrating the Wazuh alert system with the APIs of the software products through integration scripts.

Below is an example of a configuration block in the /var/ossec/etc/ossec.conf file for custom integration.

<!--Custom external Integration -->
<integration>
  <name>custom-integration</name>
  <hook_url><WEBHOOK></hook_url>
  <level>10</level>
  <group>multiple_drops,authentication_failures</group>
  <api_key><API_KEY></api_key> <!-- Replace with your external service API key -->
  <alert_format>json</alert_format>
 <options>{"data": "Custom data"}</options> <!-- Replace with your custom JSON object -->
</integration>

Replace:

<WEBHOOK> with the webhook URL of the external application.
<API_KEY> with the API key of the external application.

You can get detailed information on the configuration options for the Wazuh Integrator module in the reference guide.

Creating an integration script

You are recommended to follow the instructions below when creating an integration script:

Create the script in /var/ossec/integrations/ directory on the Wazuh server with the same name indicated in the configuration block.
The script must contain execution permissions and belong to the root user of the wazuh group. The commands below assign permissions and ownership to the /var/ossec/integrations/custom-script script.
```
# chmod 750 /var/ossec/integrations/custom-script
# chown root:wazuh /var/ossec/integrations/custom-script
```
The first line of the integration script must indicate its interpreter, or else Wazuh won’t know how to read and execute the script. The following example line indicates the Python interpreter:
```
#!/usr/bin/env python
```
The script checks the following arguments because it will receive configuration options from them.
- The first parameter includes the location of the file that contains the alert. The parameter is the /logs/alerts/alerts.json file passed by default in the Wazuh Integrator module:
```
alert_file = open(sys.argv[1])
```
- The second parameter contains the API key which is the api_key option defined in the <integration> block:
```
api_key = sys.argv[2]
```
- The third parameter contains the webhook URL which is the hook_url option defined in the <integration> block:
```
hook_url = sys.argv[3]
```
If none of the above are indicated, the parameters will be received empty.

Read the contents of the file indicated in the first parameter and extract, from the alert, the fields that are relevant for the integration. If JSON was used in the alert_format option, the information has to be loaded as a JSON object.

alert_level = alert_json['rule']['level']
ruleid = alert_json['rule']['id']
description = alert_json['rule']['description']
agentid = alert_json['agent']['id']
agentname = alert_json['agent']['name']
path = alert_json['syscheck']['path']

We recommend that you check the file /logs/alerts/alerts.json before starting the development of the integration script to find the format of the alerts to be interpreted.

You can see the example integration script for Jira in the How to integrate external software using Integrator blog post.

Queuing mechanisms

The Wazuh server includes a queue mechanism that streamlines the collection of events from monitored endpoints. It ensures continuous data flow from the Wazuh agents, syslog endpoints, and agentless devices to the Wazuh server thereby preventing event flooding. The Wazuh server queue utilizes the First In, First Out (FIFO) methodology; therefore, the first queued event is the first to be removed from the queue and processed. It is based on distributed processing, allowing for the parallelization of log analysis tasks. This improves the scalability and performance of the log processing pipeline enabling Wazuh to handle large volumes of log data effectively.

The Wazuh server has two native queues for managing event flows:

Wazuh agent communication queue (queue_rd)
Wazuh analysis engine queue (queue_and)

The Wazuh agent uses the Wazuh agent queue (queue_ad) to prevent event congestion. This queue ensures the Wazuh agent does not send events faster than the Wazuh server can process.

Wazuh agent communication queue (queue_rd)

The queue_rd queue resides in the server-side agent communication service. It receives events from Wazuh agents and sends them to the Wazuh analysis engine for event decoding and rule matching.

How to configure the Wazuh agent communication queue

Configure the Wazuh agent communication queue by editing the <queue_size> in the remote section of the /var/ossec/etc/ossec.conf file on the Wazuh server:
```
<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>tcp,udp</protocol>
  <queue_size>131072</queue_size>
  <rids_closing_time>5m</rids_closing_time>
  <connection_overtake_time>600</connection_overtake_time>
  <agents>
    <allow_higher_versions>no</allow_higher_versions>
  </agents>
</remote>
```
The <queue_size> variable sets the queue capacity of the Wazuh agent communication queue. The table below shows the configuration for the <queue_size> variable.

Default value

Allowed values

131072

Any number between 1 and 262144.

Note

The Wazuh agent communication queue (queue_rd) is only available for Wazuh agent events, not remote syslog events. This option only works when the connection is set to secure.
Restart the Wazuh manager service to apply the changes
```
# systemctl restart wazuh-manager
```

When event drops are observed you can increase the value of the queue_size in the <remote> block of the /var/ossec/etc/ossec.conf file, and the worker_pool size in the /var/ossec/etc/internal_options.conf.

The table below shows the configuration of the worker_pool size on the Wazuh server.

remoted.worker_pool	Description	Number of threads that process the payload reception
	Default value	4
	Allowed value	Any integer between 1 and 16

You can monitor for event drops in the wazuh-remoted by querying the Wazuh server API or reading the daemon statistical state file.

Querying the Wazuh server API

You can query the statistical information of the wazuh-remoted by following the steps below:

On the Wazuh dashboard, navigate to Tools, then API Console.
Add the following to the API console and click the green arrow to send the request to query the Wazuh server API:
```
GET /manager/daemons/stats
```
The query result is shown on the left hand side in the screenshot below.

The query returns the queue size value, the number of events processed by the wazuh-remoted, and the number of events discarded.

Agent communication statistical state file

This statistical file for wazuh-remoted offers data regarding the remote daemon, such as queue size, discarded messages, the count of remote connections, and other important information.

Run the command below on the Wazuh server to read the file:

# cat /var/ossec/var/run/wazuh-remoted.state

Below is an example of the content of the wazuh-remoted.state file:

# State file for wazuh-remoted
# THIS FILE WILL BE DEPRECATED IN FUTURE VERSIONS
# Updated every 5 seconds.

# Queue size
queue_size='0'

# Total queue size
total_queue_size='131072'

# TCP sessions
tcp_sessions='1'

# Events sent to Analysisd
evt_count='126714'

# Control messages received
ctrl_msg_count='2637'

# Discarded messages
discarded_count='0'

# Total number of bytes sent
sent_bytes='4434745'

# Total number of bytes received
recv_bytes='93866086'

# Messages dequeued after the agent closes the connection
dequeued_after_close='0'

# Control messages queue usage
ctrl_msg_queue_usage='0'

# Control messages queue breakdown
ctrl_msg_queue_inserted='5587'
ctrl_msg_replaced='13'
ctrl_msg_processed='5587'

Wazuh analysis engine queue (queue_and)

The queue_and queue resides in the Wazuh analysis engine and streamlines the reception of events. The Wazuh analysis engine then matches the received logs against the rules on the Wazuh server.

How to configure the Wazuh analysis engine queue

The Wazuh analysis engine queue receives logs from Wazuh agents for analysis using the queue_and queue. All incoming log messages are categorized and queued in the following categories:

File integrity monitoring event decoder queue.
Syscollector event decoder queue.
Root check event decoder queue.
Host info event decoder queue.
Event decoder queue.
Windows event decoder queue.

Each queue category has a set of threads responsible for their First In, First Out (FIFO) event management. The number of threads is individually configurable per event type through the /var/ossec/etc/internal_options.conf file on the Wazuh server.

Note

To ensure that upgrades do not overwrite queue configurations, use the /var/ossec/etc/local_internal_options.conf file instead of the /var/ossec/etc/internal_options.conf file.

The table below shows the configuration options available for the Wazuh analysis engine queue (queue_and).

Queues (wazuh-analysisd.state)	Setting (local_internal_options.conf)	Default	Min	Max
syscheck_queue_usage	analysisd.decode_syscheck_queue_size	16384	128	2000000
syscollector_queue_usage	analysisd.decode_syscollector_queue_size	16384	128	2000000
rootcheck_queue_usage	analysisd.decode_rootcheck_queue_size	16384	128	2000000
sca_queue_usage	analysisd.decode_sca_queue_size	16384	128	2000000
hostinfo_queue_usage	analysisd.decode_hostinfo_queue_size	16384	128	2000000
winevt_queue_usage	analysisd.decode_winevt_queue_size	16384	128	2000000
dbsync_queue_usage	analysisd.dbsync_queue_size	16384	128	2000000
upgrade_queue_usage	analysisd.upgrade_queue_size	16384	128	2000000
event_queue_usage	analysisd.decode_event_queue_size	16384	128	2000000
rule_matching_queue_usage	analysisd.decode_output_queue_size	16384	128	2000000
alerts_queue_usage	analysisd.alerts_queue_size	16384	128	2000000
firewall_queue_usage	analysisd.firewall_queue_size	16384	128	2000000
statistical_queue_usage	analysisd.statistical_queue_size	16384	128	2000000
archives_queue_usage	analysisd.archives_queue_size	16384	128	2000000
	analysisd.fts_queue_size	16384	128	2000000
	analysisd.fts_list_size	32	12	512
	analysisd.fts_min_size_for_str	14	6	128
	analysisd.decoder_order_size	256	32	1024

The queue settings should be adjusted when “event drops” are observed on the Wazuh analysis engine. You can monitor for event drops in the wazuh-analysisd by querying the Wazuh server API or reading the daemon statistical state file.

Querying the Wazuh server API

The log category state can be queried using the Wazuh server API to check the statistical information from the Wazuh analysis engine. The new statistics show a breakdown of received or dropped events by event type. This is vital to adjust only the queue sizes that show dropping.

You can query the statistical information of the Wazuh analysis engine by following the steps below:

On the Wazuh dashboard, navigate to Tools, then API Console.
Add the following to the Console and click the green arrow to send the request to query the Wazuh server API:
```
GET /manager/daemons/stats
```
Scroll down to the wazuh-analysisd section of the query result shown on the right-hand side in the screenshot below.

The query returns the queue size value, the number of events processed by the Wazuh analysis engine, and the number of events discarded.

The Wazuh analysis engine queue can be configured per the event type through the /var/ossec/etc/internal_options.conf file on the Wazuh server.

Note

To ensure that upgrades do not overwrite queue configurations, use the /var/ossec/etc/local_internal_options.conf file instead of the /var/ossec/etc/internal_options.conf file.

The Wazuh analysis engine statistical state file

The statistical file for the Wazuh analysis engine is located at /var/ossec/var/run/wazuh-analysisd.state. The file can be useful when investigating event processing problems on the Wazuh server.

Run the command below on the Wazuh server to read the file:

# cat /var/ossec/var/run/wazuh-analysisd.state

Below is an example of the content of the wazuh-analysisd.state file:

# State file for wazuh-analysisd
# THIS FILE WILL BE DEPRECATED IN FUTURE VERSIONS

# Total events decoded
total_events_decoded='137726'

# Syscheck events decoded
syscheck_events_decoded='3935'

# Syscollector events decoded
syscollector_events_decoded='2590'

# Rootcheck events decoded
rootcheck_events_decoded='37'

# Security configuration assessment events decoded
sca_events_decoded='8991'

# Winevt events decoded
winevt_events_decoded='87993'

# Database synchronization messages dispatched
dbsync_messages_dispatched='26004'

# Other events decoded
other_events_decoded='8176'

# Events processed (Rule matching)
events_processed='112252'

# Events received
events_received='138283'

# Events dropped
events_dropped='0'

# Alerts written to disk
alerts_written='6707'

# Firewall alerts written to disk
firewall_written='0'

# FTS alerts written to disk
fts_written='0'

# Syscheck queue
syscheck_queue_usage='0.00'

# Syscheck queue size
syscheck_queue_size='16384'

# Syscollector queue
syscollector_queue_usage='0.00'

# Syscollector queue size
syscollector_queue_size='16384'

# Rootcheck queue
rootcheck_queue_usage='0.00'

# Rootcheck queue size
rootcheck_queue_size='16384'

# Security configuration assessment queue
sca_queue_usage='0.00'

# Security configuration assessment queue size
sca_queue_size='16384'

# Hostinfo queue
hostinfo_queue_usage='0.00'

# Hostinfo queue size
hostinfo_queue_size='16384'

# Winevt queue
winevt_queue_usage='0.00'

# Winevt queue size
winevt_queue_size='16384'

# Database synchronization message queue
dbsync_queue_usage='0.00'

# Database synchronization message queue size
dbsync_queue_size='16384'

# Upgrade module message queue
upgrade_queue_usage='0.00'

# Upgrade module message queue size
upgrade_queue_size='16384'

# Event queue
event_queue_usage='0.00'

# Event queue size
event_queue_size='16384'

# Rule matching queue
rule_matching_queue_usage='0.00'

# Rule matching queue size
rule_matching_queue_size='16384'

# Alerts log queue
alerts_queue_usage='0.00'

# Alerts log queue size
alerts_queue_size='16384'

# Firewall log queue
firewall_queue_usage='0.00'

# Firewall log queue size
firewall_queue_size='16384'

# Statistical log queue
statistical_queue_usage='0.00'

# Statistical log queue size
statistical_queue_size='16384'

# Archives log queue
archives_queue_usage='0.00'

# Archives log queue size
archives_queue_size='16384'

Wazuh agent queue (queue_ad)

The queue_ad queue resides in the agent-side agent connection service and manages event forwarding from the Wazuh agent to the Wazuh server. The queue collects logs like system events and security configuration assessment outputs before forwarding them to the Wazuh server. It also includes an anti-flooding mechanism that throttles event forwarding based on configurable parameters, mitigating the risk of overwhelming the processing capacity of the Wazuh server.

Wazuh queue decoder and rules

Wazuh provides an out-of-the-box decoder and rules to analyze the event flooding output and generate alerts on the Wazuh dashboard.

Decoder

The decoder is available in the /var/ossec/ruleset/decoders/0005-wazuh_decoders.xml file on the Wazuh server. The decoder is responsible for analyzing flooding events on the Wazuh server.

<decoder name="agent-buffer">
  <parent>wazuh</parent>
  <prematch offset="after_parent">^Agent buffer:</prematch>
  <regex offset="after_prematch">^ '(\S+)'.</regex>
  <order>level</order>
</decoder>

Rules

As shown below, the rules are defined with IDs from 201 to 205 and are available in the /var/ossec/ruleset/rules/0016-wazuh_rules.xml file on the Wazuh server.

<!-- Agent buffer rules -->
<rule id="201" level="0">
  <if_sid>200</if_sid>
  <match>^wazuh: Agent buffer: </match>
  <description>Agent event queue rule</description>
  <group>agent_flooding,</group>
</rule>

<rule id="202" level="7">
  <if_sid>201</if_sid>
  <field name="level">%</field>
  <description>Agent event queue is $(level) full.</description>
  <group>agent_flooding,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
</rule>

<rule id="203" level="9">
  <if_sid>201</if_sid>
  <field name="level">full</field>
  <description>Agent event queue is full. Events may be lost.</description>
  <group>agent_flooding,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
</rule>

<rule id="204" level="12">
  <if_sid>201</if_sid>
  <field name="level">flooded</field>
  <description>Agent event queue is flooded. Check the agent configuration.</description>
  <group>agent_flooding,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
</rule>

<rule id="205" level="3">
  <if_sid>201</if_sid>
  <field name="level">normal</field>
  <description>Agent event queue is back to normal load.</description>
  <group>agent_flooding,</group>
</rule>

Where:

Rule ID 201 is the base rule for the event queue.
Rule ID 202 is triggered when the event queue level reaches 90%.
Rule ID 203 is triggered when the event queue is full.
Rule ID 204 is triggered when the event queue is flooded.
Rule ID 205 is triggered when the event queue becomes normal after a flooding event.

Wazuh server cluster

The Wazuh server cluster is made up of multiple Wazuh server nodes in a distributed environment. This deployment strategy helps to provide horizontal scalability and improved performance. In an environment with many endpoints to monitor, you can combine this deployment strategy with a network load balancer to distribute the Wazuh agent connection load effectively across multiple nodes. This approach enables the Wazuh server to manage a large number of Wazuh agents more efficiently and ensure high availability.

Content

Architecture overview

The following diagram shows a typical Wazuh server cluster architecture:

In this architecture, there are multiple Wazuh server nodes within the cluster. The Wazuh server cluster consists of a master node and worker nodes. The Wazuh agents are configured to report to the server nodes in the cluster. This setup allows for horizontal scalability and enhances the performance of the Wazuh servers.

Types of nodes in a Wazuh server cluster

There are two types of nodes in the Wazuh server cluster, the master node and the worker node. The node types define the tasks of each node within the Wazuh server cluster and establish a hierarchy to determine which node's information takes precedence during data synchronizations. A Wazuh server cluster can only have one master node, during synchronizations, the data from the master node always takes precedence over the data from worker nodes. This ensures uniformity and consistency within the cluster.

Note

Configurations applied to the /var/ossec/etc/ossec.conf file on the master node are not automatically synchronized with the /var/ossec/etc/ossec.conf file on the worker nodes. You need to manually replicate the configurations to attain synchronization.

Additionally, restart nodes to apply configuration changes.

Master node

The master node centralizes and coordinates worker nodes, ensuring the critical and required data is consistent across all nodes. It provides the centralization of the following:

Receiving and managing agent registration and deletion requests.
Creating shared configuration groups.
Updating custom rules, decoders, SCA policies and CDB lists.

The Wazuh agent registration details, shared configuration, CDB list, custom SCA policies, custom decoders, and rules are synchronized from the master to the workers, ensuring that all nodes have the same configuration and rulesets. During synchronization, every version of these files on the worker node is overwritten with the files from the master node.

Worker node

A worker node is responsible for:

Redirecting Wazuh agent enrollment requests to the master node.
Synchronizing Wazuh agent registration details, shared configuration, CDB list, custom SCA policies, custom decoders, and rules from the master node.
Receiving and processing events from Wazuh agents.
Sending the Wazuh agent status update to the master node.

During synchronization, If any of the shared files are modified on a worker node, their contents are overwritten with the master node's contents during the next synchronization.

How the Wazuh server cluster works

The Wazuh server cluster is managed by the wazuh-clusterd daemon which communicates with all the nodes following a master-worker architecture. Refer to the Daemons section for more information about its use.

The image below shows the communications between a worker and a master node. Each worker-master communication is independent of each other since workers are the ones who start the communication with the master.

There are different independent threads running and each one is framed in the image:

Keep alive thread: Responsible for sending keep alive messages to the master in frequent intervals. It is necessary to keep the connection opened between master and worker nodes, since the cluster uses permanent connections.
Agent info thread: Responsible for sending OS information, labels configured, and the status of the Wazuh agents that are reporting to that node. The master also checks whether the agent exists or not before saving its status update. This is done to prevent the master from storing unnecessary information. For example, this situation is very common when an agent is removed but the master hasn't notified worker nodes yet.
Agent groups send thread: Responsible for sending information of agent groups assignment to worker nodes. The information is calculated in the master when an agent connects for the first time.
Local agent-groups thread: Responsible for reading all new agent groups information in the master. The master node needs to get agent-groups information from the database before sending it to all the worker nodes. To avoid requesting it once per each worker connection, the information is obtained and stored in a different thread called Local agent-groups thread, in the master node at intervals.
Integrity thread: Responsible for synchronizing files in the Wazuh server cluster, from the master node to the worker nodes. These files include the Wazuh agent keys file, user defined rules, decoders, custom SCA policies, CDB lists and group files.
Local integrity thread: Responsible for calculating the integrity of each file using its MD5 checksum and its modification time. To avoid calculating the integrity with each worker node connection, the integrity is calculated in a different thread, called the File integrity thread, in the master node at intervals.

All cluster logs are written in the /var/ossec/logs/cluster.log file of a default Wazuh installation.

Wazuh cluster nodes configuration

In a Wazuh server cluster, there can only be one master node in a cluster while all other Wazuh servers are the worker nodes. For both node types, the configuration file /var/ossec/etc/ossec.conf contains the cluster configuration values. We show how to configure a cluster with a master node and a single worker node.

Note

Additionally, restart nodes to apply configuration changes.

Master node

For the Wazuh server master node, set the following configuration within the <cluster> block in the configuration file /var/ossec/etc/ossec.conf:
```
<cluster>
    <name>wazuh</name>
    <node_name>master-node</node_name>
    <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
    <node_type>master</node_type>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node><MASTER_NODE_IP_ADDRESS></node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
</cluster>
```
Where:
- <name> is the name that will be assigned to the cluster.
- <node_name> is the name of the current node.
- <key> is a unique 32-characters long key and should be the same for all of the cluster nodes. We generate a unique key with the command openssl rand -hex 16.
- <node_type> sets the node type to either master or worker.
- <port> is the destination port for cluster communication.
- <bind_addr> is the IP address where the node is listening to (0.0.0.0 any IP).
- <node> specifies the address of the master node within the <nodes> block and this must be specified in all nodes including the master node itself. The address can be either an IP or a DNS.
- <hidden> toggles whether or not to show information about the cluster that generated an alert.
- <disabled> indicates whether the node will be enabled or not in the cluster.
You can learn more about the available configuration options in the cluster reference guide.
Restart the master node to apply the configuration changes:
```
# systemctl restart wazuh-manager
```

Worker node

For the Wazuh server worker node, within the <cluster>...</cluster> in the configuration file /var/ossec/etc/ossec.conf we set the following configuration.

<cluster>
  <name>wazuh</name>
  <node_name>worker01-node</node_name>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <node_type>worker</node_type>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
      <node><MASTER_NODE_IP_ADDRESS></node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>

Restart the worker node to apply the configuration changes:

Execute the following command to check that everything worked as expected:

# /var/ossec/bin/cluster_control -l

Note

The command above can be executed on either a master or worker node.

NAME           TYPE    VERSION  ADDRESS
master-node    master  4.8.0   wazuh-master
worker01-node  worker  4.8.0   172.22.0.3

Data synchronization

The Wazuh server processes events from the Wazuh agents, external APIs, and network devices, raising alerts for threats and anomalies detected. Hence, all required information to receive events from the agents needs to be synchronized. This information is:

The Wazuh agents' keys, so the Wazuh server nodes can accept incoming connections from agents.
The Wazuh agents' shared configuration so the Wazuh server nodes can send the agents their configuration.
The Wazuh agents' groups assignments, so every Wazuh server node knows which configuration to send to the agents.
The custom decoders, rules, SCA policies and CDB lists so the Wazuh server nodes can correctly process events from the agents.
The Wazuh agents' last keep alive and OS information, which is received once the agents connect to a Wazuh server node and it's necessary to know whether an agent is reporting or not.

Having all this information synchronized allows any Wazuh server cluster nodes to process and raise alerts from the Wazuh agents properly. Data synchronization makes it possible to horizontally scale a Wazuh environment when new Wazuh agents are added.

Certificates deployment

Wazuh uses certificates to establish trust and confidentiality between its central components - the Wazuh indexer, Filebeat, and the Wazuh dashboard. Certificates are deployed for new installation of Wazuh or during upscaling of Wazuh central components. The required certificates are:

Root CA certificate: The root CA (Certificate Authority) certificate acts as the foundation of trust for a security ecosystem. It is used to authenticate the identity of all nodes within the system and to sign other certificates, thereby establishing a chain of trust.
Node certificates: Node certificates uniquely identify each node within the Wazuh cluster. They are used to encrypt and authenticate communications between the nodes.

Each node certificate must include either the IP address or the DNS name of the node. This is important for the verification process during communications, ensuring that the data is indeed being sent to and received from trusted nodes. These certificates, signed by the root CA, ensure that any communication between the nodes is trusted and verified through this central authority.
Admin certificate: The admin certificate is a client certificate with special privileges. The Wazuh indexer uses it to perform management and security-related tasks such as initializing and managing the Wazuh indexer cluster, creating, modifying, and deleting users, as well as managing roles and permissions. It also helps ensure that only authorized commands are executed within the cluster.

You can deploy certificates using two methods:

Using the wazuh-certs-tool.sh script
Using custom certificates

Using the `wazuh-certs-tool.sh` script (default method)

The wazuh-certs-tool.sh script simplifies certificate generation for Wazuh central components and creates all the certificates required for installation. You need to create or edit the configuration file config.yml. This file references the node details like node types and IP addresses or DNS names which are used to generate certificates for each of the nodes specified in it. A template could be downloaded from our repository. These certificates are created with the following additional information:

C: US
L: California
O: Wazuh
OU: Wazuh
CN: Name of the node

Generating Wazuh server certificates

Follow the steps below to create Wazuh server certificates using the wazuh-certs-tool.sh script:

Run the command below to download the wazuh-certs-tool.sh script in your installation directory:
```
# wget https://packages.wazuh.com/5.0/wazuh-certs-tool.sh
```
Create a config.yml file with the following content. We specify only the details regarding the Wazuh server nodes as we are focusing on creating certificates for the Wazuh server. These certificates will be used to integrate the Wazuh server with Filebeat for secure data transmission.
```
nodes:
  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "<WAZUH_MANAGER_IP_ADDRESS>"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<WAZUH_MANAGER_IP_ADDRESS>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<WAZUH_MANAGER_IP_ADDRESS>"
    #  node_type: worker
```
Where:
- name represents a unique node name. You can choose any.
- ip represents the IP address or DNS name of the node.
- node type represents the node type to configure. Two types are available, master and worker. You can only have one master node per cluster.
- <WAZUH_MANAGER_IP_ADDRESS> represents the IP address of Wazuh manager nodes (master/worker)
Run the script to create the Wazuh server certificates:
```
# bash wazuh-certs-tool.sh -A
```
After deploying the certificates, a directory wazuh-certificates will be created in the installation directory with the following content:
```
wazuh-certificates/
├── admin-key.pem
├── admin.pem
├── root-ca.key
├── root-ca.pem
├── server-key.pem
└── server.pem
```
The files in this directory are as follows:
- root-ca.pem and root-ca.key: These files represent the root Certificate Authority (CA). The .pem file contains the public certificate, while the .key file holds the private key used for signing other certificates.
  
  Note
  
  If you are deploying a complete Wazuh infrastructure and deploying certificates for the first time you need to conserve the root CA certificate. This will be used to create and sign certificates for the Wazuh indexer and Wazuh dashboard nodes.
- admin.pem and admin-key.pem: These files contain the public and private keys used by the Wazuh indexer to perform management and security-related tasks such as initializing the Wazuh indexer cluster, creating and managing users and roles.
- server.pem and server-key.pem: The server.pem file contains the public key, which is used by Filebeat to verify the authenticity of the Wazuh server during communication. Conversely, the server-key.pem file holds the private key, which is kept securely on the Wazuh server and used to authenticate itself to Filebeat.
  
  In a clustered environment comprising two or more Wazuh server nodes, unique pairs of public and private keys are generated for each node. These keys are specific to the node and are identified by the names defined in the name field of the config.yml file. These key pairs must then be transferred to their corresponding nodes.
Once the certificates are created, you need to rename and move the Wazuh server certificate to the appropriate Wazuh server nodes respectively. You need to place them in the default directory /etc/filebeat/certs/ as referenced in the file /etc/filebeat/filebeat.yml. You should create the directory if it doesn’t exist.
```
# mv /path/to/server-key.pem /etc/filebeat/certs/filebeat-key.pem
# mv /path/to/server.pem /etc/filebeat/certs/filebeat.pem
```

Generating Wazuh server certificates using the pre-existing root CA

Wazuh also gives the ability to create and sign the admin and node(s) certificates using a pre-existing root CA. It avoids having to recreate certificates for all the nodes.

Note

You need to use a pre-existing root CA to create Wazuh server certificates:

If you already have a root CA after generating certificates for the Wazuh indexer or Wazuh dashboard nodes.
If you need to re-install a Wazuh server node or add a new node to your Wazuh server cluster.

Create a config.yml file. You must specify the details for only the Wazuh server node(s) you want to create certificates for, depending on the cases described in the note above.
Run the command below to create Wazuh server certificates from the config.yml file using the pre-existing root CA keys:
```
# bash wazuh-certs-tool.sh -ws /path/to/root-ca.pem /path/to/root-ca.key
```
Where:
- The flag -ws indicates we are creating Wazuh server certificates.
- The file /path/to/root-ca.pem contains the root CA certificate.
- The file /path/to/root-ca.key contains the root CA key.
After deploying the certificates, a directory wazuh-certificates will be created in the installation directory with content similar to the one below:
```
wazuh-certificates/
├── admin-key.pem
├── admin.pem
├── server-key.pem
└── server.pem
```
Once the certificates are created, you need to rename and move the Wazuh server certificate to the appropriate Wazuh server nodes respectively. You need to place them in the default directory /etc/filebeat/certs/ as referenced in the file /etc/filebeat/filebeat.yml. You should create the directory if it doesn’t exist.
```
# mv /path/to/server-key.pem /etc/filebeat/certs/filebeat-key.pem
# mv /path/to/server.pem /etc/filebeat/certs/filebeat.pem
```

Using custom certificates

Custom certificates can be created using tools like OpenSSL. You must create the root CA, node, and admin certificates described above.

Adding new Wazuh server nodes

You can upscale your Wazuh server cluster horizontally by adding new nodes. This allows for better handling of a larger number of Wazuh agents. Configuring failover mode or using a load balancer to point agents to the Wazuh server cluster can provide redundancy in case of node failures. It also improves the scalability and resilience of your security monitoring infrastructure.

The upscaling process involves creating certificates necessary for installation, followed by configuring existing components to establish connections with the new Wazuh server node(s). Then installing and configuring the new Wazuh server node(s), and finally testing the cluster to ensure the new nodes have joined.

We have organized the steps for upscaling the Wazuh server into two subsections: one for an all-in-one deployment and the other for a distributed deployment. Your choice between these methods depends on your existing deployment.

All-in-one deployment:

An all-in-one deployment refers to using the Wazuh installation assistant or the pre-built virtual machine image in Open Virtual Appliance (OVA) format provided by Wazuh. This deployment method installs all the Wazuh central components on a single endpoint. If you have a Wazuh all-in-one setup, follow the steps outlined in the "All-in-one deployment" subsections to upscale your Wazuh server cluster.
Distributed deployment:

The distributed deployment refers to when the Wazuh components are installed as separate entities following the step-by-step installation guide (applicable to the Wazuh indexer, server, and dashboard) or using the install assistant (for the Wazuh indexer, server, and dashboard). For an existing distributed deployment, refer to the "Distributed deployment" subsections to upscale your Wazuh server.

Ensure you select the appropriate sub-section based on your existing deployment. If you are unsure which method aligns with your infrastructure, consider reviewing your deployment architecture before proceeding.

Note

You need root user privileges to execute the commands in the next sub-sections.

Certificates creation

Wazuh uses certificates to establish trust and confidentiality between its components - the Wazuh indexer, Filebeat and the Wazuh dashboard. The Wazuh server comprises two components, the Wazuh manager and Filebeat. When adding new Wazuh server nodes, an SSL certificate is required for the Filebeat on the new node to communicate securely with the Wazuh indexer.

Perform the following steps on your existing Wazuh server node to generate the certificates required for secure communication among the Wazuh central components.

All-in-one deployment

We generate new certificates for the Wazuh components in an all-in-one deployment. This is necessary because the quickstart install script uses the localhost IP address 127.0.0.1 to create the certificates for the Wazuh indexer, server, and dashboard. Perform the following steps to create new certificates.

Create a config.yml file in the /root directory to add the new Wazuh server node(s):

# touch /root/config.yml

Edit the /root/config.yml file with it’s content as follows:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: <WAZUH_INDEXER_NODE_NAME>
      ip: <WAZUH_INDEXER_IP_ADDRESS>

  # Wazuh server nodes
  server:
    - name: <EXISTING_WAZUH_SERVER_NODE_NAME>
      ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS>
      node_type: master
    - name: <NEW_WAZUH_SERVER_NODE_NAME>
      ip: <NEW_WAZUH_SERVER_IP_ADDRESS>
      node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: <WAZUH_DASHBOARD_NODE_NAME>
      ip: <WAZUH_DASHBOARD_IP_ADDRESS>

Replace the node names and IP values with your new node names and IP addresses.

You can assign a different node_type in your installation. In this documentation, we assign the master role to the existing node and the worker role to the new node.

Download and run wazuh-certs-tool.sh from your /root directory to create the certificates for the new node and recreate for the existing one:

# curl -sO https://packages.wazuh.com/5.0/wazuh-certs-tool.sh
# bash wazuh-certs-tool.sh -A

19/06/2024 13:59:08 INFO: Generating the root certificate.
19/06/2024 13:59:09 INFO: Generating Admin certificates.
19/06/2024 13:59:09 INFO: Admin certificates created.
19/06/2024 13:59:09 INFO: Generating Wazuh indexer certificates.
19/06/2024 13:59:09 INFO: Wazuh indexer certificates created.
19/06/2024 13:59:09 INFO: Generating Filebeat certificates.
19/06/2024 13:59:09 INFO: Wazuh Filebeat certificates created.
19/06/2024 13:59:09 INFO: Generating Wazuh dashboard certificates.
19/06/2024 13:59:09 INFO: Wazuh dashboard certificates created.

Compress the certificates folder and copy it to the new Wazuh server node(s). You can make use of the scp utility to securely copy the compressed file:
```
# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
# scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP_ADDRESS>:
```
This will copy the certificates to the /home directory of the user on the target system. You can change this to specify a path to your installation directory.

Distributed deployment

For a distributed deployment, the certificates can be generated by either using the pre-existing root CA keys or creating a fresh set of certificates. We recommend you utilize pre-existing root CA keys to generate certificates for new nodes only. We describe both techniques below.

Using pre-existing root CA key

Perform the steps below on your existing Wazuh server node to generate the certificates using pre-existing root CA key.

Note

You will require a copy of the wazuh-certificates.tar file created during the initial configuration for the Wazuh indexer in steps 4 and 5 or a copy of the root CA keys. If neither is available, you can generate new certificates by following the steps outlined in the next section.

Create a config.yml file in the /root directory to add the new Wazuh server node(s):

# touch /root/config.yml

Edit the /root/config.yml file to include the node name and IP of the new node:

nodes:
  # Wazuh server nodes
  server:
    - name: <EXISTING_WAZUH_SERVER_NODE_NAME>
      ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS>
      node_type: master
    - name: <NEW_WAZUH_SERVER_NODE_NAME>
      ip: <NEW_WAZUH_SERVER_IP_ADDRESS>
      node_type: worker

Replace the values with your node names and their corresponding IP addresses.

Extract the wazuh-certificates.tar file to get the root CA keys:

# mkdir wazuh-install-files && tar -xf ./wazuh-certificates.tar -C wazuh-install-files

Download and run wazuh-certs-tool.sh to create the certificates for the new Wazuh server node using the pre-existing root CA keys:

# curl -sO https://packages.wazuh.com/5.0/wazuh-certs-tool.sh
# bash wazuh-certs-tool.sh -A wazuh-install-files/root-ca.pem wazuh-install-files/root-ca.key

19/06/2024 16:42:37 INFO: Generating Admin certificates.
19/06/2024 16:42:37 INFO: Admin certificates created.
19/06/2024 16:42:37 INFO: Generating Filebeat certificates.
19/06/2024 16:42:38 INFO: Wazuh Filebeat certificates created.

Copy the newly created certificates to the wazuh-install-files directory making sure not to replace the admin certificates:

# cp wazuh-certificates/<NEW_WAZUH_SERVER_NODE_NAME>* wazuh-install-files
# cp wazuh-certificates/<EXISTING_WAZUH_SERVER_NODE_NAME>* wazuh-install-files

Compress the certificates directory into a new wazuh-certificates.tar file and copy it to the new Wazuh server node(s). You can make use of the scp utility to securely copy the compressed file as follows:
```
# tar -cvf ./wazuh-certificates.tar -C ./wazuh-install-files/ .
# scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP_ADDRESS>:
```
This command copies the certificates to the /home directory of the target user on the endpoint. You can modify the command to specify a path to your installation directory.

Generating new certificates

You can follow the steps below to generate fresh certificates if the pre-existing root-ca keys have been deleted or are not accessible.

Create the /root/config.yml file to reference all your nodes:

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: <WAZUH_INDEXER_NODE_NAME>
      ip: <WAZUH_INDEXER_IP_ADDRESS>

  # Wazuh server nodes
  server:
    - name: <EXISTING_WAZUH_SERVER_NODE_NAME>
      ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS>
      node_type: master
    - name: <NEW_WAZUH_SERVER_NODE_NAME>
      ip: <NEW_WAZUH_SERVER_IP_ADDRESS>
      node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: <WAZUH_DASHBOARD_NODE_NAME>
      ip: <WAZUH_DASHBOARD_IP_ADDRESS>

Download and execute the wazuh-certs-tool.sh script to create the certificates:

# curl -sO https://packages.wazuh.com/5.0/wazuh-certs-tool.sh
# bash wazuh-certs-tool.sh -A

Compress the certificates folder and copy it to the new Wazuh indexer node(s). You can make use of the scp utility to securely copy the compressed file:
```
# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
# scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP_ADDRESS>:
```
This command copies the certificates to the /home directory of the target user on the endpoint. You can modify the command to specify a path to your installation directory.

Configuring existing components to connect with the new node

Before deploying an additional Wazuh node, it’s essential to reconfigure existing components to ensure communication within the cluster. This step involves updating configuration files and connection parameters so that the Wazuh manager, indexer, and dashboard recognize and properly interact with the newly added Wazuh server node.

All-in-one deployment

Create a file, env_variables.sh, in the /root directory of the existing node where you define your environmental variables as follows:
```
export NODE_NAME1=<WAZUH_INDEXER_NODE_NAME>
export NODE_NAME2=<EXISTING_WAZUH_SERVER_NODE_NAME>
export NODE_NAME3=<WAZUH_DASHBOARD_NODE_NAME>
```
Replace <WAZUH_INDEXER_NODE_NAME>, <EXISTING_WAZUH_SERVER_NODE_NAME>, <WAZUH_DASHBOARD_NODE_NAME> with the names of the Wazuh indexer, Wazuh server and Wazuh dashboard nodes respectively as defined in /root/config.yml.

Create a deploy-certificates.sh script in the /root directory and paste the following to it:

#!/bin/bash

# Source the environmental variables from the external file
source ~/env_variables.sh

rm -rf /etc/wazuh-indexer/certs
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME1.pem ./$NODE_NAME1-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME1.pem /etc/wazuh-indexer/certs/wazuh-indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME1-key.pem /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

rm -rf /etc/filebeat/certs
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME2.pem ./$NODE_NAME2-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME2.pem /etc/filebeat/certs/wazuh-server.pem
mv -n /etc/filebeat/certs/$NODE_NAME2-key.pem /etc/filebeat/certs/wazuh-server-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

rm -rf /etc/wazuh-dashboard/certs
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME3.pem ./$NODE_NAME3-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME3.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME3-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Deploy the certificates by executing the following command:
```
# bash /root/deploy-certificates.sh
```
This deploys the SSL certificates to encrypt communications between the Wazuh central components.

Recommended action: Save a copy offline for potential future use and scalability. You can remove the wazuh-certificates.tar file on this node by running the command below to increase security:
```
# rm -rf ./wazuh-certificates
# rm -f ./wazuh-certificates.tar
```
Edit the Wazuh indexer configuration file at /etc/wazuh-indexer/opensearch.yml to specify the indexer’s IP address and NODE_NAME as mentioned in /root/config.yml file:
```
network.host: "<WAZUH_INDEXER_IP_ADDRESS>"
node.name: "<WAZUH_INDEXER_NODE_NAME>"
cluster.initial_master_nodes:
- "<WAZUH_INDEXER_NODE_NAME>"
```
Edit the Filebeat configuration file /etc/filebeat/filebeat.yml to specify the indexer’s IP address:
```
output.elasticsearchhosts:
        - <WAZUH_INDEXER_IP_ADDRESS>:9200
```
Note

The structure of this section varies based on whether you completed your installation using the Wazuh installation assistant or the step-by-step guide. Here we used the quickstart script.
Generate a random encryption key that will be used to encrypt communication between the cluster nodes:
```
# openssl rand -hex 16
```
Save the output of the above command as it will be used later to configure both Wazuh server nodes.
Edit the configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml to include connection details for the indexer node:
```
opensearch.hosts: https://<WAZUH_INDEXER_IP_ADDRESS>:9200
```

Edit the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file and replace the url value with the IP address or hostname of the Wazuh server master node:

hosts:
  - default:
      url: https://<EXISTING_WAZUH_SERVER_IP_ADDRESS>
      port: 55000
      username: wazuh-wui
      password: <WAZUH_WUI_PASSWORD>
      run_as: false

Edit the Wazuh server configuration file at /var/ossec/etc/ossec.conf to enable the Wazuh server cluster:
```
<cluster>
  <name>wazuh</name>
  <node_name><EXISTING_WAZUH_SERVER_NODE_NAME></node_name>
  <node_type>master</node_type>
  <key><ENCRYPTION_KEY></key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
      <node><MASTER_NODE_IP_ADDRESS></node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```
The configurable fields in the above section of the /var/ossec/etc/ossec.conf file are as follows:
- name indicates the name of the cluster.
- node_name indicates the name of the current node. Replace <EXISTING_WAZUH_SERVER_NODE_NAME> with name as specified in the /root/config.yml file.
- node_type specifies the role of the node. It has to be set to master.
- key represents a key used to encrypt communication between cluster nodes. It should be the same on all the server nodes. To generate a unique key you can use the command openssl rand -hex 16.
- port indicates the destination port for cluster communication. Leave the default as 1516.
- bind_addr is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP).
- nodes is the address of the master node and can be either an IP or a DNS hostname. This parameter must be specified in all nodes, including the master itself. Replace <MASTER_NODE_IP_ADDRESS> with the IP address of your master node.
- hidden shows or hides the cluster information in the generated alerts.
- disabled indicates whether the node is enabled or disabled in the cluster. This option must be set to no.

Restart the Wazuh central component and Filebeat to apply the changes.

# systemctl restart wazuh-indexer
# systemctl restart wazuh-manager
# systemctl restart wazuh-dashboard
# systemctl restart filebeat

# service wazuh-indexer restart
# service wazuh-manager restart
# service wazuh-dashboard restart
# service filebeat restart

Distributed deployment

Deploy the Wazuh server certificates on your existing Wazuh server node by running the following commands. Replace <EXISTING_WAZUH_SERVER_NODE_NAME> with the node name of the Wazuh server you are configuring as defined in /root/config.yml.

# NODE_NAME=<EXISTING_WAZUH_SERVER_NODE_NAME>

# rm -rf /etc/filebeat/certs
# mkdir /etc/filebeat/certs
# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
# chmod 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/*
# chown -R root:root /etc/filebeat/certs

Note

If the certificates were recreated as recommended in the note above.

You will also have to re-deploy the certificates on all your existing Wazuh nodes (indexer and dashboard).

After deploying the new certificate on the server, run the following commands to deploy the certificates to the Wazuh indexer and dashboard:

On the Wazuh indexer node(s):

# NODE_NAME=<WAZUH_INDEXER_NODE_NAME>

# rm -rf /etc/wazuh-indexer/certs
# mkdir /etc/wazuh-indexer/certs
# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
# chmod 500 /etc/wazuh-indexer/certs
# chmod 400 /etc/wazuh-indexer/certs/*
# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

On the Wazuh dashboard node:

# NODE_NAME=<WAZUH_DASHBOARD_NODE_NAME>

# rm -rf /etc/wazuh-dashboard/certs
# mkdir /etc/wazuh-dashboard/certs
# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem
# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem
# chmod 500 /etc/wazuh-dashboard/certs
# chmod 400 /etc/wazuh-dashboard/certs/*
# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Recommended action: Save a copy offline for potential future use and scalability. You can remove the wazuh-certificates.tar file on this node by running the command below to increase security:

# rm -f ./wazuh-certificates.tar

Edit the Wazuh indexer configuration file at /etc/wazuh-indexer/opensearch.yml to specify the indexer’s IP address as specified in the /root/config.yml file:
```
network.host: "<WAZUH_INDEXER_IP_ADDRESS>"
node.name: "<WAZUH_INDEXER_NODE_NAME>"
cluster.initial_master_nodes:
- "<WAZUH_INDEXER_NODE_NAME>"
```
Edit the Filebeat configuration file /etc/filebeat/filebeat.yml (located in the Wazuh server node) to specify the indexer’s IP address:
```
output.elasticsearchhosts:
        - <WAZUH_INDEXER_IP_ADDRESS>:9200
```
Note

The structure of this section will vary depending on if you did your installation using the Wazuh installation assistant or the step-by-step guide. Here we used the Wazuh installation assistant.
Generate an encryption key that will be used to encrypt communication between the cluster nodes:
```
# openssl rand -hex 16
```
Save the output of the above command as it will be used later to configure cluster mode on both Wazuh server nodes.
Edit the configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml to include the indexer node’s IP:
```
opensearch.hosts: https://<WAZUH_INDEXER_IP_ADDRESS>:9200
```

Edit the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file located in the Wazuh dashboard node and replace the url value with the IP address or hostname of the Wazuh server master node:

hosts:
  - default:
      url: https://<EXISTING_WAZUH_SERVER_IP_ADDRESS>
      port: 55000
      username: wazuh-wui
      password: <WAZUH_WUI_PASSWORD>
      run_as: false

Edit the Wazuh server configuration file at /var/ossec/etc/ossec.conf to enable cluster mode:
```
<cluster>
  <name>wazuh</name>
  <node_name><EXISTING_WAZUH_SERVER_NODE_NAME></node_name>
  <node_type>master</node_type>
  <key><ENCRYPTION_KEY></key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
      <node><MASTER_NODE_IP_ADDRESS></node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```
The configurable fields in the above section of the var/ossec/etc/ossec.conf file are as follows:
- name indicates the name of the cluster.
- node_name indicates the name of the current node. Replace <EXISTING_WAZUH_SERVER_NODE_NAME> with name as specified in the /root/config.yml file.
- node_type specifies the role of the node. It has to be set to master.
- key represents a key used to encrypt communication between cluster nodes. It should be the same on all the server nodes. To generate a unique key you can use the command openssl rand -hex 16.
- port indicates the destination port for cluster communication. Leave the default as 1516.
- bind_addr is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP).
- nodes is the address of the master node and can be either an IP or a DNS hostname. This parameter must be specified in all nodes, including the master itself. Replace <MASTER_NODE_IP_ADDRESS> with the IP address of your master node.
- hidden shows or hides the cluster information in the generated alerts.
- disabled indicates whether the node is enabled or disabled in the cluster. This option must be set to no.

Run the following commands on your respective nodes to apply the changes

Wazuh indexer node

# systemctl restart wazuh-indexer

# service wazuh-indexer restart

Wazuh server node(s)

# systemctl restart filebeat
# systemctl restart wazuh-manager

# service filebeat restart
# service wazuh-manager restart

Wazuh dashboard node

# systemctl restart wazuh-dashboard

# service wazuh-dashboard restart

Wazuh server node(s) installation

Once the certificates have been created and copied to the new node(s), you can now proceed with installing and configuring the new Wazuh server as a worker node.

Adding the Wazuh repository

Import the GPG key:

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository:

For RHEL-compatible systems version 8 and earlier, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo

For RHEL-compatible systems version 9 and later, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo

Install the following packages if missing:

# apt-get install gnupg apt-transport-https

Install the GPG key:

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository:

# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/5.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the packages information:
```
# apt-get update
```

Installing the Wazuh manager

Install the Wazuh manager package.

# yum -y install wazuh-manager

# apt-get -y install wazuh-manager

Enable and start the Wazuh manager service.

# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager

RPM-based operating system:

# chkconfig --add wazuh-manager
# service wazuh-manager start

Debian-based operating system:

# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start

Check the Wazuh manager status to ensure it is up and running.
# systemctl status wazuh-manager
# service wazuh-manager status

Install and configure Filebeat

Install the Filebeat package.

# yum -y install filebeat

# apt-get -y install filebeat

Download the preconfigured Filebeat configuration file:

# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/5.0/tpl/wazuh/filebeat/filebeat.yml

Edit the /etc/filebeat/filebeat.yml configuration file and replace the following value:
- hosts which represents the list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost hosts: ["127.0.0.1:9200"]. Replace it with your Wazuh indexer IP address accordingly.
  
  If you have more than one Wazuh indexer node, you can separate the addresses using commas. For example, hosts: ["10.0.0.1:9200", "10.0.0.2:9200", "10.0.0.3:9200"]:
```
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: <WAZUH_INDEXER_IP_ADDRESS>:9200
  protocol: https
```
Create a Filebeat keystore to securely store authentication credentials:
```
# filebeat keystore create
```

Add the admin user and password to the secrets keystore:

# echo admin | filebeat keystore add username --stdin --force
# echo <ADMIN_PASSWORD> | filebeat keystore add password --stdin --force

In case you are running an all-in-one deployment and using the default admin password, you could get it by running the following command:

# sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

Download the alerts template for the Wazuh indexer:

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v5.0.0/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json

Install the Wazuh module for Filebeat:

# curl -s https://packages.wazuh.com/5.x/filebeat/wazuh-filebeat-0.5.tar.gz | tar -xvz -C /usr/share/filebeat/module

Deploying certificates

Run the following commands in the directory where the wazuh-certificates.tar file was copied to, replacing <NEW_WAZUH_SERVER_NODE_NAME> with the name of the Wazuh server node you are configuring as defined in /root/config.yml. This deploys the SSL certificates to encrypt communications between the Wazuh central components:

Create an environment variable to store the node name:
```
NODE_NAME=<NEW_WAZUH_SERVER_NODE_NAME>
```

Deploy the certificates:

# mkdir /etc/filebeat/certs
# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/filebeat.pem
# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/filebeat-key.pem
# chmod 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/*
# chown -R root:root /etc/filebeat/certs

Starting the service

# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat

RPM based operating system:

# chkconfig --add filebeat
# service filebeat start

Debian-based operating system:

# update-rc.d filebeat defaults 95 10
# service filebeat start

Run the following command to verify that Filebeat is successfully installed:

# filebeat test output

An example output is shown below:

elasticsearch: https://10.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Configuring the Wazuh server worker nodes

Configure the Wazuh server worker node to enable cluster mode by editing the following settings in the /var/ossec/etc/ossec.conf file:
```
<cluster>
    <name>wazuh</name>
    <node_name><NEW_WAZUH_SERVER_NODE_NAME></node_name>
    <node_type>worker</node_type>
    <key><ENCRYPTION_KEY></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node><MASTER_NODE_IP_ADDRESS></node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
</cluster>
```
The configurable fields in the above section of the ossec.conf file are as follows:
- <name> indicates the name of the cluster.
- <node_name> indicates the name of the current node. Each node of the cluster must have a unique name. Replace <NEW_WAZUH_SERVER_NODE_NAME> with the name specified in the /root/config.yml file.
- <node_type> specifies the role of the node. It has to be set as a worker.
- <key> represents the key created previously for the master node. It has to be the same for all the nodes. In case you have an already distributed infrastructure, copy this key from the master node’s /var/ossec/etc/ossec.conf file.
- <port> indicates the destination port for cluster communication. Leave the default as 1516.
- <bind_addr> is the network IP to which the node is bound to listen for incoming requests (0.0.0.0 means the node will use any IP).
- <nodes> contain the address of the master node which can be either an IP or a DNS hostname. Replace <MASTER_NODE_IP_ADDRESS> with the IP address of your master node.
- <hidden> shows or hides the cluster information in the generated alerts.
- <disabled> indicates whether the node is enabled or disabled in the cluster. This option must be set to no.
You can learn more about the available configuration options in the cluster reference guide.

Restart the Wazuh manager service.

# systemctl restart wazuh-manager

# service wazuh-manager restart

Testing the cluster

Now that the installation and configuration are completed, you can proceed with testing your cluster to ensure that the new Wazuh server node has been connected. Two possible ways of doing this:

Using the cluster control tool
Using the Wazuh API console

Using the cluster control tool

Verify that the Wazuh server cluster is enabled and all the nodes are connected by executing the following command on any of the Wazuh server nodes:

# /var/ossec/bin/cluster_control -l

A sample output of the command:

NAME             TYPE    VERSION  ADDRESS
wazuh-server-1   master  4.8.0    10.0.0.1
wazuh-server-2   worker  4.8.0    10.0.0.2

Note that 10.0.0.1, 10.0.0.2 are example IP addresses.

Using the Wazuh API console

You can also check your new Wazuh server cluster by using the Wazuh API Console accessible via the Wazuh dashboard.

Access the Wazuh dashboard using the credentials below.

URL: https://<WAZUH_DASHBOARD_IP_ADDRESS>
Username: admin
Password: <ADMIN_PASSWORD> or admin in case you already have a distributed architecture and using the default password.

Navigate to Server management > Dev Tools. On the console, run the query below:

GET /cluster/healthcheck

This query will display the global status of your Wazuh server cluster with the following information for each node:

Name indicates the name of the server node
Type indicates the role assigned to a node(Master or Worker)
Version indicates the version of the Wazuh-manager service running on the node
IP is the IP address of the node
n_active_agents indicates the number of active agents connected to the node

Having completed these steps, the Wazuh infrastructure has been successfully scaled up, and the new server nodes have been integrated into the cluster.

If you want to uninstall the Wazuh server, see Uninstall the Wazuh server documentation.

Agent connections

The configuration of the Wazuh agents has to be modified to report to the Wazuh server cluster. We configure the Wazuh agent to report to the Wazuh server cluster by editing the <client></client> block in the agent’s configuration file /var/ossec/etc/ossec.conf.

There are two methods to handle the Wazuh agent connection to the Wazuh server cluster nodes including:

Pointing Wazuh agents to the Wazuh cluster (Failover mode).
Pointing Wazuh agents to the Wazuh cluster with a load balancer.

Note

We recommend using a load balancer for enrolling and connecting Wazuh agents. This way, the agents register and report to the Wazuh server cluster nodes in a distributed way, and it will be the load balancer who assigns which worker they will report to. Using this option we can better distribute the load, and in case of a fall in some worker nodes, its agents will reconnect to another one.

Connecting Wazuh agents to the Wazuh cluster (Failover mode)

In this method, we add a list of Wazuh server nodes (master/workers) to the Wazuh agent configuration file /var/ossec/etc/ossec.conf. In case of a disconnection, the agent will connect to another node on the list to continue reporting.

After configuring the Wazuh server cluster, we configure the Wazuh agents to connect and report to the Wazuh server cluster nodes as shown below.

Suppose we have the following IP addresses for the Wazuh server nodes:

master: 172.0.0.3
worker01: 172.0.0.4
worker02: 172.0.0.5

Edit the <client></client> block of the Wazuh agent /var/ossec/etc/ossec.conf file to add the IP addresses of the Wazuh server nodes:

<client>
    <server>
        <address>172.0.0.4</address>
        <port>1514</port>
    </server>
    <server>
        <address>172.0.0.5</address>
        <port>1514</port>
    </server>
    <server>
        <address>172.0.0.3</address>
        <port>1514</port>
    </server>
    <config-profile>ubuntu, ubuntu18, ubuntu18.04</config-profile>
    <notify_time>20</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
</client>

Restart the Wazuh agent to apply changes:

# systemctl restart wazuh-agent

# service wazuh-agent restart

Using this method, if the worker01 node is not available, the agents will report to the worker02. If both worker nodes are unavailable, the agent will report to the master node. This process is performed cyclically between all the nodes that we place in the /var/ossec/etc/ossec.conf of the agents.

Connecting Wazuh agents to the Wazuh cluster with a load balancer

Wazuh agents can be configured to report to a load balancer to evenly distribute incoming Wazuh agent traffic among all available Wazuh server nodes in a cluster. This way, Wazuh agents can report to newly added Wazuh server nodes without modifying the Wazuh agents' configuration.

Perform the following steps to point a Wazuh agent to a load balancer.

Edit the Wazuh agent configuration in /var/ossec/etc/ossec.conf to add the Load Balancer IP address. In the <server></server> block, replace the <LOAD_BALANCER_IP_ADDRESS> with the load balancer IP address:
```
<client>
  <server>
    <address><LOAD_BALANCER_IP_ADDRESS></address>
    …
  </server>
</client>
```

Restart the Wazuh agents to apply changes:

# systemctl restart wazuh-agent

# service wazuh-agent restart

Load balancers

A load balancer distributes workloads across multiple resources. In this case, it distributes Wazuh agents among the different worker nodes in a Wazuh server cluster.

Wazuh recommends the following load balancers including NGINX and HAProxy. You can choose any of the load balancer services as per your need.

NGINX

NGINX is an open source web server that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. In this scenario, we use it as a load balancer to distribute Wazuh agent traffic within a Wazuh server cluster.

Installation

There are different installation instructions for installing NGINX based on the choice of your Linux distribution.

Download the packages from the Official page.
Follow the steps related to that guide to install the packages.

Configuration

The way NGINX and its modules work are determined in it’s configuration file. By default, the configuration file of NGINX is named nginx.conf and located in the /usr/local/nginx/conf, /etc/nginx, or /usr/local/etc/nginx directory depending on the installation type.

Perform the steps below to configure NGINX as a load balancer.

Add the content below to the NGINX nginx.conf configuration file:

stream {
   upstream master {
       server <MASTER_NODE_IP_ADDRESS>:1515;
   }
   upstream mycluster {
   hash $remote_addr consistent;
       server <MASTER_NODE_IP_ADDRESS>:1514;
       server <WORKER_NODE_IP_ADDRESS>:1514;
       server <WORKER_NODE_IP_ADDRESS>:1514;
   }
   server {
       listen 1515;
       proxy_pass master;
   }
   server {
       listen 1514;
       proxy_pass mycluster;
   }
}

Replace:

<MASTER_NODE_IP_ADDRESS> with the IP address of the Wazuh server master node in your cluster.
<WORKER_NODE_IP_ADDRESS> with the IP address of the Wazuh server worker nodes in your cluster.

You can find more details in the NGINX guide for configuring TCP and UDP load balancer.

Verify the NGINX configuration file for syntax errors:

# nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Reload the NGINX service to apply the changes:
```
# nginx -s reload
```

HAProxy

High Availability Proxy (HAProxy) is a free and open source software that provides a high availability load balancer and proxy for TCP and HTTP-based applications. Using a load balancer, such as HAProxy, ensures the Wazuh agents enroll and report to Wazuh manager nodes in a distributed way. HAProxy supports several load balancing including round-robin, leastconn, source, and others. The load balancer assigns manager nodes to the Wazuh agents based on the selected algorithm, improving load distribution. If a Wazuh manager node fails, the Wazuh agents reconnect to another node in the cluster.

Installation

There are two main ways to install HAProxy.

Using system packages and Personal Package Archive (PPA).
Using Docker images.

Note

The provided examples and configurations are based on Ubuntu and HAProxy 2.8.

Install HAProxy
```
# apt install haproxy -y
```

Check the installation

# haproxy -v

HAProxy version 2.8.5-1ubuntu3 2024/04/01 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.5.html
Running on: Linux 6.8.0-76060800daily20240311-generic #202403110203~1714077665~22.04~4c8e9a0 SMP PREEMPT_DYNAMIC Thu A x86_64

Add the PPA repository

# apt update && apt install software-properties-common -y
# add-apt-repository ppa:vbernat/haproxy-2.8 -y

Install HAProxy
```
# apt install haproxy -y
```

Check the installation

# haproxy -v

HAProxy version 2.8.9-1ppa1~jammy 2024/04/06 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.9.html
Running on: Linux 6.8.0-76060800daily20240311-generic #202403110203~1714077665~22.04~4c8e9a0 SMP PREEMPT_DYNAMIC Thu A x86_64

We provide the following files for installing HAProxy with Docker.

Dockerfile

FROM haproxytech/haproxy-ubuntu:2.8

COPY haproxy.cfg /etc/haproxy/haproxy.cfg
COPY haproxy-service /etc/init.d/haproxy
COPY entrypoint.sh /entrypoint.sh

RUN chmod +x /etc/init.d/haproxy
RUN chmod +x /entrypoint.sh

ENTRYPOINT [ "/entrypoint.sh" ]

entrypoint.sh

#!/usr/bin/env bash

# Start HAProxy service
service haproxy start

tail -f /dev/null

haproxy-service

#!/bin/sh
### BEGIN INIT INFO
# Provides:            haproxy
# Required-Start:      $local_fs $network $remote_fs $syslog $named
# Required-Stop:       $local_fs $remote_fs $syslog $named
# Default-Start:       2 3 4 5
# Default-Stop:        0 1 6
# Short-Description: fast and reliable load balancing reverse proxy
# Description:         This file should be used to start and stop haproxy.
### END INIT INFO

# Author: Arnaud Cornet <acornet@debian.org>

PATH=/sbin:/usr/sbin:/bin:/usr/bin
BASENAME=haproxy
PIDFILE=/var/run/${BASENAME}.pid
CONFIG=/etc/${BASENAME}/${BASENAME}.cfg
HAPROXY=/usr/sbin/haproxy
RUNDIR=/run/${BASENAME}
EXTRAOPTS=

test -x $HAPROXY || exit 0

if [ -e /etc/default/${BASENAME} ]; then
       . /etc/default/${BASENAME}
fi

test -f "$CONFIG" || exit 0

[ -f /etc/default/rcS ] && . /etc/default/rcS
. /lib/lsb/init-functions


check_haproxy_config()
{
       $HAPROXY -c -f "$CONFIG" $EXTRAOPTS >/dev/null
       if [ $? -eq 1 ]; then
       log_end_msg 1
       exit 1
       fi
}

haproxy_start()
{
       [ -d "$RUNDIR" ] || mkdir "$RUNDIR"
       chown haproxy:haproxy "$RUNDIR"
       chmod 2775 "$RUNDIR"

       check_haproxy_config

       start-stop-daemon --quiet --oknodo --start --pidfile "$PIDFILE" \
       --exec $HAPROXY -- -f "$CONFIG" -D -p "$PIDFILE" \
       $EXTRAOPTS || return 2
       return 0
}

haproxy_stop()
{
       if [ ! -f $PIDFILE ] ; then
       # This is a success according to LSB
       return 0
       fi

       ret=0
       tmppid="$(mktemp)"

       # HAProxy's pidfile may contain multiple PIDs, if nbproc > 1, so loop
       # over each PID. Note that start-stop-daemon has a --pid option, but it
       # was introduced in dpkg 1.17.6, post wheezy, so we use a temporary
       # pidfile instead to ease backports.
       for pid in $(cat $PIDFILE); do
       echo "$pid" > "$tmppid"
       start-stop-daemon --quiet --oknodo --stop \
               --retry 5 --pidfile "$tmppid" --exec $HAPROXY || ret=$?
       done

       rm -f "$tmppid"
       [ $ret -eq 0 ] && rm -f $PIDFILE

       return $ret
}

haproxy_reload()
{
       check_haproxy_config

       $HAPROXY -f "$CONFIG" -p $PIDFILE -sf $(cat $PIDFILE) -D $EXTRAOPTS \
       || return 2
       return 0
}

haproxy_status()
{
       if [ ! -f $PIDFILE ] ; then
       # program not running
       return 3
       fi

       for pid in $(cat $PIDFILE) ; do
       if ! ps --no-headers p "$pid" | grep haproxy > /dev/null ; then
               # program running, bogus pidfile
               return 1
       fi
       done

       return 0
}


case "$1" in
start)
       log_daemon_msg "Starting haproxy" "${BASENAME}"
       haproxy_start
       ret=$?
       case "$ret" in
       0)
       log_end_msg 0
       ;;
       1)
       log_end_msg 1
       echo "pid file '$PIDFILE' found, ${BASENAME} not started."
       ;;
       2)
       log_end_msg 1
       ;;
       esac
       exit $ret
       ;;
stop)
       log_daemon_msg "Stopping haproxy" "${BASENAME}"
       haproxy_stop
       ret=$?
       case "$ret" in
       0|1)
       log_end_msg 0
       ;;
       2)
       log_end_msg 1
       ;;
       esac
       exit $ret
       ;;
reload|force-reload)
       log_daemon_msg "Reloading haproxy" "${BASENAME}"
       haproxy_reload
       ret=$?
       case "$ret" in
       0|1)
       log_end_msg 0
       ;;
       2)
       log_end_msg 1
       ;;
       esac
       exit $ret
       ;;
restart)
       log_daemon_msg "Restarting haproxy" "${BASENAME}"
       haproxy_stop
       haproxy_start
       ret=$?
       case "$ret" in
       0)
       log_end_msg 0
       ;;
       1)
       log_end_msg 1
       ;;
       2)
       log_end_msg 1
       ;;
       esac
       exit $ret
       ;;
status)
       haproxy_status
       ret=$?
       case "$ret" in
       0)
       echo "${BASENAME} is running."
       ;;
       1)
       echo "${BASENAME} dead, but $PIDFILE exists."
       ;;
       *)
       echo "${BASENAME} not running."
       ;;
       esac
       exit $ret
       ;;
*)
       echo "Usage: /etc/init.d/${BASENAME} {start|stop|reload|restart|status}"
       exit 2
       ;;
esac

:

haproxy.cfg configuration file to get the service up and running.

Perform the following steps to install HAProxy with docker.

Put the files in the same directory:

Verify the files are in the same directory:

# tree
.
├── Dockerfile
├── entrypoint.sh
├── haproxy.cfg
└── haproxy-service

Build the image.
```
# docker build --tag=haproxy-deploy .
```

Run the HAProxy service:

# docker run haproxy-deploy

TCPLOG: true HTTPLOG: true
* Starting haproxy haproxy
[NOTICE]   (33) : haproxy version is 2.8.9-1842fd0
[NOTICE]   (33) : path to executable is /usr/sbin/haproxy
[ALERT]    (33) : config : parsing [/etc/haproxy/haproxy.cfg:3] : 'pidfile' already specified. Continuing.

Configuration

Perform the following steps to configure HAProxy to work with a Wazuh server cluster.

Create a haproxy.cfg file in the /etc/haproxy/ directory and add the following configuration:

haproxy.cfg

global
          chroot          /var/lib/haproxy
          pidfile         /var/run/haproxy.pid
          maxconn         4000
          user            haproxy
          group           haproxy
          stats socket /var/lib/haproxy/stats level admin
          log 127.0.0.1 local2 info

defaults
          mode http
          maxconn 4000
          log global
          option redispatch
          option dontlognull
          option tcplog
          timeout check 10s
          timeout connect 10s
          timeout client 1m
          timeout queue 1m
          timeout server 1m
          retries 3

frontend wazuh_register
          mode tcp
          bind :1515
          default_backend wazuh_register

backend wazuh_register
          mode tcp
          balance leastconn
          server master <IP_ADDRESS_OR_DNS_OF_WAZUH_MASTER_NODE>:1515 check
          server worker1 <IP_ADDRESS_OR_DNS_OF_WAZUH_WORKER_NODE>:1515 check
          server workern <IP_ADDRESS_OR_DNS_OF_WAZUH_WORKER_NODE>:1515 check

# Do not include the following if you will enable HAProxy Helper
frontend wazuh_reporting_front
          mode tcp
          bind :1514 name wazuh_reporting_front_bind
          default_backend wazuh_reporting

backend wazuh_reporting
          mode tcp
          balance leastconn
          server master <IP_ADDRESS_OR_DNS_OF_WAZUH_MASTER_NODE>:1514 check
          server worker1 <IP_ADDRESS_OR_DNS_OF_WAZUH_WORKER_NODE>:1514 check
          server worker2 <IP_ADDRESS_OR_DNS_OF_WAZUH_WORKER_NODE>:1514 check

Replace:

<IP_ADDRESS_OR_DNS_OF_WAZUH_MASTER_NODE> with the IP address or DNS of the Wazuh server master node in your cluster.
<IP_ADDRESS_OR_DNS_OF_WAZUH_WORKER_NODE> with the IP address or DNS of the Wazuh server worker nodes in your cluster.

The configuration above is made of the following sections defined below.

A backend section which is a set of Wazuh server cluster nodes that receive forwarded agent connections. It includes the following parameters:
- The load balancing mode.
- The load balance algorithm to use.
- A list of Wazuh servers and ports. The example that follows has the default one pointing to the master node.
```
backend wazuh_register
   mode tcp
   balance leastconn
   server master_node <WAZUH_REGISTRY_HOST>:1515 check
```
A frontend section defines how to forward requests to backends. It's composed of the following parameters:
- The type of load balancing.
- The port to bind the connections.
- The default backend to forward requests
```
frontend wazuh_register
   mode tcp
   bind :1515
   default_backend wazuh_register
```

Start the service to apply the configuration:

# service haproxy start

* Starting haproxy haproxy
[NOTICE]   (13231) : haproxy version is 2.8.9-1ppa1~jammy
[NOTICE]   (13231) : path to executable is /usr/sbin/haproxy
[ALERT]    (13231) : config : parsing [/etc/haproxy/haproxy.cfg:3] : 'pidfile' already specified. Continuing.

HAProxy helper

This is an optional tool to manage HAProxy configuration depending on the Wazuh server cluster status in real time. It provides the Wazuh manager with the ability to automatically balance the Wazuh agent TCP sessions.

Key features of HAProxy helper

Some of its key features are:

Adding and removing servers to the Wazuh backend (1514/tcp) when detecting changes on the Wazuh server cluster. For example, new workers connected.
Balancing excess Wazuh agents per node when adding new servers to the Wazuh backend.
Balancing agents when detecting an imbalance that exceeds the given tolerance.

The HAProxy helper runs in an independent thread that initiates with the wazuh-cluster daemon. It follows this process.

Enabling the HAProxy helper

To use this feature, you need a HAProxy instance balancing the Wazuh server cluster using the least connections algorithm.

Note

The recommended version of HAProxy is the 2.8 LTS.

Dataplane API configuration

The HAProxy helper uses the Dataplane API to communicate with HAProxy and update the configuration according to the changes in the Wazuh server cluster.

This is the basic configuration for the Dataplane API. Replace <DATAPLANE_USER> and <DATAPLANE_PASSWORD> with the chosen user and password.

dataplaneapi:
   host: 0.0.0.0
   port: 5555
   transaction:
       transaction_dir: /tmp/haproxy
   user:
   - insecure: true
      password: <DATAPLANE_PASSWORD>
      name: <DATAPLANE_USER>
haproxy:
   config_file: /etc/haproxy/haproxy.cfg
   haproxy_bin: /usr/sbin/haproxy
   reload:
      reload_delay: 5
      reload_cmd: service haproxy reload
      restart_cmd: service haproxy restart

Note

If you use HTTPS as the Dataplane API communication protocol, you must set the tls field and related subfields: tls_port, tls_certificate and tls_key in the configuration. The tls_ca field is only necessary when using client-side certificates.

To generate the certificate files for both the HAProxy instance and the Wazuh server, use the following command.

# openssl req -x509 -newkey rsa:4096 -keyout <KEY_FILE_NAME> -out <CERTIFICATE_FILE_NAME> -sha256 -nodes -addext "subjectAltName=DNS:<FQDN>" -subj "/C=US/ST=CA/O=Wazuh>/CN=<CommonName>"

dataplaneapi:
   scheme:
      - https
   host: 0.0.0.0
   port: 5555
   transaction:
      transaction_dir: /tmp/haproxy
   tls:
      tls_port: 6443
      tls_certificate: /etc/haproxy/ssl/<HAPROXY_CERTIFICATE_FILE>
      tls_key: /etc/haproxy/ssl/<HAPROXY_CERTIFICATE_KEY_FILE>
      tls_ca: /etc/haproxy/ssl/<CLIENT_SIDE_CERTIFICATE_FILE>
   user:
   -  insecure: true
      password: <DATAPLANE_PASSWORD>
      name: <DATAPLANE_USER>
haproxy:
   config_file: /etc/haproxy/haproxy.cfg
   haproxy_bin: /usr/sbin/haproxy
   reload:
      reload_delay: 5
      reload_cmd: service haproxy reload
      restart_cmd: service haproxy restart

Depending on the HAProxy installation method, follow these steps to enable the HAProxy helper.

Warning

For the HAProxy helper to operate correctly, ensure there's no frontend with port 1514 in the haproxy.cfg file.

Download the binary file for the installed HAProxy version. You can find the available versions here.

# curl -sL https://github.com/haproxytech/dataplaneapi/releases/download/v2.8.X/dataplaneapi_2.8.X_linux_x86_64.tar.gz | tar xz && cp dataplaneapi /usr/local/bin/

Put the configuration in /etc/haproxy/dataplaneapi.yml and start the process
```
# dataplaneapi -f /etc/haproxy/dataplaneapi.yml &
```

Verify the API is running properly. Replace <DATAPLANE_USER> and <DATAPLANE_PASSWORD> with the chosen user and password.

# curl -X GET --user <DATAPLANE_USER>:<DATAPLANE_PASSWORD> http://localhost:5555/v2/info

{"api":{"build_date":"2024-05-13T12:09:33.000Z","version":"v2.8.X 13ba2b34"},"system":{}}

# curl -k -X GET --user <DATAPLANE_USER>:<DATAPLANE_PASSWORD> https://localhost:6443/v2/info

{"api":{"build_date":"2024-05-13T12:09:33.000Z","version":"v2.8.X 13ba2b34"},"system":{}}

Put the configuration into dataplaneapi.yaml

# tree
.
├── dataplaneapi.yml
├── Dockerfile
├── entrypoint.sh
├── haproxy.cfg
└── haproxy-service

Modify Dockerfile to include dataplaneapi.yaml during the build

FROM haproxytech/haproxy-ubuntu:2.8

COPY haproxy.cfg /etc/haproxy/haproxy.cfg
COPY dataplaneapi.yml /etc/haproxy/dataplaneapi.yml
COPY haproxy-service /etc/init.d/haproxy
COPY entrypoint.sh /entrypoint.sh

RUN chmod +x /etc/init.d/haproxy
RUN chmod +x /entrypoint.sh

ENTRYPOINT [ "/entrypoint.sh" ]

FROM haproxytech/haproxy-ubuntu:2.8

COPY haproxy.cfg /etc/haproxy/haproxy.cfg
COPY dataplaneapi.yml /etc/haproxy/dataplaneapi.yml
COPY haproxy-service /etc/init.d/haproxy
COPY entrypoint.sh /entrypoint.sh

COPY <HAPROXY_CERTIFICATE_FILE> /etc/haproxy/ssl/<HAPROXY_CERTIFICATE_FILE>
COPY <HAPROXY_CERTIFICATE_KEY_FILE> /etc/haproxy/ssl/<HAPROXY_CERTIFICATE_KEY_FILE>
COPY <CLIENT_SIDE_CERTIFICATE_FILE> /etc/haproxy/ssl/<CLIENT_SIDE_CERTIFICATE_FILE>

RUN chmod +x /etc/init.d/haproxy
RUN chmod +x /entrypoint.sh

ENTRYPOINT [ "/entrypoint.sh" ]

Modify the entrypoint.sh to start the dataplaneapi process

#!/usr/bin/env bash

# Start HAProxy service
service haproxy start
# Start HAProxy Data Plane API
dataplaneapi -f /etc/haproxy/dataplaneapi.yml &

tail -f /dev/null

Build and run the image

# docker build --tag=haproxy-deploy .

# docker run -p 5555:5555 haproxy-deploy

# docker run -p 6443:6443 haproxy-deploy

TCPLOG: true HTTPLOG: true
* Starting haproxy haproxy
[NOTICE]   (33) : haproxy version is 2.8.9-1842fd0
[NOTICE]   (33) : path to executable is /usr/sbin/haproxy
[ALERT]    (33) : config : parsing [/etc/haproxy/haproxy.cfg:3] : 'pidfile' already specified. Continuing.

Verify the API is running properly. Replace <DATAPLANE_USER> and <DATAPLANE_PASSWORD> with the chosen user and password.

# curl -X GET --user <DATAPLANE_USER>:<DATAPLANE_PASSWORD> http://localhost:5555/v2/info

# curl -k -X GET --user <DATAPLANE_USER>:<DATAPLANE_PASSWORD> https://localhost:6443/v2/info

{"api":{"build_date":"2024-05-13T14:06:03.000Z","version":"v2.9.3 59f34ea1"},"system":{}}

As an example, you can configure a basic HAProxy helper within an already configured Wazuh server cluster master node. Perform the following steps on the Wazuh server master node only.

Add the highlighted HAProxy helper configuration section to the /var/ossec/etc/ossec.conf file:

<cluster>
   <name>wazuh</name>
   <node_name>master-node</node_name>
   <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
   <node_type>master</node_type>
   <port>1516</port>
   <bind_addr>0.0.0.0</bind_addr>
   <nodes>
      <node><WAZUH_MASTER_ADDRESS></node>
   </nodes>
   <hidden>no</hidden>
   <disabled>no</disabled>
   <haproxy_helper>
      <haproxy_disabled>no</haproxy_disabled>
      <haproxy_address><HAPROXY_ADDRESS></haproxy_address>
      <haproxy_user><DATAPLANE_USER></haproxy_user>
      <haproxy_password><DATAPLANE_PASSWORD></haproxy_password>
   </haproxy_helper>
</cluster>

Where:

haproxy_disabled indicates whether the helper is disabled or not in the master node.
haproxy_address specifies the IP or DNS address to connect with HAProxy.
haproxy_user specifies the username to authenticate with HAProxy.
haproxy_password specifies the password to authenticate with HAProxy.

Learn more about haproxy_helper options in the reference guide.

<cluster>
   <name>wazuh</name>
   <node_name>master-node</node_name>
   <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
   <node_type>master</node_type>
   <port>1516</port>
   <bind_addr>0.0.0.0</bind_addr>
   <nodes>
      <node><WAZUH_MASTER_ADDRESS></node>
   </nodes>
   <hidden>no</hidden>
   <disabled>no</disabled>
   <haproxy_helper>
      <haproxy_disabled>no</haproxy_disabled>
      <haproxy_address><HAPROXY_ADDRESS></haproxy_address>
      <haproxy_user><DATAPLANE_USER></haproxy_user>
      <haproxy_password><DATAPLANE_PASSWORD></haproxy_password>
      <haproxy_protocol>https</haproxy_protocol>
      <haproxy_port>6443</haproxy_port>
      <haproxy_cert><HAPROXY_CERTIFICATE_FILE></haproxy_cert>
      <client_cert><CLIENT_SIDE_CERTIFICATE_FILE></client_cert>
      <client_cert_key><CLIENT_SIDE_CERTIFICATE_KEY_FILE></client_cert_key>
   </haproxy_helper>
</cluster>

Where:

haproxy_disabled indicates whether the helper is disabled or not in the master node.
haproxy_address specifies the IP or DNS address to connect with HAProxy.
haproxy_user specifies the username to authenticate with HAProxy.
haproxy_password specifies the password to authenticate with HAProxy.
haproxy_protocol specifies the protocol to use for the HAProxy Dataplane API communication. It is recommended to set it to https.
haproxy_port specifies the port used for the HAProxy Dataplane API communication.
haproxy_cert <haproxy_cert> specifies the certificate file used for the HTTPS communication. It must be the same as the one defined in the tls_certificate parameter in the dataplaneapi.yml file.
client_cert <client_cert> specifies the certificate file used in the client side of the HTTPS communication. It must be the same as the one defined in the tls_ca parameter in the dataplaneapi.yml file.
client_cert_key <client_cert_key> specifies the certificate key file used in the client side of the HTTPS communication.

Learn more about haproxy_helper options in the reference guide.

Restart the Wazuh server master node:
```
# systemctl restart wazuh-manager
```

Verify the HAProxy helper is running:

# tail /var/ossec/logs/cluster.log

2024/04/05 19:23:06 DEBUG: [Cluster] [Main] Removing '/var/ossec/queue/cluster/'.
2024/04/05 19:23:06 DEBUG: [Cluster] [Main] Removed '/var/ossec/queue/cluster/'.
2024/04/05 19:23:06 INFO: [Local Server] [Main] Serving on /var/ossec/queue/cluster/c-internal.sock
2024/04/05 19:23:06 DEBUG: [Local Server] [Keep alive] Calculating.
2024/04/05 19:23:06 DEBUG: [Local Server] [Keep alive] Calculated.
2024/04/05 19:23:06 INFO: [Master] [Main] Serving on ('0.0.0.0', 1516)
2024/04/05 19:23:06 DEBUG: [Master] [Keep alive] Calculating.
2024/04/05 19:23:06 DEBUG: [Master] [Keep alive] Calculated.
2024/04/05 19:23:06 INFO: [Master] [Local integrity] Starting.
2024/04/05 19:23:06 INFO: [Master] [Local agent-groups] Sleeping 30s before starting the agent-groups task, waiting for the workers connection.
2024/04/05 19:23:06 INFO: [HAPHelper] [Main] Proxy was initialized
2024/04/05 19:23:06 INFO: [HAPHelper] [Main] Ensuring only exists one HAProxy process. Sleeping 12s before start...
2024/04/05 19:23:06 INFO: [Master] [Local integrity] Finished in 0.090s. Calculated metadata of 34 files.
2024/04/05 19:23:14 INFO: [Master] [Local integrity] Starting.
2024/04/05 19:23:14 INFO: [Master] [Local integrity] Finished in 0.005s. Calculated metadata of 34 files.
2024/04/05 19:23:18 DEBUG2: [HAPHelper] [Proxy] Obtained proxy backends
2024/04/05 19:23:18 DEBUG2: [HAPHelper] [Proxy] Obtained proxy frontends
2024/04/05 19:23:18 INFO: [HAPHelper] [Main] Starting HAProxy Helper
2024/04/05 19:23:18 DEBUG2: [HAPHelper] [Proxy] Obtained proxy servers

Wazuh server API

The Wazuh server API is an open source RESTful API that allows interaction with the Wazuh manager from a web browser, a command-line tool such as cURL, or any script or program capable of making web requests. The Wazuh dashboard relies on the Wazuh server API to remotely manage the Wazuh server infrastructure. You can utilize the Wazuh server API to perform common tasks such as adding agents, restarting the manager(s) or agent(s), or looking up details about File Integrity Monitoring (FIM).

Here is a list of the Wazuh server API capabilities:

Wazuh agent management
Wazuh manager control and overview
Cluster control and overview
File integrity monitoring control and search
MITRE ATT&CK overview
Ruleset information
Testing and verification of rules and decoders
Syscollector information
Role-Based Access Control (RBAC)
API management (HTTPS, configuration)
Users management
Statistical information
Error handling
Query remote configuration

Refer to the Wazuh server API reference for details about all the Wazuh server API endpoints. Also consider use cases for example usage of the Wazuh server API.

Contents

Getting started

This guide provides the essential information needed to utilize the Wazuh server API.

Starting and stopping the Wazuh server API

When you install the Wazuh manager, the Wazuh server API is also installed by default as part of the process. You can manage or monitor the Wazuh server API by executing the systemctl or service commands with the Wazuh manager service:

# systemctl start/status/stop/restart wazuh-manager

# service wazuh-manager start/status/stop/restart

Using the Wazuh server API via the Wazuh dashboard

You can interact with the Wazuh server API via the Wazuh dashboard. To do this, you need to log into the Wazuh dashboard with a user that has administrator privileges. For example, the default admin user has administrator privileges. To access the Wazuh server API console on the dashboard, click on the menu icon and navigate to Server management > Dev Tools.

In the API Console, input the method, request endpoint, and any query parameters, then click the play button to execute the request. See Understanding the Wazuh server API request and response to learn more about the basic concepts.

Logging into the Wazuh server API via command line

To ensure secure access, all Wazuh server API endpoints require authentication. Users must include a JSON Web Token (JWT) in every request. JWT is an open standard (RFC 7519) that defines a compact and self-contained method for securely transmitting information between parties as a JSON object. Follow the steps below to log into the Wazuh server API using POST /security/user/authenticate and obtain a token necessary for accessing the API endpoints:

Run the following command to send a user authentication POST request to the Wazuh server API and store the returned JWT in the TOKEN variable. Replace <WAZUH_API_USER> and <WAZUH_API_PASSWORD> with your credentials.
```
# TOKEN=$(curl -u <WAZUH_API_USER>:<WAZUH_API_PASSWORD> -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
```
Note
- If SSL (HTTPS) is enabled in the API and it is using the default self-signed certificates, you need to add the parameter -k to avoid the server connection verification. We recommend using the raw=true query parameter when authenticating via cURL commands, as it simplifies handling by returning the token in plain text, especially useful for long JWTs.
- The default Wazuh server API credential is wazuh:wazuh. But if the Wazuh deployment was performed using the installation script, the Wazuh API user is wazuh and you can extract the password from wazuh-install-files.tar by running the command tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'wazuh\'" -A 1.
- You can reset the password for the wazuh user if you cannot retrieve the password.

Verify that the token has been generated:

# echo $TOKEN

The output should be a lengthy string similar to the following:

eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNzA3ODk4NTEzLCJleHAiOjE3MDc4OTk0MTMsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.ACcJ3WdV3SnTOC-PV2oGZGCyH3GpStSOu161UHHT7w6eUm_REOP_g8SqqIJDDW0gCcQNJTEECortIuI4zj7nybNhACRlBrDBZoG4Re4HXEpAchyFQXwq0SsZ3HHSj7eJinBF0pJDG0D8d1_LkcoxaX3FpxpsCZ4xzJ492CpnVZLT8qI4

If the authentication fails, the output will either display an error message or remain blank. In such cases, double-check your user credentials and ensure you have network connectivity to the Wazuh server API.

Send an API request to confirm that everything is working as expected:

# curl -k -X GET "https://localhost:55000/?pretty=true" -H "Authorization: Bearer $TOKEN"

{
   "data": {
      "title": "Wazuh API REST",
      "api_version": "4.12.0",
      "revision": "rc1",
      "license_name": "GPL 2.0",
      "license_url": "https://github.com/wazuh/wazuh/blob/v4.12.0/LICENSE",
      "hostname": "centos8a",
      "timestamp": "2025-08-18T19:05:19Z"
   },
   "error": 0
}

Once logged in, you can access any API endpoint using the below structure. Replace <METHOD> with the desired method and <ENDPOINT> with the string corresponding to the endpoint you wish to access. If you are not using an environment variable, replace $TOKEN with the obtained JWT.

# curl -k -X <METHOD> "https://localhost:55000/<ENDPOINT>" -H  "Authorization: Bearer $TOKEN"

Logging into the Wazuh server API via scripts

This section details the process of logging into the Wazuh server API using scripts, which is a fundamental step for automating interactions with the Wazuh server. The examples provided aim to showcase real-world applications, demonstrating both default (false) or plain text (true) raw parameters. The raw parameter, when set to true, implies that the response should be in plain text or in a minimally processed form. Conversely, when the raw parameter is false, the response is in a more structured JSON format to facilitate parsing and integration. These scripts are intended for users looking to enhance their operational efficiency through automation or those seeking to understand how to programmatically access the Wazuh server API for custom integrations.

Logging in with a Python script

You can authenticate to the Wazuh server API using a Python script. The following script wazuh_api_authenticator.py authenticates with the Wazuh server API to obtain a JWT. It then uses the token within the request header to retrieve a summary of the statuses of Wazuh agents.

#!/usr/bin/env python3

import json
import requests
import urllib3
from base64 import b64encode

# Disable insecure https warnings (for self-signed SSL certificates)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Configuration
protocol = 'https'
host = 'localhost'
port = 55000
user = '<WAZUH_API_USER>'
password = '<WAZUH_API_PASSWORD>'
login_endpoint = 'security/user/authenticate'

login_url = f"{protocol}://{host}:{port}/{login_endpoint}"
basic_auth = f"{user}:{password}".encode()
login_headers = {'Content-Type': 'application/json',
                 'Authorization': f'Basic {b64encode(basic_auth).decode()}'}

print("\nLogin request ...\n")
response = requests.post(login_url, headers=login_headers, verify=False)
token = json.loads(response.content.decode())['data']['token']
print(token)

# New authorization header with the JWT we got
requests_headers = {'Content-Type': 'application/json',
                    'Authorization': f'Bearer {token}'}

print("\n- API calls with TOKEN environment variable ...\n")

print("Getting API information:")

response = requests.get(f"{protocol}://{host}:{port}/?pretty=true", headers=requests_headers, verify=False)
print(response.text)

print("\nGetting agents status summary:")

response = requests.get(f"{protocol}://{host}:{port}/agents/summary/status?pretty=true", headers=requests_headers, verify=False)
print(response.text)

print("\nEnd of the script.\n")

Replace <WAZUH_API_USER> and <WAZUH_API_PASSWORD> with the correct credentials.

Install the Python requests module:

# python3 -m pip install requests

Note

The Python module urllib3 version 2.0 and above only supports OpenSSL version 1.1.1 or later. If your system has an older version of OpenSSL, you will need to either:

Upgrade OpenSSL to version 1.1.1 or higher.
Downgrade urllib3 to a version compatible with your current OpenSSL version.

Please ensure your software dependencies are properly aligned to avoid compatibility issues.

Run the Python script wazuh_api_authenticator.py:

# python3 wazuh_api_authenticator.py

Login request ...
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjAyMjMxNjU2LCJleHAiOjE2MDIyMzUyNTYsInN1YiI6IndhenVoIiwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.V60_otHPaT4NTkrS6SF3GHva0Z9r5p4mqe5Cn0hk4o4
- API calls with TOKEN environment variable ...
Getting API information:
{
   "data": {
      "title": "Wazuh API REST",
      "api_version": "4.7.4",
      "revision": 40717,
      "license_name": "GPL 2.0",
      "license_url": "https://github.com/wazuh/wazuh/blob/master/LICENSE",
      "hostname": "wazuh-master",
      "timestamp": "2024-05-14T21:34:15Z"
   },
   "error": 0
}
Getting agents status summary:
{
   "data": {
       "connection": {
           "active": 1,
           "disconnected": 0,
           "never_connected": 0,
           "pending": 0,
           "total": 1
       },
       "configuration": {
           "synced": 1,
           "not_synced": 0,
           "total": 1
       }
   },
   "error": 0
}
End of the script.

Logging in with a Bash script

You can also authenticate to the Wazuh server API using a Bash script. The following script wazuh_api_authenticator.sh authenticates with the Wazuh server API to obtain a JWT. It then uses the token within the request header to retrieve a summary of operating systems used by Wazuh agents.

#!/bin/bash

echo -e "\n- Getting token...\n"

TOKEN=$(curl -u <WAZUH_API_USER>:<WAZUH_API_PASSWORD> -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")

echo -e "\n- API calls with TOKEN environment variable ...\n"

echo -e "Getting default information:\n"

curl -k -X GET "https://localhost:55000/?pretty=true" -H  "Authorization: Bearer $TOKEN"

echo -e "\n\nGetting /agents/summary/os:\n"

curl -k -X GET "https://localhost:55000/agents/summary/os?pretty=true" -H  "Authorization: Bearer $TOKEN"

echo -e "\n\nEnd of the script.\n"

Replace <WAZUH_API_USER> and <WAZUH_API_PASSWORD> with the correct credentials

Run the Bash script wazuh_api_authenticator.sh:

# bash wazuh_api_authenticator.sh

- Getting token...
Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3059  100  3059    0     0  17089      0 --:--:-- --:--:-- --:--:-- 17089
- API calls with TOKEN environment variable ...
Getting default information:
{
   "data": {
      "title": "Wazuh API REST",
      "api_version": "4.7.4",
      "revision": 40717,
      "license_name": "GPL 2.0",
      "license_url": "https://github.com/wazuh/wazuh/blob/master/LICENSE",
      "hostname": "wazuh-master",
      "timestamp": "2024-05-14T21:34:15Z"
   },
   "error": 0
}
Getting /agents/summary/os:
{
    "data": {
        "affected_items": [
            "windows"
        ],
        "total_affected_items": 1,
        "total_failed_items": 0,
        "failed_items": []
    },
    "message": "Showing the operative system of all specified agents",
    "error": 0
}
End of the script.

Understanding the Wazuh server API request and response

A standard Wazuh server API request consists of three essential components: the request method (GET, POST, PUT, or DELETE), the API URL, which specifies the endpoint being accessed, and the authorization header. This header must contain a JWT to authenticate and authorize the request. Below is an example cURL request:

# curl -k -X GET "https://localhost:55000/agents/summary/os?pretty=true" -H  "Authorization: Bearer $TOKEN"

The cURL command for each request contains the following fields:

Field	Description
`-X GET/POST/PUT/DELETE`	Specify a request method to use when communicating with the HTTP server.
`http://<WAZUH_MANAGER_IP_ADDRESS>:55000/<ENDPOINT>` `https://<WAZUH_MANAGER_IP_ADDRESS>:55000/<ENDPOINT>`	The API URL to use. Specify `http` or `https` depending on whether SSL is activated in the API or not.
`-H "Authorization: Bearer <YOUR_JWT_TOKEN>"`	Include an extra header in the request to specify the JWT.
`-k`	Suppress SSL certificate errors (only if you use the default self-signed certificates).

All responses are in JSON format, and most of them follow this structure:

Field	Optional Sub-fields	Description
data	affected_items	List each of the successfully affected items in the request.
	total_affected_items	Total number of successfully affected items.
	failed_items	List containing each of the failed items in the request.
	total_failed_items	Total number of failed items.
message		Result description.
error		For HTTP `200` responses, it determines if the response was complete (`0`), failed (`1`), or partial (`2`). For HTTP `4xx` or `5xx` responses, it determines the error code related to the failure.

By default, responses that contain data collections return a maximum of 500 elements. You can use the offset and limit parameters to iterate through large collections. While the limit parameter allows for up to 100,000 items, we recommend not exceeding the default limit of 500 items to avoid unexpected behaviors like timeouts and excessively large responses. Use with caution.
All responses include an HTTP status code: 2xx (success), 4xx (client error), 5xx (server error), etc.
All requests (except POST /security/user/authenticate and POST /security/user/authenticate/run_as) accept the pretty parameter to convert the JSON response to a more human-readable format.
The Wazuh server API stores logs in the api.log or api.json files, depending on the chosen log format. These log files are located at /var/ossec/logs/ on the Wazuh server. You can change the verbosity level in the Wazuh API configuration file.
The Wazuh API logs are rotated based on time by default. Rotation only occurs after adding a new entry to the log. For instance, time-based rotation triggers when a new entry is added on a different day, not necessarily every midnight. Rotated logs are stored in /var/ossec/logs/api/<YEAR>/<MONTH>/ and compressed using gzip.
All Wazuh server API requests will be aborted if no response is received after the time duration defined in the request_timeout field of the server API configuration file /var/ossec/api/configuration/api.yaml. You can use the wait_for_complete parameter to disable this timeout, which is particularly useful for calls that might exceed the expected duration, such as PUT /agents/upgrade.

Note

To adjust the maximum API response time, update the request_timeout value in the /var/ossec/api/configuration/api.yaml file on the Wazuh server.

Example response without errors (HTTP status code 200):

{
  "data": {
    "affected_items": [
      "master-node",
      "worker1"
    ],
    "total_affected_items": 2,
    "failed_items": [],
    "total_failed_items": 0
  },
  "message": "Restart request sent to all specified nodes",
  "error": 0
}

Example response with errors (HTTP status code 200):

{
  "data": {
    "affected_items": [],
    "total_affected_items": 0,
    "total_failed_items": 4,
    "failed_items": [
      {
        "error": {
          "code": 1707,
          "message": "Cannot send request, agent is not active",
          "remediation": "Please, check non-active agents connection and try again. Visit
          https://documentation.wazuh.com/current/user-manual/registering/index.html and
          https://documentation.wazuh.com/current/user-manual/agents/agent-connection.html
          to obtain more information on registering and connecting agents"
        },
        "id": [
          "001",
          "002",
          "009",
          "010"
        ]
      },
    ]
  },
  "message": "Restart command was not sent to any agent",
  "error": 1
}

Example of partial response (HTTP status code 200):

{
  "data": {
    "affected_items": [
      {
        "ip": "10.0.0.9",
        "id": "001",
        "name": "Carlos",
        "dateAdd": "2020-10-07T08:14:32Z",
        "node_name": "unknown",
        "registerIP": "10.0.0.9",
        "status": "never_connected"
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 1,
    "failed_items": [
      {
        "error": {
          "code": 1701,
          "message": "Agent does not exist",
          "remediation": "Please, use `GET /agents?select=id,name` to find all available agents"
        },
        "id": [
          "005"
        ]
      }
    ]
  },
  "message": "Some agents information was not returned",
  "error": 2
}

Example response to report an unauthorized request (HTTP status code 401):

{
  "title": "Unauthorized",
  "detail": "The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.",
}

Example response to report a permission denied error (HTTP status code 403):

{
  "title": "Permission Denied",
  "detail": "Permission denied: Resource type: *:*",
  "remediation": "Please, make sure you have permissions to execute the current request. For more information on how to set up permissions, please visit https://documentation.wazuh.com/current/user-manual/api/rbac/configuration.html",
  "error": 4000,
  "dapi_errors": {
    "unknown-node": {
      "error": "Permission denied: Resource type: *:*"
    }
  }
}

Practical examples of Wazuh server API usage

In this section, we demonstrate how to send various types of requests to the Wazuh server API using cURL, Python scripts, and PowerShell scripts. These examples serve as foundational knowledge for more advanced use cases you may envision.

CURL

cURL is a command-line tool for sending HTTP/HTTPS requests and commands. It comes pre-installed on many Linux and macOS endpoints, allowing users to interact with the Wazuh server API directly from the command line. Note that you must obtain a JWT before executing any endpoints. In the examples below, we use the raw option to retrieve the token and save it as an environment variable ($TOKEN). For detailed instructions on obtaining the JWT, please refer to the getting started section.

GET

The following GET request retrieves basic information about the Wazuh server API, such as its title, version, revision, license, hostname, and the current timestamp:

# curl -k -X GET "https://localhost:55000/?pretty=true" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "title": "Wazuh API REST",
      "api_version": "4.12.0",
      "revision": "rc1",
      "license_name": "GPL 2.0",
      "license_url": "https://github.com/wazuh/wazuh/blob/v4.12.0/LICENSE",
      "hostname": "centos8a",
      "timestamp": "2025-08-18T19:19:56Z"
   },
   "error": 0
}

POST

The following POST request to the Wazuh server API creates a new user on the Wazuh server by specifying the username test_user and password Test_user1 in the request body.

# curl -k -X POST "https://localhost:55000/security/users" -H  "Authorization: Bearer $TOKEN" -H  "Content-Type: application/json" -d "{\"username\":\"test_user\",\"password\":\"Test_user1\"}"

{
  "data": {
    "affected_items": [
      {
        "username": "test_user",
        "roles": []
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "User was successfully created",
  "error": 0
}

DELETE

The following DELETE request to the Wazuh server API deletes all agent groups on the Wazuh server.

# curl -k -X DELETE "https://localhost:55000/groups?pretty=true&groups_list=all" -H  "Authorization: Bearer $TOKEN"

{
  "data": {
    "affected_items": [
      "group1",
      "group2",
      "group3"
    ],
    "total_affected_items": 3,
    "total_failed_items": 0,
    "failed_items": [],
    "affected_agents": [
      "001",
      "002",
      "003",
      "005",
      "006",
      "007",
      "008",
      "009",
      "010"
    ]
  },
  "message": "All selected groups were deleted",
  "error": 0
}

Python

You can use a Python script to retrieve information about disconnected agents, including their last keep-alive time and IDs. To do this, the script first authenticates with the Wazuh server API using basic authentication to obtain a bearer token, then makes a GET request to retrieve the required information.

Save the following Python script as get_agent_keep_alive.py:

#!/usr/bin/env python3

import json
from base64 import b64encode

import requests  # To install requests, use: pip install requests
import urllib3

# Configuration
endpoint = '/agents?select=lastKeepAlive&select=id&status=disconnected'

protocol = 'https'
host = '<WAZUH_SERVER_API_IP_ADDRESS>'
port = '<WAZUH_SERVER_API_PORT>'
user = '<WAZUH_API_USER>'
password = '<WAZUH_API_PASSWORD>'

# Disable insecure https warnings (for self-signed SSL certificates)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Functions
def get_response(request_method, url, headers, verify=False, body=None):
    """Get API result"""
    if body is None:
        body = {}

    request_result = getattr(requests, request_method.lower())(url, headers=headers, verify=verify, data=body)

    if request_result.status_code == 200:
        return json.loads(request_result.content.decode())
    else:
        raise Exception(f"Error obtaining response: {request_result.json()}")

# Variables
base_url = f"{protocol}://{host}:{port}"
login_url = f"{base_url}/security/user/authenticate"
basic_auth = f"{user}:{password}".encode()
headers = {
           'Authorization': f'Basic {b64encode(basic_auth).decode()}',
           'Content-Type': 'application/json'
           }
headers['Authorization'] = f'Bearer {get_response("POST", login_url, headers)["data"]["token"]}'

# Request
response = get_response("GET", url=base_url + endpoint, headers=headers)

# WORK WITH THE RESPONSE AS YOU LIKE
print(json.dumps(response, indent=4, sort_keys=True))

Replace the following variables below:

<WAZUH_SERVER_API_IP_ADDRESS> with your Wazuh server IP address.
<WAZUH_SERVER_API_PORT> with the Wazuh server API port number (port 5500 by default).
<WAZUH_API_USER> and <WAZUH_API_PASSWORD> with the correct credentials.

Install the Python requests module:

# python3 -m pip install requests

Note

The Python module urllib3 version 2.0 and above only supports OpenSSL version 1.1.1 or later. If your system has an older version of OpenSSL, you will need to either:

Upgrade OpenSSL to version 1.1.1 or higher.
Downgrade urllib3 to a version compatible with your current OpenSSL version.

Please ensure your software dependencies are properly aligned to avoid compatibility issues.

Run the Python script to retrieve information about the disconnected agents:

# python3 get_agent_keep_alive.py

{
    "data": {
        "affected_items": [
            {
                "id": "009",
                "lastKeepAlive": "2020-05-23T12:39:50Z"
            },
            {
                "id": "010",
                "lastKeepAlive": "2020-05-23T12:39:50Z"
            }
        ],
        "failed_items": [],
        "total_affected_items": 2,
        "total_failed_items": 0
    },
    "message": "All selected agents information was returned",
    "error": 0
}

PowerShell

You can also use a PowerShell script to fetch details on disconnected agents, including their last keep-alive time and IDs. To do this, the script first authenticates with the Wazuh server API using basic authentication to obtain a bearer token, then makes a GET request to retrieve the required information.

Save the following PowerShell script as get_agent_keep_alive.ps1:

function Ignore-SelfSignedCerts {
    add-type @"
        using System.Net;
        using System.Security.Cryptography.X509Certificates;

        public class PolicyCert : ICertificatePolicy {
            public PolicyCert() {}
            public bool CheckValidationResult(
                ServicePoint sPoint, X509Certificate cert,
                WebRequest wRequest, int certProb) {
                return true;
            }
        }
"@
    [System.Net.ServicePointManager]::CertificatePolicy = new-object PolicyCert
}

# Configuration
$endpoint = "/agents?select=lastKeepAlive&select=id&status=disconnected"
$method = "get"

$protocol = "https"
$host_name = "<WAZUH_SERVER_API_IP_ADDRESS>"
$port = "<WAZUH_SERVER_API_PORT>"
$username = "<WAZUH_API_USER>"
$password = "<WAZUH_API_PASSWORD>"

# Variables
$base_url = $protocol + "://" + $host_name + ":" + $port
$login_url = $base_url + "/security/user/authenticate"
$endpoint_url = $base_url + $endpoint
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username, $password)))
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Content-Type", 'application/json')
$headers.Add("Authorization", "Basic " + $base64AuthInfo)

Ignore-SelfSignedCerts
$token_response = Invoke-RestMethod -Uri $login_url -Headers $headers
$headers["Authorization"] = "Bearer " + $token_response.data.token

# Request
try{
    $response = Invoke-RestMethod -Method $method -Uri $endpoint_url -Headers $headers
}catch{
    $response = $_.Exception.Response
}

# WORK WITH THE RESPONSE AS YOU LIKE
Write-Output $response.data

Replace the following variables below:

<WAZUH_SERVER_API_IP_ADDRESS> with your Wazuh server IP address.
<WAZUH_SERVER_API_PORT> with the Wazuh server API port number (port 5500 by default).
<WAZUH_API_USER> and <WAZUH_API_PASSWORD> with the correct credentials.

Run the PowerShell script on a Windows endpoint to retrieve information about the disconnected agents:

> powershell .\get_agent_keep_alive.ps1

affected_items                                   total_affected_items total_failed_items failed_items
--------------                                   -------------------- ------------------ ------------
{@{lastKeepAlive=2020-05-23T12:39:50Z; id=009},  2                    0                  {}
@{lastKeepAlive=2020-05-23T12:39:50Z; id=010}}

Configuration

Note

Please review securing the Wazuh server API section for more information on how to protect the Wazuh server API.

Wazuh server API configuration file

The Wazuh server API configuration is located in the /var/ossec/api/configuration/api.yaml file on the Wazuh server. By default, all settings are commented out. To apply a different configuration, uncomment and edit the desired line.

Here are all the available settings for the /var/ossec/api/configuration/api.yaml configuration file. For more information on each of the settings, check the configuration options:

host: ['0.0.0.0', '::']
port: 55000

drop_privileges: yes
experimental_features: no
max_upload_size: 10485760
authentication_pool_size: 2

intervals:
   request_timeout: 10

https:
   enabled: yes
   key: "server.key"
   cert: "server.crt"
   use_ca: False
   ca: "ca.crt"
   ssl_protocol: "auto"
   ssl_ciphers: ""

logs:
   level: "info"
   format: "plain"
   max_size:
    enabled: false

cors:
   enabled: no
   source_route: "*"
   expose_headers: "*"
   allow_headers: "*"
   allow_credentials: no

access:
   max_login_attempts: 50
   block_time: 300
   max_request_per_minute: 300

upload_configuration:
   remote_commands:
      localfile:
         allow: yes
         exceptions: []
      wodle_command:
         allow: yes
         exceptions: []
   limits:
      eps:
         allow: yes
    agents:
      allow_higher_versions:
         allow: yes
    indexer:
      allow: yes
    integrations:
      virustotal:
         public_key:
            allow: yes
            minimum_quota: 240

Warning

When running a Wazuh server cluster, the master node does not automatically send its local Wazuh server API configuration file to the worker nodes. Each node maintains its own Wazuh server API configuration. Therefore, if any changes are made to the configuration file on the master node, you must manually update the configuration on each worker node to ensure consistency. Ensure that the IP address and port are not overwritten in the local configuration of each worker.

Make sure to restart the Wazuh server API using the Wazuh manager service after editing the configuration file:

# systemctl restart wazuh-manager

# service wazuh-manager restart

API configuration options

host

Allowed values	Default value	Description
A list of valid IP addresses or hostnames	['0.0.0.0', '::']	IP addresses or hostnames of the Wazuh manager where the Wazuh server API is running.

port

Allowed values	Default value	Description
Any value between 1 and 65535	55000	Port where the Wazuh server API will listen.

use_only_authd

Deprecated since version 4.3.0.

Allowed values	Default value	Description
yes, true, no, false	false	Force the use of wazuh-authd when registering and removing agents.

drop_privileges

Allowed values	Default value	Description
yes, true, no, false	true	Run wazuh-api process as the `wazuh` user.

experimental_features

Allowed values	Default value	Description
yes, true, no, false	false	Enable features under development

max_upload_size

Allowed values	Default value	Description
Any positive integer	10485760	Set the maximum body size that the API can accept, in bytes (0 -> limitless)

authentication_pool_size

New in version 4.11.2.

Allowed values	Default value	Description
Any integer between 1 and 50	2	Number of processes dedicated to processing authentication requests.

intervals

Sub-fields	Allowed values	Default value	Description
request_timeout	Any positive integer	10	Set the maximum response time (in seconds) for each API request

https

Sub-fields	Allowed values	Default value	Description
enabled	yes, true, no, false	true	Enable or disable SSL (https) in the Wazuh server API.
key	Any text string	server.key	Name of the private key. Stored in `/var/ossec/api/configuration/ssl`.
cert	Any text string	server.crt	Name of the certificate. Stored in `/var/ossec/api/configuration/ssl`.
use_ca	yes, true, no, false	false	Whether to use a certificate from a Certificate Authority or not.
ca	Any text string	ca.crt	Name of the certificate of the Certificate Authority (CA). Stored in `/var/ossec/api/configuration/ssl`.
ssl_protocol	TLS, TLSv1, TLSv1.1, TLSv1.2, auto	auto	SSL protocol to allow. Its value is not case sensitive.
ssl_ciphers	Any text string	None	SSL ciphers to allow. Its value is not case sensitive.

logs

Sub-fields	Allowed values	Default value	Description
level	disabled, info, warning, error, debug, debug2 (each level includes the previous level)	info	Set the verbosity level of the Wazuh server API logs.
path	Any text string.	logs/api.log	Deprecated since version 4.3.0. Path where the Wazuh server API logs will be saved.
format	plain, json or both (plain,json)	plain	Set the format of the Wazuh server API logs.

max_size

Sub-fields	Allowed values	Default value	Description
enabled	yes, true, no, false	false	Toggle between time-based and size-based Wazuh API log rotation. Enabling this option disables time-based rotation, enabling rotation based on file size instead.
size	Any positive number followed by a valid unit. K/k for kilobytes, M/m for megabytes.	1M	Set the maximum file size to not trigger size-based log rotation. Lower than 1 M values are considered as 1 M.

cors

Sub-fields	Allowed values	Default value	Description
enabled	yes, true, no, false	false	Enable or disable the use of CORS in the Wazuh server API.
source_route	Any text string	`*`	Sources for which the resources will be available. For example `http://client.example.org`.
expose_headers	Any text string	`*`	Which headers can be exposed as part of the response.
allow_headers	Any text string	`*`	Which HTTP headers can be used during the actual request.
allow_credentials	yes, true, no, false	false	Tell browsers whether to expose the response to frontend JavaScript or not.

access

Sub-fields	Allowed values	Default value	Description
max_login_attempts	Any positive integer	50	Set a maximum number of login attempts during a specified `block_time` number of seconds.
block_time	Any positive integer	300	Established period of time (in seconds) to attempt login requests. If the established number of requests (`max_login_attempts`) is exceeded within this time limit, the IP address is blocked until the end of the block time period.
max_request_per_minute	Any positive integer	300	The maximum number of requests allowed per minute. It applies to all Wazuh server API endpoints except for authentication requests. Reaching this limit in less than a minute blocks all incoming requests from any user for the remaining time. A value of `0` disables this feature. For `POST /events` requests, the effective value is `30` for values greater than 30.

upload_configuration

remote_commands (localfile and wodle "command")

Sub-fields	Allowed values	Default value	Description
allow	yes, true, no, false	true	Allow uploading configurations with remote commands through the Wazuh server API. Setting this option to `false` prevents uploading `ossec.conf` files that contain the wodle "command" option or the `<command>` option inside the localfile tag.
exceptions	command list	[ ]	Set a list of commands allowed to be uploaded through the API. These exceptions can always be uploaded regardless of the `allow` configuration.

limits

eps

Sub-fields	Allowed values	Default value	Description
allow	yes, true, no, false	true	Allow uploading configurations with modified EPS limits through the Wazuh server API. Setting this option to `false` prevents uploading `ossec.conf` files if the `<limits><eps>` section inside the global tag has changed.

agents

allow_higher_versions

Sub-fields	Allowed values	Default value	Description
allow	yes, true, no, false	true	Allow uploading configurations that accept higher agent versions through the Wazuh server API. Setting this option to `false` prevents uploading `ossec.conf` files that contain the `<allow_higher_versions>` section with the `yes` value inside the auth or remote tags.

indexer

Sub-fields	Allowed values	Default value	Description
allow	yes, true, no, false	true	Allows uploading an updated indexer configuration section through the Wazuh server API. Setting this option to `false` prevents updating the indexer configuration when uploading `ossec.conf`.

integrations

virustotal (public_key)

Sub-fields	Allowed values	Default value	Description
allow	yes, true, no, false	true	Allows uploading an updated Virus Total integration configuration section using a public API key through the Wazuh server API. Setting this option to `false` prevents updating the integrations Virus Total configuration when uploading `ossec.conf`.
minimum_quota	Any positive integer	240	Minimum quota value for Virus Total public API key.

Wazuh server API security configuration

You can query and modify the security configuration, including auth_token_exp_timeout and rbac_mode settings, exclusively through the Wazuh server API endpoints: GET /security/config, PUT /security/config, and DELETE /security/config. The auth_token_exp_timeout defines the duration in seconds before an authentication token expires and requires renewal. The rbac_mode determines the overall behavior of the Role-Based Access Control system, which can be configured to either broadly permit or restrict access to resources and endpoints based on user roles and permissions. Refer to the Role-Based Access Control documentation for more details. The configuration is applied to every Wazuh server API in a cluster if applicable.

For more information on each of the settings, please check the security configuration options.

auth_token_exp_timeout: 900
rbac_mode: white

Warning

For security reasons, changing the security configuration revokes all JWTs. You will need to log in and obtain a new token after the change.

Security configuration options

auth_token_exp_timeout

Allowed values	Default value	Description
Any positive integer	900	Set how many seconds it takes for JWT tokens to expire.

rbac_mode

Allowed values	Default value	Description
black,white	white	Set the behavior of RBAC. By default, everything is allowed in black mode while everything is denied in white mode. Choose the rbac_mode that better suits the desired RBAC infrastructure. In black mode it is very easy to deny a few specific action-resources pairs with just some policies while white mode is more secure and requires building from scratch.

Configuration endpoints

The Wazuh server API has several endpoints that allow querying its current configuration. To modify the general API configuration, edit the /var/ossec/api/configuration/api.yaml file as detailed in the Wazuh server API configuration file section.

Get configuration

GET /manager/api/config: Get the complete local Wazuh server API configuration.
GET /cluster/api/config: Get the complete Wazuh server API configuration of all (or a list) of the cluster nodes.
GET /security/config: Get the current security configuration.

Modify configuration

PUT /security/config: Modify the security configuration.

Restore configuration

DELETE /security/config: Restore the default security configuration.

SSL certificate

Note

This process is done automatically when the Wazuh server API is run for the first time.

The SSL certificate ensures secure communication between the Wazuh server API and its clients. The certificate files are stored within the /var/ossec/api/configuration/ssl/ directory.

Take the following steps to generate new certificates for the Wazuh server API:

Generate the key and certificate request (the openssl package is required):
```
# cd /var/ossec/api/configuration/ssl
# openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -keyout server.key -out server.crt
```
By default, the key's password must be entered every time the server is run. If the key was generated by the Wazuh server API or the command above, it would not have a password.
(Optional) Secure the key with a password:
```
# ssh-keygen -p -f server.key
```
You will be prompted to enter and confirm the new password.

Securing the Wazuh server API

The communication between the Wazuh dashboard and the Wazuh server API is encrypted with HTTPS by default. The Wazuh server API will generate its own private key and certificate during the first run if users do not supply them. Additionally, the Wazuh server API automatically creates the following username-password pair when installed with the OVA installation:

wazuh:wazuh
wazuh-wui:wazuh-wui

If the Wazuh deployment was performed using the installation assistant script, the Wazuh API username is wazuh and you can extract the password by running the following command:

# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'wazuh\'" -A 1

Therefore, securing the Wazuh server API is crucial after installing the Wazuh manager.

Warning

We highly recommend changing the default passwords and to use your own certificate since the one created by the Wazuh server API is self-signed.

Recommended changes to secure the Wazuh server API

1. Modify HTTPS parameters

The Wazuh server API has HTTPS enabled by default. If there is no available certificate in /var/ossec/api/configuration/ssl/, the Wazuh server will generate the private key and a self-signed certificate when it is started. If that is the case and the API log format is set as plain, the following lines will appear in /var/ossec/logs/api.log:

INFO: HTTPS is enabled but cannot find the private key and/or certificate. Attempting to generate them.
INFO: Generated private key file in WAZUH_PATH/api/configuration/ssl/server.key.
INFO: Generated certificate file in WAZUH_PATH/api/configuration/ssl/server.crt.

You can change these HTTPS options, including their status or the path to the certificate, by editing the Wazuh server API configuration file located at /var/ossec/api/configuration/api.yaml:

https:
  enabled: yes
  key: "server.key"
  cert: "server.crt"
  use_ca: False
  ca: "ca.crt"
  ssl_protocol: "auto"
  ssl_ciphers: ""

Restart the Wazuh server API using the Wazuh manager service to apply the changes:

# systemctl restart wazuh-manager

# service wazuh-manager restart

2. Change the default password for the administrative users

You can change the default password for the administrative users wazuh and wazuh-wui using the following Wazuh server API request: PUT /security/users/{user_id}.

Note

The password for users must be between 8 and 64 characters long. It should contain at least one uppercase, lowercase letter, number, and symbol.

We show an example of changing the password using curl below:

Get a list of users along with their user IDs:

# curl -k -X GET "https://localhost:55000/security/users?pretty=true" -H  "Authorization: Bearer $TOKEN"

Change the password of the desired user:
```
# curl -k -X PUT "https://localhost:55000/security/users/<USER_ID>" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"password": "<NEW_PASSWORD>"}'
```
Replace <USER_ID> with the user’s ID and <NEW_PASSWORD> with the new password.

Warning

Changing the wazuh-wui user password will affect the Wazuh dashboard. You will have to update the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file accordingly with the new credentials. To learn more, see the Wazuh dashboard configuration file document.

3. Change the default host and port

By default, the host is set to ['0.0.0.0', '::'], allowing the Wazuh server API to accept incoming connections on all available network interfaces. To restrict access, edit the Wazuh server API configuration in /var/ossec/api/configuration/api.yaml:

host: ['0.0.0.0', '::']

You can also change the default port:

port: 55000

After configuring these parameters, restart the Wazuh server API using the Wazuh manager service with Systemd or SysV init:

# systemctl restart wazuh-manager

# service wazuh-manager restart

4. Set maximum number of requests per minute

To prevent overloading the Wazuh server API, you can implement rate limiting to establish the maximum number of requests the API can handle per minute. If this limit is exceeded, the API will reject further requests from any user for the rest of the period.

The default limit is 300 requests per minute. Adjust this by changing the max_request_per_minute setting in /var/ossec/api/configuration/api.yaml.

Note

To disable rate limiting, set its value to 0.

5. Set maximum number of login attempts

To protect against brute force attacks, you can limit login attempts from the same IP address within a specific timeframe. Exceeding this limit blocks the IP address for the duration of that period.

By default, you're allowed 50 login attempts per 300-second period. To adjust these limits, edit the max_login_attempts and/or block_time settings in /var/ossec/api/configuration/api.yaml.

You can find a complete Wazuh server API configuration guide here.

Role-Based Access Control

Role-based access control (RBAC) adds the capability to control access to different endpoints and resources through the Wazuh server API based on users' privileges.

Contents

How it works

The operation of RBAC on the Wazuh server API relies on the interactions among four key components: users, roles, rules, and policies.

Users are entities who send requests to the Wazuh server API endpoints.
Roles are essentially collections of access rights, each defined by specific rules and policies it is associated with.
Rules determine the conditions under which policies apply, dictating the execution of permissions.
Policies are detailed sets of permissions that outline the allowed actions on various resources.

This structure enables users to be assigned roles that already encompass the necessary rules and policies, streamlining the permission management process by negating the need for direct policy assignment to each user. As a result, updating permissions for groups of users becomes more efficient through role adjustments.

Implementing RBAC in the Wazuh environment allows for precise access management. Consider the example below depicting fine-grained control of permissions assigned to roles within an organization:

Security analysts: They get read-only access to monitoring tools and incident reports. This enables them to analyze and identify potential threats without the risk of changing any configurations or data.
Security engineers: They receive roles with read, modify, and delete permissions for a wider range of resources. This allows them to adjust security policies, modify system configurations, and update rules to respond to incidents.

This division of roles ensures that each team member has access tailored to their responsibilities and expertise. It enhances overall security by enforcing the principle of least privilege, giving team members only the access they need.

RBAC Policies

Policies control the Wazuh server API permissions using three elements: actions, resources, and effect.

Actions represent a hierarchy of actions that a user may perform. They indicate both the element to which the action belongs and the action itself. The structure they follow looks like the example below, where the restart of an agent is specified.

agent:restart

Resources are any entity that can be subject to an action. The set of resources is dynamic, but the types are static. Some examples of resources are "agent 001", "agents in group default" or "node of a cluster". The symbol * can be used as a wildcard to indicate all the resources of a type, instead of specifying them one by one. For example:

agent:id:001
node:id:*

Effect can only be "allow" or "deny", depending on the effective permission to be applied.

Note

Please visit the RBAC reference for a complete list of resources and actions.

RBAC modes

You can configure RBAC in Wazuh in two distinct and opposite modes: black and white. The selected mode shapes the behavior of the policies created. Setting a policy's effect parameter to allow permits that policy in both black and white modes. Conversely, setting the effect to deny prohibits it in both modes. Therefore, the RBAC mode only affects actions that are not specified within each policy.

White list mode: The system forbids all actions by default. The administrator configures roles to grant permissions.
Black list mode: The system allows all actions by default. The administrator configures roles to restrict permissions.

Configuration

Note

You must log into the Wazuh server API before attempting to add or modify any RBAC configuration, such as policies, roles, users, or security rules. The getting started section contains a detailed guide on how to log into the Wazuh server API.

Set RBAC mode

As explained in the how it works section, you can modify the RBAC mode and change it to white or black using the PUT /security/config endpoint. You can also restore it to default with the DELETE /security/config endpoint.

Here is an example of how to change RBAC mode using a cURL command. We recommend that you export the authentication token to an environment variable as explained in the getting started section. Replace <DESIRED_RBAC_MODE> with the mode to enable (white or black):

# curl -k -X PUT "https://localhost:55000/security/config?pretty=true" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "{\"rbac_mode\":\"<DESIRED_RBAC_MODE>\"}"

{
   "message": "Configuration was successfully updated",
   "error": 0
}

Warning

For security reasons, changing the RBAC mode revokes all tokens. You will need to log in again to obtain a new token after the change.

Create a new policy

Policies specify which actions you can take on given resources. You can use the POST /security/policies endpoint to create a new policy.

For example, a Managed Security Service Provider (MSSP) can grant a group of analysts in “Team Alpha” access to Wazuh agents in a specific customer’s environment. To do this, you must create a policy outlining permissible actions on those agents. Define the necessary policy as follows:

{
  "name": "customer_x_agents",
  "policy": {
    "actions": [
      "agent:read"
    ],
    "resources": [
      "agent:id:001",
      "agent:id:002",
      "agent:id:003",
      "agent:id:004"
    ],
    "effect": "allow"
  }
}

To create this policy, use the following Wazuh server API request:

# curl -k -X POST "https://localhost:55000/security/policies?pretty=true" -H  "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "{\"name\":\"customer_x_agents\",\"policy\":{\"actions\":[\"agent:read\"],\"resources\":[\"agent:id:001\",\"agent:id:002\",\"agent:id:003\",\"agent:id:004\"],\"effect\":\"allow\"}}"

The Wazuh server API response will be something similar to this. Note the highlighted policy ID as this will be used later on to assign the policy to the role:

{
  "data": {
    "affected_items": [
      {
        "id": 100,
        "name": "customer_x_agents",
        "policy": {
          "actions": [
            "agent:read"
          ],
          "resources": [
            "agent:id:001",
            "agent:id:002",
            "agent:id:003",
            "agent:id:004"
          ],
          "effect": "allow"
        },
        "roles": []
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Policy was successfully created",
  "error": 0
}

This policy grants read access to Wazuh agents with IDs 001, 002, 003, and 004. You can create additional policies as needed and modify any policy, for example, to add new agents.

To retrieve the policy ID and other information, use the GET /security/policies endpoint. For a comprehensive list of resources and actions, refer to the RBAC reference page.

Create a new role

Roles are links between users and policies. You can assign multiple users to the same role and link multiple policies to a role. Create roles using the POST /security/roles endpoint.

Building on the previous example of "Team Alpha" in an MSSP, we will create the role described below to assign "Team Alpha" to it later:

{
  "name": "team-alpha"
}

To create this role, use the following Wazuh server API request:

# curl -k -X POST "https://localhost:55000/security/roles?pretty=true" -H  "accept: application/json" -H  "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "{\"name\":\"team-alpha\"}"

The Wazuh server API response will be something similar to this. Note the highlighted role ID as this will be used later on to link policies to this role:

{
  "data": {
    "affected_items": [
      {
        "id": 100,
        "name": "team-alpha",
        "policies": [],
        "users": [],
        "rules": []
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Role was successfully created",
  "error": 0
}

Create a new user

Create a new user by sending a request to the POST /security/users endpoint. Specify the following information, using "alpha-member-1" as an example username:

{
  "username": "alpha-member-1",
  "password": "Alpha-Member-1"
}

To create this user, use the following Wazuh server API request:

# curl -k -X POST "https://localhost:55000/security/users?pretty=true" -H  "accept: application/json" -H  "Authorization: Bearer $TOKEN" -H  "Content-Type: application/json" -d "{\"username\":\"alpha-member-1\",\"password\":\"Alpha-Member-1\"}"

The Wazuh server API response will be something similar to this:

{
  "data": {
    "affected_items": [{
      "id": 101,
      "username": "alpha-member-1",
      "allow_run_as": false,
      "roles": []
    }],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "User was successfully created",
  "error": 0
}

The allow_run_as parameter on the highlighted line, when set to true, enables the assignment of roles to the user based on the authorization context information.

Edit allow_run_as

By default, new users cannot authenticate using an authorization context. To enable this option, activate the allow_run_as parameter for the user by sending a request to PUT /security/users/{user_id}/run_as endpoint.

# curl -k -X PUT "https://localhost:55000/security/users/<USER_ID>/run_as?allow_run_as=true" -H  "Authorization: Bearer $TOKEN"

Replace <USER_ID> with the user’s ID.

The output should look like this:

{
  "data": {
    "affected_items": [{
      "id": 101,
      "username": "alpha-member-1",
      "allow_run_as": true,
      "roles": []
    }],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Parameter allow_run_as has been enabled for the user",
  "error": 0
}

Assign policies to roles

Use the POST /security/roles/{role_id}/policies endpoint to assign policies to a specific role by specifying the role's ID and the IDs of the policies. A role can have multiple policies, and a policy can link to multiple roles.

The POST /security/roles/{role_id}/policies endpoint includes a position parameter that determines the order of policy application, as some policies may conflict. For details on managing these conflicts, see the Priority of roles and policies section.

For example, to assign the customer_x_agents policy to the team-alpha role with role_id 100 and policy_id 100, use the following request:

# curl -k -X POST "https://localhost:55000/security/roles/100/policies?policy_ids=100&pretty=true" -H  "Authorization: Bearer $TOKEN"

{
  "data": {
    "affected_items": [
      {
        "id": 100,
        "name": "team-alpha",
        "policies": [
          100
        ],
        "users": [],
        "rules": []
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All policies were linked to role 100",
  "error": 0
}

This approach simplifies permission management for all members of "team-alpha" by allowing you to add or modify policies for the group rather than assigning permissions to each team member individually.

Create a new rule

To create a new rule, make a request to the POST /security/rules endpoint. Security rules are used to check if their content is inside an auth_context. If so, they assign the roles whose rule is met to the user who entered the auth_context. Only users whose allow_run_as is true can use authorization context based login. Find more information in the authorization context section. For example, consider the following rule alpha_rule to match the alpha-member-1 user:

{
  "name": "alpha_rule",
  "rule": {
    "FIND": {
      "username": "alpha-member-1"
    }
  }
}

Run the following command to create the rule:

# curl -k -X POST "https://localhost:55000/security/rules?pretty=true" -H  "accept: application/json" -H  "Authorization: Bearer $TOKEN" -H  "Content-Type: application/json" -d "{\"name\":\"alpha_rule\",\"rule\":{\"FIND\":{\"username\":\"alpha-member-1\"}}}"

{
   "data": {
      "affected_items": [
         {
            "id": 100,
            "name": "alpha_rule",
            "rule": {
               "FIND": {
                  "username": "alpha-member-1"
               }
            },
            "roles": []
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "Security rule was successfully created",
   "error": 0
}

Refer to the Wazuh server API RBAC rules section for more information about creating rules.

Assign rules to roles

Use the POST /security/roles/{role_id}/rules endpoint to assign rules directly to a specific role by specifying the role ID and the IDs of the rules. A role can have multiple rules, and you can assign a single rule to multiple roles.

To assign rules, you need to specify both the rule ID and the role ID. For example, to add alpha_rule with ID 100 to the team-alpha role with role_id 100, use this request:

# curl -k -X POST "https://localhost:55000/security/roles/100/rules?rule_ids=100&pretty=true" -H  "accept: application/json" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "id": 100,
            "name": "team-alpha",
            "policies": [
               100
            ],
            "users": [
               100
            ],
            "rules": [
               100
            ]
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All security rules were linked to role 100",
   "error": 0
}

Assign roles to a user

Use the POST /security/users/{username}/roles endpoint to assign users to one or more roles. You can add existing users to a role by specifying the user ID and role ID.

The POST /security/users/{username}/roles endpoint features a position parameter to set the order of role application, which is crucial when roles contain conflicting policies. For more details, see Priority of roles and policies.

Following the previous example, you can assign the user alpha-member-1 to the team-alpha role, with role_id 100, use this request:

# curl -k -X POST "https://localhost:55000/security/users/101/roles?role_ids=100&pretty=true" -H  "Authorization: Bearer $TOKEN"

{
  "data": {
    "affected_items": [
      {
        "id": 101,
        "username": "alpha-member-1",
        "allow_run_as": true,
        "roles": [
          100
        ]
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All roles were linked to user sales-member-1",
  "error": 0
}

The user can now execute actions defined in its policies by linking alpha-member-1 to the team-alpha role.

Priority of roles and policies

When a role has two or more conflicting policies assigned or a user belongs to conflicting roles, the priority of the policies determines the final permission. Consider this example:

example_role:
    policy0:
        actions:
            agent:read
        resources:
            agent:id:001
        effect: allow
    policy1:
        actions:
            agent:read
        resources:
            agent:id:001
        effect: deny

In this scenario, example_role links to both policy0, allowing reading of agent 001, and policy1, denying it. The system applies the most recently added policy to the role. Thus, the policy listed last when viewing the role's policies with the GET /security/roles endpoint takes precedence. Here, the user would not have permission to read agent 001. The same principle applies when a user has multiple roles; the last applied role dictates behavior in conflicts.

You can specify a policy or the position of the role in the list (starting at 0) using the position parameter when creating a new policy-role or role-user relationship. This allows placing a new, conflicting policy in a different list position to override a subsequent policy. For instance, setting policy1 to position 0 in example_role would move it to the first position in the list, making policy0 apply last and grant the user read access to agent 001:

example_role:
    policy1:
        actions:
            agent:read
        resources:
            agent:id:001
        effect: deny
    policy0:
        actions:
            agent:read
        resources:
            agent:id:001
        effect: allow

To see the final policies applied to the current user, use the GET /security/users/me/policies endpoint:

# curl -k -X GET "https://localhost:55000/security/users/me/policies?pretty=true" -H "Authorization: Bearer $TOKEN"

{
  "data": {
    "agent:read": {
        "agent:id:001": "allow"
    },
    "rbac_mode": "white"
        "roles": []
  },
  "message": "Current user processed policies information was returned",
  "error": 0
}

Authorization Context

This guide outlines how to start using the authorization context login method.

Authorization context login method

The authorization context login method (POST /security/user/authenticate/run_as) dynamically obtains permissions. It enables any authorized user to acquire any desired permissions without assignment to a specific role, bypassing the usual user-role relationships. This requires a precise formalization of the authorization context.

To employ this method, you must first allow a user to use the authorization context (details on creating and enabling a user for authorization context is available in the RESTful API RBAC configuration section). Once you have established the necessary security rules, you must send an authorization context containing all the required information. The system will verify this against the security rules and grant the associated permissions.

The image below outlines the decision process for granting permissions through authorization context, detailing the steps from a user's login attempt to the assignment of permissions based on enabled settings and rule validation.

The command below demonstrates how to authenticate a user using the authorization context feature. Replace <WAZUH_API_USER> and <WAZUH_API_PASSWORD> with your credentials:

# curl -k -u <WAZUH_API_USER>:<WAZUH_API_PASSWORD> -X POST https://localhost:55000/security/user/authenticate/run_as -H 'content-type: application/json' -d '{
        "name": "Initial_auth",
        "auth": {
                "name": "Bill",
                "office": ["20", "21", "30"]
        }
}'

{
        "data": {
                "token": "<YOUR_JWT_TOKEN>"
        }
}

API log for authorization context login method

As explained in the last section, authorization context grants additional permissions to any authorized user. The API logs tag these extra permissions with a unique identifier following the username, linking to the used authorization context.

Here are API log examples for authorization context login and basic login methods:

Authorization context login method:

2022/02/10 11:23:14 INFO: wazuh (66a28efb5f8db2e93da2b5fb107bec35) 127.0.0.1 "POST /security/user/authenticate/run_as" with parameters {"raw": "true"} and body {"name": "Initial_auth", "auth": {"name": "Bill", "office": ["20", "21", "30"]}} done in 0.363s: 200
2022/02/10 11:23:18 INFO: wazuh (66a28efb5f8db2e93da2b5fb107bec35) 127.0.0.1 "GET /" with parameters {} and body {} done in 0.051s: 200

Basic login method:

2022/02/02 08:59:19 INFO: wazuh 127.0.0.1 "POST /security/user/authenticate" with parameters {"raw": "true"} and body {} done in 0.253s: 200
2022/02/02 08:59:23 INFO: wazuh 127.0.0.1 "GET /" with parameters {} and body {} done in 0.039s: 200

If JSON log format is enabled, logs for the authorization context login method will appear as follows:

{
  "timestamp": "2022/02/10 11:23:14",
  "levelname": "INFO",
  "data": {
    "type": "request",
    "payload": {
      "user": "wazuh",
      "hash_auth_context": "66a28efb5f8db2e93da2b5fb107bec35",
      "ip": "127.0.0.1",
      "http_method": "POST",
      "uri": "POST /security/user/authenticate/run_as",
      "parameters": {
        "raw": "true"
      },
      "body": {
        "name": "Initial_auth",
        "auth": {
          "name": "Bill",
          "office": [
            "20",
            "21",
            "30"
          ]
        }
      },
      "time": "0.352s",
      "status_code": 200
    }
  }
}
{
  "timestamp": "2022/02/10 11:23:18",
  "levelname": "INFO",
  "data": {
    "type": "request",
    "payload": {
      "user": "wazuh",
      "hash_auth_context": "66a28efb5f8db2e93da2b5fb107bec35",
      "ip": "127.0.0.1",
      "http_method": "GET",
      "uri": "GET /",
      "parameters": {},
      "body": {},
      "time": "0.159",
      "status_code": 200
    }
  }
}

Rules and roles

A rule defines logical and search operations that apply to an incoming authorization context. Thus, when the Wazuh server API processes an authentication request via an authorization context, it checks all rules against it, granting the user any roles associated with the rules that yield an affirmative result.

Let's use the following authorization context to illustrate each operation within the rules and how it matches up to the examples:

{
    "name": "Initial_auth",
    "auth": {
        "name": "Wazuh",
        "office": ["20", "21", "30"]
    }
}

Search operations

The search operations in the rules are used to search in the authorization context for a specific object or string.

MATCH: This operation will search in the authorization context the structure indicated inside MATCH. An exact match is not necessary. I.e., in the following case, it will try to search for auth key and, within it, an office key whose value must contain the number 20:
```
{
    "MATCH": {
        "auth": {
            "office": "20"
        }
    }
}
```
MATCH$: This operation is the same as MATCH with the difference that it is strict in terms of content. It will be evaluated as False even if the clause is contained in a larger set (list) in the authorization context. The previous example would not be evaluated as True since the content of the auth key is not an exact match. To get this rule evaluated as True, it would be necessary to use the exact list of values:
```
{
    "MATCH$": {
        "auth": {
            "office": ["20", "21", "30"]
        }
    }
}
```
FIND: This operation is a recursive MATCH at all levels of the authorization context. In the MATCH case, the structure is searched at the root of the authorization context. In the FIND case, the structure will be searched at all depth levels. In the following example it is unneeded to specify the key auth because the FIND operation will search the key office inside all the authorization contexts:
```
{
    "FIND": {
        "office": "20"
    }
}
```
FIND$: This operation is a recursive MATCH$ at all depth levels of the authorization context. As with the MATCH$ operation, the exact list of values in the office key must be included if we want it to be evaluated as True. The name is optional as it depends on how specific it needs to be:
```
{
    "FIND$": {
        "name": "Wazuh",
        "office": ["20", "21", "30"]
    }
}
```

Logical operations

In defining rules for authorization contexts, logical operations play a crucial role. Here are the three core logical operations:

AND: Requires all contained clauses to be true for the overall expression to be true. For example:

{
    "AND": [
        {
            "MATCH$": {
                "name": "r'.+'"
            }
        },
        {
            "FIND": {
                "auth": {
                    "office": "20"
                }
            }
        }
    ]
}

OR: The result is true if at least one of the enclosed clauses is satisfied. For example:

{
    "OR": [
        {
            "MATCH$": {
                "name": "NameNotFound"
            }
        },
        {
            "FIND$": {
                "auth": {
                    "name": "Wazuh",
                    "office": ["20", "21", "30"]
                }
            }
        }
    ]
}

NOT: This operation inverts the result of the enclosed clause, resulting in it being true only if the enclosed clause is false. For example:

{
    "NOT": {
        "OR": [
            {
                "MATCH$": {
                    "name": "NameNotFound"
                }
            },
            {
                "FIND$": {
                    "auth": {
                        "name": "Wazuh",
                        "office": ["20", "30"]
                    }
                }
            }
        ]
    }
}

Advanced examples

Example 1

Consider the following rule that a user wants to match:

{
    "id": "1",
    "name": "Second",
    "rules": [{
      "OR": [
        {
          "FIND$": {
            "office": "r'^[0-9]+$'"
          }
        },
        {
          "AND": [
            {
              "MATCH": {
                "authLevel": "administrator",
                "department": "Technical"
              }
            }
          ]
        }
      ]
    }]
  }

Using the authorization context below, the user intends to gain the necessary permissions:
```
{
    "name": "Eleventh_auth",
    "auth": {
        "test": "New",
        "department": [
            "Technical1"
        ],
        "authLevel": [
            "basic1"
        ]
    },
    "authLevel": [
        "administrator"
    ],
    "department": [
        "Technical"
    ]
}
```
The OR operation in the rule contains two sub-operations: a FIND$ operation looking for an office key matching any positive number and an AND operation requiring a MATCH on both authLevel as administrator and department as Technical. The FIND$ operation fails due to the absence of the office key in the context, but the AND operation succeeds as the authorization context directly matches the required authLevel and department. Consequently, since one of the conditions within the OR operation succeeds, the rule matches, allowing the authorization process to proceed.

Example 2

Consider the following rule that a user wants to match:

{
    "id": "2",
    "name": "Second",
    "rules": [
        {
            "AND": [
                {
                    "MATCH": {
                        "office": "r'^[0-9]+$'"
                    }
                },
                {
                    "FIND": {
                        "r'^auth[a-zA-Z]+$'": [
                            "r'^admin[a-z0-9]+$'"
                        ],
                        "area": [
                            "agents"
                        ]
                    }
                },
                {
                    "OR": [
                        {
                            "MATCH$": {
                                "name": "Wazuh",
                                "office": "20"
                            }
                        },
                        {
                            "OR": [
                                {
                                    "FIND": {
                                        "department": [
                                            "Commercial"
                                        ]
                                    }
                                },
                                {
                                    "MATCH": {
                                        "authLevel": [
                                            "administrator"
                                        ],
                                        "department": [
                                            "Technical"
                                        ]
                                    }
                                }
                            ]
                        }
                    ]
                }
            ]
        }
    ]
}

For this match, the user utilizes the following authorization context:

{
    "name": "First_example",
    "auth": {
        "disabled": false,
        "name": "Wazuh",
        "office": "20",
        "department": [
            "Technical"
        ],
        "bindings": {
            "authLevel": [
                "basic",
                "advanced-agents",
                "administrator"
            ],
            "area": [
                "agents",
                "syscheck",
                "syscollector"
            ]
        },
        "test": {
            "new": {
                "test2": [
                    "new"
                ],
                "test3": {
                    "test4": [
                        "a",
                        "b",
                        "c",
                        "d4"
                    ]
                }
            },
            "test": "new2"
        }
    }
}

In this case, the outermost AND operation passes because the authorization context contains the key-value pair "office": "20". The FIND operation also meets the criteria with the help of the regular expression matching. The concluding OR operation contains a MATCH$ that is satisfied with the office value of 20 and the name of Wazuh at the root of the context. Since this clause evaluates to true, and it is within an OR operation, the overall OR operation yields true. As a result, the user's authorization context satisfies the rule.

RBAC Reference

RBAC policies consist of three elements: actions, resources, and effect. Each API endpoint involves one or more actions and can be performed on specific resources.

For example, the GET /agents endpoint is used to obtain the information of one or all agents. This endpoint applies the action agent:read on the resource agent:id or agent:group. For example, agent:id:001 (agent 001) or agent:id:* (all agents). All the existing resources, available actions, and the endpoints affected by each one can be found on this reference page.

This reference also contains a set of default roles and policies that can be immediately used instead of creating new ones.

Resources

Resources	Description	Example
:	References "any" or "all" resources across all scopes. Actions using these resources are called resourceless.
agent:group	Reference agents via group name. This resource is disaggregated into the agent's IDs belonging to the specified group.	agent:group:web
agent:id	Reference agents via agent ID	agent:id:001
group:id	Reference agent groups via group ID	group:id:default
node:id	Reference cluster node by node ID	node:id:worker1
decoder:file	Reference decoder file via its filename	decoder:file:0005-wazuh_decoders.xml
list:file	Reference list file via its filename	list:file:audit-keys
rule:file	Reference rule file via its filename	rule:file:0610-win-ms_logs_rules.xml
policy:id	Reference security policy via its ID	policy:id:1
role:id	Reference security role via its ID	role:id:1
rule:id	Reference security rule via its ID	rule:id:1
user:id	Reference security user via its ID	user:id:1

Actions

In each action, the affected endpoints are specified along with the necessary resources, following this structure: <Method> <Endpoint> (<Resource>).

Active_response

The /active-response endpoint of the Wazuh server API allows users to interact with the Wazuh Active Response module.

active-response:command

PUT /active-response (agent:id, agent:group)

Agent

The /agents endpoint of the Wazuh server API allows users to enroll and manage agents on the Wazuh server.

agent:create

agent:delete

DELETE /agents (agent:id, agent:group)

agent:modify_group

agent:reconnect

PUT /agents/reconnect (agent:id, agent:group)

agent:restart

agent:upgrade

agent:uninstall

GET /agents/uninstall (*:*)

Cluster

The /cluster endpoint of the Wazuh server API allows users to manage the configuration and health of the master node and the worker nodes in the Wazuh cluster.

Decoders

The /decoder endpoint of the Wazuh server API enables users to manage and retrieve information about the decoders included in the Wazuh server.

decoders:read

decoders:update

PUT /decoders/files/{filename} (*:*)

decoders:delete

Events

The /event endpoint of the Wazuh server API allows users to ingest security events to the Wazuh analysis engine.

event:ingest

POST /events (*:*)

Group

The /groups endpoint of the Wazuh server API enables users to group Wazuh agents into distinct subsets for centralized configurations.

group:create

POST /groups (*:*)

group:delete

DELETE /groups (group:id)

group:modify_assignments

group:read

group:update_config

PUT /groups/{group_id}/configuration (group:id)

Lists

The /lists endpoint of the Wazuh server API allows users to retrieve and manage the CDB lists that are used for checking malicious files on Wazuh agents.

lists:read

lists:update

PUT /lists/files/{filename} (*:*)

lists:delete

Logtest

The /logtest endpoint of the Wazuh server API allows users to test and verify new rules and decoders against provided log examples in the Wazuh analysis engine.

logtest:run

Manager

The /manager endpoint of the Wazuh server API enables users to manage and collect relevant information from the Wazuh manager.

manager:read_api_config

GET /manager/api/config (*:*)

manager:restart

PUT /manager/restart (*:*)

manager:update_config

PUT /manager/configuration (*:*)

MITRE

The /mitre endpoint of the Wazuh server API allows users to retrieve a high-level overview of the corresponding tactics and techniques from the MITRE ATT&CK database.

mitre:read

Rootcheck

The /rootcheck endpoint of the Wazuh server API enables users to interact with the Wazuh rootcheck module and retrieve results from the scans on the Wazuh agents.

rootcheck:clear

rootcheck:read

rootcheck:run

PUT /rootcheck (agent:id, agent:group)

Rules

The /rules endpoint of the Wazuh server API lets users manage and retrieve information about the Wazuh rules that are used to analyze incoming events and generate alerts.

rules:read

rules:update

PUT /rules/files/{filename} (*:*)

rules:delete

DELETE /rules/files/{filename} (rule:file)

SCA

The /sca endpoint of the Wazuh server API allows users to interact with the Wazuh SCA module and collect relevant SCA scan results from Wazuh agents.

sca:read

Security

The /security endpoint of the Wazuh server API enables administrators to manage security-related aspects within the Wazuh environment.

security:create_user

POST /security/users (*:*)

security:create

security:delete

security:edit_run_as

PUT /security/users/{user_id}/run_as (*:*)

security:read_config

GET /security/config (*:*)

security:read

security:revoke

PUT /security/user/revoke (*:*)

security:update_config

security:update

File integrity monitoring

The /syscheck endpoint of the Wazuh server API allows users to interact with the Wazuh File Integrity Monitoring module as it initiates routine scans and retrieves syscheck results.

syscheck:clear

syscheck:read

syscheck:run

PUT /syscheck (agent:id, agent:group)

Syscollector

The /syscollector endpoint of the Wazuh server API allows users to collect system information from monitored endpoints and send them to the Wazuh server.

syscollector:read

Task

The /tasks endpoint of the Wazuh server API enables users to get status information about the tasks performed by the Wazuh manager.

task:status

GET /tasks/status (*:*)

Vulnerability

The /vulnerability endpoint of the Wazuh server API allows users to perform vulnerability detector scans and collect relevant information about vulnerabilities from Wazuh agents. This API endpoint has been deprecated since version 4.7.

vulnerability:read

GET /vulnerability/{agent_id} (agent:id, agent:group) - Deprecated since version 4.7
GET /vulnerability/{agent_id}/last_scan (agent:id, agent:group) - Deprecated since version 4.7
GET /vulnerability/{agent_id}/summary/{field} (agent:id, agent:group) - Deprecated since version 4.7

vulnerability:run

PUT /vulnerability (*:*) - Deprecated since version 4.7

Default policies

agents_all_*

Grant full access to all agents related functionalities.

agents_all_resourceless:
  actions:
    - agent:create
    - group:create
    - agent:uninstall
  resources:
    - '*:*:*'
  effect: allow
agents_all_agents:
  actions:
    - agent:read
    - agent:delete
    - agent:modify_group
    - agent:reconnect
    - agent:restart
    - agent:upgrade
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
agents_all_groups:
  actions:
    - group:read
    - group:delete
    - group:update_config
    - group:modify_assignments
  resources:
    - group:id:*
  effect: allow

agents_commands_*

Allow sending active response commands to Wazuh agents.

agents_commands_agents:
  actions:
    - active-response:command
  resources:
    - agent:id:*
  effect: allow

agents_read_*

Grant read access to all agents related functionalities.

agents_read_agents:
  actions:
    - agent:read
  resources:
    - agent:id:*
    - agent:group:*
  effect: allow
agents_read_groups:
  actions:
    - group:read
  resources:
    - group:id:*
  effect: allow

cluster_all_*

Provide full access to all cluster/manager related functionalities.

cluster_all_resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
    - manager:update_config
    - manager:restart
  resources:
    - '*:*:*'
  effect: allow
cluster_all_nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
    - cluster:restart
    - cluster:update_config
  resources:
    - node:id:*
  effect: allow

cluster_read_*

Provide read access to all cluster/manager related functionalities.

cluster_read_resourceless:
  actions:
    - cluster:status
    - manager:read
    - manager:read_api_config
  resources:
    - '*:*:*'
  effect: allow
cluster_read_nodes:
  actions:
    - cluster:read_api_config
    - cluster:read
    - cluster:read_api_config
  resources:
    - node:id:*
  effect: allow

decoders_all_*

Allow managing all decoder files in the Wazuh server.

decoders_all_files:
  actions:
    - decoders:read
    - decoders:delete
  resources:
    - decoder:file:*
  effect: allow
decoders_all_resourceless:
  actions:
    - decoders:update
  resources:
    - '*:*:*'
  effect: allow

decoders_read_*

Allow reading all decoder files in the Wazuh server.

decoders_read_decoders:
  actions:
    - decoders:read
  resources:
    - decoder:file:*
  effect: allow

events_ingest_*

Allow sending events to the Wazuh analysis engine.

events_ingest_resourceless:
  actions:
    - event:ingest
  resources:
    - '*:*:*'
  effect: allow

lists_all_*

Allow managing all CDB lists files on the Wazuh server.

lists_all_files:
  actions:
    - lists:read
    - lists:delete
  resources:
    - list:file:*
  effect: allow
lists_all_resourceless:
  actions:
    - lists:update
  resources:
    - '*:*:*'
  effect: allow

lists_read_*

Allow reading the path of all the lists in the Wazuh server.

lists_read_lists:
  actions:
    - lists:read
  resources:
    - list:file:*
  effect: allow

logtest_all_*

Provide access to all logtest related functionalities.

logtest_all_logtest:
  actions:
    - logtest:run
  resources:
    - '*:*:*'
  effect: allow

mitre_read_*

Allow reading MITRE database information.

mitre_read_mitre:
  actions:
    - mitre:read
  resources:
    - '*:*:*'
  effect: allow

rootcheck_all_*

Allow reading, running and clearing rootcheck information.

rootcheck_all_rootcheck:
  actions:
    - rootcheck:clear
    - rootcheck:read
    - rootcheck:run
  resources:
    - agent:id:*
  effect: allow

rootcheck_read_*

Allow reading all rootcheck information.

rootcheck_read_rootcheck:
  actions:
    - rootcheck:read
  resources:
    - agent:id:*
  effect: allow

rules_all_*

Allow managing all rule files in the Wazuh server.

rules_all_files:
  actions:
    - rules:read
    - rules:delete
  resources:
    - rule:file:*
  effect: allow
rules_all_resourceless:
  actions:
    - rules:update
  resources:
    - '*:*:*'
  effect: allow

rules_read_*

Allow reading all rule files in the system.

rules_read_rules:
  actions:
    - rules:read
  resources:
    - rule:file:*
  effect: allow

sca_read_*

Allow reading the agent sca information.

sca_read_sca:
  actions:
    - sca:read
  resources:
    - agent:id:*
  effect: allow

security_all_*

Provide full access to all security related functionalities.

security_all_resourceless:
  actions:
    - security:create
    - security:create_user
    - security:edit_run_as
    - security:read_config
    - security:update_config
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
security_all_security:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - role:id:*
    - policy:id:*
    - user:id:*
    - rule:id:*
  effect: allow

syscheck_all_*

Allow reading, running and clearing syscheck information.

syscheck_all_syscheck:
  actions:
    - syscheck:clear
    - syscheck:read
    - syscheck:run
  resources:
    - agent:id:*
  effect: allow

syscheck_read_*

Allow reading syscheck information.

syscheck_read_syscheck:
  actions:
    - syscheck:read
  resources:
    - agent:id:*
  effect: allow

syscollector_read_*

Allow reading agents information.

syscollector_read_syscollector:
  actions:
    - syscollector:read
  resources:
    - agent:id:*
  effect: allow

task_status_*

Allow reading tasks information.

task_status_task:
  actions:
    - task:status
  resources:
    - '*:*:*'
  effect: allow

users_all_*

Provide full access to all users related functionalities.

users_all_resourceless:
  actions:
    - security:create_user
    - security:edit_run_as
    - security:revoke
  resources:
    - '*:*:*'
  effect: allow
users_all_users:
  actions:
    - security:read
    - security:update
    - security:delete
  resources:
    - user:id:*
  effect: allow

users_modify_run_as_*

Provides the capability to modify the users' run_as parameter.

users_modify_run_as_flag:
  actions:
    - security:edit_run_as
  resources:
    - '*:*:*'
  effect: allow

vulnerability_read_*

Allow reading agents' vulnerabilities information.

vulnerability_read_vulnerability:
  actions:
    - vulnerability:read
  resources:
    - agent:id:*
  effect: allow

vulnerability_run_*

Allow running a vulnerability detector scan.

vulnerability_run_resourceless:
  actions:
    - vulnerability:run
  resources:
    - '*:*:*'
  effect: allow

Default roles

administrator

The administrator role has full access to all endpoints in the Wazuh server API.

Policies

agents_all_*

agents_commands_*

cluster_all_*

decoders_all_*

lists_all_*

logtest_all_*

mitre_read_*

rootcheck_all_*

rules_all_*

sca_read_*

security_all_*

syscheck_all_*

syscollector_read_*

task_status_*

vulnerability_read_*

vulnerability_run_*

Rules

wui_elastic_admin

wui_opendistro_admin

agents_admin

The agent administrator role has full access to all agents related functionalities.

Policies

agents_all_*

agents_readonly

Read only role for agents related functionalities.

Policies

agents_read_*

cluster_admin

Manager administrator of the Wazuh server cluster, this role has full access to all manager related functionalities.

Policies

cluster_all_*

cluster_readonly

Read only role for manager related functionalities.

Policies

cluster_read_*

readonly

Read only role, this role can read all the information of the system.

Policies

agents_read_*

cluster_read_*

decoders_read_*

lists_read_*

mitre_read_*

rootcheck_read_*

rules_read_*

sca_read_*

syscheck_read_*

syscollector_read_*

vulnerability_read_*

users_admin

Users administrator of the system, this role provides full access to all users related functionalities.

Policies

users_all_*

Default rules

Warning

run_as permissions through these mapping rules can only be obtained with wazuh-wui user. These rules will never match an authorization context for any other Wazuh server API user.

wui_elastic_admin

Administrator permissions for the elastic users of the Wazuh dashboard.

rule:
    FIND:
        username: "elastic"

wui_opendistro_admin

Administrator permissions for the opendistro users of the Wazuh dashboard.

rule:
    FIND:
        user_name: "admin"

Filtering data using Wazuh Query Language (WQL)

Advance filtering is possible using the Wazuh API's queries. Queries are specified using the q parameter. A query has the following structure:

Field name: Field name to filter by. If an incorrect field name is used, an error will be raised.
Operator: Operator to filter by:
- =: equality.
- !=: not equality.
- <: smaller.
- >: bigger.
- ~: like as.
- (): grouping operators.
Value: Value to filter by.
Separator: Operator to join multiple "queries":
- ,: represents an OR.
- ;: represents an AND.

Note

Reserved characters need to be percent-encoded, especially semicolons (; → %3B). You can use --data-urlencode inside cURL to make the process easier.

Examples

For example, to filter Ubuntu agents with a version higher than 18, the following query would be used. Remember that the value of the parameter q is being encoded with --data-urlencode:

# curl -G --data-urlencode "q=os.name=ubuntu;os.version>18" -k -X GET "https://localhost:55000/agents?limit=500&pretty=true&select=id,name,os.name,os.version,os.codename,os.major" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-master",
            "id": "000"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-agent4",
            "id": "004"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-agent5",
            "id": "005"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-agent6",
            "id": "006"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-agent7",
            "id": "007"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-agent8",
            "id": "008"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.2 LTS"
            },
            "name": "wazuh-agent9",
            "id": "009"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.2 LTS"
            },
            "name": "wazuh-agent10",
            "id": "010"
         }
      ],
      "total_affected_items": 8,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

The same field can be used multiple times to get a more accurate result. For example, filtering agents with a version higher than Ubuntu 18 but lower than Ubuntu 18.04.4:

# curl -G --data-urlencode "q=os.name=ubuntu;os.version>18;os.version<18.04.4" -k -X GET "https://localhost:55000/agents?limit=500&pretty=true&select=id,name,os.name,os.version,os.codename,os.major" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.2 LTS"
            },
            "name": "wazuh-agent9",
            "id": "009"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.2 LTS"
            },
            "name": "wazuh-agent10",
            "id": "010"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

An example of using the OR (,) operator and LIKE AS (~) can be filtering agents whose operating system name contains windows or centos.

# curl -G --data-urlencode "q=os.name~centos,os.name~windows" -k -X GET "https://localhost:55000/agents?limit=500&pretty=true&select=id,name,os.name,os.version,os.codename,os.major" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "os": {
               "major": "6",
               "name": "Microsoft Windows 7 Ultimate Edition Professional Service Pack 1",
               "version": "6.1.7601"
            },
            "name": "jmv74211-PC",
            "id": "013"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Getting the ubuntu agents with id other than 0 and lower than 4, whose name contains the substring waz and whose major version is 16 or 18, is an example that involves multiple operators at the same time:

# curl -G --data-urlencode "q=id!=0;id<4;name~waz;(os.major=16,os.major=18)" -k -X GET "https://localhost:55000/agents?limit=500&pretty=true&select=id,name,os.name,os.version,os.codename,os.major" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "os": {
               "codename": "Xenial Xerus",
               "major": "16",
               "name": "Ubuntu",
               "version": "16.04.6 LTS"
            },
            "name": "wazuh-agent1",
            "id": "001"
         },
         {
            "os": {
               "codename": "Xenial Xerus",
               "major": "16",
               "name": "Ubuntu",
               "version": "16.04.6 LTS"
            },
            "name": "wazuh-agent2",
            "id": "002"
         },
         {
            "os": {
               "codename": "Xenial Xerus",
               "major": "16",
               "name": "Ubuntu",
               "version": "16.04.6 LTS"
            },
            "name": "wazuh-agent3",
            "id": "003"
         }
      ],
      "total_affected_items": 3,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Getting agents with an ID higher than 007 that run on Windows or whose operating system major version is either 14 or 18:

# curl -G --data-urlencode "q=id>007;(os.name~windows,(os.major=14,os.major=18))" -k -X GET "https://localhost:55000/agents?limit=500&pretty=true&select=id,name,os.name,os.version,os.codename,os.major" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-agent8",
            "id": "008"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.2 LTS"
            },
            "name": "wazuh-agent9",
            "id": "009"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.2 LTS"
            },
            "name": "wazuh-agent10",
            "id": "010"
         },
         {
            "os": {
               "major": "6",
               "name": "Microsoft Windows 7 Ultimate Edition Professional Service Pack 1",
               "version": "6.1.7601"
            },
            "name": "jmv74211-PC",
            "id": "013"
         }
      ],
      "total_affected_items": 4,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Use cases

This section provides several use cases to demonstrate some of the potentials of the Wazuh server API. You can find details about all possible API requests in the reference section.

Exploring the ruleset

Often when an alert fires, it is helpful to know details about the rule itself. The following request enumerates the attributes of rule 1002:

# curl -k -X GET "https://localhost:55000/rules?rule_ids=1002&pretty=true" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "filename": "0020-syslog_rules.xml",
            "relative_dirname": "ruleset/rules",
            "id": 1002,
            "level": 2,
            "status": "enabled",
            "details": {
               "match": {
                  "pattern": "core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted"
                }
            },
            "pci_dss": [],
            "gpg13": [
               "4.4"
            ],
            "gdpr": [],
            "hipaa": [],
            "nist_800_53": [],
            "groups": [
               "syslog",
               "errors"
            ],
            "description": "Unknown problem somewhere in the system."
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected rules were returned",
   "error": 0
}

It can also be helpful to know which rules matching a specific criteria are available. For example, you can view all the rules in the web group, with a PCI tag of 10.6.1, and containing the word failures with the command below:

# curl -k -X GET "https://localhost:55000/rules?pretty=true&limit=500&search=failures&group=web&pci_dss=10.6.1" -H  "Authorization: Bearer $TOKEN"

{
  "data": {
    "affected_items": [
      {
        "filename": "0260-nginx_rules.xml",
        "relative_dirname": "ruleset/rules",
        "id": 31316,
        "level": 10,
        "status": "enabled",
        "details": {
          "frequency": "8",
          "timeframe": "240",
          "if_matched_sid": "31315",
          "same_source_ip": "",
          "mitre": "\n      "
        },
        "pci_dss": [
          "10.6.1",
          "10.2.4",
          "10.2.5",
          "11.4"
        ],
        "gpg13": [
          "7.1"
        ],
        "gdpr": [
          "IV_35.7.d",
          "IV_32.2"
        ],
        "hipaa": [
          "164.312.b"
        ],
        "nist_800_53": [
          "AU.6",
          "AU.14",
          "AC.7",
          "SI.4"
        ],
        "groups": [
          "authentication_failures",
          "tsc_CC7.2",
          "tsc_CC7.3",
          "tsc_CC6.1",
          "tsc_CC6.8",
          "nginx",
          "web"
        ],
        "description": "Nginx: Multiple web authentication failures."
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All selected rules were returned",
  "error": 0
}

Testing rules and decoders

You can use the Wazuh server API to start a wazuh-logtest session or use an existing session for testing and validating custom or default rules and decoders. The following request creates a logtest session and displays matching rules and decoders for the provided log. It also reveals the predecoding phase, alongside other information.

# curl -k -X PUT "https://localhost:55000/logtest" -H  "Authorization: Bearer $TOKEN" -H  "Content-Type: application/json" -d "{\"event\":\"Jun 29 15:54:13 focal multipathd[557]: sdb: failed to get sysfs uid: No data available\",\"log_format\":\"syslog\",\"location\":\"user->/var/log/syslog\"}"

{
  "error": 0,
  "data": {
    "token": "bc3ca27a",
    "messages": [
      "WARNING: (7309): 'null' is not a valid token",
      "INFO: (7202): Session initialized with token 'bc3ca27a'"
    ],
    "output": {
      "timestamp": "2020-10-15T09:40:53.630+0000",
      "rule": {
        "level": 0,
        "description": "FreeIPA messages grouped",
        "id": "82202",
        "firedtimes": 1,
        "mail": false,
        "groups": [
          "freeipa"
        ]
      },
      "agent": {
        "id": "000",
        "name": "wazuh-master"
      },
      "manager": {
        "name": "wazuh-master"
      },
      "id": "1602754853.1000774",
      "cluster": {
        "name": "wazuh",
        "node": "master-node"
      },
      "full_log": "Jun 29 15:54:13 focal multipathd[557]: sdb: failed to get sysfs uid: No data available",
      "predecoder": {
        "program_name": "multipathd",
        "timestamp": "Jun 29 15:54:13",
        "hostname": "focal"
      },
      "decoder": {
        "name": "freeipa"
      },
      "location": "user->/var/log/syslog"
    },
    "alert": false,
    "codemsg": 1
  }
}

Analyzing the File Integrity Monitoring (FIM) database of a Wazuh agent

You can utilize the Wazuh server API to display information about all files monitored by the Wazuh FIM module. The following example shows all events associated with Python .py files installed on a monitored endpoint with agent ID 001:

# curl -k -X GET "https://localhost:55000/syscheck/001?pretty=true&search=.py" -H  "Authorization: Bearer $TOKEN"

{
  "data": {
    "affected_items": [
      {
        "file": "/etc/python2.7/sitecustomize.py",
        "perm": "rw-r--r--",
        "sha1": "67b0a8ccf18bf5d2eb8c7f214b5a5d0d4a5e409d",
        "changes": 1,
        "md5": "d6b276695157bde06a56ba1b2bc53670",
        "inode": 29654607,
        "size": 155,
        "uid": "0",
        "gname": "root",
        "mtime": "2020-04-15T17:20:14Z",
        "sha256": "43d81125d92376b1a69d53a71126a041cc9a18d8080e92dea0a2ae23be138b1e",
        "date": "2020-05-25T14:28:41Z",
        "uname": "root",
        "type": "file",
        "gid": "0"
      },
      {
        "file": "/etc/python3.6/sitecustomize.py",
        "perm": "rw-r--r--",
        "sha1": "67b0a8ccf18bf5d2eb8c7f214b5a5d0d4a5e409d",
        "changes": 1,
        "md5": "d6b276695157bde06a56ba1b2bc53670",
        "inode": 29762235,
        "size": 155,
        "uid": "0",
        "gname": "root",
        "mtime": "2020-04-18T01:56:04Z",
        "sha256": "43d81125d92376b1a69d53a71126a041cc9a18d8080e92dea0a2ae23be138b1e",
        "date": "2020-05-25T14:28:41Z",
        "uname": "root",
        "type": "file",
        "gid": "0"
      }
    ],
    "total_affected_items": 2,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "FIM findings of the agent were returned",
  "error": 0
}

You can find a file using its SHA1 or MD5 hash. In the following examples, we retrieve the same using both its SHA1 and MD5 hash:

# curl -k -X GET "https://localhost:55000/syscheck/001?pretty=true&hash=bc929cb047b79d5c16514f2c553e6b759abfb1b8" -H  "Authorization: Bearer $TOKEN"

{
  "data": {
    "affected_items": [
      {
        "file": "/sbin/swapon",
        "perm": "rwxr-xr-x",
        "sha1": "bc929cb047b79d5c16514f2c553e6b759abfb1b8",
        "changes": 1,
        "md5": "085c1161d814a8863562694b3819f6a5",
        "inode": 14025822,
        "size": 47184,
        "uid": "0",
        "gname": "root",
        "mtime": "2020-01-08T18:31:23Z",
        "sha256": "f274025a1e4870301c5678568ab9519152f49d3cb907c01f7c71ff17b1a6e870",
        "date": "2020-05-25T14:29:44Z",
        "uname": "root",
        "type": "file",
        "gid": "0"
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "FIM findings of the agent were returned",
  "error": 0
}

# curl -k -X GET "https://localhost:55000/syscheck/001?pretty=true&hash=085c1161d814a8863562694b3819f6a5" -H  "Authorization: Bearer $TOKEN"

{
  "data": {
    "affected_items": [
      {
        "file": "/sbin/swapon",
        "perm": "rwxr-xr-x",
        "sha1": "bc929cb047b79d5c16514f2c553e6b759abfb1b8",
        "changes": 1,
        "md5": "085c1161d814a8863562694b3819f6a5",
        "inode": 14025822,
        "size": 47184,
        "uid": "0",
        "gname": "root",
        "mtime": "2020-01-08T18:31:23Z",
        "sha256": "f274025a1e4870301c5678568ab9519152f49d3cb907c01f7c71ff17b1a6e870",
        "date": "2020-05-25T14:29:44Z",
        "uname": "root",
        "type": "file",
        "gid": "0"
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "FIM findings of the agent were returned",
  "error": 0
}

Getting information about the manager

You can retrieve various details about the Wazuh manager through the Wazuh server API. These details include configuration, status, logs, and more. The following example demonstrates how to retrieve the status of each Wazuh daemon:

# curl -k -X GET "https://localhost:55000/manager/status?pretty=true" -H  "Authorization: Bearer $TOKEN"

{
  "data": {
    "affected_items": [
      {
        "wazuh-analysisd": "running",
        "wazuh-authd": "running",
        "wazuh-monitord": "running",
        "wazuh-execd": "running",
        "wazuh-logcollector": "running",
        "wazuh-remoted": "running",
        "wazuh-syscheckd": "running",
        "wazuh-clusterd": "running",
        "wazuh-modulesd": "running",
        "wazuh-db": "running",
        "wazuh-apid": "stopped"
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Processes status were successfully read in specified node",
  "error": 0
}

You can dump the Wazuh manager current configuration with the request below (the response is shortened for brevity):

# curl -k -X GET "https://localhost:55000/manager/configuration?pretty=true&section=global" -H  "Authorization: Bearer $TOKEN"

{
  "data": {
    "affected_items": [
      {
        "global": {
          "jsonout_output": "yes",
          "alerts_log": "yes",
          "logall": "no",
          "logall_json": "no",
          "email_notification": "yes",
          "email_to": "me@test.example",
          "smtp_server": "mail.test.example",
          "email_from": "wazuh@test.example",
          "email_maxperhour": "12",
          "email_log_source": "alerts.log",
          "white_list": [
            "127.0.0.1",
            "^localhost.localdomain$",
            "8.8.8.8",
            "8.8.4.4"
          ]
        }
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Configuration was successfully read in specified node",
  "error": 0
}

Exploring Wazuh agent management

You can use the Wazuh server API to manage the Wazuh agents.

The following request enumerates two active agents:

# curl -k -X GET "https://localhost:55000/agents?pretty=true&offset=1&limit=2&select=status%2Cid%2Cmanager%2Cname%2Cnode_name%2Cversion&status=active" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "manager": "centos8a",
            "name": "ag-centos9s",
            "id": "001",
            "node_name": "wazuh-1",
            "status": "active",
            "version": "Wazuh v4.12.0"
         },
         {
            "manager": "centos8b",
            "name": "ag-ubuntu22",
            "id": "002",
            "node_name": "wazuh-2",
            "status": "active",
            "version": "Wazuh v4.12.0"
         }
      ],
      "total_affected_items": 3,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Add a new Wazuh agent by sending an API request with the agent name and its IP address:

# curl -k -X POST "https://localhost:55000/agents?pretty=true" -H  "Authorization: Bearer $TOKEN" -H  "Content-Type: application/json" -d "{\"name\":\"NewHost\",\"ip\":\"10.0.10.11\"}"

{
  "data": {
    "id": "013",
    "key": "MDEzIE5ld0hvc3RfMiAxMC4wLjEwLjEyIDkzOTE0MmE4OTQ4YTNlMzA0ZTdiYzVmZTRhN2Q4Y2I1MjgwMWIxNDI4NWMzMzk3N2U5MWU5NGJiMDc4ZDEzNjc="
  },
  "error": 0
}

Ingest security events

You can utilize the Wazuh server API to ingest security events into the Wazuh manager for analysis.

There's a limit of 30 requests per minute and 100 events per request. This limit prevents endpoints from ingesting large amounts of data too fast. Check max_request_per_minute to lower this limit even further or disable the feature.

# curl -k -X POST "https://localhost:55000/events" -H  "Authorization: Bearer $TOKEN" -H  "Content-Type: application/json" -d '{"events": ["Event value 1", "{\"someKey\": \"Event value 2\"}"]}'

{
  "data": {
    "affected_items": [

    ],
    "total_affected_items": 2,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All events were forwarded to analisysd",
  "error": 0
}

Conclusion

In conclusion, these examples showcase the capabilities of the Wazuh API. Explore the reference document to discover the full range of available Wazuh server API requests.

Reference

Wazuh indexer

The Wazuh indexer is a real-time, full-text search and analytics engine for security data. Log data ingested into the Wazuh server is analyzed and forwarded to the indexer for indexing and storage. These events are then queried on the Wazuh dashboard.

The Wazuh indexer stores data as JSON documents. Each document associates a set of keys, field names, or attributes with their corresponding values, which can be characters, numbers, booleans, dates, arrays of values, geolocations, or other kinds of data.

The Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. It distributes documents across different containers, known as shards. In turn, it distributes these shards across cluster nodes. By distributing the documents across multiple shards and distributing those shards across multiple nodes, the Wazuh indexer ensures redundancy. Redundancy ensures the Wazuh indexer's availability in the event of a failure and boosts query capacity across cluster nodes.

Contents

Wazuh indexer indices

An index is a collection of documents that relate to each other. The Wazuh indexer uses indices to store and organize security data for fast retrieval. Wazuh uses the following index patterns to store this data:

wazuh‑alerts-* - This is the index pattern for alerts generated by the Wazuh server.
wazuh‑archives-* - This is the index pattern for all events sent to the Wazuh server.
wazuh‑monitoring-* - This is the index pattern for the status of the Wazuh agents.
wazuh‑statistics-* - This is the index pattern that shows the performance metrics of the Wazuh server. It contains information that shows how many events are received, processed and dropped by the Wazuh server.
wazuh-states-vulnerabilities-* - This is the index pattern for information about vulnerabilities detected in the endpoints being monitored.
wazuh-states-inventory-hardware-* - This is the index pattern for basic information about hardware components on a monitored endpoint.
wazuh-states-inventory-hotfixes-* - This is the index pattern for updates installed on a Windows endpoint. The Wazuh vulnerability detection module uses this to discover what vulnerabilities have been patched on a Windows endpoint.
wazuh-states-inventory-interfaces-* - This is the index pattern for up and down status information, and packet transfer information about network interfaces on a monitored endpoint.
wazuh-states-inventory-networks-* - This is the index pattern for IPv4 and IPv6 addresses associated with each network interface on a monitored endpoint.
wazuh-states-inventory-packages-* - This is the index pattern for currently installed software packages on an endpoint.
wazuh-states-inventory-ports-* - This is the index pattern for open network ports on a monitored endpoint.
wazuh-states-inventory-processes-* - This is the index pattern for system processes running on a monitored endpoint.
wazuh-states-inventory-protocols-* - This is the index pattern for network routing configuration details and protocols for each network interface on a monitored endpoint.
wazuh-states-inventory-system-* - This is the index pattern for information on the operating system, hostname, and architecture on a monitored endpoint.
wazuh-states-inventory-browser-extensions-* - This is the index pattern for information about browser extensions on a monitored endpoint.
wazuh-states-inventory-services-* - This is the index pattern for information about system services on a monitored endpoint.
wazuh-states-inventory-groups-* - This is the index pattern for information about user groups on a monitored endpoint.
wazuh-states-inventory-users-* - This is the index pattern for information about user accounts on a monitored endpoint.

You can create a custom index pattern or modify the default index patterns.

Creating custom index pattern

This section describes how to create a custom index pattern, for example, my-custom-alerts-*, alongside the default pattern, wazuh-alerts-*. Switch to the root user and perform the steps below.

Stop the Filebeat service:
```
# systemctl stop filebeat
```

Download the Wazuh template and save it into a file (for example, template.json):

# curl -so template.json https://raw.githubusercontent.com/wazuh/wazuh/v5.0.0/extensions/elasticsearch/7.x/wazuh-template.json

Open the template file and locate this line at the beginning of the file:
```
"index_patterns": [
  "wazuh-alerts-4.x-*",
  "wazuh-archives-4.x-*"
],
```
Add your custom pattern to look like this:
```
"index_patterns": [
  "wazuh-alerts-4.x-*",
  "wazuh-archives-4.x-*",
  "my-custom-alerts-*"
],
```
The asterisk character (*) on the index patterns is important because Filebeat will create indices using a name that follows this pattern, which is necessary to apply the proper format to visualize the alerts on the Wazuh dashboard.
Save the modifications and insert the new template into the Wazuh indexer. This will replace the existing template:
```
# curl -XPUT -k -u <INDEXER_USERNAME>:<INDEXER_PASSWORD> 'https://<INDEXER_IP_ADDRESS>:9200/_template/wazuh' -H 'Content-Type: application/json' -d @template.json
```
Replace:
- <INDEXER_IP_ADDRESS> with the IP address of your Wazuh indexer
- <INDEXER_USERNAME> and <INDEXER_PASSWORD> with the Wazuh indexer username and password. You can obtain the Wazuh indexer credentials for fresh deployments using the command:
  
  Note
  
  If using the Wazuh OVA, use the default credentials admin:admin or refer to the password management section.
```
# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
```
```
{"acknowledged":true}
```
Note

{"acknowledged":true} indicates that the template was inserted correctly.

Warning

Perform step 5 only if you want to replace the default alert index pattern wazuh-alerts-* and/or the default archive index pattern wazuh‑archives-* with my-custom-alerts-*.
Open the Wazuh alerts configuration file /usr/share/filebeat/module/wazuh/alerts/manifest.yml and optionally the archives file /usr/share/filebeat/module/wazuh/archives/manifest.yml and replace the index name.

For example, from:
```
- name: index_prefix
  default: wazuh-alerts-
```
To this:
```
- name: index_prefix
  default: my-custom-alerts-
```
Note

The index name must not contain the characters #, \, /, *, ?, ", <, >, |, ,, and must not start with _, -, or +. Also, all the letters must be lowercase.
(Optional) If you want to use the new index pattern by default, open the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file and add the below configuration:
```
pattern: my-custom-alerts-*
```
This will make the Wazuh server automatically create and/or select the new index pattern.

Restart Filebeat and the Wazuh server components:

# systemctl restart filebeat
# systemctl restart wazuh-manager
# systemctl restart wazuh-indexer
# systemctl restart wazuh-dashboard

Warning

If you already have indices created with the previous name, they won't be changed. You can still change to the previous index pattern to see them, or you can perform reindexing to rename the existing indices.

Checking indices information

You can check for information about Wazuh indices in two ways.

Using the web user interface.
Making a request to the Wazuh indexer API.

Using the web user interface

In the Wazuh dashboard upper left menu ☰, go to Indexer management > Index Management.
Click on Indices.

If the pattern is not present in the Wazuh dashboard, create a new one using the index pattern used in the template my-custom-alerts-*, and make sure to use timestamp as the Time Filter field name.

Using the Wazuh indexer API

You can query the indices information using the Wazuh indexer API from the Wazuh dashboard or the Wazuh server.

Wazuh dashboard

Navigate to ☰ > Indexer management > Dev Tools:
```
GET /_cat/indices/wazuh-*?v
```

Command line interface

Obtain the Wazuh indexer username and password for fresh deployments using the below command:
```
# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
```
Note

If using the Wazuh OVA, use the default credentials admin:admin or refer to the password management section.

Run the following command to query your index status. Replace <INDEXER_USERNAME> and <INDEXER_PASSWORD> with the username and password obtained. Replace <INDEXER_IP_ADDRESS> with your Wazuh indexer IP address or FQDN. You can replace wazuh-* with a more specific pattern for your query, such as wazuh-alerts-*.

# curl -k -u <INDEXER_USERNAME>:<INDEXER_PASSWORD> https://<INDEXER_IP_ADDRESS>:9200/_cat/indices/wazuh-*?v

health status index                       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-statistics-2023.30w   xtHZtGqBR0WNJWbs5sjrnQ   1   0       2394            0      1.2mb          1.2mb
green  open   wazuh-alerts-4.x-2023.07.28 VbBfAasJTsiqw3lwRhY5sg   3   0        513            0      1.9mb          1.9mb
green  open   wazuh-alerts-4.x-2023.07.27 7s2x8INqRVmtz5uqMDuA7Q   3   0        515            0        2mb            2mb
green  open   wazuh-alerts-4.x-2023.07.05 0h4cyLJoQYiMvMnqyLDnag   3   0         49            0    370.4kb        370.4kb
green  open   wazuh-alerts-4.x-2023.07.07 kp_N4c7RRuOE91KkuqPuAw   3   0         98            0    397.7kb        397.7kb
green  open   wazuh-alerts-4.x-2023.07.29 rbAC4befS7epxOjiSzFRQQ   3   0       1717            0      3.9mb          3.9mb
green  open   wazuh-monitoring-2023.31w   1WwxsGQHRfG1_DOIZD-Lag   1   0        954            0    771.9kb        771.9kb
green  open   wazuh-alerts-4.x-2023.07.20 SQbaQC24SgO9eWO_AsBI_w   3   0       1181            0      2.8mb          2.8mb
green  open   wazuh-statistics-2023.28w   jO52bS6eRamtB2YNmfGzIA   1   0        676            0    501.1kb        501.1kb

The wazuh‑alerts-* indices

The Wazuh server analyzes events received from monitored endpoints and generates alerts when the events match a detection rule. These alerts are saved using the wazuh-alerts-* indices.

The Wazuh server logs the alert data into the /var/ossec/logs/alerts/alerts.json and /var/ossec/logs/alerts/alerts.log files by default. Once saved in the /var/ossec/logs/alerts/alerts.json file, it forwards the JSON alert document to the Wazuh indexer API for indexing. The indexed files are stored in the /var/lib/wazuh-indexer/nodes/0/indices directory of the Wazuh indexer.

When forwarding alerts to the Wazuh indexer, the Wazuh server formats the current date into an index name. For example, the Wazuh server will define the index names wazuh-alerts-4.x-2023.03.17 and wazuh-alerts-4.x-2023.03.18 for March 17th and 18th alerts, respectively. The Wazuh indexer then creates alert indices using the defined wazuh‑alerts-* index names.

You can modify the default index name in the /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json file of the Wazuh server. To do this, navigate to the date_index_name field and date_rounding key to change the default index name formatting in the /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json file:

{
  "description": "Wazuh alerts pipeline",
  "processors": [
     { "json" : { "field" : "message", "add_to_root": true } },
     {
     "geoip": {
     "field": "data.srcip",
     "target_field": "GeoLocation",
     "properties": ["city_name", "country_name", "region_name", "location"],
     "ignore_missing": true,
     "ignore_failure": true
     }
     },
     {
     "geoip": {
     "field": "data.win.eventdata.ipAddress",
     "target_field": "GeoLocation",
     "properties": ["city_name", "country_name", "region_name", "location"],
     "ignore_missing": true,
     "ignore_failure": true
     }
     },
     {
     "geoip": {
     "field": "data.aws.sourceIPAddress",
     "target_field": "GeoLocation",
     "properties": ["city_name", "country_name", "region_name", "location"],
     "ignore_missing": true,
     "ignore_failure": true
     }
     },
     {
     "geoip": {
     "field": "data.gcp.jsonPayload.sourceIP",
     "target_field": "GeoLocation",
     "properties": ["city_name", "country_name", "region_name", "location"],
     "ignore_missing": true,
     "ignore_failure": true
     }
     },
     {
     "geoip": {
     "field": "data.office365.ClientIP",
     "target_field": "GeoLocation",
     "properties": ["city_name", "country_name", "region_name", "location"],
     "ignore_missing": true,
     "ignore_failure": true
     }
     },
     {
     "date": {
     "field": "timestamp",
     "target_field": "@timestamp",
     "formats": ["ISO8601"],
     "ignore_failure": false
     }
     },
     {
     "date_index_name": {
     "field": "timestamp",
     "date_rounding": "d",
     "index_name_prefix": "{{fields.index_prefix}}",
     "index_name_format": "yyyy.MM.dd",
     "ignore_failure": false
     }
     },
     { "remove": { "field": "message", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "ecs", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "beat", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "input_type", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "tags", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "count", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "@version", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "log", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "offset", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "type", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "host", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "fields", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "event", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "fileset", "ignore_missing": true, "ignore_failure": true } },
     { "remove": { "field": "service", "ignore_missing": true, "ignore_failure": true } }
  ],
  "on_failure" : [{
     "drop" : { }
  }]
}

Where the values:

M - stands for month
w - stands for week
d - stands for day

The wazuh‑archives-* indices

In addition to logging alerts to the /var/ossec/logs/alerts/alerts.json and /var/ossec/logs/alerts/alerts.log files, you can enable the Wazuh archives to log and index all the events the Wazuh server receives. This includes events that are analyzed by Wazuh and events that do not trigger alerts.

Storing and indexing all events might be useful for later analysis and compliance requirements. However, you must consider that enabling logging and indexing of all events will increase the storage requirement on the Wazuh server.

By default, the Wazuh indexer creates event indices for each unique day. You can modify the default index name in the /usr/share/filebeat/module/wazuh/archives/ingest/pipeline.json file of the Wazuh server. To do this:

Navigate to the date_index_name field.
Locate the date_rounding key and change the default index name formatting in the /usr/share/filebeat/module/wazuh/archives/ingest/pipeline.json file.

The sections below provide details on how to enable the wazuh archives and set up the wazuh-archives-* indices.

Enabling Wazuh archives

Edit /var/ossec/etc/ossec.conf on the Wazuh server and set the <logall_json> line to yes. This enables logging to archives.json of all events. Forwarding to the Wazuh indexer requires the logging of all events in JSON format.
```
<logall_json>yes</logall_json>
```

Restart the Wazuh manager to make the change effective.

# systemctl restart wazuh-manager

# service wazuh-manager restart

Edit /etc/filebeat/filebeat.yml and change enabled to true in the archives mapping. This enables events to be forwarded to the Wazuh indexer.
```
filebeat.modules:
 - module: wazuh
  alerts:
   enabled: true
  archives:
   enabled: true
```
Restart the Filebeat service to apply the change:
```
# systemctl restart filebeat
```

Test that the Filebeat service works properly:

# filebeat test output

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2

Defining the index pattern

In the Wazuh dashboard upper left menu ☰, go to Dashboard management > Dashboard Management and click Index Patterns.
Click on Create index pattern.
Set wazuh-archives-* as the Index pattern name. This defines the index pattern to match the events being forwarded and indexed. Click on Next step.
Select timestamp for the Time field.

Note

Be careful to choose timestamp instead of @timestamp.
Click on Create index pattern.

Viewing the index pattern

Click Explore on the upper left menu ☰, and then click Discover.
Select wazuh-archives-* to view the events.

The wazuh-monitoring-* indices

The connection status of an enrolled Wazuh agent at any moment is one of the following:

Active
Disconnected
Pending
Never connected

Wazuh stores a history of the connection status of all its agents. By default, it indexes the agent connection status using the wazuh‑monitoring-* indices.

The Wazuh dashboard requires these indices to display information about agent status. For example, by clicking ☰ > Agents management > Summary, you can see information such as the Wazuh agent's connection status and historical evolution within set timeframes.

The wazuh‑statistics-* indices

The Wazuh dashboard uses the wazuh‑statistics-* indices to display statistics about the Wazuh server usage and performance. The information displayed includes the number of events decoded, bytes received, and TCP sessions.

To visualize this information in the Wazuh dashboard, go to Server management > Statistics.

The wazuh-states-vulnerabilities-* indices

The wazuh-states-vulnerabilities-* index is used in Wazuh to store data related to the vulnerability state of monitored assets. This index typically contains information about vulnerabilities detected on monitored endpoints, including details such as the severity, status, affected software, and vulnerability reference. The * at the end of the index pattern allows for the creation of multiple indices with similar names, segmented by time or other factors. This enables efficient storage and retrieval of vulnerability data over time.

To visualize this information in the Wazuh dashboard, click on Vulnerability Detection from the Wazuh dashboard home page.

The wazuh-states-inventory-hardware-* indices

The wazuh-states-inventory-hardware-* index contains the baseline hardware inventory collected from monitored endpoints. Each document in this index represents details about the endpoint's hardware components, such as CPU and memory.

This index provides security teams and administrators with visibility into the underlying hardware of each endpoint. By tracking this information, Wazuh makes it possible to detect hardware changes, validate asset configurations, and support compliance or auditing efforts.

Since hardware details rarely change under normal circumstances, unexpected modifications captured in this index can serve as a signal for anomalies. For example, if you navigate to IT Hygiene > System > Hardware, you will see information relating to the hardware.

The wazuh-states-inventory-hotfixes-* indices

The wazuh-states-inventory-hotfixes-* index stores information about Windows updates (hotfixes) installed on monitored endpoints. Each entry in this index corresponds to a specific update, including details such as the hotfix identifier, description, and installation date.

This index is closely related to the Wazuh vulnerability detection module. By cross-referencing installed hotfixes with known vulnerability databases, Wazuh can determine which vulnerabilities have already been patched and which ones remain unpatched on an endpoint.

Beyond vulnerability management, this index also helps administrators to verify system update compliance, audit patch history, and ensure that critical updates are consistently applied across their environment.

To find information relating to the hotfixes on Windows endpoints, navigate to IT Hygiene > Software > Windows KBs.

The wazuh-states-inventory-interfaces-* indices

The wazuh-states-inventory-interfaces-* index stores detailed information about the network interfaces on monitored endpoints. Each document records attributes such as interface status (up or down), MAC address, and packet transfer statistics.

This index gives administrators visibility into the networking interfaces on their systems. By tracking interface activity and configuration changes, we detect unusual behavior such as interfaces going down unexpectedly, new interfaces appearing, or abnormal packet transfer patterns.

In addition to aiding security investigations, this index is also useful for operational monitoring, capacity planning, and verifying that network configurations remain consistent with organizational standards.

To find information relating to an endpoint's network interface, navigate to IT Hygiene > Network > Interfaces.

The wazuh-states-inventory-networks-* indices

The wazuh-states-inventory-networks-* index contains information about the IPv4 and IPv6 addresses assigned to network interfaces on monitored endpoints. Each record shows details on the interface to IP address mapping, enabling visibility into how an endpoint is connected to the network.

This index is valuable for tracking changes in network configurations, such as new IP addresses being assigned and old ones being removed. Such changes can indicate legitimate reconfiguration, but they may also point to misconfigurations or suspicious activity.

By maintaining this inventory, Wazuh helps administrators validate network settings, support compliance requirements, and investigate security incidents where IP address history and assignments are needed.

To find information relating to an endpoint's IP address assignment, navigate to IT Hygiene > Network > Addresses.

The wazuh-states-inventory-packages-* indices

The wazuh-states-inventory-packages-* index stores information about the software packages currently installed on monitored endpoints. Each record details a package and includes details such as the package name, version, and vendor.

This index provides the foundation for software inventory management within Wazuh. It also enables administrators to track changes in the software stack, verify compliance with organizational policies, and spot the presence of unauthorized or outdated applications.

This index is a critical component of Wazuh vulnerability detection, which cross-references package versions with known vulnerabilities to identify endpoints that may be exposed. In this way, the index not only aids asset management but also plays a direct role in improving security posture.

To find information relating to an endpoint's software packages, navigate to IT Hygiene > Software > Packages.

The wazuh-states-inventory-ports-* indices

The wazuh-states-inventory-ports-* index records the open network ports detected on monitored endpoints. It includes details such as port numbers, associated services, and listening states.

By maintaining visibility into exposed ports, this index helps administrators identify unauthorized services, track changes in system exposure, and reduce the attack surface. Unsanctioned open ports can be an early sign of compromise or misconfiguration, making this data essential for both security monitoring and compliance audits.

To find information relating to ports on a monitored endpoint, navigate to IT Hygiene > Network > Traffic.

The wazuh-states-inventory-processes-* indices

The wazuh-states-inventory-processes-* index contains information about the processes running on monitored endpoints. Each entry describes attributes like process name, PID (process ID), and an associated user.

Tracking running processes allows Wazuh to detect suspicious or unauthorized software execution. This visibility is crucial for spotting malware, persistence mechanisms, or rogue processes that may evade traditional defenses. It also provides administrators with a historical reference for system activity, supporting forensic investigations.

To find information relating to processes on a monitored endpoint, navigate to IT Hygiene > Processes.

The wazuh-states-inventory-protocols-* indices

The wazuh-states-inventory-protocols-* index stores details about the network routing configuration and supported protocols for each network interface on monitored endpoints. This includes protocol types, routing tables, and interface associations.

Monitoring this information enables organizations to ensure network configurations align with expected baselines. Unexpected protocol changes or routing entries can indicate misconfigurations or malicious activity, such as traffic redirection or tunneling attempts.

To find information relating to protocols on a monitored endpoint, navigate to IT Hygiene > Network > Protocols.

The wazuh-states-inventory-system-* indices

The wazuh-states-inventory-system-* index provides system-level details about each monitored endpoint, including the operating system, version, hostname, and architecture.

This index acts as a master record of core system attributes, supporting inventory management, compliance tracking, and security investigations. It also allows administrators to group and correlate alerts based on system name, OS type, and architecture.

To find system-level information relating to monitored endpoints, navigate to IT Hygiene > System > OS.

The wazuh-states-inventory-browser-extensions-* indices

The wazuh-states-inventory-browser-extensions-* indices store detailed information about browser extensions installed across monitored endpoints. It captures data such as extension name, version, browser type, and installation source.

This helps security teams identify unauthorized or vulnerable extensions, enforce browser security policies, and ensure compliance with corporate browsing standards.

To find information relating to browser extensions on a monitored endpoint, navigate to IT Hygiene > Software > Browser extensions.

The wazuh-states-inventory-services-* indices

The wazuh-states-inventory-services-* indices records information about active and inactive system services. Each entry includes details such as service name, status, startup type, and associated executable paths.

By maintaining this inventory, administrators can monitor for unauthorized or misconfigured services, detect persistence mechanisms used by malware, and validate service configurations during audits or incident investigations.

To find information relating to services on a monitored endpoint, navigate to IT Hygiene > Services.

The wazuh-states-inventory-groups-* indices

The wazuh-states-inventory-groups-* indices track the system and domain groups present on monitored endpoints. They contain data on group names, identifiers, and associated privileges.

This allows administrators to review access control structures, detect privilege escalations or unauthorized group memberships, and maintain proper role-based access control (RBAC) within the IT infrastructure.

To find information relating to user groups on a monitored endpoint, navigate to IT Hygiene > Identity > Groups.

The wazuh-states-inventory-users-* indices

The wazuh-states-inventory-users-* indices catalogs user accounts found on monitored endpoints, including usernames, group assignment, privilege levels, and login status.

It supports identity and access management by helping detect unauthorized user creation, track administrative accounts, and correlate user activity with security alerts. This visibility enhances auditing, insider threat detection, and compliance reporting.

To find information relating to user accounts on a monitored endpoint, navigate to IT Hygiene > Identity > Users.

Re-indexing

When changes are made to the index’s data schema, it becomes necessary to re-index data to reflect these changes. Existing data may not match the updated schema without re-indexing, leading to data inconsistencies or errors during queries. Re-indexing lets you copy all or a subset of your data from a source index into a destination index.

To re-index an existing index, perform the following steps on either the Wazuh dashboard or the Wazuh server.

Wazuh dashboard

Click on the upper left menu ☰ and go to Indexer management then Dev Tools.

Enter the following API call, replacing my-source-index with the source index pattern and my-destination-index with the destination index pattern.

POST /_reindex
{
   "source":{
      "index":"my-source-index"
   },
   "dest":{
      "index":"my-destination-index"
   }
}

For example:

POST /_reindex
{
   "source":{
      "index":"wazuh-alerts-*"
   },
   "dest":{
      "index":"example-alerts"
   }
}

{
  "took": 23655,
  "timed_out": false,
  "total": 26849,
  "updated": 0,
  "created": 26849,
  "deleted": 0,
  "batches": 27,
  "version_conflicts": 0,
  "noops": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "throttled_millis": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0,
  "failures": []
}

Command line interface

Run the following command on any Wazuh central component that is allowed to authenticate to the Wazuh API. Replace <INDEXER_USERNAME> and <INDEXER_PASSWORD> with the indexer username and password:

curl -k -u "<INDEXER_USERNAME>:<INDEXER_PASSWORD>" -XPOST "https://<INDEXER_IP_ADDRESS>:9200/_reindex" -H 'Content-Type: application/json' -d'
{
   "source":{
      "index":"my-source-index"
   },
   "dest":{
      "index":"my-destination-index"
   }
}'

For example:

root@wazuh-server:~$ curl -k -u "INDEXER_USERNAME:INDEXER_PASSWORD" -XPOST "https://<INDEXER_IP_ADDRESS>:9200/_reindex" -H 'Content-Type: application/json' -d'
{
   "source":{
      "index":"wazuh-alerts-*"
   },
   "dest":{
      "index":"example-alerts"
   }
}'

{"took":18025,"timed_out":false,"total":26854,"updated":26854,"created":0,"deleted":0,"batches":27,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1.0,"throttled_until_millis":0,"failures":[]}

Wazuh indexer tuning

This guide shows how to change settings to optimize the Wazuh indexer performance. To change the Wazuh indexer password, see the Password management section.

Memory locking

When the system is swapping memory, the Wazuh indexer may not work as expected. Therefore, it is important for the health of the Wazuh indexer node that none of the Java Virtual Machine (JVM) is ever swapped out to disk. To prevent any Wazuh indexer memory from being swapped out, configure the Wazuh indexer to lock the process address space into RAM as follows.

Note

You require root user privileges to run the commands described below.

Add the below line to the /etc/wazuh-indexer/opensearch.yml configuration file on the Wazuh indexer to enable memory locking:
```
bootstrap.memory_lock: true
```
Modify the limit of system resources. Configuring system settings depends on the operating system of the Wazuh indexer installation.
1. Create a new directory for the file that specifies the system limits:
  # mkdir -p /etc/systemd/system/wazuh-indexer.service.d/
2. Run the following command to create the wazuh-indexer.conf file in the newly created directory with the new system limit added:
  # cat > /etc/systemd/system/wazuh-indexer.service.d/wazuh-indexer.conf << EOF [Service] LimitMEMLOCK=infinity EOF
1. Create a new directory for the file that specifies the system limits:
  # mkdir -p /etc/init.d/wazuh-indexer.service.d/
2. Run the following command to create the wazuh-indexer.conf file in the newly created directory with the new system limit added:
  # cat > /etc/init.d/wazuh-indexer.service.d/wazuh-indexer.conf << EOF [Service] LimitMEMLOCK=infinity EOF
Edit the /etc/wazuh-indexer/jvm.options file and change the JVM flags. Set a Wazuh indexer heap size value to limit memory usage. JVM heap limits prevent the OutOfMemory exception if the Wazuh indexer tries to allocate more memory than is available due to the configuration in the previous step. The recommended value is half of the system RAM. For example, set the size as follows for a system with 8 GB of RAM.
```
-Xms4g
-Xmx4g
```
Where the total heap space:
- -Xms4g - initial size is set to 4Gb of RAM.
- -Xmx4g - maximum size is to 4Gb of RAM.
Warning

To prevent performance degradation due to JVM heap resizing at runtime, the minimum (Xms) and maximum (Xmx) size values must be the same.

Restart the Wazuh indexer service:

# systemctl daemon-reload
# systemctl restart wazuh-indexer

Verify that the setting was changed successfully, by running the following command to check that mlockall value is set to true:

# curl -k -u <INDEXER_USERNAME>:<INDEXER_PASSWORD> "https://<INDEXER_IP_ADDRESS>:9200/_nodes?filter_path=**.mlockall&pretty"

{
  "nodes" : {
    "sRuGbIQRRfC54wzwIHjJWQ" : {
      "process" : {
        "mlockall" : true
      }
    }
  }
}

If the output is false, the request has failed, and the following line appears in the /var/log/wazuh-indexer/wazuh-indexer.log file:

Unable to lock JVM Memory

Shards and replicas

The Wazuh indexer offers the possibility of splitting an index into multiple segments called shards. Each shard is a fully functional and independent "index" that can be hosted on any node in the Wazuh indexer cluster. The splitting is important for two main reasons:

Horizontal scaling.
Distribution and parallelization operations across shards, increasing performance and throughput.

In addition, the Wazuh indexer allows users to make one or more copies of the index shards in what are called replica shards, or replicas for short. Replication is important for two reasons:

Provides high availability in case a shard or a node fails.
Allows the search volume and throughput to scale since searches can be executed on all replicas in parallel.

Number of shards for an index

Before creating the first index, consider carefully how many shards will be needed. It is not possible to change the number of shards without re-indexing.

The number of shards needed for optimal performance depends on the number of nodes in the Wazuh indexer cluster. As a general rule, the number of shards must be the same as the number of nodes. For example, a cluster with three nodes should have three shards, while a cluster with only one node would only need one.

Number of replicas for an index

The number of replicas depends on the available storage for the indices. Here is an example of how a Wazuh indexer cluster with three nodes and three shards could be set up.

No replica: Each node has one shard. If one node goes down, an incomplete index of only two shards is available.
One replica: Each node has one shard and one replica. If one node goes down, a full index is still available.
Two replicas: Each node has the full index with one shard and two replicas. With this setup, the cluster continues to operate even if two nodes go down. Although this seems to be the best solution, it increases the storage requirements.

The image below shows a Wazuh indexer cluster with three nodes, each containing a primary shard and two replica shards.

Setting the number of shards

Warning

The number of shards and replicas are defined per index at the time of index creation. Once the index is created, although the number of replicas can be changed dynamically, the number of shards cannot be changed without re-indexing.

The default installation of a Wazuh indexer node creates each index with three primary shards and no replicas. You can modify the number of primary shards and replicas by loading a new template using the Wazuh API.

In the following example, we set the number of shards for a single-node Wazuh indexer to 1. Perform the following steps on the Wazuh indexer node or any central component allowed to authenticate using the Wazuh API.

Download the Wazuh indexer template:

# curl https://raw.githubusercontent.com/wazuh/wazuh/v5.0.0/extensions/elasticsearch/7.x/wazuh-template.json -o w-indexer-template.json

Edit w-indexer-template.json to set index.number_of_shards to 1. To avoid Filebeat overwriting the existing template, set the order to 1. Multiple matching templates in the same order result in a non-deterministic merging order.

{
  "order": 1,
  "index_patterns": [
    "wazuh-alerts-4.x-*",
    "wazuh-archives-4.x-*"
  ],
  "settings": {
    "index.refresh_interval": "5s",
    "index.number_of_shards": "1",
    "index.number_of_replicas": "0",
    "index.auto_expand_replicas": "0-1",
    "index.mapping.total_fields.limit": 10000,
    ...

Load the new settings.

# curl -X PUT "https://<INDEXER_IP_ADDRESS>:9200/_template/wazuh-custom" -H 'Content-Type: application/json' -d @w-indexer-template.json -k -u <INDEXER_USERNAME>:<INDEXER_PASSWORD>

{"acknowledged":true}

Confirm that the configuration was successfully updated.

# curl "https://<INDEXER_IP_ADDRESS>:9200/_template/wazuh-custom?pretty&filter_path=wazuh-custom.settings" -k -u <INDEXER_USERNAME>:<INDEXER_PASSWORD>

{
  "wazuh-custom" : {
    "settings" : {
      "index" : {
        "mapping" : {
          "total_fields" : {
            "limit" : "10000"
          }
        },
        "refresh_interval" : "5s",
        "number_of_shards" : "1",
        "auto_expand_replicas" : "0-1",
        "number_of_replicas" : "0",
        ...

If the index has already been created, it must be re-indexed.

Setting the number of replicas

The number of replicas can be changed dynamically using the Wazuh indexer API. In a single-node cluster, the number of replicas should be set to zero. This is accomplished by running the following command on the Wazuh indexer node or any central component allowed to authenticate using the Wazuh API:

curl -k -u "<INDEXER_USERNAME>:<INDEXER_PASSWORD>" -XPUT "https://<INDEXER_IP_ADDRESS>:9200/wazuh-alerts-" -H 'Content-Type: application/json' -d'
{
  "settings": {
    "index": {
      "number_of_replicas": 0
    }
  }
}'

Migrating Wazuh indices

In this section, we focus on migrating Wazuh indices by using snapshots. This helps to restore alerts from one Wazuh indexer cluster to another without losing the original timestamp.

Setup shared file system

We recommend the use of a Network File System (NFS) to create a shared file system for the snapshot repository.

NFS server

Perform the following steps to set up NFS on a dedicated server:

Create a target directory for the snapshot repository in the /mnt directory:
```
# mkdir /mnt/snapshots
```

Install NFS by running the following commands:

# yum update
# yum install -y nfs-utils
# yum install exportfs
# systemctl enable nfs-server
# systemctl start nfs-server

# apt -y install nfs-kernel-server
# systemctl start nfs-kernel-server.service

Add the /mnt/snapshots directory to the /etc/exports file using the command below. Replace the <NETWORK_ADDRESS/CIDR> variable with your network address.
```
# echo "/mnt/snapshots     <NETWORK_ADDRESS/CIDR>(rw,sync,no_root_squash,no_subtree_check)" | sudo tee -a /etc/exports
```
Where:
- rw - Allows both read and write access to the shared directory.
- sync - Forces the NFS server to write changes to the disk immediately, making the file system synchronous.
- no_root_squash - Allows the "root" user on the NFS client system to have full, unrestricted access to files on the NFS server.
- no_subtree_check - Disables subtree checking, which can improve performance for large directory trees.
Apply the NFS configuration:
```
# exportfs -a
```

Wazuh indexer

Perform the following steps on the Wazuh indexer node (s) to complete the shared file system setup.

Create a target directory for the snapshot repository in the /mnt directory:
```
# mkdir /mnt/snapshots
```

Install the NFS client:

# yum -y install nfs-utils

# apt -y install nfs-common

Mount the shared directory /mnt/snapshots on the Wazuh indexer node(s). Replace the <NFS_SERVER_IP> variable with the IP address of the NFS server:
```
# mount -t nfs <NFS_SERVER_IP>:/mnt/snapshots /mnt/snapshots
```
Grant the wazuh-indexer user ownership of the /mnt/snapshots directory:
```
# chown wazuh-indexer:wazuh-indexer /mnt/snapshots
```

Add the configuration: path.repo: /mnt/snapshots to the /etc/wazuh-indexer/opensearch.yml file to specify the repository path:

network.host: "127.0.0.1"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
cluster.name: "wazuh-cluster"

node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
path.repo: /mnt/snapshots

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-key.>plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.ssl.http.enabled_ciphers:
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
plugins.security.ssl.http.enabled_protocols:
  - "TLSv1.2"
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alert>

Restart the Wazuh indexer to apply the configuration changes:
```
# systemctl restart wazuh-indexer
```

Warning

Make sure to confirm that the /mnt/snapshots directory has the wazuh-indexer:wazuh-indexer ownership on the Wazuh indexer nodes using the ll utility.

Repeat the Setup shared file system > Wazuh indexer steps on the destination Wazuh indexer(s) to use the NFS share directory, /mnt/snapshots, as its snapshot repository.

Setup snapshot repository

On the Wazuh dashboard, perform the following steps:

Click on the upper left menu ☰, go to Indexer management > Snapshot Management > Repositories, and select Create repository to create a new snapshot repository.
Enter a repository name, select the repository type Shared file system, enter the repository location /mnt/snapshots, and select Add to register the new repository.

Repeat the above steps on the destination Wazuh cluster to set up a similar snapshot repository.

Take snapshots

Click on the upper left menu ☰, and go to Indexer management > Snapshot Management > Snapshots.
Select Take snapshot, and enter a Snapshot name.
Select or input source index patterns.
Select the earlier created repository to store the snapshots.
Select Advanced options and check the Include cluster state in snapshots option.
Select Add to create a new snapshot.

The snapshot files are saved in the repository location /mnt/snapshots.

Restore snapshots

To complete the Wazuh indices migration steps, restore the snapshots taken from the old Wazuh indexers to the destination Wazuh indexers. Perform the following steps on the destination Wazuh indexer.

Note

It is necessary to have performed the steps in the Setup shared file system and Setup snapshot repository sections on the destination Wazuh cluster before proceeding to Restore snapshots.

Restart the Wazuh indexer nodes in the destination Wazuh cluster to load the snapshot files using the command:
```
# systemctl restart wazuh-indexer
```
Click on the upper left menu ☰, go to Indexer management > Snapshot Management > Snapshots, and refresh the Snapshots page. The snapshots in the repository location /mnt/snapshots will show on the destination Wazuh cluster’s dashboard.
Select the snapshot and click on Restore. Delete the restored_ prefix to restore the indices to their original names. The restored_ prefix exists to avoid conflicting index names.
Select Advanced options and make sure all the options are unchecked.
Select Restore snapshot to complete the migration process.

Wazuh indexer configuration on hardened endpoints

Wazuh indexer uses the Java Native Access (JNA) library for executing some platform-dependent native code. On Linux, the native code backing these libraries is extracted at runtime into a temporary directory and then mapped into executable pages in the indexer's address space. This requires the underlying files not to be on a filesystem mounted with the noexec option.

By default, the Wazuh indexer will create its temporary directory within /tmp. However, some hardened Linux installations mount /tmp with the noexec option by default. This prevents JNA from working correctly.

Ensuring executable permissions in the Wazuh indexer temp directory

To resolve this problem, either remove the noexec option from your /tmp filesystem or configure the Wazuh indexer to use a different location. Follow the steps below to change the temporary directory of the Wazuh indexer by setting the $OPENSEARCH_TMPDIR environment variable.

Note

You need root user privileges to run all the commands described below.

Create the temporary directory and set the appropriate permissions.

# mkdir /var/lib/wazuh-indexer/tmp
# chown wazuh-indexer:wazuh-indexer /var/lib/wazuh-indexer/tmp

Add Environment=OPENSEARCH_TMPDIR=/var/lib/wazuh-indexer/tmp to the /lib/systemd/system/wazuh-indexer.service file, which is the systemd configuration file of the Wazuh indexer. The configuration file should be similar to the following:

[Service]
Type=notify
RuntimeDirectory=wazuh-indexer
PrivateTmp=true
Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer
Environment=OPENSEARCH_TMPDIR=/var/lib/wazuh-indexer/tmp  Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer
Environment=PID_DIR=/run/wazuh-indexer
Environment=OPENSEARCH_SD_NOTIFY=true
EnvironmentFile=-/etc/default/wazuh-indexer

Restart the Wazuh indexer service to apply the changes.
```
# systemctl restart wazuh-indexer
```

Handling unwanted Wazuh indexer restarts on Ubuntu

Modifying the Java temporary directory for the Wazuh indexer on some Ubuntu endpoints causes needrestart to detect normal Java operations in the directory as library changes. As a result, needrestart incorrectly flags the Wazuh indexer service as using outdated libraries and either prompts for a restart or automatically restarts the Wazuh indexer service. This occurs even when system package updates are unrelated to the Wazuh indexer. A workaround is to exclude the Wazuh indexer service from needrestart checks with the command below.

# echo '$nrconf{blacklist_rc} = [ qr(^wazuh-indexer) ];' > "/etc/needrestart/conf.d/wazuh-indexer.conf"

Note

This setting will make needrestart always ignore the Wazuh indexer service, even in cases where a restart would be legitimate. Therefore, users may choose to apply it at their discretion and risk.

Wazuh indexer cluster

The Wazuh indexer cluster consists of multiple Wazuh indexer nodes. Deploying the Wazuh indexer as a cluster helps to provide horizontal scalability, high availability, and improved performance.

This section provides the following information about the Wazuh indexer cluster:

Certificates deployment

Wazuh uses certificates to establish trust and confidentiality between its central components - the Wazuh indexer, the Wazuh dashboard, and Filebeat. Certificates are deployed for new installation of Wazuh or during upscaling of Wazuh central components. The required certificates are:

Root CA certificate: The root CA (Certificate Authority) certificate acts as the foundation of trust for a security ecosystem. It is used to authenticate the identity of all nodes within the system and to sign other certificates, thereby establishing a chain of trust.
Node certificates: Node certificates uniquely identify each node within the Wazuh cluster. They are used to encrypt and authenticate communications between the nodes.

Each node certificate must include either the IP address or the DNS name of the node. This is important for the verification process during communications, ensuring that the data is indeed being sent to and received from trusted nodes. These certificates, signed by the root CA, ensure that any communication between the nodes is trusted and verified through this central authority.
Admin certificate: The admin certificate is a client certificate with special privileges. The Wazuh indexer uses it to perform management and security-related tasks such as initializing and managing the Wazuh indexer cluster, creating, modifying, and deleting users, as well as managing roles and permissions. It also helps ensure that only authorized commands are executed within the cluster.

You can deploy certificates using two methods:

Using the `wazuh-certs-tool.sh` script (default method)

C: US
L: California
O: Wazuh
OU: Wazuh
CN: Name of the node

Generating Wazuh indexer certificates

Follow the steps below to create Wazuh indexer certificates using the wazuh-certs-tool.sh script:

Run the command below to download the wazuh-certs-tool.sh script in your installation directory:
```
# wget https://packages.wazuh.com/5.0/wazuh-certs-tool.sh
```
Create a config.yml file with the following content. We specify only the details regarding the Wazuh indexer nodes as we are focusing on creating certificates for the Wazuh indexer.
```
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "<WAZUH_INDEXER_IP>"
    #- name: node-2
    #  ip: "<WAZUH_INDEXER_IP>"
    #- name: node-3
    #  ip: "<WAZUH_INDEXER_IP>"
```
Where:
- name represents a unique node name. You can choose any.
- ip represents the IP address or DNS name of the node.
Run the script to create the Wazuh indexer certificates:
```
# bash wazuh-certs-tool.sh -A
```
After deploying the certificates, a directory wazuh-certificates will be created in the installation directory with the following content:
```
wazuh-certificates/
├── admin-key.pem
├── admin.pem
├── root-ca.key
├── root-ca.pem
├── node-1-key.pem
└── node-1.pem
```
The files in this directory are as follows:
- root-ca.pem and root-ca.key: These files represent the root Certificate Authority (CA). The .pem file contains the public certificate, while the .key file holds the private key used for signing other certificates.
  
  Note
  
  If you are deploying a complete Wazuh infrastructure and deploying certificates for the first time you need to conserve the root CA certificate. This will be used to create and sign certificates for the Wazuh server and Wazuh dashboard nodes.
- admin.pem and admin-key.pem: These files contain the public and private keys used by the Wazuh indexer to perform management and security-related tasks such as initializing the Wazuh indexer cluster, creating and managing users and roles.
- node-1.pem and node-1-key.pem: The node-1.pem file contains the public key, which is distributed and trusted by other Wazuh components to authenticate the indexer node. Conversely, the node-1-key.pem file holds the private key, which is kept securely on the Wazuh indexer and used for authentication and encryption in communication with other Wazuh components.
  
  In a clustered environment comprising two or more Wazuh indexer nodes, unique pairs of public and private keys are generated for each node. These keys are specific to the node and are identified by the names defined in the name field of the config.yml file. These key pairs must then be transferred to their corresponding nodes.
Once the certificates are created, you need to rename and move the Wazuh indexer certificate to the appropriate Wazuh indexer nodes respectively. You need to place them in the default directory /etc/wazuh-indexer/certs/ as referenced in the file /etc/wazuh-indexer/opensearch.yml. You should create the directory if it doesn’t exist.
```
# mv /path/to/node-1-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
# mv /path/to/node-1.pem /etc/wazuh-indexer/certs/indexer.pem
```

Generating Wazuh indexer certificates using the pre-existing root CA

Wazuh also gives the ability to create and sign the admin and node(s) certificates using a pre-existing root CA. It avoids having to recreate certificates for all the nodes.

Note

You need to use a pre-existing root CA to create Wazuh indexer certificates:

If you already have a root CA after generating certificates for the Wazuh server or Wazuh dashboard nodes.
If you need to re-install a Wazuh indexer node or add a new node to your Wazuh indexer cluster.

Create a config.yml file. You must specify the details for only the Wazuh indexer node(s) you want to create certificates for, depending on the cases described in the note above.
Run the command below to create Wazuh indexer certificates from the config.yml file using the pre-existing root CA keys:
```
# bash wazuh-certs-tool.sh -wi /path/to/root-ca.pem /path/to/root-ca.key
```
Where:
- The flag -wi indicates we are creating Wazuh indexer certificates.
- The file /path/to/root-ca.pem contains the root CA certificate.
- The file /path/to/root-ca.key contains the root CA key.
After deploying the certificates, a directory wazuh-certificates will be created in the installation directory with content similar to the one below:
```
wazuh-certificates/
├── admin-key.pem
├── admin.pem
├── node-1-key.pem
└── node-1.pem
```
Once the certificates are created, you need to rename and move the Wazuh indexer certificate to the appropriate Wazuh indexer nodes respectively. You need to place them in the default directory /etc/wazuh-indexer/certs/ as referenced in the file /etc/wazuh-indexer/opensearch.yml. You should create the directory if it doesn’t exist.
```
# mv /path/to/node-1-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
# mv /path/to/node-1.pem /etc/wazuh-indexer/certs/indexer.pem
```

Using custom certificates

Custom certificates can be created using tools like OpenSSL. You must create the root CA, node, and admin certificates described above.

Adding Wazuh indexer nodes

Adding a new node to the Wazuh indexer cluster can enhance the capacity and resilience of the security monitoring infrastructure.

The upscale process involves creating certificates, configuring existing components to connect with the new Wazuh indexer node(s), and then installing and configuring the new node(s).

We have organized the steps for upscaling the Wazuh indexer into two subsections: one for an all-in-one deployment and the other for a distributed deployment. The choice between these methods depends on your existing deployment and the infrastructure you aim to upscale.

All-in-one deployment:

If you have a Wazuh all-in-one deployment, follow the steps outlined in the "All-in-one deployment" subsection to upscale your Wazuh indexer.
Distributed deployment:

For an existing distributed deployment, please refer to the "Distributed deployment" subsections to upscale your Wazuh indexer.

If you are unsure which method aligns with your infrastructure, we recommend reviewing your deployment architecture before proceeding.

Note

You need root user privileges to execute the commands below.

Certificates creation

Perform the outlined steps on your existing Wazuh indexer node to generate the certificates required for secure communication among the Wazuh central components.

All-in-one deployment

We recommend creating entirely new certificates for your Wazuh indexer nodes. Perform the following steps to create new certificates.

Create a config.yml file in the /root directory to add the new Wazuh indexer node(s):
```
# touch /root/config.yml
```

Edit the /root/config.yml file to include the following content and replace the values with your node names and their corresponding IP addresses:

nodes:
# Wazuh indexer nodes
  indexer:
    - name: <EXISTING_WAZUH_INDEXER_NODE_NAME>
      ip: <EXISTING_WAZUH_INDEXER_IP>
    - name: <NEW_WAZUH_INDEXER_NODE_NAME>
      ip: <NEW_WAZUH_INDEXER_IP>

# Wazuh server nodes
  server:
    - name: <WAZUH_SERVER_NODE_NAME>
      ip: <WAZUH_SERVER_IP>

# Wazuh dashboard nodes
  dashboard:
    - name: <WAZUH_DASHBOARD_NODE_NAME>
      ip: <WAZUH_DASHBOARD_IP>

Download and run ./wazuh-certs-tool.sh from your /root directory to recreate the certificates for the old and new nodes:
```
# curl -sO https://packages.wazuh.com/5.0/wazuh-certs-tool.sh
# bash wazuh-certs-tool.sh -A
```
Compress the certificates folder and copy it to the new Wazuh indexer node(s). You can make use of the scp utility to securely copy the compressed file:
```
# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
# scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:
```
This will copy the certificates to the home directory of the logged-in user on the target system. You can change this to specify a path to your installation directory.

Distributed deployment

We recommend you utilize pre-existing root CA keys to generate certificates for new nodes.

Perform the steps below on one indexer node only.

Create a config.yml file in the /root directory to add the new Wazuh indexer node(s):
```
# touch /root/config.yml
```
Edit the /root/config.yml file to include the node name and IP of the new node. Replace the values with your node names and their corresponding IP addresses:
```
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: <NEW_WAZUH_INDEXER_NODE_NAME>
      ip: <NEW_WAZUH_INDEXER_IP>
```

Extract the wazuh-certificates.tar file:

# mkdir wazuh-install-files && tar -xf ./wazuh-certificates.tar -C wazuh-install-files

Download and run ./wazuh-certs-tool.sh to create the certificates for the new indexer node using the pre-existing root CA keys:

# curl -sO https://packages.wazuh.com/5.0/wazuh-certs-tool.sh
# bash wazuh-certs-tool.sh -A wazuh-install-files/root-ca.pem wazuh-install-files/root-ca.key

Copy the newly created certificates to the wazuh-install-files folder making sure not to replace the admin certificates:

# cp wazuh-certificates/<NEW_WAZUH_INDEXER_NODE_NAME>* wazuh-install-files

Note

If the pre-existing root CA keys have been deleted or if you are not able to access them, you can proceed with creating new certificates for all the nodes as follows:

Create the /root/config.yml file to reference all your nodes.

nodes:
# Wazuh indexer nodes
  indexer:
    - name: <EXISTING_WAZUH_INDEXER_NODE_NAME>
      ip: <EXISTING_WAZUH_INDEXER_IP>
    - name: <NEW_WAZUH_INDEXER_NODE_NAME>
      ip: <NEW_WAZUH_INDEXER_IP>

# Wazuh server nodes
  server:
    - name: <WAZUH_SERVER_NODE_NAME>
      ip: <WAZUH_SERVER_IP>

# Wazuh dashboard nodes
  dashboard:
    - name: <WAZUH_DASHBOARD_NODE_NAME>
      ip: <WAZUH_DASHBOARD_IP>

Execute the wazuh-certs-tool.sh script to create the certificates.

# curl -sO https://packages.wazuh.com/5.0/wazuh-certs-tool.sh
# bash wazuh-certs-tool.sh -A

Compress the certificates folder and copy it to the new Wazuh indexer node(s). You can make use of the scp utility to securely copy the compressed file:
```
# tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
# scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:
```
This will copy the certificates to the home directory of the logged in user on the target system. You can change this to specify a path to your installation directory.

Compress the certificates folder into a new wazuh-certificates.tar file and copy it to the new Wazuh indexer node(s). You can make use of the scp utility to securely copy the compressed file:
```
# tar -cvf ./wazuh-certificates.tar -C ./wazuh-install-files/ .
# scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP>:
```
This will copy the certificates to the home directory of the logged-in user on the target system. You can change this to specify a path to your installation directory.

Configuring existing components to connect with the new node

All-in-one deployment

Create a file, env_variables.sh, in the /root directory of the existing node where you define your environment variables as follows:
```
export NODE_NAME1=<EXISTING_WAZUH_INDEXER_NODE_NAME>
export NODE_NAME2=<WAZUH_SERVER_NODE_NAME>
export NODE_NAME3=<WAZUH_DASHBOARD_NODE_NAME>
```
Replace:
- <EXISTING_WAZUH_INDEXER_NODE_NAME>, <WAZUH_SERVER_NODE_NAME>, <WAZUH_DASHBOARD_NODE_NAME> respectively with the names of the Wazuh indexer, Wazuh server, and Wazuh dashboard nodes as defined in /root/config.yml.

Create a deploy-certificates.sh script in the /root directory and add the following content:

#!/bin/bash

# Source the environmental variables from the external file
source ~/env_variables.sh

rm -rf /etc/wazuh-indexer/certs
mkdir /etc/wazuh-indexer/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME1.pem ./$NODE_NAME1-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME1.pem /etc/wazuh-indexer/certs/wazuh-indexer.pem
mv -n /etc/wazuh-indexer/certs/$NODE_NAME1-key.pem /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
chmod 500 /etc/wazuh-indexer/certs
chmod 400 /etc/wazuh-indexer/certs/*
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

rm -rf /etc/filebeat/certs
mkdir /etc/filebeat/certs
tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME2.pem ./$NODE_NAME2-key.pem ./root-ca.pem
mv -n /etc/filebeat/certs/$NODE_NAME2.pem /etc/filebeat/certs/wazuh-server.pem
mv -n /etc/filebeat/certs/$NODE_NAME2-key.pem /etc/filebeat/certs/wazuh-server-key.pem
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

rm -rf /etc/wazuh-dashboard/certs
mkdir /etc/wazuh-dashboard/certs
tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME3.pem ./$NODE_NAME3-key.pem ./root-ca.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME3.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem
mv -n /etc/wazuh-dashboard/certs/$NODE_NAME3-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem
chmod 500 /etc/wazuh-dashboard/certs
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Deploy the certificates by executing the following command:
```
# bash /root/deploy-certificates.sh
```
This deploys the SSL certificates to encrypt communications between the Wazuh central components.

Recommended action: If no other Wazuh components are going to be installed on this node, remove the wazuh-certificates.tar file by running the command below to increase security. Alternatively, save a copy offline for potential future use and scalability:
```
# rm -rf ./wazuh-certificates
# rm -f ./wazuh-certificates.tar
```

Edit the indexer configuration file at /etc/wazuh-indexer/opensearch.yml to include the new node(s) as follows. Uncomment or add more lines, according to your /root/config.yml definitions. Create the discovery.seed_hosts section if it doesn’t exist:

network.host: "<EXISTING_WAZUH_INDEXER_IP>"
node.name: "<EXISTING_WAZUH_INDEXER_NODE_NAME>"
cluster.initial_master_nodes:
- "<EXISTING_WAZUH_INDEXER_NODE_NAME>"
- "<NEW-WAZUH-INDEXER-NODE-NAME>"
cluster.name: "wazuh-cluster"
discovery.seed_hosts:
  - "<EXISTING_WAZUH_INDEXER_IP>"
  - "<NEW_WAZUH_INDEXER_IP>"
plugins.security.nodes_dn:
- "CN=<EXISTING-WAZUH-INDEXER-NODE-NAME>,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=<NEW-WAZUH-INDEXER-NODE-NAME>,OU=Wazuh,O=Wazuh,L=California,C=US"

Edit the Filebeat configuration file /etc/filebeat/filebeat.yml to add the new Wazuh indexer node(s). Uncomment or add more lines, according to your /root/config.yml definitions:

output.elasticsearch.hosts:
        - <EXISTING_WAZUH_INDEXER_IP>:9200
        - <NEW_WAZUH_INDEXER_IP>:9200
output.elasticsearch:
  protocol: https
  username: ${username}
  password: ${password}

Edit the Wazuh dashboard configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml to include the new Wazuh indexer node(s):
```
opensearch.hosts: ["https://<EXISTING_WAZUH_INDEXER_IP>:9200", "https://<NEW_WAZUH_INDEXER_IP>:9200"]
```

Restart the following services to apply the changes:

# systemctl restart wazuh-indexer
# systemctl restart filebeat
# systemctl restart wazuh-manager
# systemctl restart wazuh-dashboard

# service wazuh-indexer restart
# service filebeat restart
# service wazuh-manager restart
# service wazuh-dashboard restart

Distributed deployment

network.host: "<EXISTING_WAZUH_INDEXER_IP>"
node.name: "<EXISTING_WAZUH_INDEXER_NODE_NAME>"
cluster.initial_master_nodes:
- "<EXISTING_WAZUH_INDEXER_NODE_NAME>"
- "<NEW-WAZUH-INDEXER-NODE-NAME>"
cluster.name: "wazuh-cluster"
discovery.seed_hosts:
  - "<EXISTING_WAZUH_INDEXER_IP>"
  - "<NEW_WAZUH_INDEXER_IP>"
plugins.security.nodes_dn:
- "CN=indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=<WAZUH-INDEXER2-NODE-NAME>,OU=Wazuh,O=Wazuh,L=California,C=US"

Edit the Filebeat configuration file /etc/filebeat/filebeat.yml (the file is located in the Wazuh server) to add the new Wazuh indexer node(s). Uncomment or add more lines, according to your /root/config.yml definitions:

output.elasticsearch.hosts:
        - <EXISTING_WAZUH_INDEXER_IP>:9200
        - <NEW_WAZUH_INDEXER_IP>:9200
output.elasticsearch:
  protocol: https
  username: ${username}
  password: ${password}

Edit the Wazuh dashboard configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml to include the new Wazuh indexer node(s):

opensearch.hosts: ["https://<EXISTING_WAZUH_INDEXER_IP>:9200", "https://<NEW_WAZUH_INDEXER_IP>:9200"]

Note

You’ll have to re-deploy certificates on your existing Wazuh node(s) if they were recreated as recommended in the note above.

Run the following commands on each of your nodes to deploy the certificates:

On Wazuh indexer node(s):

# NODE_NAME=<EXISTING_WAZUH_INDEXER_NODE_NAME>

# rm -rf /etc/wazuh-indexer/certs
# mkdir /etc/wazuh-indexer/certs
# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
# chmod 500 /etc/wazuh-indexer/certs
# chmod 400 /etc/wazuh-indexer/certs/*
# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

On Wazuh server node(s):

# NODE_NAME=<WAZUH_SERVER_NODE_NAME>

# rm -rf /etc/filebeat/certs
# mkdir /etc/filebeat/certs
# tar -xf ./wazuh-certificates.tar -C /etc/filebeat/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/filebeat/certs/$NODE_NAME.pem /etc/filebeat/certs/wazuh-server.pem
# mv -n /etc/filebeat/certs/$NODE_NAME-key.pem /etc/filebeat/certs/wazuh-server-key.pem
# chmod 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/*
# chown -R root:root /etc/filebeat/certs

On Wazuh dashboard node:

# NODE_NAME=<WAZUH_DASHBOARD_NODE_NAME>

# rm -rf /etc/wazuh-dashboard/certs
# mkdir /etc/wazuh-dashboard/certs
# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./root-ca.pem
# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem
# mv -n /etc/wazuh-dashboard/certs/$NODE_NAME-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem
# chmod 500 /etc/wazuh-dashboard/certs
# chmod 400 /etc/wazuh-dashboard/certs/*
# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs

Run the following commands on your respective nodes to apply the changes:

Wazuh indexer node

# systemctl restart wazuh-indexer

# service wazuh-indexer restart

Wazuh server node

# systemctl restart filebeat
# systemctl restart wazuh-manager

# service filebeat restart
# service wazuh-manager restart

Wazuh dashboard node

# systemctl restart wazuh-dashboard

# service wazuh-dashboard restart

Wazuh indexer node(s) installation

Once the certificates have been created and copied to the new node(s), you can now proceed with installing the Wazuh indexer node. Follow the steps below to install the new Wazuh indexer node(s).

Install package dependencies:

# yum install coreutils

# apt-get install debconf adduser procps

Add the Wazuh repository:

Import the GPG key:

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository:

For RHEL-compatible systems version 8 and earlier, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo

For RHEL-compatible systems version 9 and later, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo

Install the following packages:

# apt-get install gnupg apt-transport-https

Install the GPG key:

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository:

# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/5.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the packages information:
```
# apt-get update
```

Install the Wazuh indexer:

# yum -y install wazuh-indexer

# apt-get -y install wazuh-indexer

Configuring the Wazuh indexer

Edit the /etc/wazuh-indexer/opensearch.yml configuration file and replace the following values:

network.host: Sets the address of this node for both HTTP and HTTPS traffic. The node will bind to this address and use it as its publish address. This field accepts an IP address or a hostname.

Use the same node address set in /root/config.yml to create the SSL certificates.
node.name: Name of the Wazuh indexer node as defined in the /root/config.yml file. For example, node-1.
cluster.initial_master_nodes: List of the names of the master-eligible nodes. These names are defined in the /root/config.yml file. Uncomment the node-2 line or add more lines, and change the node names according to your /root/config.yml definitions:
```
cluster.initial_master_nodes:
- "<EXISTING_WAZUH_INDEXER_NODE_NAME>"
- "<NEW_WAZUH_INDEXER_NODE_NAME>"
```
discovery.seed_hosts: List of the addresses of the master-eligible nodes. Each element can be either an IP address or a hostname. Uncomment this setting and set the IP addresses of each master-eligible node:
```
discovery.seed_hosts:
  - "<EXISTING_WAZUH_INDEXER_IP>"
  - "<NEW_WAZUH_INDEXER_IP>"
```
plugins.security.nodes_dn: List of the distinguished names of the certificates of all the Wazuh indexer cluster nodes. Uncomment the line for node-2 and change the common names (CN) and values according to your settings and your /root/config.yml definitions:
```
plugins.security.nodes_dn:
- "CN=<EXISTING_WAZUH_INDEXER_NODE_NAME>,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=<NEW_WAZUH_INDEXER_NODE_NAME>,OU=Wazuh,O=Wazuh,L=California,C=US"
```

Deploying certificates

Execute the following commands in the directory where the wazuh-certificates.tar file was copied to, replacing <NEW_WAZUH_INDEXER_NODE_NAME> with the name of the Wazuh indexer node you are configuring as defined in /root/config.yml. For example, node-1. This deploys the SSL certificates to encrypt communications between the Wazuh central components:

NODE_NAME=<NEW_WAZUH_INDEXER_NODE_NAME>

# mkdir /etc/wazuh-indexer/certs
# tar -xf ./wazuh-certificates.tar -C /etc/wazuh-indexer/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
# mv -n /etc/wazuh-indexer/certs/$NODE_NAME.pem /etc/wazuh-indexer/certs/indexer.pem
# mv -n /etc/wazuh-indexer/certs/$NODE_NAME-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
# chmod 500 /etc/wazuh-indexer/certs
# chmod 400 /etc/wazuh-indexer/certs/*
# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs

Recommended action: If no other Wazuh components are going to be installed on this node, remove the wazuh-certificates.tar file by running the command below to increase security. Alternatively, save a copy offline for potential future use and scalability:

# rm -f ./wazuh-certificates.tar

Starting the service

Run the following commands to start the Wazuh indexer service:

# systemctl daemon-reload
# systemctl enable wazuh-indexer
# systemctl start wazuh-indexer

RPM-based operating system

# chkconfig --add wazuh-indexer
# service wazuh-indexer start

Debian-based operating system

# update-rc.d wazuh-indexer defaults 95 10
# service wazuh-indexer start

Cluster initialization

Run the Wazuh indexer indexer-security-init.sh script on any Wazuh indexer node to load the new certificate information and start the cluster:
```
# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
```
Note

You only have to initialize the cluster once, there is no need to run this command on every node.

Confirm the configurations work by running the command below on your Wazuh server node:

# filebeat test output

An example output is shown below:

elasticsearch: https://10.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://10.0.0.2:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.0.2
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Testing the cluster

After completing the above steps, you can proceed to test your cluster and ensure that the indexer node has been successfully added. There are two possible methods to do this:

Using the securityadmin script

The securityadmin script helps configure and manage the security settings of OpenSearch. The script lets you load, backup, restore, and migrate the security configuration files to the Wazuh indexer cluster.

Run the command below on any of the Wazuh indexer nodes to execute the securityadmin script and initialize the cluster:

# /usr/share/wazuh-indexer/bin/indexer-security-init.sh

The output should be similar to the one below. It should show the number of Wazuh indexer nodes in the cluster:

**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 192.168.21.152:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.6.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 2
Number of data nodes: 2
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success

Using the Wazuh indexer API

You can also get information about the number of nodes in the cluster by using the Wazuh indexer API.

Run the command below on any of the Wazuh indexer nodes and check the output for the field number_of_nodes to ensure it corresponds to the expected number of Wazuh indexer nodes:

# curl -XGET https:/<EXISTING_WAZUH_INDEXER_IP>:9200/_cluster/health?pretty -u admin:<ADMIN-PASSWORD> -k

Replace:

<EXISTING_WAZUH_INDEXER_IP> with the IP address of any of your indexer nodes.
<ADMIN-PASSWORD> with your administrator password.

The output of the command should be similar to the following:

{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 2,
  "number_of_data_nodes" : 2,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 11,
  "active_shards" : 20,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

You can access the Wazuh dashboard with your credentials.

URL: https://<WAZUH_DASHBOARD_IP>
Username: admin
Password: <ADMIN_PASSWORD> or admin in case you already have a distributed architecture and using the default password.

After the above steps are completed, your new node(s) will now be part of your cluster and your infrastructure distributed.

Wazuh indexer cluster tuning

This guide shows how to change settings to optimize the Wazuh indexer cluster performance. To change the Wazuh indexer password, see the Password management section.

Configure shard allocation awareness or forced awareness

This is most applicable in cases where the Wazuh indexer nodes are spread across geographically dispersed zones.

To configure awareness, add zone attributes to the /etc/wazuh-indexer/opensearch.yml file on the Wazuh indexer nodes for the different zones.

For example: You have two zones named zone A and B. You will add the following configuration to the /etc/wazuh-indexer/opensearch.yml file on each Wazuh indexer node in zone A and B respectively:

node.attr.zone: zoneA

node.attr.zone: zoneB

Allocation awareness is best used if storage on the Wazuh indexer nodes in zone A and zone B is less than 50% utilized. This allows for adequate storage capacity to allocate replicas in the zone.

Forced awareness is an option if Wazuh indexer nodes in both zone A and B lack sufficient capacity to store all primary and replica shards. This ensures that if there's a zone failure, the Wazuh indexer won't overwhelm your remaining zone, preventing your cluster from being locked due to storage shortage.

Choosing allocation awareness or forced awareness depends on how much space you have in each zone to balance your primary and replica shards.

Shard allocation awareness

Shard allocation awareness attempts to spread primary and replica shards across multiple zones. It is used to allocate a replica shard to a zone different from its primary zone.

In the event of node failure within a zone, you can be rest assured that your replica shards are distributed among your remaining zones. This enhances fault tolerance, safeguarding your data against zone failures and individual node failures.

To configure shard allocation awareness, update the cluster settings:

PUT _cluster/settings
{
  "persistent": {
    "cluster.routing.allocation.awareness.attributes": "zone"
  }
}

You can either use persistent or transient settings. We recommend using the persistent setting because it persists through a cluster reboot. The transient setting does not persist through a cluster reboot.

Note

If only one zone is available (such as after zone failures), the Wazuh indexer allocates replica shards to the only remaining zone.

Forced awareness

Using the forced awareness implies that primary and replica shards are never allocated to the same zone.

To configure forced awareness, specify all the possible values for your zone attributes:

PUT _cluster/settings
{
  "persistent": {
    "cluster.routing.allocation.awareness.attributes": "zone",
    "cluster.routing.allocation.awareness.force.zone.values":["zoneA", "zoneB"]
  }
}

In case there are other zones, add the other zones to the cluster.routing.allocation.awareness.force.zone.values field.

Warning

If a node fails, forced awareness does not allocate the replicas to another node in the same zone. Instead, the cluster enters a yellow state and only allocates the replicas when nodes in the other zone(s) come online.

Allocation filtering

This allows a node to be excluded from shard allocation. A common use case is when you want to decommission a node within a zone.

To move shards off a node before decommissioning it, create a filter that excludes the node using its IP address. This will move all shards allocated to that node before it is shut down. You can also use a wildcard * in a situation where there are more than one node within an IP range to be decommissioned.

PUT _cluster/settings
{
  "persistent": {
    "cluster.routing.allocation.exclude._ip": "192.168.0.*"
  }
}

Set node attributes for each node in a cluster

By default, each Wazuh indexer node is a master-eligible, data, ingest, and coordinating node. Deciding on the number of nodes, assigning node types, and choosing the hardware for each node type depends on your use case.

Cluster manager nodes

Cluster manager nodes manage all cluster-wide configurations and modifications, including adding, removing, and allocating shards to nodes, as well as generating and deleting indices and fields.

A distributed consensus technique is used to elect a single cluster-manager node from among the cluster-manager eligible nodes. This cluster-manager node is reelected in the event that the incumbent node fails.

You can specify that a Wazuh indexer node is the cluster manager node, even though this is already done by default.

Set a Wazuh indexer node role to cluster_manager by adding the following configuration to the /etc/wazuh-indexer/opensearch.yml file:

node.roles: [ cluster_manager ]

Data nodes

The data node is responsible for storing and searching data. It performs all data related operations (indexing, searching, aggregating) on local shards. These are the worker nodes of your Wazuh indexer cluster and need more disk space than any other node type.

Set a Wazuh indexer node role as a data node by adding the following configuration to the /etc/wazuh-indexer/opensearch.yml file:

node.roles: [ data, ingest ]

As you add data nodes it is important to keep them balanced between zones. For example, if you have three zones, add a data node for each zone. We recommend using storage and RAM-heavy nodes.

Coordinating nodes

The coordinating node delegates client requests to the shards on the data nodes, collects and aggregates the results into one final result, and sends it back to the Wazuh dashboard.

Every node is a coordinating node by default, however to make a node a dedicated coordinating node, set node.roles to an empty list:

node.roles: []

Index lifecycle management

Index lifecycle management helps to optimize the Wazuh indexer cluster performance by controlling the lifecycle of an index. You can perform periodic operations, such as index rollovers and deletions. These periodic operations are configured using Index State Management (ISM) policies.

Index State Management (ISM) lets you automate these operational tasks. You can implement lifecycle policies, such as retention policies, for your data using ISM. ISM triggers index operations automatically based on your policies and the changes detected in index age, size, and documents count.

This section discusses some configuration options to manage the index lifecycle for optimization of the Wazuh indexer storage.

Index retention

Security standards require keeping data available for audits for a minimum period of time. For data older than this retention period, you might want to delete it to save storage space.

You can define specific policies to handle deletions automatically. You might also find these policies useful for index rollovers.

Creating a retention policy

Using the Visual editor

Click on the upper left menu ☰, go to Indexer management, and select Index Management. Choose State management policies and click Create policy. Select Visual editor and click Continue.
Enter a unique Policy ID in the Policy info section. For example, wazuh-alert-retention-policy. You can optionally describe the policy in the Description field.
Click Add template under ISM templates and enter an index pattern such as wazuh-alerts-* to apply this policy to future alert indices automatically. The priority is set to the default value of 1 and can be set to any other value. The index with higher priority value is treated first.
Click Add state to create a state for index deletion. Enter a name such as delete_alerts.
Click Add action and select Delete in the Action type. Click Add action. Then click Save state.
Click Add state again to create an initial state. Enter a name, such as initial.
Choose Add before from the Order tab and select delete_alerts.
Click Add transition and select delete_alerts as the Destination state.
Select Minimum Index Age in Condition. Input the retention value, for example, 90d for 90 days, in the Minimum Index Age.
Click Add transition. Click Save state. Click Create.
Change the Initial State to Initial.

Using the JSON editor

Click on the upper left menu ☰, go to Indexer management, and choose Index Management. Choose State management policies and click Create policy. Select JSON editor and click Continue.
Enter a unique Policy ID in the Policy info section. For example, wazuh-alert-retention-policy. You can optionally enter a description within your JSON policy definition.

In the Define policy section, replace the content with your JSON policy definition. Your definition must look similar to this.

{
    "policy": {
        "policy_id": "wazuh-alert-retention-policy",
        "description": "Wazuh alerts retention policy",
        "schema_version": 17,
        "error_notification": null,
        "default_state": "retention_state",
        "states": [
            {
                "name": "retention_state",
                "actions": [],
                "transitions": [
                    {
                        "state_name": "delete_alerts",
                        "conditions": {
                            "min_index_age": "90d"
                        }
                    }
                ]
            },
            {
                "name": "delete_alerts",
                "actions": [
                    {
                        "retry": {
                            "count": 3,
                            "backoff": "exponential",
                            "delay": "1m"
                        },
                        "delete": {}
                    }
                ],
                "transitions": []
            }
        ],
        "ism_template": [
            {
                "index_patterns": [
                    "wazuh-alerts-*"
                ],
                "priority": 1
            }
        ]
    }
}

Adjust the “min_index_age”: from “90d” to your preferred number of days for minimum index retention.

Click Create.

Applying the retention policy to alerts index

Click on the upper left menu ☰, go to Indexer management, and choose Index Management. Choose Indices.
Select the index or indices to attach the policy.
Click Actions > Apply policy.
Select the policy created in the previous steps from the Policy ID menu. Click Apply.

Set up hot-warm architecture

This section shows how to configure indexes to be stored in hot and warm nodes. A hot-warm architecture is made up of hot and warm nodes with the following characteristics:

A hot node is typically fast and expensive due to its high computing resources.
A warm node is slower and cheaper due to lower computing resources.

You can design a hot-warm architecture where you first index your data to hot nodes and after a certain period move them to warm nodes. This architecture is suited for you if you have older data that you don't often query. The older data is moved, to be stored on a slower, and less expensive hardware. This architecture helps save money on computing costs.

Rather than increasing the number of hot nodes, you can add warm nodes for data that you don’t access as frequently.

To configure a hot-warm storage architecture, add temp attributes to the respective nodes.

Note

You can set the attribute name and value to whatever you want as long as it’s consistent for all your hot and warm nodes.

Configure a hot node

To configure a hot node, add the following configuration to the /etc/wazuh-indexer/opensearch.yml file:

node.attr.temp: hot

Restart the Wazuh indexer service:

# systemctl restart wazuh-indexer

Configure a warm node

To configure a warm node, add the following configuration to the /etc/wazuh-indexer/opensearch.yml file:

node.attr.temp: warm

Restart the Wazuh indexer service:

# systemctl restart wazuh-indexer

Create indexer state management policy

Perform the following steps on the Wazuh dashboard console.

Confirm that the temp attributes assigned earlier were applied:
```
GET _cat/nodeattrs?v&h=node,attr,value
```

Create an ISM policy to assign indices using the wazuh-alerts-5.x-* index pattern to hot nodes and move them to warm nodes after a defined time:

PUT _plugins/_ism/policies/hot_warm
{
    "policy": {
        "description": "Send shards from hot to warm nodes",
        "schema_version": 17,
        "error_notification": null,
        "default_state": "hot",
        "states": [
            {
                "name": "hot",
                "actions": [],
                "transitions": [
                    {
                        "state_name": "warm",
                        "conditions": {
                            "min_index_age": "30d"
                        }
                    }
                ]
            },
            {
                "name": "warm",
                "actions": [
                    {
                        "retry": {
                            "count": 3,
                            "backoff": "exponential",
                            "delay": "1m"
                        },
                        "replica_count": {
                            "number_of_replicas": 0
                        }
                    },
                    {
                        "retry": {
                            "count": 3,
                            "backoff": "exponential",
                            "delay": "1m"
                        },
                        "allocation": {
                            "require": {
                                "temp": "warm"
                            },
                            "include": {},
                            "exclude": {},
                            "wait_for": false
                        }
                    }
                ],
                "transitions": []
            }
        ],
        "ism_template": [
            {
                "index_patterns": [
                    "wazuh-alerts-*"
                ],
                "priority": 1
            }
        ]
    }
}

Adjust the min_index_age from 30d to your preferred number of days to define the minimum number of days to store the indices on a hot node.

Now all future indices created using the wazuh-alerts-5.x-* index pattern will be allocated to a hot node. After the min_index_age condition is met, the indices are moved to a warm node and all replicas removed. The removal of the replicas ensures that storage is managed on the warm node since the data will not be queried frequently.

Apply the ISM policy to existing indices

Choose Indices in Index Management.
Select the index or indices to attach the policy.
Click Actions > Apply policy.
Select the hot-warm policy in Policy ID.
Click Apply to add the policy to the selected indices.

Cluster management

Using the Wazuh indexer API

Perform the following cluster management queries on the Wazuh dashboard console by navigating to Indexer management > Dev Tools.

Check the general Wazuh indexer cluster health:
```
GET _cluster/health
```
To check cluster health based on awareness attribute, use the following:
```
GET _cluster/health?level=awareness_attributes
```
To check the cluster health based on a specific index, use the following:
```
GET _cluster/health/<INDEX-PATTERN>
```
List all Wazuh indexer nodes and their roles:
```
GET _cat/nodes
```
Check the Wazuh indexer node where an index is stored:
```
GET _cat/shards/wazuh-alerts-*?v
```

Check ISM policy for an index pattern:

GET _opendistro/_ism/explain/wazuh-alerts-*

Check statistics about the Wazuh indexer cluster:
```
GET _cluster/stats/nodes/*
```
Check storage allocation. This can be used to determine if the Wazuh indexer node is full. If the indexer node is full, implement the index lifecycle management to free up old indices.
```
GET _cat/allocation?v&s=node
```
Check Wazuh indexer node attributes:
```
GET _cat/nodeattrs?v&h=node,attr,value
```

Wazuh indexer API

The Wazuh indexer API is an open source RESTful API that allows interaction with the Wazuh indexer from the Wazuh dashboard, a command-line tool such as cURL, or any script or program capable of making web requests. The Wazuh indexer API provides endpoints for managing and querying data within the Wazuh indexer. Using this API, users can perform various operations, such as searching logs, managing indexes, and handling data related to security alerts and compliance reports. The Wazuh indexer API is designed to support automation and scalability, offering a flexible approach to accessing and analyzing data for security insights, obtaining operational metrics, and reporting.

Here is a list of some of the Wazuh indexer API capabilities:

Index management
User management
Managing and searching through indexes
Log ingestion
Manage notifications
Manage nodes in a single or multi-node cluster
Snapshot and repository management
Statistical information collection
Error handling
Configuration management
Index lifecycle management

Take a look at the Wazuh indexer API use cases for practical examples of how the Wazuh indexer API can be utilized.

Contents

Getting started

This guide provides the essential information needed to utilize the Wazuh indexer API.

Starting and stopping the Wazuh indexer API

By default, the Wazuh indexer API is included in the Wazuh indexer installation. You can manage or monitor the Wazuh indexer API by executing the systemctl or service commands with the Wazuh indexer service:

# systemctl start/status/stop/restart wazuh-indexer

# service wazuh-indexer start/status/stop/restart

Logging into the Wazuh indexer API

You need to be authenticated to be able to use the Wazuh indexer API service. Users can authenticate to the Wazuh indexer API using various supported methods and can select the one that best meets their requirements. Logging in to the Wazuh dashboard with a user with appropriate privileges gives the user access to the Wazuh indexer API via the dashboard. The sections below describe some options for how a user can access the Wazuh indexer API via scripts or command lines.

HTTP basic authentication

HTTP basic authentication is one of the simplest methods of accessing the Wazuh indexer API. The client provides credentials as a username and password with every request in this mechanism. These credentials are included in the Authorization header of the HTTP request. While this makes implementation straightforward and compatible with most tools and systems, it is less secure as the risk of exposure is high.

HTTP basic authentication is enabled by default, and its settings are specified within the basic_internal_auth_domain section in the /etc/wazuh-indexer/opensearch-security/config.yml configuration file. The default setting is seen below:

basic_internal_auth_domain:
  description: "Authenticate via HTTP Basic against internal users database"
  http_enabled: true
  transport_enabled: true
  order: 4
  http_authenticator:
    type: basic
    challenge: true
  authentication_backend:
    type: intern

The format to authenticate to the Wazuh indexer API using basic authentication is below. In this example, we use cURL to connect and authenticate:

# curl -k -u <WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD> https://localhost:9200/

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "XUqydNCQTuCnvtXobnRZ8w",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "deb",
    "build_hash" : "9fd1835bba77ae04d48550eb4dc9be4787070806",
    "build_date" : "2024-08-30T10:06:03.028357Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

JSON Web Token (JWT)

The JSON Web Token (JWT) is another method of authenticating to the Wazuh indexer API. JWT is an open standard (RFC 7519) that defines a compact and self-contained method for securely transmitting information between parties as a JSON object.

A JWT can be self-generated, and the validation key can be stored in the /etc/wazuh-indexer/opensearch-security/config.yml file or generated and validated through a JSON Web Key Set (JWKS) endpoint to retrieve the key from its location on the issuer’s server.

JWT authentication is not enabled by default, and its settings are specified within the jwt_auth_domain section in the /etc/wazuh-indexer/opensearch-security/config.yml configuration file. Follow the steps below to enable and log into the Wazuh indexer using JWT authentication:

Open the /etc/wazuh-indexer/opensearch-security/config.yml configuration file and update the highlighted settings:

jwt_auth_domain:
  description: "Authenticate via Json Web Token"
  http_enabled: true
  transport_enabled: false
  order: 0
  http_authenticator:
    type: jwt
    challenge: false
    config:
      signing_key: "<ENCODED_SIGNING_KEY>"
      jwt_header: "Authorization"
      jwt_url_parameter: null
      jwt_clock_skew_tolerance_seconds: 30
      roles_key: <ROLES_KEY>
      subject_key: <SUBJECT_KEY>
  authentication_backend:
    type: noop

Note

Replace <ENCODED_SIGNING_KEY> with your base64 encoded HMAC key or public RSA/ECDSA pem key. Update the values of <ROLES_KEY> with the name of a backend user the JWT should attach to, and <SUBJECT_KEY> to a descriptive subject name that identifies the JWT. For example, setting the values to admin and automationUser respectively will attach the JWT to the internal admin user and name the JWT as automationUser.

Run the /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh script to load the configuration changes made in the /etc/wazuh-indexer/opensearch-security/config.yml file:

# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv

Authenticate to the Wazuh indexer API using your JWT, as seen below. In this example, we use cURL to connect and authenticate:

# curl -k -XGET "https://localhost:9200" -H "Authorization: Bearer <WAZUH_INDEXER_JWT>"

Replace <WAZUH_INDEXER_JWT> with your JWT. The expected output is as seen below:

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "XUqydNCQTuCnvtXobnRZ8w",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "deb",
    "build_hash" : "9fd1835bba77ae04d48550eb4dc9be4787070806",
    "build_date" : "2024-08-30T10:06:03.028357Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Optionally, you can use your JWT as an environment variable.

You can access any API endpoint using the below structure. Replace <METHOD> with the desired method, <ENDPOINT> with the string corresponding to the endpoint you wish to access, and <WAZUH_INDEXER_JWT> with your JWT. If you are using an environment variable, replace <WAZUH_INDEXER_JWT> with your environment variable, for example $TOKEN.

# curl -k -X <METHOD> "https://localhost:9200/<ENDPOINT>" -H "Authorization: Bearer <WAZUH_INDEXER_JWT>"

Configuration options

The JWT configurations are specified under the authc key in the /etc/wazuh-indexer/opensearch-security/config.yml configuration file. The configuration parameters are described below:

jwt_auth_domain

Sub-fields	Allowed values	Default value	Description
`http_enabled`	true, false	false	Defines if JWT-based authentication is enabled for HTTP requests.
`order`	Any positive integer	0	Indicates the sequence in which authentication domains are evaluated. This is particularly relevant when multiple authentication mechanisms are configured.

jwt_auth_domain.http_authenticator

Sub-fields	Allowed values	Default value	Description
`type`	jwt	jwt	Specifies the authentication domain.
`challenge`	true, false	false	Specifies if a challenge should be presented to the user during authentication.

jwt_auth_domain.http_authenticator.config

Sub-fields	Allowed values	Default value	Description
`signing_key`	Any Base64 encoded secret or public key	null	The signing key(s) is used to verify the JWT token. Where a symmetric key algorithm is used, set the value to the Base64 encoded secret. If an asymmetric algorithm is used, set the value to the public key. Use a comma list or enumerate the keys.
`jwt_header`	Any string	Authorization	The HTTP header that transmits the JWT in HTTP requests. The value typically has the following Bearer schema: `Authorization: Bearer <token>`. Using a value other than `Authorization` prevents the field from being properly redacted in audit logs.
`jwt_url_parameter`	Any string	null	Used to define the name of a URL parameter if the token is not transmitted in the HTTP header but rather as a URL.
`subject_key`	Any string	null	Sets the name of the key in the JSON payload that stores the username. If a value is not set, the subject registered claim is used instead.
`roles_key`	Any string	null	Sets the name of the key in the JSON payload that stores the user’s role(s). Multiple values are supported by a comma-separated list of roles.
`required_audience`	Any string	null	Sets the name of the audience that the JWT must specify. Multiple values are supported as a comma-separated list.
`required_issuer`	Any string	null	Sets the target issuer of a JWT stored in the JSON payload.
`jwt_clock_skew_tolerance_seconds`	Any positive integer	30	Sets a time window (in seconds) to compensate for any disparity between the JWT authentication server and Wazuh indexer node clock times. It prevents authentication failures due to misalignment.

jwt_auth_domain.authentication_backend

Sub-fields	Allowed values	Default value	Description
`type`	noop	noop	This value is set to no operation (`noop`) because JWTs are self-contained and the user is authenticated at the HTTP level.

Note

The JWT values are case-sensitive. Ensure the casing matches to avoid errors

Using the Wazuh indexer API via the Wazuh dashboard

Using the Wazuh indexer API from the Wazuh dashboard enables users to run API requests directly within the dashboard’s Web User Interface (WUI). Through the Wazuh dashboard, users can use the API to perform searches, manage index settings, view document details, and retrieve insights without direct access to the command line. To use the Wazuh indexer API from the Wazuh dashboard, you must log in with a user with appropriate privileges. For example, the default admin user has administrator privileges. To access the Wazuh indexer API, click the menu icon and navigate to Index management > Dev Tools.

The API Console is made up of two panes. The pane on the left collects the API request, while the pane on the right displays the query result. On the left pane, input the HTTP method, request endpoint, and any query parameters, then click the play button to execute the request. The pane on the right displays the result of the API request. See Understanding the Wazuh indexer API request and response to learn more about the basic concepts.

Using the Wazuh indexer API via the command line

The Wazuh indexer API can also be accessed through a terminal. We use any client that can send HTTP requests to communicate with the API through the terminal, such as cURL. The Wazuh indexer API service listens for incoming requests on TCP port 9200 and requires authentication, such as a username and password, to authorize the API request.

In the example below, we use cURL to check the cluster health status of the Wazuh indexes:

# curl -k -u <WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD> https://localhost:9200/_cluster/health?pretty

{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 16,
  "active_shards" : 16,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Replace <WAZUH_INDEXER_USERNAME> and <WAZUH_INDEXER_PASSWORD> with the correct credentials.

Using the Wazuh indexer API via a script

Accessing the Wazuh indexer API with a script is a convenient way to interact with the API when automation is required. The Wazuh indexer supports any programming language that can process HTTP requests. This section demonstrates how to use Python and Bash to interact with the Wazuh indexer API. This approach allows for the development of custom workflows that can integrate the indexer data into broader security operations, automate repetitive tasks, or quickly retrieve data for analysis and reporting.

Using Python

The Python requests library allows us to send HTTP requests to the Wazuh Indexer API endpoints. With a Python script, we can automatically handle authentication, parse, and manipulate the Wazuh indexer responses within the script. In the check_wazuh_indexer_health.py script below, we query the Wazuh indexer health status using Python.

import requests
from requests.auth import HTTPBasicAuth

# Base URL and endpoint
Wazuh_indexer_url = "https://localhost:9200"
endpoint = "/_cluster/health"

# Full URL
url = wazuh_indexer_url + endpoint

# Credentials for authentication
username = "<WAZUH_INDEXER_USERNAME>"
password = "<WAZUH_INDEXER_PASSWORD>"

# Disable SSL warnings
requests.packages.urllib3.disable_warnings()

try:
    # GET request to check cluster health
    response = requests.get(url, auth=HTTPBasicAuth(username, password), verify=False)

    # Check if the request was successful
    if response.status_code == 200:
        # Parse and print the response JSON data
        cluster_health = response.json()
        print("Cluster Health Status")
        print(f"Status: {cluster_health['status']}")
        print(f"Number of Nodes: {cluster_health['number_of_nodes']}")
        print(f"Active Primary Shards: {cluster_health['active_primary_shards']}")
        print(f"Active Shards: {cluster_health['active_shards']}")
    else:
        print(f"Failed to retrieve cluster health. Status Code: {response.status_code}")
        print(response.text)

except Exception as e:
    print("Error connecting to Wazuh Indexer:", e)

Replace <WAZUH_INDEXER_USERNAME> and <WAZUH_INDEXER_PASSWORD> with the correct credentials. Follow the steps below to run the script.

Install the Python requests module:
```
# python3 -m pip install requests
```

Run the check_wazuh_indexer_health.py Python script:

# python3 check_wazuh_indexer_health.py

Cluster Health Status
Status: green
Number of Nodes: 1
Active Primary Shards: 16
Active Shards: 16

Note

When using the script in a production environment, it is advised to use environment variables or a secrets manager to secure the authentication credentials from exposure. See Securing the Wazuh indexer API for more information.

The script is run from the Wazuh indexer node. You can run it from a remote host by replacing the value of wazuh_indexer_url with the IP address or hostname of the Wazuh indexer node.

Using Bash

You can also interact with the Wazuh indexer API using a bash script. A bash script is preferable when you do not want to install additional programs like Python. In the following check_wazuh_indexer_health.sh bash script, we query the Wazuh indexer API to retrieve the cluster health status.

#!/bin/bash

# Base URL and endpoint for Wazuh Indexer API
WAZUH_INDEXER_URL="https://localhost:9200"
ENDPOINT="/_cluster/health"
FULL_URL="${WAZUH_INDEXER_URL}${ENDPOINT}"
USERNAME="<WAZUH_INDEXER_USERNAME>"
PASSWORD="<WAZUH_INDEXER_PASSWORD>"

# Make the API request using basic authentication
response=$(curl -s -k -u "$USERNAME:$PASSWORD" "$FULL_URL")
# Check if the request was successful
if [ $? -eq 0 ]; then
  echo "Cluster Health Status:"
  # Check if jq is installed
  if command -v jq > /dev/null; then
    echo "$response" | jq .
  else
    echo "Warning: 'jq' is not installed. Displaying raw JSON response:"
    echo "$response"
  fi
else
  echo "Error: Failed to retrieve cluster health."
fi

Run the check_wazuh_indexer_health script:

# ./check_wazuh_indexer_health

Cluster Health Status:
{
  "cluster_name": "wazuh-cluster",
  "status": "green",
  "timed_out": false,
  "number_of_nodes": 1,
  "number_of_data_nodes": 1,
  "discovered_master": true,
  "discovered_cluster_manager": true,
  "active_primary_shards": 30,
  "active_shards": 30,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 0,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 100
}

Note

The script is run from the Wazuh indexer node. You can run it from a remote host by replacing the value of indexer_url with the IP address or hostname of the Wazuh indexer node.

Understanding the Wazuh indexer API request and response

A standard Wazuh indexer API request consists of three essential components: the request method (GET, POST, PUT, or DELETE), the API URL, which specifies the endpoint being accessed, and user credentials for authentication and authorization of the request. Below is an example cURL request:

# curl -k -u <WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD> -XGET https://localhost:9200/_cluster/health?pretty

The cURL command for each request contains the following fields:

Field	Description
`-X GET/POST/PUT/DELETE`	Specify a request method to use when communicating with the HTTP server.
`http://<WAZUH_INDEXER_IP>:9200/` `<ENDPOINT>` `https://<WAZUH_INDEXER_IP>:9200/` `<ENDPOINT>`	The API URL to use. Specify `http` or `https` depending on whether SSL is activated in the API.
`-k`	Suppress SSL certificate errors (only if you use the default self-signed certificates).
`-u`	Used to specify user credentials for HTTP Basic Authentication. It allows you to provide a username and password required by the indexer API.

The number of documents a single query returns is restricted to 10,000 results. This is controlled by the index.max_result_window setting. If you need more results, you can either:
- Use pagination by adjusting the from and size parameters to paginate the result. This must still be within the 10,000 limit.
- Increase the index.max_result_window value in the cluster settings. This option is not advised as it can increase memory usage and degrade performance.
All responses include an HTTP status code: 2xx (success), 4xx (client error), 5xx (server error), etc.
All requests accept the pretty parameter to convert the JSON response to a more human-readable format.
The Wazuh indexer API stores logs in /var/log/wazuh-indexer/wazuh-cluster.log and /var/log/wazuh-indexer/wazuh-cluster_server.json.

Example response without errors (HTTP status code 200)

{
  "user" : "User [name=admin, backend_roles=[admin], requestedTenant=null]",
  "user_name" : "admin",
  "has_api_access" : true,
  "disabled_endpoints" : { }
}

Example response with errors (HTTP status code 200)

{
  "status" : "NOT_FOUND",
  "message" : "actiongroup 'admin' not found."
}

Example response to report a permission denied error (HTTP status code 403)

{
  "error":{
     "root_cause":[
        {
           "type":"security_exception",
           "reason":"no permissions for [cluster:monitor/main] and User [name=admin, backend_roles=[all_access], requestedTenant=null]"
        }
     ],
     "type":"security_exception",
     "reason":"no permissions for [cluster:monitor/main] and User [name=admin, backend_roles=[all_access], requestedTenant=null]"
  },
  "status":403
}

Example response to report a resource not found exception (HTTPS status code 404)

{
  "error" : {
    "root_cause" : [
      {
        "type" : "index_not_found_exception",
        "reason" : "no such index [testindex]",
        "index" : "testindex",
        "resource.id" : "testindex",
        "resource.type" : "index_or_alias",
        "index_uuid" : "_na_"
      }
    ],
    "type" : "index_not_found_exception",
    "reason" : "no such index [testindex]",
    "index" : "testindex",
    "resource.id" : "testindex",
    "resourcez.type" : "index_or_alias",
    "index_uuid" : "_na_"
  },
  "status" : 404
}

Practical examples of Wazuh indexer API methods

GET

The following GET request retrieves basic information about the Wazuh indexer API, such as its cluster name, version, revision, hostname, and compatibility information.

curl -k -u <WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD> -X GET https://localhost:9200/

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "XUqydNCQTuCnvtXobnRZ8w",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "deb",
    "build_hash" : "9fd1835bba77ae04d48550eb4dc9be4787070806",
    "build_date" : "2024-08-30T10:06:03.028357Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

PUT

The following PUT request to the Wazuh indexer API updates the Wazuh indexer cluster setting to change the value of search.max_buckets to 75000. The search.max_buckets setting controls the maximum aggregation buckets allowed in response to a single query.

# curl -k -u <WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD> -H "Content-Type: application/json" -X PUT "https://localhost:9200/_cluster/settings?pretty" -d '{"transient": {"search.max_buckets": 75000}}'

{
  "acknowledged" : true,
  "persistent" : { },
  "transient" : {
    "search" : {
      "max_buckets" : "75000"
    }
  }
}

DELETE

In this example, we use this DELETE request to remove documents from indexes from a specified time. First, we run a query to list the target indexes:

curl -X POST "https://localhost:9200/wazuh-alerts-4.x-2024*/_search?pretty" \
-H "Content-Type: application/json" \
-u "<WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD>" \
-k \
-d '{
  "query": {
    "range": {
      "@timestamp": {
        "gt": "2024-11-25T00:00:00Z"
      }
    }
  }
}'

In the query above, we query the index wazuh-alerts-4.x-2024 using a wildcard * to match all associated documents in the index pattern. We also use a timestamp query to filter and return only the documents with a timestamp greater than (gt) the specified value.

{
  "took" : 23,
  "timed_out" : false,
  "_shards" : {
    "total" : 30,
    "successful" : 30,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 8,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    ...

In the output above, we observe eight (8) documents matching the query. Next, we use DELETE to remove these documents from the index.

curl -X DELETE "https://localhost:9200/wazuh-alerts-4.x-2024*?pretty" -H "Content-Type: application/json" -u "$indexer_username:$indexer_password" -k -d '{
  "query": {
    "range": {
      "@timestamp": {
        "gt": "2024-11-25T00:00:00Z"
      }
    }
  }
}'

In the output, we see that the query ran successfully.

{
  "acknowledged" : true
}

To verify the documents are deleted, we run the initial query to search for the documents. As seen from the output, no matches indicate that the documents are deleted.

{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 0,
    "successful" : 0,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 0,
      "relation" : "eq"
    },
    "max_score" : 0.0,
    "hits" : [ ]
  }
}

Practical examples of Wazuh indexer API access tools

This section demonstrates how to send requests to the Wazuh indexer API using cURL, Python scripts, Bash scripts, and the Wazuh dashboard. These examples serve as foundational knowledge for more advanced use cases you may envision.

cURL

cURL is a command-line tool for sending HTTP/HTTPS requests and commands. It comes pre-installed on many Linux, macOS, and Windows endpoints, allowing users to interact directly with the Wazuh indexer API from the command line. In the examples below, we store the Wazuh API credentials as environment variables and interact with different endpoints. For detailed instructions on obtaining authentication, please refer to the Logging into the Wazuh indexer API section.

Note

When sending a cURL request that contains JSON data, we must set the content type to JSON using the header -H "Content-Type: application/json"

Python

You can use a Python script to retrieve information about documents from any index in the Wazuh indexer. In this example, we query the wazuh-alerts* index to find the top three (3) users with the most successful logins via SSH on monitored endpoints. The script authenticates with the Wazuh indexer API using any authentication method (we use JWT in this example). Then, it makes a POST request to retrieve the required information.

Save the following Python script as top_successful_login.py:

import requests
import json

# Base URL and endpoint
indexer_url = "https://localhost:9200"
endpoint = "/wazuh-alerts*/_search"
url = indexer_url + endpoint

headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer <WAZUH_INDEXER_JWT>"
}

# Query payload
payload = {
    "size": 0,
    "query": {
        "match": {
            "rule.description": "PAM: Login session opened."
        }
    },
    "aggs": {
        "successful_logins_by_user": {
            "terms": {
                "field": "data.dstuser",
                "size": 3,
                "order": {
                    "_count": "desc"
                }
            }
        }
    }
}

# Disable SSL warnings
requests.packages.urllib3.disable_warnings()

# Execute the API request
try:
    response = requests.post(url, headers=headers, data=json.dumps(payload), verify=False)
    response.raise_for_status()  # Raise an exception for HTTP errors
    result = response.json()  # Parse the JSON response

    # Process and display the results
    print("Top three (3) Users with Most Successful Login Sessions:")
    if "aggregations" in result and "successful_logins_by_users" in result["aggregations"]:
        buckets = result["aggregations"]["successful_logins_by_users"]["buckets"]
        if buckets:
            for user in buckets:
                print(f"User: {user['key']}, Count: {user['doc_count']}")
        else:
            print("No data found for the query.")
    else:
        print("Unexpected response format.")
except requests.exceptions.RequestException as e:
    print(f"Error querying Wazuh API: {e}")

Replace <WAZUH_INDEXER_JWT> with your JWT. An output similar to the one below is observed. In the output, we can see the top three (3) users with the most amount of successful logins recorded:

Top three (3) Users with Most Successful Login Sessions:
User: root(uid=0), Count: 22
User: wazuh(uid=1000), Count: 3
User: test(uid=2000), Count: 2

Bash

In this example, we query the wazuh-alerts* index to find the top three (3) users with the most failed login attempts. The script authenticates with the Wazuh indexer API using the JWT authentication method. In this example, we demonstrate how to export the JWT as an environment variable to avoid putting the token inside the script.

Follow the steps below.

Export your JWT as an environment variable:
```
# export JWT_AUTH_TOKEN="<WAZUH_INDEXER_JWT>"
```
Replace <WAZUH_INDEXER_JWT> with your appropriate JWT.
Verify that the token is exported:
```
# echo $JWT_AUTH_TOKEN
```

Save the following script as top_failed_login.sh:

#!/bin/bash

# Wazuh indexer API URL
WAZUH_INDEXER_URL="https://localhost:9200/wazuh-alerts*/_search"

# JSON query payload
PAYLOAD=$(cat <<EOF
{
  "size": 0,
  "query": {
    "match": {
      "rule.description": "PAM: User login failed."
    }
  },
  "aggs": {
    "failed_logins_by_user": {
      "terms": {
        "field": "data.dstuser",
        "size": 3,
        "order": {
          "_count": "desc"
        }
      }
    }
  }
}
EOF
)

# Execute the API request
RESPONSE=$(curl -s -k -X POST "$WAZUH_INDEXER_URL?pretty" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $JWT_AUTH_TOKEN" \
  -d "$PAYLOAD")

# Check if the response contains valid data
if [[ $? -ne 0 || -z "$RESPONSE" ]]; then
  echo "Error: Failed to fetch data from Wazuh indexer API"
  exit 1
fi

echo "Top three (3) Users with Most Failed Login Session"
echo "$RESPONSE"

Make the script executable:
```
# chmod u+x top_failed_login.sh
```

Run the top_failed_login.sh script:

# ./top_failed_login.sh

...
        {
          "key" : "root",
          "doc_count" : 19
        },
        {
          "key" : "test",
          "doc_count" : 9
        },
        {
          "key" : "nobody",
          "doc_count" : 4
        }
      ]
    }
  }
}

Configuration

Wazuh indexer API configuration file

The Wazuh indexer API configuration is located in the /etc/wazuh-indexer/opensearch.yml file on the Wazuh indexer.

For more information on each of the available settings, check the configuration options. Here are the default settings in the /etc/wazuh-indexer/opensearch.yml configuration file:

network.host: "127.0.0.1"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
cluster.name: "wazuh-cluster"

node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.ssl.http.enabled_ciphers:
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
plugins.security.ssl.http.enabled_protocols:
  - "TLSv1.2"
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

Warning

When running a Wazuh indexer cluster, the master node does not automatically send its local Wazuh indexer API configuration file to the worker nodes. Each node maintains its own Wazuh indexer API configuration. Therefore, if any changes are made to the configuration file on the master node, you must manually update the configuration on each worker node to ensure consistency. Ensure that the IP address and port are not overwritten in each worker's local configuration.

After any change is made to the configuration file, you must restart the Wazuh indexer API using the Wazuh indexer service:

# systemctl start/status/stop/restart wazuh-indexer

# service wazuh-indexer start/status/stop/restart

Wazuh indexer API configuration options

network

Sub-fields	Allowed values	Default value	Description
`host`	A list of valid IP address(es) or hostname(s)	`127.0.0.1`	IP addresses or hostnames of the Wazuh indexer where the Wazuh indexer API is running.
`bind_host`	IP address	`127.0.0.1`	This setting binds a node to an address(es) for incoming connections. The default value is the value specified in the `network.host` setting.
`publish_host`	IP address	`127.0.0.1`	This is the address(es) that a node publishes to other nodes in a cluster to enable them to connect.

Note

The address must be the same as the node address set in the config.yml file used during Wazuh component installation or during certificate generation.

http

Sub-fields	Allowed values	Default value	Description
`port`	Any value between 1 and 65535	`9200-9300`	The port is where the Wazuh indexer API will listen. If a range of ports is specified, the node will bind to the first available port in the range.
`node`	Any valid alphanumeric string	`n/a`	The name of the Wazuh indexer node is defined in the `config.yml` file during certificate generation. For example, node-1.
`max_content_length`	Any valid numerical value. Different units like bytes, kilobytes (KB), megabytes (MB), and gigabytes (GB) are supported.	`100mb`	Sets the maximum payload size for Wazuh indexer API requests.
`connect_timeout`	Any time value followed by a valid unit (i.e. ms, s, m)	`0ms`	Specifies the maximum time the HTTP client will wait to connect with a remote server. Setting the value to 0 disables the timeout.
`max_chunk_size`	Any data size value followed by a valid unit (i.e. b, kb, mb)	`8192b`	Controls the maximum size of a chunk in HTTP responses when chunked transfer encoding is used.
`compression`	`true`, `false`	`false`	This setting enables support for compression using `Accept-Encoding` when applicable. When HTTPS is enabled, the default value is false. Otherwise, the default is `true`. Disabling compression for HTTPS helps mitigate potential security risks, such as BREACH attacks.
`compression_level`	Any integer between 1 - 9	`3`	Specifies the compression level used for HTTP responses when HTTP compression is enabled. The lower the value, the lower the CPU usage and faster response times.
`max_initial_line_length`	Any data size value followed by a valid unit (i.e. b, kb, mb)	`4096b`	Specifies the maximum allowed length of the initial line of an HTTP request. The "initial line" refers to the line containing the HTTP method, URL, and protocol version.
`type`	Any supported HTTP implementation.	`org.opensearch.security.http.SecurityHttpServerTransport`	Specifies the type of HTTP implementation or HTTP server module to use for handling HTTP requests.
`pipelining.max_events`	Any positive integer	`10000`	Controls the maximum number of HTTP pipelined events that the server can handle for a single connection.
`type.default`	Any supported HTTP implementation.	`netty4`	This is the default HTTP server implementation used if no custom `http.type` is explicitly specified.
`content_type.required`	`true`, `false`	`true`	Specifies whether requests sent to the Wazuh indexer must include a Content-Type header (e.g., `application/json`). This setting enforces stricter HTTP request validation, ensuring that the content format is explicitly declared.
`host`	IP address	`[]`	Sets the address for HTTP communication on a Wazuh indexer node.
`publish_port`	Any value between 1 and 65535	`-1`	Specifies the port on which the node advertises its HTTP service to external clients. Setting the value to `-1` uses the value set in `http.port`.
`read_timeout`	Any time value followed by a valid unit (i.e. ms, s, m)	`0ms`	Configures the maximum time the HTTP server will wait for a complete client request to be received. The connection will be closed if the request is not received within the timeframe.
`max_content_length`	Any data size value followed by a valid unit (i.e. b, kb, mb)	`100mb`	Specifies the maximum size of HTTP request bodies that the Wazuh indexer will accept. This includes the payload of incoming HTTP requests, such as documents, bulk operations, or queries.
`bind_host`	IP address	`[]`	Specifies an address(es) a Wazuh indexer node binds to listen for incoming HTTP connections.
`reset_cookies`	`true`, `false`	`false`	Controls whether the Wazuh indexer should send a `Set-Cookie` header with an empty value in HTTP responses, effectively clearing any cookies previously set by the client.
`max_warning_header_count`	Any positive integer	`-1`	Specifies the maximum number of warning headers that can be included in an HTTP response. Setting the value to `-1` means the number of warning headers is unlimited.
`tracer.include`	A glob pattern (wildcard-based) that matches the request's URI. e.g.: /_search, /_bulk, or * (all requests).	`[]`	Specifies which HTTP requests should be included in tracing logs. Tracing logs are detailed logs of incoming and outgoing HTTP requests, primarily used for debugging or monitoring.
`tracer.exclude`	A glob pattern (wildcard-based) that matches the URI of requests. Example: /favicon.ico, /_cat/*.	`[]`	Specifies which HTTP requests should be excluded from tracing logs, even if they match the pattern in `http.tracer.include`.
`max_warning_header_size`	Any data size value followed by a valid unit (i.e. b, kb, mb)	`-1b`	Specifies the maximum cumulative size of all warning headers in an HTTP response. These headers are used to communicate deprecation warnings, potential issues, or other alerts related to the request.
`detailed_errors.enabled`	`true`, `false`	`true`	Controls whether detailed error messages are included in HTTP responses when requests fail.
`max_header_size`	Any data size value followed by a valid unit (i.e. b, kb, mb)	`8192b`	Specifies the maximum size of an HTTP request header that the Wazuh indexer server will accept.
`publish_host`	IP address	`[]`	Specifies the address(es) that a Wazuh indexer node publishes to other nodes for HTTP communication.

http.cors

Sub-fields	Allowed values	Default value	Description
`enabled`	`true`, `false`	`false`	This setting enables or disables Cross-Origin Resource Sharing (CORS) for HTTP requests.
`max-age`	Any time value representing duration in seconds.	`1728000`	Defines how long the results of a preflight request (for CORS) can be cached.
`allow-origin`	Any string representing a domain.	`""`	Specifies which domains are allowed to access the Wazuh indexer. Wildcards are supported.
`allow-headers`	Any HTTP header	`X-Requested-With,Content-Type,Content-Length`	Specifies which HTTP headers can be included in the request.
`allow-credentials`	`true`, `false`	`false`	Controls whether cookies and authentication information (such as HTTP credentials) are included in cross-origin requests made to the Wazuh indexer server.
`allow-methods`	Any HTTP method	`OPTIONS,HEAD,GET,POST,PUT,DELETE`	Defines which HTTP methods (e.g., GET, POST, PUT) are allowed for cross-origin requests.

logger

Sub-fields	Allowed values	Default value	Description
`level`	`TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`	`INFO`	Defines the logging verbosity of the system, controlling what kind of log messages are captured and recorded.

path

Sub-fields	Allowed values	Default value	Description
`data`	Any valid path	`/var/lib/wazuh-indexer`	Specifies a path to the directory where the Wazuh indexer data is stored.
`logs`	Any valid path	`/var/log/wazuh-indexer`	Specifies the path to store Wazuh indexer log files.
`shared_data`	Any valid path	`""`	Specifies the directory path where the Wazuh indexer stores shared data files.
`home`	Any valid path	`/usr/share/wazuh-indexer`	Specifies the root directory where the Wazuh indexer core files and directories are stored.
`repo`	Any valid path	`[]`	Specifies the directory or directories where the Wazuh indexer will store repository data for snapshots and restores.

search

Sub-fields \| Allowed values		Default value	Description
`max_buckets` \| integer		`65535`	This refers to the maximum aggregation buckets allowed in a single search response.
`default_allow_partial_results`	`true`, `false`	`true`	Controls if partial search results are returned or not when a search request times out or a shard encounters an issue. If the search request includes an `allow_partial_search_results` parameter, it will override this default behavior.
`cancel_after_time_interval`	Any time value followed by a valid unit (i.e. ms, s, m)	`-1`	This sets the time to automatically cancel a search request if it exceeds the specified duration. When set to `-1`, there is no timeout.
`search.default_search_timeout`	Any time value followed by a valid unit (i.e. ms, s, m)	`-1`	Defines the default maximum time a query will wait for results before timing out. It helps enforce time limits for searches while allowing partial results if `allow_partial_search_results` is enabled.

Securing the Wazuh indexer API

The communication to the Wazuh indexer API is encrypted with HTTPS by default. This is facilitated by the self-signed certificates generated during installation. Users can also supply their certificates to encrypt the traffic. A user named admin is also created during the installation that has administrative access to the Wazuh indexer API. It is recommended that the default password is changed and CA-signed certificates are used rather than self-signed certificates, especially when the Wazuh indexer is accessible over the internet.

Recommended changes to secure the Wazuh indexer API

Change the default password for the administrative users

The password for the default administrative user admin can be changed via the Wazuh dashboard or through a Wazuh indexer API. On the dashboard, navigate to Index management > Security > Internal users > admin then input and save a new password.

Note

The password should be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character.

To change the user password using the API, we use the _plugins/_security/api/account endpoint. Below is an example of changing the password for the current user using the API:

PUT _plugins/_security/api/account
{
    "current_password": "<OLD_PASSWORD>",
    "password": "<NEW_PASSWORD>"
}

Change <OLD_PASSWORD> and <NEW_PASSWORD> to the corresponding values.

Restrict network access

We advise restricting network access to the Wazuh indexer using network capabilities such as security groups, firewalls, etc., to limit the exposure of the Wazuh indexer API to only trusted networks.

Limit API exposure

Exposing all endpoints can increase the attack surface of the Wazuh indexer API. We can specify the Wazuh indexer API endpoints we want to be accessible using the /etc/wazuh-indexer/opensearch-security/allowlist.yml configuration file. This configuration allows us to specify the HTTP methods and endpoints that can be accessed. The below shows the syntax:

config:
  enabled: true
  requests:
    /<ENDPOINT1>:
      - <HTTP_METHOD1>
      - <HTTP_METHOD2>

    /<ENDPOINT2>:
      - <HTTP_METHOD1>
      - <HTTP_METHOD2>

For example, if we want to add GET and PUT request methods for /_cluster/settings endpoint to the allowlist:

config:
  enabled: true
  requests:
    /_cluster/settings:
      - GET
      - PUT

After a change is made, run the /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh script to load the configuration changes:

# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv

Note

The allowlist.yml configuration works with an explicit deny approach. This means when it is enabled, only the endpoints specified in the allowlist are accessible. This does not apply to the admin user.

Enforce rate limiting

Configuring API rate limiting is a useful control to limit client requests to the Wazuh indexer node within a specified time frame. It helps prevent resource exhaustion caused by excessive or malicious traffic, ensuring the stability and availability of the cluster for all users. Rate limiting safeguards against potential Denial of Service (DoS) attacks and enforces fair usage policies. We have the option to set limits based on usernames or IP addresses. These settings are specified in the /etc/wazuh-indexer/opensearch-security/config.yml configuration file.

The rate limit for username limits the number of authentication trials a user can make before being blocked. The following configuration is an example of the username rate limiting:

auth_failure_listeners:
  internal_authentication_backend_limiting:
    type: username
    authentication_backend: internal
    allowed_tries: 3
    time_window_seconds: 60
    block_expiry_seconds: 60
    max_blocked_clients: 100000
    max_tracked_clients: 100000

The allowed settings are highlighted below.

auth_failure_listeners

Sub-fields	Allowed values	Description
`type`	username, ip	Specifies the type of rate limiting. Set to `username`.
`authentication_backend`	`internal`, `ldap`, `jwt`	Specifies the authentication backend.
`allowed_tries`	Any positive integer	Sets the maximum number of allowed login attempts before blocking the user.
`time_window_seconds`	Any positive integer	Sets the time window to enforce `allowed_tries`. For example, if `allowed_tries` is 3 and `time_window_seconds` is 60, a username has 3 attempts to log in successfully within a 60-second period before login attempts are blocked.
`block_expiry_seconds`	Any positive integer	Sets the time window for a username to remain blocked.
`max_blocked_clients`	Any positive integer	Sets the maximum number of blocked usernames. This limits heap usage to avoid a potential DoS attack.
`max_tracked_clients`	Any positive integer	Sets the maximum number of tracked usernames with failed login attempts. This limits heap usage to avoid a potential DoS attack.
`ignore_hosts`		Specifies a list of IP addresses or hostname patterns to ignore while evaluating rate-limiting rules. `config.dynamic.hosts_resolver_mode` must be set to `ip-hostname` to support hostname matching.

After a change is made, run the /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh script to load the configuration changes:

# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv

Use cases

This section provides several use cases to demonstrate some of the potentials of the Wazuh indexer API.

Exploring alerts

Wazuh stores triggered alerts in the wazuh-alerts* index in the Wazuh indexer; we can use the Wazuh indexer API to query the alerts. In this use case, we identify the most risky users. This is done using the _search endpoint to search through all alerts in the index and aggregate the srcuser field to identify the top three (3) users associated with triggered alerts.

Follow the steps below.

Navigate to Index management > Dev Tools.

Input the following query and execute:

POST /wazuh-alerts*/_search
{
  "size": 0,
  "aggs": {
    "top_risky_users": {
      "terms": {
        "field": "data.dstuser",
        "size": 3,
        "order": { "_count": "desc" }
      }
    }
  }
}

As seen in the response, three different users and their number of occurrences are identified. This depicts the users with the most alerts. This information is useful to security analysts and threat hunters as they prioritize defense and discovery efforts.

{
  "took": 19,
  "timed_out": false,
  "_shards": {
    "total": 9,
    "successful": 9,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 2352,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "top_risky_users": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 10,
      "buckets": [
        {
          "key": "root(uid=0)",
          "doc_count": 21
        },
        {
          "key": "cain",
          "doc_count": 18
        },
        {
          "key": "abel",
          "doc_count": 5
        }
      ]
    }
  }
}

Getting information about the Wazuh indexer configuration

You can retrieve details about the Wazuh indexer through the Wazuh indexer API, such as configuration settings, status, logs, and more. The following example demonstrates how to retrieve the current security configuration (authentication) settings of the Wazuh indexer.

Navigate to Index management > Dev Tools.

Input the following query and execute:

GET _plugins/_security/api/securityconfig

The following output shows us the current authentication settings in the Wazuh indexer.

{
  "config": {
    "dynamic": {
      "filtered_alias_mode": "warn",
      "disable_rest_auth": false,
      "disable_intertransport_auth": false,
      "respect_request_indices_options": false,
      "kibana": {
        "multitenancy_enabled": true,
        "private_tenant_enabled": true,
        "default_tenant": "",
        "server_username": "kibanaserver",
        "index": ".kibana"
      },
      "http": {
        "anonymous_auth_enabled": false,
        "xff": {
          "enabled": false,
          "internalProxies": """192\.168\.0\.10|192\.168\.0\.11""",
          "remoteIpHeader": "X-Forwarded-For"
        }
      },
      "authc": {
        "jwt_auth_domain": {
          "http_enabled": true,
          "order": 0,
          "http_authenticator": {
            "challenge": false,
            "type": "jwt",
            "config": {
              "signing_key": "base64 encoded HMAC key or public RSA/ECDSA pem key",
              "jwt_header": "Authorization",
              "jwt_clock_skew_tolerance_seconds": 30,
              "roles_key": "roles",
              "subject_key": "sub"
            }
          },
          "authentication_backend": {
            "type": "noop",
            "config": {}
          },
          "description": "Authenticate via Json Web Token"
        },
        "ldap": {
          "http_enabled": false,
          "order": 5,
          "http_authenticator": {
            "challenge": false,
            "type": "basic",
            "config": {}
          },
          "authentication_backend": {
            "type": "ldap",
            "config": {
              "enable_ssl": false,
              "enable_start_tls": false,
              "enable_ssl_client_auth": false,
              "verify_hostnames": true,
              "hosts": [
                "localhost:8389"
              ],
              "userbase": "ou=people,dc=example,dc=com",
              "usersearch": "(sAMAccountName={0})"
            }
          },
          "description": "Authenticate via LDAP or Active Directory"
        },
        "basic_internal_auth_domain": {
          "http_enabled": true,
          "order": 4,
          "http_authenticator": {
            "challenge": true,
            "type": "basic",
            "config": {}
          },
          "authentication_backend": {
            "type": "intern",
            "config": {}
          },
          "description": "Authenticate via HTTP Basic against internal users database"
        },
        "proxy_auth_domain": {
          "http_enabled": false,
          "order": 3,
          "http_authenticator": {
            "challenge": false,
            "type": "proxy",
            "config": {
              "user_header": "x-proxy-user",
              "roles_header": "x-proxy-roles"
            }
          },
          "authentication_backend": {
            "type": "noop",
            "config": {}
          },
          "description": "Authenticate via proxy"
        },
        "clientcert_auth_domain": {
          "http_enabled": false,
          "order": 2,
          "http_authenticator": {
            "challenge": false,
            "type": "clientcert",
            "config": {
              "username_attribute": "cn"
            }
          },
          "authentication_backend": {
            "type": "noop",
            "config": {}
          },
          "description": "Authenticate via SSL client certificates"
        },
        "kerberos_auth_domain": {
          "http_enabled": false,
          "order": 6,
          "http_authenticator": {
            "challenge": true,
            "type": "kerberos",
            "config": {
              "krb_debug": false,
              "strip_realm_from_principal": true
            }
          },
          "authentication_backend": {
            "type": "noop",
            "config": {}
          }
        }
      },
      "authz": {
        "roles_from_another_ldap": {
          "http_enabled": false,
          "authorization_backend": {
            "type": "ldap",
            "config": {}
          },
          "description": "Authorize via another Active Directory"
        },
        "roles_from_myldap": {
          "http_enabled": false,
          "authorization_backend": {
            "type": "ldap",
            "config": {
              "enable_ssl": false,
              "enable_start_tls": false,
              "enable_ssl_client_auth": false,
              "verify_hostnames": true,
              "hosts": [
                "localhost:8389"
              ],
              "rolebase": "ou=groups,dc=example,dc=com",
              "rolesearch": "(member={0})",
              "userrolename": "disabled",
              "rolename": "cn",
              "resolve_nested_roles": true,
              "userbase": "ou=people,dc=example,dc=com",
              "usersearch": "(uid={0})"
            }
          },
          "description": "Authorize via LDAP or Active Directory"
        }
      },
      "auth_failure_listeners": {},
      "do_not_fail_on_forbidden": false,
      "multi_rolespan_enabled": true,
      "hosts_resolver_mode": "ip-only",
      "do_not_fail_on_forbidden_empty": false,
      "on_behalf_of": {
        "enabled": false
      }
    }
  }
}

Run a report on cluster health and statistics

Keeping track of the Wazuh indexer health and associated node statistics is important to identify and resolve performance issues promptly. This use case demonstrates how we can programmatically interact with the Wazuh indexer API to generate reports.

Export your Wazuh indexer authentication credentials as environment variables:
```
# export WAZUH_INDEXER_USER= "<WAZUH_INDEXER_USERNAME>"
# export WAZUH_INDEXER_PASS = "<WAZUH_INDEXER_PASSWORD>"
```
Replace <WAZUH_INDEXER_USERNAME> and <WAZUH_INDEXER_PASSWORD> with your Wazuh indexer username and password.

Create a file indexer_check_report.sh and input the following script to the file:

#!/bin/bash

# Configuration
BASE_URL="https://localhost:9200"  # Change IP/hostname if you are not running script locally
DATE=$(date +%Y-%m-%d)
OUTPUT_FILE="wazuh_indexer_report_${DATE}.html"
USER="${WAZUH_INDEXER_USER}"
PASS="${WAZUH_INDEXER_PASS}"

api_request() {
  local endpoint=$1
  curl -s -k -u $USER:$PASS -H "Content-Type: application/json" "$BASE_URL$endpoint"
}

# Fetch cluster health
fetch_cluster_health() {
  api_request "/_cluster/health"
}

# Fetch index statistics
fetch_index_stats() {
  api_request "/_cat/indices?format=json"
}

# Fetch node statistics
fetch_node_stats() {
  api_request "/_nodes/stats"
}

# Format JSON to indented HTML
format_json_html() {
  local json=$1
  echo "$json" | jq '.' | sed 's/&/&amp;/g; s/</\&lt;/g; s/>/\&gt;/g' | awk '{print "<div>" $0 "</div>"}'
}

# Generate HTML report
generate_html_report() {
  local cluster_health=$1
  local index_stats=$2
  local node_stats=$3

  cat <<EOF > \$OUTPUT_FILE

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Wazuh Indexer Report</title>
  <style>
    body { font-family: Arial, sans-serif; }
    h1 { text-align: center; }
    table { width: 100%; border-collapse: collapse; margin: 20px 0; }
    th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
    th { background-color: #f4f4f4; }
    .json-block { font-family: monospace; background-color: #f9f9f9; padding: 10px; border: 1px solid #ddd; overflow-x: auto; }
    .json-block div { white-space: pre; }
  </style>

</head>
<body>
  <h1>Wazuh Indexer Report</h1>
  <h2>Cluster Health</h2>
  <div class="json-block">
    \$(format_json_html "\$cluster_health")
  </div>
  <h2>Index Statistics</h2>
  <table>
    <tr>
      <th>Index</th>
      <th>Status</th>
      <th>Docs Count</th>
      <th>Store Size</th>
    </tr>
EOF

  # Parse and append index stats
  echo "\$index_stats" | jq -r '.[] | "<tr><td>\(.index)</td><td>\(.status)</td><td>\(.docs_count)</td><td>\(.store.size)</td></tr>"' >> \$OUTPUT_FILE

  cat <<EOF >> \$OUTPUT_FILE
  </table>
  <h2>Node Statistics</h2>
  <div class="json-block">
    \$(format_json_html "\$node_stats")
  </div>
</body>
</html>
EOF
}

# Main execution
echo "Fetching cluster health..."
cluster_health=\$(fetch_cluster_health)
echo "Fetching index statistics..."
index_stats=\$(fetch_index_stats)
echo "Fetching node statistics..."
node_stats=\$(fetch_node_stats)

echo "Generating HTML report..."
generate_html_report "\$cluster_health" "\$index_stats" "\$node_stats"
echo "Report generated at \$OUTPUT_FILE"

Execute the indexer_check_report.sh script:
```
# ./indexer_check_report.sh
```

Upon successful execution of the script, a report is created where we can see the cluster health and state of the indexes. The below image shows an example of the report.

Query vulnerability data

Wazuh indexer API also facilitates the querying of vulnerability detection data. Vulnerability data is stored in the wazuh-states-vulnerabilities* index. We can query the index for any vulnerability data. In the example below, we search for a particular CVE CVE-2020-14393 to identify if any monitored endpoint is affected:

GET /wazuh-states-vulnerabilities*/_search
{
  "query": {
    "term": {
      "vulnerability.id": "CVE-2020-14393"
    }
  }
}

The query result below shows the value of hits.total.value key indicates that 1 monitored endpoint is affected by the CVE:

{
  "took": 36,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "max_score": 8.063168,
    "hits": [
      {
        "_index": "wazuh-states-vulnerabilities-wazuh-virtualbox",
        "_id": "001_0004793434acd501b092a6921d3a92a63d8a1d69_CVE-2020-14393",
        "_score": 8.063168,
        "_source": {
          "agent": {
            "id": "001",
            "name": "centosagent",
            "type": "wazuh",
            "version": "v4.9.1"
          },
          "host": {
            "os": {
              "full": "CentOS Linux 7.9.2009",
              "kernel": "3.10.0-1160.119.1.el7.x86_64",
              "name": "CentOS Linux",
              "platform": "centos",
              "type": "centos",
              "version": "7.9.2009"
            }
          },
          "package": {
            "architecture": "x86_64",
            "description": "A database access API for perl",
            "installed": "2022-12-01T19:56:04.000Z",
            "name": "perl-DBI",
            "size": 2008211,
            "type": "rpm",
            "version": "1.627-4.el7"
          },
          "vulnerability": {
            "category": "Packages",
            "classification": "CVSS",
            "description": "A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.",
            "detected_at": "2024-12-11T00:14:31.360Z",
            "enumeration": "CVE",
            "id": "CVE-2020-14393",
            "published_at": "2020-09-16T14:15:12Z",
            "reference": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00074.html, https://bugzilla.redhat.com/show_bug.cgi?id=1877409, https://lists.debian.org/debian-lts-announce/2020/09/msg00026.html, https://metacpan.org/pod/distribution/DBI/Changes#Changes-in-DBI-1.643, http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00067.html, https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXLKODJ7B57GITDEZZXNSHPK4VBYXYHR/",
            "scanner": {
              "vendor": "Wazuh"
            },
            "score": {
              "base": 3.6,
              "version": "2.0"
            },
            "severity": "Low"
          },
          "wazuh": {
            "cluster": {
              "name": "wazuh-VirtualBox"
            },
            "schema": {
              "version": "1.0.0"
            }
          }
        }
      }
    ]
  }
}

Threat hunting

The Wazuh indexer API is helpful during threat hunting exercises where you have to query external systems. This use case demonstrates how we can extract source IPs from alerts and run them against AbuseIPDB; we generate a report showing if the source IP is contained in AbuseIPDB’s bad reputation IP listing. Follow the steps below.

Sign up for a free AbuseIPDB account and obtain an AbuseIPDB API key.
Export your Wazuh indexer authentication credentials and the AbuseIPDB API key as environment variables:
```
# export WAZUH_INDEXER_USER= "<WAZUH_INDEXER_USERNAME>"
# export WAZUH_INDEXER_PASS= "<WAZUH_INDEXER_PASSWORD>"
# export ABUSEIPDB_KEY="<ABUSEIPDB_KEY>"
```
Replace <WAZUH_INDEXER_USERNAME> and <WAZUH_INDEXER_PASSWORD> with your Wazuh indexer username and password. Replace ABUSEIPDB_KEY with your AbuseIPDB API key collected in step 1.

Create a file ip_reputation_check.sh and input the following script to the file:

#!/bin/bash

# Configuration
WAZUH_INDEXER_BASE_URL="https://localhost:9200"  # Add Wazuh indexer IP/Hostname if the script is not executed locally.
INDEX_NAME="wazuh-alerts*"
ABUSEIPDB_API_URL="https://api.abuseipdb.com/api/v2/check"
ABUSEIPDB_API_KEY="${ABUSEIPDB_KEY}"
USER="${WAZUH_INDEXER_USER}"
PASS="${WAZUH_INDEXER_PASS}"
DATE=$(date +%Y-%m-%d)
OUTPUT_FILE="ip_report_${DATE}.html"

# Fetch unique source IP addresses from Wazuh Indexer
fetch_source_ips() {
  curl -s -k -u $USER:$PASS -H "Content-Type: application/json" \
    -X POST "$WAZUH_INDEXER_BASE_URL/$INDEX_NAME/_search" -d '{
      "size": 0,
      "aggs": {
        "unique_ips": {
          "terms": {
            "field": "data.srcip",
            "size": 100
          }
        }
      }
    }' | jq -r '.aggregations.unique_ips.buckets[].key'
}

# Check an IP address against AbuseIPDB
check_ip_abuseipdb() {
  local ip=$1
  curl -s -G "$ABUSEIPDB_API_URL" \
    --data-urlencode "ipAddress=$ip" \
    -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: application/json"
}

# Generate HTML report
generate_html_report() {
  local ips=("$@")

  echo "<!DOCTYPE html>" > $OUTPUT_FILE
  echo "<html><head><title>AbuseIPDB Report</title></head><body>" >> $OUTPUT_FILE
  echo "<h1>AbuseIPDB Report for Source IPs</h1>" >> $OUTPUT_FILE
  echo "<table border='1'><tr><th>IP Address</th><th>Abuse Confidence Score</th><th>Last Reported</th><th>Reports</th></tr>" >> $OUTPUT_FILE

  for ip in "${ips[@]}"; do
    response=$(check_ip_abuseipdb "$ip")
    confidence_score=$(echo "$response" | jq -r '.data.abuseConfidenceScore // "N/A"')
    last_reported=$(echo "$response" | jq -r '.data.lastReportedAt // "N/A"')
    total_reports=$(echo "$response" | jq -r '.data.totalReports // "N/A"')

    echo "<tr><td>$ip</td><td>$confidence_score</td><td>$last_reported</td><td>$total_reports</td></tr>" >> $OUTPUT_FILE
  done

  echo "</table></body></html>" >> $OUTPUT_FILE
}

# Main Script Execution
echo "Fetching source IPs from Wazuh Indexer..."
source_ips=($(fetch_source_ips))

if [ ${#source_ips[@]} -eq 0 ]; then
  echo "No source IPs found."
  exit 1
fi

echo "Found ${#source_ips[@]} unique source IPs. Checking them against AbuseIPDB..."
generate_html_report "${source_ips[@]}"

echo "Report generated: $OUTPUT_FILE"

Execute the ip_reputation_check.sh script:
```
# ./ip_threat_hunt.sh
```

Upon successful execution of the script, a report is created as seen in the image below.

Reference

Wazuh dashboard

The Wazuh dashboard is a central component for analyzing and visualizing security data. It allows users to oversee and interpret security information generated from various sources. With its intuitive interface, users can create dynamic visualizations, customize views, and delve into detailed investigations of security incidents.

The Wazuh dashboard facilitates real-time monitoring of system health and security events. It also aids in compliance management and threat detection, making it a useful for security professionals aiming to fortify their organization's cybersecurity posture.

Browser compatibility

The Wazuh dashboard supports the following web browsers:

Chrome 95 or later
Firefox 93 or later
Safari 13.7 or later

Other Chromium-based browsers might also work. Internet Explorer 11 is not supported.

The following section provides an overview of the Wazuh dashboard, covering topics from navigating the user interface to troubleshooting.

Navigating the Wazuh dashboard

Dashboards

The Wazuh dashboard is designed to provide an overview of security-related incidents and activities in your environment in real-time. The Wazuh dashboard aggregates and visualizes data from different sources, enabling administrators and security analysts to identify and respond to potential threats. It features a user-friendly interface that displays dashboards for endpoint security, threat intelligence, security operations and cloud security. It also shows the summary for the connected or disconnected Wazuh agents, and highlights the severity levels of alerts triggered within the last 24 hours.

Endpoint security

This section shows dashboards for:

Threat intelligence

This section shows dashboards for:

Security operations

This section shows the dashboards for IT hygiene data such as system inventory data and vulnerabilities, and regulatory standards including:

Cloud security

This section shows dashboards for:

Agents management

Wazuh agents management offers options for managing agents, agent groups, and agent configurations.

Summary

This section shows details of monitored endpoints and options for deploying Wazuh agents.

Endpoint Groups

Users can view existing groups, create new endpoint groups, and organize endpoints based on these groups.

Server management

Wazuh server management offers options for managing rules, decoders, CDB lists, clusters, security configurations such as user, roles, policies and more.

Rules

The Rules section allows users to query existing rules using Wazuh Query Language and manage custom rules.

Decoders

The Decoders section allows users to query existing decoders using Wazuh Query Language and manage custom decoders.

Constant Database (CDB) lists

A CDB list is a text file you can use to save a list of users, file hashes, IP addresses, and domain names. CDB lists can act as either allow or deny lists. You can learn more about CDB lists in the documentation.

Navigating the Wazuh dashboard: CDB lists

Status

Users can view the status of different Wazuh daemons, the overall Wazuh agent status, Wazuh manager information, and more.

Cluster

The Cluster section shows the information about your Wazuh cluster.

Statistics

Statistics of the Listener Engine and Analysis Engine of the Wazuh server are visible in this section.

Logs

Logs stored in /var/ossec/logs/ossec.log in the Wazuh manager are shown in the section below.

Settings

Users can modify the Wazuh server configuration file located at /var/ossec/etc/ossec.conf from the Wazuh dashboard.

Dev Tools

Users can make API calls to extract detailed information about security events, Wazuh agents, inventory, vulnerabilities, and more.

Ruleset Test

The Ruleset Test option allows users to test Wazuh rules from the Wazuh dashboard.

Security

This section includes the configurations for managing the internal users in Wazuh. It is available.

The Roles tab shows the existing roles alongside the Policies assigned to those roles. It also includes the option for creating users.

Navigating the Wazuh dashboard: Security: Roles

The Policies tab shows the policies that define the actions that can be performed by the internal users. These policies are assigned to Roles.

Navigating the Wazuh dashboard: Security: Policies

The Roles mapping tab presents users with the option to assign different roles and policies to internal users.

Navigating the Wazuh dashboard: Security: Roles mapping

Index management

The Wazuh indexer is a real-time, full-text search and analytics engine for security data. Log data ingested into the Wazuh server is analyzed and forwarded to the Wazuh indexer for indexing and storage.

Index and Snapshot Management

The Wazuh indexer management menu provides a graphical user interface for managing your Wazuh indexers, snapshots, and the security of who or what has access to them. Please see the Wazuh indexer documentation to find out more.

Security

This section includes the configuration for access to Wazuh resources based on the roles and permissions assigned to the users. Please see the Wazuh RBAC documentation to find out more.

Sample Data

This section gives you the option of adding sample data to any of the listed modules. These data can be seen on the module dashboard, giving you insight into how these modules can be utilized to your benefit.

Dev Tools

This section allows you to make API queries for Wazuh indexer operations, such as cluster management, exploring indexer data, debugging errors, and more.

Dashboard management

Dashboard Management

The Wazuh Dashboard Management section includes the options for creating and managing your index patterns, saved objects, and advanced settings you can make to your Wazuh dashboard.

Navigating the Wazuh dashboard: Dashboards management

Reporting

The reporting section shows your generated reports.

Server APIs

In this section, you can list all your inserted API credentials. Each entry has multiple available actions to manage it. Remember that a functional API is needed to add or edit an entry. Check your API connection status before adding them to the Wazuh dashboard.

Navigating the Wazuh dashboard: API connections

Users can also receive notifications when a new Wazuh update is available, with the option to dismiss these notifications. You can opt out of future alerts by checking the Disable updates notifications option.

App Settings

The Configuration tab gives a quick look at the Wazuh dashboard configuration file. It also allows the user to modify the Wazuh dashboard settings. The documentation for the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml file can be found in the Wazuh dashboard settings section.

From the Miscellaneous tab, you can run a health check on the Wazuh components.

Navigating the Wazuh dashboard: App settings - Miscellaneous

About

This section provides information about your currently installed Wazuh dashboard package, such as version, revision, and installation date. If you want to discover what's new on each release, you can go to our Changelog file to check it out.

Creating custom dashboards

This section describes the process of creating a set of custom visualizations using the Wazuh dashboard component. We also show how to add individually created visualizations together to create a custom dashboard.

Visualizing the data

Data visualization enhances the ability to comprehend complex security data by providing a visual representation. This representation reveals patterns, trends, anomalies, and insights. This simplifies the interpretation of large datasets and makes it easier to identify security threats, assess the overall state of security, and make informed decisions.

There are different visualization techniques that can help make data clear and appealing. These visuals can be saved, combined for dashboards, and shared with others using the Wazuh dashboard.

We will cover the practical aspect of dashboard creation by creating different types of visualizations in the Wazuh dashboard and then integrating the visualizations to create a custom dashboard.

Creating visualizations

To create a visualization, click the upper-left menu icon and navigate to Explore > Visualize. This action will open a page where a list of visualizations is displayed if any have already been created. If not, the page will display a Create new visualization button.

Click on Create new visualization, and then select the visualization type from the New Visualization screen. This screen presents various visualization types, as shown below:

Choose the visualization option that best suits your data by clicking on the visualization type box. Here, we selected the Area chart visualization.

After selecting the visualization type, for most of the visualization types, the next step is to choose the desired index to work with. This will be the data source that the visualization will be built on. The visualization type selected will redirect you to the screen displayed below.

Wazuh dashboard aggregation

The Wazuh dashboard visualization contains two main aggregation objects:

Metrics aggregation.
Bucket aggregation.

Metric aggregation

Metric aggregation calculates metrics by aggregating data values. This contains the actual values of the metric to be calculated. Metric aggregation is typically represented on the Y-axis.

There are different types of metric aggregations as shown below:

Average: This is the average of a numeric field. It calculates the arithmetic mean of an existing set of data values. The average is obtained by adding up all the data values and dividing their sum by the total count.

Average aggregation helps in calculating the average duration of security incidents, average severity score of alerts, average response time to resolve incidents, and more.
Count: This is the number of data values that match a query within the selected index pattern. It counts the number of data points in a set and provides the total count of a queried event.

Count aggregation helps determine the total number of security events, the number of alerts triggered by a specific rule, the number of failed login attempts, and more.
Max: This is the maximum value of a numeric field within a selected index pattern. Max identifies the highest value among a group of values.

Max aggregation helps identify the maximum severity level of alerts, maximum CPU usage, and more.
Median: This is the median value in a numeric field. Median determines the middle value in a sorted set of values within a selected index pattern by separating the higher half from the lower half of the data.

Median aggregation helps to provide the middle value of event durations, helping to identify the typical or median response time.
Min: This is the minimum value in a numeric field set. Min identifies the lowest value among a group of values.

Min aggregation helps determine the minimum severity level of alerts, minimum disk space usage, minimum number of successful logins, and more.
Percentile Ranks: This is the ranking for values within a given numeric field in percentile. Percentile rank calculates the percentage of values below a specific value in a set and expresses how a given value compares to the distribution of the data.

Percentile rank aggregation helps in assessing the relative severity of alerts in comparison to the entire dataset. This determines the percentile rank of a specific severity score.
Percentile: This aggregation changes numeric field values into percentile bands. Percentile identifies specific data values that correspond to specific percentiles. For example, the 90th percentile represents the value below which 90% of the data falls.
Standard Deviation: This measures the amount of variation in a set of numeric field values. It evaluates the average distance between each value and the mean value.

Standard deviation aggregation can help identify changes in event durations. This provides insights into the volatility or stability of security events.
Sum: This is the total sum of a numeric field. Sum calculates the total sum of a set of values by adding up all the values in the dataset within a selected index pattern.

Sum aggregation helps in determining the total count of specific event types, the total number of successful logins, the total disk space used, and more.
Top Hit: This aggregation identifies the top data point based on a specified criteria or sort order. Top hit is commonly used to extract specific information from the dataset based on the top metric.

Top hit aggregation helps in extracting key information from security events, such as retrieving the most recent log entry for a particular host or user.
Unique Count: This is the count of unique values within a designated field. It counts the number of unique or distinct values in a set. Unique count disregards any duplicate event and provides the count of unique values.

Unique count aggregation helps in determining the number of distinct IP addresses accessing a system, the number of unique users triggering alerts, the count of unique event types, and more.

Parent pipeline aggregations

This category of pipeline aggregations is able to compute new buckets based on other parent aggregations.

Cumulative Sum: This is the calculation of the running sum of a metric across a specified set of data points. It shows the progressive total as each data point is added. Cumulative sum aggregation can be used to track the total count of security events over time, providing insights into the cumulative impact of incidents.
Derivative: This is the calculation of the rate of change of values over time. Derivative is the difference between consecutive values in a time series or dataset. Derivative aggregation helps in calculating the rate of change in event counts or severity scores. This enables the detection of sudden spikes or anomalies.
Moving Avg: This is the calculation of the average of a metric over a moving window of data points. It provides a neat representation of the data, hence reducing noise or fluctuations. Moving average aggregation helps in smoothing out fluctuations in event counts or resource usage, enabling trend analysis or anomaly detection.
Serial Diff: This is the difference between consecutive values in a time series or ordered dataset. It measures the absolute change from one data point to the next. Serial diff aggregation helps in identifying the difference in event counts or resource usage between consecutive data points, showing changes or trends.

Sibling pipeline aggregations

This category of aggregations computes new aggregations which will be at the same level as the sibling aggregation from which its input was provided from.

Average Bucket: This is the average value of a metric within each bucket of a specified aggregation. Average bucket provides the average value per group or category. Average bucket aggregation helps in calculating the average severity score or event count within specific time intervals or categories.
Max Bucket: This is the maximum value of a metric within each bucket of a specified aggregation. It identifies the highest value per group. Max bucket aggregation enables the identification of the maximum severity level or event count within specific time intervals or categories.
Min Bucket: This is the minimum value of a metric within each bucket of a specified aggregation. It identifies the lowest value per group or category. Min bucket aggregation helps identify the minimum severity level or event count within specific time intervals or categories.
Sum Bucket: This is the total sum of a metric within each bucket of a specified aggregation. It adds up the values per group. Sum bucket aggregation helps in calculating the total count or severity score within specific time intervals or categories.

Bucket aggregation

This is used to determine the type of information we are trying to get from the dataset. The bucket aggregation determines how the data is segmented or grouped such as by date. It is typically represented on the X-axis.

The following are the types of bucket aggregations:

Date Histogram: This aggregation is used to display data organized by a date.
Date Range: This aggregation is used to report the values within a date range which we can specify.
Filters: This aggregation is used to apply filters on data.
Histogram: This aggregation is used for numeric fields, where we can provide the integer interval for the selected field.
IPv4 Range: This aggregation provides us with the option to set the range using IPv4 addresses.
Range: This aggregation is used to provide the range of numeric field values.
Significant Terms: This aggregation returns interesting or unusual occurrences of terms in a set.
Terms: This aggregation enables us to pick the top or bottom n elements of the selected field.

Both the Y-axis and the X-axis are used to plot the data points on a visualization chart.

Basic charts

The following is a list of the basic charts for visualization:

Bar, area, and line charts: These charts are used for comparing different series in x-axis and y-axis.
Pie charts: These charts are used when all of the fields are related to each other.
Heat maps: These are used to shade the cells within a matrix.

Bar charts

Bar charts are a type of visualization that is used to compare specific measures for different data categories. These are the most common types of visualization and are easy to create and interpret. Bar charts are used to present categorical data in the form of rectangular bars with heights/lengths that are proportional to the given values.

Creating a Bar chart

Horizontal Bar: This is a type of bar chart where rectangular bars are displayed horizontally. The length or width of each bar corresponds to a particular value. This allows an easy comparison between different data points. Horizontal bar charts are often used to visualize data that has distinct categories or to show rankings.

The steps below show how to create a horizontal bar visualization that shows varying numbers of MITRE tactics detected within a set timeframe.

Click Create new visualization from the Visualize tab, select the Horizontal Bar visualization format and use wazuh-alerts-* as the index pattern name.
Set the following value in the Data section, on the Y-axis, in Metrics:
- Aggregation = Count
Add a X-axis in Bucket and set the following values:
- Aggregation = Terms
- Field = rule.mitre.tactic
- Order by = Metric: Count
- Order = Descending
- Size = 10
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

Vertical Bar: This is a type of bar chart where the bars are displayed vertically, with the length or height of each bar representing a particular value. Vertical bar charts are suitable for comparing data across different categories. They are commonly used to display rankings, comparisons, or the distribution of values.

The steps below detail how to create a vertical bar visualization that shows varying numbers of MITRE tactics detected within a set timeframe.

Click Create new visualization from the Visualize tab, select the Vertical Bar visualization format and use wazuh-alerts-* as the index pattern name.
Set the following value in the Data section, on the Y-axis, in Metrics:
- Aggregation = Count
Add a X-axis in Bucket and set the following values:
- Aggregation = Terms
- Field = rule.mitre.tactic
- Order by = Metric: Count
- Order = Descending
- Size = 10
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

Pie charts

This is a circular chart that is divided into sectors, with each sector representing a percentage of a whole data set. They are commonly used to show market share, composition of data, or distribution of categories. The total slice size of a pie chart is calculated by the metrics aggregation. In the case of a pie chart, we use the count, sum, and unique count.

The steps below show how to create a Pie chart visualization that shows MITRE tactics count within a timeframe.

Creating a Pie chart

Click Create new visualization from the Visualize tab, select the Pie visualization format and use wazuh-alerts-* as the index pattern name.
Set the following value in the Data section, on the Slice size, in Metrics:
- Aggregation = Count
Add a Split slices in Bucket and set the following values:
- Aggregation = Terms
- Field = rule.mitre.tactic
- Order by = Metric: Count
- Order = Descending
- Size = 10
Customize the Pie chart by toggling on show label in the Options section.
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

Area charts

This is used to display graphically quantitative data using filled-in areas. The areas between axes and lines are typically filled with colors or patterns to differentiate between different categories or data points. This emphasizes the quantity beneath a line chart. Area charts are useful for showing the magnitude and distribution of data over time or categories. They are often used to display trends, comparisons, or cumulative values.

The steps below show how to create an Area chart that visualizes a histogram of Wazuh rule levels and their maximum fired times.

Creating an Area chart

Click Create new visualization from the Visualize tab, select the Area visualization format, and use wazuh-alerts-* as the index pattern name.
Set the following value in the Data section, on the Y-axis, in Metrics:
- Aggregation = Max
- Field = rule.level
Add another Y-axis in Metric and set the following values:
- Aggregation = Max
- Field = rule.firedtimes
Add an X-axis in Bucket and set the following values:
- Aggregation = Date Histogram
- Field = timestamp
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

Line charts

This visualization represents data points connected by straight lines. It is commonly used to display trends, patterns, relationships over time or a continuous range. By plotting data along a Cartesian coordinate system, lines are drawn to connect the data points. This provides a clear depiction of how the values change.

The steps below show how to create a Line chart that visualizes the Wazuh rule levels triggered maximum times within a timeframe.

Creating a Line chart

Click Create new visualization from the Visualize tab, select the Line visualization format, and use wazuh-alerts-* as the index pattern name.
Set the following value in the Data section, on the Y-axis, in Metrics:
- Aggregation = Max
- Field = rule.level
Add an X-axis in Buckets and set the following values:
- Aggregation = Date Histogram
- Field = timestamp
- Minimum interval = Minute
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

Heat maps

This is a graphical representation that uses colors to visualize the density of certain variables. Heat maps display data points as colored cells, with each color representing a different value or level of intensity. Heat maps are useful for identifying patterns, trends, or variations within a dataset.

The steps below show how to create a Heat map that visualizes the mapping of MITRE tactics and techniques.

Creating a Heat Map

Click Create new visualization from the Visualize tab, select the Heat Map visualization format, and use wazuh-alerts-* as the index pattern name.
Set the following value in the Data section, on the Y-axis, in Metrics:
- Aggregation = Count
Add an X-axis in Buckets and set the following values:
- Aggregation = Terms
- Field = rule.mitre.tactic
- Order by = Metric: Count
- Order = Descending
- Size = 5
Add a Y-axis in Buckets and set the following values:
- Aggregation = Terms
- Field = rule.mitre.techniques
- Order by = Metric: Count
- Order = Descending
- Size = 5
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

Data

Data metric visualization is a single number that displays any count or calculation.

The following is a list of data visualizations:

Data table: This is where the data is shown in tabular form.
Metric: This is where a single number is displayed, which we can use to show any important metric data.
Goal and gauge: This is used when we want to display any progress.

Data table

This is a tabular representation of data that is organized into rows and columns. It provides a structured format to display and analyze data. Each row represents a specific entry, and each column represents a different variable. Data tables are widely used for data analysis, reporting, and providing a clear overview of multiple variables.

The following steps show how to create a Data table to visualize the maximum count of Wazuh rule levels that were triggered.

Creating a Data table

Click Create new visualization from the Visualize tab, select the Data Table visualization format and use wazuh-alerts-* as the index pattern name.
Set the following metrics in the Data section:
- Aggregation = Max
- Field = rule.level
Add an additional metric
- Aggregation = Max
- Field = rule.firedtimes
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

Metric

This is a quantifiable measurement that is used to evaluate performance, progress, or specific characteristics. Metric represents a calculation as a single numerical value. They are applicable in various domains, including business analytics, key performance indicators (KPIs), and performance monitoring.

The following steps show how to create a Metric to visualize the maximum number of rule levels that triggered alerts.

Creating a Metric

Click Create new visualization from the Visualize tab, select the Metric visualization format and use wazuh-alerts-* as the index pattern name.
Set the following metrics in the Data section:
- Aggregation = Max
- Field = rule.level
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

Goal

This refers to the desired target that an individual or organization aims to achieve. It represents a specific purpose and serves as a benchmark for measuring progress and achieving a final goal. Goal visualization helps display progress toward a defined target, often represented as a percentage or count, making it easier to interpret key metrics at a glance.

The steps below show how to create Goals to visualize the Security Configuration Assessment (SCA) policy status in percentage and counts.

Creating a Goal

Click Create new visualization from the Visualize tab, select the Goal visualization format and use wazuh-alerts-* as the index pattern name.
Set the following metrics in the Data section:
- Aggregation = Max
- Field = data.sca.passed
Add a Split group in Buckets and set the following values:
- Aggregation = Terms
- Field = data.sca.total_checks
Customize the Ranges to match the range of existing SCA rules in the Options section. This ensures the visualization accurately reflects the scale of checks (e.g., from 0 to the maximum number of checks).
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

Gauge

This is a visualization that is represented as a meter. It is commonly used to display a single value within a specific range. The gauge consists of a pointer that shows the current value. This is displayed as a position along a circular or linear scale. Gauges are used to indicate progress, performance metrics, or levels of achievement. It shows how a metric’s value relates to reference threshold values.

The steps below show how to create a Gauge to visualize the SCA failed counts.

Creating a Gauge

Click Create new visualization from the Visualize tab, select the Gauge visualization format, and use wazuh-alerts-* as the index pattern name.
Set the following metrics in the Data section:
- Aggregation = unique_count
- Field = data.sca.failed
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

Maps

These are visual representations of geographical regions. Maps display spatial data, such as locations, boundaries, or distributions, on a graphical interface. They provide a means to explore and analyze geographic information, making them valuable for various applications, including navigation, data visualization, and spatial analysis.

The steps below show how to create a geographic map.

Creating a map

Click Create new visualization from the Visualize tab, select the Maps visualization format.
Click on Add layer.
Select Documents as the Data layer.
Set the following values in the New layer:
- Data source = wazuh-alerts-*
- Geospatial field = GeoLocation.location
- Number of documents = 1000
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

The following is a list of maps used in visualization:

Coordinate map: This can be used for linking the aggregation of data fields with geographic locations.
Region map: This is a kind of thematic map where we use color intensity to show a metric's value with locations.

Coordinate Map

This uses geographic coordinates to display data points or regions on a map. Coordinate maps allow you to plot and visualize information in relation to specific locations or geographical areas. By using latitude and longitude coordinates, you can represent data in a spatial context.

Coordinate maps are ideal for plotting latitude and longitude coordinates. This allows the visualization of spatial data, such as locations, regions, or density. They are commonly used in geographical analysis, tracking data by location, or displaying demographic information.

The steps below show how to create a coordinate map based on the origin location.

Creating a Coordinate map

Click Create new visualization from the Visualize tab, select the Coordinate Map visualization format, and use wazuh-alerts-* as the index pattern name.
Set the following values on the Metric in Data:
- Aggregation = Count
Add a Geo coordinate in Buckets and set the following values:
- Aggregation = Geohash
- Field = GeoLocation.location
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

Region Map

This is a map-based visualization that displays data by dividing regions into distinct boundaries. Region maps are suitable for displaying data at a territorial level. They are often used in geopolitical analysis, demographic comparisons, or election results.

The steps below show how to create a region map based on the destination country.

Create region map

Click Create new visualization from the Visualize tab, select the Region Map visualization format and use wazuh-alerts-* as the index pattern name.
Set the following values on the Metric in Data:
- Aggregation = Count
Add a Shape field in Buckets and set the following values:
- Aggregation = Terms
- Field = GeoLocation.country_name
- Order by = Metric: Count
- Order = Descending
Select Name as Join field under the Layer Options tab.
Click the Update button.
Click the Save button in the top right corner and assign a title to save the visualization.

Time series

The following is a list of time series used in visualization:

VisBuilder: This is used to display the results from single or multiple indices by combining data from multiple time series datasets.
Time series visual builder: This is used to visualize time series data using data aggregations.

VisBuilder

Visualization Builder is an intuitive tool that allows users to create customized visualizations without programming knowledge. It is beneficial for users who want to quickly generate visual representations of their data without extensive technical knowledge.

As of the time of writing this document, this visualization is experimental. The design and implementation are less mature than stable visualizations and might be subject to change.

The steps below show how to use Visualization Builder to present MITRE technique and tactics.

Creating a Visualization Builder

Click Create new visualization from the Visualize tab, select the VisBuilder visualization format and use wazuh-alerts-* as the index pattern name.
Drag a field to the configuration panel to generate a visualization.
Set aggregation to count on the Y-axis.
Set rule.mitre.technique on an X-axis.
Set rule.mitre.tactics on the split series.
Click the Save button in the top right corner and assign a title to save the visualization.

TSVB

Time Series Visual Builder (TSVB) is a component of the Wazuh dashboard that allows users to create visualizations and analyze time series data using a visual pipeline interface. It provides features such as aggregations, filters, and metrics specifically tailored for time-based analysis.

The steps below show how to use Time Series Visual Builder to visualize MITRE tactics count within a timeframe.

Creating a TSVB

Select the TSVB visualization format from the Visualize tab.
Set the following values on the Metric in Data:
- Aggregation = Count
- Group by = Terms
- By = rule.mitre.tactic
- Top = 10
- Order by = Doc Count (default)
- Direction = Descending
Click the Save button in the top right corner and assign a title to save the visualization.

Others

Here are some other items that are used in visualization:

Tag cloud: This is where selected field values are picked for creating a cloud of words.
Markdown: This will display a form for showing information or instructions.

Markdown

Markdown is a lightweight markup language that is used for formatting text. It allows users to add structure, emphasis, and styling to plain text documents, without the need for complex coding. Markdown is often utilized in documentation, websites, and note-taking applications to create easily readable and formatted content.

Creating a markdown

Click Create new visualization from the Visualize tab, select the Markdown visualization format, and use wazuh-alerts-* as the index pattern name.
Add the text content in the given text-area on the Data tab.
Increase or decrease the font using the controller on the Options tab.
Click on the Update button to show the markdown:
Click the Save button in the top right corner and assign a title to save the visualization.

Controls

These are interactive tools that provide users with the ability to manipulate or adjust parameters or settings within a software application or user interface. These controls enable users to customize their experience or modify certain aspects of the system according to their preferences. Controls are typically used in interactive applications or interfaces where users need to adjust settings, parameters, or filters to customize their experience or analyze specific aspects of the data.

As at the time of writing this document, this visualization is experimental. The design and implementation are less mature than stable visualizations and might be subject to change.

Creating controls

Click Create new visualization from the Visualize tab, select the Controls visualization format.
Add a new Options list and set the control Label as MITRE tactic.
Choose a source for the chart. Here we selected wazuh-alerts-* as the index to use.
Select the field rule.mitre.tactic.
Add a new Range slider and set the control Label as Quantity.
Select wazuh-alerts-* as the index to use.
Select rule.level as the Field.
Click the Update button.
Click the upper-right Save button and assign a title to save the visualization.

Gantt Chart

This is a visualization that is used to illustrate project schedules or timelines. It displays a horizontal bar for each task or activity, representing its start and end dates. The length of the bars indicates the duration of each task, and they are arranged along a timeline to demonstrate the order and duration of various project activities.

Gantt charts are valuable for project management or scheduling tasks over time. They help in visualizing project timelines, dependencies, and resource allocation.

Creating a Gantt chart

Click Create new visualization from the Visualize tab, select the Gantt Chart visualization format and use wazuh-alerts-* as the index pattern name.
Select a log data on the Metric in Metrics data, under Event.
Select a timestamp field for the start of a schedule on the Start time field for the Event. This is the timestamp used for the beginning of the selected Event.
Select a time interval field for the Event duration on the Duration field for the Event. This is the amount of time that is added to the start time.
Select the number of events that will be shown on the chart on the Results field. The events will be sequenced based on the Start time, from the earliest to the latest.
Navigate to the Panel settings to adjust the colors, axis labels and time format.
Click the Update button.
Click the upper-right Save button and assign a title to save the visualization.

Hover over a bar to see the duration of that event.

Timeline

This is a chronological display of events or activities, often depicted as a horizontal line with dates or time periods marked along it. Timeline builds time-series using functional expressions.

They are commonly used in historical analysis, project planning, or storytelling.

Creating Timeline

Click Create new visualization from the Visualize tab, and select the Timeline visualization format.
Choose a source for the chart. In the Timeline expression windows, within .opensearch(*). The expression .opensearch(*) is a wildcard value that represents all the indexes currently within the Wazuh indexer, combined together. Here we selected wazuh-alerts-* as the index to use.
```
.opensearch(index=wazuh-alerts-*)
```
Where:
- Index represents the data storage unit containing the data to be used for visualization.
- Interval represents the time duration between data points or events.
- Timefield represents a specific field in a dataset that holds timestamp or time information for each data point.
- Metric represents the quantitative measure to be used from the data.
- Offset is used to adjust the time displayed on the timeline for aligning with specific events.
- opensearchDashboards represents a platform that provides a web-based interface for visualizing and exploring real-time data.
- Q represents a query or set of queries used to filter and retrieve specific data for display.
- Split represents the function that divides or groups data into segments based on a specified parameter for visualization and analysis.
A sample query:
.opensearch(index=wazuh-alerts-*, timefield=@timestamp, metric=count:request).aggregate(function=avg)

Vega

This is a versatile declarative language for creating interactive visualizations. It allows users to define visualizations using JSON syntax. It allows users to define complex visualizations using JSON syntax and is suitable for advanced data visualization needs.

Creating a dashboard

Dashboards transform your data from one or more single visualization perspectives into a group of visualizations that provide a clear representation of your data. This allows you to concentrate solely on the data that matters to you by presenting a dynamic representation of your data.

To create a custom dashboard, do the following:

Click on the upper-left menu icon and navigate to Explore > Dashboards > Create new dashboard.
Click Add an existing and select the newly created visualizations to populate the dashboard.
Save the dashboard by selecting the Save option on the top-right navigation bar.

Filtering data using Wazuh Query Language (WQL)

Wazuh Query Language (WQL) is a text-based language designed to allow users to perform advanced data filtering in the Wazuh dashboard. WQL stands out with its user-friendly syntax which leverages the Wazuh server API to facilitate advanced data analysis to gain security insights.

Beyond basic data retrieval, WQL extends the functionality of the Wazuh dashboard search bars, particularly within specialized tabs. This provides a seamless user experience, allowing for intuitive navigation and data manipulation on the Wazuh dashboard.

This guide shows the specifics of operators, values, separators, and the unique syntax of WQL. With WQL, you can filter for specific threat group names or conduct a broad search for related terms. WQL is case-sensitive, meaning it differentiates between uppercase and lowercase letters. Therefore, when writing queries, it is important to use the correct case for identifiers, keywords, and other elements to ensure accurate and effective query execution.

The WQL expands the search bar functionality to specialized tabs on the Wazuh dashboard. These tabs include the following:

Endpoint summary
MITRE ATT&CK Intelligence
Agent Inventory data
Rule management
Decoder management
CDB list management
Group management

WQL queries

WQL enables precise data retrieval by defining detailed criteria. This approach requires defining the field, operator, and value, ensuring the return of accurate and relevant data. The structure of these queries follows a simple pattern: fieldname operator value.

Field name

In WQL, "Field name" indicates the particular data type you want to filter, serving as the starting point in a query. It precedes the operator, pinpointing the exact data segment for targeted text searches. The image below demonstrates the WQL search bar in action on the MITRE ATT&CK > Intelligence tab. A click on the search bar reveals all available field names, enhancing user guidance and intuition.

The Wazuh dashboard displays a validation error if you use an incorrect field name.

Intelligence - Field names validation error

Operators

In the Wazuh Query Language, operators enable precise data filtering and guide the flow of operations to generate desired outcomes. The key operators in WQL are:

= for equality
!= for inequality
> for greater than
< for less than
~ for like as

Equality (=)

This filter operator is used to find exact matches within a dataset. It is also known as equals to and is denoted by the symbol =. For example, you can filter by entities whose os.name is equal to a specific value such as “Debian”.

Inequality (!=)

This filter operator finds all data that do not match the specified value within a dataset. It is also known as not equal to and denoted by the symbol !=. For example, you can filter by entities whose network protocol does not equal a specific value, such as ipv6.

Greater than ( > )

This greater than (>) operator filters values exceeding a specified threshold in a dataset. For example, you can filter by entities whose local port number is greater than a specific value such as 36271 with the query local.port>36271.

Less than (<)

This less than (<) operator filters values below a specified limit in a dataset. For example, you can filter by entities whose local port number is less than a specific value such as 53770 with the query local.port<53770.

Like as (~)

The like as operator (~) enables pattern matching, allowing data retrieval when a specified field matches a given pattern. It offers flexibility by finding records with partial matches. For example, the image below shows how to filter threat groups with names similar to “APT1”:

Consider a query aimed at finding descriptions that include the terms "threat group" shown below:

The query matches documents containing any search terms, irrespective of their order. By default, the query logic treats multiple search terms inclusively, using an or combination.

Value

Value is the specific data that is being filtered for. It represents the condition used to narrow down the results of a query. For instance, to display an entity named wazuh-agent, the query would be structured accordingly:

name=wazuh-agent

As shown in the example above, no additional formatting is necessary when filtering for values without spaces. You must wrap the value with a pair of double quotes " " if it contains spaces or the double quote character (").

name="Agent Tesla"

Note

The double quote " can be escaped using \. For example: "value with whitespaces and escaped \"quotes\"" represents value with whitespaces and escaped "quotes".

Separators

Separators are operators that combine multiple queries for complex filtering. WQL supports the use of the and and or boolean operators.

Note

WQL is case sensitive and supports only lowercase separators, hence AND & OR are invalid.

or separator

The or logical operator, denoted as a comma (,), merges various conditions within a query, requiring at least one condition to be true for the query to succeed. For example, we show the query to filter software named “Bumblebee” or “Avenger” below:

name=Bazar or name=Avenger

and separator

The and logical operator, denoted as a semicolon (;), links several conditions in a query, requiring all conditions to be met for the overall query to succeed. For example, run the following query to filter agents whose status is “disconnected”, and whose operating system platform is “debian”:

status=disconnected and os.platform=debian

Grouping operators

WQL utilizes parentheses () to prioritize expressions, ensuring those within are assessed first. This approach structures the enclosed expressions as singular units within broader queries, guiding the order of evaluation.

( status=active and ip!=192.168.56.195 ) or id=001

Wildcards

WQL does not support the use of wildcards represented as *.

Whitespaces

WQL supports the use of whitespaces between data tokens.

status = disconnected and os.name = debian

Ranges

WQL supports numeric inequalities using the >, and < operators. For example:

local.port>36271 and local.port<53771

Example: Sending WQL queries with cURL

Generate a token to be used to interact with the API:

# TOKEN=$(curl -u <WAZUH_API_USERNAME>:<WAZUH_API_PASSWORD> -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/security/user/authenticate?raw=true")

Replace:

<WAZUH_API_USERNAME> with your Wazuh server API user.
<WAZUH_API_PASSWORD> with your Wazuh server API password.
<WAZUH_MANAGER_IP_ADDRESS> with your Wazuh server IP address.

For example, the following query would be used to filter Ubuntu endpoints with a version higher than 18.

We encode the value of the parameter q with the --data-urlencode flag:

# curl -G --data-urlencode "q=os.name=ubuntu;os.version>18" -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents?limit=500&pretty=true&select=id,name,os.name,os.version,os.codename,os.major" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-master",
            "id": "000"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-agent4",
            "id": "004"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-agent5",
            "id": "005"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-agent6",
            "id": "006"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-agent7",
            "id": "007"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-agent8",
            "id": "008"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.2 LTS"
            },
            "name": "wazuh-agent9",
            "id": "009"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.2 LTS"
            },
            "name": "wazuh-agent10",
            "id": "010"
         }
      ],
      "total_affected_items": 8,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

You can use the same field multiple times for more accurate results. For example, filtering Wazuh agents running on a Ubuntu endpoint with a version higher than 18 but lower than 18.04.4:

# curl -G --data-urlencode "q=os.name=ubuntu;os.version>18;os.version<18.04.4" -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents?limit=500&pretty=true&select=id,name,os.name,os.version,os.codename,os.major" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.2 LTS"
            },
            "name": "wazuh-agent9",
            "id": "009"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.2 LTS"
            },
            "name": "wazuh-agent10",
            "id": "010"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

An example of using the or (,) separator and like as (~) operator can be filtering Wazuh agents whose operating system name contains windows or centos.

# curl -G --data-urlencode "q=os.name~centos,os.name~windows" -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents?limit=500&pretty=true&select=id,name,os.name,os.version,os.codename,os.major" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "os": {
               "major": "6",
               "name": "Microsoft Windows 7 Ultimate Edition Professional Service Pack 1",
               "version": "6.1.7601"
            },
            "name": "jmv74211-PC",
            "id": "013"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Getting Wazuh agents installed on Ubuntu endpoints with ID greater than 0 and lower than 4, whose name contains the substring waz and whose major version is 16 or 18:

# curl -G --data-urlencode "q=id!=0;id<4;name~waz;(os.major=16,os.major=18)" -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents?limit=500&pretty=true&select=id,name,os.name,os.version,os.codename,os.major" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "os": {
               "codename": "Xenial Xerus",
               "major": "16",
               "name": "Ubuntu",
               "version": "16.04.6 LTS"
            },
            "name": "wazuh-agent1",
            "id": "001"
         },
         {
            "os": {
               "codename": "Xenial Xerus",
               "major": "16",
               "name": "Ubuntu",
               "version": "16.04.6 LTS"
            },
            "name": "wazuh-agent2",
            "id": "002"
         },
         {
            "os": {
               "codename": "Xenial Xerus",
               "major": "16",
               "name": "Ubuntu",
               "version": "16.04.6 LTS"
            },
            "name": "wazuh-agent3",
            "id": "003"
         }
      ],
      "total_affected_items": 3,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Getting Wazuh agents with an ID higher than 007 that run on Windows or whose operating system major version is either 14 or 18:

# curl -G --data-urlencode "q=id>007;(os.name~windows,(os.major=14,os.major=18))" -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents?limit=500&pretty=true&select=id,name,os.name,os.version,os.codename,os.major" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.4 LTS"
            },
            "name": "wazuh-agent8",
            "id": "008"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.2 LTS"
            },
            "name": "wazuh-agent9",
            "id": "009"
         },
         {
            "os": {
               "codename": "Bionic Beaver",
               "major": "18",
               "name": "Ubuntu",
               "version": "18.04.2 LTS"
            },
            "name": "wazuh-agent10",
            "id": "010"
         },
         {
            "os": {
               "major": "6",
               "name": "Microsoft Windows 7 Ultimate Edition Professional Service Pack 1",
               "version": "6.1.7601"
            },
            "name": "jmv74211-PC",
            "id": "013"
         }
      ],
      "total_affected_items": 4,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Enabling multi-tenancy

Tenants in the Wazuh dashboard are containments for saving index patterns, visualizations, dashboards, and other objects. Tenants are useful for safely sharing your work with other users. You can control which roles have access to a tenant and whether those roles have read or write access. By default, all the Wazuh dashboard users have access to two independent tenants:

Global: This tenant is shared between every Wazuh dashboard user.
Private: This tenant is exclusive to each user and can't be shared. Users in the private tenant can't access routes or index patterns made by users in the global tenant.
Custom: Administrators can create custom tenants and assign them to specific roles. Once created, these tenants can then provide spaces for specific groups of users.

Configuration

Perform the following instructions below on the Wazuh dashboard to enable multi-tenancy.

Edit the /etc/wazuh-dashboard/opensearch_dashboards.yml configuration file and make the following changes:
- Set the opensearch_security.multitenancy.enabled setting to true.
- Add the following line:
```
opensearch_security.multitenancy.tenants.preferred: ["Global", "Private"]
```
This setting lets you change ordering in the Tenants tab of the Wazuh dashboard. By default, the list starts with global and private (if enabled) and then proceeds alphabetically.

You can add tenants here to move them to the top of the list.
```
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Global", "Private"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
```
- Additionally, you can edit the uiSettings.overrides.defaultRoute to set a default tenant, for example, global, each time a user logs in.
```
uiSettings.overrides.defaultRoute: /app/wz-home?security_tenant=global
```

Restart the Wazuh dashboard so changes can take effect.

# systemctl restart wazuh-dashboard

# service wazuh-dashboard restart

Configuring third-party SSL certificates

In the Wazuh dashboard installation guide, self-signed SSL certificates generated during the Wazuh indexer installation were configured for the Wazuh dashboard.

You can use third-party certificates instead of self-signed ones in the Wazuh dashboard. This guide includes instructions for creating and configuring Let's Encrypt certificates. Let's Encrypt is a nonprofit Certificate Authority (CA) providing free SSL/TLS certificates to millions of websites.

To generate this type of certificate, you need a fully qualified domain name (FQDN). Let's Encrypt verifies if you have control over the domain.

You can install the SSL certificate directly on the Wazuh dashboard. Alternatively, you can install it using NGINX, a third-party open source proxy software, to offload the SSL decryption processing from the Wazuh dashboard.

Choose a preferred method to start configuring the SSL/TLS certificate for the Wazuh dashboard:

Configuring SSL certificates on the Wazuh dashboard using Let’s Encrypt

Let’s Encrypt certificate can be configured for the Wazuh dashboard using the certbot client. Follow the instructions below to install and configure a Let’s Encrypt certificate on an All-In-One Wazuh installation consisting of the Wazuh server, the Wazuh indexer, and the Wazuh dashboard. In a clustered environment, the instructions should be applied to the Wazuh dashboard node(s).

The process is divided into three stages:

Installing and configuring the certbot client.
Configuring Let’s Encrypt certificates on the Wazuh dashboard.
Configuring auto-renewal of the certificates.

Installing and configuring the certbot client

Install certbot

Install snap:

The certbot snap provides an easy way to ensure you have the latest version of certbot with features like automated certificate renewal preconfigured.

# yum install epel-release
# yum install snapd
# systemctl enable --now snapd.socket
# ln -s /var/lib/snapd/snap /snap

# apt-get update
# apt-get install snap

# amazon-linux-extras enable epel
# yum install epel-release

Confirm installed snap is the latest:
```
# snap install core; snap refresh core
```
```
core 16-2.61.4-20240607 from Canonical✓ installed
snap "core" has no updates available
```
For Amazon Linux 2

Confirm the EPEL repository is available:
```
# yum repolist
```
You should see a repo name that says "Amazon Extras repo for epel."

Install certbot:

# snap install --classic certbot

For Amazon Linux 2

# yum install -y certbot python3-certbot-apache

Skip step 4 if your operating system is Amazon Linux 2.

Run the following command to link the certbot from the snap directory to the user directory:
```
# ln -s /snap/bin/certbot /usr/bin/certbot
```

Configure certbot to generate Let’s Encrypt SSL certificate

Open ports 80 (HTTP) and 443 (HTTPS):

# systemctl start firewalld
# firewall-cmd --permanent --add-port=443/tcp
# firewall-cmd --permanent --add-port=80/tcp

# ufw allow 443
# ufw allow 80

Generate the Let’s Encrypt certificate:
```
# certbot certonly --standalone -d <YOUR_DOMAIN_NAME>
```
Where:
- --standalone: Instructs certbot to handle cryptographic challenges using its built-in web server.
- -d: Specifies the Wazuh dashboard Fully Qualified Domain Name (FQDN).
- <YOUR_DOMAIN_NAME>: Your FQDN.
Confirm that the certificates are generated:
```
# ls -la /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/
```
The output of the command generally returns the following:
```
cert.pem
chain.pem
fullchain.pem
privkey.pem
README
```
Where:
- README: contains information about the certificate files.
- privkey.pem: This is the private key for the certificate.
- fullchain.pem: This is the SSL certificate, bundled with all intermediate certificates.

Configuring Let’s Encrypt SSL certificates on the Wazuh dashboard

Copy the generated Let’s Encrypt certificates from the directory /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/ to the Wazuh dashboard certificate directory /etc/wazuh-dashboard/certs:
```
# cp /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/privkey.pem /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/fullchain.pem /etc/wazuh-dashboard/certs/
```

Replace the old certificates with the Let’s Encrypt certificates to the Wazuh dashboard by editing the configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml as shown below:

server.ssl.key: "/etc/wazuh-dashboard/certs/privkey.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/fullchain.pem"

After editing, you get a configuration file like the one below:

server.host: 0.0.0.0
opensearch.hosts: https://127.0.0.1:9200
server.port: 443
opensearch.ssl.verificationMode: certificate
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/privkey.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/fullchain.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh
opensearch_security.cookie.secure: true

Modify the permissions and ownership of the certificates:

# chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/
# chmod -R 500 /etc/wazuh-dashboard/certs/
# chmod 440 /etc/wazuh-dashboard/certs/privkey.pem /etc/wazuh-dashboard/certs/fullchain.pem

Restart the Wazuh dashboard service:

# systemctl restart wazuh-dashboard

# service wazuh-dashboard restart

The Let’s Encrypt certificate installation on the Wazuh dashboard is now ready, and you can proceed to access it by using the configured fully qualified domain name.

Configuring auto-renewal of the certificates

The generated Let’s Encrypt certificates are valid for ninety days. The certbot package previously installed renews the certificate by adding a renewal script to the /etc/cron.d directory on the Wazuh dashboard. This script runs twice a day and will renew the certificate thirty days before expiration.

Also, we append a renewal hook, renew_hook to the configuration to restart or reload the Wazuh dashboard for the renewed certificate to apply.

Configure the renew_hook using the following steps

Edit the domain configuration file at /etc/letsencrypt/renewal/<YOUR_DOMAIN_NAME>.conf and add the renewal hook at the end of the file:

# renew_before_expiry = 30 days
version = 1.32.0
archive_dir = /etc/letsencrypt/archive/<YOUR_DOMAIN_NAME>
cert = /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/cert.pem
privkey = /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/privkey.pem
chain = /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/chain.pem
fullchain = /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = pa269247c1c3c97ec12ka01fa0f456bb
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
renew_hook = systemctl restart wazuh-dashboard

Test the renewal hook by running the command below:

# certbot renew --dry-run

The output looks like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<YOUR_DOMAIN_NAME>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for <YOUR_DOMAIN_NAME>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Configuring SSL certificates on the Wazuh dashboard using NGINX

NGINX is an open source software for web serving, reverse proxying, caching, load balancing, and media streaming. It provides improved performance optimization during SSL decryption, better utilization, and complete end-to-end encryption of the Wazuh dashboard server. NGINX can be installed directly on the endpoint hosting the Wazuh dashboard or on a separate endpoint outside of the Wazuh cluster. However, for this use case, NGINX is installed on the Wazuh dashboard node.

Install and configure the Let’s Encrypt SSL certificate using NGINX on a Wazuh dashboard by following the step-by-step instructions below.

Setting up NGINX as Reverse proxy

Installing the NGINX software on the Wazuh dashboard

Install NGINX:

# yum install epel-release
# yum install nginx

# apt-get update
# apt-get install nginx

Start NGINX and verify the status is active:

# systemctl start nginx
# systemctl status nginx

Open ports 80 (HTTP) and 443 (HTTPS):

# systemctl start firewalld
# firewall-cmd --permanent --add-port=443/tcp
# firewall-cmd --permanent --add-port=80/tcp

# ufw allow 443
# ufw allow 80

Configure the proxy and the certificates

Install snap:

# yum install epel-release
# yum upgrade
# yum install snapd
# systemctl enable --now snapd.socket
# ln -s /var/lib/snapd/snap /snap

# apt-get update
# apt-get install snap
# snap install core; snap refresh core

Install certbot:

# yum remove certbot
# snap install --classic certbot

# apt remove certbot
# snap install --classic certbot

Configure a symbolic link to the certbot directory:
```
# ln -s /snap/bin/certbot /usr/bin/certbot
```

Edit the /etc/wazuh-dashboard/opensearch_dashboards.yml file and change the default dashboard port from 443 to another available port number:

server.host: 0.0.0.0
opensearch.hosts: https://127.0.0.1:9200
server.port: <PORT_NUMBER>
opensearch.ssl.verificationMode: certificate
# opensearch.username: kibanaserver
# opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh
opensearch_security.cookie.secure: true

Navigate to the /etc/nginx/conf.d directory and create a wazuh.conf file for the certificate installation:
```
# unlink /etc/nginx/sites-enabled/default
# cd /etc/nginx/conf.d
# touch wazuh.conf
```

Edit wazuh.conf and add the following configuration.

server {
   listen 80 default_server;

   server_name <YOUR_DOMAIN_NAME>;

   location / {
      proxy_pass https://<WAZUH_DASHBOARD_IP_ADDRESS>:<PORT_NUMBER>;
      proxy_set_header Host $host;
   }
}

Replace the following:

<YOUR_DOMAIN_NAME> with your domain name.
<WAZUH_DASHBOARD_IP_ADDRESS> with your Wazuh dashboard IP address.
<PORT_NUMBER> with your new port number.

Restart the Wazuh dashboard and the Wazuh server:

# systemctl restart wazuh-dashboard
# systemctl restart wazuh-manager

Use certbot to generate an SSL certificate:

# certbot --nginx -d <YOUR_DOMAIN_NAME>

Check that NGINX is properly configured and verify that you have the same configuration in the /etc/nginx/conf.d/wazuh.conf file with the sample below:

server {

   server_name <YOUR_DOMAIN_NAME>;

   location / {
      proxy_pass https://<WAZUH_DASHBOARD_IP_ADDRESS>:<PORT_NUMBER>;
      proxy_set_header Host $host;
   }

   listen 443 ssl; # managed by Certbot
   ssl_certificate /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
   if ($host = <YOUR_DOMAIN_NAME>) {
      return 301 https://$host$request_uri;
   } # managed by Certbot


   listen 80 default_server;

   server_name <YOUR_DOMAIN_NAME>;
   return 404; # managed by Certbot


}

Restart the NGINX service:

# systemctl restart nginx

# service nginx restart

Access the Wazuh dashboard via the configured domain name.

The NGINX server has been configured and the Let’s Encrypt certificate installation is active on the Wazuh dashboard. You can proceed to access it by using the configured domain name.

Setting up custom branding

The Wazuh dashboard white-labeling feature allows you to replace the following elements with custom ones:

Logos on the Wazuh dashboard.
- Loading logos
- Health check logo
- Wazuh dashboard home logo
Logo, header, and footer on PDF reports.

Custom logos on the Wazuh dashboard

Loading logos

To customize the global App loading logo, do the following.

Edit opensearch_dashboards.yml. You can find this file in the following locations:
- /etc/wazuh-dashboard/
- /usr/share/wazuh-dashboard/config/ for Docker installations.

Add the URL of your default and dark theme logos.

opensearchDashboards.branding:
   loadingLogo:
      defaultUrl: "https://domain.org/default-logo.png"
      darkModeUrl: "https://domain.org/dark-mode-logo.png"

Restart the Wazuh dashboard service:
```
# systemctl restart wazuh-dashboard
```

To customize the Wazuh plugins loading logo, do the following.

Navigate to Dashboard management > App Settings on the Wazuh dashboard.
Set up customization.logo.app (App main logo) in the Custom branding section.

This property sets the App loading logo image when the user is logging in to the Wazuh server. It has a size limit of 1 MB. It replaces the logo image in the Wazuh loading animation when a new section initializes. Recommended size: 300 pixels width, 70 pixels height. Once you are done setting your custom logo images, you can find them saved in /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/.

Wazuh dashboard home logo

To customize the Wazuh dashboard home logo in the top header, do the following.

Edit opensearch_dashboards.yml. You can find this file in the following locations:
- /etc/wazuh-dashboard/
- /usr/share/wazuh-dashboard/config/ for Docker installations.

Add the URL of your default and dark theme logos.

opensearchDashboards.branding:
   mark:
      defaultUrl: "https://domain.org/default-logo.png"
      darkModeUrl: "https://domain.org/dark-mode-logo.png"

Restart the Wazuh dashboard service:
```
# systemctl restart wazuh-dashboard
```

Once you are done setting your custom logo image, you can find it saved in /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/.

Health check logo

To use your own Health check logo in the Wazuh dashboard, do the following.

Navigate to Dashboard management > App Settings on the Wazuh dashboard.
Under the Custom branding section, set up customization.logo.healthcheck. This property sets the Health check logo image. It has a size limit of 1 MB. It replaces the logo on top of the check list displayed during the health check routine. Recommended size: 300 pixels width, 70 pixels height.

Once you are done setting your custom logo images, you can find them saved in /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/.

Custom branding of the PDF reports

To customize the PDF reports, click the hamburger icon from the top left side and go to Dashboard management > App Settings > Configuration. Under the Custom branding section, set up the following properties:

customization.logo.reports. This property sets the PDF reports logo image. It has a size limit of 1 MB. It's printed in the top left corner of the PDF reports. Recommended size: 190 pixels width, 40 pixels height. See #1 in the image below.
customization.reports.footer. This property sets the Reports footer text block. It has a size limit of 2 lines of 50 characters each. It's printed in the bottom left corner of the PDF reports. See #2 in the image below.
customization.reports.header. This property sets the Reports header text block. It has a size limit of 3 lines of 40 characters each. It's printed in the top right corner of the PDF reports. See #3 in the image below.

Configuration

The following settings correspond to the custom branding feature. Edit the default branding of the main Wazuh dashboard and PDF reports using the user interface as explained above.

Configuration name	Description	Default value	Allowed values	Value limit
customization.enabled	Enables and disables custom branding of the Wazuh dashboard and PDF reports.	true	true, false
customization.logo.app	This is the image to be used as the logo in the main menu of the Wazuh dashboard. It is saved as `/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/customization.logo.app.<FORMAT>`.	''	jpeg, jpg, png, svg	1 MB
customization.logo.healthcheck	This is the image to be used as the health check logo. It is saved as `/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/customization.logo.healthcheck.<FORMAT>`.	''	jpeg, jpg, png, svg	1 MB
customization.logo.reports	This is the image to be used as a logo in the PDF reports generated by the Wazuh dashboard. It is saved as `/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/customization.logo.reports.<FORMAT>`.	''	jpeg, jpg, png	1 MB
customization.reports.header	Header of the PDF reports. To use an empty header, type a space " " in the field. If the field is empty, it uses the default header.	''	Printable characters	3 lines of 40 characters each
customization.reports.footer	Footer of the PDF reports. To use an empty footer, type a space " " in the field. If the field is empty, it uses the default footer.	''	Printable characters	2 lines of 50 characters each

Warning

Please, take into consideration the following notes:

The value of any customization.logo.* setting must follow the pattern custom/images/<SETTING_NAME>.<IMAGE_FORMAT>.
The path custom/images/ included in every customization.logo.* setting is relative to the /plugins/wazuh/public/assets/ folder.
Setting or modifying any customization.logo.* setting by hand is not recommended. Use the UI instead.
The in-file customization.logo.* settings are flagged for deprecation, and will be no longer supported in future releases.

Wazuh dashboard settings

The Wazuh dashboard includes a configuration file located at /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml where you can define custom values for several options. This section describes all the settings available in this file.

The configuration file shows the default values for all of the possible options. You can edit this file, uncomment any of them, and apply the desired values. You can edit these settings from the Wazuh dashboard in Dashboard management > App Settings > Configuration.

The configuration file reference is organized into sections:

General options
Health check

General

hosts

Defines the list of APIs to connect with your Wazuh managers.

hosts:
    - <host_id/host_name>:
        url: http(s)://<WAZUH_MANAGER_IP_ADDRESS>
        port: <PORT>
        username: <USERNAME>
        password: <PASSWORD>

Note

It is required to specify at least one host.

This is an example of a multi-host configuration:

hosts:
    - wazuh_prod:
        url: https://wazuh.com
        port: 55000
        username: wazuh-wui
        password: secret_password
        run_as: false
    - wazuh_test:
        url: https://localhost
        port: 55000
        username: wazuh-wui
        password: wazuh-wui
        run_as: false

The following table shows the configuration options for the Wazuh dashboard:

Configuration name	Description	Default value	Allowed values
General options
pattern	The property defines the default index pattern to use on the Wazuh dashboard. If there is no valid index pattern specified, the Wazuh dashboard automatically creates one with the name indicated in this option.	`wazuh-alerts-*`	Any valid index pattern
timeout	This property defines the maximum time (in milliseconds) the Wazuh dashboard will wait for an API response when making requests to it. Setting a value under `1500` milliseconds will be ignored and the dashboard will use the default value instead.	`20000`	Any number starting from 1500
ip.selector	This property defines if a user can change the selected index pattern directly from the top menu bar on the Wazuh dashboard WUI.	`true`	true, false
ip.ignore	This property is used to disable certain index pattern names from being available in the index pattern selector on the Wazuh dashboard. An empty list (the default value) won't ignore any valid index pattern.	`[]`	Array of strings. Eg: `["wazuh-archives-*"]`
hideManagerAlerts	This property controls if the Wazuh manager alerts in the dashboard visualizations are visible or not. A value of false displays the Wazuh manager alerts on dashboard visualizations.	`false`	true, false
alerts.sample.prefix	This property defines the index name prefix of sample alerts. It must match the template used by the index pattern to avoid unknown fields in dashboards.	`wazuh-alerts-5.x-`	Any valid index pattern
enrollment.dns	This property specifies the Wazuh registration server used for Wazuh agent enrollment.	`' '`	Any string
enrollment.password	This property specifies the password used to authenticate during the agent enrollment. `enrollment.password` takes a higher precedence over `authd.pass` agent enrollment password set on the Wazuh manager. When both values are set, the value of `enrollment.password` will be used instead.	`' '`	Any string
wazuh.updates.disabled	This property defines if the check updates service is disabled.	`false`	true, false
Health checks
checks.pattern	This property enables or disables the index pattern health check when opening the Wazuh dashboard. If set to false, index patterns will not be checked during the Wazuh healthcheck.	`true`	true, false
checks.template	This property enables or disables the template health check when opening the Wazuh dashboard. It checks to see if the defined index has a valid template. Set this value to false if you do not want the index template to be validated when opening the Wazuh dashboard.	`true`	true, false
checks.api	This property enables or disables the Wazuh server API health check when opening the Wazuh dashboard. Set the value of this property to `false` if you do not require this check when opening the dashboard.	`true`	true, false
checks.setup	This property enables or disables the setup health check when opening the Wazuh dashboard. It checks that the Wazuh server version is compatible with the plugin version. Setting this value to `false` might cause the dashboard to fail if there is a compatibility issue between the dashboard plugins and Wazuh server.	`true`	true, false
checks.fields	This property enables or disables the known fields health check when opening the Wazuh dashboard. Known fields refer to the fields in your indexed documents that the indexer has identified, mapped, and available for querying.	`true`	true, false
checks.metaFields	Meta fields are special fields that provide additional metadata about indexed documents such as the `_index` and `_id`. This property enables or disables the metaFields health check when opening the Wazuh dashboard.	`true`	true, false
checks.timeFilter	This property enables or disables the timeFilter health check when opening the Wazuh dashboard. It checks to ensure a value is set for the dashboard time filter. The time filter is used to set the time range of data displayed on the dashboard.	`true`	true, false
checks.maxBuckets	This property enables or disables the maxBuckets health check when opening the Wazuh dashboard. It checks to ensure that the maximum number of buckets that a single aggregation request can create is at optimal levels. This helps to prevent excessive memory usage and potential out-of-memory errors.	`true`	true, false

Example

This is an example of the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration:

#General options

hosts:
    - env-1:
        url: https://env-1.example
        port: 55000
        username: wazuh-wui
        password: wazuh-wui
        run_as: true
    - env-2:
        url: https://env-2.example
        port: 55000
        username: wazuh-wui
        password: wazuh-wui
        run_as: true

pattern: 'wazuh-alerts-*'
timeout: 20000
ip.selector: true
ip.ignore: []
logs.level: info
hideManagerAlerts: true
alerts.sample.prefix: wazuh-alerts-4.x-
wazuh.updates.disabled: false

#Health checks

checks.pattern : true
checks.template: true
checks.fields  : true
checks.api     : true
checks.setup   : true
checks.metaFields: true
checks.timeFilter: true
checks.maxBuckets: true

#Custom branding

customization.enabled: true
customization.logo.app: 'custom/images/customization.logo.app.jpg'

customization.logo.healthcheck: 'custom/images/customization.logo.healthcheck.svg'
customization.logo.reports: 'custom/images/customization.logo.reports.jpg'
customization.reports.footer: '123 Custom footer Ave.\nSan Jose, CA 95148'
customization.reports.header: 'Custom Company\ninfo@custom.com\n@social_reference'

#Enrollment DNS

enrollment.dns: ''
enrollment.password: ''

Wazuh global queries

Wazuh global queries allow users to search and visualize global state data directly on the Wazuh dashboard. Global state data represents aggregated information collected from all monitored endpoints, stored centrally in the Wazuh indexer under dedicated indices. This provides a comprehensive view of system configurations, installed software, vulnerabilities, and other critical details.

Previously, users could only retrieve inventory and vulnerability information per agent. With global queries, all relevant data is collected and centralized in the Wazuh indexer. This enables users to view and analyze system inventory and vulnerability information for all monitored endpoints from one single place. This centralization improves monitoring efficiency, streamlines threat hunting, and accelerates incident response.

How it works

Wazuh agents run modules such as the Syscollector module, which periodically collect system inventory data from monitored endpoints. This includes running processes, network interfaces, software packages, and more.

The Wazuh agents forward this data securely to the Wazuh manager using protocols such as wazuh-remoted and wazuh-db. The Wazuh Inventory Harvester module on the Wazuh manager processes the incoming data and standardizes it using Wazuh Common Schemas (WCS). It then forwards the processed data to the Wazuh indexer, where it is stored as global state data.

This data is stored under dedicated indices for each data type, so users can efficiently run targeted queries and generate visualizations directly on the dashboard. For example, the vulnerabilities inventory is indexed as wazuh-states-vulnerabilities-*. It is also part of the global state data and provides up-to-date information about discovered endpoint vulnerabilities.

The image below illustrates how the Wazuh global queries feature works.

Wazuh Inventory Harvester module

The Wazuh Inventory Harvester module on the Wazuh manager processes the collected data in sequential steps:

Message ingestion: The Wazuh manager receives data from the Wazuh Syscollector module via the wazuh-remoted and wazuh-db protocols. These messages are transformed into FlatBuffer messages, a compact format designed for fast and efficient communication between Wazuh components for processing.
Deserialization and validation: The FlatBuffer messages are converted into native data structures and validated against the Wazuh Common Schema (WCS). This ensures all data maintains a consistent structure, format, and integrity.
Batching and forwarding: The validated data is grouped into batches for performance. These batches are forwarded in bulk from the Wazuh manager to the Wazuh indexer for storage.
Storage: The data is stored in a dedicated global state index for each data type, following Wazuh Common Schemas (WCS). This logical separation allows for efficient and targeted queries.
Monitoring and feedback: The module reports any indexing issues or failures for retries or error handling.

Indexing

The Wazuh indexer organizes global state data into indices, each representing a category of information collected by Wazuh modules. These indices enable precise queries and visualizations in the Wazuh dashboard. The global state data indices are outlined below:

Index Pattern	Description
`wazuh-states-inventory-hardware-*`	Basic information about hardware components on a monitored endpoint.
`wazuh-states-inventory-hotfixes-*`	Updates installed on a Windows endpoint.
`wazuh-states-inventory-interfaces-*`	Status and packet transfer information for network interfaces.
`wazuh-states-inventory-networks-*`	IPv4 and IPv6 addresses for each network interface.
`wazuh-states-inventory-packages-*`	Currently installed software packages on an endpoint.
`wazuh-states-inventory-ports-*`	Open network ports on a monitored endpoint.
`wazuh-states-inventory-processes-*`	System processes running on a monitored endpoint.
`wazuh-states-inventory-protocols-*`	Network routing configuration details and protocols per interface.
`wazuh-states-inventory-system-*`	Operating system, hostname, and architecture on an endpoint.
`wazuh-states-vulnerabilities-*`	Information about vulnerabilities detected on a monitored endpoint.

Querying and visualization

Users can query and visualize global state data directly from the Wazuh dashboard. The centralized and enriched index structure enables prompt reporting, compliance checks, and detection of risks across the environment.

Troubleshooting

This section highlights common installation or usage issues on the Wazuh dashboard, and some basic steps to solve them.

Wazuh server API seems to be down error

This issue means that your Wazuh server API might be unavailable. Check the status of the Wazuh manager to see if the service is active:

# systemctl status wazuh-manager

# service wazuh-manager status

If the Wazuh server API is running, try to fetch data using the CLI from the Wazuh dashboard server:

# curl -k -X GET "https://<api_url>:55000/?pretty=true" -H "Authorization: Bearer $(curl -u <api_user>:<api_password> -k -X POST 'https://<api_url>:55000/security/user/authenticate?raw=true')"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   398  100   398    0     0   3431      0 --:--:-- --:--:-- --:--:--  3431
{
   "data": {
      "title": "Wazuh API REST",
      "api_version": "4.12.0",
      "revision": "rc1",
      "license_name": "GPL 2.0",
      "license_url": "https://github.com/wazuh/wazuh/blob/v4.12.0/LICENSE",
      "hostname": "centos8a",
      "timestamp": "2025-08-18T19:31:01Z"
   },
   "error": 0
}

Output if API is down:

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (7) Failed to connect to 127.0.0.1 port 55000 after 0 ms: Couldn't connect to server

If the Wazuh server API is down, restart the Wazuh manager and verify the API is now running.

# systemctl restart wazuh-manager

# service wazuh-manager restart

No alerts on the Wazuh dashboard error

The first step is to check if there are alerts in the Wazuh indexer:

# curl https://<WAZUH_INDEXER_IP>:9200/_cat/indices/wazuh-alerts-* -u <WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD> -k

green open wazuh-alerts-4.x-2021.03.03 xwFPX7nFQxGy-O5aBA3LFQ 3 0 340 0 672.6kb 672.6kb

If you do not see any Wazuh related index, it means you do not have alerts stored in your Wazuh indexer.

Run the following command to ensure that Filebeat is correctly configured:

# filebeat test output

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Could not connect to API with ID error

The error “Could not connect to API with id: default: 3003 - Missing param: API USERNAME” is triggered when Wazuh cannot find the correct Wazuh server API username variable. Starting from Wazuh 4.0, the Wazuh server API username variable changed from user to username. It is necessary to change the credentials (foo:bar is no longer accepted) as well as the name of the variable in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file.

For example:

hosts:
 - production:
     url: https://localhost
     port: 55000
     username: wazuh-wui
     password: wazuh-wui
     run_as: false

Wazuh server and Wazuh dashboard version mismatch error

This error shows a mismatch in the versions of the Wazuh server and the Wazuh dashboard.

The Wazuh server and the Wazuh dashboard must run the same major and minor versions. For example:

Wazuh server 5.0.x
Wazuh dashboard 5.0.x

Check out how to upgrade the Wazuh components in our upgrade guide.

Saved object for index pattern not found error

Saved objects store data for later use, including dashboards, visualizations, maps, index patterns, and more.

This message indicates a problem loading the information of an index pattern, which should be stored in a saved object, but the Wazuh dashboard cannot find it.

This situation can happen if the indexer is reinstalled and the previously saved objects are lost while the dashboard is running and is not restarted in the process.

Remediation

The Wazuh dashboard initializes saved objects with their index definitions when it starts, so the suggested solution is to restart the service to initialize the saved objects again.

Restart the Wazuh dashboard service using the command below:
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
This will initialize the index with the required mappings.

Note

If the index contains data but has missing objects, the Wazuh dashboard will migrate the data to a new index with the missing objects added.

If the restart does not solve the problem, we can execute this process manually:

Stop the Wazuh dashboard service.

# systemctl stop wazuh-dashboard

# service wazuh-dashboard stop

Identify the index or indices that have the wrong field mappings, this depends on the logged user that experiences the problem or the selected tenant.

Get the field mapping for the type field for the indices that store the saved objects.

# curl https://<WAZUH_INDEXER_IP>:9200/.kibana*/_mapping/field/type?pretty -u <WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD> -k

{
  ".kibana" : {
    "mappings" : {
      "type" : {
        "full_name" : "type",
        "mapping" : {
          "type" : {

           "type" : "text",

           "fields" : {

             "keyword" : {

               "type" : "keyword",

               "ignore_above" : 256
              }
            }
          }
        }
      }
    }
  },
  ".kibana_92668751_admin_1" : {
    "mappings" : {
      "type" : {
        "full_name" : "type",
        "mapping" : {
          "type" : {

           "type" : "text",

           "fields" : {

             "keyword" : {

               "type" : "keyword",

               "ignore_above" : 256
              }
            }
          }
        }
      }
    }
  }
}

In the output, we can see type field mapping for the .kibana and .kibana_92668751_admin_1 indices. Note that the field mapping type for the type field is text and that it contains a subfield called keyword. This is not the expected result; the type field should be keyword, not text, and it should not include the keyword subfield.

These errors happened because there was no template that specified the appropriate field mappings at the time the saved object data was indexed. To solve the errors, we need to remove the index and rebuild it.

Delete the index or indices that store the saved objects with the wrong field mapping.

# curl https://<WAZUH_INDEXER_IP>:9200/<INDEX/INDICES_SEPARATED_BY_COMMAS> -u <WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD> -k -XDELETE

{“acknowledged”:true}

Restart the Wazuh dashboard service.

# systemctl restart wazuh-dashboard

# service wazuh-dashboard restart

Note

These actions take into account that the index that stores the saved objects must have valid field mappings. The field mappings are defined through a template, so they should exist before the index is created. This template is added when the Wazuh dashboard starts if it doesn’t exist.

Application not found

If you encounter the message Application Not Found when accessing the Wazuh dashboard after upgrading, it might be that the configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml wasn't overwritten with new changes. To resolve this issue, update the uiSettings.overrides.defaultRoute setting with the /app/wz-home value in the configuration file:

uiSettings.overrides.defaultRoute: /app/wz-home

None of the above solutions are fixing my problem

We have a welcoming community that can help you with most of the problems you might have regarding Wazuh deployment and usage https://wazuh.com/community.

Also, you can contact us by opening issues in our GitHub repositories under the organization.

In case you encounter errors during your deployment, we will be interested in the log files for your deployment. You can check them out on each component:

Check the following log files:

Wazuh indexer:

# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

Wazuh manager:

# cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

Wazuh dashboard:

# journalctl -u wazuh-dashboard | grep -i -E "error|warn"

Note

The Wazuh indexer uses the /var/log folder to store logs by default.

Certificates deployment

In the installation guide, the Wazuh certs tool has been used to create certificates, but any other certificates creation method, for example using OpenSSL, can be used.

The Wazuh certs tool can be downloaded here: wazuh-certs-tool.sh.

There are three kinds of certificates needed for the installation:

root-ca: This certificate is the one in charge of signing the rest of the certificates.
node: The node certificates are the ones needed for every Wazuh indexer node. They must include the node IP address.
admin: The admin certificate is a client certificate with special privileges needed for management and security-related tasks.

These certificates are created with the following additional information:

C: US
L: California
O: Wazuh
OU: Wazuh
CN: Name of the node

To create the certificates, edit the config.yml file and replace the node names and IP values with the corresponding names and IP addresses. The <node-ip> can be either an IP address or a DNS name. The config.yml template can be found here: config.yml.

nodes:
  # Wazuh indexer nodes
  indexer:
    - name: node-1
      ip: "<indexer-node-ip>"
    #- name: node-2
    #  ip: "<indexer-node-ip>"
    #- name: node-3
    #  ip: "<indexer-node-ip>"

  # Wazuh server nodes
  # If there is more than one Wazuh server
  # node, each one must have a node_type
  server:
    - name: wazuh-1
      ip: "<wazuh-manager-ip>"
    #  node_type: master
    #- name: wazuh-2
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker
    #- name: wazuh-3
    #  ip: "<wazuh-manager-ip>"
    #  node_type: worker

  # Wazuh dashboard nodes
  dashboard:
    - name: dashboard
      ip: "<dashboard-node-ip>"

After configuring the config.yml, run the script with option -A to create all the certificates.

# bash wazuh-certs-tool.sh -A

After running the script, the directory wazuh-certificates will be created and will have the following content:

wazuh-certificates/
├── admin-key.pem
├── admin.pem
├── dashboard-key.pem
├── dashboard.pem
├── indexer-key.pem
├── indexer.pem
├── root-ca.key
├── root-ca.pem
├── server-key.pem
└── server.pem

Additionally, this script allows the use of a pre-existent rootCA certificate. To create all the certificates using a pre-existent rootCA certificate, use option -A and indicate the root-ca certificate and key as follows:

# bash wazuh-certs-tool.sh -A /path/to/root-ca.pem /path/to/root-ca.key

After running the script, the directory wazuh-certificates will be created and will have the following content:

wazuh-certificates/
├── admin-key.pem
├── admin.pem
├── dashboard-key.pem
├── dashboard.pem
├── indexer-key.pem
├── indexer.pem
├── server-key.pem
└── server.pem

Wazuh agent

The Wazuh agent is a multi-platform component of the Wazuh solution and runs on the endpoints you want to monitor. It communicates with the Wazuh server, sending data in near real-time through an encrypted and authenticated channel. The Wazuh agent provides capabilities such as log data collection, file integrity monitoring, threat detection, security configuration assessment, system inventory, vulnerability detection, and incident response to enhance your endpoint security.

After installing the Wazuh agent on an endpoint, you need to enroll the Wazuh agent in the Wazuh manager. This guide provides instructions on how to enroll the Wazuh agent, the different enrollment methods, and the management of the Wazuh agent.

The Wazuh agent enrollment section describes the stages a Wazuh agent can go through and the process of enrolling Wazuh agents in a Wazuh manager. You can also find troubleshooting steps for commonly encountered issues during enrollment.

In the Wazuh agent management section, you can find instructions on how to manage the Wazuh agent. These instructions cover administrative tasks such as upgrading the Wazuh agent, verifying connection to the Wazuh manager, and querying the Wazuh agent configuration.

Contents

Wazuh agent enrollment

Wazuh agent enrollment is the process of registering a Wazuh agent to a Wazuh manager. This enrollment allows the Wazuh agents to communicate securely with the Wazuh manager and become authorized members of the Wazuh security platform.

The Wazuh agent enrollment process allows:

The Wazuh manager to enroll Wazuh agents and generate unique client keys for them.
The use of the client key to encrypt communication between the Wazuh agent and the Wazuh manager.
The validation of the identity of the Wazuh agents communicating with the Wazuh manager.
The Wazuh agent to collect security information from the monitored endpoint and send it to the Wazuh manager for analysis.

Note

When following our installation guide, we recommend you use environment variables to configure the Wazuh agent automatically. This allows the Wazuh agent to enroll and connect to the Wazuh manager.

Learn about the different enrollment options and additional information needed for Wazuh agent enrollment in the sections below.

Requirements

The following requirements have to be in place to ensure the Wazuh agent enrollment is successful:

An installed and running Wazuh manager.
An installed and running Wazuh agent on the endpoint that the user needs to enroll.
Outbound connectivity from the Wazuh agent to the Wazuh manager services. The following ports are configurable:
- 1514/TCP for agent communication.
- 1515/TCP for enrollment via automatic agent request.
- 55000/TCP for enrollment via Wazuh server API.

Note

Instructions for installing and enrolling agents can be found in the Wazuh dashboard. Go to Agents management > Summary, and click on Deploy new agent.

Wazuh agent life cycle

The Wazuh agent lifecycle refers to the various stages a Wazuh agent goes through from its initial installation on an endpoint to its removal from the Wazuh platform. It includes the following stages:

Installation and enrollment

The first step involves installing the Wazuh agent on the endpoint to be monitored. Once the Wazuh agent is installed, it must be enrolled in the Wazuh manager to establish communication. Refer to Wazuh agent enrollment.

Agent connection states

After successful enrollment, the Wazuh manager stores information about the Wazuh agent and its connection status until it is deleted by a user.

In this phase, there are four different connection states that a Wazuh agent may be in at any given time, as shown in the image below:

Never connected: The Wazuh agent has been enrolled but has not yet connected to the Wazuh manager.
Pending: The authentication process has not been completed because the Wazuh manager received a request for connection from the Wazuh agent but has not received anything else. The Wazuh agent will be in this state one time in its life cycle after each startup. If the Wazuh agent persists in this state, it may indicate a connectivity issue.
Active: The Wazuh agent has successfully connected and can now communicate with the Wazuh manager.
Disconnected: The Wazuh manager will consider the agent disconnected if it does not receive any keep alive messages within agents_disconnection_time (the default time is 15m).

Removal

The life cycle of the Wazuh agent comes to an end when it is removed from the Wazuh manager. This can be done through the Wazuh server API.

Enrollment methods

This section describes the two methods available for enrolling Wazuh agents. It guides in configuring the necessary settings to ensure a successful connection of the Wazuh agent to the Wazuh server.

Enrollment via agent configuration: Once the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh server has been set, the Wazuh agent can request the client key and import it automatically. This is the recommended enrollment method.
Enrollment via Wazuh server API: The user requests the client key from the Wazuh server API and then manually imports it to the Wazuh agent.

Enrollment via agent configuration

With this option, the Wazuh agent is automatically enrolled after you have configured the Wazuh manager IP address or FQDN (Fully Qualified Domain Name). When using additional security options, you might need to configure other settings.

You can configure the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in one of two ways on the Wazuh agent:

Using environment variables during the Wazuh agent installation process. The guide to this process can be found here.
Manually configuring the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the Wazuh agent configuration file.

Enrollment with additional security options involves the use of passwords for enrollment authorization or certificates for identity validation of the Wazuh agent and Wazuh manager. See the additional security options section for guidance on enrolling a Wazuh agent to a Wazuh manager with additional security options enabled.

The steps below show how to enroll the Wazuh agent for different operating systems:

Linux/Unix

Follow the steps below to configure a Linux/Unix endpoint for enrollment via the Wazuh agent configuration method:

Launch the terminal, obtain root access, edit the Wazuh agent configuration file /var/ossec/etc/ossec.conf, and make the following changes:
1. Include the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the <client><server><address> section:
```
<client>
  <server>
    <address><WAZUH_MANAGER_IP_ADDRESS></address>
    ...
  </server>
</client>
```
  This will allow the Wazuh agent to connect to the Wazuh manager and automatically request a client key.
  
  Note
  
  If you have a multi-cluster Wazuh server installation, you can add multiple <client> sections that point to the worker nodes. Refer to pointing agents to the cluster (Failover mode) for more information.
2. (Optional) Add enrollment parameters in the <client><enrollment> section.
```
<client>
    ...
    <enrollment>
        <agent_name>EXAMPLE_NAME</agent_name>
        <groups>GROUP1,GROUP2,GROUP3</groups>
        ...
    </enrollment>
</client>
```
  These agent enrollment parameters are optional, and they provide the Wazuh agent with specific information that can be used during enrollment. Some common enrollment parameters can be seen below:
  - <agent_name>EXAMPLE_NAME</agent_name>: This setting specifies the name the Wazuh agent should be enrolled as. When this is not specified, it defaults to the hostname of the endpoint.
  - <groups>GROUP1,GROUP2,GROUP3</groups>: This setting specifies the group(s) in which the Wazuh agent should be added. An agent group is a collection of Wazuh agents that would share the same configuration. This allows the Wazuh manager to push configuration settings to a set of Wazuh agents that belong to the same group. The Wazuh agent enrollment will fail if a non-existent group is specified. Therefore, creating the desired group on the Wazuh manager before using the group parameter is necessary. Additional information on agent groups can be found here.
  More optional enrollment parameters and their usage can be found here.

Restart the Wazuh agent to make the changes effective:

# systemctl restart wazuh-agent

# service wazuh-agent restart

# /var/ossec/bin/wazuh-control restart

Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

Windows

Follow these steps to configure a Windows endpoint for enrollment via the agent configuration method.

The Wazuh agent installation directory depends on the architecture of the endpoint:

C:\Program Files (x86)\ossec-agent for 64-bit systems.
C:\Program Files\ossec-agent for 32-bit systems.

Using an administrator account, modify the Wazuh agent configuration file ossec.conf in the installation directory. For this guide, we are assuming a 64-bit architecture. Hence, C:\Program Files (x86)\ossec-agent\ossec.conf
- Include the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the <client><server><address> section. Replace <WAZUH_MANAGER_IP_ADDRESS> with the Wazuh manager IP address or FQDN:
```
<client>
  <server>
    <address><WAZUH_MANAGER_IP_ADDRESS></address>
    ...
  </server>
</client>
```
  This will allow the Wazuh agent to connect to the Wazuh manager and automatically request a client key.
  
  Note
  
  If you have a multi-cluster Wazuh server installation, you can add multiple <client> sections that point to the worker nodes. Refer to pointing agents to the cluster (Failover mode) for more information.
- (Optional) Add enrollment parameters in the <client><enrollment> section.
```
<client>
    ...
    <enrollment>
        <agent_name>EXAMPLE_NAME</agent_name>
        <groups>GROUP1,GROUP2,GROUP3</groups>
        ...
    </enrollment>
</client>
```
  These agent enrollment parameters are optional, and they provide the Wazuh agent with specific information that should be used during enrollment. Some common enrollment parameters are below:
  - <agent_name>EXAMPLE_NAME</agent_name>: This specifies the name the endpoint should be enrolled as. When this is not specified, it defaults to the endpoint hostname.
  - <groups>GROUP1,GROUP2,GROUP3</groups>: This specifies the group(s) in which the Wazuh agent should be added. An agent group is a collection of agents that would share the same configuration. This allows the Wazuh manager to push configuration settings to a set of Wazuh agents that belong to the same group. The Wazuh agent enrollment will fail if a non-existent group is specified. Therefore, creating the desired group on the Wazuh manager is necessary before using the group parameter. Additional information on agent groups can be found here.
  More optional enrollment parameters and their usage are provided here.
Restart the Wazuh agent to make the changes effective.
# Restart-Service -Name wazuh
# net stop wazuh # net start wazuh
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

macOS

Follow these steps to configure a macOS endpoint for enrollment via the Wazuh agent configuration method:

Launch the terminal, obtain root access, edit the Wazuh agent configuration file /Library/Ossec/etc/ossec.conf, and make the following changes:
1. Include the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the <client><server><address> section. Replace <WAZUH_MANAGER_IP_ADDRESS> with the Wazuh manager IP address or FQDN of the Wazuh manager:
```
<client>
  <server>
    <address><WAZUH_MANAGER_IP_ADDRESS></address>
    ...
  </server>
</client>
```
  This will allow the Wazuh agent to connect to the Wazuh manager and automatically request a client key.
  
  Note
  
  If you have a multi-cluster Wazuh server installation, you can add multiple <client> sections that point to the worker nodes. Refer to pointing agents to the cluster (Failover mode) for more information.
2. (Optional) Add enrollment parameters in the <client><enrollment> section.
```
<client>
    ...
    <enrollment>
        <agent_name>EXAMPLE_NAME</agent_name>
        <groups>GROUP1,GROUP2,GROUP3</groups>
        ...
    </enrollment>
</client>
```
  These agent enrollment parameters are optional, and they provide the Wazuh agent with specific information that should be used during enrollment. Some common enrollment parameters are below:
  - <agent_name>EXAMPLE_NAME</agent_name>: This specifies the name the endpoint should be enrolled as. When this is not specified, it defaults to the endpoint hostname.
  - <groups>GROUP1,GROUP2,GROUP3</groups>: This specifies the group(s) in which the Wazuh agent should be added. An agent group is a collection of agents that would share the same configuration. This allows the Wazuh manager to push configuration settings to a set of Wazuh agents that belong to the same group. The Wazuh agent enrollment will fail if a non-existent group is specified. Therefore, it is necessary to create the desired group on the Wazuh manager before using the group parameter. Additional information on agent groups can be found here.
    
    More optional enrollment parameters and their usage are provided here.
Restart the Wazuh agent to make the changes effective:
```
# /Library/Ossec/bin/wazuh-control restart
```
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

Enrollment via Wazuh server API

The Wazuh server API allows users to make an agent enrollment request to the Wazuh manager. This request returns a unique client key for the Wazuh agent, which must be manually imported to the Wazuh agent. This is useful for users who need manual control over the enrollment process.

How it works

The flow of a Wazuh agent being enrolled via API is as follows:

The user sends an API request with the Wazuh server API credentials to generate an authorization token (a JSON Web Token). This action can be performed from any authorized endpoint.
The user sends an API request with the authorization token to the Wazuh manager. This request enrolls the Wazuh agent and gets the agent key.
On the Wazuh agent endpoint, the user imports the agent key to the Wazuh agent.
The user configures the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) on the Wazuh agent.
The user restarts the Wazuh agent, establishing the connection to the Wazuh manager.

In this section of the guide, you will find the following information:

Requesting the client key

You can request the Wazuh agent key from any endpoint connected with the Wazuh server API. Alternatively, you can obtain it directly from the Wazuh dashboard or by connecting to the API service from a browser. The default API port is 55000/TCP.

The host making the enrollment request must have connectivity to the Wazuh manager via this or any other port on which the API has been configured to listen.

The steps below show how to request the Wazuh agent key for different operating systems.

Linux/Unix and macOS
From Windows

Linux/Unix and macOS

Generate a JWT for authenticating to the Wazuh server API by making a curl request. The default Wazuh server API credentials are wazuh:wazuh. Replace <WAZUH_MANAGER_IP_ADDRESS> with the Wazuh manager IP address or FQDN (Fully Qualified Domain Name):
```
# TOKEN=$(curl -u <USER>:<PASSWORD> -k -X POST "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/security/user/authenticate?raw=true")
```
Run the command echo $TOKEN to confirm that the token was successfully generated:
```
# echo $TOKEN
```
You should get an output like this:
```
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjQzMDExMjQ0LCJleHAiOjE2NDMwMTIxNDQsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.Ad6zOZvx0BEV7K0J6s3pIXAXTWB-zdVfxaX2fotLfZMQkiYPMkwDaQHUFiOInsWJ_7KZV3y2BbhEs9-kBqlJAMvMAD0NDBPhEQ2qBd_iutZ7QWZECd6eYfIP83xGqH9iqS7uMI6fXOKr3w4aFV13Q6qsHSUQ1A-1LgDnnDGGaqF5ITYo
```
Note

You can locate your Wazuh server API user password in the wazuh-install-files.tar file generated during the installation process of the Wazuh server. You can also reset the password for the Wazuh server API user if you have forgotten it.

Request the client key and agent ID. Replace <WAZUH_AGENT_NAME> with the corresponding agent name:

# curl -k -X POST -d '{"name":"<WAZUH_AGENT_NAME>"}' "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents?pretty=true" -H "Content-Type:application/json" -H "Authorization: Bearer $TOKEN"

The output with the key looks like this:

{
    "error": 0,
    "data": {
        "id": "001",
        "key": "MDAxIE5ld0FnZW50IDEwLjAuMC44IDM0MGQ1NjNkODQyNjcxMWIyYzUzZTE1MGIzYjEyYWVlMTU1ODgxMzVhNDE3MWQ1Y2IzZDY4M2Y0YjA0ZWVjYzM=",
    },
}

From Windows

Follow these steps to send Wazuh agent enrollment requests from a Windows endpoint via the Wazuh server API:

Open PowerShell with administrative privileges. If the Wazuh server API is using a publicly trusted certificates, move to step 2. If the Wazuh server API is running over HTTPS and it is using a self-signed certificate, execute the function below in PowerShell. The function will ignore the certificate validation errors due to the self-signed SSL/TLS certificates.

function Ignore-SelfSignedCerts {
    add-type @"
        using System.Net;
        using System.Security.Cryptography.X509Certificates;
        public class PolicyCert : ICertificatePolicy {
            public PolicyCert() {}
            public bool CheckValidationResult(
                ServicePoint sPoint, X509Certificate cert,
                WebRequest wRequest, int certProb) {
                return true;
            }
        }
"@
    [System.Net.ServicePointManager]::CertificatePolicy = new-object PolicyCert
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
}

Ignore-SelfSignedCerts

Note

The function above exists only in the PowerShell instance in which it is executed.

To generate the JWT, the default credentials are wazuh:wazuh.

First, encode the credentials as base64 and assign it to the $base64AuthInfo variable. Replace <WAZUH_SERVER_API_USERNAME> and <WAZUH_SERVER_API_PASSWORD> with the Wazuh server API credentials:

# $base64AuthInfo=[Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f “<WAZUH_SERVER_API_USERNAME>”, “<WAZUH_SERVER_API_PASSWORD>”)))

Then, request the JWT. Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh manager:

# Invoke-WebRequest -UseBasicParsing -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Method POST -Uri https://<WAZUH_MANAGER_IP_ADDRESS>:55000/security/user/authenticate | Select-Object -Expand Content

{"data": {"token": "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNzE1NzgwNzgzLCJleHAiOjE3MTU3ODE2ODMsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.AIS9VKaVpXpA5RZDTTnaiuDnv474puoM3FViy54CZjctpkoZ2xO9SpLEMjdraGlCIIgLx-YSIe4jdQiKQlDZCg8QASSrrKg1K_-OpFKvsX_smIfrGE3NuzhkIvBN-_KUexAsi0Dc4peGN144gIOTMmgbv-ZqVRq4aV0P3uhYBLFoXJwl"}, "error": 0}

Note

You can locate your Wazuh server API user password in the wazuh-install-files.tar file generated during the installation process of the Wazuh server. You can also reset the password for the Wazuh server API user if you have forgotten it.

Run the following commands to create environment variables to hold the generated token and the Wazuh agent variable.
- Replace <TOKEN_GENERATED> with the token generated in step 2:
```
# $TOKEN = “<TOKEN_GENERATED>”
```
- Replace <WAZUH_AGENT_NAME> with the desired agent name:
```
# $AgentName = @{"name"="<WAZUH_AGENT_NAME>"} | ConvertTo-Json
```
These environment variables will be used in subsequent requests made to the Wazuh manager.

To request the client key and agent ID, make a web request with the environment variables created. Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh manager.

# Invoke-WebRequest -UseBasicParsing -Headers @{Authorization=("Bearer {0}" -f $TOKEN)} -Method POST -ContentType "application/json" -Uri https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents -Body $AgentName

The output should look like this:

StatusCode        : 200
StatusDescription : OK
Content           : {"data": {"id": "020", "key": "MDIwIGFwaS13aW5kb3dzIGFueSA3OTJmZTcwZDJiYzNhYzRiY2ZjOTc0MzAyNGZmMTc0ODA3ZGE5YjJjZjViZGQ4OGI3MjkxMTEzMmEwZGU3OGQ2"},
                    "error": 0}
RawContent        : HTTP/1.1 200 OK
                    Strict-Transport-Security: max-age=63072000; includeSubdomains
                    X-Frame-Options: DENY
                    X-XSS-Protection: 1; mode=block
                    X-Content-Type-Options: nosniff
                    Content-Security-Policy: none...
Forms             : {}
Headers           : {[Strict-Transport-Security, max-age=63072000; includeSubdomains], [X-Frame-Options, DENY], [X-XSS-Protection, 1;
                    mode=block], [X-Content-Type-Options, nosniff]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : System.__ComObject
RawContentLength  : 158

Importing the client key to the Wazuh agent

In this section, you can find instructions on configuring the Wazuh agent with the client key received from the Wazuh manager. This allows the Wazuh agent to communicate with the Wazuh manager.

The steps below shows how to configure the Wazuh agent on different operating systems using the client key:

Linux/Unix
Windows
macOS

Linux/Unix

Follow the steps below to import the client key to a Linux/Unix endpoint:

From the Wazuh agent, launch the terminal, obtain root access, and import the client key. Replace <KEY> with the client key received from the Wazuh manager:
```
# /var/ossec/bin/manage_agents -i <KEY>
```
The output should look like this:
```
  Agent information:
  ID:001
  Name:agent_1
  IP Address:any
  Confirm adding it?(y/n): y
  Added.
```
Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) to the Wazuh agent configuration file in /var/ossec/etc/ossec.conf. Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh manager.
```
<client>
  <server>
    <address><WAZUH_MANAGER_IP_ADDRESS></address>
    ...
  </server>
</client>
```

Restart the Wazuh agent to make the changes effective:

# systemctl restart wazuh-agent

# service wazuh-agent restart

# /var/ossec/bin/wazuh-control restart

Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

Windows

Follow the steps below to import the client key to a Windows endpoint.

From the Wazuh agent, launch the CMD or PowerShell as an administrator and import the client key. Replace <KEY> with the client key received from the Wazuh manager:

For 64-bit systems:

# "C:\Program Files (x86)\ossec-agent\manage_agents.exe" -i <KEY>

For 32-bit systems:

# "C:\Program Files\ossec-agent\manage_agents.exe" -i <KEY>

The output should look like this:

Agent information:
  ID:001
  Name:agent_1
  IP Address:any
Confirm adding it?(y/n): y
Added.

Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) to the Wazuh agent configuration file in C:\Program Files (x86)\ossec-agent\ossec.conf. Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN of the Wazuh manager.
```
<client>
   <server>
     <address><WAZUH_MANAGER_IP_ADDRESS></address>
     ...
   </server>
 </client>
```
Restart the Wazuh agent to make the changes effective.
# Restart-Service -Name wazuh
# net stop wazuh # net start wazuh
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

macOS

Follow the steps below to import the client key to a macOS endpoint:

Launch the terminal, obtain root access, and import the client key. Replace <KEY> with the client key received from the Wazuh manager:
```
# /Library/Ossec/bin/manage_agents -i <KEY>
```
The output should look like this:
```
  Agent information:
  ID:001
  Name:agent_1
  IP Address:any
  Confirm adding it?(y/n): y
  Added.
```
Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) to the Wazuh agent configuration file in /Library/Ossec/etc/ossec.conf. Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN of the Wazuh manager.
```
<client>
  <server>
    <address><WAZUH_MANAGER_IP_ADDRESS></address>
    ...
  </server>
</client>
```
Restart the Wazuh agent to make the changes effective:
```
# /Library/Ossec/bin/wazuh-control restart
```
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

Additional security options

You can implement additional security measures in the enrollment process to authenticate the endpoint to the Wazuh manager and vice versa. These security options are only available when enrolling Wazuh agents via the agent configuration method.

The additional security options include:

Using password authentication

This method requires using a password during the enrollment process to ensure that Wazuh agents enrolled in the Wazuh manager are authenticated.

Follow the steps below to configure password authentication on different operating systems:

Prerequisites

Before a Wazuh agent can be enrolled in the Wazuh manager using the password authentication method, you must ensure the following on the Wazuh manager:

Enable the password authentication option by adding the configuration highlighted below to the <auth> section of the Wazuh server configuration file /var/ossec/etc/ossec.conf:
```
<auth>
  <use_password>yes</use_password>
</auth>
```
Set a password to be used for Wazuh agent enrollment. You can achieve this in two ways:
1. Recommended - Setting your password. This is done by creating the /var/ossec/etc/authd.pass file on the Wazuh manager with your password.
  1. Replace <CUSTOM_PASSWORD> with your chosen agent enrollment password and run the following command:
    # echo "<CUSTOM_PASSWORD>" > /var/ossec/etc/authd.pass
  2. Change the authd.pass file permissions and ownership.
    # chmod 640 /var/ossec/etc/authd.pass # chown root:wazuh /var/ossec/etc/authd.pass
  3. Restart the Wazuh service for the changes to take effect.
    # systemctl restart wazuh-manager
2. Allowing the agent enrollment service to set a random password. A new random password is generated each time the Wazuh manager service is restarted.
  1. Restart the Wazuh manager so the enrollment service generates a random password. This password is stored in /var/ossec/logs/ossec.log.
    # systemctl restart wazuh-manager
  2. Run the following command to get the Wazuh agent enrollment password:
    # grep "Random password" /var/ossec/logs/ossec.log
    2022/01/11 12:41:35 wazuh-authd: INFO: Accepting connections on port 1515. Random password chosen for agent authentication: 6258b4eb21550e4f182a08c10d94585e

Note

If the deployment architecture uses a multi-node cluster, ensure that password authorization is enabled on each Wazuh manager node. This prevents unauthorized agent enrollment through an unsecured Wazuh manager node. We recommend using the same enrollment password across all Wazuh manager nodes. This simplifies Wazuh agent enrollment and avoids the need to manage different passwords for each node.

Once the above prerequisites are fulfilled, you can enroll the Wazuh agent using the steps corresponding to the OS running on the endpoints with the Wazuh agent installed.

Linux/Unix

Follow these steps to enroll a Linux/Unix endpoint with password authentication:

Launch the terminal, with root permission, create the /var/ossec/etc/authd.pass file with the agent enrollment password in it.
```
# echo "<CUSTOM_PASSWORD>" > /var/ossec/etc/authd.pass
```
1. Replace <CUSTOM_PASSWORD> with the agent enrollment password from the Wazuh manager.
2. Set the file permissions for the authd.pass file to 640, and the owner should be root. You can configure the permissions and ownership by running the commands below:
```
# chmod 640 /var/ossec/etc/authd.pass
# chown root:wazuh /var/ossec/etc/authd.pass
```
  The output below shows the recommended file owner and permissions.
```
-rw-r----- 1 root wazuh 18 Jan 11 13:03 /var/ossec/etc/authd.pass
```
(Optional) To ensure the Wazuh agent can locate your password file if it is not in the default location (/var/ossec/etc/authd.pass), include the authorization_pass_path setting in the Wazuh agent configuration. Replace <PATH_TO_PASSWORD_FILE> with the filepath of the password file.
```
<enrollment>
  <authorization_pass_path><PATH_TO_PASSWORD_FILE></authorization_pass_path>
</enrollment>
```
Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the <client><server><address> section of the Wazuh agent configuration file /var/ossec/etc/ossec.conf. Replace <WAZUH_MANAGER_IP_ADDRESS> with the Wazuh manager IP address or FQDN:
<client> <server> <address><WAZUH_MANAGER_IP_ADDRESS></address> ... </server> </client>
This will allow the agent to enroll in the specified Wazuh manager.
Restart the Wazuh agent to make the changes effective:
```
# systemctl restart wazuh-agent
```
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

Windows

Follow these steps to enroll a Windows endpoint with password authentication:

The Wazuh agent installation directory depends on the host's architecture.

C:\Program Files (x86)\ossec-agent for 64-bit systems.
C:\Program Files\ossec-agent for 32-bit systems.

Launch PowerShell as an administrator.
Create a file called authd.pass and save the password. Replace <CUSTOM_PASSWORD> with the agent enrollment password created on the Wazuh manager.

For 32-bit systems
```
# echo “<CUSTOM_PASSWORD>” > "C:\Program Files\ossec-agent\authd.pass"
```
For 64-bit systems
```
# echo “<CUSTOM_PASSWORD>” > "C:\Program Files (x86)\ossec-agent\authd.pass"
```
(Optional) To ensure the Wazuh agent can locate your password file if it is not in the default location (C:\Program Files (x86)\ossec-agent\authd.pass), include the authorization_pass_path setting in the Wazuh agent configuration. Replace <PATH_TO_PASSWORD_FILE> with the filepath of the password file.
```
<enrollment>
  <authorization_pass_path><PATH_TO_PASSWORD_FILE></authorization_pass_path>
</enrollment>
```
Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the <client><server><address> section of the agent configuration file in C:\Program Files (x86)\ossec-agent\ossec.conf. Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN of the Wazuh manager.
```
<client>
   <server>
       <address><WAZUH_MANAGER_IP_ADDRESS></address>
      ...
   </server>
</client>
```
Restart the Wazuh agent to make the changes effective.
# Restart-Service -Name wazuh
# net stop wazuh # net start wazuh
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

macOS

Follow the steps below to enroll a macOS endpoint with password authentication:

Launch the terminal, with root permission, create a file called /Library/Ossec/etc/authd.pass and save the password to it:
```
# echo "<CUSTOM_PASSWORD>" > /Library/Ossec/etc/authd.pass
```
1. Replace <CUSTOM_PASSWORD> with the agent enrollment password created on the Wazuh manager.
2. Set the file permissions for the authd.pass file to 640 and the owner should be root. Configure the permissions and ownership by running the commands below:
```
# chmod 640 /Library/Ossec/etc/authd.pass
# chown root:wazuh /Library/Ossec/etc/authd.pass
```
  The output below shows the recommended file owner and permissions:
```
-rw-r--r-- 1 root wazuh 18 Jan 11 13:03 /Library/Ossec/etc/authd.pass
```
(Optional) To ensure the Wazuh agent can locate your password file if it is not in the default location (/Library/Ossec/etc/authd.pass), include the authorization_pass_path setting in the Wazuh agent configuration. Replace <PATH_TO_PASSWORD_FILE> with the filepath of the password file.
```
<enrollment>
  <authorization_pass_path><PATH_TO_PASSWORD_FILE></authorization_pass_path>
</enrollment>
```
Add the Wazuh manager IP address or FQDN (Fully Qualified Domain Name) to the agent configuration file in /Library/Ossec/etc/ossec.conf. Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN of the Wazuh manager.
```
<client>
  <server>
    <address><WAZUH_MANAGER_IP_ADDRESS></address>
    ...
  </server>
</client>
```
Restart the Wazuh agent to make the changes effective:
```
# /Library/Ossec/bin/wazuh-control restart
```
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

Wazuh manager identity verification

This method uses SSL certificates to verify the identity of the Wazuh manager before a Wazuh agent sends the enrollment request. The Wazuh manager verification and the Wazuh agent verification are independent. However, it is possible to use a combination of both.

Learn about Wazuh manager identity verification steps in the sections below:

Prerequisites

You need a certificate authority to sign certificates for the Wazuh manager and Wazuh agents. In the absence of an already configured certificate authority, run the following command on the Wazuh server to use it as the certificate authority:

# openssl req -x509 -new -nodes -newkey rsa:4096 -keyout rootCA.key -out rootCA.pem -batch -subj "/C=US/ST=CA/O=Wazuh"

The root certificate is created and saved as the rootCA.pem file.

Wazuh manager identity validation

In this process, the Wazuh manager generates an SSL certificate using the Certificate Authority (CA). Subsequently, during the agent enrollment, the Wazuh agent verifies the Wazuh manager certificate using the root certificate of the CA.

Wazuh server configuration

Generate an SSL certificate on the Wazuh server signed by the certificate authority. The steps to generate an SSL certificate for the Wazuh manager are as follows:

Create a certificate request configuration file req.conf on the Wazuh server. Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN (Fully Qualified Domain Name) of the Wazuh manager where the Wazuh agents will be enrolled. The contents of the file can be as follows:
```
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = US
CN = <WAZUH_MANAGER_IP_ADDRESS>
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = wazuh
DNS.2 = wazuh.com
```
Where:
- C is the country where the organization making this request is domiciled.
- CN is the common name on the certificate. This should be the IP address or FQDN of the Wazuh manager. This field is not optional.
- subjectAltName is optional and specifies the alternate subject names that can be used for the server. It should be included to allow the enrollment of the Wazuh agents with a SAN certificate.
- DNS.1 and DNS.2 refer to the additional identities that the certificate should be valid for. In this case, the Wazuh manager DNS are wazuh and wazuh.com.
Create a certificate signing request (CSR) on the Wazuh server with the following command. The CSR will be used to request a digital certificate from a Certificate Authority (CA):
```
# openssl req -new -nodes -newkey rsa:4096 -keyout sslmanager.key -out sslmanager.csr -config req.conf
```
Where:
- req.conf is the certificate request configuration file.
- sslmanager.key is the private key for the certificate request.
- sslmanager.csr is the CSR to be submitted to the certificate authority.
Issue and sign the certificate for the Wazuh manager CSR with the following command:
```
# openssl x509 -req -days 365 -in sslmanager.csr -CA rootCA.pem -CAkey rootCA.key -out sslmanager.cert -CAcreateserial -extfile req.conf -extensions req_ext
```
Where:
- req.conf is the certificate request configuration file.
- sslmanager.csr is the CSR to be submitted to the certificate authority.
- sslmanager.cert is the SSL certificate signed by the CSR.
- rootCA.pem is the root certificate for the CA.
- The -extfile and -extensions options are required to copy the subject and the extensions from sslmanager.csr to sslmanager.cert.
Copy the newly signed certificate and key files to /var/ossec/etc on the Wazuh manager:
```
# cp sslmanager.cert sslmanager.key /var/ossec/etc
```
Restart the Wazuh manager to apply the changes made:
```
# systemctl restart wazuh-manager
```

Linux/Unix

Follow the steps below to enroll a Linux/Unix endpoint by using certificates to verify the identity of the Wazuh manager:

Ensure that the root certificate authority rootCA.pem file has been copied to the endpoint.

Obtain root access, modify the Wazuh agent configuration file located at /var/ossec/etc/ossec.conf, and include the following:

Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the <client><server><address> section.
Local path to the root certificate in the <client><enrollment> section:

<client>
   <server>
      <address><WAZUH_MANAGER_IP_ADDRESS></address>
      ...
   </server>
      ...
      <enrollment>
         <server_ca_path>/<PATH_TO>/rootCA.pem</server_ca_path>
         ...
      </enrollment>
      ...
</client>

Restart the Wazuh agent to make the changes effective:
```
# systemctl restart wazuh-agent
```
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

Windows

Follow these steps to enroll a Windows endpoint by using certificates to verify the Wazuh manager identity:

The Wazuh agent installation directory depends on the architecture of the host.

C:\Program Files (x86)\ossec-agent for 64-bit systems.
C:\Program Files\ossec-agent for 32-bit systems.

Ensure that the root certificate authority rootCA.pem file has been copied to the endpoint.
Using an administrator account, modify the Wazuh agent configuration file located at C:\Program Files (x86)\ossec-agent\ossec.conf and include the following:
- Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the <client><server><address> section.
- Local path to the root certificate in the <client><enrollment><server_ca_path> section.
```
<client>
    <server>
       <address><WAZUH_MANAGER_IP_ADDRESS></address>
    </server>
       <enrollment>
          <server_ca_path>/<PATH_TO>/rootCA.pem</server_ca_path>
       </enrollment>
 </client>
```
Restart the Wazuh agent to make the changes effective.
# Restart-Service -Name wazuh
# net stop wazuh # net start wazuh
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

macOS

Follow the steps below to enroll a macOS endpoint by using certificates to verify the Wazuh manager identity:

Ensure that the root certificate authority rootCA.pem file has been copied to the endpoint.

Modify the Wazuh agent configuration file located at /Library/Ossec/etc/ossec.conf with root access and include the following:

Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the <client><server><address> section.
Local path to the root certificate in the <client><enrollment> section.

<client>
   <server>
      <address><WAZUH_MANAGER_IP_ADDRESS></address>
      ...
   </server>
      ...
      <enrollment>
         <server_ca_path>/<PATH_TO>/rootCA.pem</server_ca_path>
         ...
      </enrollment>
      ...
</client>

Restart the Wazuh agent to make the changes effective.
```
# /Library/Ossec/bin/wazuh-control restart
```
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

Wazuh agent identity verification

This method uses SSL certificates to verify that a Wazuh agent is authorized to enroll in the Wazuh manager. The Wazuh manager and Wazuh agent verification are independent of each other. However, it is possible to use a combination of both.

Learn about Wazuh agent identity verification steps in the sections below

Prerequisites

# openssl req -x509 -new -nodes -newkey rsa:4096 -keyout rootCA.key -out rootCA.pem -batch -subj "/C=US/ST=CA/O=Wazuh"

The root certificate is created and saved as the rootCA.pem file.

Wazuh agent verification options

In the prerequisite section, the CA issues an SSL certificate to the Wazuh agent host. On attempts to enroll by the Wazuh agent, the Wazuh manager verifies the certificate presented by the Wazuh agent using the root certificate. Wazuh provides two Wazuh agent verification options:

Wazuh agent verification without host validation: The certificates for the Wazuh agents are issued without specifying their hostname or IP address.
Wazuh agent verification with host validation: The certificates for the Wazuh agents are issued with their IP address or hostname specified as the common name.

The difference between these validation methods is that the certificate in the former method can be reused on multiple agents while the certificate created in the latter can only be used on the Wazuh agent whose IP address or hostname was specified during certificate generation.

Wazuh server configuration

Generate a certificate signing request (CSR) for the Wazuh agent on the Wazuh server:
- Wazuh agent verification without host validation: This is done without specifying the IP address or hostname of the Wazuh agent.
```
# openssl req -new -nodes -newkey rsa:4096 -keyout sslagent.key -out sslagent.csr -batch
```
- Wazuh agent verification with host validation: This is done by specifying the IP address or hostname of the Wazuh agent.
```
# openssl req -new -nodes -newkey rsa:4096 -keyout sslagent.key -out sslagent.csr -subj '/C=US/CN=<AGENT_IP_ADDRESS>'
```
Where:
- sslagent.csr is the CSR to be submitted to the certificate authority.
- sslagent.key is the generated CSR private key.
Sign the generated agent CSR using the CA keys:
```
# openssl x509 -req -days 365 -in sslagent.csr -CA rootCA.pem -CAkey rootCA.key -out sslagent.cert -CAcreateserial
```
Where:
- sslagent.csr is the CSR to be submitted to the certificate authority.
- sslagent.cert is the SSL certificate signed by the CSR.
- rootCA.pem is the root certificate for the CA.
- rootCA.key is the root certificate private key for the CA.
Copy the signed SSL certificate and key (sslagent.cert and sslagent.key in this case) to the Wazuh agent. You can use a tool like SCP to copy the certificate to the endpoints.
Ensure that the rootCA.pem file is in the /var/ossec/etc/ directory on the Wazuh server.
Update the /var/ossec/etc/ossec.conf file with the location of the rootCA.pem file to enable the use of certificates. Uncomment the <auth><ssl_agent_ca> section and specify the path to the rootCA.pem file on the Wazuh manager.
```
<auth>
   ...
   <ssl_agent_ca>/var/ossec/etc/rootCA.pem</ssl_agent_ca>
</auth>
```
Restart the Wazuh manager service to apply the changes:
```
# systemctl restart wazuh-manager
```

Linux/Unix

Follow these steps to enroll a Linux/Unix endpoint by using certificates for agent verification.

Ensure that the signed SSL certificate and key files (sslagent.cert and sslagent.key) for the Wazuh agent have been copied to the endpoint.
Obtain root access, modify the Wazuh agent configuration file located at /var/ossec/etc/ossec.conf, and include the following:
- The Wazuh manager IP address or FQDN (Fully Qualified Domain Name) in the <client><server><address> section.
- The local path to the agent certificate and the agent key are in the <client><enrollment> section.
```
<client>
   <server>
      <address><WAZUH_MANAGER_IP_ADDRESS></address>
   </server>
   <enrollment>
      <agent_certificate_path>/<PATH_TO>/sslagent.cert</agent_certificate_path>
      <agent_key_path>/<PATH_TO>/sslagent.key</agent_key_path>
   </enrollment>
</client>
```
Restart the Wazuh agent to make the changes effective:
```
# systemctl restart wazuh-agent
```
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

Windows

Follow these steps to enroll a Windows endpoint by using certificates for the Wazuh agent verification:

The Wazuh agent installation directory depends on the architecture of the host.

C:\Program Files (x86)\ossec-agent for 64-bit systems.
C:\Program Files\ossec-agent for 32-bit systems.

Ensure that the signed SSL certificate and key files (sslagent.cert and sslagent.key) have been copied to the endpoint.

Using an administrator account, modify the Wazuh agent configuration file located at C:\Program Files (x86)\ossec-agent\ossec.conf and include the following:

Wazuh manager IP address or FQDN in the <client><server><address> section.
The local path to the agent certificate and key are in the <client><enrollment> section.

<client>
   <server>
      <address><WAZUH_MANAGER_IP_ADDRESS></address>
   </server>
   <enrollment>
      <agent_certificate_path>/<PATH_TO>/sslagent.cert</agent_certificate_path>
      <agent_key_path>/<PATH_TO>/sslagent.key</agent_key_path>
   </enrollment>
</client>

Restart the Wazuh agent to make the changes effective.
# Restart-Service -Name wazuh
# net stop wazuh # net start wazuh
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

macOS

Follow these steps to enroll a macOS endpoint by using certificates for Wazuh agent verification.

Ensure that the signed SSL certificate and key files (sslagent.cert and sslagent.key) for the Wazuh agent have been copied to the endpoint.

Launch the terminal, obtain root access, edit the Wazuh agent configuration file located at /Library/Ossec/etc/ossec.conf, and include the following:

The Wazuh manager IP address or FQDN in the <client><server><address> section.
The local path to the agent certificate and key are in the <client><enrollment> section.

<client>
   <server>
      <address><WAZUH_MANAGER_IP_ADDRESS></address>
   </server>
   <enrollment>
      <agent_certificate_path>/<PATH_TO>/sslagent.cert</agent_certificate_path>
      <agent_key_path>/<PATH_TO>/sslagent.key</agent_key_path>
   </enrollment>
</client>

Restart the Wazuh agent to make the changes effective:
```
# /Library/Ossec/bin/wazuh-control restart
```
Click on the upper-left menu icon and navigate to Agents management > Summary on the Wazuh dashboard to check for the newly enrolled Wazuh agent and its connection status. If the enrollment was successful, you will have an interface similar to the image below.

Deployment variables

Deployment variables can be used to simplify the installation, enrollment, and configuration process of a Wazuh agent.

Select your operating system to learn how to make an automatic deployment using these variables.

Deployment variables for Linux

Below is a table describing the variables used by Wazuh agent packages on Linux endpoints and a few examples of how to use them.

Option	Description
WAZUH_MANAGER	This is the primary Wazuh manager that the Wazuh agent will connect to for ongoing communication and security data exchange. Specifies the Wazuh manager IP address or FQDN (Fully Qualified Domain Name). If you want to specify multiple managers, you can add them separated by commas. See address.
WAZUH_MANAGER_PORT	Specifies the Wazuh manager connection port. See port.
WAZUH_REGISTRATION_SERVER	Specifies the Wazuh enrollment server, used for the Wazuh agent enrollment. See manager_address. If empty, the value set in `WAZUH_MANAGER` will be used.
WAZUH_REGISTRATION_PORT	Specifies the port used by the Wazuh enrollment server. See port.
WAZUH_REGISTRATION_PASSWORD	Sets password used to authenticate during enrollment, stored in `etc/authd.pass`. See authorization_pass_path.
WAZUH_KEEP_ALIVE_INTERVAL	Sets the time between Wazuh agent checks for Wazuh manager connection. See notify_time.
WAZUH_TIME_RECONNECT	Sets the time interval for the Wazuh agent to reconnect with the Wazuh manager when connectivity is lost. See time-reconnect.
WAZUH_REGISTRATION_CA	Host SSL validation need of Certificate of Authority. This option specifies the CA path. See server_ca_path.
WAZUH_REGISTRATION_CERTIFICATE	The SSL agent verification needs a CA signed certificate and the respective key. This option specifies the certificate path. See agent_certificate_path.
WAZUH_REGISTRATION_KEY	Specifies the key path completing the required variables with WAZUH_REGISTRATION_CERTIFICATE for the SSL agent verification process. See agent_key_path.
WAZUH_AGENT_NAME	Designates the Wazuh agent's name. By default, it will be the computer name. See agent_name.
WAZUH_AGENT_GROUP	Assigns the Wazuh agent to one or more existing groups (separated by commas). See agent_groups.
ENROLLMENT_DELAY	Assigns the time that agentd should wait after a successful enrollment. See delay_after_enrollment.

Examples:

Enrollment with password:

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" \
     WAZUH_AGENT_NAME="apt-agent" apt-get install wazuh-agent

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" \
     WAZUH_AGENT_NAME="yum-agent" yum install wazuh-agent

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" \
     WAZUH_AGENT_NAME="dnf-agent" dnf install wazuh-agent

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" \
     WAZUH_AGENT_NAME="zypper-agent" zypper install wazuh-agent

Enrollment with password and assigning a group:

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" \
     WAZUH_AGENT_GROUP="my-group" apt-get install wazuh-agent

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" \
     WAZUH_AGENT_GROUP="my-group" yum install wazuh-agent

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" \
     WAZUH_AGENT_GROUP="my-group" dnf install wazuh-agent

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" \
     WAZUH_AGENT_GROUP="my-group" zypper install wazuh-agent

Enrollment with relative path to CA. It will be searched at your Wazuh installation folder:

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_AGENT_NAME="apt-agent" \
     WAZUH_REGISTRATION_CA="rootCA.pem" apt-get install wazuh-agent

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_AGENT_NAME="yum-agent" \
     WAZUH_REGISTRATION_CA="rootCA.pem" yum install wazuh-agent

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_AGENT_NAME="dnf-agent" \
     WAZUH_REGISTRATION_CA="rootCA.pem" dnf install wazuh-agent

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_AGENT_NAME="zypper-agent" \
     WAZUH_REGISTRATION_CA="rootCA.pem" zypper install wazuh-agent

Enrollment and adding multiple addresses:

# WAZUH_MANAGER="10.0.0.2,10.0.0.3" WAZUH_REGISTRATION_SERVER="10.0.0.2" \
     WAZUH_AGENT_NAME="apt-agent" apt-get install wazuh-agent

# WAZUH_MANAGER="10.0.0.2,10.0.0.3" WAZUH_REGISTRATION_SERVER="10.0.0.2" \
     WAZUH_AGENT_NAME="yum-agent" yum install wazuh-agent

# WAZUH_MANAGER="10.0.0.2,10.0.0.3" WAZUH_REGISTRATION_SERVER="10.0.0.2" \
     WAZUH_AGENT_NAME="dnf-agent" dnf install wazuh-agent

# WAZUH_MANAGER="10.0.0.2,10.0.0.3" WAZUH_REGISTRATION_SERVER="10.0.0.2" \
     WAZUH_AGENT_NAME="zypper-agent" zypper install wazuh-agent

Absolute paths to CA, certificate, or key that contain spaces can be written as shown below:

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_KEY="/var/ossec/etc/sslagent.key" \
     WAZUH_REGISTRATION_CERTIFICATE="/var/ossec/etc/sslagent.cert" apt-get install wazuh-agent

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_KEY="/var/ossec/etc/sslagent.key" \
     WAZUH_REGISTRATION_CERTIFICATE="/var/ossec/etc/sslagent.cert" yum install wazuh-agent

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_KEY="/var/ossec/etc/sslagent.key" \
     WAZUH_REGISTRATION_CERTIFICATE="/var/ossec/etc/sslagent.cert" dnf install wazuh-agent

# WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_KEY="/var/ossec/etc/sslagent.key" \
     WAZUH_REGISTRATION_CERTIFICATE="/var/ossec/etc/sslagent.cert" zypper install wazuh-agent

Note

It’s necessary to use both KEY and PEM options to verify Wazuh agents' identities with the enrollment server. See the additional security options section.

Deployment variables for Windows

To fully deploy a Wazuh agent and connect it to the Wazuh server, you must install, enroll, and configure it. The Wazuh agent packages can simplify this process by using variables that allow configuration provisioning.

Below is a table describing the variables used by Wazuh agent packages on Windows and a few examples of how to use them.

Option	Description
WAZUH_MANAGER	This is the primary Wazuh manager that the Wazuh agent will connect to for ongoing communication and security data exchange. Specifies the Wazuh manager IP address or FQDN (Fully Qualified Domain Name). If you want to specify multiple managers, you can add them separated by commas. See address.
WAZUH_MANAGER_PORT	Specifies the Wazuh manager connection port. See port.
WAZUH_REGISTRATION_SERVER	Specifies the Wazuh enrollment server, used for the Wazuh agent enrollment. See manager_address. If empty, the value set in `WAZUH_MANAGER` will be used.
WAZUH_REGISTRATION_PORT	Specifies the port used by the Wazuh enrollment server. See port.
WAZUH_REGISTRATION_PASSWORD	Sets password used to authenticate during enrollment, stored in `authd.pass` file. See authorization_pass_path.
WAZUH_KEEP_ALIVE_INTERVAL	Sets the time between Wazuh agent checks for Wazuh manager connection. See notify_time.
WAZUH_TIME_RECONNECT	Sets the time interval for the Wazuh agent to reconnect with the Wazuh manager when connectivity is lost. See time-reconnect.
WAZUH_REGISTRATION_CA	Host SSL validation need of Certificate of Authority. This option specifies the CA path. See server_ca_path.
WAZUH_REGISTRATION_CERTIFICATE	The SSL agent verification needs a CA signed certificate and the respective key. This option specifies the certificate path. See agent_certificate_path.
WAZUH_REGISTRATION_KEY	Specifies the key path completing the required variables with WAZUH_REGISTRATION_CERTIFICATE for the SSL agent verification process. See agent_key_path.
WAZUH_AGENT_NAME	Designates the Wazuh agent's name. By default, it will be the computer name. See agent_name.
WAZUH_AGENT_GROUP	Assigns the Wazuh agent to one or more existing groups (separated by commas). See agent_groups.
ENROLLMENT_DELAY	Assigns the time that agentd should wait after a successful enrollment. See delay_after_enrollment.
/l installer.log	Generates a log of the installation process.
/l*v installer.log	Generates a log of the installation process, including verbose messages.

Note

In PowerShell, use """ or '"" if the deployment variable contains spaces. For example, WAZUH_REGISTRATION_PASSWORD="""TOP SECRET"""

Below there are some examples to install and enroll a Windows agent.

Enrollment with password:

wazuh-agent-5.0.0-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" WAZUH_AGENT_NAME="W2012"

Enrollment with password and assigning a group:

wazuh-agent-5.0.0-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_PASSWORD="TopSecret" WAZUH_AGENT_GROUP="my-group"

Enrollment with relative path to CA. It will be searched at your Wazuh installation folder:

wazuh-agent-5.0.0-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_AGENT_NAME="W2019" WAZUH_REGISTRATION_CA="rootCA.pem"

Absolute paths to CA, certificate or key that contain spaces can be written as shown below:

wazuh-agent-5.0.0-1.msi /q WAZUH_MANAGER="10.0.0.2" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_REGISTRATION_KEY="C:\Program Files (x86)\ossec-agent\sslagent.key" WAZUH_REGISTRATION_CERTIFICATE="C:\Program Files (x86)\ossec-agent\sslagent.cert"

Note

It's necessary to use both WAZUH_REGISTRATION_KEY and WAZUH_REGISTRATION_CERTIFICATE options to verify Wazuh agents’ via SSL. See the additional security options section.

Enrollment and adding multiple addresses:

wazuh-agent-5.0.0-1.msi /q WAZUH_MANAGER="10.0.0.2,10.0.0.3" WAZUH_REGISTRATION_SERVER="10.0.0.2" WAZUH_AGENT_NAME="W2016"

Warning

To avoid compatibility issues when installing the Wazuh agent on Windows versions older than Windows Server 2008 or Windows 7, use either of these options.

Run the /var/ossec/bin/wazuh-authd program on the Wazuh server with the -a flag. This enables compatibility mode for older Windows agents.
Set the <ssl_auto_negotiate> option to yes in the auth configuration section of the /var/ossec/etc/ossec.conf file on the Wazuh server. This allows automatic negotiation of the most compatible SSL/TLS version for communication with older Windows agents.

Deployment variables for macOS

For a Wazuh agent to be fully deployed and connected to the Wazuh server, you must install, enroll, and configure it. The Wazuh agent packages can use variables that allow configuration provisioning to make the process simple.

Below is a table describing the variables used by Wazuh agent packages on macOS endpoints, and a few examples of how to use them.

Option	Description
WAZUH_MANAGER	This is the primary Wazuh manager that the Wazuh agent will connect to for ongoing communication and security data exchange. Specifies the Wazuh manager IP address or FQDN (Fully Qualified Domain Name). If you want to specify multiple managers, you can add them separated by commas. See address.
WAZUH_MANAGER_PORT	Specifies the Wazuh manager connection port. See port.
WAZUH_REGISTRATION_SERVER	Specifies the Wazuh enrollment server, used for the Wazuh agent enrollment. See manager_address. If empty, the value set in `WAZUH_MANAGER` will be used.
WAZUH_REGISTRATION_PORT	Specifies the port used by the Wazuh enrollment server. See port.
WAZUH_REGISTRATION_PASSWORD	Sets the password used to authenticate during the Wazuh agent enrollment, stored in `etc/authd.pass` file. See authorization_pass_path
WAZUH_KEEP_ALIVE_INTERVAL	Sets the time between Wazuh agent checks for Wazuh manager connection. See notify_time.
WAZUH_TIME_RECONNECT	Sets the time interval for the Wazuh agent to reconnect with the Wazuh manager when connectivity is lost. See time-reconnect.
WAZUH_REGISTRATION_CA	Host SSL validation need of Certificate of Authority. This option specifies the CA path. See server_ca_path.
WAZUH_REGISTRATION_CERTIFICATE	The SSL agent verification needs a CA signed certificate and the respective key. This option specifies the certificate path. See agent_certificate_path.
WAZUH_REGISTRATION_KEY	Specifies the key path completing the required variables with WAZUH_REGISTRATION_CERTIFICATE for the SSL agent verification process. See agent_key_path.
WAZUH_AGENT_NAME	Designates the Wazuh agent's name. By default, it will be the computer name. See agent_name.
WAZUH_AGENT_GROUP	Assigns the Wazuh agent to one or more existing groups (separated by commas). See agent_groups.
ENROLLMENT_DELAY	Assigns the time that agentd should wait after a successful enrollment. See delay_after_enrollment.

Examples:

Enrollment with password:

# echo "WAZUH_MANAGER='10.0.0.2' && WAZUH_REGISTRATION_PASSWORD='TopSecret' && \
WAZUH_AGENT_NAME='macos-agent'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-5.0.0-1.intel64.pkg -target /

# echo "WAZUH_MANAGER='10.0.0.2' && WAZUH_REGISTRATION_PASSWORD='TopSecret' && \
WAZUH_AGENT_NAME='macos-agent'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-5.0.0-1.arm64.pkg -target /

Enrollment with password and assigning a group:

# echo "WAZUH_MANAGER='10.0.0.2' && WAZUH_REGISTRATION_SERVER='10.0.0.2' && WAZUH_REGISTRATION_PASSWORD='TopSecret' && \
WAZUH_AGENT_GROUP='my-group'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-5.0.0-1.intel64.pkg -target /

# echo "WAZUH_MANAGER='10.0.0.2' && WAZUH_REGISTRATION_SERVER='10.0.0.2' && WAZUH_REGISTRATION_PASSWORD='TopSecret' && \
WAZUH_AGENT_GROUP='my-group'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-5.0.0-1.arm64.pkg -target /

Enrollment with relative path to CA. It will be searched at your Wazuh installation folder:

# echo "WAZUH_MANAGER='10.0.0.2' && WAZUH_REGISTRATION_SERVER='10.0.0.2' && WAZUH_AGENT_NAME='macos-agent' && \
WAZUH_REGISTRATION_CA='rootCA.pem'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-5.0.0-1.intel64.pkg -target /

# echo "WAZUH_MANAGER='10.0.0.2' && WAZUH_REGISTRATION_SERVER='10.0.0.2' && WAZUH_AGENT_NAME='macos-agent' && \
WAZUH_REGISTRATION_CA='rootCA.pem'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-5.0.0-1.arm64.pkg -target /

Enrollment and adding multiple addresses:

# echo "WAZUH_MANAGER='10.0.0.2,10.0.0.3' && WAZUH_REGISTRATION_SERVER='10.0.0.2' && \
WAZUH_AGENT_NAME='macos-agent'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-5.0.0-1.intel64.pkg -target /

# echo "WAZUH_MANAGER='10.0.0.2,10.0.0.3' && WAZUH_REGISTRATION_SERVER='10.0.0.2' && \
WAZUH_AGENT_NAME='macos-agent'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-5.0.0-1.arm64.pkg -target /

Absolute paths to CA, certificate or key that contain spaces can be written as shown below:

# echo "WAZUH_MANAGER='10.0.0.2' && WAZUH_REGISTRATION_SERVER='10.0.0.2' && WAZUH_REGISTRATION_KEY='/var/ossec/etc/sslagent.key' && \
WAZUH_REGISTRATION_CERTIFICATE='/var/ossec/etc/sslagent.cert'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-5.0.0-1.intel64.pkg -target /

# echo "WAZUH_MANAGER='10.0.0.2' && WAZUH_REGISTRATION_SERVER='10.0.0.2' && WAZUH_REGISTRATION_KEY='/var/ossec/etc/sslagent.key' && \
WAZUH_REGISTRATION_CERTIFICATE='/var/ossec/etc/sslagent.cert'" > /tmp/wazuh_envs && installer -pkg wazuh-agent-5.0.0-1.arm64.pkg -target /

Note

It’s necessary to use both KEY and PEM options to verify Wazuh agents' identities with the enrollment server. See the additional security options section.

Troubleshooting

We recommend checking the logs on the Wazuh manager and Wazuh agent for errors when a Wazuh agent fails to enroll. The location of the Wazuh manager log file is /var/ossec/logs/ossec.log. The location of the Wazuh agent log file is dependent on the operating system:

Operating system	Wazuh agent log file
Linux/Unix	`/var/ossec/logs/ossec.log`
macOS	`/Library/Ossec/logs/ossec.log`
Windows 64-bit	`C:\Program Files (x86)\ossec-agent\ossec.log`
Windows 32-bit	`C:\Program Files\ossec-agent\ossec.log`

In the list below, you can access the different cases included in this troubleshooting section:

Verifying communication with the Wazuh manager

In some scenarios, the Wazuh agent may be unable to enroll or establish a connection with the Wazuh manager because the necessary ports on the Wazuh manager are unreachable.

The following default ports on the Wazuh manager should be opened:

1514/TCP for agent communication.
1515/TCP for enrollment via agent configuration.
55000/TCP for enrollment via Wazuh server API.

On Linux and macOS systems (with netcat installed), open a terminal and run the following command. Replace <WAZUH_MANAGER_IP_ADDRESS> with your Wazuh manager IP address or FQDN (Fully Qualified Domain Name).

# nc -zv <WAZUH_MANAGER_IP_ADDRESS> 1514 1515 55000

If there is connectivity, the output should be a connection success message:

Connection to <WAZUH_MANAGER_IP_ADDRESS> port 1514 [tcp] succeeded!
Connection to <WAZUH_MANAGER_IP_ADDRESS> port 1515 [tcp] succeeded!
Connection to <WAZUH_MANAGER_IP_ADDRESS> port 55000 [tcp] succeeded!

On Windows, open a PowerShell terminal and run the following command:

# (new-object Net.Sockets.TcpClient).Connect("<WAZUH_MANAGER_IP_ADDRESS>", 1514)
# (new-object Net.Sockets.TcpClient).Connect("<WAZUH_MANAGER_IP_ADDRESS>", 1515)
# (new-object Net.Sockets.TcpClient).Connect("<WAZUH_MANAGER_IP_ADDRESS>", 55000)

If there is connectivity, there is no output. Otherwise, an error is shown:

A connection attempt failed because the connected party did not properly respond after a period of time (...)

Authentication error

The client.keys file stores the data used to authenticate the Wazuh agent and the Wazuh manager. The Wazuh agent may be unable to authenticate with the Wazuh manager if the client.keys on the Wazuh manager and the Wazuh agent are different.

Location: Wazuh manager log file at /var/ossec/logs/ossec.log.

Error log:

2022/02/03 10:07:32 wazuh-remoted: WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '001' at 'any'.

Resolution: Ensure that the client key on the Wazuh agent matches the key in the Wazuh manager client.keys file. You can find the client.keys key file at the following locations:

Endpoint	Location
Wazuh manager	`/var/ossec/etc/client.keys`
Linux/Unix	`/var/ossec/etc/client.keys`
macOS	`/Library/Ossec/etc/client.keys`
Windows	`"C:\Program Files (x86)\ossec-agent\client.keys"`

Also, verify that each agent has a unique agent key stored in the Wazuh manager /var/ossec/etc/client.keys file. Duplicate keys can arise if you previously deleted agents with the highest IDs or copied the client.keys file between agents.

Invalid agent name for enrollment

Each Wazuh agent must have a unique name before successfully enrolling in the Wazuh manager. If you do not specify a Wazuh agent name during the deployment process, Wazuh will use the endpoint's hostname. If two or more endpoints have the same hostname, the Wazuh agent enrollment will not be successful.

Location: Wazuh agent log file

Refer to the table in the Troubleshooting section for the Wazuh agent log file location.

Error log:

2022/01/26 08:59:10 wazuh-agentd: INFO: Using agent name as: localhost.localdomain
2022/01/26 08:59:10 wazuh-agentd: INFO: Waiting for server reply
2022/01/26 08:59:10 wazuh-agentd: ERROR: Invalid agent name: localhost.localdomain (from manager)
2022/01/26 08:59:10 wazuh-agentd: ERROR: Unable to add agent (from manager)

Resolution: Ensure the Wazuh agent hostname is unique and does not match an already enrolled agent. Alternatively, specify a unique agent name in the <client><enrollment><agent_name> section of the Wazuh agent ossec.conf file. You can find the ossec.conf file at the following locations:

Linux/Unix endpoints - /var/ossec/etc/ossec.conf
macOS endpoint - /Library/Ossec/etc/ossec.conf
Windows endpoints - C:\Program Files (x86)\ossec-agent\ossec.conf

<client>
     ...
     <enrollment>
         <agent_name>EXAMPLE_NAME</agent_name>
         ...
     </enrollment>
 </client>

Unable to read CA certificate file

The Wazuh agent may not be able to authenticate with the Wazuh manager if the root certificate authority is missing on either the Wazuh manager or the Wazuh agent. This applies when additional security options such as Wazuh manager identity verification and Wazuh agent identity verification are used.

Location: Wazuh manager log file at /var/ossec/logs/ossec.log.

Error log:

2022/01/26 08:25:01 wazuh-authd: ERROR: Unable to read CA certificate file "/var/ossec/etc/rootCA.pem"
2022/01/26 08:25:01 wazuh-authd: ERROR: SSL error. Exiting.

Resolution: Ensure the certificate authority file is in the location specified in the <ssl_agent_ca> section of the Wazuh manager /var/ossec/etc/ossec.conf file.

Location: Wazuh agent log file

Refer to the table in the Troubleshooting section for the Wazuh agent log file location.

Error log:

2022/01/26 08:25:01 wazuh-authd: ERROR: Unable to read CA certificate file "/var/ossec/etc/rootCA.pem"
2022/01/26 08:25:01 wazuh-authd: ERROR: SSL error. Exiting.

Resolution: Ensure the certificate authority file is in the location specified in the <server_ca_path> section of the Wazuh agent configuration file (ossec.conf). You can find the ossec.conf file at the following locations:

Linux/Unix endpoints - /var/ossec/etc/ossec.conf
macOS endpoint - /Library/Ossec/etc/ossec.conf
Windows endpoints - C:\Program Files (x86)\ossec-agent\ossec.conf

Unable to read private key file

The Wazuh agent may not be able to authenticate with the Wazuh manager if the private key file is missing on the Wazuh agent. This applies when Wazuh agent identity verification is used for the Wazuh agent enrollment.

Location: Wazuh agent log file

Refer to the table in the Troubleshooting section for the Wazuh agent log file location.

Error log:

2022/01/26 08:57:18 wazuh-agentd: ERROR: Unable to read private key file: /var/ossec/etc/sslagent.key
2022/01/26 08:57:18 wazuh-agentd: ERROR: Could not set up SSL connection! Check certification configuration.

Resolution: Ensure the agent private key file is in the location specified in the <agent_key_path> section of the Wazuh agent ossec.conf file. You can find the ossec.conf file at the following locations:

Linux/Unix endpoints - /var/ossec/etc/ossec.conf
macOS endpoint - /Library/Ossec/etc/ossec.conf
Windows endpoints - C:\Program Files (x86)\ossec-agent\ossec.conf

Unable to read certificate file

The Wazuh agent may not be able to authenticate with the Wazuh manager if the signed SSL certificate is missing on the Wazuh agent. This applies when Wazuh agent identity verification is used for the Wazuh agent enrollment.

Location: Wazuh agent log file

Refer to the table in the Troubleshooting section for the Wazuh agent log file location.

Error log:

2022/01/26 08:54:55 wazuh-agentd: ERROR: Unable to read certificate file (not found): /var/ossec/etc/sslagent.cert
2022/01/26 08:54:55 wazuh-agentd: ERROR: Could not set up SSL connection! Check certification configuration.

Resolution: Ensure the agent certificate file is in the location specified in the <agent_certificate_path> section of the Wazuh agent ossec.conf file. You can find the ossec.conf file at the following locations:

Linux/Unix endpoints - /var/ossec/etc/ossec.conf
macOS endpoint - /Library/Ossec/etc/ossec.conf
Windows endpoints - C:\Program Files (x86)\ossec-agent\ossec.conf

Invalid password

If you enable password authentication for agent enrollment, the Wazuh agent may not be able to authenticate with the Wazuh manager if there's an invalid or missing password.

Location: Wazuh agent log file

Refer to the table in the Troubleshooting section for the Wazuh agent log file location.

Error log:

2022/01/26 12:28:10 wazuh-agentd: INFO: Requesting a key from server: X.X.X.X
2022/01/26 12:28:10 wazuh-agentd: INFO: No authentication password provided
2022/01/26 12:28:10 wazuh-agentd: INFO: Using agent name as: random
2022/01/26 12:28:10 wazuh-agentd: INFO: Waiting for server reply
2022/01/26 12:28:10 wazuh-agentd: ERROR: Invalid password (from manager)
2022/01/26 12:28:10 wazuh-agentd: ERROR: Unable to add agent (from manager)

Resolution:

Ensure the same password is used by the Wazuh manager and the Wazuh agent
Ensure that the authd.pass password file is in the /var/ossec/etc/ directory and has the right permission. The file permissions should be set to 640, and the owner should be root.
If password authentication is not needed, it should be disabled in the <auth> section of the Wazuh manager /var/ossec/etc/ossec.conf file. You can find the ossec.conf file at the following locations:
- Linux/Unix endpoints - /var/ossec/etc/ossec.conf
- macOS endpoint - /Library/Ossec/etc/ossec.conf
- Windows endpoints - C:\Program Files (x86)\ossec-agent\ossec.conf

Wazuh agent management

This section describes managing the Wazuh agent using the command line (CLI), the Wazuh dashboard, and the Wazuh server API. This includes the following management actions:

Wazuh agent connection

This section highlights different methods to verify the connection status between a Wazuh agent and the Wazuh manager. It also discusses how to check the Wazuh agent connnection to the Wazuh manager and verify the synchronization status of the Wazuh agent. These sections are outlined below:

Checking connection with the Wazuh manager

There are different ways to check the connection status between a Wazuh agent and the Wazuh manager. They include navigating the Wazuh dashboard, using the Wazuh agent control utility, querying the Wazuh server API, and reading the Wazuh agent state file. This guide highlights the different methods and contains steps to verify the network communication between a Wazuh agent and the Wazuh manager.

Using the Wazuh dashboard

You can check the connection status of a Wazuh agent by selecting Summary under Agents management on the Wazuh dashboard.

Wazuh dashboard – Agents management summary menu option

This option displays the Endpoints dashboard with a list of all enrolled Wazuh agents. The list includes the connection status of each Wazuh agent. The Wazuh dashboard also displays a summary with the number of Wazuh agents found for each possible agent connection status: Active, Disconnected, Pending, or Never connected.

Using the agent_control utility from the server

You can check the status of a Wazuh agent remotely by using the agent_control utility present on the Wazuh server. To get the Wazuh agent status, run the following command and replace the <WAZUH_AGENT_ID> parameter with your Wazuh agent ID, for example, 001.

# /var/ossec/bin/agent_control -i <WAZUH_AGENT_ID> | grep Status

Status:     Active

To list all the available Wazuh agents and their status, use the command /var/ossec/bin/agent_control -l. Output

Wazuh agent_control. List of available agents:
   ID: 000, Name: vpc-ossec-manager (server), IP: 127.0.0.1, Active/Local
   ID: 1040, Name: ip-10-0-0-76, IP: 10.0.0.76, Active
   ID: 003, Name: vpc-agent-debian, IP: 10.0.0.121, Active
   ID: 005, Name: vpc-agent-ubuntu-public, IP: 10.0.0.126, Active
   ID: 006, Name: vpc-agent-windows, IP: 10.0.0.124, Active
   ID: 1024, Name: ip-10-0-0-252, IP: 10.0.0.252, Never connected
   ID: 1028, Name: vpc-debian-it, IP: any, Never connected
   ID: 1030, Name: diamorphine-POC, IP: 10.0.0.59, Active
   ID: 015, Name: vpc-agent-centos, IP: 10.0.0.123, Active
   ID: 1031, Name: WIN-UENN0U6R5SF, IP: 10.0.0.124, Never connected
   ID: 1032, Name: vpc-agent-ubuntu, IP: 10.0.0.122, Active
   ID: 1033, Name: vpc-agent-debian8, IP: 10.0.0.128, Active
   ID: 1034, Name: vpc-agent-redhat, IP: 10.0.0.127, Active
   ID: 1035, Name: vpc-agent-centos7, IP: 10.0.0.101, Never connected
   ID: 1041, Name: vpc-agent-centos-public, IP: 10.0.0.125, Active

List of agentless devices:
   ID: 010, Name: agentless-ubuntu, IP: 10.0.0.135, Active

Using the Wazuh server API

You can check the status of a Wazuh agent by sending a request to the Wazuh server API to retrieve statistical information from an agent. This action is performed on the Wazuh server.

GET /agents/<WAZUH_AGENT_ID>/stats/agent

{
  "data": {
     "affected_items": [
     {
     "status": "connected",
     "last_keepalive": "2024-02-14T10:08:36Z",
     "last_ack": "2024-02-14T10:08:39Z",
     "msg_count": 3984,
     "msg_sent": 4191,
     "msg_buffer": 0,
     "buffer_enabled": true
     }
     ],
     "total_affected_items": 1,
     "total_failed_items": 0,
     "failed_items": []
  },
  "message": "Statistical information for each agent was successfully read",
  "error": 0
}

Reading the local wazuh-agentd.state file

You can read the /var/ossec/var/run/wazuh-agentd.state file found in the endpoint to check the status of the connection. The Wazuh agent keeps reporting its connection status in this file as follows:

pending: Waiting for acknowledgment from the Wazuh manager about the connection established.
disconnected: No acknowledgment signal received in the last 60 seconds or lost connection.
connected: Acknowledgment about the connection established received from the Wazuh manager.

To check the current status and verify the connection of the Wazuh agent to the Wazuh manager, run the following command on the endpoint:

$ sudo grep ^status /var/ossec/var/run/wazuh-agentd.state

status='connected'

> Select-String -Path 'C:\Program Files (x86)\ossec-agent\wazuh-agent.state' -Pattern "^status"

C:\Program Files (x86)\ossec-agent\wazuh-agent.state:7:status='connected'

# sudo grep ^status /Library/Ossec/var/run/wazuh-agentd.state

status='connected'

Checking network communication

Agent communication with the Wazuh manager requires outbound connectivity from the Wazuh agent to the Wazuh manager. It uses the port 1514/TCP by default.

Run the following commands on the Wazuh agent to verify if a connection to the Wazuh manager is established. The result should match the Wazuh agent and Wazuh manager IP addresses.

# netstat -vatunp|grep wazuh-agentd

tcp            0       0 192.168.33.27:60174   192.168.33.25:1514      ESTABLISHED 4415/wazuh-agentd

> Get-NetTCPConnection -RemotePort 1514

LocalAddress                           LocalPort RemoteAddress                         RemotePort State        AppliedSetting OwningProcess
------------                           --------- -------------                         ---------- -----        -------------- -------------
192.168.33.1                           62657   192.168.33.25                           1514    Established Internet    33232

# lsof -i -P | grep ESTABLISHED | grep 1514

wazuh-age  1763          wazuh    7u  IPv4 0xca59cd921b0f1ccb      0t0    TCP 10.0.2.15:49326->10.0.2.1:1514 (ESTABLISHED)

Search for errors or warnings in the corresponding agent log files for troubleshooting purposes.

Linux/Unix: /var/ossec/logs/ossec.log
Windows: C:\Program Files (x86)\ossec-agent\ossec.log
macOS: /Library/Ossec/logs/ossec.log

To learn more, see the troubleshooting section.

Checking the synchronization status of Wazuh agents group configuration

Synchronization ensures the Wazuh agent has the latest security configurations and data for consistent monitoring. To check the synchronization status of the group configuration for agents, you can use the /var/ossec/bin/agent_groups tool or the GET /agents Wazuh server API endpoint.

Using the agent_groups tool

Run the command below on the Wazuh server:

# /var/ossec/bin/agent_groups -S -i 001

Agent '001' is synchronized.

For the other capabilities of the /var/ossec/bin/agent_groups tool, refer to the reference section.

Using the GET /agents Wazuh server API endpoint

Run the command below on the Wazuh server or any endpoint that has connectivity with the Wazuh server. Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN of the Wazuh server.

# curl -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents?agents_list=001&select=group_config_status&pretty=true" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "group_config_status": "synced",
            "id": "001"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Refer to the following documentation for other information on the Wazuh server API.

Wazuh agent administration

Wazuh agent administration involves the management of the enrolled Wazuh agents. The following sections discuss the settings and functions that you can use to manage the Wazuh agent from the Wazuh manager.

Querying the Wazuh agent configuration

You can query the actual configuration of a Wazuh agent or the Wazuh manager on demand. Navigate to the Server management > Settings in the Wazuh dashboard. From here, you will be able to fetch the active configuration for the Wazuh manager in real-time. The image below shows details about the Wazuh manager configuration.

Query the manager configuration in Wazuh dashboard

Navigate to the Agents management > Summary tab in the Wazuh dashboard. Select an agent and click on Configuration. The image below shows details about the Wazuh agent configuration. It also shows that the Wazuh agent configuration is synchronized. This means that the Wazuh agent's local configuration reflects the latest settings defined on the Wazuh manager.

Navigate to the Agents management > Summary tab in the Wazuh dashboard. Select an agent and click on Configuration. Scroll down to the Log data analysis section and click on the Log collection configuration. The active configuration is shown. The image below shows the log files that will be analyzed.

Grouping agents

There are two methods for configuring enrolled Wazuh agents. They can either be configured locally with the Wazuh agent configuration file or remotely using the centralized configuration. If the centralized configuration is used, Wazuh agents may be assigned to groups where each group possesses a unique configuration. This greatly simplifies the overall configuration process.

Note

Refer to the agent groups and centralized configuration document for more information.

Unless otherwise assigned, all newly connected Wazuh agents automatically belong to the 'default' group. This group is created during the installation process with the configuration files placed in the /var/ossec/etc/shared/default/ folder on the Wazuh server. These files will be pushed from the Wazuh manager to all Wazuh agents belonging to this group.

Each group has a configuration file /var/ossec/etc/shared/<GROUP_NAME>/agent.conf located on the Wazuh server, where <GROUP_NAME> is the name of the agent group. This file is empty by default, and here, you can define centralized agent configurations. After creating a group, you can modify the group's configuration file to apply configurations to all agents in that group.

Creating agent groups

There are three methods for creating agent groups which include:

The Wazuh dashboard
The agent_groups tool
The Wazuh API

The Wazuh dashboard

To create agent groups from the Wazuh dashboard:

Navigate to Agents management > Groups and click the Add new group button.
Enter a name for the agent group and click on the Save new group button.

The agent_groups tool

The agent_groups tool offers the ability to create and manage Wazuh agent groups directly from the command line. The tool is used as follows to create a Wazuh agent group:

Note

You need root user privileges to execute the commands below.

# /var/ossec/bin/agent_groups -a -g <GROUP_ID> -q

Where:

The flag -a -g adds a group.
The <GROUP_ID> indicates a unique group name. Replace <GROUP_ID> with the name of the group you want to create.
The flag -q triggers the silent or no confirmation mode.

Run the following commands on the Wazuh server to create the agent groups Windows, macOS, and Linux:

# /var/ossec/bin/agent_groups -a -g Windows -q
# /var/ossec/bin/agent_groups -a -g macOS -q
# /var/ossec/bin/agent_groups -a -g Linux -q

An example output is as follows:

Group 'Windows' created.

To ensure the groups are created correctly, run the following command to list all existing groups:

# /var/ossec/bin/agent_groups -l

An example output is as follows:

Groups (5):
  Linux (0)
  Test (0)
  Windows (0)
  default (2)
  macOS (0)
Unassigned agents: 0.

The Wazuh API

Using the Wazuh API to create and manage groups programmatically is effective for automating group management tasks. Perform the steps below to create agent groups using the Wazuh API:

On the Wazuh dashboard, navigate to Server management, and select Dev Tools.

Run the queries below to create the agent groups Windows, macOS, and Linux:

POST /groups {"group_id": "Windows"}
POST /groups {"group_id": "macOS"}
POST /groups {"group_id": "Linux"}

You can also use the command line interface to create agent groups via the Wazuh API. The equivalent command to run from the console with root user privileges to create the Linux group would be:

# curl -k -X POST "https://<WAZUH_MANAGER_IP>:55000/groups?pretty=true" -H "Content-Type: application/json" -d '{"group_id": "Linux"}' -H  "Authorization: Bearer $(curl -u <API_USER>:<API_PASSWORD> -k -X POST 'https://<WAZUH_MANAGER_IP>:55000/security/user/authenticate?raw=true')"
Replace:

The <WAZUH_MANAGER_IP> variable with the IP address of your Wazuh server. In case you have a distributed deployment, use the IP address of the master node.

The <API_USER> variable with your Wazuh API username.

The <API_PASSWORD> variable with the password of your Wazuh API user.

The output of the command is as follows:
{
   "message": "Group 'Linux' created.",
   "error": 0
}

Assigning agents to a group

Below are the steps to assign agents to a group with a specific configuration:

Once a Wazuh agent has been added and connected to the Wazuh manager, assign it to a group using the /var/ossec/bin/agent_groups tool or the Wazuh server API. Below are examples of how to assign a Wazuh agent with ID 002 to the group dbms using these methods:

Using the /var/ossec/bin/agent_groups tool:
```
# /var/ossec/bin/agent_groups -a -i 002 -g dbms
```
Note

The group must be created and configured before assigning agents. You can create agent groups using the /var/ossec/bin/agent_groups tool. The group name can only contain upper/lower case letters, numbers, dots, underscores, and hyphens.

Using the Wazuh server API endpoint PUT /agents/{agent_id}/group/{group_id}:

# curl -k -X PUT "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents/002/group/dbms?pretty=true" -H  "Authorization: Bearer $TOKEN"

{
    "data": {
        "affected_items": ["002"],
        "total_affected_items": 1,
        "total_failed_items": 0,
        "failed_items": [],
    },
    "message": "All selected agents were assigned to dbms",
    "error": 0,
}

Agents assigned to a group can be checked using one of the following commands:

Using /var/ossec/bin/agent_groups:

# /var/ossec/bin/agent_groups -l -g dbms

5 agent(s) in group 'dbms':
  ID: 002  Name: agent-dbms-e1.
  ID: 003  Name: agent-dbms-e2.
  ID: 004  Name: agent-dbms-a1.
  ID: 005  Name: agent-dbms-a2.
  ID: 006  Name: agent-dbms-a3.

Using the Wazuh server API endpoint GET /groups/{group_id}/agents:

# curl -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/groups/dbms/agents?pretty=true&select=id,name" -H  "Authorization: Bearer $TOKEN"

{
    "data": {
        "affected_items": [
            {"name": "agent-dbms-e1", "id": "002"},
            {"name": "agent-dbms-e2", "id": "003"},
            {"name": "agent-dbms-a1", "id": "004"},
            {"name": "agent-dbms-a2", "id": "005"},
            {"name": "agent-dbms-a3", "id": "006"},
        ],
        "total_affected_items": 5,
        "total_failed_items": 0,
        "failed_items": [],
    },
    "message": "All selected agents information was returned",
    "error": 0,
}

Once a group is created, its agent.conf file can be edited to include the specific configuration you wish to assign to this group. For this example, the file to be edited is located at /var/ossec/etc/shared/dbms/agent.conf and each agent belonging to this group will receive this file.
After connecting to the Wazuh manager, each agent assigned to the group will receive the files contained in the /var/ossec/etc/shared/dbms/ folder from the Wazuh manager, including the agent.conf file that was modified in the previous step. The length of time it takes for the Wazuh manager to push these files to the Wazuh agents depends on the size of the files and the number of agents in the group. For example, depending on network bandwidth and performance, it may take less than 8 minutes to receive a 10 MB folder (excluding merged.mg file) on 100 agents.
Once a specific agent belongs to a group, it will not be automatically reassigned to this group even if it is re-enrolled under another name or ID. After re-enrollment, it will be added to the default group which is the default behavior. If you want the Wazuh agent to be automatically reassigned after re-enrollment, it must be explicitly activated by the user in the /var/ossec/etc/local_internal_options.conf file by adding the option remoted.guess_agent_group=1 (see section remoted in internal options).

When this option is added, on re-enrollment, the checksum of the merged.mg file sent by the Wazuh agent is compared with that of the other agents enrolled with the Wazuh manager.

merged.mg

When a Wazuh agent is enrolled in the Wazuh manager for the first time, the Wazuh manager generates a merged.mg file based on the Wazuh agent's configuration and group membership. Whenever the Wazuh agent's configuration or group membership changes, the Wazuh manager updates the merged.mg file and sends it to the Wazuh agent.

The merged.mg file plays a role in automatic re-assignment of agents to their original groups after re-enrollment (with the remoted.guess_agent_group=1 option enabled). The checksum of the merged.mg file is used for comparison with other agents to determine the appropriate group.

On the Wazuh server, the file is located at var/ossec/etc/shared/merged.mg.

On the Wazuh agent, it is located at /var/ossec/etc/shared/merged.mg for Linux and C:\Program Files (x86)\ossec-agent\shared\merged.mg on Windows.

Multiple groups

Agents can be members of multiple groups. When a Wazuh agent is associated with multiple groups, it will receive configuration files from each group. However, the configuration received from the most recently assigned group takes precedence over those from other groups.

Managing multiple groups

The following activities can be carried out when managing multiple Wazuh agent groups.

Assigning multiple groups to a Wazuh agent
Listing groups and configuration
Making changes to group assignment
Shared files behavior

The /var/ossec/bin/agent_groups tool and the Wazuh server API help to manage agent groups by listing them and allowing them to assign/change/unassign groups to Wazuh agents. We explore three use cases managing multiple groups over existing Wazuh agents.

Assigning multiple groups to a Wazuh agent

There are three different methods to assign a Wazuh agent to one or more groups:

Using the Wazuh server API

In this example, agent 001 has been added to the webserver and apache groups using the Wazuh server API endpoint PUT /agents/{agent_id}/group/{group_id}:

# curl -k -X PUT "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents/001/group/webserver?pretty=true" -H  "Authorization: Bearer $TOKEN"

{
    "data": {
        "affected_items": ["001"],
        "total_affected_items": 1,
        "total_failed_items": 0,
        "failed_items": [],
    },
    "message": "All selected agents were assigned to webserver",
    "error": 0,
}

# curl -k -X PUT "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents/001/group/apache?pretty=true" -H  "Authorization: Bearer $TOKEN"

{
    "data": {
        "affected_items": ["001"],
        "total_affected_items": 1,
        "total_failed_items": 0,
        "failed_items": [],
    },
    "message": "All selected agents were assigned to apache",
    "error": 0,
}

Following this, we can query for groups to which a Wazuh agent belongs using the Wazuh server API endpoint GET /agents:

# curl -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents?pretty=true&agents_list=001&select=group" -H  "Authorization: Bearer $TOKEN"

{
    "data": {
        "affected_items": [{"group": ["default", "webserver", "apache"], "id": "001"}],
        "total_affected_items": 1,
        "total_failed_items": 0,
        "failed_items": [],
    },
    "message": "All selected agents information was returned",
    "error": 0,
}

In this case, the remote configuration for the group apache takes precedence over the three groups when a conflict exists on any configuration parameter.

Using the CLI (agent_groups tool)

With the CLI /var/ossec/bin/agent_groups tool, Wazuh agents can be assigned to groups in the same way. In this example, the agent 001 is added to the webserver group:

$ /var/ossec/bin/agent_groups -a -i 001 -g webserver

Do you want to add the group 'webserver' to the agent '001'? [y/N]: y
Group 'webserver' added to agent '001'.

$ /var/ossec/bin/agent_groups -a -i 001 -g apache

Do you want to add the group 'apache' to the agent '001'? [y/N]: y
Group 'apache' added to agent '001'.

During agent enrollment

To assign the Wazuh agent to one or more groups during the enrollment process, refer to Agent enrollment.

Listing groups and configuration

It is possible to query agents belonging to groups in real-time, and the configuration and shared files applied to each one, depending on which groups they belong to.

For example, to list the Wazuh agents in the webserver group, we could run the following query using the /var/ossec/bin/agent_groups tool:

# /var/ossec/bin/agent_groups -l -g webserver

3 agent(s) in group 'webserver':
  ID: 001 Name: ag-windows-12.
  ID: 003 Name: ag-windows-east.
  ID: 004 Name: centos-7-apache

We can also query which groups the Wazuh agent 001 is a member of:

# /var/ossec/bin/agent_groups -s -i 001

The agent 'ag-windows-12' with ID '001' has the group: '[u'webserver', u'apache']'.

The priority of the groups increases from the left to the right, meaning the last group has the highest priority. In the example above, apache is the group that has the highest priority.

Making changes to group assignment

Just as agents can be assigned to multiple groups, it is also possible to revert assignments and switch between available groups. The command below removes the Wazuh agent 001 from the apache group:

# /var/ossec/bin/agent_groups -r -i 001 -g apache -q

Group 'apache' unset for agent '001'.

To verify the successful removal from the group, run this command on the Wazuh server to check which groups Wazuh agent 001 belongs to.

# /var/ossec/bin/agent_groups -s -i 001

The agent 'ag-windows-12' with ID '001' has the group: '[u'webserver']'.

It is also possible to switch between groups and overwrite the existing assignment:

# /var/ossec/bin/agent_groups -s -i 001

The agent 'ag-windows-12' with ID '001' has the group: '[u'default', u'webserver']'.

From the output above, the Wazuh agent has the existing group assignment: default, webserver.

# /var/ossec/bin/agent_groups -a -f -i 001 -g apache

Group 'apache' set to agent '001'.

The previous group assignment has been overwritten and changed to apache.

# /var/ossec/bin/agent_groups -s -i 001

The agent 'ag-windows-12' with ID '001' has the group: '[u'apache']'.

The -f parameter resets the groups assigned to the Wazuh agent and forces it to belong only to the new group.

Shared files behavior

As previously mentioned, the Wazuh manager shares configuration files with its agents according to their group. In the case of belonging to multiple groups, the configuration files of every group are merged into one following these criteria:

Shared files, such as CIS benchmarks for rootkit detection, are joined in the shared folder. If there are repeated files, the last one added will overwrite the old ones.
The new agent.conf file added is appended to the existing one. When two groups have conflicting configurations, the last group assigned to the Wazuh agent will take precedence. Learn more about the configuration precedence in centralized configuration manual.
Custom shared files set from the user to a particular group are also joined to send them to the Wazuh agents.

Listing agents

There are different ways to list the Wazuh agents enrolled in the Wazuh manager. These include using the CLI, querying the Wazuh server API, and using the Wazuh dashboard.

Listing agents using the CLI

The /var/ossec/bin/agent_control tool on the Wazuh server, used with -l option, allows for the retrieval of a list of the available Wazuh agents:

# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: vpc-ossec-manager (server), IP: 127.0.0.1, Active/Local
   ID: 1040, Name: ip-10-0-0-76, IP: 10.0.0.76, Active
   ID: 003, Name: vpc-agent-debian, IP: 10.0.0.121, Active
   ID: 005, Name: vpc-agent-ubuntu-public, IP: 10.0.0.126, Active
   ID: 006, Name: vpc-agent-windows, IP: 10.0.0.124, Active
   ID: 1024, Name: ip-10-0-0-252, IP: 10.0.0.252, Never connected
   ID: 1028, Name: vpc-debian-it, IP: any, Never connected
   ID: 1030, Name: diamorphine-POC, IP: 10.0.0.59, Active
   ID: 015, Name: vpc-agent-centos, IP: 10.0.0.123, Active
   ID: 1031, Name: WIN-UENN0U6R5SF, IP: 10.0.0.124, Never connected
   ID: 1032, Name: vpc-agent-ubuntu, IP: 10.0.0.122, Active
   ID: 1033, Name: vpc-agent-debian8, IP: 10.0.0.128, Active
   ID: 1034, Name: vpc-agent-redhat, IP: 10.0.0.127, Active
   ID: 1035, Name: vpc-agent-centos7, IP: 10.0.0.101, Never connected
   ID: 1041, Name: vpc-agent-centos-public, IP: 10.0.0.125, Active

List of agentless devices:
   ID: 010, Name: agentless-ubuntu, IP: 10.0.0.135, Active

Listing agents using the Wazuh server API

The GET /agents request returns a list of available Wazuh agents.

# curl -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents?pretty=true&sort=-ip,name" -H  "Authorization: Bearer $TOKEN"

     {
        "data": {
           "affected_items": [
              {
                 "os": {
                    "arch": "x86_64",
                    "major": "9",
                    "name": "CentOS Stream",
                    "platform": "centos",
                    "uname": "Linux |ag-centos9s |5.14.0-391.el9.x86_64 |#1 SMP PREEMPT_DYNAMIC Tue Nov 28 20:35:49 UTC 2023 |x86_64",
                    "version": "9"
                 },
                 "name": "ag-centos9s",
                 "lastKeepAlive": "2025-08-18T18:40:48+00:00",
                 "version": "Wazuh v4.12.0",
                 "group": [
                    "default"
                 ],
                 "id": "001",
                 "status": "active",
                 "manager": "centos8a",
                 "registerIP": "any",
                 "mergedSum": "cb5dc59d195320bb20b6039a519a8c0e",
                 "ip": "172.16.1.85",
                 "configSum": "ab73af41699f13fdd81903b5f23d8d00",
                 "group_config_status": "synced",
                 "node_name": "wazuh-1",
                 "dateAdd": "2025-08-18T16:49:29+00:00",
                 "status_code": 0
              },
              {
                 "os": {
                    "arch": "x86_64",
                    "codename": "Jammy Jellyfish",
                    "major": "22",
                    "minor": "04",
                    "name": "Ubuntu",
                    "platform": "ubuntu",
                    "uname": "Linux |ag-ubuntu22 |5.15.0-91-generic |#101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 |x86_64",
                    "version": "22.04.3 LTS"
                 },
                 "name": "ag-ubuntu22",
                 "lastKeepAlive": "2025-08-18T18:40:40+00:00",
                 "version": "Wazuh v4.12.0",
                 "group": [
                    "default"
                 ],
                 "id": "002",
                 "status": "active",
                 "manager": "centos8b",
                 "registerIP": "any",
                 "mergedSum": "cb5dc59d195320bb20b6039a519a8c0e",
                 "ip": "172.16.1.83",
                 "configSum": "ab73af41699f13fdd81903b5f23d8d00",
                 "group_config_status": "synced",
                 "node_name": "wazuh-2",
                 "dateAdd": "2025-08-18T17:05:02+00:00",
                 "status_code": 0
              },
              {
                 "os": {
                    "arch": "x86_64",
                    "major": "8",
                    "minor": "5",
                    "name": "CentOS Linux",
                    "platform": "centos",
                    "uname": "Linux |centos8a |4.18.0-348.7.1.el8_5.x86_64 |#1 SMP Wed Dec 22 13:25:12 UTC 2021 |x86_64",
                    "version": "8.5"
                 },
                 "name": "centos8a",
                 "lastKeepAlive": "9999-12-31T23:59:59+00:00",
                 "version": "Wazuh v4.12.0",
                 "id": "000",
                 "status": "active",
                 "manager": "centos8a",
                 "registerIP": "127.0.0.1",
                 "ip": "127.0.0.1",
                 "group_config_status": "synced",
                 "node_name": "wazuh-1",
                 "dateAdd": "2025-08-18T16:33:54+00:00",
                 "status_code": 0
              }
           ],
           "total_affected_items": 3,
           "total_failed_items": 0,
           "failed_items": []
        },
        "message": "All selected agents information was returned",
        "error": 0
     }

Listing agents using the Wazuh dashboard

You can list and view basic information about all enrolled agents by navigating to Agents management > Summary in the Wazuh dashboard:

Anti-tampering

The anti-tampering feature prevents unauthorized removal of the Wazuh agent from monitored endpoints. When you configure this feature, users must obtain validation from the Wazuh manager before uninstalling the Wazuh agent package.

Note

The anti-tampering feature is supported only on Linux endpoints.

Enabling anti-tampering

There are two methods to enable anti-tampering on Wazuh agents:

Using centralized configuration: Apply the setting remotely from the Wazuh manager to multiple agents.
Using local configuration: Modify the Wazuh agent local configuration on a specific monitored endpoint.

Enabling anti-tampering via centralized configuration

Use the centralized agent configuration method to remotely enable the anti-tampering feature on a group of agents. The agent configuration file for each agent group is located at /var/ossec/etc/shared/<AGENT_GROUP_NAME>/agent.conf on the Wazuh manager.

For example, add the following to the /var/ossec/etc/shared/default/agent.conf file on the Wazuh manager to enable anti-tampering for all Linux endpoints in the default group:

<agent_config os="linux">
  <!-- Enables validation requirement to uninstall Wazuh agent package -->
  <anti_tampering>
    <package_uninstallation>yes</package_uninstallation>
  </anti_tampering>
</agent_config>

Once the agent group configuration file is saved, the Wazuh manager will automatically distribute the updated configuration to all Linux agents in the default group.

Enabling anti-tampering via local configuration

Perform the following steps on the monitored endpoint to enable the Wazuh agent anti-tampering feature:

Append the following configuration block to the Wazuh agent /var/ossec/etc/ossec.conf file to enable anti-tampering:

<ossec_config>
  <!-- Enables validation requirement to uninstall Wazuh agent package -->
  <anti_tampering>
    <package_uninstallation>yes</package_uninstallation>
  </anti_tampering>
</ossec_config>

Restart the Wazuh agent to apply the changes:
```
# systemctl restart wazuh-agent
```

After completing these steps, the anti-tampering feature will be active.

Uninstalling an agent with anti-tampering enabled

To remove a Wazuh agent with anti-tampering enabled, you must first configure agent authentication, and then proceed to uninstall the agent.

Configuring agent authentication

You can authenticate the agent removal using any of the following methods:

Temporary authentication token (recommended): More secure as it avoids storing the Wazuh server API username and password on the monitored endpoint.
Stored Wazuh server API credentials: Requires storing the Wazuh server API username and password on the monitored endpoint.

Temporary authentication token

You need to generate an authentication token on a trusted administrator endpoint and then copy it to the monitored endpoint.

Run the following command on any Linux endpoint to generate a temporary authentication token. Replace <WAZUH_SERVER_API_USER>, <WAZUH_SERVER_API_PASSWORD>, and <WAZUH_SERVER_IP_ADDRESS> with your Wazuh server API username, password, and IP address respectively:
```
# TOKEN=$(curl -u <WAZUH_SERVER_API_USER>:<WAZUH_SERVER_API_PASSWORD> -k -X POST "https://<WAZUH_SERVER_IP_ADDRESS>:55000/security/user/authenticate?raw=true")
```
View the generated authentication token:
```
# echo $TOKEN
```
Copy the token, as you will use it to authenticate when removing agents. You can reuse the same token for multiple agents.
Create the file /var/ossec/etc/uninstall_validation.env on the monitored endpoint you want to remove the Wazuh agent from and add the following content to it:
```
#!/bin/sh

export VALIDATION_TOKEN="<AUTHENTICATION_TOKEN>"
export VALIDATION_HOST="<WAZUH_SERVER_IP_ADDRESS>:55000"
export VALIDATION_SSL_VERIFY="false"
```
Replace <AUTHENTICATION_TOKEN> with the authentication token you generated earlier, and <WAZUH_SERVER_IP_ADDRESS> with the Wazuh server IP address.

You can now proceed to uninstall the Wazuh agent.

Stored Wazuh server API credentials

To authenticate the agent with this method, you need to add the Wazuh server API credentials directly to the monitored endpoint.

Create the file /var/ossec/etc/uninstall_validation.env on the monitored endpoint you want to remove the Wazuh agent from and add the following content to it:

#!/bin/sh

export VALIDATION_LOGIN="<WAZUH_SERVER_API_USER>:<WAZUH_SERVER_API_PASSWORD>"
export VALIDATION_HOST="<WAZUH_SERVER_IP_ADDRESS>:55000"
export VALIDATION_SSL_VERIFY="false"

Replace <WAZUH_SERVER_API_USER> and <WAZUH_SERVER_API_PASSWORD> with your Wazuh server API username and password respectively. Also, replace <WAZUH_SERVER_IP_ADDRESS> with the Wazuh server IP address.

You can now proceed to uninstall the Wazuh agent.

Uninstalling the Wazuh agent

Perform the following steps on the endpoint you want to remove the agent from:

Remove the Wazuh agent installation.
# apt-get remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. Run the following command If you want to remove all files completely.
# apt-get remove --purge wazuh-agent
# yum remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. Delete the /var/ossec/ folder if you want to remove all files completely.
# dnf remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. Delete the /var/ossec/ folder if you want to remove all files completely.
# zypper remove wazuh-agent
Some files are marked as configuration files. Due to this designation, the package manager does not remove these files from the filesystem. Delete the /var/ossec/ folder if you want to remove all files completely.
Disable the Wazuh agent service.
# systemctl disable wazuh-agent # systemctl daemon-reload
Choose one option according to your operating system.
1. RPM-based operating systems:
# chkconfig wazuh-agent off # chkconfig --del wazuh-agent
1. Debian-based operating systems:
# update-rc.d -f wazuh-agent remove
No action required.

The Wazuh agent is now completely removed from your Linux endpoint.

Troubleshooting agent removal

If you encounter issues while uninstalling the Wazuh agent, review the following common errors and their solutions.

Error: Validation host not provided

The uninstallation process cannot proceed because the required validation host information is missing. This typically happens when the uninstallation validation environment file (/var/ossec/etc/uninstall_validation.env) is not set up.

Log output from failed removal of the Wazuh agent:

INFO: Uninstall configuration file not found, using environment variables.
ERROR: Validation host not provided. Uninstallation cannot be continued.

To resolve this, ensure that the required environment file /var/ossec/etc/uninstall_validation.env is created and properly configured before attempting the removal.

Error: Uninstallation not authorized

The Wazuh server rejects the uninstallation request due to invalid API credentials.

Log output from failed removal of the Wazuh agent:

2025/02/20 13:23:32 wazuh-agentd: INFO: (9500): Starting user validation to uninstall the Wazuh agent package.
2025/02/20 13:23:32 wazuh-agentd: ERROR: (4116): Unexpected status code in Wazuh agent package uninstallation request: 401

ERROR: Uninstallation not authorized, aborting...

Verify that the correct API credentials are used in the environment file.

Removing agents

Remove a Wazuh agent that is enrolled in the Wazuh manager by querying the Wazuh server API.

Remove agents using the Wazuh server API

This section includes examples of using the DELETE /agents request to delete a list of agents or agents disconnected for a given period. This action is performed on the Wazuh server or on an authorized endpoint.

The examples use an authentication token. To get your token, replace <USER>:<PASSWORD> with your Wazuh server API credentials, <WAZUH_MANAGER_IP_ADDRESS> with the Wazuh manager IP address or FQDN (Fully Qualified Domain Name), and run the following command:

# TOKEN=$(curl -u <USER>:<PASSWORD> -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/security/user/authenticate?raw=true")

Note

Removing agents in a list

You can remove specific Wazuh agents using a list. Use the parameter agents_list to set a list of agent IDs separated by commas. For example, to remove agents ID 005, 006, and 007, run the following query:

# curl -k -X DELETE "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents?pretty=true&older_than=0s&agents_list=005,006,007&status=all" -H  "Authorization: Bearer $TOKEN"

Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN of the Wazuh server.

{
    "data": {
        "affected_items": [
            "005",
            "006",
            "007"
        ],
        "total_affected_items": 3,
        "total_failed_items": 0,
        "failed_items": [],
    },
    "message": "All selected agents were deleted",
    "error": 0,
}

Removing disconnected agents

You can remove Wazuh agents that never connected or agents that have been disconnected for a given period. Use the parameter older_than to set a period of no known activity. Use status to select the never connected and disconnected Wazuh agents. For example, to remove Wazuh agents inactive for more than 21 days, execute the following query:

# curl -k -X DELETE "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents?pretty=true&older_than=21d&agents_list=all&status=never_connected,disconnected" -H  "Authorization: Bearer $TOKEN"

Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN of the Wazuh server.

{
   "data": {
      "affected_items": [
         "003"
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents were deleted",
   "error": 0
}

Remote upgrading

Wazuh agents can be upgraded remotely from the Wazuh server. The Wazuh manager performs this upgrade and sends each enrolled agent a WPK (Wazuh signed package) file containing the files needed to upgrade to the new version. This streamlines the upgrade process across your installation and eliminates the need to access each agent individually.

Wazuh provides access to an updated WPK repository for each new release. All available WPK files can be found here. Users can also generate custom WPK files and host them in a custom repository. Custom WPK files can be created by following the steps described in Custom WPK creation.

Note

The upgrade procedure is performed by the agent upgrade module.

Learn more about remote upgrading of the Wazuh agents in the following sections:

Upgrading the Wazuh agent

A Wazuh agent can be upgraded remotely using the command line and through the Wazuh server API.

Warning

It is recommended to use the Wazuh server API to upgrade agents if running a Wazuh cluster.

Using the command line

To upgrade agents using the command line, use the /var/ossec/bin/agent_upgrade tool as follows:

List all outdated Wazuh agents using the -l parameter:

# /var/ossec/bin/agent_upgrade -l

ID    Name                               Version
001   Win-Server-2019                    Wazuh v4.7.5
002   debian12                           Wazuh v4.7.5
003   debian12                           Wazuh v4.7.5

Total outdated agents: 2

Upgrade the Wazuh agent using the -a parameter followed by the agent ID (here, the agent ID is 003):

# /var/ossec/bin/agent_upgrade -a 003

Upgrading...

Upgraded agents:
   Agent 003 upgraded: Wazuh v4.7.5 -> Wazuh v4.12.0

It is possible to specify multiple agent IDs using this method:

# /var/ossec/bin/agent_upgrade -a 001 002

Upgrading...

Upgraded agents:
   Agent 001 upgraded: Wazuh v4.7.5 -> Wazuh v4.12.0
   Agent 002 upgraded: Wazuh v4.7.5 -> Wazuh v4.12.0

Following the upgrade, the Wazuh agent is automatically restarted. Check the agent version to ensure it has been properly upgraded as follows:

# /var/ossec/bin/agent_control -i 002

Wazuh agent_control. Agent information:
   Agent ID:   002
   Agent Name: debian12
   IP address: any
   Status:     Active

   Operating system: Linux |debian12 |6.1.0-31-amd64 |#1 SMP PREEMPT_DYNAMIC Debian 6.1.128-1 (2025-02-07) |x86_64
   Client version:   Wazuh v4.12.0
   Configuration hash:  ab73af41699f13fdbd8193b5f23d8d00
   Shared file hash:  cb5dc59d19532bb2b0b6039a519a8c0e
   Last keep alive:  1749046794
   Syscheck last started at:  Wed Jun  4 14:14:45 2025
   Syscheck last ended at:  Wed Jun  4 14:14:48 2025

Using the RESTful API

List all outdated agents using endpoint GET /agents/outdated. Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN of the Wazuh server:

# curl -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents/outdated?pretty=true" -H  "Authorization: Bearer $TOKEN"

{
  "data": {
          "affected_items": [
          {"version": "Wazuh v4.7.2", "id": "002", "name": "VM_Debian9"},
          {"version": "Wazuh v4.7.2", "id": "003", "name": "VM_Debian8"},
          {"version": "Wazuh v4.7.2", "id": "009", "name": "VM_WinServ2016"},
          ],
          "total_affected_items": 3,
          "total_failed_items": 0,
          "failed_items": [],
  },
  "message": "All selected agents information was returned",
  "error": 0,
}

Upgrade the Wazuh agent using endpoint PUT /agents/upgrade (here, we upgrade agents with ID 002 and 003). Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN of the Wazuh server:
```
# curl -k -X PUT "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents/upgrade?agents_list=002,003&pretty=true" -H  "Authorization: Bearer $TOKEN"
```
```
{
  "data": {
  "affected_items": [
          {
          "agent": "002",
          "task_id": 1
          },
          {
          "agent": "003",
          "task_id": 2
          }
  ],
  "total_affected_items": 2,
  "total_failed_items": 0,
  "failed_items": []
  },
  "message": "All upgrade tasks were created",
  "error": 0
}
```
The agents_list parameter in the PUT /agents/upgrade and PUT /agents/upgrade_custom endpoints allows the value all. When this value is set, an upgrade request will be sent to all Wazuh agents.

When upgrading more than 3000 Wazuh agents at the same time, it is highly recommended that the parameter wait_for_complete be set to true to avoid a possible API timeout.

This recommendation is based on testing with a Wazuh manager on a server with a 2.5 GHz AMD EPYC 7000 series processor and 4 GiB memory. Using an agent list with 3000 agents or fewer on a system with similar or better specifications guarantees a response before the API timeout occurs.

Check the upgrade results using endpoint GET /agents/upgrade_result. Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or FQDN of the Wazuh server:

# curl -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents/upgrade_result?agents_list=002,003&pretty=true" -H  "Authorization: Bearer $TOKEN"

{
  "data": {
  "affected_items": [
          {
          "message": "Success",
          "agent": "002",
          "task_id": 1,
          "node": "worker2",
          "module": "upgrade_module",
          "command": "upgrade",
          "status": "Updated",
          "create_time": "2024-07-09T17:13:45Z",
          "update_time": "2024-07-09T17:14:07Z"
          },
          {
          "message": "Success",
          "agent": "003",
          "task_id": 2,
          "node": "worker1",
          "module": "upgrade_module",
          "command": "upgrade",
          "status": "Updated",
          "create_time": "2024-07-09T17:13:45Z",
          "update_time": "2024-07-09T17:14:11Z"
          }
  ],
  "total_affected_items": 2,
  "total_failed_items": 0,
  "failed_items": []
  },
  "message": "All upgrade tasks were returned",
  "error": 0
}

Following the upgrade, the Wazuh agents are automatically restarted. Check the version of the Wazuh agents to ensure they have been properly upgraded using endpoint GET /agents:

# curl -k -X GET "https://<WAZUH_MANAGER_IP_ADDRESS>:55000/agents?agents_list=002,003&pretty=true&select=version" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "id": "002",
            "version": "Wazuh v4.12.0"
         },
         {
            "id": "003",
            "version": "Wazuh v4.12.0"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

Wazuh signed package (WPK) files

WPK files are archive files used for distributing and installing updates or new versions of the Wazuh agent on various operating systems. A WPK file must contain an installation program in binary form or a script in any language the Wazuh agent supports (Bash, Python, etc). WPK packages must contain a Bash script named upgrade.sh for UNIX or upgrade.bat for Windows. This program must:

Fork itself, as the parent, will return 0 immediately.
Restart the Wazuh agent.
Write a file called upgrade_result containing a status number (0 means OK) before exiting.

There are two methods to remotely upgrade Wazuh agents when using the WPK feature:

Using a repository (Wazuh provides access to an updated WPK repository for each new release. This repository is used by default).
Using a custom WPK file

Custom agent upgrade packages are created by generating a repository on the Wazuh server to host the generated WPK (Wazuh package) files. The Wazuh manager can then be set to send files to the Wazuh agents from this repository.

Note

In case of having a multi-node Wazuh server cluster, the custom WPK file has to exist on all Wazuh server nodes in the specified path.

Creating a custom WPK

Prerequisites

To create a WPK file, an X509 certificate and root CA are required. They provide a secure mechanism for signing and verifying WPK packages. If you already have them, jump to the building the WPK section. Else, perform these steps on the Wazuh server:

Create a root CA:

# openssl req -x509 -new -nodes -newkey rsa:2048 -keyout wpk_root.key -out wpk_root.pem -batch

Create a certificate and key:
```
# openssl req -new -nodes -newkey rsa:2048 -keyout wpkcert.key -out wpkcert.csr -subj '/C=US/ST=CA/O=Wazuh'
```
Set the location as follows:
- /C=US is the country.
- /ST=CA is the state.
- /O=Wazuh is the organization's name.

Sign this certificate with the root CA:

# openssl x509 -req -days 365 -in wpkcert.csr -CA wpk_root.pem -CAkey wpk_root.key -out wpkcert.pem -CAcreateserial

Building the WPK

There are two different methods of creating a WPK:

Using Docker

Wazuh provides an automated way of building WPK packages using Docker, so no other dependency is needed.

To generate a WPK package, you need an X509 certificate, and CA. See prerequisites to learn more.

Perform these steps on the Wazuh server to create a WPK package using Docker:

Requirements

Docker
Git

Download the wazuh repository from GitHub and navigate to the WPK directory:

$ git clone https://github.com/wazuh/wazuh && cd wazuh/packages/wpk && git checkout v5.0.0

Execute the generate_wpk_package.sh script with the different options you desire. This script will build a Docker image with all the necessary tools to create the WPK and run a container that will build it:

$ ./generate_wpk_package.sh -h

Usage: ./generate_wpk_package.sh [OPTIONS]

    -t,   --target-system <target>              [Required] Select target wpk to build [linux/windows/macos].
    -b,   --branch <branch>                     [Required] Select Git branch or tag e.g.
    -d,   --destination <path>                  [Required] Set the destination path of package.
    -pn,  --package-name <name>                 [Required for windows and macos] Package name to pack on wpk.
    -o,   --output <name>                       [Required] Name to the output package.
    -k,   --key-dir <arch>                      [Required] Set the WPK key path to sign package.
    --aws-wpk-key                               [Optional] AWS Secrets manager Name/ARN to get WPK private key.
    --aws-wpk-cert                              [Optional] AWS secrets manager Name/ARN to get WPK certificate.
    --aws-wpk-key-region                        [Optional] AWS Region where secrets are stored.
    -a,   --architecture <arch>                 [Optional] Target architecture of the package [x86_64].
    -j,   --jobs <number>                       [Optional] Number of parallel jobs when compiling.
    -p,   --path <path>                         [Optional] Installation path for the package. By default: /var.
    -c,   --checksum                            [Optional] Generatez checksum.
    -h,   --help                                Show this help.

To use this tool, the previously created certificate and key must be in the same directory.

Linux WPK

Download the latest version of the Wazuh DEB or RPM package here. For example, for Debian:

# curl -O https://packages.wazuh.com/5.x/apt/pool/main/w/wazuh-agent/wazuh-agent_5.0.0-1_amd64.deb

Run the command below to build a Linux WPK:

# ./generate_wpk_package.sh -t linux -b v5.0.0 -d /<DESTINATION_PATH> -k /<PATH_TO_GENERATED_WPK_KEYS> -pn wazuh-agent_5.0.0-1_amd64.deb -o wazuh-agent_v5.0.0_linux.wpk

This script builds a Wazuh version 5.0.0 Linux WPK file named wazuh-agent_v5.0.0_linux.wpk and stores it in /<DESTINATION_PATH> (You can use a destination path of your choice). It does this using the previously generated keys saved in /<PATH_TO_GENERATED_WPK_KEYS> (See prerequisites).

Replace /<PATH_TO_GENERATED_WPK_KEYS> with the directory path of the previously generated keys (Example: /tmp/keys).

Windows WPK

To build a WPK for Windows, you need to first download an MSI package of the desired version:

# curl -O https://packages.wazuh.com/5.x/windows/wazuh-agent-5.0.0-1.msi

Run the command below to build a Windows WPK:

# ./generate_wpk_package.sh -t windows -b v5.0.0 -d /<DESTINATION_PATH> -k /<PATH_TO_GENERATED_WPK_KEYS> -o wazuh-agent_v5.0.0_windows.wpk -pn /<PATH_TO>/wazuh-agent-5.0.0-1.msi

This script builds a Wazuh 5.0.0 Windows WPK package named wazuh-agent_v5.0.0_windows.wpk and stores it in /<DESTINATION_PATH>. (You can use a destination path of your choice). It does this using the previously generated keys saved in /<PATH_TO_GENERATED_WPK_KEYS> and the downloaded MSI package in /<PATH_TO>/wazuh-agent-5.0.0-1.msi.

Replace /<PATH_TO_GENERATED_WPK_KEYS> with the directory path of the previously generated keys and <PATH_TO>/wazuh-agent-5.0.0-1.msi with the directory path to the downloaded MSI package.

If the -c or --checksum option is used, a file is created containing the SHA512 checksum in the same output path. The location of this file is configurable, and you can indicate where you want to store it.

macOS WPK

To build a WPK for macOS, you need to first download a PKG package of the desired version:

# curl -O https://packages.wazuh.com/5.x/macos/wazuh-agent-5.0.0-1.intel64.pkg

# curl -O https://packages.wazuh.com/5.x/macos/wazuh-agent-5.0.0-1.arm64.pkg

Run the command below to build a macOS WPK:

# ./generate_wpk_package.sh -t macos -b v5.0.0 -d /<DESTINATION_PATH> -k /<PATH_TO_GENERATED_WPK_KEYS> -o wazuh-agent_v5.0.0_macOS.wpk -pn /<PATH_TO_WPK_FILE>/wazuh-agent-5.0.0-1.intel64.pkg

# ./generate_wpk_package.sh -t macos -b v5.0.0 -d /<DESTINATION_PATH> -k /<PATH_TO_GENERATED_WPK_KEYS> -o wazuh-agent_v5.0.0_macOS.wpk -pn /<PATH_TO_WPK_FILE>/wazuh-agent-5.0.0-1.arm64.pkg

This script builds a Wazuh 5.0.0 macOS WPK package named wazuh-agent_v5.0.0_macOS.wpk and stores it in /<DESTINATION_PATH>. (You can use a destination path of your choice). It does this using the previously generated keys saved in /<PATH_TO_GENERATED_WPK_KEYS>.

Replace /<PATH_TO_GENERATED_WPK_KEYS> with the directory path of the previously generated keys.

Below is an example of how to build a WPK generation with checksum:

# ./generate_wpk_package.sh -t linux -b v5.0.0 -d /<DESTINATION_PATH> -k /<PATH_TO_GENERATED_WPK_KEYS> -o LinuxAgent.wpk -c /tmp/wpk_checksum

Generating WPK packages manually

Perform these actions on the Wazuh server.

Requirements

Python 2.7 or 3.5+
The Python cryptography package. This can be obtained using the following command:
```
$ pip install cryptography
```

Linux WPK

Install the development tools and compilers. This can easily be done using your distribution package manager.

# yum install make gcc policycoreutils-python automake autoconf libtool unzip

# apt-get install make gcc libc6-dev curl policycoreutils automake autoconf libtool unzip

Download and extract the latest version:

# curl -Ls https://github.com/wazuh/wazuh/archive/v5.0.0.tar.gz | tar zx
# cd wazuh-5.0.0

Download the latest version of the Wazuh DEB or RPM package here. For example, for Debian:

# curl -O https://packages.wazuh.com/5.x/apt/pool/main/w/wazuh-agent/wazuh-agent_5.0.0-1_amd64.deb

Install the root CA if you want to overwrite the root CA with the file you created previously:
```
# cp <PATH_TO>/wpk_root.pem etc/wpk_root.pem
```
Copy the necessary script to the Wazuh sources folder to compile the WPK.
```
# cp src/init/pkg_installer.sh .
```

Compile the WPK package using the PKG package, along with your SSL certificate and key.

# tools/agent-upgrade/wpkpack.py output/myagent.wpk path/to/wpkcert.pem path/to/wpkcert.key wazuh-agent-5.0.0-1_amd64.deb upgrade.sh pkg_installer.sh

Definitions:

<PATH_TO>/myagent.wpk is the name of the output WPK package.
<PATH_TO>/wpkcert.pem is the path to the SSL certificate.
<PATH_TO>/wpkcert.key is the path to the SSL certificate's key.
wazuh-agent_5.0.0-1_amd64.deb is the PKG file downloaded in step 3.
upgrade.sh is the script that run first when the WPK is deployed in the target agent. Find an example at the base directory in the Wazuh repository.
pkg_installer.sh is the script that manages the WPK upgrade procedure. Find an example in src/init in the Wazuh repository.

Windows WPK

Install the development tools and compilers. This can easily be done using your distribution package manager:

# yum install make gcc policycoreutils-python automake autoconf libtool unzip

# apt-get install make gcc libc6-dev curl policycoreutils automake autoconf libtool unzip

Download and extract the latest version of Wazuh sources:

# curl -Ls https://github.com/wazuh/wazuh/archive/v5.0.0.tar.gz | tar zx
# cd wazuh-5.0.0

Download the latest version of the Wazuh MSI package:

# curl -Ls https://packages.wazuh.com/5.x/windows/wazuh-agent-5.0.0-1.msi --output wazuh-agent-5.0.0-1.msi

Install the root CA if you want to overwrite the root CA with the file you created previously:
```
# cp <PATH_TO>/wpk_root.pem etc/wpk_root.pem
```

Compile the WPK package using the MSI package, along with your SSL certificate and key.

# tools/agent-upgrade/wpkpack.py <PATH_TO>/myagent.wpk <PATH_TO>/wpkcert.pem <PATH_TO>/wpkcert.key <PATH_TO>/wazuhagent.msi <PATH_TO>/upgrade.bat <PATH_TO>/do_upgrade.ps1

Definitions:

<PATH_TO>/myagent.wpk is the name of the output WPK package.
<PATH_TO>/wpkcert.pem is the path to the SSL certificate.
<PATH_TO>/wpkcert.key is the path to the SSL certificate's key.
<PATH_TO>/wazuhagent.msi is the path to the MSI file downloaded in step 3.
<PATH_TO>/upgrade.bat is the path to the upgrade.bat file. Find an example in src/win32 in the Wazuh repository.
<PATH_TO>/do_upgrade.ps1 is the path to the do_upgrade.ps1 file. Find an example in src/win32 in the Wazuh repository.

macOS WPK

Install development tools and compilers. This can easily be done using your distribution package manager:

# yum install make gcc policycoreutils-python automake autoconf libtool unzip

# apt-get install make gcc libc6-dev curl policycoreutils automake autoconf libtool unzip

Download and extract the latest version of Wazuh sources:

# curl -Ls https://github.com/wazuh/wazuh/archive/v5.0.0.tar.gz | tar zx
# cd wazuh-5.0.0

Download the latest version of the Wazuh PKG package:

# curl -O https://packages.wazuh.com/5.x/macos/wazuh-agent-5.0.0-1.intel64.pkg

# curl -O https://packages.wazuh.com/5.x/macos/wazuh-agent-5.0.0-1.arm64.pkg

Install the root CA if you want to overwrite the root CA with the file you created previously:
```
# cp <PATH_TO>/wpk_root.pem etc/wpk_root.pem
```
Copy the necessary script to the Wazuh sources folder to compile the WPK:
```
# cp src/init/pkg_installer.sh .
```

Compile the WPK package using the PKG package and your SSL certificate and key:

# tools/agent-upgrade/wpkpack.py <PATH_TO>/myagent.wpk <PATH_TO>/wpkcert.pem <PATH_TO>/wpkcert.key wazuh-agent-5.0.0-1.pkg upgrade.sh pkg_installer.sh

Where:

<PATH_TO>/myagent.wpk is the name of the output WPK package.
<PATH_TO>/wpkcert.pem is the path to the SSL certificate.
<PATH_TO>/wpkcert.key is the path to the SSL certificate's key.
wazuh-agent-5.0.0-1.pkg is the PKG file downloaded in step 3.
upgrade.sh is the script that runs first when the WPK is deployed in the target agent. Find an example in the base directory in the Wazuh repository.
pkg_installer.sh is the script that manages the WPK upgrade procedure. Find an example in src/init in the Wazuh repository.

Note

These are only examples. If you want to distribute a WPK package using these methods, it's important to begin with an empty directory.

Installing a custom WPK

Follow the steps below to upgrade a Wazuh agent using a custom WPK file in a WPK repository:

Install the root CA into the Wazuh agent. The root CA certificate or the certificate used to sign the WPK package must be installed in the Wazuh agent before an upgrade.

You have two options to perform this action:
- Add a new certificate by editing the ossec.conf file:
```
<agent-upgrade>
  <ca_verification>
    <enabled>yes</enabled>
    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
    <ca_store>/<PATH_TO>/certificate</ca_store>
    <ca_store>wpk_root.pem</ca_store>
  </ca_verification>
</agent-upgrade>
```
  Then restart the Wazuh agent:
  # systemctl restart wazuh-agent
  # Restart-Service -Name wazuh
  # /Library/Ossec/bin/wazuh-control restart
- Overwrite the shipped root CA with your certificate.
  
  Note
  
  Overwriting the shipped root CA will prevent your agent from upgrading using WPK packages from the Wazuh manager.
```
# cp /<PATH_TO>/certificate <PATH_TO>/wpk_root.pem
```
  Location of /wpk_root.pem on the monitored endpoint:
  - Linux/Unix endpoints - /var/ossec/etc/wpk_root.pem
  - macOS endpoint - /Library/Ossec/etc/wpk_root.pem
  - Windows endpoints:
    - C:\Program Files (x86)\ossec-agent\wpk_root.pem for 64-bit systems
    - C:\Program Files\ossec-agent\wpk_root.pem for 32-bit systems.
Initiate the upgrade by running this command on the Wazuh server:
```
# /var/ossec/bin/agent_upgrade -a 001 -f <PATH_TO>/myagent.wpk -x upgrade.sh
```
Where:
- -a 001 specifies the agent to upgrade.
- -f <PATH_TO>/myagent.wpk designates the path to the WPK package.
- -x upgrade.sh is the name of the upgrading script contained in the package.
Note

To upgrade a Windows agent, you must use upgrade.bat instead of upgrade.sh.
```
Upgrading...

Upgraded agents:
  Agent 001 upgraded: Wazuh v4.7.2 -> Wazuh v4.12.0
```

WPK List

Linux

Distribution	Version	Architecture	WPK Package
Linux (deb)	5.0.0	x86_64/AMD64	wazuh_agent_v5.0.0_linux_amd64.deb.wpk (sha512)
Linux (deb)	5.0.0	ARM64/aarch64	wazuh_agent_v5.0.0_linux_arm64.deb.wpk (sha512)
Linux (rpm)	5.0.0	x86_64/AMD64	wazuh_agent_v5.0.0_linux_x86_64.rpm.wpk (sha512)
Linux (rpm)	5.0.0	ARM64/aarch64	wazuh_agent_v5.0.0_linux_aarch64.rpm.wpk (sha512)

Windows

Distribution	Version	Architecture	WPK Package
Windows	5.0.0	32/64bit	wazuh_agent_v5.0.0_windows.wpk (sha512)

macOS

Distribution	Version	Architecture	WPK Package
macOS	5.0.0	Intel 64	wazuh_agent_v5.0.0_macos_intel64.pkg.wpk (sha512)
macOS	5.0.0	ARM64	wazuh_agent_v5.0.0_macos_arm64.pkg.wpk (sha512)

Agent upgrade module - How it works

This section describes how the agent upgrade module works.The agent upgrade module is responsible for remotely carrying out the agent upgrade process.

On the Wazuh manager side, it validates, downloads, and/or sends the WPK files to the Wazuh agents.
On the Wazuh agent side, it processes the received commands and notifies the Wazuh manager after an upgrade process has been accomplished.

The following is a description of how the agent upgrade module works.

Upgrade request [API/CLI]

The agent upgrade module will receive the upgrade requests from a socket located at:

{WAZUH_DIR}/queue/tasks/upgrade

The module expects three parameters:

Option	Suboption	Values	Description
origin	module	API (only value allowed)	Emitter of the request
command		upgrade, upgrade_custom	Specifies the command to be executed
parameters	agents	Array of int values (id of the agents)	Specifies the list of agents where the command will be applied

Upgrade parameters: Command to upgrade agents from a repository.

Option	Suboption	Values	Required	Default	Description
parameters	wpk_repo	string	no	`<wpk_repo>` configuration	Parameter to override the default WPK repository set by configuration
	version	vX.Y.Z	no	Last available version	Overrides the version of the package that will be downloaded from the repository
	use_http	true, false	no	false	Whether retrieve the WPK file over HTTP or HTTPS
	force_upgrade	true, false	no	false	Forces the agents to upgrade, ignoring package type and version validations
	package_type	string	no	Manager-inferred	Specifies the package type for upgrading agents. For example rpm and deb. Especially useful for upgrading unrecognized system platforms

Example message:

{
    "origin": {
        "module": "api"
    },
    "command": "upgrade",
    "parameters": {
        "agents": [5,6],
        "wpk_repo": "packages.wazuh.com/wpk/",
        "version": "v4.2.1",
        "use_http": false,
        "force_upgrade": false,
          "package_type": "rpm"
    }
}

Upgrade custom parameters: Command to upgrade agents from a local WPK file.

Note

In a multi-node Wazuh cluster setup, the custom WPK file must exist on all Wazuh manager nodes in the specified path. Ensure the directory path remains consistent across all cluster manager nodes to deploy the custom WPK file and its contents properly.

Option	Suboption	Values	Required	Default	Description
parameters	file_path	string	yes		Path to the WPK file to be sent
parameters	installer	string	no	`upgrade.sh` in Linux and macOS, `upgrade.bat` in Windows	Overrides the default installer script

Example message:

{
    "origin": {
        "module": "api"
    },
    "command": "upgrade_custom",
    "parameters": {
        "agents": [20,23],
        "file_path": "/home/user/agent.wpk",
        "installer": "custom-upgrade-script.sh"
    }
}

Refer to the Upgrade agents API reference documentation for more information.

Upgrade result request [API/CLI]

The task manager informs the result of an upgrade task. It will receive the upgrade result requests from a socket located at:

{WAZUH_DIR}/queue/tasks/task

The module expects three parameters:

Option	Suboption	Values	Description
origin	module	API (only value allowed)	Emitter of the request
command		upgrade, upgrade_custom	Specifies the command to be executed
parameters	agents	Array of int values (id of the agents)	Specifies the list of agents where the command will be applied

Example message:

{
    "origin": {
        "module": "api"
    },
    "command": "upgrade_result",
    "parameters": {
        "agents": [5,10]
    }
}

The response will contain all the information related to the upgrade task stored in the tasks DB:

Option	Values	Description
error	int value	Error code: 0 when successful, a positive number when there's an error
data	array	Array with the responses for each agent
message	string	String associated to the error code

The information for each agent will be the following:

Option	Values	Description
error	int value	Error code: 0 when successful, a positive number when there's an error
message	string	String associated with the error code
node	string	Name of the node that executed the task retrieved
module	upgrade_module	Initiator of the task retrieved
command	upgrade, upgrade_custom	Command executed by the task retrieved
agent	int value (id of the agent)	Id of the agent where the task retrieved was executed
task_id	int value (id of the task)	Id of the task retrieved
create_time	timestamp	Creation time of the task retrieved (UTC)
update_time	timestamp	Last update time of the task retrieved (UTC)
status	In queue, Updating, Updated, Error, Cancelled, Timeout, Legacy	The current status of the task retrieved
error_msg	string	String associated to the status when the status is Error

Note

The legacy status is used to indicate that the upgrade is to an old version where the agent does not report the result of the task. The result of these tasks must be checked manually.

Example response:

{
     "error": 0,
     "data": [
     {
             "error": 0,
             "message": "Success",
             "node": "node01",
             "module": "upgrade_module",
             "command": "upgrade",
             "agent": 5,
             "task_id": 15,
             "create_time": "2020/08/11 00:05:18",
             "update_time": "0",
             "status": "Updating"
     },{
             "error": 0,
             "message": "Success",
             "node": "node02",
             "module": "upgrade_module",
             "command": "upgrade",
             "agent": 10,
             "task_id": 16,
             "create_time": "2020/08/11 00:05:30",
             "update_time": "2020/08/11 00:05:52",
             "status": "Error",
             "error_msg": "SHA1 verification error"
     }
     ],
     "message": "Success"
}

Refer to the packages list for a full list of the available agent packages. Refer to the Get upgrade results API reference documentation for more information.

Wazuh agent queue

The Wazuh agent includes a queue mechanism queue_ad to prevent large bursts of events on a Wazuh agent from negatively impacting the network or the Wazuh manager. It uses a leaky bucket queue that collects all generated events and sends them to the Wazuh manager at a rate below the specified events per second threshold. This helps to avoid the loss of events or unexpected behavior from the Wazuh components.

Additionally, Wazuh agent modules such as Log collector, File Integrity Monitoring (FIM), Security configuration assessment (SCA), can be configured to limit their event production rate, reducing the risk of saturating the leaky bucket's buffer.

Why a queue is needed

In the Wazuh architecture, Wazuh agents collect information from log files, command outputs, different kinds of scans, etc. They then send all the collected information to the Wazuh manager, separated into individual events. Without any congestion control, a Wazuh agent could potentially send events at a rate as high as the system can transmit, which could be hundreds or thousands of events per second.

Due to this fact, an incorrect configuration in a Wazuh agent may generate enough events to saturate a network or its Wazuh manager. Here are some misconfiguration scenarios that could lead to this problem:

Real-time file integrity monitoring of a directory with files that keep changing:

Events are generated every time a file under a monitored directory changes. If the FIM module monitors a directory that changes constantly, it will generate a large volume of events. In addition, if the monitored directory contains any file to which Wazuh continuously updates when it generates an event, like /var/ossec/logs/, it will cause an infinite loop.
Windows Filtering Platform:

A Windows firewall event (ID 5156) is generated each time an outbound network connection is allowed. When this event is enabled in Windows, and Wazuh is configured to monitor all Windows security event logs, the result is an infinite loop. When the Wazuh agent connects to its Wazuh manager, it generates a Windows firewall event that causes the Wazuh agent to connect again to its manager.
Applications that retry on errors with no rate limiting:

When certain applications encounter an error, such as disk full, they may generate an error log entry and retry the task hundreds of times per second, generating massive events.

Each of these scenarios may create such a high rate of events that the functioning of the Wazuh agent, network, and/or manager may be significantly hampered.

Event congestion controls

To better handle these kinds of situations, the following controls have been deployed:

Agent-to-manager event congestion management (Leaky bucket):

This provides event congestion control with an agent-side leaky bucket queue to guard against saturation of the network or of the Wazuh manager by a Wazuh agent.
Internal agent event congestion management:

This mechanism uses internal limits in different components of the Wazuh agent to control the rate at which they generate events.

Agent-to-manager event congestion management (Leaky bucket)

As mentioned above, the leaky bucket is a congestion control located in Wazuh agents and focused on agent-to-manager communication. The Wazuh agent collects events and stores them temporarily in a buffer that can hold up to 5000 events by default. It then forwards these events to the Wazuh manager, ensuring that no more than 500 events are sent per second, which is the default setting. This ensures a controlled flow of information to the Wazuh manager. These values are set by default; however, you can change them depending on your infrastructure requirement. The following graphic shows how the bucket works.

There are several levels of control for the bucket. These control levels are set to monitor the buffer status and address a potential flooding situation. They include:

Warning alert: The first control level will trigger an alert on the Wazuh manager when the occupied capacity of the buffer has reached a certain threshold. By default, it is set at 90%.
Full alert: After the first control level, if the buffer gets filled, the Wazuh manager will receive another alert. This new alert is more serious than a warning alert because subsequent events will be dropped when the bucket is filled.
Flood alert: This alert is generated if more than a customizable timeout passes between a full alert event and the buffer level dropping below the warning level. For example, you might set the timeout to 60 seconds. This means if the buffer remains full for more than 60 seconds after a "Full alert," the "Flood alert" will be triggered
Normal alert: This announces that the buffer level has returned to normal (by default <= 70%) after having previously triggered a warning alert or higher.

The leaky bucket can be configured to adapt to any environment with the use of the following configuration options:

Throughput configuration

In the <client_buffer> section of Local configuration, it is possible to disable the buffer, configure the size of the buffer (number of events), and configure its throughput limit measured in events per second (EPS).

Follow the steps below to configure the Wazuh agent queue.

Modify the queue_size and events_per_second to allowable values in the client_buffer block in the Wazuh agent configuration file. The file can be found at C:\Program Files (x86)\ossec-agent\ossec.conf on Windows, /var/ossec/etc/ossec.conf on Linux/Unix, and /Library/Ossec/etc/ossec.conf on macOS.
```
<client_buffer>
  
  <disabled>no</disabled>
  <queue_size>5000</queue_size>
  <events_per_second>500</events_per_second>
</client_buffer>
```
- Disable buffer: This parameter disables the use of the leaky bucket, resulting in no restriction on the rate of events transmitted by the Wazuh agent to the Wazuh manager.
- Queue size: The queue size is the maximum number of events that can be held in the leaky bucket once. It should be configured according to the expected rate at which a Wazuh agent may generate events. By default, this value is set to 5000 events, which is a generous buffer size for most environments.
- Events per second: This is the maximum rate at which events will be pulled from the Wazuh agent's buffer and transmitted to its manager. The default is a generous 500 EPS, but this should be set considering the network's capacity and the number of agents a manager is serving.

Restart the Wazuh agent with administrative privileges.

# systemctl restart wazuh-agent

# Restart-Service -Name wazuh

# /Library/Ossec/bin/wazuh-control restart

This configuration is also available in centralized configuration, which means it can be set in the agent.conf file to configure agents' bucket options from the Wazuh server. When a Wazuh agent is configured by agent.conf, that configuration overrides its local configuration. However, it is possible to configure the minimum number of EPS an agent is allowed to transmit. This can be done by setting the agent.min_eps in the Wazuh agent's /var/ossec/etc/internal_options.conf file. This setting overrides the EPS limit configured at the Wazuh manager level via agent.conf.

Threshold configuration

The /var/ossec/etc/internal_options.conf file contains more advanced options related to buffer operation. These advanced options include the warning and normal level thresholds. Using the internal configuration /var/ossec/etc/internal_options.conf file, we can also configure the tolerance time for triggering a flooding alert.

Internal agent event congestion management

To avoid agent buffer saturation followed by event loss, the event production rates of the Wazuh agent daemons that could cause this saturation have been limited.

Logcollector: If a log file is written faster than the logcollector can read it, this can negatively impact the Wazuh agent's proper functioning. For this reason, the Wazuh agent will restrict itself to reading no more than a configurable maximum number of lines from the same file per read cycle.
Syscollector: The module previously sent the entire set of scan results as soon as a scan was complete. It now sends the scan information to the Wazuh manager at a regulated speed to prevent the buffer from collapsing.

These are advanced configurations located at Internal configuration. The variables defined for this purpose are called logcollector.max_lines, wazuh_modules.max_eps, and much care should be given when changing these values.

Use case: Leaky bucket

In this section, it will be shown how the leaky bucket acts when under high load. In the image below, we show the different phases of the buffer's usage from when it is receiving more events than expected till the flooding is resolved.

Normal status (green area)

As the graphic in the left area shows, the buffer works normally, receiving and sending events. In this situation, no buffer alerts are triggered on the Wazuh manager. However, many events can trigger an increase in buffer usage, causing it to reach the warning level, which is set at 90%.

Warning status (orange area)

Once it has reached the warning level, you will see alerts with rule.id: 202 on the Wazuh dashboard:

Despite this alert, no events have been dropped because the buffer still has free space.

Full status (light red area)

When the buffer continues receiving events faster than they are removed, it will eventually reach 100% of its capacity. You'll see alerts with rule.id 203 on the Wazuh dashboard:

Note

It is important to understand that when the buffer is full, all newly arriving events will be dropped until free space opens up in the buffer. For example, if 1000 events arrive at a full buffer with a throughput limit of 500 EPS in one second, 500 of these events will be stored, and the other 500 will be dropped.

When the buffer is 100% full, a timer is started compared to the agent.tolerance value is set in the /var/ossec/etc/internal_options.conf file.

At this point, two possible things could happen:

The buffer utilization decreases below the warning level before the timer reaches the agent.tolerance value. If this occurs, no alert about flooding appears on the Wazuh manager. This graphic illustrates this situation.
The buffer utilization stays above the warning level until the specified agent.tolerance value has elapsed. Now, the buffer may not come back to normal status by itself. For that reason, a more severe Flooding status alert is triggered on the Wazuh manager.

Flooding status (red area)

If the conditions in number 2 above are met, where the buffer stays above the warning level beyond the defined agent.tolerance value, the Flooding status alert is triggered. You'll see an alert with rule.id 204 on the Wazuh dashboard:

Warning

The alert description warns the user to check the Wazuh agent since it is probable that it will not recover to normal status by itself. Remember that a flooded agent is dropping events.

Normal status

The right area of the graphic shows how the buffer returns to normal status after it hits 100%. This could occur when a module stops generating excessive events, either because a task has been completed or because the problematic module was manually shut down.

To let the Wazuh manager know when a Wazuh agent is working properly again, another alert is triggered when the use of a maxed-out buffer decreases to less than the normal level (70% by default). You'll see alerts with rule.id 205 on the Wazuh dashboard:

When the bucket is in this status, no events are dropped.

Agent labels

This feature allows the user to customize the alert information from agents to include specific information related to the Wazuh agent generating the alert. This can prove useful when addressing or reviewing alerts. In addition, in large environments, this capability can be used to identify groups of agents by any common characteristic such as time zone, for example.

How it works
Use case

How it works

Configuring labels that will be included in alerts is a straightforward process. It can be done using a simple XML structure that adds information to alerts. Labels can be nested by separating "key" terms by a period for inclusion in JSON-formatted alerts.

Information on how to configure labels can be found in the labels section of the ossec.conf file on the Wazuh agent.

Agent labels can also be centralized using the agent.conf file on the Wazuh manager, such that labels can be set for specific Wazuh agents at the Wazuh manager level. When there is a pre-existing label that is the same as one the user has defined in the Wazuh agent ossec.conf file or agent.conf, the second one will override the first.

For more information about centralizing agent configuration, see the centralized configuration section.

Additional configuration information is available in the internal configuration section.

Use case

Below is a case where the use of labels can prove helpful.

In a large environment deployed in Amazon Web Services (AWS), you might want to have the following information about each Wazuh agent when an alert is triggered:

AWS instance-id.
AWS Security group.
Network IP address.
Network MAC.
Date of installation (hidden).

To include these labels in alerts from a specific Wazuh agent, the following configuration must be inserted into the Wazuh agent’s ossec.conf file:

<labels>
  <label key="aws.instance-id">i-052a1838c</label>
  <label key="aws.sec-group">sg-1103</label>
  <label key="network.ip">172.17.0.0</label>
  <label key="network.mac">02:42:ac:11:00:02</label>
  <label key="installation" hidden="yes">July 1st, 2024</label>
</labels>

To set the labels at the Wazuh manager level, the following configuration would be added to the agent.conf file:

<agent_config name="92603de31548">
  <labels>
     <label key="aws.instance-id">i-052a1838c</label>
     <label key="aws.sec-group">sg-1103</label>
     <label key="network.ip">172.17.0.0</label>
     <label key="network.mac">02:42:ac:11:00:02</label>
     <label key="installation" hidden="yes">July 1st, 2024</label>
  </labels>
</agent_config>

When an alert is fired for a Wazuh agent with the above configuration applied from the Wazuh manager, the defined labels will add information to alerts as shown below:

The same alert in JSON format shows the advantage of using nested labels:

{
  "_index": "wazuh-alerts-4.x-2024.07.12",
  "_id": "i74Hp5ABO7i5Oz0kQ5QV",
  "_version": 1,
  "_score": null,
  "_source": {
    "predecoder": {
      "hostname": "ubuntu",
      "program_name": "sshd",
      "timestamp": "Jul 12 15:59:42"
    },
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "192.168.33.128",
      "name": "Ubuntu-24.04",
      "id": "004",
      "labels": {
        "aws": {
          "instance-id": "i-052a1838c",
          "sec-group": "sg-1103"
        },
        "network": {
          "ip": "172.17.0.0",
          "mac": "02:42:ac:11:00:02"
        }
      }
    },
    "manager": {
      "name": "wazuh-virtual-machine"
    },
    "data": {
      "srcip": "192.168.33.1",
      "dstuser": "wazuh"
    },
    "rule": {
      "mail": false,
      "level": 10,
      "pci_dss": [
        "10.2.4",
        "10.2.5"
      ],
      "hipaa": [
        "164.312.b"
      ],
      "tsc": [
        "CC6.1",
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "syslog: User missed the password more than one time",
      "groups": [
        "syslog",
        "access_control",
        "authentication_failed"
      ],
      "nist_800_53": [
        "AU.14",
        "AC.7"
      ],
      "gdpr": [
        "IV_35.7.d",
        "IV_32.2"
      ],
      "firedtimes": 1,
      "mitre": {
        "technique": [
          "Brute Force"
        ],
        "id": [
          "T1110"
        ],
        "tactic": [
          "Credential Access"
        ]
      },
      "id": "2502",
      "gpg13": [
        "7.8"
      ]
    },
    "location": "/var/log/auth.log",
    "decoder": {
      "parent": "sshd",
      "name": "sshd"
    },
    "id": "1720789183.17423",
    "full_log": "Jul 12 15:59:42 ubuntu sshd[16051]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.33.1  user=wazuh",
    "timestamp": "2024-07-12T15:59:43.612+0300"
  },
  "fields": {
    "timestamp": [
      "2024-07-12T12:59:43.612Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@opensearch-dashboards-highlighted-field@004@/opensearch-dashboards-highlighted-field@"
    ],
    "manager.name": [
      "@opensearch-dashboards-highlighted-field@wazuh-virtual-machine@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1720789183612
  ]
}

Agent key request

The key request feature fetches the agent keys stored on an external database.

How it works

The key request feature allows agent keys to be retrieved from an external source such as a database. This provides a mechanism to auto-enroll agents who are not enrolled in a manager instance but report to it.

When the <key_request> tag is enabled in the authd configuration, it allows retrieving the Wazuh agent information from an external database, such as MySQL or any database engine, for enrolling it to the client.keys file.

To do this, it is necessary to create a binary or script in any language that can be integrated into your database engine and thus request the Wazuh agents' information. The key_request tag must be added to the authd configuration block.

Below is the flow diagram:

Input

If the socket tag is not specified in the configuration block, the key request feature calls the executable with the following parameters, depending on the fetching type:

Fetch agent information by ID
Fetch agent information by IP

When polling by ID, the Wazuh manager retrieves the agent key by querying its ID. The input parameters that the program receives are as follows:

./agent_key_request.py id 001

When fetching by IP address, the Wazuh manager retrieves the agent key by querying its IP address. The input parameters that the program receives are as follows:

./agent_key_request.py ip 192.168.1.100

Note

Keep in mind that the above examples represent how Wazuh will call the binary or script you created and integrated into your database.

When the socket tag is specified, the module will send the parameters through the specified socket and read the response. The performance improvement over executing the program, as it is explained above, is significant.

The format in which the program receives the data is option:value, where option can be id or ip depending on the fetching type.

An empty input must be allowed. The key request feature performs a socket health check on startup. If the connection is established successfully, it is immediately closed.

Note

If the socket option is specified and the socket is unavailable, the program to be turned on will be called if it has been specified.

Output

The output of your script must be a JSON object, which is the standard output.

On success example:

{
    "error": 0,
    "data": {
        "id": "001",
        "name": "my_agent",
        "ip": "192.168.1.100",
        "key": "ac575526e8bbcddf6654e5aa0a39fa60a0020e5d34ed1370916368bdaf5f0c71"
    }
}

error

Error identification number.

Allowed characters	Digits only
Allowed size	1 digit
Unique value	Yes, must be 0

data

Data in json format with the following fields.

Allowed fields

id, name, ip, key

Agent identification number.

Allowed characters	Digits only
Allowed size	3 to 8 digits
Unique value	Yes

name

Agent name.

Allowed characters	Alphanumeric characters, `-`, `_` and `.`
Allowed size	Up to 128 bytes
Unique value	Yes

address

Allowed source address range in CIDR format. If specified, the Wazuh manager will only accept the Wazuh agent if its source IP address matches this address.

Format	CIDR. Netmask is optional.
Unique value	Yes
Reserved values	None
Aliases	`any` = `0.0.0.0/0`

key

String that will take part in the external message encryption.

Allowed characters	Printable characters
Allowed size	Up to 128 bytes
Unique value	No

On error example:

{
    "error": 1,
    "message": "Your error message"
}

error

Error identification number.

Allowed characters	Digits only
Unique value	Yes

message

String that will show the message error.

Allowed characters	Printable characters
Unique value	No

Example scripts

Suppose you have a table named agent in your database with the following structure:

Field	Type
id	Varchar (8)
name	Varchar (128)
ip	Varchar (19)
agent_key	Varchar (128)

Note

If your executable is a script that does not include a hashbang (#!) line specifying the interpreter, you must include its interpreter in the exec_path parameter of the configuration.

The Python script below shows an example of an agent key retrieval from the database (MySQL).

import sys
import json
import mysql.connector
from mysql.connector import Error

def main():

     if len(sys.argv) < 3:
     print json.dumps({"error": 1, "message": "Too few arguments"})
     return

     try:
     conn = mysql.connector.connect(host='localhost',
                                     database='your_database',
                                     user='user',
                                     password='secret')
     except Error as e:
     print json.dumps({"error": 2, "message": str(e)})
     return

     cursor = conn.cursor()
     data = sys.argv[2]

     if sys.argv[1] == "id":
     cursor.execute("SELECT id,name,ip,`agent_key` FROM agent WHERE id = '{}'".format(data))
     elif sys.argv[1] == "ip":
     cursor.execute("SELECT id,name,ip,`agent_key` FROM agent WHERE ip = '{}'".format(data))
     else:
     print json.dumps({"error": 3, "message": "Bad arguments given"})
     return

     row = cursor.fetchone()

     if row:
     print json.dumps({"error": 0, "data": {"id" : row[0], "name": row[1], "ip": row[2], "key": row[3]}},sort_keys=False)
     else:
     print json.dumps({"error": 4, "message": "No agent key found"},sort_keys=False)


if __name__ == '__main__':
     main()

The php script below shows an example of an agent key retrieval from the database (MySQL).

<?php
     $servername = "localhost";
     $username = "user";
     $password = "secret";
     $dbname = "your_database";

     if($argc < 3){
     echo json_encode(array('error' => 1, 'message' => 'To few arguments'));
     exit;
     }

     $conn = new mysqli($servername, $username, $password, $dbname);
     if ($conn->connect_error) {
     echo json_encode(array('error' => 2, 'message' => 'Could not connect to database'));
     exit;
     }

     $data = $argv[2];

     if($argv[1] == "id"){
     $sql = "SELECT id,name,ip,`agent_key` FROM agent WHERE id = '$data'";
     } else if ($argv[1] == "ip") {
     $sql = "SELECT id,name,ip,`agent_key` FROM agent WHERE ip = '$data'";
     } else {
     echo json_encode(array('error' => 3, 'message' => 'Bad arguments given'));
     exit;
     }

     $result = $conn->query($sql);

     if ($result->num_rows > 0) {
     $row = $result->fetch_assoc();
     echo json_encode(array('error' => 0, 'data' => array( "id" => $row["id"], "ip" => $row["ip"],"key" => $row["agent_key"],"name" => $row["name"])));
     } else {
     echo json_encode(array('error' => 4, 'message' => 'No agent key found'));
     }
     $conn->close();
?>

Note

Remember to use parameter binding to protect your script or binary against SQL injections.

Data analysis

Wazuh provides security monitoring for various platforms, including endpoints, containers, and cloud environments. It collects log data from these platforms through multiple methods such as the Wazuh agent, agentless monitoring, syslog, and APIs. Once collected, the log data is processed by the Wazuh data analysis engine. This engine utilizes decoders to parse the log messages into useful fields and matches these fields against out-of-the-box or custom rules. The analyzed data is then utilized for threat detection, security configuration assessment, and other Wazuh capabilities.

The Wazuh data analysis engine is responsible for decoding logs, triggering rules, and generating alerts in Wazuh using the following scheme:

Log collection: Wazuh gathers logs from monitored endpoints, applications, and network devices. These logs come from various sources including operating system logs, syslog-enabled devices, cloud provider logs, and custom logs. See the log data collection documentation for more information.
Log decoding: The Wazuh server analyzes the collected logs in real-time using decoders. Decoders are responsible for parsing and normalizing log data, converting raw log data into a unified and structured format, and extracting the most relevant fields that Wazuh can process effectively.
Rule matching and alert visualization: After decoding, the Wazuh server compares logs against its ruleset and triggers alerts when specific conditions are met. The alerts generated are recorded in /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json on the Wazuh server. Then, using Filebeat, the logs are forwarded and stored on the Wazuh indexer. These alerts can then be accessed through the Wazuh dashboard Security Events tab, where users can conduct real-time log data queries, apply filters, and identify anomalies and potential security incidents within their environment.

While the Wazuh development team continuously contributes to improving the Wazuh ruleset, we also encourage contributions from the Wazuh community to ensure its continuous improvement. As users adopt diverse technologies tailored to their specific requirements, the constant development of new security-relevant devices and software programs worldwide becomes increasingly relevant. Wazuh recognizes this need for adaptability and offers a comprehensive range of rules and decoders within its data analysis engine. Moreover, Wazuh empowers users with the flexibility to develop custom rules and decoders in addition to over 3000 rules and decoders that come out-of-the-box. For more information about the out-of-the-box rules and decoders, refer to the ruleset directory on our GitHub repository.

Directory layout

Below, we show the structure of the ruleset directory on the Wazuh server:

/var/ossec/
        ├─ etc/
        │   ├─ decoders/
        |   |        └─ local_decoder.xml
        │   └─ rules/
        |         └─ local_rules.xml
        └─ ruleset/
                ├─ decoders/
                └─ rules/

Note

You can find all the out-of-the-box rules and decoders inside the /var/ossec/ruleset/ directory. All files within this directory are overwritten or modified during the Wazuh upgrade process. Therefore, we do not recommend editing or adding your custom files here. Instead, we recommend making custom changes in the /var/ossec/etc/ directory. Here, you can add your own decoders and rules files or use the default /var/ossec/etc/decoders/local_decoder.xml and /var/ossec/etc/rules/local_rules.xml files.

GitHub repository

Visit the Wazuh GitHub repository to view the ruleset in detail.

In the repository, you will find:

New rules and decoders

We update and maintain the out-of-the-box rules and decoders to increase detection coverage and accuracy. These rules and decoders assist in meeting regulatory compliance standards, threat detection, security configuration assessment, and mapping events and alerts to the MITRE ATT&CK framework more accurately.
Tools

We provide useful tools such as the wazuh-logtest, which allows for testing rules and decoders before using them. This tool processes only one-liner (no line breaks) logs and is available in /var/ossec/bin/wazuh-logtest on the Wazuh server, along with various other binaries which help in managing the Wazuh server and agents. For more information you can take a look at Wazuh tools documentation.

Content

Decoders

Wazuh utilizes decoders to extract information from received log messages. Upon receiving a log message, decoders segment the information into fields to prepare them for analysis.

Wazuh decoders utilize XML syntax, enabling users to specify how log data should be parsed and normalized. The syntax typically includes elements such as <decoder> for defining the decoder, <order> to specify the decoding sequence, and <regex> for defining regular expressions for pattern matching. For more information, take a look at the decoder syntax documentation.

Decoders operate in two phases: pre-decoding and decoding. During the pre-decoding phase, general information such as a timestamp, hostname, and program name are extracted when a syslog-like header is present. This initial extraction provides essential context for further analysis. In the subsequent decoding phase, decoders parse and interpret the remaining log data, extracting additional relevant information. They play a crucial role in parsing and interpreting log data, allowing Wazuh to understand and respond to different types of events.

While Wazuh has a built-in JSON decoder dedicated to logs in JSON format, it also offers a range of other out-of-the-box decoders tailored to various log formats commonly encountered in different environments. Furthermore, users have the flexibility to create custom decoders for formats not covered by the out-of-the-box options. The following sections provide detailed insights into both the functionality of the built-in JSON decoder and the process of creating and utilizing custom decoders.

JSON decoder

Wazuh incorporates a default decoder for JSON logs, enabling the extraction of data from any source in this format.

The JSON decoder possesses the ability to extract the following data types:

Numbers	Integer or decimal numbers.
Strings	A sequence of characters.
Booleans	The values are `true` or `false`.
Null values	Empty values.
Arrays	Lists with zero or more values. These values may be different, but they must belong to some of the above. An array of objects is not supported.
Objects	Collections of key/value pairs where the keys are strings.

Extracted fields are stored as dynamic Fields and can be referred to by the rules.

The following example shows how Wazuh decodes a JSON log and generates an alert for Suricata.

Suricata event log:

{
   "timestamp": "2023-05-02T17:46:48.515262+0000",
   "flow_id": 1234,
   "in_iface": "eth0",
   "event_type": "alert",
   "src_ip": "16.10.10.10",
   "src_port": 5555,
   "dest_ip": "16.10.10.11",
   "dest_port": 80,
   "proto": "TCP",
   "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 2019236,
      "rev": 3,
      "signature": "ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number",
      "category": "Attempted Administrator Privilege Gain",
      "severity": 1
   },
   "payload": "21YW5kXBtgdW5zIGRlcHJY2F0QgYWI",
   "payload_printable": "this_is_an_example",
   "stream": 0,
   "host": "suricata.com"
}

The JSON decoder extracts each field from the JSON log data for comparison against the rules, eliminating the need for a specific Suricata decoder. Ensure to convert the multiline JSON log above to single-line, just as seen from the output below.

We can now run the /var/ossec/bin/wazuh-logtest tool on the Wazuh server to test the log sample and have insights into the current decoding.

The output of the test provide the following result:

Type one log per line

{"timestamp":"2023-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"21YW5kXBtgdW5zIGRlcHJY2F0QgYWI","payload_printable":"this_is_an_example","stream":0,"host":"suricata.com"}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
        name: 'json'
        alert.action: 'allowed'
        alert.category: 'Attempted Administrator Privilege Gain'
        alert.gid: '1'
        alert.rev: '3'
        alert.severity: '1'
        alert.signature: 'ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number'
        alert.signature_id: '2019236'
        dest_ip: '16.10.10.11'
        dest_port: '80'
        event_type: 'alert'
        flow_id: '1234'
        host: 'suricata.com'
        in_iface: 'eth0'
        payload: '21YW5kXBtgdW5zIGRlcHJY2F0QgYWI'
        payload_printable: 'this_is_an_example'
        proto: 'TCP'
        src_ip: '16.10.10.10'
        src_port: '5555'
        stream: '0'
        timestamp: '2023-05-02T17:46:48.515262+0000'

**Phase 3: Completed filtering (rules).
        id: '86601'
        level: '3'
        description: 'Suricata: Alert - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number'
        groups: '['ids', 'suricata']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

Offset

The offset attribute in the Wazuh JSON decoder enables the extraction of JSON data included within an incoming log by discarding certain parts of the input string. This functionality proves useful when dealing with logs that contain additional metadata or formatting before the JSON payload. For instance, if we receive a log containing JSON data embedded within a larger string, we can use the offset attribute to discard the preceding text and focus solely on the JSON content.

Let’s consider the following log entry which includes player information within a string, preceded by timestamp and program name:

2018 Apr 04 13:11:52 nba_program: this_is_an_example: " player_information: "{ "name": "Stephen", "surname": "Curry", "team": "Golden State Warriors", "number": 30, "position": "point guard"}

By utilizing the JSON decoder with the offset attribute, we can efficiently extract and process the JSON data for further analysis. The decoder declaration using the offset attribute would be as follows:

<decoder name="raw_json">
    <program_name>nba_program</program_name>
    <prematch>player_information: "</prematch>
    <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>

The JSON decoder extracts the fields contained in the JSON event as dynamic fields, considering the end of the prematch text.

When, testing the log sample with /var/ossec/bin/wazuh-logtest we obtain the following output:

Type one log per line

2018 Apr 04 13:11:52 nba_program: this_is_an_example: " player_information: "{ "name": "Stephen", "surname": "Curry", "team": "Golden State Warriors", "number": 30, "position": "point guard"}

**Phase 1: Completed pre-decoding.
        full event: '2018 Apr 04 13:11:52 nba_program: this_is_an_example: " player_information: "{ "name": "Stephen", "surname": "Curry", "team": "Golden State Warriors", "number": 30, "position": "point guard"}'
        timestamp: '2018 Apr 04 13:11:52'
        program_name: 'nba_program'

**Phase 2: Completed decoding.
        name: 'raw_json'
        name: 'Stephen'
        number: '30'
        position: 'point guard'
        surname: 'Curry'
        team: 'Golden State Warriors'

As we can see, the JSON decoder ignores any data after a valid JSON object, ensuring accurate extraction of JSON fields.

Mixing of plugin decoders with regular expressions

Another new capability is the ability to combine plugin decoders with regular expressions.

Consider the following incoming log:

2018 Jun 08 13:11:52 nba_email_db: json_data: { "name": "Stephen", "surname": "Curry", "email": "curry@gmail.com"}

We can set several child decoders from a parent, specifying a plugin decoder as before, and also another one including a regular expression. For example, the following ones:

<decoder name="json_parent">
    <program_name>nba_email_db</program_name>
</decoder>

<decoder name="json_child">
    <parent>json_parent</parent>
    <prematch>json_data: </prematch>
    <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>

<decoder name="json_child">
    <parent>json_parent</parent>
    <regex>@(\S+)"</regex>
    <order>email_domain</order>
</decoder>

When, testing the log sample with /var/ossec/bin/wazuh-logtest, we can observe the decoded fields by the JSON decoder, as well as the matched field from the regex expression:

Type one log per line

2018 Jun 08 13:11:52 nba_email_db: json_data: { "name": "Stephen", "surname": "Curry", "email": "curry@gmail.com"}

**Phase 1: Completed pre-decoding.
        full event: '2018 Jun 08 13:11:52 nba_email_db: json_data: { "name": "Stephen", "surname": "Curry", "email": "curry@gmail.com"}'
        timestamp: '2018 Jun 08 13:11:52'
        program_name: 'nba_email_db'

**Phase 2: Completed decoding.
        name: 'json_parent'
        parent: 'json_parent'
        email: 'curry@gmail.com'
        email_domain: 'gmail.com'
        name: 'Stephen'
        surname: 'Curry'

Dynamic fields

Dynamic fields are additional fields extracted from log data during the decoding process. Unlike predefined fields, dynamic fields are not limited in number and can vary depending on the content of the log message. These fields capture specific information from logs, enriching the data available for analysis and detection.

Traditional decoders

Traditionally, Wazuh offers thirteen predefined fields for storing extracted information: user, srcip, dstip, srcport, dstport, protocol, action, id, url, data, extra_data, status, and system_name. These are also referred to as “static fields”. However, only eight fields can be extracted simultaneously. This limitation arises because in certain scenarios where log entries contain multiple types of information, Wazuh prioritizes the extraction of specific fields over others. As a result, only eight out of the thirteen fields can be populated simultaneously to manage resource constraints and maintain efficiency in log processing. The prioritized fields in such cases are typically: user, srcip, dstip, srcport, dstport, protocol, action and id.

You can find below an example decoder to match some static fields:

<decoder name="web-accesslog">
  <type>web-log</type>
  <prematch>^\d+.\d+.\d+.\d+ - </prematch>
  <regex>^(\d+.\d+.\d+.\d+) - \S+ [\S+ -\d+] </regex>
  <regex>"\w+ (\S+) HTTP\S+ (\d+) </regex>
  <order>srcip,url,id</order>
</decoder>

Dynamic decoders

It is often necessary to extract more than eight relevant fields from an event, and often the actual data items extracted have no relationship to the limited list of predefined field names. Recognizing the limitations of operating within these constraints, unlimited number of fields with names that accurately reflect the extracted data. This enhancement includes support for nested field names as well.

You can find below an example decoder to match some dynamic fields:

<decoder name="auditd-config_change">
  <parent>auditd</parent>
  <regex offset="after_regex">^auid=(\S+) ses=(\S+) op="(\.+)"</regex>
  <order>audit.auid,audit.session,audit.op</order>
</decoder>

Wazuh transforms any field name included in the <order> tag into a JSON field.

The following example shows how the /var/ossec/ruleset/decoders/0040-auditd_decoders.xml decoder extracts information from an alert:

Output

** Alert 1486483073.60589: - audit,audit_configuration,
2017 Feb 07 15:57:53 wazuh-example->/var/log/audit/audit.log
Rule: 80705 (level 3) -> 'Auditd: Configuration changed'
type=CONFIG_CHANGE msg=audit(1486483072.194:20): auid=0 ses=6 op="add rule" key="audit-wazuh-a" list=4 res=1
audit.type: CONFIG_CHANGE
audit.id: 20
audit.auid: 0
audit.session: 6
audit.op: add rule
audit.key: audit
audit.list: 4
audit.res: 1

JSON output

{
  "rule": {
    "level": 3,
    "description": "Auditd: Configuration changed",
    "id": 80705,
    "firedtimes": 2,
    "groups": [
      "audit",
      "audit_configuration"
    ]
  },
  "agent": {
    "id": "000",
    "name": "wazuh-example"
  },
  "manager": {
    "name": "wazuh-example"
  },
  "full_log": "type=CONFIG_CHANGE msg=audit(1486483072.194:20): auid=0 ses=6 op=\"add rule\" key=\"audit-wazuh-a\" list=4 res=1",
  "audit": {
    "type": "CONFIG_CHANGE",
    "id": "20",
    "auid": "0",
    "session": "6",
    "op": "add rule",
    "key": "audit",
    "list": "4",
    "res": "1"
  },
  "decoder": {
    "parent": "auditd",
    "name": "auditd"
  },
  "timestamp": "2017 Feb 07 15:57:53",
  "location": "/var/log/audit/audit.log"
}

By default, the maximum number of fields that can be extracted simultaneously from an <order> tag is 64. You can modify the analysisd.decoder_order_size variable in the /var/ossec/etc/internal_options.conf file to adjust this value.

If you need to change this value, copy the analysisd.decoder_order_size section from /var/ossec/etc/internal_options.conf to /var/ossec/etc/local_internal_options.conf and make the necessary changes there. This precaution is necessary because Wazuh upgrades overwrite the /var/ossec/etc/internal_options.conf file.

Sibling Decoders

Sibling decoders refer to a decoder building strategy where multiple decoders operate at the same hierarchical level without a parent-child relationship. Unlike traditional parent-child decoder relationships, where a parent decoder triggers its child decoders based on specific conditions, sibling decoders are independent of each other and function in parallel. This approach is particularly useful when dealing with logs that require multiple decoding strategies or when different parts of a log entry need to be processed separately. Sibling decoders offer greater flexibility in decoding complex log structures and allow for more nuanced analysis of log data.

Traditional log decoding

Wazuh collects log messages from numerous sources relevant to an environment's security. Subsequently, each ingested message undergoes analysis based on a simple and resource-efficient logic, enabling the Wazuh manager to handle large volumes of log data with minimal resources.

The analysis process involves sequentially examining each log message using decoders without a parent. Once a matching condition is met, the process repeats with decoders that have this decoder as a parent. It is important to note that once a decoder is matched, it stops searching through other decoders and focuses solely on its children, if any. Therefore, when constructing decoders, it is essential to avoid overly generic matching conditions to prevent false positives and ensure that the appropriate decoders are triggered effectively.

As a reminder, decoders, unlike rules, cannot have "grandchildren". In other words, a child decoder cannot act as a parent.

Dealing with dynamically structured logs

The process of matching at decoder level uses regular expressions, which require the matching string to have a specific structure. However, this can be a nuisance when logs do not follow a specific structure. They will often provide information omitting parts of the log or changing the order, which would make it impractical if not impossible to create all the necessary decoders to match each one of the possible combinations in which security-relevant data may be received.

Sibling decoders take advantage of the simple parent-children matching logic, enabling the creation of a set of decoders that are 'parents' of each other. As a result, when one of these decoders is matched, it will also check the "sibling" decoders, while extracting one piece of information at a time.

As a result, even if the ordering of the information varies, additional information is present, or some information is missing, the Wazuh analysis engine can still extract as much information as possible from the message.

Extracting information in this modular way through sibling decoders significantly improves their readability. This is achieved by breaking down lengthy regular expression strings into smaller, more manageable pieces.

Practical example

We have a log source that provides the following log message:

Apr 12 14:31:38 hostname1 securityapp: INFO: srcuser="Bob" action="called" dstusr="Alice"

A simple decoder may be:

<decoder name="securityapp">
  <program_name>securityapp</program_name>
  <regex>(\w+): srcuser="(\.+)" action="(\.+)" dstusr="(\.+)"</regex>
  <order>type,srcuser,action,dstuser</order>
</decoder>

We run the /var/ossec/bin/wazuh-logtest utility on the Wazuh server to test the decoder and obtain the following result:

Type one log per line

Apr 12 14:31:38 hostname1 securityapp: INFO: srcuser="Bob" action="called" dstusr="Alice"

**Phase 1: Completed pre-decoding.
        full event: 'Apr 12 14:31:38 hostname1 securityapp: INFO: srcuser="Bob" action="called" dstusr="Alice"'
        timestamp: 'Apr 12 14:31:38'
        hostname: 'hostname1'
        program_name: 'securityapp'

**Phase 2: Completed decoding.
        name: 'securityapp'
        action: 'called'
        dstuser: 'Alice'
        srcuser: 'Bob'
        type: 'INFO'

However, if the log source then provides this message:

Apr 01 19:21:24 hostname2 securityapp: INFO: action="logged on" srcuser="Bob"

No information is extracted.

We can use modular logic with sibling decoders to decode the log message:

<decoder name="securityapp">
  <program_name>securityapp</program_name>
</decoder>

<decoder name="securityapp">
  <parent>securityapp</parent>
  <regex>^(\w+):</regex>
  <order>type</order>
</decoder>

<decoder name="securityapp">
  <parent>securityapp</parent>
  <regex>srcuser="(\.+)"</regex>
  <order>srcuser</order>
</decoder>

<decoder name="securityapp">
  <parent>securityapp</parent>
  <regex>action="(\.+)"</regex>
  <order>action</order>
</decoder>

<decoder name="securityapp">
  <parent>securityapp</parent>
  <regex>dstusr="(\.+)"</regex>
  <order>dstuser</order>
</decoder>

Both messages are now correctly decoded.

Output

Type one log per line

Dec 28 01:35:18 hostname1 securityapp: INFO: srcuser="Bob" action="called" dstusr="Alice"

**Phase 1: Completed pre-decoding.
        full event: 'Dec 28 01:35:18 hostname1 securityapp: INFO: srcuser="Bob" action="called" dstusr="Alice"'
        timestamp: 'Dec 28 01:35:18'
        hostname: 'hostname1'
        program_name: 'securityapp'

**Phase 2: Completed decoding.
        name: 'securityapp'
        action: 'called'
        dstuser: 'Alice'
        srcuser: 'Bob'
        type: 'INFO'


Apr 01 19:21:24 hostname2 securityapp: INFO: action="logged on" srcuser="Bob"

**Phase 1: Completed pre-decoding.
        full event: 'Apr 01 19:21:24 hostname2 securityapp: INFO: action="logged on" srcuser="Bob"'
        timestamp: 'Apr 01 19:21:24'
        hostname: 'hostname2'
        program_name: 'securityapp'

**Phase 2: Completed decoding.
        name: 'securityapp'
        action: 'logged on'
        srcuser: 'Bob'
        type: 'INFO'

Custom decoders

You can customize the Wazuh decoders on the Wazuh server to suit your requirements and improve your detection capabilities. Wazuh allows you to:

Add custom decoders

Note

Add your new decoders in the /var/ossec/etc/decoders/local_decoder.xml file. We recommend creating new decoder files in the /var/ossec/etc/decoders/ directory for changes on a larger scale.

Check out this example on how to create new decoders and rules. The following log corresponds to a program called example:

Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100'

Add a new decoder to /var/ossec/etc/decoders/local_decoder.xml to decode the log information:

<decoder name="example">
  <program_name>^example</program_name>
</decoder>

<decoder name="example">
  <parent>example</parent>
  <regex>User '(\w+)' logged from '(\d+.\d+.\d+.\d+)'</regex>
  <order>user, srcip</order>
</decoder>

Run /var/ossec/bin/wazuh-logtest utility on the Wazuh server and enter the example log above to test the decoder and rule:

Type one log per line

Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100'

**Phase 1: Completed pre-decoding.
        full event: 'Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100''
        timestamp: 'Dec 25 20:45:02'
        hostname: 'MyHost'
        program_name: 'example'

**Phase 2: Completed decoding.
        name: 'example'
        dstuser: 'admin'
        srcip: '192.168.1.100'

To test your rules and decoders using the /var/ossec/bin/wazuh-logtest utility, simply save the changes made to the decoder and rule files. However, you need to restart the Wazuh manager to generate alerts based on these modifications.

Restart the Wazuh manager to apply the changes:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Modify default decoders

Default decoders may not parse custom or non-standard log formats correctly, so modifying them ensures accurate analysis for your specific environment.

To modify a default decoder, you can rewrite its file in the /var/ossec/etc/decoders/ directory on the Wazuh server, make the changes, and exclude the original decoder file from the loading list. This approach avoids editing core files, preventing conflicts during Wazuh updates, and allows tailored log processing to extract specific fields or handle unique application logs effectively.

For example, if you want to customize decoders in the /var/ossec/ruleset/decoders/0310-ssh_decoders.xml file, follow these steps:

Copy the decoder file /var/ossec/ruleset/decoders/0310-ssh_decoders.xml to the user directory /var/ossec/etc/decoders/. This ensures that your changes are saved when upgrading to a newer version.

Change the ownership and permission of the copied file to wazuh:wazuh to ensure the Wazuh manager service can read it:

# chown wazuh:wazuh /var/ossec/etc/decoders/0310-ssh_decoders.xml
# chmod 660 /var/ossec/etc/decoders/0310-ssh_decoders.xml

Edit the Wazuh server /var/ossec/etc/ossec.conf configuration file. Set the <decoder_exclude> tag to exclude the original /var/ossec/ruleset/decoders/0310-ssh_decoders.xml decoder file from the loading list. With this configuration, Wazuh loads the decoder file located in the /var/ossec/etc/decoders/ user directory instead of the file in the default directory.

<ruleset>
  <!-- Default ruleset -->
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>

  <!-- User-defined ruleset -->
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
  <decoder_exclude>ruleset/decoders/0310-ssh_decoders.xml</decoder_exclude>
</ruleset>

Make the changes into the /var/ossec/etc/decoders/0310-ssh_decoders.xml file.

Restart the Wazuh manager to apply the changes:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Warning

By excluding the original decoder file, you won't receive the updates it may receive. Your custom file will remain unchanged during upgrades. So, consider applying relevant changes manually.

Rules

Wazuh rules are a set of conditions written in XML format that define how log data should be interpreted. These rules are used by the Wazuh manager to detect specific patterns or behaviors within log messages and generate alerts or responses accordingly. They play a crucial role in threat detection, as they allow the system to identify potential security incidents based on predefined criteria.

Each rule typically consists of elements such as <rule>, <description>, <group> and <field>, among others. In which, the <description> element provides a clear explanation of the rule's purpose and functionality. Within the <group> element, rules are categorized based on their relevance or priority and the <field> element specifies the log data fields to be evaluated for matching conditions. Overall, the rules syntax in Wazuh facilitates the precise definition of criteria for detecting specific patterns or behaviors in log messages, contributing to effective threat detection and response mechanisms. For more information, take a look at the rule syntax documentation.

Additionally, each rule is assigned an ID and a level. The rule's level determines the severity of the alert triggered when the rule conditions are met. Levels range from 0 (ignored) to 16 (severe attack), with each level indicating a different level of security relevance. For detailed information, refer to the rules classification section.

Default rules

Wazuh default rules are the built-in rules that come with the Wazuh installation. They are available at /var/ossec/ruleset/rules/ on the Wazuh server. These rules cover a wide range of security events and log sources, providing a baseline for common security threats. Default rules are designed to detect various types of attacks, vulnerabilities, or suspicious activities. They are continuously updated and maintained by the Wazuh team to address emerging threats and ensure the effectiveness of the security detection capabilities.

Custom rules

Custom rules in Wazuh allow users to define specific conditions or patterns in log data that are relevant to their unique environment, applications, or security requirements. While Wazuh comes with a set of default rules covering a broad range of security events, custom rules enable users to tailor the system to their specific needs and enhance its capabilities.

Wazuh allows users to:

Add custom rules.
Modify the default rules.

Adding custom rules

Note

Use ID numbers between 100000 and 120000 for custom rules to avoid conflicts with out-of-the-box system rules.

Note

To make minor adjustments in your rules, use the /var/ossec/etc/rules/local_rules.xml file. We recommend creating new rule files in /var/ossec/etc/rules/ directory for changes on a larger scale.

Check out this example on how to create new rules. The following log corresponds to a program called example. We already created a custom decoder for this event in the Custom decoder section.

Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100'

Perform the following steps on the Wazuh server.

Add the following rule to /var/ossec/etc/rules/local_rules.xml file:

<group name="custom_rules_example,">
  <rule id="100010" level="0">
    <program_name>example</program_name>
    <description>User logged</description>
  </rule>
</group>

Run the /var/ossec/bin/wazuh-logtest utility and input the example log above to test the decoder and rule:

Type one log per line

Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100'

**Phase 1: Completed pre-decoding.
        full event: 'Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100''
        timestamp: 'Dec 25 20:45:02'
        hostname: 'MyHost'
        program_name: 'example'

**Phase 2: Completed decoding.
        name: 'example'
        dstuser: 'admin'
        srcip: '192.168.1.100'

**Phase 3: Completed filtering (rules).
        id: '100010'
        level: '0'
        description: 'User logged'
        groups: '['custom_rules_example']'
        firedtimes: '1'
        mail: 'False'

To test your rules using /var/ossec/bin/wazuh-logtest tool, saving the changes made to the rule files is enough. However, you need to restart the Wazuh manager to generate alerts based on these changes.

Restart the Wazuh manager to apply the changes:

# systemctl restart wazuh-manager

# service wazuh-manager restart

Changing existing rules

Warning

Modifications made to any rule file within the /var/ossec/ruleset/rules directory are overwritten during the upgrade process. Follow the procedure below to preserve your changes.

Wazuh allows you to modify its out-of-the-box rules. To do so, you have to copy the rules to a file under the /var/ossec/etc/rules/ directory on the Wazuh server, make the necessary changes, and add the overwrite="yes" tag to the modified rules. These steps guarantee that your changes won't be lost during upgrades.

Here is an example of how to change the level value of the SSH rule 5710 from 5 to 10.

Perform the steps below on the Wazuh server.

Open the /var/ossec/ruleset/rules/0095-sshd_rules.xml rule file.

Find and copy the rule definition for rule ID 5710:

<group name="syslog,sshd,">
  ...
  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
  ...
</group>

Paste the copied rule definition into /var/ossec/etc/rules/local_rules.xml. Modify the level value, and add overwrite="yes" to indicate that this rule overwrites an already defined rule:

<group name="syslog,sshd,">
 <rule id="5710" level="10" overwrite="yes">
   <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Warning

To maintain consistency across loaded rules, it is currently not possible to overwrite the if_sid, if_group, if_level, if_matched_sid, and if_matched_group labels. These tags are ignored when present in an overwrite rule, preserving the original values.

Restart the Wazuh manager to load the updated rules:

# systemctl restart wazuh-manager

# service wazuh-manager restart

The combination of default and custom rules allows Wazuh to provide a flexible and extensible security monitoring solution for different use cases.

Rules classification

Rules are categorized into multiple levels, ranging from the lowest (0) to the maximum (16). The table below outlines each level, providing insight into the severity of each triggered alert and aiding in the creation of custom rules.

Level	Title	Description
0	Ignored	No action taken. Used to avoid false positives. These rules are scanned before all the others, include events with no security relevance and do not appear in the security event dashboard.
2	System low priority notification	System notification or status messages. These have no security relevance and do not appear in the security event dashboard.
3	Successful/Authorized events	These include successful login attempts, firewall allow events, etc.
4	System low priority error	Errors related to bad configurations or unused devices/applications. These have no security relevance and are usually caused by default installations or software testing.
5	User generated error	These include missed passwords, denied actions, etc. By themselves, these have no security relevance.
6	Low relevance attack	These indicate a worm or a virus that has no effect on the system (like code red for Apache servers, etc). These also include frequent IDS events and frequent errors.
7	"Bad word" matching	These include words like "bad", "error", etc. These events are most of the time unclassified and may have some security relevance.
8	First time seen	Include first time seen events. First time an IDS event is fired or the first time a user logs in. It also includes security relevant actions such as the activation of a sniffer or similar activities.
9	Error from invalid source	Include attempts to login as an unknown user or from an invalid source. May have security relevance (especially if repeated). These also include errors regarding the "admin" (root) account.
10	Multiple user generated errors	These include multiple bad passwords, multiple failed logins, etc. These may indicate an attack or simply signal that a user has forgotten their credentials.
11	Integrity checking warning	These include messages regarding the modification of binaries or the presence of rootkits (by Rootcheck). These may indicate a successful attack. Also included IDS events that will be ignored (high number of repetitions).
12	High importance event	These include error or warning messages from the system, kernel, etc. These may indicate an attack against a specific application.
13	Unusual error (high importance)	It matches a common attack pattern most of the time.
14	High importance security event	It is triggered with correlation most of the time, and it indicates an attack.
15	Severe attack	No chances of false positives. Immediate attention is necessary.

Ruleset XML syntax

This section provides detailed information on how the rules and decoders syntax function.

Decoders Syntax

The decoders extract the information from the received events. When an event is received, the decoders separate the information into blocks to prepare them for subsequent analysis.

How it works

To understand how decoders work, it will be easier through examples.

Let’s consider the following log sample:

Sep 08 11:25:52 wazuh-server sudo[4543]: pam_unix(sudo-i:session): session opened for user root(uid=0) by wazuh-user(uid=1000)

The first step should always be to run the /var/ossec/bin/wazuh-logtest utility and input the event log to test the current decoder and rule before creating your own decoder.

With the event log above, we obtain the following result:

Type one log per line

Sep 08 11:25:52 wazuh-server sudo[4543]: pam_unix(sudo-i:session): session opened for user root(uid=0) by wazuh-user(uid=1000)

**Phase 1: Completed pre-decoding.
        full event: 'Sep 08 11:25:52 wazuh-server sudo[4543]: pam_unix(sudo-i:session): session opened for user root(uid=0) by wazuh-user(uid=1000)'
        timestamp: 'Sep 08 11:25:52'
        hostname: 'wazuh-server'
        program_name: 'sudo'

**Phase 2: Completed decoding.
        name: 'pam'
        parent: 'pam'
        dstuser: 'root(uid=0)'
        srcuser: 'wazuh-user'
        uid: '1000'

We can observe two phases of decoding. The input log first goes through the pre-decoding phase, during which general information, such as a timestamp, a hostname, and a program name, are extracted when a Syslog-like header is present.

In the decoding phase, the decoder extracts information from the remaining log. In this example, the decoder only analyzes the message: pam_unix(sudo-i:session): session opened for user root(uid=0) by wazuh-user(uid=1000).

Options

There are several decoder configuration options. Below, you can find a description of the XML labels used to configure decoders:

Option	Values	Description
decoder	Name of the decoder	This attribute defines the decoder.
parent	Any decoder's name	It will reference a parent decoder and the current one will become a child decoder.
accumulate	None	It allows tracking events over multiple log messages.
program_name	Any regex, sregex or pcre2 expression.	Sets a program name as a condition for applying the decoder. The log header must have a program name matching the regular expression.
prematch	Any regex or pcre2 expression.	Sets a regular expression as a condition for applying the decoder. The log must match the regular expression without considering any Syslog-like header.
regex	Any regex or pcre2 expression.	The decoder will use this option to find fields of interest and extract them.
order	See order table	The values that regex will extract will be stored in these groups.
fts	See fts table	First time seen.
ftscomment	Any String	Adds a comment to fts.
plugin_decoder	See below	Specifies a plugin that will do the decoding. Useful when the extraction with regex is not feasible.
use_own_name	True	Only for child decoders.
json_null_field	String	Adds the option of deciding how a null value from a JSON will be stored.
json_array_structure	String	Adds the option of deciding how an array structure from a JSON will be stored.
var	Name for the variable.	Defines variables that can be reused inside the same file.
type	See type table	It will set the type of log that the decoder is going to match.

decoder

The decoder option serves as the root element of a decoder file in Wazuh. It encapsulates the definition of a decoder, including its name, type, and the specific attributes that dictate how it processes and extracts information from log messages.

The attributes listed below define a decoder.

Attribute	Description
name	The name of the decoder

Example:

Below is a custom JSON decoder that extracts specific fields from a log message.

<decoder name="json_custom_decoder">
  <type>json</type>
  <program_name>application_logs</program_name>
  <regex>"message": "(.*?)"</regex>
  <order>message_content</order>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

parent

It is used to link a subordinate decoder to its parent. A parent decoder can have many child decoders but take into account that a child decoder cannot be a parent. It is possible to create sibling decoders, which is a handy decoding strategy to handle dynamic logs.

Default Value	n/a
Allowed values	Any decoder name

Example:

decoder_junior will trigger only if decoder_father has previously matched.

<decoder name="decoder_junior">
  <parent>decoder_father</parent>
  ...
</decoder>

accumulate

Allows Wazuh to track events over multiple log messages based on a decoded id. This is particularly useful for logs that span multiple lines or entries.

Note

Requires a regex populating the id field.

Example of use

program_name

This defines the program name that must be found in the log header to apply the decoder. The pre-decoding phase extracts the program name from input logs with Syslog-like headers.

Default Value	n/a
Allowed value	Any regex, sregex or pcre2 expression.

The attributes below are optional.

Attribute	Description	Value range	Default value
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If program_name label is declared multiple times within the decoder, the following rules apply:

The resulting value is their concatenation.
The resulting value of type attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

Example:

The decoder below uses the PCRE2 regular expression to match a program name called test, TEST or their equivalent (case-insensitive) in a log message:

<decoder name="test_decoder">
  <program_name type="pcre2">(?i)test</program_name>
  ...
</decoder>

prematch

Defines a regular expression that the log must match to apply the decoder. It is important to be as specific as possible to avoid matching unwanted events. Note that if the log is Syslog-like, then prematch only analyzes the log after the Syslog-like header. If the log is not Syslog-like, then it analyzes the entire log.

Default Value	n/a
Allowed values	Any regex or pcre2 expression.

You can use the optional attributes below with the prematch option.

Attribute	Description	Value range	Default value
offset	allows discarding some of the content of the entry	after_regex
offset	allows discarding some of the content of the entry	after_parent
type	allows to set regular expression type	osregex	osregex
type	allows to set regular expression type	pcre2	osregex

If prematch label is declared multiple times within the decoder, the following rules apply:

The resulting value is their concatenation.
The resulting value of type attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

regex

Regular expressions are sequences of characters that define a pattern. Decoders use them to find words or other patterns within log messages. The decoder will only extract those fields that are contained within parentheses.

An example is this regex that matches any numeral:

<regex> [+-]?(\d+(\.\d+)?|\.\d+)([eE][+-]?\d+)? </regex>

Default Value	n/a
Allowed values	Any regex or pcre2 expression.

When using the regex label, it is mandatory to define an order label as well. Besides, regex labels require a prematch or a program_name label defined on the same decoder or a parent with a prematch or a program_name label defined on it.

You can use the optional attributes below with the regex option.

Attribute	Description	Value range	Default value
offset	allows to discard some of the content of the entry	after_regex
		after_parent
		after_prematch
type	allows setting regular expression type	osregex	osregex
type	allows setting regular expression type	pcre2	osregex

If regex label is declared multiple times within the decoder, the following rules apply:

The resulting value is their concatenation.
The resulting value of the type attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

Example:

The decoder below matches a log message indicating when a user executed the sudo command for the first time:

<decoder name="sudo-fields">
  <parent>sudo</parent>
  <prematch>\s</prematch>
  <regex>^\s*(\S+)\s*:</regex>
  <order>srcuser</order>
  <fts>name,srcuser,location</fts>
  <ftscomment>First time user executed the sudo command</ftscomment>
</decoder>

order

It defines what the parenthesis groups contain and the order in which they were received. It requires a regex label defined on the same decoder. It can contain both static fields and dynamic fields.

Default Value	n/a
Static fields	srcuser	Extracts the source username
	dstuser	Extracts the destination (target) username
	user	An alias to dstuser (only one of the two can be used)
	srcip	Source IP address
	dstip	Destination IP address
	srcport	Source port
	dstport	Destination port
	protocol	Protocol
	system_name	System name
	id	Event id
	url	Url of the event
	action	Event action (deny, drop, accept, etc.)
	status	Event status (success, failure, etc.)
	data	Data
	extra_data	Any extra data
Dynamic fields	Any string not included in the previous list

fts

It specifies a decoder that triggers an alert the first time it matches.

Default Value	n/a
Allowed values	location	Indicates the origin of the log.
	srcuser	Extracts the source username
	dstuser	Extracts the destination (target) username
	user	An alias to dstuser (only one of the two can be used)
	srcip	Source IP address
	dstip	Destination IP address
	srcport	Source port
	dstport	Destination port
	protocol	Protocol
	system_name	System name
	id	Event ID
	url	Url of the event
	action	Event action (deny, drop, accept, etc.)
	status	Event status (success, failure, etc.)
	data	Data
	extra_data	Any extra data

Example:

The following decoder will extract the user who generated the alert and the location from where it comes:

<decoder name="fts-decoder">
  <fts>srcuser, location</fts>
  ...
</decoder>

The decoder will consider this option if the decoded event triggers a rule that uses if_fts.

ftscomment

It adds a comment to a decoder when <fts> tag is used.

Default Value	n/a
Allowed values	Any string

plugin_decoder

Use a specific plugin decoder to decode the incoming fields. It is useful for particular cases where it would be tricky to extract the fields by using regexes.

Default Value	n/a
Allowed values	PF_Decoder
	SymantecWS_Decoder
	SonicWall_Decoder
	OSSECAlert_Decoder
	JSON_Decoder

The attribute below is optional; it allows to start the decode process after a particular point of the log.

Attribute

Value

offset

after_parent

after_prematch

An example of its use is described at the JSON decoder section.

use_own_name

Allows setting the name of the child decoder from the name attribute instead of using the name of the parent decoder.

Default Value	n/a
Allowed values	true

json_null_field

Specifies how to treat the NULL fields coming from the JSON events. Only for the JSON decoder.

Default Value	string
Allowed values	string (It shows the NULL value as a string)
Allowed values	discard (It discards NULL fields and doesn't store them into the alert)

json_array_structure

Specifies how to treat the array structures coming from the JSON events. Only for the JSON decoder.

Default Value	array
Allowed values	array (It shows the array structures as JSON arrays)
Allowed values	csv (It shows the array structures as CSV strings)

var

Defines a variable that can be used in any decoder within the same decoder file. It must be defined at the beginning of the decoder file and not inside a tagged section.

Attribute	Value
name	Name for the variable.

Example:

<var name="header">myprog</var>
<var name="offset">after_parent</var>
<var name="type">syscall</var>

<decoder name="syscall">
  <prematch>^$header</prematch>
</decoder>

<decoder name="syscall-child">
  <parent>syscall</parent>
  <prematch offset="$offset">^: $type </prematch>
  <regex offset="after_prematch">(\S+)</regex>
  <order>syscall</order>
</decoder>

type

It sets the type of log that the decoder is going to match.

Default Value	syslog
Allowed values	firewall
	ids
	web-log
	syslog
	squid
	windows
	host-information
	ossec

Example:

Set type of decoder to syslog:

<decoder>
  <type>syslog</type>
  ...
</decoder>

Rules Syntax

The Wazuh ruleset, combined with any custom rules, analyzes incoming events. It generates alerts when all specified conditions within a rule are met. The ruleset is constantly expanding and improving thanks to the collaborative efforts of our developers and growing community.

Options

Below, you can find a description of the XML labels used to configure rules.

Option	Values	Description
rule	See this table below.	Declares a new rule and its defining options.
match	Any regular expression.	Attempts to find a match in the log using sregex by default, deciding if the rule should be triggered.
regex	Any regular expression.	Does the same as `match`, but with regex as default.
decoded_as	Any decoder's name.	Matches with logs that have been decoded by a specific decoder.
category	Any type.	Matches logs with the corresponding decoder's type.
field	Name and any regular expression.	Compares a field extracted by the decoder in order with a regular expression.
srcip	Any IP address.	Compares the IP address with the IP decoded as `srcip`.
dstip	Any IP address.	Compares the IP address with the IP decoded as `dstip`.
srcport	Any regular expression.	Compares a regular expression representing a port with a value decoded as `srcport`.
dstport	Any regular expression.	Compares a regular expression representing a port with a value decoded as `dstport`.
data	Any regular expression.	Compares a regular expression representing data with a value decoded as `data`.
extra_data	Any regular expression.	Compares a regular expression representing extra data with a value decoded as `extra_data`.
user	Any regular expression.	Compares a regular expression representing a user with a value decoded as `user`.
system_name	Any regular expression.	Compares a regular expression representing a system name with a value decoded as `system_name`.
program_name	Any regular expression.	Compares a regular expression representing a program name with a value pre-decoded as `program_name`.
protocol	Any regular expression.	Compares a regular expression representing a protocol with a value decoded as `protocol`.
hostname	Any regular expression.	Compares a regular expression representing a hostname with a value pre-decoded as `hostname`.
time	Any time range. e.g. (hh:mm-hh:mm)	Checks if the event was generated during that time range.
weekday	monday - sunday, weekdays, weekends	Checks whether the event was generated during certain weekdays.
id	Any regular expression.	Compares a regular expression representing an ID with a value decoded as `id`
url	Any regular expression.	Compares a regular expression representing a URL with a value decoded as `url`
location	Any regular expression.	Compares a regular expression representing a location with a value pre-decoded as `location`.
action	Any String or regular expression.	Compares a string or regular expression representing an action with a value decoded as `action`.
status	Any regular expression.	Compares a regular expression representing a status with a value decoded as `status`.
srcgeoip	Any regular expression.	Compares a regular expression representing a GeoIP source with a value decoded as `srcgeoip`.
dstgeoip	Any regular expression.	Compares a regular expression representing a GeoIP destination with a value decoded as `dstgeoip`.
if_sid	A list of rule IDs separated by commas or spaces.	Similar to parent decoder, it matches when a rule ID on the list has previously matched.
if_group	Any group name.	Matches if the indicated group has matched before.
if_level	Any level from 1 to 16.	Matches if that level has already been triggered by another rule.
if_matched_sid	Any rule ID (Number).	Similar to `if_sid` but it will only match if the ID has been triggered in a period of time.
if_matched_group	Any group name.	Similar to `if_group` but it will only match if the group has been triggered in a period of time.
same_id	None.	The decoded `id` must be the same.
different_id	None.	The decoded `id` must be different.
same_srcip	None.	The decoded `srcip` must be the same.
different_srcip	None.	The decoded `srcip` must be different.
same_dstip	None.	The decoded `dstip` must be the same.
different_dstip	None.	The decoded `dstip` must be different.
same_srcport	None.	The decoded `srcport` must be the same.
different_srcport	None.	The decoded `srcport` must be different.
same_dstport	None.	The decoded `dstport` must be the same.
different_dstport	None.	The decoded `dstport` must be different.
same_location	None.	The `location` must be the same.
different_location	None.	The `location` must be different.
same_srcuser	None.	The decoded `srcuser` must be the same.
different_srcuser	None.	The decoded `srcuser` must be different.
same_user	None.	The decoded `user` must be the same.
different_user	None.	The decoded `user` must be different.
same_field	None.	The decoded `field` must be the same as the previous ones.
different_field	None.	The decoded `field` must be different from the previous ones.
same_protocol	None.	The decoded `protocol` must be the same.
different_protocol	None.	The decoded `protocol` must be different.
same_action	None.	The decoded `action` must be the same.
different_action	None.	The decoded `action` must be different.
same_data	None.	The decoded `data` must be the same.
different_data	None.	The decoded `data` must be different.
same_extra_data	None.	The decoded `extra_data` must be the same.
different_extra_data	None.	The decoded `extra_data` must be different.
same_status	None.	The decoded `status` must be the same.
different_status	None.	The decoded `status` must be different.
same_system_name	None.	The decoded `system_name` must be the same.
different_system_name	None.	The decoded `system_name` must be different.
same_url	None.	The decoded `url` must be the same.
different_url	None.	The decoded `url` must be different.
same_srcgeoip	None.	The decoded `srcgeoip` must the same.
different_srcgeoip	None.	The decoded `srcgeoip` must be different.
same_dstgeoip	None.	The decoded `dstgeoip` must the same.
different_dstgeoip	None.	The decoded `dstgeoip` must be different.
description	Any String.	Provides a human-readable description to explain the purpose of the rule. Always use this field when creating custom rules.
list	Path to the CDB file.	Perform a CDB lookup using a CDB list.
info	Any String.	Extra information using certain attributes.
options	See the table below.	Additional rule options that can be used.
check_diff	None.	Determines when the output of a command changes.
group	Any String.	Add additional groups to the alert.
mitre	See Mitre table below.	Contains Mitre Technique IDs that fit the rule
var	Name for the variable. Most used: BAD_WORDS	Defines a variable that can be used anywhere inside the same file.

group

Groups categorize alerts. They allow filtering related alerts in the Wazuh dashboard.

The default Wazuh ruleset already includes rules that use groups like syscheck,, attack,, and syslog,. As an example, you can filter alerts for these categories by querying rule.groups: attack or rule.groups: (syscheck OR syslog) in the Wazuh dashboard.

Every rule must belong to at least one group. To specify one or more groups for a rule, enclose the rule definition with the <group name="GROUP1_NAME,GROUP2_NAME,"> element. For example:

<group name="limits,">
 <rule id="100234" level="3">
    <if_sid>230</if_sid>
    <field name="alert_type">normal</field>
    <description>The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored.</description>
  </rule>
</group>

You can also specify additional groups by including the <group> element within the rule definition. For example:

<group name="limits,">
  <rule id="100234" level="3">
    <if_sid>230</if_sid>
    <field name="alert_type">normal</field>
    <description>The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored.</description>
   <group>syscheck,fim_db_state,</group>
 </rule>
</group>

To define rules that trigger only if another rule in a specific group has triggered, check the if_group and if_matched_group options.

rule

<rule> is the label that starts the block defining a rule. In this section, we describe the various options associated with this label.

level	Definition	Specifies the level of the rule. Alerts and responses use this value.
level	Allowed values	0 to 16
id	Definition	Specifies the ID of the rule.
id	Allowed values	Any number from 1 to 999999
maxsize	Definition	Specifies the maximum size of the event.
maxsize	Allowed values	Any number from 1 to 9999
frequency	Definition	Number of times the rule must match before generating an alert.
frequency	Allowed values	Any number from 2 to 9999
timeframe	Definition	The timeframe in seconds. This option is intended to be used with the frequency option.
timeframe	Allowed values	Any number from 1 to 99999
ignore	Definition	The time (in seconds) to ignore this rule after it triggers(to avoid floods).
ignore	Allowed values	Any number from 1 to 999999
overwrite	Definition	Used to replace a rule with local changes. To maintain consistency between loaded rules, `if_sid`, `if_group`, `if_level`, `if_matched_sid`, and `if_matched_group` labels are not taken into account when overwriting a rule. If any of these are encountered, the original value prevails.
overwrite	Allowed values	yes, no
noalert	Definition	Does not trigger an alert if the rule matches.
noalert	Allowed values	`0` (alerts, value by default) or `1` (no alerts). If `noalert` is set to `1`, the event continues analyzing other rules despite the rule matches.

Example:

<rule id="50180" level="10" frequency="8" timeframe="120" ignore="60">
  <if_matched_sid>50125</if_matched_sid>
  <description>MySQL: Multiple errors.</description>
  <mitre>
    <id>T1499</id>
  </mitre>
  <group>service_availability,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

The rule with ID 50180 triggers a level 10 alert if rule 50125 matches 8 times within 120 seconds. To prevent floods, it is ignored for 60 seconds after triggering.

match

Used as a requisite to trigger a rule. It will search for a match in the log event.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

Example:

<rule id="100001" maxsize="300" level="3">
  <if_sid>100200</if_sid>
  <match>Queue flood!</match>
  <description>Flooded events queue.</description>
</rule>

If the rule 100200 is matched and the log message contains the phrase Queue flood!, the rule 100001 triggers a level 3 alert.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If match label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

regex

Used as a requisite to trigger a rule. It will search for a match in the log event.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

Example:

<rule id="100001" level="3">
  <if_sid>100500</if_sid>
  <regex>\b(?:\d{1,3}\.){3}\d{1,3}\b</regex>
  <description>Matches any valid IP</description>
</rule>

If the rule 100500 is matched and the event contains any valid IPv4, the rule 100001 is triggered, generating a level 3 alert.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osregex	osregex
		osmatch
		pcre2

If regex label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

decoded_as

Used as a requisite to trigger a rule. It will be triggered if the event has been decoded by a certain decoder. Useful to group rules and have child rules inherit from it.

Default Value	n/a
Allowed values	Any decoder name

Example:

<rule id="53500" level="0">
  <decoded_as>smtpd</decoded_as>
  <description>OpenSMTPd grouping.</description>
</rule>

The rule will be triggered if the event was decoded by the smtpd decoder. You can create more rules specifically tailored for OpenSMTPd events that will inherit from this one.

field

Used as a requisite to trigger a rule. It will check for a match in the content of a field extracted by the decoder.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

Below is the list of attributes.

Attribute	Description	Value range	Default value
name	specifies the name of the field extracted by the decoder.	n/a	n/a
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osregex	osregex
		osmatch
		pcre2

Example:

<rule id="87100" level="0">
    <decoded_as>json</decoded_as>
    <field name="integration">virustotal</field>
    <description>VirusTotal integration messages.</description>
    <options>no_full_log</options>
</rule>

This rule groups events decoded from json that belong to an integration called VirusTotal. It checks the field decoded as integration and if its content is virustotal, the rule is triggered.

If the field option is declared multiple times within a rule, Wazuh evaluates them as logical AND conditions. This means that each field requirement must be met for the rule to trigger.

Example:

<rule id="100001" level="5">
    <decoded_as>json</decoded_as>
    <field name="program_name">powershell.exe</field>
    <field name="command">Set-MpPreference -DisableRealtimeMonitoring</field>
    <description>PowerShell used to disable Windows Defender real-time protection.</description>
</rule>

This rule triggers only when both of the following field values are present in a log:

The field decoded as program_name contains powershell.exe.
The field decoded as command contains Set-MpPreference -DisableRealtimeMonitoring.

By combining two fields, the rule ensures higher precision and reduces false positives.

srcip

Used as a requisite to trigger a rule. It compares any IP address or CIDR block to an IP decoded as srcip.

Default Value	n/a
Allowed values	Any IP address

Example:

<rule id="100105" level="8">
    <if_sid>100100</if_sid>
    <srcip>10.25.23.12</srcip>
    <description>Forbidden srcip has been detected.</description>
</rule>

This rule will trigger when that exact scrip has been decoded.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the IP address	no	no
negate	allows to negate the IP address	yes	no

If srcip label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

dstip

Used as a requisite to trigger a rule. It compares any IP address or CIDR block to an IP decoded as dstip.

Default Value	n/a
Allowed values	Any IPv4 IP address

Example:

<rule id="100110" level="5">
    <if_sid>100100</if_sid>
    <dstip negate=”yes”>198.168.41.30</dstip>
    <description>A different dstip has been detected.</description>
</rule>

This rule will trigger when a dstip different from 198.168.41.30 is detected.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows you to negate the IP address	no	no
negate	allows you to negate the IP address	yes	no

If the dstip label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

srcport

Used as a requisite to trigger a rule. It will check the source port (decoded as srcport).

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

Example:

<rule id="100110" level="5">
    <if_sid>100100</if_sid>
    <srcport type="pcre2">^5000[0-7]$</srcport>
    <description>Source port $(srcport) is detected.</description>
</rule>

This rule will trigger when srcport is in the range of 50000 to 50007.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the srcport label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

dstport

Used as a requisite to trigger a rule. It will check the destination port (decoded as dstport).

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the dstport label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

data

Used as a requirement to trigger a rule, it compares a regular expression representing a data with a value decoded as data.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the data label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

extra_data

Used as a requirement to trigger a rule, it compares a regular expression representing a data with a value decoded as extra_data.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

Example:

<rule id="7301" level="0">
  <category>windows</category>
  <extra_data>^Symantec AntiVirus</extra_data>
  <description>Grouping of Symantec AV rules from eventlog.</description>
</rule>

This rule will trigger when the log belongs to windows category and the decoded field extra_data is: Symantec AntiVirus

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the extra_data label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

user

Used as a requirement to trigger a rule, it compares a regular expression representing a user with a value decoded as user.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

Example:

May  9 08:58:13 my-server sudo[3856]: pam_unix(sudo:session): session opened for user foo by vagrant(uid=1000)

<rule id="140101" level="12">
  <if_group>authentication_success</if_group>
  <user negate="yes">wazuh|root</user>
  <description>Unexpected user successfully logged to the system.</description>
</rule>

This rule triggers when a user different from root or wazuh successfully logs in to the system.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the user label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

system_name

Used as a requirement to trigger a rule, it compares a regular expression representing a system name with a value decoded as system_name.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the system_name label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

program_name

Used as a requirement to trigger a rule, it compares a regular expression representing a program name with a value decoded as program_name.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

Example:

<rule id="1005" level="5">
  <program_name>syslogd</program_name>
  <match>^restart</match>
  <description>Syslogd restarted.</description>
  <group>pci_dss_10.6.1,gpg13_10.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
</rule>

The rule will trigger when the program Syslogd is restarted.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the program_name label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

protocol

Used as a requirement to trigger a rule, it compares a regular expression representing a protocol with a value decoded as protocol.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the protocol label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

hostname

Used as a requirement to trigger a rule, it compares a regular expression representing a hostname with a value decoded as hostname.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

Example:

<rule id="2931" level="0">
  <hostname>yum.log$</hostname>
  <match>^Installed|^Updated|^Erased</match>
  <description>Yum logs.</description>
</rule>

This rule will group rules for Yum logs when something is either being installed, updated or erased.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the hostname label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

time

Used as a requisite to trigger a rule. It checks the event time based on the Wazuh server time, not the event timestamp. You must configure local time settings correctly to prevent unexpected triggers.

Default Value	n/a
Allowed values	Any time range (hh:mm-hh:mm, hh:mm am-hh:mm pm, hh-hh, hh am-hh pm)

Example:

<rule id="17101" level="9">
  <if_group>authentication_success</if_group>
  <time>6 pm - 8:30 am</time>
  <description>Successful login during non-business hours.</description>
  <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,</group>
</rule>

This rule triggers on successful logins occurring between 6 PM and 8 AM Wazuh server time.

weekday

Used as a requisite to trigger a rule. It checks the event weekday based on the Wazuh server time, not the event timestamp. You must configure local time settings correctly to prevent unexpected triggers.

Default Value	n/a
Allowed values	monday - sunday, weekdays, weekends

Example:

<rule id="17102" level="9">
  <if_group>authentication_success</if_group>
  <weekday>weekends</weekday>
  <description>Successful login during weekend.</description>
  <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,</group>
</rule>

This rule triggers on successful logins during the weekend.

id

Used as a requisite to trigger a rule. It compares a regular expression that represents an ID with a value decoded as id.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

Example:

Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575

<rule id="81100" level="0">
    <decoded_as>kernel</decoded_as>
    <id>usb</id>
    <description>USB messages grouped.</description>
</rule>

This rule will check the content of the field id and group the logs whose decoded ID is usb.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the id label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

url

Used as a requisite to trigger a rule. It compares a regular expression representing a URL with a value decoded as url.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

Example:

<rule id="31102" level="0">
  <if_sid>31101</if_sid>
  <url>.jpg$|.gif$|favicon.ico$|.png$|robots.txt$|.css$|.js$|.jpeg$</url>
  <compiled_rule>is_simple_http_request</compiled_rule>
  <description>Ignored extensions on 400 error codes.</description>
</rule>

This rule is a child from a level 5 rule 31101 and becomes a level 0 rule when it confirms that the extensions are benign.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the url label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

location

Used as a requisite to trigger a rule. It will check the content of the field location and try to find a match.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

The location identifies the origin of the input. If the event comes from an agent, its name and registered IP address (as it was added) is appended to the location.

Example of a location for a log pulled from /var/log/syslog in an agent with name dbserver and registered with IP any:

(dbserver) any->/var/log/syslog

The following components use a static location:

Component	Location
Windows Eventchannel	EventChannel
Windows Eventlog	WinEvtLog
FIM (Syscheck)	syscheck
Rootcheck	rootcheck
Syscollector	syscollector
Vuln Detector	vulnerability-detector
Azure Logs	azure-logs
AWS S3 integration	aws-s3
Docker integration	Wazuh-Docker
SCA module	sca

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the location label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

action

Used as a requirement to trigger a rule, it compares a regular expression representing an action with a value decoded as action.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

Example:

<rule id="4502" level="4">
  <if_sid>4500</if_sid>
  <action type="osregex">warning|WARN</action>
  <description>Netscreen warning message.</description>
</rule>

This rule will trigger a level 4 alert when the decoded action from Netscreen is warning or WARN.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	string
		osregex
		pcre2

Note

Use type attribute only for regular expression match. It must be omitted if the action field tries to match a string.

If the action label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

status

Compares a regular expression representing a status with a value decoded as status.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

Example:

<rule id="213" level="7">
  <if_sid>210</if_sid>
  <status>aborted</status>
  <description>Remote upgrade could not be launched. Error: $(error).</description>
  <group>upgrade,upgrade_failure,</group>
</rule>

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the status label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

srcgeoip

Used as a requirement to trigger a rule, it compares a regular expression representing a source GeoIP with a value decoded as srcgeoip.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the srcgeoip label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

dstgeoip

Used as a requirement to trigger a rule, it compares a regular expression representing a destination GeoIP with a value decoded as dstgeoip.

Default Value	n/a
Allowed values	Any regex, sregex or pcre2 expression.

The attributes below are optional.

Attribute	Description	Value range	Default value
negate	allows to negate the regular expression	no	no
negate	allows to negate the regular expression	yes	no
type	allows to set regular expression type	osmatch	osmatch
		osregex
		pcre2

If the dstgeoip label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.
The resulting value of an attribute corresponds to the one specified in the last label. If it is not specified, the default value is used.

if_sid

Used as a requisite to trigger a rule. This option matches if the log has previously matched a rule in the specified ID. It is similar to a child decoder, with the key difference that alerts can have as many descendants as necessary, whereas decoders cannot have "grandchildren".

Default Value	n/a
Allowed values	Any rule ID. Multiple values must be separated by commas or spaces.

Example:

<rule id="100110" level="5">
  <if_sid>100100, 100101</if_sid>
  <match>Error</match>
  <description>There is an error in the log.</description>
</rule>

The rule 100110 is triggered when either of the parent rules has matched and the logs contain the word Error.

if_group

Used as a requisite to trigger a rule. This option matches if the log has previously matched a rule in the specified group.

Default Value	n/a
Allowed values	Any Group

Example:

<rule id="184676" level="12">
    <if_group>sysmon_event1</if_group>
    <field name="sysmon.image">lsm.exe</field>
    <description>Sysmon - Suspicious Process - lsm.exe</description>
    <group>pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_SI.4,</group>
</rule>

The rule matches if the log has previously matched a rule in the sysmon_event1 group and if the decoded field sysmon.image contains the value lsm.exe.

if_level

Matches if the level has matched before.

Default Value	n/a
Allowed values	Any level from 1 to 16

if_matched_sid

Matches if an alert of the defined ID has been triggered in a set number of seconds.

This option is used in conjunction with frequency and timeframe.

Default Value	n/a
Allowed values	Any rule id

Note

Rules at level 0 are discarded immediately and will not be used with if_matched_rules. The level must be at least 1, but you will have to add the <no_log> option to the rule to ensure it is not logged.

Example:

<rule id="30202" level="10" frequency="10" timeframe="120">
  <if_matched_sid>30201</if_matched_sid>
  <description>ModSecurity: Multiple attempts blocked.</description>
  <mitre>
    <id>T1110</id>
  </mitre>
  <group>access_denied,gdpr_IV_35.7.d,hipaa_164.312.b,modsecurity,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,pci_dss_10.2.4,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

The rule triggers when rule 30201 matches 10 times within 120 seconds.

if_matched_group

Matches if an alert of the defined group has been triggered in a set number of seconds.

This option is used in conjunction with frequency and timeframe.

Default Value	n/a
Allowed values	Any Group

Example:

<rule id="40113" level="12" frequency="8" timeframe="360">
  <if_matched_group>virus</if_matched_group>
  <description>Multiple viruses detected - Possible outbreak.</description>
  <group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,nist_800_53_SI.3,nist_800_53_SI.4,</group>
</rule>

The rule will trigger when the group virus has been matched 8 times in the last 360 seconds.

if_fts

Makes the decoder that processed the event to take the fts line into consideration.

Example of use

<if_fts />

Note

The dynamic filters same_field or not_same_field will not work with the static fields (user, srcip, dstip, etc.) and the specific ones have to be used instead.

same_id

Specifies that the decoded ID must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_id />

different_id

Specifies that the decoded id must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_id />

same_srcip

Specifies that the decoded source IP address must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_srcip />

The deprecated label same_source_ip works like an alias for same_srcip.

different_srcip

Specifies that the decoded source IP address must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_srcip />

The deprecated label not_same_source_ip works like an alias for different_srcip.

same_dstip

Specifies that the decoded destination IP address must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_dstip />

different_dstip

Specifies that the decoded destination IP address must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_dstip />

same_srcport

Specifies that the decoded source port must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_srcport />

different_srcport

Specifies that the decoded source port must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_srcport />

same_dstport

Specifies that the decoded destination port must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_dstport />

different_dstport

Specifies that the decoded destination port must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_dstport />

same_location

Specifies that the location must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_location />

different_location

Specifies that the decoded location must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_location />

same_srcuser

Specifies that the decoded source user must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_srcuser />

different_srcuser

Specifies that the decoded source user must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_srcuser />

same_user

Specifies that the decoded user must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_user />

different_user

Specifies that the decoded user must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_user />

same_field

The value of the dynamic field specified in this option must appear a certain number of times in previous events, as defined by the frequency attribute, within a time frame specified by the timeframe attribute.

Example of use

<same_field>key</same_field>

As an example of this option, check these rules:

<!-- {"key":"value", "key2":"AAAA"} -->
<rule id="100001" level="3">
  <decoded_as>json</decoded_as>
  <field name="key">value</field>
  <description>Testing JSON alert</description>
</rule>

<rule id="100002" level="10" frequency="4" timeframe="300">
  <if_matched_sid>100001</if_matched_sid>
  <same_field>key2</same_field>
  <description>Testing same_field option</description>
</rule>

Rule 100002 will fire when key2 in the currently considered event is the same in four events that matched rule 100001 within the last 300 seconds. Consider the following event logs generated in less than 300 seconds:

{"key":"value", "key2":"AAAA"}
{"key":"value", "key2":"AAAA"}
{"key":"value", "key2":"BBBB"}
{"key":"value", "key2":"AAAA"}
{"key":"value", "key2":"CCCC"}
{"key":"value", "key2":"CCCC"}
{"key":"value", "key2":"AAAA"}

The last event will fire rule 100002 instead of 100001 because it found the value AAAA in three of the previous events. The corresponding alert looks like the following:

{
  "timestamp": "2020-03-04T03:00:28.973-0800",
  "rule": {
    "level": 10,
   "description": "Testing same_field option",
   "id": "100002",
    "frequency": 4,
    "firedtimes": 1,
    "mail": false,
    "groups": [
      "local"
    ]
  },
  "agent": {
    "id": "000",
    "name": "ubuntu"
  },
  "manager": {
    "name": "ubuntu"
  },
  "id": "1583319628.14426",
  "previous_output": "{\"key\":\"value\",\"key2\":\"AAAA\"}\n{\"key\":\"value\",\"key2\":\"AAAA\"}\n{\"key\":\"value\",\"key2\":\"AAAA\"}",
  "full_log": "{\"key\":\"value\",\"key2\":\"AAAA\"}",
  "decoder": {
    "name": "json"
  },
  "data": {
    "key": "value",
    "key2": "AAAA"
  },
  "location": "/root/test.log"
}

different_field

It is the opposite setting of same_field. The value of the dynamic field specified in this option must differ from those found in previous events a certain number of times. This is defined by the frequency attribute, within a time frame specified by the timeframe attribute.

Example of use

<different_field>key2</different_field>

global_frequency

Specifies that the events of all agents will be contemplated when using the frequency and timeframe options. By default, only the events generated by the same agent will be taken into account to increase the frequency counter for a rule.

Example of use

<global_frequency />

Warning

Although the label contains the word global, this option works at manager level, not at cluster level.

same_protocol

Specifies that the decoded protocol must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_protocol />

different_protocol

Specifies that the decoded protocol must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_protocol />

same_action

Specifies that the decoded action must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_action />

different_action

Specifies that the decoded data must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<different_action />

same_data

Specifies that the decoded data must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_data />

different_data

Specifies that the decoded data must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_data />

same_extra_data

Specifies that the decoded extra data must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_extra_data />

different_extra_data

Specifies that the decoded extra data must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_extra_data />

same_status

Specifies that the decoded status must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_status />

different_status

Specifies that the decoded status must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_status />

same_system_name

Specifies that the decoded system name must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_system_name />

different_system_name

Specifies that the decoded system name must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_system_name />

same_url

Specifies that the decoded url must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_url />

different_url

Specifies that the decoded url must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_url />

same_srcgeoip

Specifies that the source GeoIP location must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_srcgeoip />

different_srcgeoip

Specifies that the source GeoIP location must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_srcgeoip />

Example:

As an example of these last options, check this rule:

<rule id=100005 level="0">
  <match> Could not open /home </match>
  <same_user />
  <different_srcgeoip />
  <same_dstport />
</rule>

The rule filters when the same user tries to open file /home but returns an error, on a different GeoIP and using the same destination port.

same_dstgeoip

Specifies that the destination GeoIP location must be the same. This option is used in conjunction with frequency and timeframe.

Example of use

<same_dstgeoip />

different_dstgeoip

Specifies that the destination GeoIP location must be different. This option is used in conjunction with frequency and timeframe.

Example of use

<different_dstgeoip />

description

Specifies a human-readable description of the rule to provide context to each alert regarding the nature of the events matched by it.

Default Value	n/a
Allowed values	Any string

Examples:

<rule id="100015" level="2">
  ...
  <description>A timeout occurred.</description>
</rule>

<rule id="100035" level="4">
  ...
  <description>File missing. Root access unrestricted.</description>
</rule>

Since Wazuh version 3.3, it is possible to include any decoded field (static or dynamic) to the description message. You can use the following syntax: $(field_name) to add a field to the description.

Example:

<rule id="100005" level="8">
  <match>illegal user|invalid user</match>
  <description>sshd: Attempt to login using a non-existent user from IP $(attempt_ip)</description>
  <options>no_log</options>
</rule>

If description label is declared multiple times within the rule, the following rules apply:

The resulting value is their concatenation.

list

Perform a Constant DataBase lookup using a CDB list. This is a fast on-disk database which will always find keys within two seeks of the file.

Default Value	n/a
Allowed values	Path to the CDB file to be used for lookup from the Wazuh directory. Must also be included in the `/var/ossec/etc/ossec.conf` file.

Attribute	Description
field	key in the CDB: srcip, srcport, dstip, dstport, extra_data, user, url, id, hostname, program_name, status, action, dynamic field.
lookup	match_key	Matches if the key value is present in the CDB list. Works by default.
	not_match_key	Matches if the key value is not present in the CDB list.
	match_key_value	Searches for a key value in the CDB list
	address_match_key	IP address and the key to search within the CDB and will match if the key is present.
	not_address_match_key	IP address and the key to search and will match if it IS NOT present in the database.
	address_match_key_value	IP address to search in the CDB. It is compared with regex from attribute check_value.
check_value	regex for matching on the value pulled out of the CDB when using types: address_match_key_value, match_key_value

Example:

<rule id="80780" level="3">
    <if_sid>80700</if_sid>
    <list field="audit.key" lookup="match_key_value" check_value="write">etc/lists/audit-keys</list>
    <description>Audit: Watch - Write access</description>
    <group>audit_watch_write,gdpr_IV_30.1.g,</group>
</rule>

The rule will look for audit.key in the CDB list. Where it will check if it is equal to write, in which case it will match and trigger a level 3 alert.

info

You can add extra information through the following attributes:

Default Value	n/a
Allowed values	Any string

Attribute	Allowed values	Description
type	text	This is the default when no type is selected. Additional information about the alert/event.
	link	Link to more information about the alert/event.
	cve	The CVE Number related to this alert/event.
	ovsdb	The osvdb id related to this alert/event.

Example:

<rule id="5714" level="14" timeframe="120" frequency="3">
  <if_matched_sid>5713</if_matched_sid>
  <match>Local: crc32 compensation attack</match>
  <description>sshd: SSH CRC-32 Compensation attack</description>
  <info type="cve">2001-0144</info>
  <info type="link">http://www.securityfocus.com/bid/2347/info/</info>
  <group>exploit_attempt,pci_dss_11.4,pci_dss_6.2,gpg13_4.12,gdpr_IV_35.7.d,nist_800_53_SI.4,nist_800_53_SI.2,</group>
</rule>

The rule provides additional information about the threat it detects.

options

Additional rule options.

Attribute	Description
alert_by_email	Always alert by email.
no_email_alert	Never alert by email.
no_log	Do not log this alert.
no_full_log	Do not include the `full_log` field in the alert.
no_counter	Omit field `rule.firedtimes` in the JSON alert.

Example:

<rule id="9800" level="8">
  <match>illegal user|invalid user</match>
  <description>sshd: Attempt to login using a non-existent user</description>
  <options>no_log</options>
</rule>

Note

Use one <options> tag for each option you want to add.

check_diff

Used to determine when the output of a command changes.

Example:

<rule id="534" level="1">
  <if_sid>530</if_sid>
  <match>ossec: output: 'w'</match>
  <check_diff />
  <options>no_log</options>
  <description>List of logged in users. It will not be alerted by default.</description>
</rule>

mitre

Specifies the MITRE ATT&CK technique ID or IDs that fit in well with the rule.

Required label	Value
id	MITRE ATT&CK technique ID.

Example:

<rule id="100002" level="10">
  <description>Attack technique sample.</description>
  <mitre>
    <id>T1110</id>
    <id>T1037</id>
  </mitre>
</rule>

var

Defines a variable that can be used in any rule within the same rule file. It must be defined at the base level of the rule file, not inside a tagged section.

Attribute	Value
name	Name for the variable.

Example:

<var name="joe_folder">/home/joe/</var>

<group name="local,">

   <rule id="100001" level="5">
     <if_sid>550</if_sid>
    <field name="file">^$joe_folder</field>
    <description>A Joe's file was modified.</description>
     <group>ossec,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,</group>
   </rule>

</group>

BAD_WORDS

<var name="BAD_WORDS">error|warning|failure</var>

BAD_WORDS is a commonly used case of the <var> option.

It is used to include many words in the same variable. This variable can then be included into the rules to check if any of those words are in a caught event.

Example:

<var name="BAD_WORDS">error|warning|failure</var>
<group name="syslog,errors,">
  <rule id="XXXX" level="2">
   <match>$BAD_WORDS</match>
   <description>Error found.</description>
  </rule>
</group>

Regular Expression Syntax

Regular expressions or regex are sequences of characters that define a pattern.

There are three types of regular expressions: regex (OS_Regex), sregex (OS_Match) and PCRE2.

Regex (OS_Regex) syntax

This is a fast and simple library for regular expressions in C.

This library is designed to be simple while still supporting the most common regular expressions.

Supported expressions

Expressions	Valid characters
\w	A-Z, a-z, 0-9, '-', '@', '_' characters
\d	0-9 character
\s	Spaces " "
\t	Tabs
\p	()*+,-.:;<=>?[]!"'#$%&\|{}
\W	Anything not \w
\D	Anything not \d
\S	Anything not \s
\.	Anything

Sregex (OS_Match) syntax

This is faster than OS_Regex, but only supports simple string matching and the following special characters.

Special characters

Expressions	Actions
^	To specify the beginning of the text
$	To specify the end of the text
\|	To create a logic: or, between multiple patterns
!	To negate the expression

PCRE2 syntax

Perl Compatible Regular Expressions (PCRE) tries to match Perl syntax and semantics as closely as it can.

It provides features like recursive patterns, look-ahead and look-behind assertions, non-capturing groups, non-greedy quantifiers, extended syntax for characters and character classes, and many others. For more details, please refer to the PCRE Syntax documentation.

By default, PCRE2 is case-sensitive. Use (?i) for case-insensitive matching. For example, the string post matches the regex (?i)POST|GET|PUT but not POST|GET|PUT.

Supported expressions

Expressions	Actions
.	Any character except newline
\d	Any decimal digit, equal to [0-9]
\D	Any character that is not a decimal digit, equal to [^0-9]
\h	Any horizontal white space character
\H	Any character that is not a horizontal white space character
\s	Any white space character, equal to [\t\r\n\f]
\S	Any character that is not a white space character, equal to [^\t\r\n\f]
\w	Any "word" character
\W	Any "non-word" character

Characters escaping

Expressions	Actions
\f	Form feed (hex 0C)
\n	Newline (hex 0A)
\r	Carriage return (hex 0D)
\t	Tab (hex 09)
\0dd	Character with octal code 0dd
\o{ddd..}	Character with octal code ddd..
\xhh	Character with hex code hh
\x{hh..}	Character with hex code hh..

Quantifiers

Expressions	Actions
?	0 or 1, greedy
?+	0 or 1, possessive
??	0 or 1, lazy
*	0 or more, greedy
*+	0 or more, possessive
*?	0 or more, lazy
+	1 or more, greedy
++	1 or more, possessive
+?	1 or more, lazy
{n}	Exactly n
{n,m}	At least n, no more than m, greedy
{n,m}+	At least n, no more than m, possessive
{n,m}?	At least n, no more than m, lazy
{n,}	n or more, greedy
{n,}+	n or more, possessive
{n,}?	n or more, lazy

Perl-compatible Regular Expressions

Incorporation of PCRE regex support along with already existing OSRegex and OSMatch regex open up a range of possibilities, and enhance log comprehension and interpretation.

This section briefly describes the features of this type of regex, its enablement in rules, decoders, and some use cases applied to the default ruleset.

Advantages
Configuring PCRE
Use case: Accurate PAM user alerts

Advantages

Quantifiers

In addition to the already known * and + quantifiers, PCRE incorporates:

? try to match zero or one time. Example: https? regex will match http and https.
{n} try to match exactly n times. Example: \d{4} regex matches exactly four consecutive digits in a string.
{n,} try to match n or more times. Example: \d{2,} will be 12, 123, 1234 and so on.
{n,m} try to match between n and m times. Example: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} will match any IPv4 address.

All quantifiers can be used and combined with groups, expressions and literals. Example: (\d{1,3}\.?){4} is shorter than and equivalent to \d{1,3}\.?\d{1,3}\.?\d{1,3}\.?\d{1,3}.?.

Case sensitivity

Compared to OSRegex and OSMatch, which are case insensitive, PCRE regex are case sensitive by default. This can be changed by using (?i). Example: post will match (?i)POST|GET|PUT regex but not POST|GET|PUT.

Groups within groups

PCRE provides ease and flexibility in data extraction. Unlike OSRegex, it allows groups within groups. For example, in the next log, the regular expression from=<(.*?@(.*?))> extracts the email (john@email-dom.com) and domain (email-dom.com) into separate fields.

Sep 29 17:11:02 ramp sendmail[21549]: v8TLB2x7021549: from=<john@email-dom.com>, size=909, class=0, nrcpts=1, msgid=<201709292111.v8TLB1Nj021545@email.com>, proto=ESMTP, daemon=MTA, relay=[2001:0db8:85a3:0000:0000:8a2e:0370:7334]

Groups comparing: backreferences

Backreferences match the same text as previously matched by a capturing group. Groups can be referenced in the order they are declared with a backslash followed by the group number. For example, in the next log, the regular expression ^(\d+\.\d+\.\d+\.\d+) \1 only matches if both IP addresses at the beginning of the log are equal.

10.10.10.11 10.10.10.11 - - [10/Apr/2017:13:18:05 -0700] "GET /injection/%0d%0aSet-Cookie HTTP/1.1" 404 271 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"

Character classes (character set)

In addition to the types of characters like \w to match a word character or \d to match the decimal digit, a custom set of characters can be specified with []. Ranges of letters and numbers can also be specified. For example, [A-zA-Z0-5] includes the numbers from 0 to 5 and the entire alphabet in upper and lower case letters. Example: The next regex \d+[-\/]\d+[-\/]\d+ will match any datetime despite the separation character used.

Configuring PCRE

PCRE can be enabled in rules and decoders using the type="pcre2" attribute, which also allow to set other regex like type="osregex" and type="osmatch" for OSRegex and OSMatch, respectively, depending on the case.

Decoders

You can enable PCRE in the following decoder options: program_name, prematch, and regex.

Below is a simple example of data extraction with PCRE. Here is a log message of a program called example_pcre2:

Dec 25 20:45:02 MyHost example_pcre2[12345]: User 'admin' change email to 'admin@suspicious-domain.com'

You can use PCRE in a decoder to extract the user, email, and domain from the log:

<decoder name="example_pcre2">
      <program_name>^example_pcre2$</program_name>
</decoder>

<decoder name="example_pcre2">
      <parent>example_pcre2</parent>
      <regex type="pcre2">User '(.*?)' change email to '(.*?@(.*?))'</regex>
      <order>user, email, domain</order>
</decoder>

Rules

In rules, you can enable and use PCRE along with OSRegex, OSMatch regular expressions.

The following rules options are compatible with PCRE:

For matching static fields: action, extra_data, hostname, id, location, match, program_name, protocol, user, url, srcport, dstport, status, system_name, dstgeoip, srcgeoip.
For matching dynamic fields: field.

Below is an example of data extraction with PCRE regex in a rule:

May  12 11:07:21 web passwd[21533]: pam_unix(passwd:chautok]: password changed for foo

We use PCRE to match on which host a password change is made using the hostname in the rule below.

<group name="sshd,">
  <rule id="100101" level="5">
    <if_sid>5555</if_sid>
    <hostname type="pcre2">web</hostname>
    <description>Password changed on $(hostname).</description>
  </rule>
</group>

Use case: Accurate PAM user alerts

The Linux Pluggable Authentication Modules(PAM) is a key component that brings authentication support for applications and services in UNIX-like systems, most of which are case sensitive. By default, some false positive alerts related to usernames may be generated. For example, users FOO and foo are not differentiated by the rules. This can be avoided by using PCRE case sensitivity, so they are handled as different users. The next custom rule generates an alert when the foo user logs into the system via SSH.

<group name="sshd,">
  <rule id="100002" level="5">
    <if_sid>5501</if_sid>
    <description>foo user logged in.</description>
    <user type="pcre2">foo</user>
  </rule>
</group>

The /var/ossec/bin/wazuh-logtest output shows the triggered alert.

Type one log per line

Dec  1 11:27:21 ip-10-0-0-220 sshd(pam_unix)[17365]: session opened for user foo by (uid=508)

**Phase 1: Completed pre-decoding.
        full event: 'Dec  1 11:27:21 ip-10-0-0-220 sshd(pam_unix)[17365]: session opened for user foo by (uid=508)'
        timestamp: 'Dec  1 11:27:21'
        hostname: 'ip-10-0-0-220'
        program_name: 'sshd(pam_unix)'

**Phase 2: Completed decoding.
        name: 'pam'
        parent: 'pam'
        dstuser: 'foo'
        uid: '508'

**Phase 3: Completed filtering (rules).
        id: '100002'
        level: '5'
        description: 'foo user logged in.'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

Testing decoders and rules

/var/ossec/bin/wazuh-logtest tool allows the testing and verification of decoders and rules against provided log samples on the Wazuh server. You can utilize it through any of the following options:

Wazuh dashboard
Command line tool
Wazuh server API

With /var/ossec/bin/wazuh-logtest, you can:

Input event logs.
Verify which decoders match them and identify the associated fields.
Check which alerts match the event logs.

/var/ossec/bin/wazuh-logtest shares the same rules with the Wazuh analysis engine. It operates based on unique sessions, each loading its own set of rules and decoders.

It also has a firedtimes counter which keeps track of all the matching occurrences of the rules and maintains these counters throughout the duration of the session.

Configuration

/var/ossec/bin/wazuh-logtest comes out-of-the-box in the Wazuh server. In a Wazuh cluster, the master node processes the event logs. You can change its configuration parameters in the <rule_test> section of the /var/ossec/etc/ossec.conf file of the Wazuh server.

By default, the /var/ossec/bin/wazuh-logtest configuration is set as follows:

<rule_test>
  <enabled>yes</enabled>
  <threads>1</threads>
  <max_sessions>64</max_sessions>
  <session_timeout>15m</session_timeout>
</rule_test>

Parameter	Description	Default	Values allowed
enabled	Enables and disables logtest	`yes`	`yes`, `no`
threads	Number of logtest threads	`1`	`1`–`128`, `auto`. auto creates one thread per CPU
max_sessions	Number of open sessions allowed	`64`	`1`–`500`
session_timeout	Minimum time inactive to close a session	`15m`	Positive number and a suffix character indicating a time unit. `s` for seconds, `m` for minutes, `h` for hours. The max value allowed is `365d`

If a session is idle longer than the session_timeout, it gets closed.

If the number of open sessions reaches max_sessions, opening a new session results in the closure of the longest inactive session.

Using the Wazuh dashboard and the command line tool

Follow the following steps to try /var/ossec/bin/wazuh-logtest using the Wazuh dashboard or the command line tool:

Run the tool.
- Go to Tools > Ruleset test in the Wazuh dashboard.
- Run /var/ossec/bin/wazuh-logtest from the command line.

Paste the following log:

Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928

**Phase 1: Completed pre-decoding.
   full event: 'Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928'
   timestamp: 'Oct 15 21:07:00'
   hostname: 'linux-agent'
   program_name: 'sshd'

**Phase 2: Completed decoding.
   name: 'sshd'
   parent: 'sshd'
   srcip: '18.18.18.18'
   srcport: '48928'
   srcuser: 'blimey'

**Phase 3: Completed filtering (rules).
   id: '5710'
   level: '5'
   description: 'sshd: Attempt to login using a non-existent user'
   groups: '["syslog","sshd","authentication_failed","invalid_login"]'
   firedtimes: '1'
   gdpr: '["IV_35.7.d","IV_32.2"]'
   gpg13: '["7.1"]'
   hipaa: '["164.312.b"]'
   mail: 'false'
   mitre.id: '["T1110.001","T1021.004","T1078"]'
   mitre.tactic: '["Credential Access","Lateral Movement","Defense Evasion","Persistence","Privilege Escalation","Initial Access"]'
   mitre.technique: '["Password Guessing","SSH","Valid Accounts"]'
   nist_800_53: '["AU.14","AC.7","AU.6"]'
   pci_dss: '["10.2.4","10.2.5","10.6.1"]'
   tsc: '["CC6.1","CC6.8","CC7.2","CC7.3"]'
**Alert to be generated.

The above result shows that rule id 5710 matches the event log.

If you paste the log six more times, you can see that rule id 5710 "sshd: Attempt to login using a non-existent user" matches each time. It is important to note that in Phase 3, filtering (rules), the firedtimes counter increases with each repetition. If you paste the log one more time, rule ID 5712 matches instead, indicating an attempted SSH brute force attack on the system. This rule triggers when there have been eight failed attempts to log in to SSH with a non-existing user, all originating from the same IP address, and occurring within a two-minute timeframe.

**Phase 1: Completed pre-decoding.
     full event: 'Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928'
     timestamp: 'Oct 15 21:07:00'
     hostname: 'linux-agent'
     program_name: 'sshd'

**Phase 2: Completed decoding.
     name: 'sshd'
     parent: 'sshd'
     srcip: '18.18.18.18'
     srcport: '48928'
     srcuser: 'blimey'

**Phase 3: Completed filtering (rules).
     id: '5712'
     level: '10'
     description: 'sshd: brute force trying to get access to the system. Non existent user.'
     groups: '["syslog","sshd","authentication_failures"]'
     firedtimes: '1'
     frequency: '8'
     gdpr: '["IV_35.7.d","IV_32.2"]'
     hipaa: '["164.312.b"]'
     mail: 'false'
     mitre.id: '["T1110"]'
     mitre.tactic: '["Credential Access"]'
     mitre.technique: '["Brute Force"]'
     nist_800_53: '["SI.4","AU.14","AC.7"]'
     pci_dss: '["11.4","10.2.4","10.2.5"]'
     tsc: '["CC6.1","CC6.8","CC7.2","CC7.3"]'
**Alert to be generated.

Using the Wazuh server API

The logtest API endpoint is part of the Wazuh server APIs which you can use to interact with Wazuh from the Wazuh server or an authorized endpoint.

You can use the Wazuh server API to interact with the /var/ossec/bin/wazuh-logtest utility via the two endpoints below.

Endpoint	Method	Description
/logtest	PUT	Check if an alert matches a log and query the related information.
/logtest/sessions/{token}	DELETE	Delete the session corresponding to `{token}`

Logging into the Wazuh server API

All Wazuh server API calls require authentication and must include a JSON Web Token. You can use the cURL command to log in. The Wazuh server API provides a JWT token upon successful authentication.

Run the following command replacing <WAZUH_API_USER> and <PASSWORD> with your credentials:

TOKEN=$(curl -u <WAZUH_API_USER>:<PASSWORD> -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")

By default, the user is wazuh, and the password is wazuh.

In case you do not know your credentials, run the command below on your Wazuh server to retrieve your Wazuh server API credentials:

tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt | grep -A 2 "# Password for wazuh API user"

# Password for wazuh API user
  api_username: '<WAZUH_API_USER>'
  api_password: '<WAZUH_API_PASSWORD>'

Check that everything works correctly.

curl -k -X GET "https://localhost:55000/?pretty=true" -H "Authorization: Bearer $TOKEN"

{
   "data": {
      "title": "Wazuh API REST",
      "api_version": "<CURRENT_API_VERSION>",
      "revision": <CURRENT_REVISION>,
      "license_name": "GPL 2.0",
      "license_url": "https://github.com/wazuh/wazuh/blob/v<CURRENT_API_VERSION>/LICENSE",
      "hostname": "Wazuh",
      "timestamp": "<CURRENT_TIME>"
   },
   "error": 0
}

First request

The first time you send a processing request, it has no logtest API session token. Since there is no active session, a processing log request is sent to logtest in the Wazuh analysis engine.

Use the following sample data for request:

Field	Description	Example
log_format	Type of log	`syslog`
event	Log to process	`Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928`
location	Origin of the log	`master->/var/log/syslog`
token (optional)	logtest session id

You must send the data to the logtest endpoint in JSON format. You can first store the request in a variable as follows:

LOGTEST_REQ=$(echo '{'\
    '"event": "Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928",'\
    '"log_format": "syslog",'\
    '"location": "master->/var/log/syslog"'\
    '}')

Then, send the request to the logtest endpoint:

curl -k -X PUT "https://localhost:55000/logtest?pretty=true" \
-H "Authorization: Bearer $TOKEN" \
-H  "Content-Type: application/json" \
-d "$LOGTEST_REQ"

{
   "error": 0,
   "data": {
      "messages": [

        "INFO: (7202): Session initialized with token '35604a22'"

     ],

     "token": "35604a22",

     "output": {
         "timestamp": "2023-04-25T13:50:43.764000Z",
         "rule": {
            "level": 5,
            "description": "sshd: Attempt to login using a non-existent user",

           "id": "5710",

           "mitre": {
               "id": [
                  "T1110.001",
                  "T1021.004",
                  "T1078"
               ],
               "tactic": [
                  "Credential Access",
                  "Lateral Movement",
                  "Defense Evasion",
                  "Persistence",
                  "Privilege Escalation",
                  "Initial Access"
               ],
               "technique": [
                  "Password Guessing",
                  "SSH",
                  "Valid Accounts"
               ]
            },

           "firedtimes": 1,

           "mail": false,
            "groups": [
               "syslog",
               "sshd",
               "authentication_failed",
               "invalid_login"
            ],
            "gdpr": [
               "IV_35.7.d",
               "IV_32.2"
            ],
            "gpg13": [
               "7.1"
            ],
            "hipaa": [
               "164.312.b"
            ],
            "nist_800_53": [
               "AU.14",
               "AC.7",
               "AU.6"
            ],
            "pci_dss": [
               "10.2.4",
               "10.2.5",
               "10.6.1"
            ],
            "tsc": [
               "CC6.1",
               "CC6.8",
               "CC7.2",
               "CC7.3"
            ]
         },
         "agent": {
            "id": "000",
            "name": "centos7"
         },
         "manager": {
            "name": "centos7"
         },
         "id": "1682430643.3725",
         "full_log": "Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928",
         "predecoder": {
            "program_name": "sshd",
            "timestamp": "Oct 15 21:07:00",
            "hostname": "linux-agent"
         },
         "decoder": {
            "parent": "sshd",
            "name": "sshd"
         },
         "data": {
            "srcip": "18.18.18.18",
            "srcport": "48928",
            "srcuser": "blimey"
         },
         "location": "master->/var/log/syslog"
      },
      "alert": true,
      "codemsg": 0
   }
}

The above result shows that rule ID 5710 matches the event log.

The messages field shows the session token 95375d4c. You must add this token to the next requests to keep the session loaded, including its event history, and rules and decoders. If you don't add the token field to the next request, a new session initializes, reloading the rules and decoders.

Repeating the request with the same session

Add the session token to the request and send it seven more times within two minutes. You can see that rule ID 5710 matches multiple times. In the rule object of the response, inside the output field, you can see the firedtimes counter increases with each repetition. But in the last request, rule ID 5712 triggers and captures the eighth event that rule ID 5710 matched previously for the same IP address. Change the token below to your own session token generated.

LOGTEST_REQ=$(echo '{'\

   '"token": "35604a22",'\

   '"event": "Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928",'\
    '"log_format": "syslog",'\
    '"location": "master->/var/log/syslog"'\
    '}')

Note

Providing an invalid logtest session token results in a new session.

curl -k -X PUT "https://localhost:55000/logtest?pretty=true" \
-H "Authorization: Bearer $TOKEN" \
-H  "Content-Type: application/json" \
-d "$LOGTEST_REQ"

{
   "error": 0,
   "data": {
      "token": "35604a22",
      "output": {
         "timestamp": "2023-04-25T13:51:36.409000Z",
         "rule": {
            "level": 10,
            "description": "sshd: brute force trying to get access to the system. Non existent user.",

           "id": "5712",

           "mitre": {
               "id": [
                  "T1110"
               ],
               "tactic": [
                  "Credential Access"
               ],
               "technique": [
                  "Brute Force"
               ]
            },
            "frequency": 8,
            "firedtimes": 1,
            "mail": false,
            "groups": [
               "syslog",
               "sshd",
               "authentication_failures"
            ],
            "gdpr": [
               "IV_35.7.d",
               "IV_32.2"
            ],
            "hipaa": [
               "164.312.b"
            ],
            "nist_800_53": [
               "SI.4",
               "AU.14",
               "AC.7"
            ],
            "pci_dss": [
               "11.4",
               "10.2.4",
               "10.2.5"
            ],
            "tsc": [
               "CC6.1",
               "CC6.8",
               "CC7.2",
               "CC7.3"
            ]
         },
         "agent": {
            "id": "000",
            "name": "centos7"
         },
         "manager": {
            "name": "centos7"
         },
         "id": "1682430696.3725",
         "previous_output": "Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928\nOct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928\nOct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928\nOct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928\nOct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928\nOct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928\nOct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928",
         "full_log": "Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928",
         "predecoder": {
            "program_name": "sshd",
            "timestamp": "Oct 15 21:07:00",
            "hostname": "linux-agent"
         },
         "decoder": {
            "parent": "sshd",
            "name": "sshd"
         },
         "data": {
            "srcip": "18.18.18.18",
            "srcport": "48928",
            "srcuser": "blimey"
         },
         "location": "master->/var/log/syslog"
      },
      "alert": true,
      "codemsg": 0
   }
}

Closing the session

If you don't need the session any longer, you can close it to release the history of events, and rules and decoders loaded. The token in command below should also be changed to your own session token.

curl -k -X DELETE "https://localhost:55000/logtest/sessions/35604a22?pretty=true" -H "Authorization: Bearer $TOKEN"

{
   "error": 0,
   "data": {
         "messages": [
            "INFO: (7206): The session '35604a22' was closed successfully"
         ],
         "codemsg": 0
   }
}

Using CDB lists

Wazuh is able to check if a field extracted during the decoding phase is in a CDB list (constant database). The main use case of this feature is to create a white/black list of users, file hashes, IP addresses, or domain names.

Creating a CDB list

The list file is a plain text file. Each line has a unique key followed by a colon : separator character.

key1:
key2:

Following the separator, you can optionally add a value. Values can be repeated, but the keys must be unique.

key1:value1
key2:value2
key3:value2

If you need to include the : character as part of the key, such as with MAC addresses, you must escape the complete key using quotation marks. For example:

"a0:a0:a0:a0:a0:a0":
"b1:b1:b1:b1:b1:b1":

With a key, we can determine the presence or absence of a field in a given list. By adding a value, we can use it as a criterion in rules. For example, if we have account names (key) with a department name (value) associated, it would be possible to create an alert that triggers when a user not from the finance department logs into the finance server.

For IP addresses the dot notation is used for subnet matches:

key	CIDR	Possible matches
192.168.:	192.168.0.0/16	192.168.0.0 - 192.168.255.255
172.16.19.:	172.16.19.0/24	172.16.19.0 - 172.16.19.255
10.1.1.1:	10.1.1.1/32	10.1.1.1

Example of IP address list file

168.: Matches 192.168.0.0 - 192.168.255.255
16.19.: Matches 172.16.19.0 - 172.16.19.255
1.1.1: Matches 10.1.1.1

We recommend storing the lists on /var/ossec/etc/lists.

CDB lists are built and loaded automatically when the Wazuh analysis engine starts. Therefore, you need to restart the Wazuh manager service when you add or modify a CDB list.

Adding the list in the Wazuh server configuration file

Perform the following steps to add a CDB list to the Wazuh server configuration file.

Define the CDB list within the <ruleset> block of the /var/ossec/etc/ossec.conf file. For example, to define the CDB list /var/ossec/etc/lists/list-IP, add the relative path etc/lists/list-IP as highlighted below:

...
  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <list>etc/lists/list-IP</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>
...

Restart the Wazuh manager via the CLI to apply the changes:
# systemctl restart wazuh-manager
# service wazuh-manager restart

Using the CDB list in the rules

A rule would use the following syntax to look up a key within a CDB list.

Positive key match

This example is a search for the key stored in the field attribute and will match if it is present in the database:

<list field="user" lookup="match_key">etc/lists/list-user</list>

The lookup="match_key" is the default and can be omitted as in this example:

<list field="user">etc/lists/list-user</list>

In case the field is an IP address, you must use address_match_key:

<list field="srcip" lookup="address_match_key">etc/lists/list-IP</list>

Negative key match

This example is a search for the key stored in the field attribute and will match if it is not present in the database:

<list field="user" lookup="not_match_key">etc/lists/list-user</list>

In case the field is an IP address, you must use not_address_match_key:

<list field="srcip" lookup="not_address_match_key">etc/lists/list-IP</list>

Key and value match

This example is a search for the key stored in the field attribute, and on a positive match the returned value of the key will be processed using the regex in the check_value attribute:

<list field="user" lookup="match_key_value" check_value="^block">etc/lists/list-user</list>

In case the field is an IP address, you must use address_match_key_value:

<list field="srcip" lookup="address_match_key_value" check_value="^reject">etc/lists/list-IP</list>

CDB lists examples

The following rules below are triggered if an IP address is in /var/ossec/etc/lists/List-one, in /var/ossec/etc/lists/List-two or in both:

<rule id="110700" level="10">
  <if_group>json</if_group>
  <list field="srcip" lookup="address_match_key">etc/lists/List-one</list>
  <description>IP blacklisted in LIST ONE</description>
  <group>list1,</group>
</rule>

<rule id="110701" level="10">
  <if_group>json</if_group>
  <list field="srcip" lookup="address_match_key">etc/lists/List-two</list>
  <description>IP blacklisted in LIST TWO</description>
  <group>list2,</group>
</rule>

<rule id="110710" level="10">
  <if_sid>110700</if_sid>
  <list field="srcip" lookup="address_match_key">etc/lists/List-two</list>
  <description>IP blacklisted in LIST ONE and LIST TWO</description>
  <group>list1,list2,</group>
</rule>

MITRE ATT&CK framework

Created by the MITRE Corporation, MITRE ATT&CK is an acronym that stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge. It is a globally-accessible collection of observed real-world threat actor actions and behavior. The MITRE ATT&CK framework describes 14 tactics and several techniques that security analysts can use to identify attacks in progress. MITRE uses IDs to reference the tactic or technique employed by an adversary.

The Wazuh integration with MITRE ATT&CK framework is provided through an out-of-the-box module on the Wazuh dashboard. It allows users to map alerts generated by Wazuh to specific tactics and techniques. This gives security teams a better understanding of the nature of the threats they are facing and helps them develop effective mitigation strategies.

The Wazuh MITRE ATT&CK module is accessible under the THREAT DETECTION AND RESPONSE section of the main page of the Wazuh dashboard. It is shipped with various functionalities to help enhance your threat detection.

Intelligence

The Intelligence tab of the Wazuh dashboard includes information about known threat actors or groups that have been observed using particular Tactics, Techniques, and Procedures (TTPs). It also provides any relevant indicators of compromise (IOCs) or mitigations that can be used to detect or prevent attacks leveraging the TTPs.

Additionally, it contains links to relevant external sources such as MITRE ATT&CK pages, blog posts, and white papers that provide detailed information about each TTP.

Framework

The Framework tab of the Wazuh MITRE ATT&CK module provides a high-level overview of the tactics and techniques occurring in endpoints monitored by the Wazuh server. This tab enables users to filter and search for specific tactics and techniques, and view which endpoints the events occurred on. You can use this functionality to identify vulnerable areas in your environment.

Dashboard

The MITRE ATT&CK Dashboard tab provides an overview of the current state of your infrastructure with respect to known adversarial Tactics, Techniques, and Procedures (TTPs) in the MITRE ATT&CK framework. The dashboard displays key indicators such as the total number of events, alerts, and a summary of the top 10 TTPs detected within your environment. These indicators can be used to assess the effectiveness of existing security controls and identify areas that may require further attention. Additionally, you can customize the dashboard to display specific metrics that are most relevant to your organization's security posture.

Events

The MITRE ATT&CK Events tab provides detailed information about each event that has been detected within your environment. It includes their correlation to specific TTPs as defined by the MITRE ATT&CK framework. The information shown in this tab is particularly useful for security teams who need to investigate suspicious activity. It allows them to drill down into the details of individual events and assess their potential impact on an environment.

You can filter the events based on various criteria such as severity, event type, and detection method, and also sort them by different fields to locate relevant information quickly. Additionally, the tab provides access to additional details, such as the full event log message and any related alerts that may have been generated in response to the event.

Customization

The Wazuh MITRE ATT&CK module also supports a range of customization options. For example, users can define custom mappings between Wazuh alerts and specific tactics and techniques, allowing them to tailor the module to their unique needs and requirements.

Customization example

Wazuh offers out-of-the-box detection rules that are mapped against relevant MITRE IDs. In addition, you can also configure custom rules and assign corresponding MITRE ATT&CK IDs based on the techniques involved in the attack.

For this example, we require the following infrastructure:

Endpoint	Example description
Wazuh server	You can download the Wazuh OVA or install it using the installation guide.
Windows 11	We perform privilege escalation emulation attack on this endpoint. You need to install and enroll a Wazuh agent on this endpoint. To install the Wazuh agent, refer to the Wazuh Windows installation guide.

Wazuh server

Append the following rules to the /var/ossec/etc/rules/local_rules.xml file:

<group name="windows,sysmon,privilege-escalation">

  <rule id="110011" level="10">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC</field>
    <field name="win.eventdata.eventType" type="pcre2">^SetValue$</field>
    <field name="win.eventdata.user" type="pcre2">NT AUTHORITY\\\\SYSTEM</field>
    <options>no_full_log</options>
    <description>PsExec service running as $(win.eventdata.user) has been created on $(win.system.computer).</description>
    <mitre>
      <id>T1543.003</id>
    </mitre>
  </rule>
</group>

The rule 110011 creates an alert whenever there is a creation of a service named PSEXESVC, which occurs each time PsExec is executed on the Windows endpoint. It is mapped to the MITRE ATT&CK ID T1543.003, indicating the persistence and privilege escalation tactics.

When the rule triggers, the alert contains information about the MITRE ATT&CK ID T1543.003.

Restart the Wazuh manager service to apply the changes:
```
$ sudo systemctl restart wazuh-manager.service
```

Windows 11

Perform the following steps to configure the Wazuh agent to capture Sysmon logs and send them to the Wazuh server for analysis.

Download Sysmon and the configuration file sysmonconfig.xml in the same folder.
Launch PowerShell with administrative privilege, and install Sysmon as follows:
```
> .\Sysmon64.exe -accepteula -i .\sysmonconfig.xml
```

Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file and include the following settings within the <ossec_config> block:

<!-- Configure Wazuh agent to receive events from Sysmon -->
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

Restart the Wazuh agent for the changes to take effect:
```
> Restart-Service -Name wazuh
```

PsExec execution

Download the PsTools archive from the Microsoft Sysinternals page and extract the PsExec binary from the archive. The following command escalates a Windows PowerShell process from an administrator user to a SYSTEM user:

> .\psexec -i -s powershell /accepteula

Run the command below to confirm that the new instance of PowerShell is running as SYSTEM user:

> whoami

PS C:\Windows\system32> whoami
nt authority\system

Visualize the alerts

We use filters on the Security Module > MITRE ATT&CK > Events tab of the Wazuh dashboard to query for specific MITRE IDs, tactics, or techniques, as shown in the figure below.

Expand the alert with rule ID 110011 alert to view the MITRE ID T1543.003 information.

Click on the JSON tab to view the details of the alert in JSON format:

{
  "agent": {
    "ip": "172.20.10.3",
    "name": "Windows11",
    "id": "002"
  },
  "manager": {
    "name": "wazuh-server"
  },
  "data": {
    "win": {
      "eventdata": {
        "image": "C:\\\\Windows\\\\system32\\\\services.exe",
        "targetObject": "HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC\\\\ObjectName",
        "processGuid": "{45cd4aff-93d1-6501-0b00-000000000b00}",
        "processId": "720",
        "utcTime": "2023-10-16 12:12:15.759",
        "ruleName": "technique_id=T1543,technique_name=Service Creation",
        "details": "LocalSystem",
        "eventType": "SetValue",
        "user": "NT AUTHORITY\\\\SYSTEM"
      },
      "system": {
        "eventID": "13",
        "keywords": "0x8000000000000000",
        "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
        "level": "4",
        "channel": "Microsoft-Windows-Sysmon/Operational",
        "opcode": "0",
        "message": "\"Registry value set:\r\nRuleName: technique_id=T1543,technique_name=Service Creation\r\nEventType: SetValue\r\nUtcTime: 2023-10-16 12:12:15.759\r\nProcessGuid: {45cd4aff-93d1-6501-0b00-000000000b00}\r\nProcessId: 720\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName\r\nDetails: LocalSystem\r\nUser: NT AUTHORITY\\SYSTEM\"",
        "version": "2",
        "systemTime": "2023-10-16T12:12:15.7636688Z",
        "eventRecordID": "118081",
        "threadID": "3644",
        "computer": "Windows11",
        "task": "13",
        "processID": "3140",
        "severityValue": "INFORMATION",
        "providerName": "Microsoft-Windows-Sysmon"
      }
    }
  },
  "rule": {
    "firedtimes": 4,
    "mail": false,
    "level": 10,
    "description": "PsExec service running as NT AUTHORITY\\\\SYSTEM has been created on Windows11",
    "groups": [
      "windows",
      "sysmon"
    ],
    "mitre": {
      "technique": [
        "Windows Service"
      ],
      "id": [
        "T1543.003"
      ],
      "tactic": [
        "Persistence",
        "Privilege Escalation"
      ]
    },
    "id": "110011"
  },
  "location": "EventChannel",
  "decoder": {
    "name": "windows_eventchannel"
  },
  "id": "1694607138.3688437",
  "timestamp": "2023-10-16T12:12:18.684+0000"
}

The alerts display the MITRE ATT&CK ID and its associated tactics and techniques. This helps users quickly understand the nature of the attack and take appropriate actions.

User administration

Learn how to change the user passwords, how to create new internal users and how to integrate Wazuh with different Identity Providers (IdP) to implement Single Sign-On (SSO).

In the password management section, you can find instructions on how to use the Wazuh passwords tool to change the passwords of both the Wazuh indexer and the Wazuh manager API users.

The RBAC section contains directions on how to create Wazuh indexer users, also known as internal users, assign them different roles and map them to the Wazuh manager API. Find out how to create an admin user, a read-only user, a custom user, and a user with permission to read and manage only a group of agents.

In the single sign-on section, you can find instructions on how to integrate Wazuh with different Identity Providers to implement Single Sign-On. Find instructions for Okta, Microsoft Entra ID, PingOne, Google, Jumpcloud and OneLogin.

In the LDAP integration section, you can find instructions on how to integrate Wazuh with LDAP/Active Directory to authenticate and authorize users.

Password management

Note

If you deployed Wazuh on Docker, read Changing the default password of Wazuh users for specific instructions.

Learn how to use the Wazuh passwords tool to manage your passwords. This tool allows you to change the passwords of both the Wazuh indexer users, also known as internal users, and the Wazuh server API users.

Among the Wazuh indexer users, it is worth mentioning the following:

admin: is the default administrator account of the Wazuh indexer. It's used to log in to the Wazuh dashboard and for communications between Filebeat and the Wazuh indexer. If you change the admin password, you must update it in Filebeat and the Wazuh server.

kibanaserver: is used for communications between the Wazuh dashboard and the Wazuh indexer. If you change the kibanaserver password, you must update it in the Wazuh dashboard.

On the other hand, the Wazuh server API has two default users:

wazuh: is the default Wazuh server API administrator user.

wazuh-wui: is an admin user used for communications between Wazuh dashboard and the Wazuh server API. If you change the wazuh-wui password, you must ensure it updates in the Wazuh dashboard.

If you use the tool in an all-in-one deployment, it automatically updates the passwords where necessary. If you use it in a distributed environment, depending on the user whose password you change, you may have to update the password on other components. See Changing the passwords in a distributed environment for more details.

The passwords tool is embedded in the Wazuh indexer under /usr/share/wazuh-indexer/plugins/opensearch-security/tools/. You can use the embedded version or download it with the following command:
# curl -so wazuh-passwords-tool.sh https://packages.wazuh.com/5.0/wazuh-passwords-tool.sh
All the available options to run the script are:
Options

Purpose
-a|--change-all

Changes all the Wazuh indexer and Wazuh server API user passwords and prints them on screen. Changing API passwords requires -au|--admin-user <ADMIN_USER> and -ap|--admin-password <ADMIN_PASSWORD>.

-A|--api

Change the Wazuh server API password given the current password. Requires -u|--user <USER>, -p|--password <PASSWORD>, -au|--admin-user <ADMIN_USER>, and -ap|--admin-password <ADMIN_PASSWORD>.

-au|--admin-user <ADMIN_USER>

Admin user for the Wazuh server API. Required for changing the Wazuh server API passwords. Requires -A|--api.

-ap|--admin-password <ADMIN_PASSWORD>

Password for the Wazuh server API admin user. Required for changing the Wazuh server API passwords. Requires -A|--api.

-u|--user <USER>

Indicates the name of the user whose password will be changed. If no password is specified, it will generate a random one.

-p|--password <PASSWORD>

Indicates the new password. Must be used with option -u|--user <USER>.

-c|--cert <ROUTE_ADMIN_CERTIFICATE>

Indicates route to the admin certificate.

-k|--certkey <ROUTE_ADMIN_CERTIFICATE_KEY>

Indicates route to the admin certificate key.

-v|--verbose

Shows the complete script execution output.
-f|--file <PASSWORD_FILE.yml>
Changes the passwords for the ones given in the file.

Wazuh indexer users must have this format:
# Description
  indexer_username: <USER>

  indexer_password: <PASSWORD>
Wazuh server API users must have this format:
# Description
  api_username: <USER>

  api_password: <PASSWORD>
-gf|--generate-file <passwords.wazuh>

Generate password file with random passwords for standard users.

-h|--help

Shows help.
Changing the password for single user

To change the password for a single Wazuh indexer user, run the script with the -u|--user <USER> option and indicate the new password with the option -p|--password <PASSWORD>. The password must have a length between 8 and 64 characters and contain at least one upper case letter, one lower case letter, a number and one of the following symbols: .*+?-. If no password is specified, the script will generate a random one.
# bash wazuh-passwords-tool.sh -u admin -p Secr3tP4ssw*rd
INFO: Generating password hash
WARNING: Password changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
If you use the tool in an all-in-one deployment, it automatically updates the passwords where necessary. If you use it in a distributed environment, depending on the user whose password you change, you may have to update the password on other components. See Changing the passwords in a distributed environment for more details.

If you want to change the password for a Wazuh server API user, run the script on a Wazuh server node and use option -A|--api. Alternatively, you can change the Wazuh server API passwords following the instructions in the Securing the Wazuh server API documentation.
Changing the passwords for all users

To generate and change passwords for all the Wazuh indexer users, run the script with the -a|--change-all option:
# bash wazuh-passwords-tool.sh -a
INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
INFO: The password for user admin is kwd139yG?YoIK?lRnqcXQ4R4gJDlAqKn
INFO: The password for user kibanaserver is Bu1WIELh9RdRlf*oGjinN1?yhF6XzA7V
INFO: The password for user kibanaro is 7kZvau11cPn6Y1SbOsdr8Kwr*BRiK3u+
INFO: The password for user logstash is SUbk4KTmLl*geQbUg0c5tyfwahjDMhx5
INFO: The password for user readall is ?w*Itj1Lgz.5w.C7vOw0Kxi7G94G8bG*
INFO: The password for user snapshotrestore is Z6UXgM8Sr0bfV.i*6yPPEUY3H6Du2rdz
WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
If you use the tool in an all-in-one deployment, it automatically updates the passwords where necessary. If you use it in a distributed environment, you have to update the password on other components. See Changing the passwords in a distributed environment for more details.

On an all-in-one deployment, use options -a|--change-all, -A|--api, -au|--admin-user <ADMIN_USER>, and -ap|--admin-password <ADMIN_PASSWORD> to also change the passwords for all the Wazuh indexer and the Wazuh server API users.
# sudo bash wazuh-passwords-tool.sh -a -A -au wazuh -ap KTb+Md+rR74J2yHfoGGnFGHGm03Gadyu
INFO: The password for user admin is Wkw+b2rM6BEOwUmGfr*m*i1ithWw.dg2
INFO: The password for user kibanaserver is 5Y0lIfCwmjkus9nWAAVxMInI+Eth25hr
INFO: The password for user kibanaro is kJG7fHX18.UJIZoNip5nDo*34DN+cGBL
INFO: The password for user logstash is wuabgegtKsQABems5RNJfV0AOmxT?81T
INFO: The password for user readall is gKSuQFGG.Sa0L9gzJX5WZHPP3Y4Es+sU
INFO: The password for user snapshotrestore is UdyI8ToXkgVCNOPfJ*FX*a5vybeB.rUw
WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
INFO: The password for Wazuh API user wazuh is zG0yTsAiettOXWEB79Aca1jbQ5.UeW3M
INFO: The password for Wazuh API user wazuh-wui is JmKiaCBQo?4Ne0yrM4+n7kGdXGfCmVjO
INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.
Changing the passwords using a formatted file

Use a formatted file to indicate the passwords and run the script with the -f|--file <PASSWORD_FILE.yml> option followed by the file path. Use the following pattern to indicate the users and passwords in the formatted file.

For Wazuh indexer users:
# Description
  indexer_username: <USER>
  indexer_password: <PASSWORD>
For Wazuh server API users:
# Description
  api_username: <USER>
  api_password: <PASSWORD>
If the -a|--change-all option is used in combination with the -f|--file <PASSWORD_FILE.yml> option, all users not included in the file are given a random password.

The options -au|--admin-user <ADMIN_USER> and -ap|--admin-password <ADMIN_PASSWORD> are necessary to change the passwords for the API users.
Changing the passwords in a distributed environment

Follow the instructions below to change the passwords for all the Wazuh indexer users as well as the Wazuh server API users.
On any Wazuh indexer node, use the Wazuh passwords tool to change the passwords of the Wazuh indexer users.
# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all
INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
INFO: The password for user admin is wcAny.XUwOVWHFy.+7tW9l8gUW1L8N3j
INFO: The password for user kibanaserver is qy6fBrNOI4fD9yR9.Oj03?pihN6Ejfpp
INFO: The password for user kibanaro is Nj*sSXSxwntrx3O7m8ehrgdHkxCc0dna
INFO: The password for user logstash is nQg1Qw0nIQFZXUJc8r8+zHVrkelch33h
INFO: The password for user readall is s0iWAei?RXObSDdibBfzSgXdhZCD9kH4
INFO: The password for user snapshotrestore is Mb2EHw8SIc1d.oz.nM?dHiPBGk7s?UZB
WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
On the Wazuh server master node, download the Wazuh passwords tool and use it to change the passwords of the Wazuh server API users. For example, to change the password of the wazuh server API user, run:
# curl -sO https://packages.wazuh.com/5.0/wazuh-passwords-tool.sh
# bash wazuh-passwords-tool.sh --api -u wazuh -p <NEW_PASSWORD> --admin-user wazuh-wui --admin-password <WAZUH_WUI_USER_PASSWORD>
INFO: The password for Wazuh API user wazuh is ivLOfmj7.jL6*7Ev?UJoFjrkGy9t6Je.
Where:
<NEW_PASSWORD> is the new password for the server API user.
<WAZUH_WUI_USER_PASSWORD> is the password of the wazuh-wui user. You can retrieve it by running:
$ sudo tail /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
If you've set up a user other than admin for Filebeat, manually add the username and password using the following commands. Replace <CUSTOM_USERNAME> and <CUSTOM_PASSWORD> with your custom username and password.
# echo <CUSTOM_USERNAME> | filebeat keystore add username --stdin --force
# echo <CUSTOM_PASSWORD> | filebeat keystore add password --stdin --force
Restart Filebeat to apply the changes.
# systemctl restart filebeat
# service filebeat restart
On your Wazuh dashboard node, run the following command to update the kibanaserver password in the Wazuh dashboard keystore. Replace <KIBANASERVER_PASSWORD> with the random password generated in the first step.
# echo <KIBANASERVER_PASSWORD> | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
Update the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file with the new wazuh-wui password generated in the second step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
Restart the Wazuh dashboard to apply the changes.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Wazuh RBAC - How to create and map internal users

Wazuh RBAC allows access to Wazuh resources based on the roles and policies assigned to the users. It is an easy-to-use administration system that enables to manage users' or entities' permissions to the system resources. To learn more, see the Role-Based Access Control section.

The Wazuh platform includes an internal user database that can be used for authentication. It can also be used in addition to an external authentication system such as LDAP or Active Directory. Learn how to create users and map them with Wazuh in the below sections.

Creating and setting a Wazuh admin user

Creating and setting a Wazuh read-only user

Creating an internal user and mapping it to Wazuh

Use case: Give a user permissions to read and manage a group of agents

Creating and setting a Wazuh admin user

Follow these steps to create an internal user, create a new role mapping, and give administrator permissions to the user.

Log into the Wazuh dashboard as administrator.

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Internal users to open the internal users' page.

Click Create internal user, provide a username and password, and click Create to complete the action.

To map the user to the admin role, follow these steps:

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Roles to open the roles page.

Search for the all_access role in the roles list and select it to open the details window.

Click Duplicate role, assign a name to the new role, then click Create to confirm the action.

Select the newly created role.

Select the Mapped users tab and click Manage mapping.

Add the user you created in the previous steps and click Map to confirm the action.

Note

Reserved roles are restricted for any permission customizations. You can create a custom role with the same permissions or duplicate a reserved role for further customization.

To map the user with Wazuh, follow these steps:

Click the upper-left menu icon ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select administrator.

Internal users: Select the internal user created previously.

Click Save role mapping to save and map the user with Wazuh as administrator.

For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the Wazuh dashboard service and clear your browser cache and cookies.

Creating and setting a Wazuh read-only user

Follow these steps to create an internal user, create a new role mapping, and give read-only permissions to the user.

Log into the Wazuh dashboard as administrator.

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Internal users to open the internal users' page.

Click Create internal user, provide a username and password, and click Create to complete the action.

To map the user to the appropriate role, follow these steps:

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Roles to open the roles page.

Click Create role, complete the empty fields with the following parameters, and then click Create to complete the task.

Name: Assign a name to the role.

Cluster permissions: cluster_composite_ops_ro

Index: *

Index permissions: read

Tenant permissions: global_tenant and select the Read only option.

Select the Mapped users tab and click Manage mapping.

Add the user you created in the previous steps and click Map to confirm the action.

To map the user with Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select readonly.

Internal users: Select the internal user created previously.

Click Save role mapping to save and map the user with Wazuh as read-only.

For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the Wazuh dashboard service and clear your browser cache and cookies.

Creating an internal user and mapping it to Wazuh

Follow these steps to create an internal user and map it to a role of your choice.

Log into the Wazuh dashboard as administrator.

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Internal users to open the internal users' page.

Click Create internal user, provide a username and password, and click Create to complete the action.

To map the user to a given role, follow these steps:

Go to Security, select Roles to open the page, and click the name of the selected role to open the window. Alternatively, you can create a custom role by clicking Create role.

Select the Mapped users tab and click Manage mapping.

Add the user you created in the previous steps and click Map to confirm the action.

To map the user with Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select the Wazuh roles that you want to map the user with.

Internal users: Select the internal user created previously.

Wazuh includes an extensive list of default policies and roles. Additionally, you can create custom policies and roles to suit your needs. To see an example, check our Use case: Give a user permissions to manage a group of agents below.

Click Save role mapping to save and map the user with Wazuh.

For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the Wazuh dashboard service and clear your browser cache and cookies.
Use case: Give a user permissions to read and manage a group of agents

In this use case, we explore how to create an internal user and give it permissions to read and manage an agents group.

This process involves adding a label in the agent group's centralized configuration to identify the Wazuh alerts coming from this group of agents, creating an internal user, and giving it reading permission only for those documents that correspond to the group of authorized agents.

It also involves mapping this user with the Wazuh API, creating a custom policy that includes permissions to read, restart, upgrade, among other actions over a group of agents, and finally creating a custom role and mapping it to our internal user.

As a final result, we will have a new user with permission to manage a group of agents and read the documents regarding the said group.

In this example, we have an environment with three agents. Agents 001 and 003 belong to the Team_A group whereas agents 002 and 003 belong to the Team_B group. To learn more about creating agents' groups, see Grouping agents. We will describe how to create a new user and give it permission to manage agents from Team_A.
Adding an agents group label

To prepare the environment, add a label in the Team_A centralized configuration agent.conf. To learn more, see Agent labels.
Log into the Wazuh dashboard as administrator.

Select Agents management > Endpoint Groups to open the page.

Select your group, for example, Team_A.

Select Files and click Edit group configuration.
Add a label to identify the group, for example:
<agent_config>
       <labels>
               <label key="group">Team_A</label>
       </labels>
</agent_config>
Click Save to complete the action.
You have now added a group label that allows us to identify all the Wazuh alerts coming from this group of agents. Note that only new alerts will include this group label.
Creating and mapping an internal user

Follow these steps to create an internal user, create a custom role and map it to the new user.
Click the upper-left menu icon ☰ to open the available options, go to Indexer management > Security, and then Internal users to open the internal users' page.

Click Create internal user, provide a username and password, and click Create to complete the action.
To create a custom role and map the user to it, follow these steps:
Go to Security, select Roles to open the page.

Click Create role, complete the empty fields with the following parameters:

Name: Assign a name to the role.

Cluster permissions: cluster_composite_ops_ro

Index: *

Index permissions: read
Click Add another index permission and unfold the new section Add index permission. Complete the empty fields with the following parameters and make sure to replace your group name accordingly:
Index: wazuh-alerts*

Index permissions: read
Document level security:
{
  "bool": {
    "must": {
      "match": {
        "agent.labels.group": "Team_A"
      }
    }
  }
}
Click Add another index permission and unfold the new section Add index permission. Complete the empty fields with the following parameters and make sure to replace your group name accordingly:
Index: wazuh-monitoring*

Index permissions: read
Document level security:
{
  "bool": {
    "must": {
      "match": {
        "group": "Team_A"
      }
    }
  }
}
Under Tenant permissions, select Tenant: global_tenant and the Read only option.

Click Create to complete the task.

Select the Mapped users tab and click Manage mapping.

Add the user you created in the previous steps and click Map to confirm the action.
You have now created an internal user and assigned it reading permissions over the Wazuh alerts and Wazuh monitoring documents from the authorized agents group.
Mapping with Wazuh

To map the user with Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Policies to open the policies page.

Click Create policy and complete the empty fields with the requested information.

Policy name: Assign a name to the new policy.

Action: Select the actions that the user is allowed to perform, for example, agent:read, and click Add. Select as many actions as needed.

Resource: Select agent:group.

Resource identifier: Write the name of the agents' group, for example, Team_A, and click Add. You can add as many resources as needed.

Select an effect: Select Allow.

Click Create policy to complete the action.

Click Roles to open the tab, click Create Role, and fill in the empty fields with the requested information.

Role name: Assign a name to the new role.

Policies: Select the policy created previously.

Click Create role to confirm the action.

Click Create Role mapping and complete the empty fields with the requested information.

Role mapping name: Assign a name to the role mapping.

Roles: Select the role created previously, for example Team_A_role, and the cluster_readonly role. The latter assigns the user basic configuration reading permissions.

Internal users: Select the internal user created previously.

Click Save role mapping to finish the action.

For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the Wazuh dashboard service and clear your browser cache and cookies.

You have now created a new internal user and mapped it to manage a Wazuh agents' group. Authenticate with the new user and open the Wazuh dashboard, see that only Team_A agents' alerts and information are displayed.
Single sign-on

Wazuh supports the Security Assertion Markup Language (SAML) standard for Single Sign-On (SSO) in addition to the internal user database used for authentication. This allows organizations to use their existing Identity Providers (IdP) to manage access to the Wazuh platform.

Learn how to create administrator and read-only roles on several IdP and map them with Wazuh in the sections below.
Setup single sign-on with administrator role

This section describes how Wazuh can be integrated with several IdP to implement Single Sign-On (SSO) with an administrator role.

The guide assumes you already have a Wazuh indexer and a Wazuh dashboard installation. To learn more, see the installation guide.

Required parameters

The following parameters are required to make the configurations on the Wazuh dashboard instance:

idp.metadata_url: URL to an XML file that contains metadata information about the application configured on the IdP side. It can be used instead of idp.metadata_file.

idp.metadata_file: XML File that contains the metadata information about the application configured on the IdP side. It can be used instead of idp.metadata_url.

idp.entity_id: Entity ID of the Identity Provider. This is a unique value assigned to an Identity Provider.

sp.entity_id: Entity ID of the Service Provider. This is a unique value assigned to a Service Provider.

kibana_url: URL to access the Wazuh dashboard.

roles_key: The attribute in the SAML assertion where the roles/groups are sent.

exchange_key: The key that will be used to sign the assertions. It must have at least 64 characters.

Note

The group and role names used in this guide can be changed. They do not necessarily have to be the ones we used.

OpenSearch and the SAML assertion are case sensitive. Therefore the values on the IDP and in the SAML configuration of the Wazuh indexer have to be exactly the same.

It is recommended to clear the browser cache and cookies before the integration is carried out.

The securityadmin script has to be executed with root user privileges

Administrator permissions are being assigned in this integration. The Setup single sign-on with read-only role guide can be used to configure a read-only role based on the user requirements.

Each group that is generated in the IDPs can only be used as one backend_role. In a case where other roles such as read-only are needed, a new group will have to be created for this purpose.

You need an account with administrator privileges on the Wazuh dashboard.
Identity providers
Okta

Okta Inc. is an identity and access management company that provides technologies that enable secure user authentication into applications. In this guide, we integrate the Okta IdP to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration.

Okta Configuration

Wazuh indexer configuration

Wazuh dashboard configuration

Okta Configuration

Create an account on Okta. Request a free trial if you don't have a paid license.

Create a new user.

From your okta admin console page, navigate to Directory > People.

From the People section, select Add Person, fill in the details of the new user, and click Save as seen in the following screenshots.

Create a new group. Navigate to Directory > Groups and add a group.

Create a new group using any name. In our case, we name it wazuh-admins. This name will be used as our backend_roles in roles_mapping.yml.

Add the new user to the new group. Navigate to Directory > Groups and select your group. Click on Assign People and add the user to the group created.

Create a new app. Configure the SAML settings while you create the app.

Navigate to the Applications section in Okta. Select Create App Integration.

In the Create a new application integration window, select SAML 2.0 and click Next.

Assign a name to the application and click on Next. In our case, we assign the name wazuh-sso-app.

In the Configure SAML menu, you’ll find the SAML Settings section, modify the following parameters:

Single sign on URL: input https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs and replace the <WAZUH_DASHBOARD_URL> field with the corresponding URL.

Audience URI (SP Entity ID): input wazuh-saml. This is the SP Entity ID value which will be used later in the config.yml on the Wazuh indexer instance.

Other Requestable SSO URLs: click on Show Advanced Settings to access this option. Input https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs/idpinitiated and replace the <WAZUH_DASHBOARD_URL> field with the corresponding URL.

You can leave the rest of the values as default.

In the Group Attribute Statements section put Roles as the name. The value for Roles will be used as the roles_key parameter in the Wazuh indexer configuration. For the filter field, select Matches regex and type .*.

Proceed by clicking next and on the feedback page, select the options seen in the screenshot below. Click on Finish and proceed to the next step.

Add the new app to the new group. Navigate to Directory > Groups and select your group. Click on Applications and select Assign Applications. From here, assign the app created in step 5 and click on Done to save the changes.

Note the necessary parameters from the SAML settings of the new app. The parameters already obtained during the integration are:

sp.entity_id: wazuh-saml

roles_key: Roles

kibana_url: https://<WAZUH_DASHBOARD_URL>

To obtain the remaining parameters, navigate to Applications > Applications, select your app and click Sign On.

Under SAML Signing Certificates, select View IdP metadata of the active certificate. This will open in a new tab. Copy the URL as this will be the idp.metadata_url.

Now, on the same page, click on View SAML setup instructions. Copy the Identity Provider Issuer URL, it will be the idp.entity_id.

This information can also be found in the metadata XML file.
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0 and the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: 'https://....okta.com/app/..../sso/saml/metadata'
              entity_id: 'http://www.okta.com/....'
            sp:
              entity_id: wazuh-saml
            kibana_url: https://<WAZUH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.........'
        authentication_backend:
          type: noop
Ensure to change the following parameters to their corresponding value:

idp.metadata_url

idp.entity_id

sp.entity_id

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Edit the /etc/wazuh-indexer/opensearch-security/roles_mapping.yml file and change the following values:

Configure the roles_mapping.yml file to map the Okta group to the appropriate Wazuh indexer role. In our case, we map it to the all_access role:
all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
  - "<GROUP_NAME>"
Replace <GROUP_NAME> with the name you gave to your group in Step 3. In our case, this is wazuh-admins.
Run the securityadmin script to load the configuration changes made in the roles_mapping.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["rolesmapping"],"updated_config_size":1,"message":null} is 1 (["rolesmapping"]) due to: null
Done with success
Wazuh dashboard configuration
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select administrator.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the name you gave to your group in Step 3 of Okta configuration, in our case, this is wazuh-admins.

Click Save role mapping to save and map the backend role with Wazuh as administrator.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your Okta account.
Microsoft Entra ID

Microsoft Entra ID (ME-ID) is a cloud-based identity and access management service by Microsoft. It provides single sign-on, multifactor authentication, and access to internal and cloud developed applications. In this guide, we integrate the Microsoft Entra ID IdP to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration.

Microsoft Entra ID Configuration

Wazuh indexer configuration

Wazuh dashboard configuration

Note

You may have to request a free trial at least to complete the configuration.

Microsoft Entra ID Configuration

Create a Microsoft account or use your own if you already have one.

Go to Microsoft Azure Portal and sign in with your Microsoft account.

Create an app in Microsoft Entra ID.

Go to Microsoft Entra ID > Enterprise applications > New application and Create your own application.

Select Integrate any other application you don't find in the gallery. Give a name to your application and click Add. In our case, we name this application wazuh-sso.

Create a role for your application.

Go back to Microsoft Entra ID and click on App registrations.

Select your new app under All applications and click App roles.

Add the following details to your app role:

Display name: This can be any value that you want. In our case this is Wazuh_role.

Allowed member types: Select Users/Groups.

Value: Defines the name of the role. In this case Wazuh_role, which will be the backend role value to be mapped in the roles_mapping.yml file.

Description: This can be any value that you want. In our case this is Wazuh Admin Role.

Do you want to enable this app role: Click on the checkmark to enable the role.

Click Apply to save the changes and proceed to the next step.

Assign a user to the app.

In Microsoft Entra ID, go to Enterprise applications, select your application and then click on Assign users and groups (or Users and Groups in the panel to the left).

Click on Add user/group, assign a user and select the role we created in Manifest.

Configure Single sign-on.

Go to Enterprise applications, select your application and then click on Set up single sign-on > SAML.

In option 1, under Basic SAML Configuration, click edit and set wazuh-saml as Identifier (Entity ID) and https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs as Reply URL (Assertion Consumer Service URL), and https://<WAZUH_DASHBOARD_URL> as Sign on URL (Optional). Replace <WAZUH_DASHBOARD_URL> with the corresponding value. Save and proceed to the next step.

In option 2 under Attributes & Claims, click edit and select Add new claim. Select Roles as the name and user.assignedroles as Source attribute. This claim will be mapped with roles_key on the Wazuh indexer configuration.

Note the necessary parameters. In the Enterprise applications menu, select your application and then click on Single sign-on. Note some parameters that will be used in the Wazuh indexer configuration.

In option 3 SAML Certificate, the App Federation Metadata Url will be the idp.metadata_url in the Wazuh indexer configuration file.

In option 4 Set up <YOUR APPLICATION>, the Microsoft Entra ID Identifier will be our idp.entity_id.
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0 and the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: https://login.microsoftonline.com/...
              entity_id: https://sts.windows.net/...
            sp:
              entity_id: wazuh-saml
            kibana_url: https://<WAZUH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.......'
        authentication_backend:
          type: noop
Ensure to change the following parameters to their corresponding value:

idp.metadata_url

idp.entity_id

sp.entity_id

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Edit the /etc/wazuh-indexer/opensearch-security/roles_mapping.yml file and change the following values:

Configure the roles_mapping.yml file to map the role we have in Microsoft Entra ID to the appropriate Wazuh indexer role. In this case, we map the Wazuh_role in Microsoft Entra ID to the all_access role in Wazuh indexer:
all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
  - "Wazuh_role"
  description: "Maps admin to all_access"
Run the securityadmin script to load the configuration changes made in the roles_mapping.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["rolesmapping"],"updated_config_size":1,"message":null} is 1 (["rolesmapping"]) due to: null
Done with success
Wazuh dashboard configuration
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select administrator.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the backend role from the Microsoft Entra ID configuration, in our case, this is Wazuh_role.

Click Save role mapping to save and map the backend role with Wazuh as administrator.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your Microsoft account.
PingOne

PingOne for Enterprise is an identity-as-a-service (IDaaS) and single sign-on (SSO) platform. It allows enterprises to give their users federated access to applications. In this guide, we integrate the PingOne IdP to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration.

PingOne Configuration

Wazuh indexer configuration

Wazuh dashboard configuration

PingOne Configuration

Create an account in Ping Identity. Request a free trial if you don't have a paid license.

Go to PingOne and sign in with your Ping Identity account.

Create an application in Connections.

Navigate to Connections > Applications > Add Application and give it a name. In our case, the name is wazuh-sso.

Proceed to the Choose Application Type section, and select SAML Application > Configure.

Select Manually Enter on the Provide App Metadata section and add the following configuration, replacing <WAZUH_DASHBOARD_URL> with the corresponding value:

ACS URLs: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs

Entity ID: wazuh-saml

On the Configuration tab, click on the edit icon and add the following information:

SLO ENDPOINT: https://<WAZUH_DASHBOARD_URL>/

SLO BINDING: HTTP Redirect

ASSERTION VALIDITY DURATION: 3600 (for one hour token validity)

VERIFICATION CERTIFICATE (OPTIONAL): Load a PUBLIC CERTIFICATE that corresponds to the PRIVATE KEY that is going to be used on the sp.signature_private_key_filepath of the config.yml configuration file on the Wazuh indexer instance. This is necessary as all the logout requests must be signed.

Click on the Attribute Mappings tab, select the edit icon, click on Add and insert the following configuration:

Roles = Group Names

The Roles attribute will be used later as the sp.entity_id in the Wazuh indexer configuration file.

Click on the Required checkbox, and click on Save.

Create a group and assign users.

Navigate to Identities > Groups, and click on the + sign. Select the name of the Group, in this case, Role.

To assign users, open the created Group, go to the Users tab and select Add Individually. Add all the members that must log in to the Wazuh dashboard, and click on Save when done.

Activate the application and note the necessary parameters.

Navigate to Connections, select Applications, and enable the application.

Take note of the following parameters from the configuration page of the application. This information will be used in the next step.

ISSUER ID: It'll be in the form https://auth.pingone.com/...

IDP METADATA URL: It’ll be in the form https://auth.pingone.com/...
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Place the private key file within the /etc/wazuh-indexer/opensearch-security/ directory. Set the file ownership to wazuh-indexer using the following command:
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/securityconfig/PRIVATE_KEY
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0 and the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: IDP METADATA URL
              entity_id: ISSUER ID
            sp:
              entity_id: wazuh-saml
              signature_private_key_filepath: /etc/wazuh-indexer/opensearch-security/PRIVATE_KEY
              forceAuthn: true
            kibana_url: https://<WAZUH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.......'
        authentication_backend:
          type: noop
Ensure to change the following parameters to their corresponding value:

idp.metadata_file

idp.entity_id

sp.entity_id

sp.signature_private_key_filepath

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Edit the /etc/wazuh-indexer/opensearch-security/roles_mapping.yml file and change the following values:

Map the Group (Role) that is in PingOne to the all_access role in Wazuh indexer:
all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
  - "Role"
  description: "Maps admin to all_access"
Run the securityadmin script to load the configuration changes made in the roles_mapping.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["rolesmapping"],"updated_config_size":1,"message":null} is 1 (["rolesmapping"]) due to: null
Done with success
Wazuh dashboard configuration
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select administrator.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the name you gave to your group in PingOne configuration, in our case, this is Role.

Click Save role mapping to save and map the backend role with Wazuh as administrator.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your Ping One account.
Google

Google Workspace, developed and marketed by Google, is a collection of cloud computing, productivity, and collaboration tools. In this guide, we integrate Google IdP to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration.

Google Configuration

Wazuh indexer configuration

Wazuh dashboard configuration

Google Configuration

Create an account in Google Workspace. A Google Workspace account is required for this configuration. Request a free trial if you don't have a paid license.

Go to https://admin.google.com/ac/apps/unified and sign in with your Google Admin account.

Create an app with Add custom SAML app.

Go to Apps > Web and mobile apps > Add App, then Add custom SAML app. Enter an App name and click CONTINUE.

Take note of the following parameters, as they will be used during the Wazuh indexer configuration:

Entity ID: This will be used later as the idp.entity_id

Select DOWNLOAD METADATA and place the metadata file in the configuration directory of the Wazuh indexer. The path to the directory is /etc/wazuh-indexer/opensearch-security/.

Select CONTINUE and configure the following:

ACS URL: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs. Replace the Wazuh dashboard URL field with the appropriate URL or IP address.

Entity ID: Use any name here. This will be the sp.entity_id in the Wazuh indexer configuration file. In our case, the value is wazuh-saml.

Leave the remaining parameters with their default values, then select CONTINUE.

Click on ADD MAPPING. Under Employee details, choose Department and under App attributes, type Roles. Click FINISH.

Google doesn't support sending the Group membership attribute as part of the SAML Assertion (as the other Identity Providers do). So in this example, we are going to use Department as the attribute whose value will be used as our roles_key in the Wazuh indexer configuration. In this case, the value for the Department attribute will be stored as Roles.

Turn ON access for everyone.

Select the recently created app and click on User access.

Select ON for everyone and click SAVE.

Define the attribute for users.

Go to Directory then Users.

Select a user, go to User information, then edit Employee information.

Add a value to the Department field, in this example, we add Wazuh_access, click on SAVE. This value will be used in the role_mapping file configuration.
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Place the Google_Metadata.xml file within the /etc/wazuh-indexer/opensearch-security/ directory. Set the file ownership to wazuh-indexer using the following command:
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/Google_Metadata.xml
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0 and the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: '/etc/wazuh-indexer/opensearch-security/Google_Metadata.xml'
              entity_id: 'https://accounts.google.com/o/saml2?idpid=C02…'
            sp:
              entity_id: wazuh-saml
            kibana_url: https://<WAZUH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.......'
        authentication_backend:
          type: noop
Ensure to change the following parameters to their corresponding value:

idp.metadata_file

idp.entity_id

sp.entity_id

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Edit the /etc/wazuh-indexer/opensearch-security/roles_mapping.yml file and change the following values:

Map the Department field value that was obtained in Google IdP to the all_access role in the Wazuh indexer:
all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
  - "Wazuh_access"
  description: "Maps admin and Wazuh_access to all_access"
Run the securityadmin script to load the configuration changes made in the roles_mapping.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["rolesmapping"],"updated_config_size":1,"message":null} is 1 (["rolesmapping"]) due to: null
Done with success
Wazuh dashboard configuration
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select administrator.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the Department field value that was obtained in Google IdP, in our case, this is Wazuh_access.

Click Save role mapping to save and map the backend role with Wazuh as administrator.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service using this command:
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your Google Workspace account.
Jumpcloud

Jumpcloud, is a Unified Device and Identity Access Management platform that provides services such as Multi-Factor Authentication (MFA), Single Sign-On, password management, and cloud directory. In this guide, we integrate the Jumpcloud SSO to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration.

Jumpcloud Configuration

Wazuh indexer configuration

Wazuh dashboard configuration

Jumpcloud Configuration

Create an account in Jumpcloud. Request a free trial if you don't have a paid license.

Create a new user. This step can be skipped if you are just testing, you can use your Jumpcloud admin user for example.

Go to User Management, click on Users > (+) > Manual user entry. Fill in the user information, activate the user and click on save user.

Create a new group and assign the user.

Go to User Management > User Groups > (+) and give a name to the group. In our case, this is Wazuh admins.

The name you give to your group will be used in the configuration. It will be our backend_roles in roles_mapping.yml.

In the selected User Groups, go to the Users tab, select the newly created user and Save the changes.

Create a new app. Configure the SAML settings while you create the app.

Under the User Authentication section, go to SSO Applications, select + Add New Application, and select Custom Application.

Complete the Create New Application Integration page with the appropriate information.

Click Next on the Select Application page.

Check the Manage Single Sign-On (SSO) and Configure SSO with SAML options on the Select Options page. Click Next to proceed to the next step.

Assign a Display Label to the application, and click the Show this application in User Portal checkbox on the Enter General Info page. Click Save Application to apply the settings.

Click Configure Application on the Review page.

Complete the SSO tab with the appropriate information.

IdP Entity ID: wazuh (this will be the idp.entity_id in our Wazuh indexer configuration).

SP Entity ID: wazuh-saml (this will be the sp.entity_id in our Wazuh indexer configuration).

ACS URL: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs

Check Sign Assertion.

Check Declare Redirect Endpoint.

Check include group attribute and add Roles as the attribute. This will be used later in the config.yml configuration file.

The rest of the options can be left as their default values.

On the User Groups tab, select the Group created previously and click save.

Note the necessary parameters from the SAML settings of the new app.

Open the recently created application and go to the SSO tab, select Export Metadata. This will be our metadata_file. Place the metadata file in the configuration directory of the Wazuh indexer. The path to the directory is /etc/wazuh-indexer/opensearch-security/.
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Place the metadata_jumpcloud.xml file within the /etc/wazuh-indexer/opensearch-security/ directory. Set the file ownership to wazuh-indexer using the following command:
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/metadata_jumpcloud.xml
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0 and the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: '/etc/wazuh-indexer/opensearch-security/metadata_jumpcloud.xml'
              entity_id: wazuh
            sp:
              entity_id: wazuh-saml
              forceAuthn: true
            kibana_url: https://<WAZUH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.......'
        authentication_backend:
          type: noop
Ensure to change the following parameters to their corresponding value:

idp.metadata_file

idp.entity_id

sp.entity_id

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Edit the /etc/wazuh-indexer/opensearch-security/roles_mapping.yml file and change the following values:

Configure the roles_mapping.yml file to map the Jumpcloud user group to the appropriate Wazuh indexer role. In our case, we map the Wazuh admins group to the all_access role:
all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
  - "Wazuh admins"
  description: "Maps admin to all_access"
Run the securityadmin script to load the configuration changes made in the roles_mapping.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["rolesmapping"],"updated_config_size":1,"message":null} is 1 (["rolesmapping"]) due to: null
Done with success
Wazuh dashboard configuration
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select administrator.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the name of the Jumpcloud user group. In our case, this is Wazuh admins.

Click Save role mapping to save and map the backend role with Wazuh as administrator.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your Jumpcloud account.
OneLogin

OneLogin is a cloud-based identity and access management provider that provides a unified access management platform to enterprise-level businesses and organizations. In this guide, we integrate the OneLogin SSO to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration.

OneLogin Configuration

Wazuh indexer configuration

Wazuh dashboard configuration

OneLogin Configuration

Create an account in OneLogin. Request a free trial if you don't have a paid license.

Add the OneLogin extension to your browser.

Create a new user.

Log in to OneLogin web console, and select Administration > Users > New User.

Complete the mandatory fields, assign a value in the Department field and click on Save User. In our case, the department is wazuh-admin. This field will be used later in the Wazuh indexer configuration as the backend role.

Select the user, navigate to More Actions and click on Change Password to assign a password to the user.

Create a new app using the SAML Custom Connector (Advanced) template and configure the SAML settings.

Go to Applications tab > Applications and then click on Add app.

Search for SAML Custom Connector (Advanced) application. In Display Name, assign a name. In our case, we assigned the name Wazuh. Navigate to the Configuration tab and fill in the information:

Audience (EntityID): wazuh-saml

Recipient: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs

ACS (Consumer) URL Validator: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs

ACS (Consumer) URL: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs

Login URL: https://<WAZUH_DASHBOARD_URL>

SAML initiator: Service Provider

SAML nameID format: Unspecified

SAML issuer type: Specific

SAML signature element: Response

Replace the <WAZUH_DASHBOARD_URL> field with the corresponding URL of your Wazuh dashboard instance.

The configuration must be similar to the highlighted blue rectangles:

Go to the Parameters tab and click on + to add a new parameter to the app:

Edit the parameter details. In our own case, we named the new parameter as Roles, then we selected the value Department and marked the Include in SAML assertion checkbox. The rest of the app configuration is left as default.

Click on Save to apply the configuration.

Add the created user to the new app.

Go to Users and select the created user. Go to Applications and click on +, select the Allow the user to sign in checkbox, and click on Save.

Get the metadata_onelogin.xml file from the application.

Go to Applications > Applications then select the Wazuh app. Click on More Actions and then select SAML Metadata.

Save the file as XML. This will be the idp.metadata_file in the Wazuh indexer security configuration.

The Issuer URL will be the idp.entity_id in the Wazuh indexer security configuration.

The Audience (EntityID) will be the sp.entity_id in the Wazuh indexer security configuration.

The roles_key is the name of the parameter added in the Wazuh app. In our example, this is Roles.
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Place the metadata_onelogin.xml file within the /etc/wazuh-indexer/opensearch-security/ directory. Set the file ownership to wazuh-indexer using the following command:
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/metadata_onelogin.xml
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0 and the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain2:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: '/etc/wazuh-indexer/opensearch-security/metadata_onelogin.xml'
              entity_id: 'https://app.onelogin.com/saml/metadata/xxxxxxx'
            sp:
              entity_id: wazuh-saml
            kibana_url: https://<WAZUH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.......'
        authentication_backend:
          type: noop
...
Ensure to change the following parameters to their corresponding value:

idp.metadata_file

idp.entity_id

sp.entity_id

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Edit the /etc/wazuh-indexer/opensearch-security/roles_mapping.yml file and change the following values:

To configure the roles_mapping.yml file, we map the Department field from step 3 to the all_access role on the Wazuh indexer. In this case, wazuh-admin:
...
all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
  - "wazuh-admin"
  description: "Maps admin to all_access"
...
Run the securityadmin script to load the configuration changes made in the roles_mapping.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["rolesmapping"],"updated_config_size":1,"message":null} is 1 (["rolesmapping"]) due to: null
Done with success
Wazuh dashboard configuration
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select administrator.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the value of the Department field in OneLogin configuration. In our case, this is wazuh-admin.

Click Save role mapping to save and map the backend role with Wazuh as administrator.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your OneLogin account.
Keycloak

Keycloak is an open source identity and access management tool. It provides user federation, strong authentication, user management, and fine-grained authorization for modern applications and services. In this guide, we integrate the KeyCloak IdP to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration:

KeyCloak configuration

Wazuh indexer configuration

Wazuh dashboard configuration

KeyCloak configuration

Create a new realm. Log in to the Keycloak admin console, expand the master drop-down menu and click Add Realm. Input a name in the Realm name field; in our case, this is named Wazuh. Click on Create to apply this configuration.

Create a new client. In the newly created realm, navigate to Clients > Create Client and modify the following parameters:

Client type: select SAML from the drop-down menu.

Client ID: input wazuh-saml. This is the SP Entity ID value which will be used later in the config.yml on the Wazuh indexer instance.

You can leave the rest of the values as default. Click Save to apply the configuration.

Configure client settings.

Navigate to Clients > Settings and ensure the Enabled button is turned on. Complete the section with these parameters:

Client ID: wazuh-saml

Name: Wazuh SSO

Valid redirect URIs: https://<WAZUH_DASHBOARD_URL>/*

IDP-Initiated SSO URL name: wazuh-dashboard

Name ID format: username

Force POST binding: ON

Include AuthnStatement: ON

Sign documents: ON

Sign assertions: ON

Signature algorithm: RSA_SHA256

SAML signature key name: KEY_ID

Canonicalization method: EXCLUSIVE

Front channel logout: ON

Replace the <WAZUH_DASHBOARD_URL> field with the corresponding URL of your Wazuh dashboard instance.

The configuration must be similar to the highlighted blue rectangles:

You can leave the rest of the values as default. Click Save to apply the configuration.

Navigate to Clients > Keys and complete the section with these parameters:

Client signature required: Off

Navigate to Clients > Advanced > Fine Grain SAML Endpoint Configuration and complete the section with these parameters:

Assertion Consumer Service POST Binding URL: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs/idpinitiated

Logout Service Redirect Binding URL: https://<WAZUH_DASHBOARD_URL>

You can leave the rest of the values as default. Click Save to apply the configuration.

Create a new role. Navigate to Realm roles > Create role and complete the section with these parameters:

Role name: Input admin. This will be our backend role in the Wazuh indexer configuration.

Click on Save to apply the configuration.

Create a new user.

Navigate to Users > Add user and fill in the required information.

Click on Create to apply the configuration.

Navigate to Users > Credentials > Set password and input a password for the newly created user. You will use these credentials to log in to the Wazuh dashboard.

Click on Save to apply the configuration.

Create a new group and assign the user.

Go to Groups > Create group and assign a name to the group. In our case, this is Wazuh-admins.

Click on the newly created group, navigate to Members > Add member and select the user created in the previous step. Click on Add to add it to the group.

In the newly created group details, go to Role Mapping > Assign role and select the admin role created in step 3. Click on Assign to apply the configuration.

Configure protocol mapper.

Navigate to Client scopes > role_list > Mappers > Configure a new mapper.

Select Role list from the list as seen below:

Complete the Add mapper section with these parameters:

Mapper type: Role list

Name: wazuhRoleKey. You can use any name here.

Role attribute name: Roles. This will be the roles_key on the Wazuh indexer configuration.

SAML Attribute NameFormat: Basic

Single Role Attribute: On

Click on Save to apply the configuration.

Note the necessary parameters from the SAML settings of Keycloak.

The parameters already obtained during the integration are:

sp.entity_id: wazuh-saml

roles_key: Roles

kibana_url: https://<WAZUH_DASHBOARD_URL>

To obtain the remaining parameters.

Navigate to Clients and select the name of your client. In our case, this is wazuh-saml.

Navigate to Action > Download adapter config, and ensure the Format option is Mod Auth Mellon files.

Click on Download to download the remaining files.

The downloaded files contain the idp.metadata.xml file and the sp.metadata.xml file.

The idp.entityID parameter is in the idp.metadata.xml file.
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Place the idp.metadata.xml and sp.metadata.xml files within the /etc/wazuh-indexer/opensearch-security/ directory. Set the file ownership to wazuh-indexer using the following command:
chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/idp.metadata.xml
chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/sp.metadata.xml
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0, and set the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: '/etc/wazuh-indexer/opensearch-security/idp.metadata.xml'
              entity_id: 'http://192.168.XX.XX:8080/realms/Wazuh'
            sp:
              entity_id: wazuh-saml
              metadata_file: /etc/wazuh-indexer/opensearch-security/sp.metadata.xml
            kibana_url: https://<WAZUH_DASHBOARD_ADDRESS>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.......'
        authentication_backend:
          type: noop
Ensure to change the following parameters to their corresponding value:

idp.metadata_file

idp.entity_id

sp.entity_id

sp.metadata_file

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Edit the /etc/wazuh-indexer/opensearch-security/roles_mapping.yml file and change the following values:

Configure the roles_mapping.yml file to map the realm role in Keycloak to the appropriate Wazuh indexer role; in our case, we map this to the all_access role.
all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
Run the securityadmin script to load the configuration changes made in the roles_mapping.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["rolesmapping"],"updated_config_size":1,"message":null} is 1 (["rolesmapping"]) due to: null
Done with success
Wazuh dashboard configuration
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select administrator.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the value of the realm role in Keycloak configuration. In our case, this is admin.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service using this command:
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your Keycloak account.
Setup single sign-on with read-only role

This section describes how Wazuh can be integrated with several Identity Providers (IdP) to implement Single Sign-On (SSO) with a read-only role.

The guide assumes you already have a Wazuh indexer and a Wazuh dashboard installation. To learn more, see the installation guide.

Required parameters

The following parameters are required to make the configurations on the Wazuh dashboard instance:

idp.metadata_url: URL to an XML file that contains metadata information about the application configured on the IdP side. It can be used instead of idp.metadata_file.

idp.metadata_file: XML File that contains the metadata information about the application configured on the IdP side. It can be used instead of idp.metadata_url.

idp.entity_id: Entity ID of the Identity Provider. This is a unique value assigned to an Identity Provider.

sp.entity_id: Entity ID of the Service Provider. This is a unique value assigned to a Service Provider.

kibana_url: URL to access the Wazuh dashboard.

roles_key: The attribute in the SAML assertion where the roles/groups are sent.

exchange_key: The key that will be used to sign the assertions. It must have at least 64 characters.

Note

The group and role names used in this guide can be changed. They do not necessarily have to be the ones we used.

OpenSearch and the SAML assertion are case sensitive. Therefore the values on the IDP and in the SAML configuration of the Wazuh indexer have to be exactly the same.

It is recommended to clear the browser cache and cookies before the integration is carried out.

The securityadmin script has to be executed with root user privileges

Read-only permissions are being assigned in this integration. The Setup single sign-on with administrator role guide can be used to configure an administrator role based on the user requirements.

Each group that is generated in the IDPs can only be used as one backend_role. In a case where other roles such as administrator are needed, a new group will have to be created for this purpose.

You need an account with administrator privileges on the Wazuh dashboard.
Identity providers
Okta

Okta Inc. is an identity and access management company that provides technologies that enable secure user authentication into applications. In this guide, we integrate the Okta IdP to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration.

Okta Configuration

Wazuh indexer configuration

Wazuh dashboard configuration

Okta Configuration

Create an account on Okta. Request a free trial if you don't have a paid license.

Create a new user.

From your okta admin console page, navigate to Directory > People.

From the People section, select Add Person, fill in the details of the new user, and click Save as seen in the following screenshots.

Create a new group. Navigate to Directory > Groups and add a group.

Create a new group using any name. In our case, we name it wazuh-readonly. This name will be used as our backend_roles in roles_mapping.yml.

Add the new user to the new group. Navigate to Directory > Groups and select your group. Click on Assign People and add the user to the group created.

Create a new app. Configure the SAML settings while you create the app.

Navigate to the Applications section in Okta. Select Create App Integration.

In the Create a new application integration window, select SAML 2.0 and click Next.

Assign a name to the application and click on Next. In our case, we assign the name wazuh-sso-app.

In the Configure SAML menu, you’ll find the SAML Settings section, modify the following parameters:

Single sign on URL: input https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs and replace the <WAZUH_DASHBOARD_URL> field with the corresponding URL.

Audience URI (SP Entity ID): input wazuh-saml. This is the SP Entity ID value which will be used later in the config.yml on the Wazuh indexer instance.

Other Requestable SSO URLs: click on Show Advanced Settings to access this option. Input https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs/idpinitiated and replace the <WAZUH_DASHBOARD_URL> field with the corresponding URL.

You can leave the rest of the values as default.

In the Group Attribute Statements section put Roles as the name. The value for Roles will be used as the roles_key parameter in the Wazuh indexer configuration. For the filter field, select Matches regex and type .*.

Proceed by clicking next and on the feedback page, select the options seen in the screenshot below. Click on Finish and proceed to the next step.

Add the new app to the new group. Navigate to Directory > Groups and select your group. Click on Applications and select Assign Applications. From here, assign the app created in step 5 and click on Done to save the changes.

Note the necessary parameters from the SAML settings of the new app. The parameters already obtained during the integration are:

sp.entity_id: wazuh-saml

roles_key: Roles

kibana_url: https://<WAZUH_DASHBOARD_URL>

To obtain the remaining parameters, navigate to Applications > Applications, select your app and click Sign On.

Under SAML Signing Certificates, select View IdP metadata of the active certificate. This will open in a new tab. Copy the URL as this will be the idp.metadata_url.

Now, on the same page, click on View SAML setup instructions. Copy the Identity Provider Issuer URL, it will be the idp.entity_id.

This information can also be found in the metadata XML file.
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0 and the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: 'https://....okta.com/app/..../sso/saml/metadata'
              entity_id: "http://www.okta.com/...."
            sp:
              entity_id: wazuh-saml
            kibana_url: https://<WAZUH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.........'
        authentication_backend:
          type: noop
Ensure to change the following parameters to their corresponding value:

idp.metadata_url

idp.entity_id

sp.entity_id

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Wazuh dashboard configuration
Create a new role mapping for the backend role. Follow these steps to create a new role mapping, and grant read-only permissions to the backend role.

Log into the Wazuh dashboard as administrator.

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Roles to open the roles page.

Click Create role, complete the empty fields with the following parameters, and then click Create to complete the task.

Name: Assign a name to the role.

Cluster permissions: cluster_composite_ops_ro

Index: *

Index permissions: read

Tenant permissions: Select global_tenant and the Read only option.

Select the newly created role.

Select the Mapped users tab and click Manage mapping.

Under Backend roles, add the name of the read-only group you created in Okta and click Map to confirm the action. In our case, the backend role is wazuh-readonly.
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select readonly.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the name you gave to your group in Step 3 of Okta configuration, in our case, this is wazuh-readonly.

Click Save role mapping to save and map the backend role with Wazuh as read-only.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your Okta account.
Microsoft Entra ID

Microsoft Entra ID (ME-ID) is a cloud-based identity and access management service by Microsoft. It provides single sign-on, multifactor authentication, and access to internal and cloud developed applications. In this guide, we integrate the Microsoft Entra ID IdP to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration.

Microsoft Entra ID Configuration

Wazuh indexer configuration

Wazuh dashboard configuration

Note

You may have to request a free trial at least to complete the configuration.

Microsoft Entra ID Configuration

Create a Microsoft account or use your own if you already have one.

Go to Microsoft Azure Portal and sign in with your Microsoft account.

Create an app in Microsoft Entra ID.

Go to Microsoft Entra ID > Enterprise applications > New application and Create your own application.

Select Integrate any other application you don't find in the gallery. Give a name to your application and click Add. In our case, we name this application wazuh-sso.

Create a role for your application.

Go back to Microsoft Entra ID and click on App registrations.

Select your new app under All applications and click App roles.

Add the following details to your app role:

Display name: This can be any value that you want. In our case, this is Wazuh Read Only Role.

Allowed member types: Select Users/Groups.

Value: defines the name of the role. In this case wazuh-readonly, which will be the backend role value to be mapped on the Wazuh dashboard.

Description: This can be any value that you want. In our case, this is Wazuh Read Only Role.

Do you want to enable this app role: Click on the checkmark to enable the role.

Click Apply to save the changes and proceed to the next step.

Assign a user to the app.

In Microsoft Entra ID, go to Enterprise applications, select your application and then click on Assign users and groups (or Users and Groups in the panel to the left).

Click on Add user/group, assign a user and select the role we created in App roles. Click on Assign to save the configuration.

Configure Single sign-on.

Go to Enterprise applications, select your application and then click on Set up single sign-on > SAML.

In option 1, under Basic SAML Configuration, click edit and set wazuh-saml as Identifier (Entity ID), https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs as Reply URL (Assertion Consumer Service URL), and https://<WAZUH_DASHBOARD_URL> as Sign on URL (Optional). Replace <WAZUH_DASHBOARD_URL> with the corresponding value. Save and proceed to the next step.

In option 2 under Attributes & Claims, click edit and select Add new claim. Select Roles as the name and user.assignedroles as Source attribute. This claim will be mapped with roles_key on the Wazuh indexer configuration.

Note the necessary parameters. In the Enterprise applications menu, select your application and then click on Single sign-on. Note some parameters that will be used in the Wazuh indexer configuration.

In option 3 SAML Certificate, the App Federation Metadata Url will be the idp.metadata_url in the Wazuh indexer configuration file.

In option 4 Set up <YOUR APPLICATION>, the Microsoft Entra ID Identifier will be our idp.entity_id.
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0 and the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: https://login.microsoftonline.com/...
              entity_id: https://sts.windows.net/...
            sp:
              entity_id: wazuh-saml
            kibana_url: https://<WAZUH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.......'
        authentication_backend:
          type: noop
Ensure to change the following parameters to their corresponding value:

idp.metadata_url

idp.entity_id

sp.entity_id

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Wazuh dashboard configuration
Create a new role mapping for the backend role. Follow these steps to create a new role mapping, and grant read-only permissions to the backend role.

Log into the Wazuh dashboard as administrator.

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Roles to open the roles page.

Click Create role, complete the empty fields with the following parameters, and then click Create to complete the task.

Name: Assign a name to the role.

Cluster permissions: cluster_composite_ops_ro

Index: *

Index permissions: read

Tenant permissions: Select global_tenant and the Read only option.

Select the newly created role.

Select the Mapped users tab and click Manage mapping.

Under Backend roles, add the value attribute of the app role you created in Microsoft Entra ID and click Map to confirm the action. In our case, the backend role is wazuh-readonly.
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select readonly.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the value attribute of the app role you created in Microsoft Entra ID, in our case, this is wazuh-readonly.

Click Save role mapping to save and map the backend role with Wazuh as read-only.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your Microsoft account.
PingOne

PingOne for Enterprise is an identity-as-a-service (IDaaS) and single sign-on (SSO) platform. It allows enterprises to give their users federated access to applications. In this guide, we integrate the PingOne IdP to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration.

PingOne Configuration

Wazuh indexer configuration

Wazuh dashboard configuration

PingOne Configuration

Create an account in Ping Identity. Request a free trial if you don't have a paid license.

Go to PingOne and sign in with your Ping Identity account.

Create an application in Connections.

Navigate to Connections > Applications > Add Application and give it a name. In our case, the name is wazuh-sso.

Proceed to the Choose Application Type section, and select SAML Application > Configure.

Select Manually Enter on the Provide App Metadata section and add the following configuration, replacing <WAZUH_DASHBOARD_URL> with the corresponding value:

ACS URLs: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs

Entity ID: wazuh-saml

On the Configuration tab, click on the edit icon and add the following information:

SLO ENDPOINT: https://<WAZUH_DASHBOARD_URL>/

SLO BINDING: HTTP Redirect

ASSERTION VALIDITY DURATION: 3600 (for one hour token validity)

VERIFICATION CERTIFICATE (OPTIONAL): Load a PUBLIC CERTIFICATE that corresponds to the PRIVATE KEY that is going to be used on the sp.signature_private_key_filepath of the config.yml configuration file on the Wazuh indexer instance. This is necessary as all the logout requests must be signed.

Click on the Attribute Mappings tab, select the edit icon, click on Add and insert the following configuration:

Roles = Group Names

The Roles attribute will be used later as the sp.entity_id in the Wazuh indexer configuration file.

Click on the Required checkbox, and click on Save.

Create a group and assign users.

Navigate to Identities > Groups, and click on the + sign. Select the name of the Group, in this case, wazuh-readonly.

To assign users, open the created Group, go to the Users tab and select Add Individually. Add all the members that must log in to the Wazuh dashboard, and click on Save when done.

Activate the application and note the necessary parameters.

Navigate to Connections, select Applications, and enable the application.

Take note of the following parameters from the configuration page of the application. This information will be used in the next step.

ISSUER ID: It'll be in the form https://auth.pingone.com/...

IDP METADATA URL: It’ll be in the form https://auth.pingone.com/...
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Place the private key file within the /etc/wazuh-indexer/opensearch-security/ directory. Set the file ownership to wazuh-indexer using the following command:
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/securityconfig/PRIVATE_KEY
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0 and the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: IDP METADATA URL
              entity_id: ISSUER ID
            sp:
              entity_id: wazuh-saml
              signature_private_key_filepath: /etc/wazuh-indexer/opensearch-security/PRIVATE_KEY
              forceAuthn: true
            kibana_url: https://<WAZUH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.......'
        authentication_backend:
          type: noop
Ensure to change the following parameters to their corresponding value:

idp.metadata_file

idp.entity_id

sp.entity_id

sp.signature_private_key_filepath

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Wazuh dashboard configuration
Create a new role mapping for the backend role. Follow these steps to create a new role mapping, and grant read-only permissions to the backend role.

Log into the Wazuh dashboard as administrator.

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Roles to open the roles page.

Click Create role, complete the empty fields with the following parameters, and then click Create to complete the task.

Name: Assign a name to the role.

Cluster permissions: cluster_composite_ops_ro

Index: *

Index permissions: read

Tenant permissions: Select global_tenant and the Read only option.

Select the newly created role.

Select the Mapped users tab and click Manage mapping.

Under Backend roles, add the name of the group you created in PingOne and click Map to confirm the action. In our case, the backend role is wazuh-readonly.
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select readonly.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the name you gave to your group in PingOne configuration, in our case, this is wazuh-readonly.

Click Save role mapping to save and map the backend role with Wazuh as read-only.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your Ping One account.
Google

Google Workspace, developed and marketed by Google, is a collection of cloud computing, productivity, and collaboration tools. In this guide, we integrate Google IdP to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration.

Google Configuration

Wazuh indexer configuration

Wazuh dashboard configuration

Google Configuration

Create an account in Google Workspace. A Google Workspace account is required for this configuration. Request a free trial if you don't have a paid license.

Go to https://admin.google.com/ac/apps/unified and sign in with your Google Admin account.

Create an app with Add custom SAML app.

Go to Apps > Web and mobile apps > Add App, then Add custom SAML app. Enter an App name and click CONTINUE.

Take note of the following parameters, as they will be used during the Wazuh indexer configuration:

Entity ID: This will be used later as the idp.entity_id.

Select DOWNLOAD METADATA and place the metadata file in the configuration directory of the Wazuh indexer. The path to the directory is /etc/wazuh-indexer/opensearch-security/.

Select CONTINUE and configure the following:

ACS URL: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs. Replace the Wazuh dashboard URL field with the appropriate URL or IP address.

Entity ID: Use any name here. This will be the sp.entity_id in the Wazuh indexer configuration file. In our case, the value is wazuh-saml.

Leave the remaining parameters with their default values, then select CONTINUE.

Click on ADD MAPPING. Under Employee details, choose Department and under App attributes, type Roles. Click FINISH.

Google doesn't support sending the Group membership attribute as part of the SAML Assertion (as the other Identity Providers do). So in this example, we are going to use Department as the attribute whose value will be used as our roles_key in the Wazuh indexer configuration. In this case, the value for the Department attribute will be stored as Roles.

Turn ON access for everyone.

Select the recently created app and click on User access.

Select ON for everyone and click SAVE.

Define the attribute for users.

Go to Directory then Users.

Select a user, go to User information, then edit Employee information.

Add a value to the Department field, in this example, we add wazuh-readonly, click on SAVE. This value will be used as the backend role in the Wazuh dashboard configuration.
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Place the Google_Metadata.xml file within the /etc/wazuh-indexer/opensearch-security/ directory. Set the file ownership to wazuh-indexer using the following command:
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/Google_Metadata.xml
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0 and the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: '/etc/wazuh-indexer/opensearch-security/Google_Metadata.xml'
              entity_id: 'https://accounts.google.com/o/saml2?idpid=C02…'
            sp:
              entity_id: wazuh-saml
            kibana_url: https://<WAZUH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.......'
        authentication_backend:
          type: noop
Ensure to change the following parameters to their corresponding value:

idp.metadata_file

idp.entity_id

sp.entity_id

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Wazuh dashboard configuration
Create a new role mapping for the backend role. Follow these steps to create a new role mapping, and grant read-only permissions to the backend role.

Log into the Wazuh dashboard as administrator.

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Roles to open the roles page.

Click Create role, complete the empty fields with the following parameters, and then click Create to complete the task.

Name: Assign a name to the role.

Cluster permissions: cluster_composite_ops_ro

Index: *

Index permissions: read

Tenant permissions: Select global_tenant and the Read only option.

Select the newly created role.

Select the Mapped users tab and click Manage mapping.

Under Backend roles, add the value of the Department field you created in Google Workspace and click Map to confirm the action. In our case, the backend role is wazuh-readonly.
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select readonly.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the value of the Department field you created in Google Workspace. In our case, the backend role is wazuh-readonly.

Click Save role mapping to save and map the backend role with Wazuh as read-only.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service using this command:
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your Google Workspace account.
Jumpcloud

Jumpcloud, is a Unified Device and Identity Access Management platform that provides services such as Multi-Factor Authentication (MFA), Single Sign-On, password management, and cloud directory. In this guide, we integrate the Jumpcloud SSO to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration.

Jumpcloud Configuration

Wazuh indexer configuration

Wazuh dashboard configuration

Jumpcloud Configuration

Create an account in Jumpcloud. Request a free trial if you don't have a paid license.

Create a new user. This step can be skipped if you are just testing, you can use your Jumpcloud admin user for example.

Go to User Management, click on Users > (+) > Manual user entry. Fill in the user information, activate the user and click on save user.

Create a new group and assign the user.

Go to User Management > User Groups > (+) and give a name to the group. In our case, this is wazuh-readonly.

The name you give to your group will be used in the configuration. It will be our backend_roles in roles_mapping.yml.

In the selected User Groups, go to the Users tab, select the newly created user and Save the changes.

Create a new app. Configure the SAML settings while you create the app.

Under the User Authentication section, go to SSO Applications, click + Add New Application, and select Custom Application.

Complete the Create New Application Integration page with the appropriate information.

Click Next on the Select Application page.

Check the Manage Single Sign-On (SSO) and Configure SSO with SAML options on the Select Options page. Click Next to proceed to the next step.

Assign a Display Label to the application, and click the Show this application in User Portal checkbox on the Enter General Info page. Click Save Application to apply the settings.

Click Configure Application on the Review page.

Complete the SSO tab with the appropriate information.

IdP Entity ID: wazuh (this will be the idp.entity_id in our Wazuh indexer configuration).

SP Entity ID: wazuh-saml (this will be the sp.entity_id in our Wazuh indexer configuration).

ACS URL: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs

Check Sign Assertion.

Check Declare Redirect Endpoint.

Check include group attribute and add Roles as the attribute. This will be used later in the config.yml configuration file.

The rest of the options can be left as their default values.

On the User Groups tab, select the Group created previously and click save.

Note the necessary parameters from the SAML settings of the new app.

Open the recently created application and go to the SSO tab, select Export Metadata. This will be our metadata_file. Place the metadata file in the configuration directory of the Wazuh indexer. The path to the directory is /etc/wazuh-indexer/opensearch-security/.
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Place the metadata_jumpcloud.xml file within the /etc/wazuh-indexer/opensearch-security/ directory. Set the file ownership to wazuh-indexer using the following command:
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/metadata_jumpcloud.xml
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0 and the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: '/etc/wazuh-indexer/opensearch-security/metadata_jumpcloud.xml'
              entity_id: wazuh
            sp:
              entity_id: wazuh-saml
              forceAuthn: true
            kibana_url: https://<WAZUH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.......'
        authentication_backend:
          type: noop
Ensure to change the following parameters to their corresponding value:

idp.metadata_file

idp.entity_id

sp.entity_id

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Wazuh dashboard configuration
Create a new role mapping for the backend role. Follow these steps to create a new role mapping, and grant read-only permissions to the backend role.

Log into the Wazuh dashboard as administrator.

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Roles to open the roles page.

Click Create role, complete the empty fields with the following parameters, and then click Create to complete the task.

Name: Assign a name to the role.

Cluster permissions: cluster_composite_ops_ro

Index: *

Index permissions: read

Tenant permissions: Select global_tenant and the Read only option.

Select the newly created role.

Select the Mapped users tab and click Manage mapping.

Under Backend roles, add the name of the group you created in JumpCloud and click Map to confirm the action. In our case, the backend role is wazuh-readonly.
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select readonly.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the name of the group you created in JumpCloud. In our case, the backend role is wazuh-readonly.

Click Save role mapping to save and map the backend role with Wazuh as read-only.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your Jumpcloud account.
OneLogin

OneLogin is a cloud-based identity and access management provider that provides a unified access management platform to enterprise-level businesses and organizations. In this guide, we integrate the OneLogin SSO to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration.

OneLogin Configuration

Wazuh indexer configuration

Wazuh dashboard configuration

OneLogin Configuration

Create an account in OneLogin. Request a free trial if you don't have a paid license.

Add the OneLogin extension to your browser.

Create a new user.

Log in to OneLogin web console, and select Administration > Users > New User.

Complete the mandatory fields, assign a value in the Department field and click on Save User. In our case, the department is wazuh-readonly. This field will be used later in the Wazuh indexer configuration as the backend role.

Select the user, navigate to More Actions and click on Change Password to assign a password to the user.

Create a new app using the SAML Custom Connector (Advanced) template and configure the SAML settings.

Go to Applications tab > Applications and then click on Add app.

Search for SAML Custom Connector (Advanced) application. In Display Name, assign a name. In our case, we assigned the name Wazuh. Navigate to the Configuration tab and fill in the information:

Audience (EntityID): wazuh-saml

Recipient: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs

ACS (Consumer) URL Validator: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs

ACS (Consumer) URL: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs

Login URL: https://<WAZUH_DASHBOARD_URL>

SAML initiator: Service Provider

SAML nameID format: Unspecified

SAML issuer type: Specific

SAML signature element: Response

Replace the <WAZUH_DASHBOARD_URL> field with the corresponding URL of your Wazuh dashboard instance.

The configuration must be similar to the highlighted blue rectangles:

Go to the Parameters tab and click on + to add a new parameter to the app:

Edit the parameter details. In our case, we named the new parameter as Roles, then we selected the value Department and marked the Include in SAML assertion checkbox. The rest of the app configuration is left as default.

Click on Save to apply the configuration.

Add the created user to the new app.

Go to Users and select the created user. Go to Applications and click on +, select the Allow the user to sign in checkbox, and click on Save.

Get the metadata_onelogin.xml file from the application.

Go to Applications > Applications then select the Wazuh app. Click on More Actions and then select SAML Metadata.

Save the file as XML. This will be the idp.metadata_file in the Wazuh indexer security configuration.

The Issuer URL will be the idp.entity_id in the Wazuh indexer security configuration.

The Audience (EntityID) will be the sp.entity_id in the Wazuh indexer security configuration.

The roles_key is the name of the parameter added in the Wazuh app. In our example, this is Roles.
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Place the metadata_onelogin.xml file within the /etc/wazuh-indexer/opensearch-security/ directory. Set the file ownership to wazuh-indexer using the following command:
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/metadata_onelogin.xml
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0 and the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain2:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: '/etc/wazuh-indexer/opensearch-security/metadata_onelogin.xml'
              entity_id: 'https://app.onelogin.com/saml/metadata/xxxxxxx'
            sp:
              entity_id: wazuh-saml
            kibana_url: https://<WAZUH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241......'
        authentication_backend:
          type: noop
...
Ensure to change the following parameters to their corresponding value:

idp.metadata_file

idp.entity_id

sp.entity_id

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Wazuh dashboard configuration
Create a new role mapping for the backend role. Follow these steps to create a new role mapping, and grant read-only permissions to the backend role.

Log into the Wazuh dashboard as administrator.

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Roles to open the roles page.

Click Create role, complete the empty fields with the following parameters, and then click Create to complete the task.

Name: Assign a name to the role.

Cluster permissions: cluster_composite_ops_ro

Index: *

Index permissions: read

Tenant permissions: Select global_tenant and the Read only option.

Select the newly created role.

Select the Mapped users tab and click Manage mapping.

Under Backend roles, add the value of the Department field in OneLogin configuration and click Map to confirm the action. In our case, the backend role is wazuh-readonly.
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select readonly.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the value of the Department field in OneLogin configuration. In our case, this is wazuh-readonly.

Click Save role mapping to save and map the backend role with Wazuh as read-only.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service.
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your OneLogin account.
Keycloak

Keycloak is an open source identity and access management tool. It provides user federation, strong authentication, user management, and fine-grained authorization for modern applications and services. In this guide, we integrate the KeyCloak IdP to authenticate users into the Wazuh platform.

There are three stages in the single sign-on integration:

KeyCloak configuration

Wazuh indexer configuration

Wazuh dashboard configuration

KeyCloak configuration

Create a new realm. Log in to the Keycloak admin console, expand the master drop-down menu and click Add Realm. Input a name in the Realm name field; in our case, this is named Wazuh. Click on Create to apply this configuration.

Create a new client. In the newly created realm, navigate to Clients > Create Client and modify the following parameters:

Client type: select SAML from the drop-down menu.

Client ID: input wazuh-saml. This is the SP Entity ID value which will be used later in the config.yml on the Wazuh indexer instance.

You can leave the rest of the values as default. Click Save to apply the configuration.

Configure client settings.

Navigate to Clients > Settings and ensure the Enabled button is turned on. Complete the section with these parameters:

Client ID: wazuh-saml

Name: Wazuh SSO

Valid redirect URIs: https://<WAZUH_DASHBOARD_URL>/*

IDP-Initiated SSO URL name: wazuh-dashboard

Name ID format: username

Force POST binding: ON

Include AuthnStatement: ON

Sign documents: ON

Sign assertions: ON

Signature algorithm: RSA_SHA256

SAML signature key name: KEY_ID

Canonicalization method: EXCLUSIVE

Front channel logout: ON

Replace the <WAZUH_DASHBOARD_URL> field with the corresponding URL of your Wazuh dashboard instance.

The configuration must be similar to the highlighted blue rectangles:

You can leave the rest of the values as default. Click Save to apply the configuration.

Navigate to Clients > Keys and complete the section with these parameters:

Client signature required: Off

Navigate to Clients > Advanced > Fine Grain SAML Endpoint Configuration and complete the section with these parameters:

Assertion Consumer Service POST Binding URL: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs/idpinitiated

Logout Service Redirect Binding URL: https://<WAZUH_DASHBOARD_URL>

You can leave the rest of the values as default. Click Save to apply the configuration.

Create a new role. Navigate to Realm roles > Create role and complete the section with these parameters:

Role name: Input wazuh-readonly. This will be our backend role in the Wazuh indexer configuration.

Click on Save to apply the configuration.

Create a new user.

Navigate to Users > Add user and fill in the required information.

Click on Create to apply the configuration.

Navigate to Users > Credentials > Set password and input a password for the newly created user. You will use these credentials to log in to the Wazuh dashboard.

Click on Save to apply the configuration.

Create a new group and assign the user.

Go to Groups > Create group and assign a name to the group. In our case, this is Wazuh read only.

Click on the newly created group, navigate to Members > Add member and select the user created in the previous step. Click on Add to add it to the group.

In the newly created group details, go to Role Mapping > Assign role and select the wazuh-readonly role created in step 3. Click on Assign to apply the configuration.

Configure protocol mapper.

Navigate to Client scopes > role_list > Mappers > Configure a new mapper.

Select Role list from the list as seen below:

Complete the Add mapper section with these parameters:

Mapper type: Role list

Name: wazuhRoleKey. You can use any name here.

Role attribute name: Roles. This will be the roles_key on the Wazuh indexer configuration.

SAML Attribute NameFormat: Basic

Single Role Attribute: On

Click on Save to apply the configuration.

Note the necessary parameters from the SAML settings of Keycloak.

The parameters already obtained during the integration are:

sp.entity_id: wazuh-saml

roles_key: Roles

kibana_url: https://<WAZUH_DASHBOARD_URL>

To obtain the remaining parameters.

Navigate to Clients and select the name of your client. In our case, this is wazuh-saml.

Navigate to Action > Download adapter config, and ensure the Format option is Mod Auth Mellon files.

Click on Download to download the remaining files.

The downloaded files contain the idp.metadata.xml file and the sp.metadata.xml file.

The idp.entityID parameter is in the idp.metadata.xml file.
Wazuh indexer configuration

Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
Generate a 64-character long random key using the following command.
openssl rand -hex 32
The output will be used as the exchange_key in the /etc/wazuh-indexer/opensearch-security/config.yml file.
Place the idp.metadata.xml and sp.metadata.xml files within the /etc/wazuh-indexer/opensearch-security/ directory. Set the file ownership to wazuh-indexer using the following command:
chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/idp.metadata.xml
chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/sp.metadata.xml
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the following values:

Set the order in basic_internal_auth_domain to 0, and set the challenge flag to false.

Include a saml_auth_domain configuration under the authc section similar to the following:
    authc:
...
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: '/etc/wazuh-indexer/opensearch-security/idp.metadata.xml'
              entity_id: 'http://192.168.XX.XX:8080/realms/Wazuh'
            sp:
              entity_id: wazuh-saml
              metadata_file: '/etc/wazuh-indexer/opensearch-security/sp.metadata.xml'
            kibana_url: https://<WAZUH_DASHBOARD_ADDRESS>
            roles_key: Roles
            exchange_key: 'b1d6dd32753374557dcf92e241.......'
        authentication_backend:
          type: noop
Ensure to change the following parameters to their corresponding value:

idp.metadata_file

idp.entity_id

sp.entity_id

sp.metadata_file

kibana_url

roles_key

exchange_key
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Wazuh dashboard configuration
Create a new role mapping for the backend role. Follow these steps to create a new role mapping, and grant read-only permissions to the backend role.

Log into the Wazuh dashboard as administrator.

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Roles to open the roles page.

Click Create role, complete the empty fields with the following parameters, and then click Create to complete the task.

Name: Assign a name to the role.

Cluster permissions: cluster_composite_ops_ro

Index: *

Index permissions: read

Tenant permissions: Select global_tenant and the Read only option.

Select the newly created role.

Select the Mapped users tab and click Manage mapping.

Under Backend roles, add the value of the Role name attribute in Keycloak configuration and click Map to confirm the action. In our case, the backend role is wazuh-readonly.
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select readonly.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles

Search operation: FIND

Value: Assign the value of the realm role in Keycloak configuration. In our case, this is wazuh-readonly.

Click Save role mapping to save and map the backend role with Wazuh as read-only.
Edit the Wazuh dashboard configuration file. Add these configurations to /etc/wazuh-dashboard/opensearch_dashboards.yml. We recommend that you back up these files before you carry out the configuration.
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
Restart the Wazuh dashboard service using this command:
# systemctl restart wazuh-dashboard
# service wazuh-dashboard restart
Test the configuration. Go to your Wazuh dashboard URL and log in with your Keycloak account.
LDAP integration

Lightweight Directory Access Protocol (LDAP) is often used for centralizing user authentication and authorization data. It is also used to store structured data such as employee records, contact information, and more. LDAP can handle both authentication and authorization of users accessing the Wazuh dashboard.

Authentication is the process of verifying the identity of users or systems to ensure that they provide valid credentials, such as username and password. Authorization, on the other hand, is granting access to a user or system based on their identity. It retrieves the backend roles for the user and determines what actions they are allowed to perform on the Wazuh dashboard.

In this section, we outline the required configuration to integrate LDAP with the Wazuh platform. The guide assumes you already have an LDAP server or Microsoft Active Directory.

Required parameters

The following parameters are required to make the configurations on the Wazuh indexer instance:

hosts: This is your LDAP server and its port (by default it is 389 for LDAP and 636 for LDAP over SSL).

bind_dn: The credential to authenticate to your LDAP server.

password: The password to authenticate to your LDAP server.

enable_ssl: Specifies whether to use LDAP over SSL (LDAPS). This can be set to true or false.

pemtrustedcas_filepath: The absolute path to the Privacy Enhanced Mail (PEM) file containing the root Certificate Authority (CA) of your Active Directory/LDAP server. This is required when enable_ssl is set to true.

userbase: Specifies the subtree in the directory where user information is stored.

usersearch: The actual LDAP query that the Security plugin executes when trying to authenticate a user.

username_attribute: The Security plugin uses this attribute of the directory entry to look for the user name. If set to null, the Distinguished Name (DN) is used (default).

rolebase: Specifies the subtree in the directory where role/group information is stored.

rolesearch: The actual LDAP query that the Security plugin executes when trying to determine the roles of a user.

userrolename: If the roles/groups of a user are not stored in the groups subtree, but as an attribute of the user’s directory entry, define this attribute name here.

rolename: The attribute of the role entry that should be used as the role name.

skip_users: Array of users that should be skipped when retrieving roles. Wildcards and regular expressions are supported.

Note

The LDAP attribute types such as Common Name (CN), Organizational Unit (OU), Distinguished Name (DN), and Domain Component (DC) used in this integration are from a test LDAP server. Replace them with the corresponding values from your LDAP server.

It is recommended to clear the browser cache and cookies before the integration is carried out.

The securityadmin script has to be executed with root user privileges.

You need an account with administrator privileges on the Wazuh dashboard.

LDAP server configuration

Depending on your LDAP server configuration, you need to create users and groups or use existing ones. You also have to obtain some information from your AD/LDAP server:

Create an OU for the Users (or use an already created OU). Get the DN of the OU, in our example: ou=people,dc=example,dc=org.

Create an OU for the Group(s) (or use an already created OU). Get the DN of the OU, in our example: ou=Groups,dc=example,dc=org.

Create a user with sufficient privileges to bind to the service. Get the DN of the user, in our example, this is cn=admin,dc=example,dc=org.

Create a group where the users with access to Wazuh will be placed, in our example this is the Administrator and readonly groups.

Get the FQDN of the LDAP server or Domain Controller.
Authentication and authorization configuration

The auhtc section of the Wazuh indexer security configuration file handles authentication, while the authz section handles authorization. We recommend that you back up the /etc/wazuh-indexer/opensearch-security/config.yml file before you carry out this configuration.
Save the LDAP server certificate. If you don’t have access to the root CA file of the LDAP server, run the following command on the Wazuh indexer node to retrieve the certificate. Replace <FQDN_LDAP_SERVER> with the Fully Qualified Domain Name of your LDAP server:
$ echo -n | openssl s_client -connect <FQDN_LDAP_SERVER>:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapcacert.pem
The command copies everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (including these delimiters) and saves it in a new text file.
Place the certificate file within the /etc/wazuh-indexer/opensearch-security/ directory. Set the file ownership to wazuh-indexer using the following command:
chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/ldapcacert.pem
Edit the /etc/wazuh-indexer/opensearch-security/config.yml file and change the appropriate values.
Under the authc section, modify the LDAP configuration. Your configuration should be similar to this:
authc:
  ldap:
    description: "Authenticate via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: false
    order: 5
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: ldap
      config:
        enable_ssl: true #Set to true if LDAPS is enabled, otherwise set to false.
        pemtrustedcas_filepath: /etc/wazuh-indexer/opensearch-security/ldapcacert.pem #Required when enable_ssl is set to true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
        - <FQDN_LDAP_SERVER>:636 #Port 389 for LDAP, 636 for LDAPS
        bind_dn: cn=admin,dc=example,dc=org
        password: <PASSWORD>
        userbase: 'ou=people,dc=example,dc=org'
        usersearch: (cn={0})  #Depending on your LDAP schema this can be CN, sAMAccountName, etc
        username_attribute: cn
Under the authz section, modify the LDAP configuration. Your configuration should be similar to this:
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: true #Set to true if LDAPS is enabled, otherwise set to false.
        pemtrustedcas_filepath: /etc/wazuh-indexer/opensearch-security/ldapcacert.pem #Required when enable_ssl is set to true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
        - <FQDN_LDAP_SERVER>:636 #Port 389 for LDAP, 636 for LDAPS
        bind_dn: cn=admin,dc=example,dc=org
        password: <PASSWORD>
        userbase: 'ou=people,dc=example,dc=org'
        usersearch: (cn={0}) #Depending on your LDAP schema this can be cn, sAMAccountName, etc
        username_attribute: cn
        rolebase: ou=Groups,dc=example,dc=org #This is the subtree in the directory that contains the role/group
        rolesearch: '(member={0})' #Depending on your LDAP schema this can be member, memberOf, etc
        userrolename: memberof
        rolename: cn
        skip_users:
          - admin
          - kibanaserver
Change the following parameters to their corresponding value:

pemtrustedcas_filepath

hosts

bind_dn

password

userbase

usersearch

username_attribute

rolebase

rolesearch

userrolename

rolename
Run the securityadmin script to load the configuration changes made in the config.yml file.
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.6.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /home/wazuh
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
SUCC: Expected 1 config types for node {"updated_config_types":["config"],"updated_config_size":1,"message":null} is 1 (["config"]) due to: null
Done with success
Map LDAP role to Wazuh dashboard

LDAP can be used for authorization by retrieving the backend roles associated with a user. This backend role can be used to determine the access privileges of a user on the Wazuh dashboard. In this section, we map the LDAP roles to the administrator and read-only roles on the Wazuh dashboard.

Setup administrator role

Setup read-only role
Setup administrator role

Follow these steps to create a new role mapping and grant administrator permissions to the backend role.
Configure the roles_mapping.yml file to map the role (CN) we have in our LDAP server to the appropriate Wazuh indexer role. In our case, we map users in the Administrator group in LDAP to the all_access role on Wazuh indexer.

Edit the /etc/wazuh-indexer/opensearch-security/roles_mapping.yml file and change the following values:
all_access:
  reserved: false
  hidden: false
  backend_roles:
  - "admin"
  - "Administrator"
  description: "Maps admin to all_access"
Run the securityadmin script to load the configuration changes made in the roles_mapping.yml file:
# export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
The -h flag specifies the hostname or the IP address of the Wazuh indexer node. Note that this command uses 127.0.0.1, set your Wazuh indexer address if necessary.

The command output must be similar to the following:
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.6.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Done with success
SUCC: Expected 1 config types for node {"updated_config_types":["rolesmapping"],"updated_config_size":1,"message":null} is 1 (["rolesmapping"]) due to: null
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select administrator.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles.

Search operation: FIND.

Value: Assign the name of your backend role in your LDAP server. In our case, this is a group named Administrator which contains users with administrator roles

Click Save role mapping to save and map the backend role with Wazuh as administrator.
Restart the Wazuh dashboard service using this command:
# systemctl restart wazuh-dashboard
Test the configuration. To test the configuration, go to your Wazuh dashboard URL and log in with your LDAP details.
Setup read-only role
Follow these steps to create a new role mapping and grant read-only permissions to the backend role.

Log into the Wazuh dashboard as administrator.

Click the upper-left menu icon ☰ to open the options, go to Indexer management > Security, and then Roles to open the roles page.

Click Create role, complete the empty fields with the following parameters, and then click Create to complete the task.

Name: Assign a name to the role.

Cluster permissions: cluster_composite_ops_ro

Index: *

Index permissions: read

Tenant permissions: global_tenant and select the Read only option.

Select the newly created role.

Select the Mapped users tab and click Manage mapping.

Under Backend roles, assign the name of the read-only role you have in your LDAP server and click on Map to confirm the action. In our case, the backend role (CN) is readonly.
Check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. If run_as is set to false, proceed to the next step.
hosts:
  - default:
      url: https://127.0.0.1
      port: 55000
      username: wazuh-wui
      password: "<WAZUH_WUI_PASSWORD>"
      run_as: false
If run_as is set to true, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:

Click the upper-left menu icon ☰ to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

Click Create Role mapping and complete the empty fields with the following parameters:

Role mapping name: Assign a name to the role mapping.

Roles: Select readonly.

Custom rules: Click Add new rule to expand this field.

User field: backend_roles.

Search operation: FIND.

Value: Assign the name of your backend role in your LDAP server. In our case, this is a group named readonly which contains users with read only roles.

Click Save role mapping to save and map the backend role with Wazuh as read-only.
Restart the Wazuh dashboard service using this command:
# systemctl restart wazuh-dashboard
Test the configuration. To test the configuration, go to your Wazuh dashboard URL and log in with your LDAP details.

Capabilities

This section shows detailed explanation of the Wazuh capabilities and their configuration options.

File integrity monitoring

File Integrity Monitoring (FIM) is a security process used to monitor the integrity of system and application files. FIM is an important security defense layer for any organization monitoring sensitive assets. It provides protection for sensitive data, application, and device files by monitoring, routinely scanning, and verifying their integrity. It helps organizations detect changes to critical files on their systems which reduces the risk of data being stolen or compromised. This process can save time and money in lost productivity, lost revenue, reputation damage, and legal and regulatory compliance penalties.

Wazuh has a built-in capability for file integrity monitoring. The Wazuh FIM module monitors files and directories and triggers an alert when a user or process creates, modifies, and deletes monitored files. It runs a baseline scan, storing the cryptographic checksum and other attributes of the monitored files. When a user or process changes a file, the module compares its checksum and attributes to the baseline. It triggers an alert if it finds a mismatch. The FIM module performs real-time and scheduled scans depending on the FIM configuration for agents and manager.

Some benefits of the Wazuh FIM capability include change management, threat detection and response, and regulatory compliance as follows.

Change management

The Wazuh FIM capability is an essential tool for verifying that the change management processes are working correctly. This Wazuh capability allows you to examine files to see if they change, how and when they change, and who or what changes them. The Wazuh FIM module compares the baseline information against the information of the latest version of the file. This comparison provides visibility into alterations and updates of critical files. For example, you can use this to detect incorrect updates to applications or unauthorized changes made to configuration files.

Threat detection and response

You can combine FIM with other Wazuh capabilities for threat detection and response. The FIM capability monitors file integrity, detects permission changes, and monitors user and file activities. It provides detailed alerts for quick responses to detected threats.

Regulatory compliance

The FIM capability helps organizations meet regulatory requirements for data security, privacy, and data retention. Monitoring critical files for changes is an important requirement for regulations such as PCI DSS, HIPAA, and GDPR.

Contents

How it works

The FIM module runs periodic scans on specific paths and monitors specific directories for changes in real time. You can set which paths to monitor in the configuration of the Wazuh agents and manager.

FIM stores the files checksums and other attributes in a local FIM database. Upon a scan, the Wazuh agent reports any changes the FIM module finds in the monitored paths to the Wazuh server. The FIM module looks for file modifications by comparing the checksums of a file to its stored checksums and attribute values. It generates an alert if it finds discrepancies.

The Wazuh FIM module uses two databases to collect FIM event data, such as file creation, modification, and deletion data. One is a local SQLite-based database on the monitored endpoint that stores the data in:

C:\Program Files (x86)\ossec-agent\queue\fim\db on Windows.
/var/ossec/queue/fim/db on Linux.
/Library/Ossec/queue/fim/db on macOS.

The other is an agent database on the Wazuh server. The wazuh-db. daemon creates and manages a database for each agent on the Wazuh server. It uses the ID of the agent to identify the database. This service stores the databases at /var/ossec/queue/db.

The FIM module keeps the Wazuh agent and the Wazuh server databases synchronized with each other. It always updates the file inventory in the Wazuh server with the data available to the Wazuh agent. An up-to-date Wazuh server database allows for servicing FIM-related API queries. The synchronization mechanism only updates the Wazuh server with information from the Wazuh agents such as checksums and file attributes that have changed.

The Wazuh agent and manager have the FIM module enabled and pre-configured by default. However, we recommend that you review the configuration of your endpoints to ensure that you tailor the FIM settings, such as monitored paths, to your environment.

From Wazuh 4.13.0, the FIM module only monitors files and directories located on local file systems for Windows. Monitoring of UNC network paths such as \\server\share\folder and mapped drives such as Z:\folder is not supported. Any such paths set in the configuration will be ignored and will not generate FIM events. This change prevents NetNTLMv2 hash theft and remote code execution risks, since accessing files over network shares can expose Windows authentication hashes to attackers via NTLMSSP negotiation.

How to configure the FIM module

The FIM module runs scans on Windows, Linux, and macOS operating systems. There are both global settings and settings that are specific to the operating system of the endpoint. We discuss these settings and the supported operating systems in the Basic settings section of this guide.

You must specify the directories where the FIM module must monitor the creation, modification, and deletion of files or configure the specific files you need to monitor. You can specify the file or directory to monitor on the Wazuh server and the Wazuh agent configuration files. You can also configure this capability remotely using the centralized configuration file.

You have to set the files and directories to monitor with the directories options. You can include multiple files and directories using comma-separated entries or adding entries on multiple lines. You can configure FIM directories using * and ? wildcards in the same way you would use them in a shell or Command Prompt (cmd) terminal. For example, C:\Users\*\Downloads.

Any time the FIM module runs a scan, it triggers alerts if it finds modified files and depending on the changed file attributes. You can view these alerts in the Wazuh dashboard.

Following, you can see how to configure the FIM module to monitor a file and directory. Replace <FILEPATH_OF_MONITORED_FILE> and <FILEPATH_OF_MONITORED_DIRECTORY> with your own filepaths.

Add the following settings to the Wazuh agent configuration file, replacing the directories values with your own filepaths:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
<syscheck>
   <directories><FILEPATH_OF_MONITORED_FILE></directories>
   <directories><FILEPATH_OF_MONITORED_DIRECTORY></directories>
</syscheck>
```
Restart the Wazuh agent with administrator privilege to apply any configuration change:
- Linux: systemctl restart wazuh-agent
- Windows: Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control restart
Note

If you specify a directory both in a centralized configuration and on the configuration file of the Wazuh agent, the centralized configuration takes precedence and overrides the local configuration.

From Wazuh 4.13.0, the FIM module does not support monitoring UNC network paths or mapped network drives on Windows. Only local file system paths are supported.

Interpreting the FIM module analysis

FIM analysis results appear on the Wazuh dashboard whenever there’s an addition, modification, or deletion of monitored files. You can view the FIM results in three different sections of the dashboard. To view results from the FIM module, navigate to File Integrity Monitoring on the Wazuh dashboard. The results are in the following sections:

Inventory
Dashboard
Events

Inventory

This section displays an inventory of all files that the FIM module has indexed. The FIM database contains the inventory information including the filename, last modification date, user, user id, group, and file size. The image below shows the file inventory of an Ubuntu 22.04 endpoint.

You can click a file entry to view the entry details such as the last time the FIM module analyzed the file and the file attributes. You can also view FIM alerts related to the file. The image below shows this information for the /etc/resolv.conf file.

Dashboard

The dashboard section shows an overview of the analysis results of the Wazuh FIM module for:

All agents within an infrastructure.
A selected agent within an infrastructure.

You can view an example of the overview of FIM scan results for all monitored endpoints in the image below.

You can view an example of the overview of FIM scan results for an Ubuntu endpoint in the image below.

Events

This section shows the alerts the Wazuh FIM module triggered. Here you can see details such as the agent name, the file path of the monitored file, the type of FIM event, a description of the alert, and the rule level of the alert.

In addition, you can expand each alert entry to display additional information about the event that triggered the alert.

Basic settings

You can configure the FIM capability on the Wazuh server and the Wazuh agent. A default FIM configuration exists on both the Wazuh server and the Wazuh agent. You can modify these settings depending on your needs.

You can configure the FIM module on the Wazuh server and the Wazuh agent configuration file. You can also configure this capability remotely using the centralized configuration file. The list of all FIM configuration options is available in the syscheck section.

In this guide, we show different configuration options that the Wazuh FIM module supports.

Real-time monitoring

The realtime attribute enables real-time/continuous monitoring of directories on Windows and Linux endpoints only.

To monitor files in real time, configure the FIM module with the realtime attribute of the directories option. The allowed values for the realtime attribute are yes and no, and it only works with directories, not individual files. Real-time change detection is paused during scheduled FIM module scans and reactivates as soon as these scans are complete.

Below, you can see how to configure the FIM module to monitor a directory in real time. Replace <FILEPATH_OF_MONITORED_DIRECTORY> with your own filepath.

Note

When specifying a directory for real time monitoring, it must exist before restarting the Wazuh agent. If not, the module ignores the directory until it finds it on a subsequent restart of the Wazuh agent.

From Wazuh 4.13.0, the FIM module does not support monitoring UNC network paths or mapped network drives on Windows. Only local file system paths are supported. This restriction applies to all monitoring modes (realtime, scheduled, and whodata) on Windows.

Add the following settings to the Wazuh agent configuration file:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
```
   <syscheck>
      <directories realtime="yes"><FILEPATH_OF_MONITORED_DIRECTORY></directories>
   </syscheck>
```
Restart the Wazuh agent with administrator privilege to apply any configuration change:
- Linux: systemctl restart wazuh-agent
- Windows: Restart-Service -Name wazuh

Record file attributes

When you configure the FIM module to monitor specific files and directories, it records the metadata of the files and monitors them. You can use the directories option to set the specific file metadata that the FIM module must collect and ignore. The directories option supports several attributes.

The table below describes the supported attributes the FIM module records.

Attribute

Default value

Allowed values

Description

check_all

yes

yes, no

Records the values of all attributes below.

check_sum

yes

yes, no

Records the MD5, SHA-1 and SHA-256 hashes of the files. Same as using check_md5sum="yes", check_sha1sum="yes", and check_sha256sum="yes" at the same time.

check_sha1sum

yes

yes, no

Records the SHA-1 hash of the files.

check_md5sum

yes

yes, no

Records the MD5 hash of the files.

check_sha256sum

yes

yes, no

Records the SHA-256 hash of the files.

check_size

yes

yes, no

Records the size of the files.

check_owner

yes

yes, no

Records the owner of the files in Linux.

check_group

yes

yes, no

Records the group owner of the files/directories. On Windows, gid is always 0 and the group name is blank.

check_perm

yes

yes, no

Records the permission of the files/directories. On Windows, a list of denied and allowed permissions is recorded for each user or group. It works on Linux and Windows with NTFS partitions.

check_attrs

yes

yes, no

Records the attributes of files in Windows.

check_mtime

yes

yes, no

Records the modification time of a file.

check_inode

yes

yes, no

Records the file inode on Linux.

check_device

yes

yes, no

Records the device on Linux.

When there is a conflict between options that modify the same attribute, the last one configured takes precedence. For instance, the following configuration sets the option check_mtime to yes:

<directories check_all="no" check_mtime="yes">/etc</directories>

While the following configuration disables recording of all attributes including the modification time check.

<directories check_mtime="yes" check_all="no">/etc</directories>

You can see below an example configuration of how to disable the recording of SHA-1 hash of a monitored file. Replace <FILEPATH_OF_MONITORED_FILE> with your own filepath.

Add the following settings to the Wazuh agent configuration file:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
   <syscheck>
      <directories check_sha1sum="no"><FILEPATH_OF_MONITORED_FILE></directories>
   </syscheck>
```
Restart the Wazuh agent with administrator privilege to apply any configuration change:
- Linux: systemctl restart wazuh-agent
- Windows: Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control Restart

Note

Specified files or directories created after the initial FIM scan will be added for monitoring during the next scheduled scan.

Scheduled scans

To modify the schedule of the FIM module scans, you can configure the <frequency> option of the Wazuh FIM module. This option defines the period between FIM scans. You can alternatively configure the scans to run at a specific time and day of the week using the scan_time and the scan_day options. Scheduled scans prevent alert flooding when monitoring frequently updated files such as log files.

The FIM module runs scans every 12 hours (43200 seconds) by default. In the following configuration example, you can see how to set the FIM module to run scans every 15 minutes (900 seconds).

Add the following settings to the Wazuh agent configuration file:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
<syscheck>
   <frequency>900</frequency>
</syscheck>
```
Restart the Wazuh agent with administrator privilege to apply any configuration change:
- Linux: systemctl restart wazuh-agent
- Windows: Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control restart
Alternatively, you can schedule the scans using the scan_time and the scan_day options. Configuring FIM using these options helps to set up FIM scans outside business hours.

The configuration example below shows you how to run the scans of the specified directories every Saturday at 10 pm.
Add the following settings to the Wazuh agent configuration file:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
<syscheck>
   <scan_time>10pm</scan_time>
   <scan_day>saturday</scan_day>
</syscheck>
```
Restart the Wazuh agent with administrator privilege to apply any configuration change:
- Linux: systemctl restart wazuh-agent
- Windows: Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control restart

Report changes in file values

The report_changes attribute allows the FIM module to report the exact content changed in a text file. This records the text added to or deleted from a monitored file. You can configure this functionality by enabling the report_changes attribute of the directories options. The allowed values for this attribute are yes and no. It works with both directories and individual files on Windows, macOS, and Linux endpoints.

You must use the report_changes attribute with caution when you enable this option. Wazuh copies every monitored file to a private location increasing storage usage. You can find the copy of the files at:

/var/ossec/queue/diff/local/ on Linux.
Library/Ossec/queue/diff/local/ on macOS.
C:\Program Files (x86)\ossec-agent\queue\diff\local\ on Windows.

Below, you can see how to configure the FIM module to report file changes. Replace <FILEPATH_OF_MONITORED_FILE> with your own filepath.

Add the following settings to the Wazuh agent configuration file:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
<syscheck>
   <directories check_all="yes" report_changes="yes"><FILEPATH_OF_MONITORED_FILE></directories>
</syscheck>
```
Restart the Wazuh agent with administrator privilege to apply the configuration changes:
- Linux: systemctl restart wazuh-agent
- Windows: Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control restart
In the configuration example below, you can see how to use the report_changes attribute for all files in the <FILEPATH_OF_MONITORED_DIRECTORY> directory. You can see how to prevent the FIM module from reporting the exact content changes to the <FILEPATH_OF_MONITORED_DIRECTORY>/private.txt file. Replace <FILEPATH_OF_MONITORED_DIRECTORY> with your own filepath.

When using the report_changes option, you can use the nodiff option to create an exception. This option alerts modifications of the file but it prevents the Wazuh FIM module from reporting the exact content changed in a text file. Using the nodiff option avoids data leakage that might occur by sending the file content changes through alerts.

Add the following settings to the Wazuh agent configuration file:

Linux: /var/ossec/etc/ossec.conf
Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
macOS: /Library/Ossec/etc/ossec.conf

<syscheck>
   <directories check_all="yes" report_changes="yes"><FILEPATH_OF_MONITORED_DIRECTORY></directories>
   <nodiff><FILEPATH_OF_MONITORED_DIRECTORY>/private.txt</nodiff>
</syscheck>

Restart the Wazuh agent with administrator privilege to apply the configuration changes:
- Linux: systemctl restart wazuh-agent
- Windows: Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control restart

Adding exclusions

You can configure the FIM module to ignore alerting of certain files and directories using either of two methods:

Using the ignore option

You can use the ignore option to ignore a path. It allows one entry of either file or directory per line. However, you can use multiple lines to add exclusions for multiple paths.

In this example, you can see how to configure the FIM module to ignore a filepath. This also ignores the regex match for the file extensions .log and .tmp. Replace <FILEPATH_OF_MONITORED_FILE> with your own filepaths.

Add the following settings to the Wazuh agent configuration file:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
<syscheck>
   <ignore><FILEPATH_OF_MONITORED_FILE></ignore>
   <ignore type="sregex">.log$|.tmp$</ignore>
</syscheck>
```
Restart the Wazuh agent with administrator privilege to apply any configuration change:
- Linux: systemctl restart wazuh-agent
- Windows: Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control restart

Using custom rules

An alternative method is using rules of alert level 0. This method ignores the alerting of specific files and directories scanned by the FIM module. Alerts for level 0 rules are silent and the Wazuh server doesn’t report them.

In the configuration example below, you can see how to monitor the /var/www/htdocs/ directory on a Linux endpoint and use silent alerts for the /var/www/htdocs/private.html file.

Linux endpoint

Add the following settings to the Wazuh agent /var/ossec/etc/ossec.conf configuration file:
```
<syscheck>
   <directories>/var/www/htdocs</directories>
</syscheck>
```
Restart the Wazuh agent with administrator privilege to apply any configuration change:
```
# systemctl restart wazuh-agent
```

Wazuh server

Create the fim_ignore.xml file in the /var/ossec/etc/rules/ directory on the Wazuh server:
```
# touch /var/ossec/etc/rules/fim_ignore.xml
```

Add the following rules to the fim_ignore.xml file:

<group name="syscheck">
  <rule id="100345" level="0">
    <if_group>syscheck</if_group>
    <field name="file">/var/www/htdocs/private.html</field>
    <description>Ignore changes to $(file)</description>
  </rule>
</group>

The rule silences the FIM alert for the /var/www/htdocs/private.html file.

Restart the Wazuh manager to apply the configuration changes:
```
# systemctl restart wazuh-manager
```

Creating custom FIM rules

Wazuh includes out-of-the-box rules that trigger alerts on the creation, modification, or deletion of monitored files. The image below shows alerts for file addition, modification, and deletion.

You can use custom Wazuh FIM rules to monitor changes to files and directories based on specific criteria such as filename, permissions, and content. For example, you can create a custom rule to detect changes to a critical system file or configuration file. Whenever a user or process modifies the file, Wazuh triggers a specific alert indicating the change and the details of the modification.

Creating custom FIM rules can extend the out-of-the-box detection capability of the Wazuh FIM module. This makes it easier to identify and respond to security incidents such as data breaches, insider threats, and other cyberattacks that involve file manipulation or modification.

This section shows you how to use the fields decoded from FIM events in custom rules. It explains what the decoded FIM events fields represent in the Wazuh alert fields.

Mapping FIM fields to Wazuh alerts

Fields are information that the Wazuh decoder extracts from events the Wazuh server receives. Each event type has specific fields. The decoder identifies them with a field name. The Wazuh server translates these fields into alert fields and sends them to the Wazuh indexer for storage.

FIM alerts: fields correspondence

The following table establishes a correspondence between the decoded FIM fields and their equivalent field in an alert.

FIM field	Alert field	Field description
file	path	File path in the current event
size	size_after	File size in the current event
hard_links	hard_links	List of hard links of the file
mode	mode	FIM event mode
perm	perm_after,win_perm_after	File permissions
uid	uid_after	User ID of the owner of the file
gid	gid_after	Group ID of the group that shares ownership of the file
uname	uname_after	User name of the owner of the file
gname	gname_after	Group name of the group that shares ownership of the file
md5	md5_after	MD5 hash of the file in the current event after changes
sha1	sha1_after	SHA1 hash of the file in the current event after changes
sha256	sha256_after	SHA256 hash of the file in the current event after changes
mtime	mtime_after	Timestamp of the file changes
inode	inode_after	Inode of the file in the current event
changed_content	diff	Reported changes on the file of the current event
changed_fields	changed_attributes	Changed fields in the file such as permissions, content, and other related attributes
win_attributes	attrs_after	File attributes such as hidden, read-only, and other related attributes
tag	tag	Custom tags to be added to one specific event
user_id	audit.user.id	The actual ID of the user that triggered the event
user_name	audit.user.name	The actual name of the user that triggered the event
group_id	audit.group.id	The actual group ID of the user that triggered the event
group_name	audit.group.name	The actual group name of the user that triggered the event
process_name	audit.process.name	The name of the process run by a user that triggered the event
process_id	audit.process.id	The ID of the process run by a user that triggered the event
ppid	audit.process.ppid	The parent ID of the process that triggered the event
effective_uid	audit.effective.user_id	Effective user ID used by the process triggering the event
effective_name	audit.effective_user.name	Effective user name used by the process triggering the event
parent_name	audit.process.parent_name	The process name of the parent of the process triggering the event
cwd	audit.process.cwd	Current work directory of the process triggering the event
parent_cwd	audit.process.parent_cwd	Current work directory of the parent process
audit_uid	audit.login_user.id	The ID of the user logged in to the system that triggered the event
audit_name	audit.login_user.name	The name of the user logged in to the system that triggered the event
arch	arch	Registry architecture (32 or 64 bits)
value_name	value_name	Registry value name
value_type	value_type	Registry value type
entry_type	entry_type	Registry entry type

Custom FIM rules examples

In the following examples, we demonstrate how you can customize the default FIM rules of Wazuh. You can see how to create custom rules with the decoded FIM fields and what their equivalent Wazuh alert fields are.

Trigger alerts when execute permission is added to a script

If a script contains malicious code, such as commands to delete or modify important files or data, then the execution of that code might result in serious damage or data loss. Therefore, you have to be careful when granting execute permission to shell scripts, and only do so for scripts that are trusted and thoroughly reviewed.

Wazuh already has an out-of-the-box rule that generates an alert when a file permission is modified. However, in this example, you can see how to create a custom FIM rule to further customize this alert.

Use case description

Endpoint	Description
Ubuntu 25.04	The FIM module monitors scripts in a directory on this endpoint to detect permission changes.

Wazuh server

Perform the following steps on the Wazuh server.

Create a file fim_specialdir3.xml in the /var/ossec/etc/rules/ directory for the custom rule:
```
# touch /var/ossec/etc/rules/fim_specialdir3.xml
```

Add the following rule definition to /var/ossec/etc/rules/fim_specialdir3.xml. This rule triggers an alert when execute permission is added to a shell script in a monitored directory:

<group name="syscheck">
  <rule id="100002" level="8">
    <if_sid>550</if_sid>
    <field name="file">.sh$</field>
    <field name="changed_fields">^permission$</field>
    <field name="perm" type="pcre2">\w\wx</field>
    <description>Execute permission added to shell script.</description>
    <mitre>
      <id>T1222.002</id>
    </mitre>
  </rule>
</group>

Restart the Wazuh server to apply the configuration changes:
```
# systemctl restart wazuh-manager
```

Ubuntu endpoint

Perform the following steps to configure the Wazuh FIM module to monitor the /specialdir3 directory.

Create the /specialdir3 directory:
```
# mkdir /specialdir3
```
Edit the Wazuh agent /var/ossec/etc/ossec.conf configuration file and add the directory for monitoring:
```
<syscheck>
   <directories realtime="yes">/specialdir3</directories>
</syscheck>
```
Restart the Wazuh agent to apply the configuration changes:
```
# systemctl restart wazuh-agent
```

Test the configuration

Create a shell script file fim.sh in the monitored directory:
```
# touch /specialdir3/fim.sh
```
Add execute permission to the script:
```
# chmod +x /specialdir3/fim.sh
```

Visualize the alert

Navigate to File Integrity Monitoring on the Wazuh dashboard to view the alert generated when the FIM module detects the addition of the execute permission.

You can see the alert fields that correspond to the decoded FIM fields in the alert data below:

{
  "_index": "wazuh-alerts-4.x-2025.12.12",
  "_id": "IBmxE5sBQJYplt2kQYiE",
  "_score": null,
  "_source": {
    "syscheck": {
      "perm_before": "rw-r--r--",
      "uname_after": "root",
      "mtime_after": "2025-12-12T12:50:38",
      "size_after": "0",
      "gid_after": "0",
      "mode": "realtime",
      "path": "/specialdir3/fim.sh",
      "sha1_after": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "changed_attributes": [
        "permission"
      ],
      "gname_after": "root",
      "uid_after": "0",
      "perm_after": "rwxr-xr-x",
      "event": "modified",
      "md5_after": "d41d8cd98f00b204e9800998ecf8427e",
      "sha256_after": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "inode_after": 3276802
    },
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "192.168.33.130",
      "name": "Ubuntu-25",
      "id": "002"
    },
    "manager": {
      "name": "ubuntu-VMware-Virtual-Platform"
    },
    "rule": {
      "firedtimes": 1,
      "mail": false,
      "level": 8,
      "description": "Execute permission added to shell script.",
      "groups": [
        "syscheck"
      ],
      "mitre": {
        "technique": [
          "Linux and Mac File and Directory Permissions Modification"
        ],
        "id": [
          "T1222.002"
        ],
        "tactic": [
          "Defense Evasion"
        ]
      },
      "id": "100002"
    },
    "location": "syscheck",
    "decoder": {
      "name": "syscheck_integrity_changed"
    },
    "id": "1765561940.516146",
    "full_log": "File '/specialdir3/fim.sh' modified\nMode: realtime\nChanged attributes: permission\nPermissions changed from 'rw-r--r--' to 'rwxr-xr-x'\n",
    "timestamp": "2025-12-12T12:52:20.242-0500"
  },
  "fields": {
    "syscheck.mtime_after": [
      "2025-12-12T12:50:38.000Z"
    ],
    "timestamp": [
      "2025-12-12T17:52:20.242Z"
    ]
  },
  "sort": [
    1765561940242
  ]
}

Trigger file deletion alerts

Deleting a file can result in loss of important data or system files when done accidentally or without authorization. If an attacker gains access to a system and deletes critical files, it can render the system unusable, causing data loss or downtime for the organization.

Wazuh has an out-of-the-box rule that generates an alert when a monitored file is deleted or when a file in a monitored directory is deleted. In this example, we create a custom FIM rule that triggers an alert indicating the user and the application that deleted the file.

Use case description

Endpoint	Description
Windows 11	The FIM module monitors a folder on this endpoint for file deletions.

Wazuh server

Perform the following steps on the Wazuh server.

Create a file fim_win_test.xml in the /var/ossec/etc/rules/ directory:
```
# touch /var/ossec/etc/rules/fim_win_test.xml
```

Add the following rule definition to the /var/ossec/etc/rules/fim_win_test.xml file. This rule triggers alerts when a user deletes files with File Explorer. Replace USER with the username of your Windows endpoint:

<group name="syscheck">
  <rule id="100003" level="8">
    <if_sid>553</if_sid>
    <field name="process_name">explorer.exe$</field>
    <field name="user_name">USER$</field>
    <description>The user "$(user_name)" deleted a monitored file with  File Explorer</description>
    <mitre>
      <id>T1070.004</id>
      <id>T1485</id>
    </mitre>
  </rule>
</group>

Restart the Wazuh server to apply the configuration changes:
```
# systemctl restart wazuh-manager
```

Windows endpoint

Perform the following steps to configure the Wazuh FIM module to monitor file deletion in the C:\test directory.

Run the command below using PowerShell as an administrator to create the C:\test directory on the endpoint:
```
mkdir C:\test
```
Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf configuration file of the Wazuh agent. Add the C:\test directory for monitoring:
```
<syscheck>
   <directories whodata="yes">C:\test</directories>
</syscheck>
```
Restart the Wazuh agent using Powershell with administrator privilege to apply the changes:
```
Restart-Service -Name wazuh
```

Test the configuration

Create a text file with Notepad and save the file in the C:\test directory as hello.txt.
Delete the hello.txt file with Windows File Explorer.

Visualize the alert

Navigate to File Integrity Monitoring on the Wazuh dashboard to view the alert generated when the FIM module detects the deletion of files in the monitored directory.

You can see the alert fields that correspond to the decoded FIM fields in the alert data below:

{
  "_index": "wazuh-alerts-4.x-2025.12.12",
  "_id": "KBnpE5sBQJYplt2k_opT",
  "_score": null,
  "_source": {
    "syscheck": {
      "uname_after": "Administrators",
      "mtime_after": "2025-12-12T13:48:53",
      "size_after": "6",
      "win_perm_after": [
        {
          "allowed": [
            "DELETE",
            "READ_CONTROL",
            "WRITE_DAC",
            "WRITE_OWNER",
            "SYNCHRONIZE",
            "READ_DATA",
            "WRITE_DATA",
            "APPEND_DATA",
            "READ_EA",
            "WRITE_EA",
            "EXECUTE",
            "READ_ATTRIBUTES",
            "WRITE_ATTRIBUTES",
            [
              "DELETE",
              "READ_CONTROL",
              "WRITE_DAC",
              "WRITE_OWNER",
              "SYNCHRONIZE",
              "READ_DATA",
              "WRITE_DATA",
              "APPEND_DATA",
              "READ_EA",
              "WRITE_EA",
              "EXECUTE",
              "READ_ATTRIBUTES",
              "WRITE_ATTRIBUTES"
            ],
            [
              "READ_CONTROL",
              "SYNCHRONIZE",
              "READ_DATA",
              "READ_EA",
              "EXECUTE",
              "READ_ATTRIBUTES"
            ],
            [
              "DELETE",
              "READ_CONTROL",
              "SYNCHRONIZE",
              "READ_DATA",
              "WRITE_DATA",
              "APPEND_DATA",
              "READ_EA",
              "WRITE_EA",
              "EXECUTE",
              "READ_ATTRIBUTES",
              "WRITE_ATTRIBUTES"
            ]
          ],
          "name": "Administrators"
        },
        {
          "allowed": [
            "DELETE",
            "READ_CONTROL",
            "WRITE_DAC",
            "WRITE_OWNER",
            "SYNCHRONIZE",
            "READ_DATA",
            "WRITE_DATA",
            "APPEND_DATA",
            "READ_EA",
            "WRITE_EA",
            "EXECUTE",
            "READ_ATTRIBUTES",
            "WRITE_ATTRIBUTES"
          ],
          "name": "SYSTEM"
        },
        {
          "allowed": [
            "READ_CONTROL",
            "SYNCHRONIZE",
            "READ_DATA",
            "READ_EA",
            "EXECUTE",
            "READ_ATTRIBUTES"
          ],
          "name": "Users"
        },
        {
          "allowed": [
            "DELETE",
            "READ_CONTROL",
            "SYNCHRONIZE",
            "READ_DATA",
            "WRITE_DATA",
            "APPEND_DATA",
            "READ_EA",
            "WRITE_EA",
            "EXECUTE",
            "READ_ATTRIBUTES",
            "WRITE_ATTRIBUTES"
          ],
          "name": "Authenticated Users"
        }
      ],
      "mode": "whodata",
      "path": "c:\\test\\hello.txt",
      "sha1_after": "516b7646ac0c595834cab65f1eae193f7cb61471",
      "audit": {
        "process": {
          "name": "C:\\Windows\\explorer.exe",
          "id": "1552"
        },
        "user": {
          "name": "admin",
          "id": "S-1-5-21-538477009-3096509201-3485284644-1001"
        }
      },
      "attrs_after": [
        "ARCHIVE"
      ],
      "uid_after": "S-1-5-32-544",
      "event": "deleted",
      "md5_after": "aae6ed4b61e41f088e8200ccc2fd4b8a",
      "sha256_after": "4923cd0e3c5bfd391c07e9bd1692114d43ca0aed3134b98642697977ca731116"
    },
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "192.168.33.129",
      "name": "Windows-11",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu-VMware-Virtual-Platform"
    },
    "rule": {
      "firedtimes": 1,
      "mail": false,
      "level": 8,
      "description": "The user \"admin\" deleted a monitored file with  File Explorer",
      "groups": [
        "syscheck"
      ],
      "mitre": {
        "technique": [
          "File Deletion",
          "Data Destruction"
        ],
        "id": [
          "T1070.004",
          "T1485"
        ],
        "tactic": [
          "Defense Evasion",
          "Impact"
        ]
      },
      "id": "100003"
    },
    "location": "syscheck",
    "decoder": {
      "name": "syscheck_deleted"
    },
    "id": "1765565655.916065",
    "full_log": "File 'c:\\test\\hello.txt' deleted\nMode: whodata\n",
    "timestamp": "2025-12-12T13:54:15.234-0500"
  },
  "fields": {
    "syscheck.mtime_after": [
      "2025-12-12T13:48:53.000Z"
    ],
    "timestamp": [
      "2025-12-12T18:54:15.234Z"
    ]
  },
  "sort": [
    1765565655234
  ]
}

Change alert severity for sensitive files

With a custom rule, you can alter the level of an FIM alert when detecting changes to a specific file or file pattern. In the following example, the custom rule raises the FIM alert level to 12 when a user or process modifies a critical file.

Use case description

Endpoint	Description
macOS Monterey	The FIM module monitors a file on this endpoint and raises the alert severity when it’s modified.

Wazuh server

Perform the following steps on the Wazuh server.

Create a file fim_alert.xml in the /var/ossec/etc/rules/ directory on the Wazuh server:
```
# touch /var/ossec/etc/rules/fim_alert.xml
```

Add the following rule definition to the /var/ossec/etc/rules/fim_alert.xml file. This rule raises the FIM alert level to 12 when a user or process modifies a critical file:

<group name="syscheck">
  <rule id="100005" level="12">
    <if_sid>550</if_sid>
    <field name="file">customer_details.rtf</field>
    <description>Customer details file modified!</description>
  </rule>
</group>

Restart the Wazuh server to apply the configuration changes:
```
# systemctl restart wazuh-manager
```

macOS endpoint

Use TextEdit to create a file customer_details.rtf. Then, save it in the Documents directory.

Edit the Wazuh agent /Library/Ossec/etc/ossec.conf configuration file and add the customer_details.rtf file for monitoring:

<syscheck>
  <frequency>300</frequency>
  <directories>/Users/*/Documents/customer_details.rtf</directories>
</syscheck>

Restart the Wazuh agent to apply the configuration changes:
```
/Library/Ossec/bin/wazuh-control restart
```

Test the configuration

Add text to the customer_details.rtf file with TextEdit. Wait for 5 minutes. This is the time configured for the FIM scan.

Visualize the alert

Navigate to File Integrity Monitoring on the Wazuh dashboard to view the alert. In this example, you can see an alert with a severity of 12 on the Wazuh dashboard when the FIM module detects changes in the monitored file.

Advanced settings

In this section, we describe different advanced settings that can provide greater control and flexibility over how the FIM module works.

Who-data monitoring

The who-data functionality allows the FIM module to obtain information about who made modifications to a monitored file. This information contains the user who made the changes to the monitored files and the program name or process used.

Who-data monitoring on Linux

Wazuh supports two modes for who-data monitoring on Linux endpoints:

The eBPF mode

Extended Berkeley Packet Filter (eBPF) enables developers to build programs that run securely in the Linux operating system kernel space. Who-data monitoring in eBPF mode directly extracts FIM events from programs that use eBPF. This approach eliminates the need for external dependencies like auditd, allowing faster extraction of the generated events.

The FIM events extracted from eBPF programs for who-data monitoring include:

vfs_open: When a new file has been created on the endpoint.
security_inode_setattr: When a file has been modified on the endpoint.
vfs_unlink: When a file has been removed from the endpoint.

Wazuh uses a kernel data structure called ring_buffer to transfer these events from the kernel to the user space, where the FIM module analyzes them.

Note

Who-data monitoring with eBPF requires kernel version 5.8 or higher, as the data structure is only present in kernels starting with this version.

Configuration

Configuring who-data in eBPF mode requires a provider option within the <whodata> tag. The <provider> tag accepts two values, ebpf and audit. The eBPF mode (default) and audit mode should not be used together. If both are configured, only the last configured provider takes effect to monitor every who-data configured directory.

Note

If the <provider> tag is not configured, the FIM module defaults to the ebpf mode. Additionally, if ebpf mode is not supported due to kernel version incompatibility, you must configure audit mode.

A configuration block of who-data in eBPF mode to monitor the /home/user/documents directory is shown below:

<syscheck>
  <directories whodata="yes">/home/user/documents</directories>

  <whodata>
    <provider>ebpf</provider>
  </whodata>
</syscheck>

Given the high speed at which eBPF detects events, it's important to fine-tune the queue_size of the whodata option. This adjustment gives it enough size to handle a big burst of events that may be generated by the kernel, such as during a massive deletion event. An increase in the value of the queue_size prevents events from being lost when a large number of events are collected from monitored endpoints. Note that increasing the value of the queue_size increases the memory consumption of the Wazuh agent on the monitored endpoint.

The configuration below enables who-data in eBPF mode to handle up to 50000 events:

<whodata>
  <provider>ebpf</provider>
  <queue_size>50000</queue_size>
</whodata>

You can learn more about the available configuration options in the whodata reference section.

Alert fields

Who-data monitoring alerts generated using the eBPF mode preserve the same structure as the audit mode alert fields.

Example: Monitoring changes in configuration files

Monitoring configuration files such as the ../sshd_config file on Linux endpoints can help detect unauthorized changes. This approach ensures the integrity of configuration files is not tampered with and provides early detection of suspicious behavior.

Perform the steps below to monitor changes made to the /etc/ssh/sshd_config configuration file on an Ubuntu endpoint using who-data in eBPF mode.

Configuration

Append the configuration below to the /var/ossec/etc/ossec.conf configuration file on the Ubuntu endpoint:

<ossec_config>
  <syscheck>
    <directories whodata="yes">/etc/ssh/sshd_config</directories>

    <whodata>
      <provider>ebpf</provider>
      <queue_size>50000</queue_size>
    </whodata>
  </syscheck>
</ossec_config>

Restart the Wazuh agent to apply the configuration changes:
```
# systemctl restart wazuh-agent
```

Test the configuration

While logged in as the root user, append a new line of text to the /etc/ssh/sshd_config file on the Ubuntu endpoint:

# echo "eBPF test" >> /etc/ssh/sshd_config

Visualize the alert

Navigate to Endpoint security > File Integrity Monitoring > Events on the Wazuh dashboard to view the alert generated when the FIM module detects changes in the monitored file.

Expand the alert to view more information. In the alert fields below, you can see that the user root added a config to the /etc/ssh/sshd_config file using the bash terminal program.

Alert output in JSON format.

{
  "_index": "wazuh-alerts-4.x-2025.04.08",
  "_id": "SR0rFZYBmHj4HFa46tcz",
  "_score": null,
  "_source": {
    "syscheck": {
      "size_before": "3365",
      "uname_after": "root",
      "mtime_after": "2025-04-08T11:31:57",
      "size_after": "3390",
      "gid_after": "0",
      "md5_before": "a66f733db81bc7c0822430a6c432d05c",
      "sha256_before": "3be5039e47d50f99d69b99ce2dfc1bf3476670cf583760930bca2286bdd82621",
      "mtime_before": "2025-04-08T10:34:05",
      "mode": "whodata",
      "path": "/etc/ssh/sshd_config",
      "sha1_after": "29bf442cd835f3020963b2ad7b08f590e149f6e7",
      "changed_attributes": [
        "size",
        "mtime",
        "md5",
        "sha1",
        "sha256"
      ],
      "gname_after": "root",
      "audit": {
        "process": {
          "parent_name": "sudo",
          "cwd": "/root",
          "parent_cwd": "/home/smith",
          "name": "bash",
          "id": "66474",
          "ppid": "66473"
        },
        "user": {
          "name": "root",
          "id": "0"
        },
        "group": {
          "name": "root",
          "id": "0"
        }
      },
      "uid_after": "0",
      "perm_after": "rw-r--r--",
      "event": "modified",
      "md5_after": "20d9f341b3440b35929c341242553b60",
      "sha1_before": "ec5f46ee42c9749237a4d321725e9e6ffae90cf9",
      "sha256_after": "ee89357aa17bd90d7201897a508a83df913f6d330e2eb0d8629d7c954b59c330",
      "inode_after": 1704987
    },
    "input": {
      "type": "log"
    },
    "agent": {
      "name": "Ubuntu-22",
      "id": "000"
    },
    "manager": {
      "name": "Ubuntu-22"
    },
    "rule": {
      "mail": false,
      "level": 7,
      "pci_dss": [
        "11.5"
      ],
      "hipaa": [
        "164.312.c.1",
        "164.312.c.2"
      ],
      "tsc": [
        "PI1.4",
        "PI1.5",
        "CC6.1",
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "Integrity checksum changed.",
      "groups": [
        "ossec",
        "syscheck",
        "syscheck_entry_modified",
        "syscheck_file"
      ],
      "nist_800_53": [
        "SI.7"
      ],
      "gdpr": [
        "II_5.1.f"
      ],
      "firedtimes": 1,
      "mitre": {
        "technique": [
          "Stored Data Manipulation"
        ],
        "id": [
          "T1565.001"
        ],
        "tactic": [
          "Impact"
        ]
      },
      "id": "550",
      "gpg13": [
        "4.11"
      ]
    },
    "location": "syscheck",
    "decoder": {
      "name": "syscheck_integrity_changed"
    },
    "id": "1744111917.26911",
    "full_log": "File '/etc/ssh/sshd_config' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '3365' to '3390'\nOld modification time was: '1744108445', now it is '1744111917'\nOld md5sum was: 'a66f733db81bc7c0822430a6c432d05c'\nNew md5sum is : '20d9f341b3440b35929c341242553b60'\nOld sha1sum was: 'ec5f46ee42c9749237a4d321725e9e6ffae90cf9'\nNew sha1sum is : '29bf442cd835f3020963b2ad7b08f590e149f6e7'\nOld sha256sum was: '3be5039e47d50f99d69b99ce2dfc1bf3476670cf583760930bca2286bdd82621'\nNew sha256sum is : 'ee89357aa17bd90d7201897a508a83df913f6d330e2eb0d8629d7c954b59c330'\n",
    "timestamp": "2025-04-08T11:31:57.620+0000"
  },
  "fields": {
    "syscheck.mtime_after": [
      "2025-04-08T11:31:57.000Z"
    ],
    "syscheck.mtime_before": [
      "2025-04-08T10:34:05.000Z"
    ],
    "timestamp": [
      "2025-04-08T11:31:57.620Z"
    ]
  },
  "sort": [
    1744111917620
  ]
}

The audit mode

Who-data monitoring in audit mode uses the Linux Audit subsystem to get information about who makes changes in a monitored directory. These changes produce audit events, which are processed by the FIM module and reported to the Wazuh server. The audit mode is an extension of the real-time monitoring with the who-data information added.

Requirements

You need to install the audit daemon if you don’t have it already installed on your endpoint.

# yum install audit

For Audit 3.1.1 and later, install the audispd af_unix plugin and restart the Audit service.

# yum install audispd-plugins
# service auditd restart

# apt-get install auditd

For Audit 3.1.1 and later, install the audispd af_unix plugin and restart the Audit service.

# apt-get install audispd-plugins
# service auditd restart

In most systems, auditd includes a rule to skip processing of every audit rule by default. This setting prevents the reporting of any who-data information. To ensure that auditd is not DISABLED BY DEFAULT, follow these steps.

Check the output of this command to find out if the auditd rules include the -a never,task rule.
```
# auditctl -l | grep task
```
If the output displays the -a never,task rule, remove it from the audit rules file located at /etc/audit/rules.d/audit.rules audit rules file.

Restart auditd and Wazuh agent to apply the changes:

# service auditd restart
# systemctl restart wazuh-agent

Configuration

Perform the following steps to enable who-data monitoring using the audit mode. In this example, we configure who-data monitoring for the /etc directory.

Add the configuration below within the <ossec_config> block of the Wazuh agent /var/ossec/etc/ossec.conf configuration file:
```
<syscheck>
  <directories check_all="yes" whodata="yes">/etc</directories>

  <whodata>
    <provider>audit</provider>
  </whodata>
</syscheck>
```
Note

If the <provider> tag is not configured, the FIM module defaults to using the ebpf mode.
Restart the Wazuh agent to apply the changes. This action adds an audit rule for the monitored directory:
```
# systemctl restart wazuh-agent
```
Execute the following command to check if the audit rule for monitoring the selected directory is applied:
```
# auditctl -l | grep wazuh_fim
```
```
auditctl -w /etc -p wa -k wazuh_fim
```
From the output above, you can see the rule was added:

Note

When the Wazuh agent service stops, it removes the rule. You can use the same command to check that it removed the rule successfully.

Alert fields

The following table establishes a correspondence between audit fields and their equivalent fields in an alert when who-data is enabled.

Audit field

Alert field

Fields description

User

audit.user.id

audit.user.name

Contains information about who started the process that modified the monitored file.

Login user

audit.login_user.id

audit.login_user.name

Contains information about the user who started the session. They correspond respectively to the login UID and login name. Upon login, this ID is assigned to a user and is inherited by every process, even when the user's identity changes.

Effective user

audit.effective_user.id

audit.effective_user.name

Contains the effective ID and name of the user who started the process that modified the monitored file. When a user executes a command using sudo, the effective user ID changes to 0, and the effective username becomes root.

Group

audit.group.id

audit.group.name

Contains the group ID and group name of the user who started the process that modified the monitored file.

Process ID

audit.process.id

Contains the ID of the process used to modify the monitored file.

Process name

audit.process.name

Contains the name of the process used to modify the monitored file.

Process ppid

audit.process.ppid

Contains the parent process ID of the process used to modify the monitored file.

Example: Monitor changes in the `/etc/hosts.allow` file on Linux

Perform the following steps to configure the FIM module to get the information about who makes changes to /etc/hosts.allow file.

Configuration

Append the configuration below to the /var/ossec/etc/ossec.conf file to monitor the /etc/hosts.allow file for changes:

<ossec_config>
  <syscheck>
    <directories check_all="yes" whodata="yes" report_changes="yes">/etc/hosts.allow</directories>

    <whodata>
      <provider>audit</provider>
    </whodata>
  </syscheck>
</ossec_config>

Restart the Wazuh agent to apply the configuration changes:
```
# systemctl restart wazuh-agent
```

Test the configuration

Create the user smith on a Linux endpoint:
```
# adduser smith
```
Log out of the Linux endpoint and log in as smith.
Open the nano editor and add a new IP address, such as 192.168.32.5 in the /etc/hosts.allow file on the Linux endpoint.
```
# nano /etc/hosts.allow
```

Visualize the alert

Navigate to Endpoint security > File Integrity Monitoring > Events on the Wazuh dashboard to view the alert generated when the FIM module detects changes in the monitored file.

Expand the alert to view more information. In the alert fields below, you can see the user smith added a new IP address to the /etc/hosts.allow file using the nano text editor with root privileges.

Alert in JSON format:

{
  "_index": "wazuh-alerts-4.x-2025.12.15",
  "_id": "-ynvIpsBhUkrkhLo429p",
  "_score": null,
  "_source": {
    "syscheck": {
      "size_before": "1",
      "uname_after": "root",
      "mtime_after": "2025-12-15T11:54:54",
      "size_after": "13",
      "gid_after": "0",
      "md5_before": "68b329da9893e34099c7d8ad5cb9c940",
      "diff": "1c1\n< \n---\n> 192.168.32.5\n",
      "sha256_before": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
      "mtime_before": "2025-12-15T11:53:17",
      "mode": "whodata",
      "path": "/etc/hosts.allow",
      "sha1_after": "3c832d37ef2fa9f85931b072054464123f6125a2",
      "changed_attributes": [
        "size",
        "mtime",
        "md5",
        "sha1",
        "sha256"
      ],
      "gname_after": "root",
      "audit": {
        "process": {
          "parent_name": "/usr/bin/bash",
          "cwd": "/home/smith",
          "parent_cwd": "/home/smith",
          "name": "/usr/bin/nano",
          "id": "20337",
          "ppid": "20274"
        },
        "login_user": {
          "name": "smith",
          "id": "1001"
        },
        "effective_user": {
          "name": "root",
          "id": "0"
        },
        "user": {
          "name": "root",
          "id": "0"
        },
        "group": {
          "name": "root",
          "id": "0"
        }
      },
      "uid_after": "0",
      "perm_after": "rw-r--r--",
      "event": "modified",
      "md5_after": "3016df224717bfd1f51a8edaf6aa89ae",
      "sha1_before": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc",
      "sha256_after": "cf34fb40d08b630d166bf03fdfe4b82bfc6f593e19ef7bd713186be84d5e4874",
      "inode_after": 34715907
    },
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "192.168.33.134",
      "name": "CentOS_Stream_10",
      "id": "005"
    },
    "manager": {
      "name": "ubuntu-VMware-Virtual-Platform"
    },
    "rule": {
      "mail": false,
      "level": 7,
      "pci_dss": [
        "11.5"
      ],
      "hipaa": [
        "164.312.c.1",
        "164.312.c.2"
      ],
      "tsc": [
        "PI1.4",
        "PI1.5",
        "CC6.1",
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "Integrity checksum changed.",
      "groups": [
        "ossec",
        "syscheck",
        "syscheck_entry_modified",
        "syscheck_file"
      ],
      "nist_800_53": [
        "SI.7"
      ],
      "gdpr": [
        "II_5.1.f"
      ],
      "firedtimes": 3,
      "mitre": {
        "technique": [
          "Stored Data Manipulation"
        ],
        "id": [
          "T1565.001"
        ],
        "tactic": [
          "Impact"
        ]
      },
      "id": "550",
      "gpg13": [
        "4.11"
      ]
    },
    "location": "syscheck",
    "decoder": {
      "name": "syscheck_integrity_changed"
    },
    "id": "1765817694.1028827",
    "full_log": "File '/etc/hosts.allow' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '1' to '13'\nOld modification time was: '1765817597', now it is '1765817694'\nOld md5sum was: '68b329da9893e34099c7d8ad5cb9c940'\nNew md5sum is : '3016df224717bfd1f51a8edaf6aa89ae'\nOld sha1sum was: 'adc83b19e793491b1c6ea0fd8b46cd9f32e592fc'\nNew sha1sum is : '3c832d37ef2fa9f85931b072054464123f6125a2'\nOld sha256sum was: '01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b'\nNew sha256sum is : 'cf34fb40d08b630d166bf03fdfe4b82bfc6f593e19ef7bd713186be84d5e4874'\n",
    "timestamp": "2025-12-15T11:54:54.192-0500"
  },
  "fields": {
    "syscheck.mtime_after": [
      "2025-12-15T11:54:54.000Z"
    ],
    "syscheck.mtime_before": [
      "2025-12-15T11:53:17.000Z"
    ],
    "timestamp": [
      "2025-12-15T16:54:54.192Z"
    ]
  },
  "sort": [
    1765817694192
  ]
}

Who-data monitoring on Windows

How it works

The who-data monitoring functionality uses the Microsoft Windows auditing subsystem. It gets the related information about who makes modifications in a monitored directory. These changes produce audit events. The FIM module processes these events and reports them to the Wazuh server. This feature is only compatible with Windows 7 and later.

Configuration

To enable the who-data feature, you must declare the tag whodata="yes" within the directories block in the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file. You need to properly configure the Local Audit Policies and the System Access Control List (SACLs) of each monitored directory. Wazuh automatically performs these configurations for the directory to monitor.

...
<syscheck>
  ...
  <directories check_all="yes" whodata="yes">C:\test</directories>
  ...
</syscheck>
...

The FIM module configures the required Local Audit Policies and SACLs when launched. However, other services might change this configuration which would prevent who-data from receiving the monitored events. To overcome this, FIM detects this configuration change and switches all the directories monitoring with who-data to real-time mode. The two available mechanisms to detect these configuration changes are:

Wazuh monitors specific events (ID 4719) that Windows generates when one of the Audit Policies is modified (Success removed).
Periodically, Wazuh checks that the Audit Policies and the SACLs are configured as expected. You can modify the frequency of this verification with windows_audit_interval.

If your Windows system didn’t automatically configure the audit policies, see the Manual configuration of the Windows Audit Policies guide.

The following table establishes a correspondence between audit fields and their equivalent fields in an alert when who-data is enabled:

Audit field

Alert field

Fields description

User

audit.user.id audit.user.name

Contain the ID and name of the user who started the process that modified the monitored file.

Process id

audit.process.id

Contain the ID of the process used to modify the monitored file.

Process name

audit.process.name

Contain the name of the process used to modify the monitored file.

Example: Monitor changes in a text file on Windows

Perform the following steps to configure the FIM module. This configuration gets the information about the user and the process that modified the monitored file.

Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf configuration file and add the Documents directory for FIM monitoring. The configuration ensures that the FIM module records who-data information and also reports the exact changes made to text files:
```
<syscheck>
  <directories check_all="yes" whodata="yes" report_changes="yes">C:\Users\*\Documents</directories>
</syscheck>
```
Restart the Wazuh agent using PowerShell with administrator privileges to apply the changes:
```
Restart-Service -Name wazuh
```

Test the configuration

Create a text file audit_docu.txt in the Documents folder using Notepad.
Add the text “Hello” and save the changes.

Visualize the alert

Navigate to File Integrity Monitoring on the Wazuh dashboard and find the alert generated when the FIM module detects changes in the monitored directory.

Expand the alert with rule.id:550 to view all the information. In the alert fields below, you can see the user admin added the word “Hello” to the audit_docu.txt file using the Notepad text editor.

Alert in JSON:

{
  "_index": "wazuh-alerts-4.x-2023.04.18",
  "_id": "ZcS6lIcB57JzuUZxyH13",
  "_version": 1,
  "_score": null,
  "_source": {
    "syscheck": {
      "size_before": "0",
      "uname_after": "wazuh",
      "mtime_after": "2023-04-18T17:17:58",
      "size_after": "5",
      "md5_before": "d41d8cd98f00b204e9800998ecf8427e",
      "diff": "---\n> Hello\n",
      "win_perm_after": [
        {
          "allowed": [
            "DELETE",
            "READ_CONTROL",
            "WRITE_DAC",
            "WRITE_OWNER",
            "SYNCHRONIZE",
            "READ_DATA",
            "WRITE_DATA",
            "APPEND_DATA",
            "READ_EA",
            "WRITE_EA",
            "EXECUTE",
            "READ_ATTRIBUTES",
            "WRITE_ATTRIBUTES"
          ],
          "name": "SYSTEM"
        },
        {
          "allowed": [
            "DELETE",
            "READ_CONTROL",
            "WRITE_DAC",
            "WRITE_OWNER",
            "SYNCHRONIZE",
            "READ_DATA",
            "WRITE_DATA",
            "APPEND_DATA",
            "READ_EA",
            "WRITE_EA",
            "EXECUTE",
            "READ_ATTRIBUTES",
            "WRITE_ATTRIBUTES"
          ],
          "name": "Administrators"
        },
        {
          "allowed": [
            "DELETE",
            "READ_CONTROL",
            "WRITE_DAC",
            "WRITE_OWNER",
            "SYNCHRONIZE",
            "READ_DATA",
            "WRITE_DATA",
            "APPEND_DATA",
            "READ_EA",
            "WRITE_EA",
            "EXECUTE",
            "READ_ATTRIBUTES",
            "WRITE_ATTRIBUTES"
          ],
          "name": "wazuh"
        }
      ],
      "sha256_before": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "mtime_before": "2023-04-18T17:17:54",
      "mode": "whodata",
      "path": "c:\\users\\wazuh\\documents\\audit_docu.txt",
      "sha1_after": "f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0",
      "changed_attributes": [
        "size",
        "mtime",
        "md5",
        "sha1",
        "sha256"
      ],
      "audit": {
        "process": {
          "name": "C:\\Windows\\System32\\notepad.exe",
          "id": "5672"
        },
        "user": {
          "name": "wazuh",
          "id": "S-1-5-21-1189703717-396825564-3703043190-1000"
        }
      },
      "attrs_after": [
        "ARCHIVE"
      ],
      "uid_after": "S-1-5-21-1189703717-396825564-3703043190-1000",
      "event": "modified",
      "md5_after": "8b1a9953c4611296a827abf8c47804d7",
      "sha1_before": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "sha256_after": "185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969"
    },
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "192.168.33.132",
      "name": "Windows10",
      "id": "021"
    },
    "manager": {
      "name": "wazuh"
    },
    "rule": {
      "mail": false,
      "level": 7,
      "pci_dss": [
        "11.5"
      ],
      "hipaa": [
        "164.312.c.1",
        "164.312.c.2"
      ],
      "tsc": [
        "PI1.4",
        "PI1.5",
        "CC6.1",
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "Integrity checksum changed.",
      "groups": [
        "ossec",
        "syscheck",
        "syscheck_entry_modified",
        "syscheck_file"
      ],
      "nist_800_53": [
        "SI.7"
      ],
      "gdpr": [
        "II_5.1.f"
      ],
      "firedtimes": 2,
      "mitre": {
        "technique": [
          "Stored Data Manipulation"
        ],
        "id": [
          "T1565.001"
        ],
        "tactic": [
          "Impact"
        ]
      },
      "id": "550",
      "gpg13": [
        "4.11"
      ]
    },
    "location": "syscheck",
    "decoder": {
      "name": "syscheck_integrity_changed"
    },
    "id": "1681827479.1689265",
    "full_log": "File 'c:\\users\\wazuh\\documents\\audit_docu.txt' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '5'\nOld modification time was: '1681827474', now it is '1681827478'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : '8b1a9953c4611296a827abf8c47804d7'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : 'f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : '185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969'\n",
    "timestamp": "2023-04-18T17:17:59.498+0300"
  },
  "fields": {
    "syscheck.mtime_after": [
      "2023-04-18T17:17:58.000Z"
    ],
    "syscheck.mtime_before": [
      "2023-04-18T17:17:54.000Z"
    ],
    "timestamp": [
      "2023-04-18T14:17:59.498Z"
    ]
  },
}

Manual configuration of the Windows Audit Policies

When monitoring a file or directory with the whodata option, Wazuh configures the Local Audit Policies and the System Access Control List (SACL) automatically. If it does not, you must configure the audit policies and the SACL manually.

Local Audit Policies in Windows

To manually configure the audit policies needed to run FIM in who-data mode, you need to activate the logging of successful events.

On the Run dialog box (win + R), open the Local Group Policy Editor using the following command:

gpedit.msc

Configure the Audit Events field to Success for the following policies:

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit File System
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit Handle Manipulation

Advanced Audit Policy Configuration section

If your system doesn't allow configuring subcategories through Advanced Audit Policy Configuration, configure the Security Setting field to Success for the following policy:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit object access

System Access Control List (SACL) in Windows

A system access control list (SACL) enables administrators to log attempts to access a secured object. You can check and modify SACLs of each monitored directory through Properties, selecting the Security tab, and clicking on Advanced:

It's necessary to have a Success entry in the Auditing tab:

If there is no Success entry, click on Add, to create it with these advanced permissions:

Tuning audit to deal with a flood of who-data events

On the Wazuh side, the syscheck.rt_delay variable in the internal FIM configuration helps to prevent the loss of events by setting a delay between alerts. You can configure this variable in the /var/ossec/etc/internal_options.conf file on the Wazuh server. The allowed value for this variable is a numerical value. You must set the delay in milliseconds. To process who-data events faster, decrease this numerical value.

Windows installation directory monitoring

In 64-bit architecture systems, you can locate 32-bit and 64-bit DLLs in a special way.

System32 is reserved for 64-bit DLLs.
SysWOW64 is reserved for all 32-bit DLLs.

Furthermore, 32-bit processes running in 64-bit environments access System32 through a virtual folder called Sysnative.

We disabled this redirection and you can access System32 directly. Monitoring %WINDIR%/System32 and %WINDIR%/Sysnative directories is equivalent and Wazuh shows the path %WINDIR%/System32 in the alerts. SysWOW64 is a different directory. To monitor %WINDIR%/SysWOW64, you must add it to the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file.

You can monitor the Windows special directories %WINDIR%/System32 and %WINDIR%/SysWOW64 directories by configuring them with any of the FIM modes. For example:

Scheduled scan

<syscheck>
  <directories>%WINDIR%/System32</directories>
  <directories>%WINDIR%/SysWOW64</directories>
</syscheck>

Real-time

<syscheck>
  <directories realtime="yes">%WINDIR%/System32</directories>
  <directories realtime="yes">%WINDIR%/SysWOW64</directories>
</syscheck>

Who-data

<syscheck>
  <directories whodata="yes">%WINDIR%/System32</directories>
  <directories whodata="yes">%WINDIR%/SysWOW64</directories>
</syscheck>

Note

Starting with Wazuh 4.13.0, the FIM module on Windows does not support monitoring network locations. This includes:

UNC paths (e.g., \\server\share\folder)
Mapped drives (e.g., Z:\folder)

If these types of paths are included in your <directories> configuration, they will be ignored and no FIM events will be generated for them. This applies to all FIM modes: scheduled, real-time, and whodata.

Recursion level

You can configure the maximum recursion level allowed for a specific directory by using the recursion_level attribute of the directories option. The recursion_level value must be an integer between 0 and 320.

In the configuration example below, you can see how to set the recursion_level of the folder_test directory to 3. Replace <FILEPATH_OF_MONITORED_DIRECTORY> with your own file paths.

Add the following settings to the Wazuh agent configuration file:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
<syscheck>
   <directories check_all="yes" recursion_level="3"><FILEPATH_OF_MONITORED_DIRECTORY></directories>
</syscheck>
```
Restart the Wazuh agent with administrator privilege to apply any configuration change:
- Linux: systemctl restart wazuh-agent
- Windows: Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control restart

If you have the following directory structure and the above setting with recursion_level="3", FIM then generates alerts for file_3.txt and all files up to <FILEPATH_OF_MONITORED_DIRECTORY>/level_1/level_2/level_3/ but not for any files in the directory deeper than level_3.

<FILEPATH_OF_MONITORED_DIRECTORY>
├── file_0.txt
└── level_1
    ├── file_1.txt
    └── level_2
        ├── file_2.txt
        └── level_3
            ├── file_3.txt
            └── level_4
                ├── file_4.txt
                └── level_5
                    └── file_5.txt

To disable the recursion and generate the alerts only for the files in the monitored folder, you need to set the recursion_level value to 0.

If you don’t specify recursion_level, it’s set to 256. This is the default value defined by syscheck.default_max_depth in the internal options configuration file.

Process priority

To adjust the CPU usage of the FIM module on the monitored endpoint, use the process_priority option in the agent configuration. You can configure process priority on Windows, Linux, and macOS operating systems.

The process priority scale for the Wazuh FIM module ranges from -20 to 19 for each agent. The default process_priority value is set to 10. Setting the process_priority value in an agent higher than the default, gives its FIM module lower priority, fewer CPU resources, and makes it run slower.

You need to edit the Wazuh agent /var/ossec/etc/ossec.conf configuration file to configure the process priority of the Wazuh FIM module.

In the configuration example below the FIM module of the agent gets the minimum process priority:

Add the following settings to the Wazuh agent configuration file:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
<syscheck>
   <process_priority>19</process_priority>
</syscheck>
```
Restart the Wazuh agent with administrator privilege to apply any configuration change:
- Linux: systemctl restart wazuh-agent
- Windows: Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control restart

Setting the process_priority value lower than the default gives the FIM module higher priority, more CPU resources, and makes it run faster. In the configuration example below the FIM module has the maximum process priority.

Add the following settings to the Wazuh agent configuration file:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
<syscheck>
   <process_priority>-20</process_priority>
</syscheck>
```
Restart the Wazuh agent with administrator privilege to apply any configuration change:
- Linux: systemctl restart wazuh-agent
- Windows: Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control restart

Synchronization

The FIM module keeps the Wazuh agent and the Wazuh server databases synchronized with each other through synchronization messages. It always updates the file inventory in the Wazuh server with the data available to the Wazuh agent.

Whenever the Wazuh agent service restarts, the module rebuilds the FIM database of the agent, runs a full scan, and synchronizes the result updating the file inventory in the Wazuh server. The module synchronizes directories monitored with the realtime or whodata options immediately, while others require a full scan before synchronization takes place. The module doesn’t report to the Wazuh server changes in the monitored files performed while the service was not running. If you restart the agent after the last scheduled scan, it also discards any event before the restart.

FIM includes an automatic recovery mechanism to detect and resolve synchronization inconsistencies between agent and manager databases. When the integrity_interval elapses after a successful synchronization, the agent validates integrity by calculating checksums of its FIM database and comparing them with the manager's. If mismatches are found, a full recovery synchronization is automatically triggered to restore data consistency.

You can see below the default synchronization setting on the /var/ossec/etc/ossec.conf configuration file:

<syscheck>
  <synchronization>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <response_timeout>60</response_timeout>
    <max_eps>10</max_eps>
    <integrity_interval>86400</integrity_interval>
  </synchronization>
</syscheck>

The table below explains the supported attributes of the synchronization option:

Attribute	Default value	Allowed values	Description
enabled	yes	yes, no	Enables FIM database synchronizations.
interval	5m	Any number greater than or equal to 0. Allowed suffixes (s, m, h, d)	Sets the starting number of seconds to wait for a new database synchronization attempt.
response_timeout	60	Any number greater than or equal to 0.	Specifies the minimum time in seconds that must elapse before considering a message sent to the manager as timed-out. If the agent message times out, the module starts a new synchronization session.
max_eps	10	Integer number between 0 and 1000000. 0 means disabled.	Sets the maximum synchronization message throughput.
integrity_interval	86400 (24 hours)	Any non-negative integer (seconds).	Defines how often the agent performs a periodic integrity validation for FIM databases. When the interval elapses, the agent calculates checksums and compares them with the manager. On mismatch, the agent triggers a recovery mechanism to resolve synchronization inconsistencies.

Use cases

The Wazuh FIM module monitors directories to detect file changes, additions and deletions. This module is useful for monitoring important files on endpoints. You can use the FIM module for several purposes such as change management processes, regulatory compliance, and detecting cyberattacks. Below are examples of some use cases of the Wazuh FIM module.

Detecting malware persistence technique

Adversaries might achieve persistence if they manage to add a malicious script or program to the startup folder of a Windows endpoint. The program in this folder executes when a user logs in to the endpoint.

By monitoring the Windows startup folder with the Wazuh FIM module, you can detect any suspicious or unknown programs that users might have added. This allows you to take appropriate action to remove them before they cause harm to your endpoint.

Use case description

Endpoint

Description

Windows 11

The FIM module monitors the startup folder on this endpoint.
Configuration

Wazuh monitors the startup folder automatically without requiring any user action. By default, the Wazuh configuration file at C:\Program Files (x86)\ossec-agent\ossec.conf uses the following setting to monitor the startup folder:
<syscheck>
  <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
</syscheck>
Test the configuration
Use PowerShell to download an EICAR test file to the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup directory:
cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Invoke-WebRequest -Uri https://secure.eicar.org/eicar.com.txt -OutFile eicar.txt
Delete the file from the Windows endpoint:
Remove-Item eicar.txt
Visualize the alert

Navigate to File Integrity Monitoring on the Wazuh dashboard to view the alert generated when the FIM module detects changes in the Windows startup folder.

Additionally, you can integrate the Wazuh FIM module with VirusTotal to automatically remove this type of threat. You can find more information in our Proof of Concept guide.
Detecting account manipulation

Account manipulation refers to the creation, modification, or deletion of user accounts or other credentials within an organization's IT infrastructure. Monitoring this activity is critical to the cybersecurity of an organization. Unauthorized account manipulations might grant an attacker access to sensitive systems and data.

To maintain persistence on a victim endpoint, adversaries can alter the SSH authorized_keys file in Linux. The .ssh directory within a user home directory holds this file. For example, for a user named smith, you can find the authorized_keys file located at /home/smith/.ssh/authorized_keys. This file defines the public keys this user uses to login into some of their accounts. Each line in the file represents a single public key.

You can configure the Wazuh FIM module to monitor the authorized_keys file. This triggers an alert whenever a user or process modifies the public keys in the file. Detecting the modification of the SSH keys allows you to take action before a system compromise occurs.

Use case description

Endpoint

Description

Cent OS Stream 10

The FIM module detects SSH key modification on this endpoint.
Configuration

Perform the following steps to configure the FIM module to monitor SSH key modification.
Edit the /var/ossec/etc/ossec.conf configuration file and add authorized_keys for monitoring:
<syscheck>
  <directories whodata="yes">/home/*/.ssh/authorized_keys</directories>
</syscheck>
Restart the Wazuh agent to apply the configuration:
systemctl restart wazuh-agent
Test the configuration
Generate an SSH key-pair for user authentication and save it as .ssh/test_key using the following command:
ssh-keygen -f .ssh/test_key
Run the following command to copy your generated SSH public key test_key.pub and append it to the target CentOS user’s authorized_keys file. It will also create the .ssh directory with proper permissions if it doesn’t exist:
cat ~/.ssh/test_key.pub | ssh -t <USERNAME>@<IP_ADDRESS> "[ -d ~/.ssh ] || mkdir -m 700 ~/.ssh; tee -a ~/.ssh/authorized_keys > /dev/null"
Replace <USERNAME> and <IP_ADDRESS> with the username and IP address for your CentOS endpoint respectively.
Visualize the alert

Navigate to File Integrity Monitoring on the Wazuh dashboard to view the alert generated when the FIM module detects changes to the authorized_keys file.
Monitoring files at specific intervals

Compliance with regulatory standards and laws, such as PCI DSS, requires monitoring access and detecting changes to:

Critical files

Configuration files

Content files

This is important for protecting an organization's critical assets and data and detecting potential security breaches.

You can run scheduled scans with the FIM module to detect file modifications. In this example, the file is user_details.txt, and you schedule FIM to scan the file every 5 minutes.

Use case description

Endpoint

Description

macOS Monterey

The FIM module monitors a file on this endpoint within specific intervals.
Configuration

Perform the following steps to configure the FIM module to monitor a user_details.txt file every 5 minutes.
Create a text file user_details.txt and save it in the Documents directory.
Edit the Wazuh agent /var/ossec/etc/ossec.conf configuration file and add the user_details.txt file for monitoring:
<syscheck>
  <frequency>300</frequency>
  <directories>/Users/*/Documents/user_details.txt</directories>
</syscheck>
Restart the Wazuh agent to apply the configuration:
/Library/Ossec/bin/wazuh-control restart
Test the configuration

Modify the user_details.txt file and wait for 5 minutes which is the time configured for the FIM scan.

Visualize the alert

Navigate to File Integrity Monitoring on the Wazuh dashboard to view the alert generated when the FIM module detects changes to the user_details.txt file.
Reporting file changes

The functionality to report changes made to a file allows you to confirm the implementation of changes to an application or system. For example, if you change an application configuration file, the FIM capability reports the specific changes made to the file and shows the state before and after the change.

Having a record of file changes might be useful for troubleshooting issues or for auditing purposes. By providing visibility into file changes, the FIM capability plays a crucial role in effective change management.

Use case description

Endpoint

Description

CentOS Stream 10

The FIM module monitors a directory on this endpoint for file changes. It reports the exact changes made to a specified file and hides the changes made to an excluded file.
Configuration

Perform the following steps to configure the FIM module to report changes made to a file. The configuration reports changes made to files in /appfolder except for the private-file.conf file.
Create a directory /appfolder to be monitored by the Wazuh FIM module.
# mkdir /appfolder
Edit the /var/ossec/etc/ossec.conf configuration file and add the configuration below. This sets /appfolder for monitoring and makes an exception in reporting changes for /appfolder/private-file.conf using nodiff:
<syscheck>
  <directories realtime="yes" report_changes="yes">/appfolder</directories>
  <nodiff>/appfolder/private-file.conf</nodiff>
</syscheck>
Restart the Wazuh agent to apply the configuration changes:
systemctl restart wazuh-agent
Test the configuration
Create the files appreport.conf and private-file.conf in the /appfolder directory:
# touch /appfolder/appreport.conf && touch /appfolder/private-file.conf
Add the value I added this text to the appreport.conf and private-file.conf files:
echo “I added this text” | tee /appfolder/appreport.conf /appfolder/private-file.conf
Visualize the alert

Navigate to File Integrity Monitoring on the Wazuh dashboard to view the alert. You can find four alerts related to the monitored directory.

Expand the alert for the appreport.conf file with rule.id:550 to find information about the changes made to the file. In the image below, under the syscheck.diff field, you see the content added to the file.

Expand the alert for the private-file.conf file with rule.id:550 to search for information about the changes made to the file. In the image below, under the syscheck.diff field, you see that FIM doesn’t report the content added to the file.
Monitoring configuration changes

Monitoring configuration changes helps to establish accountability for changes made to systems and applications. Organizations can identify responsible parties and ensure that changes are properly authorized and documented by maintaining a record of changes and who made them.

You can configure the FIM module to monitor configuration files and report any changes. The Wazuh FIM module uses the whodata and report_changes attributes to record the following information about such changes:

The login user that made the changes.

The time of the changes.

The process that the user executed.

The changes made to the file.

Use case description

Endpoint

Description

CentOS Stream 10

The FIM module monitors a configuration file on this endpoint to detect file changes.
Configuration

Perform the following steps to configure the FIM module to monitor the /etc/app.conf file and report changes.
Create a file app.conf in the /etc directory:
# touch /etc/app.conf
Edit the /var/ossec/etc/ossec.conf configuration file and add the configuration below:
<syscheck>
  <directories check_all="yes" report_changes="yes" whodata="yes">/etc/app.conf</directories>
</syscheck>
Restart the Wazuh agent to apply the configuration changes:
systemctl restart wazuh-agent
Test the configuration
Modify the /etc/app.conf file by using nano with root privilege:
# nano /etc/app.conf
Add updated image to V2 to the file and save.
Visualize the alert

Navigate to File Integrity Monitoring on the Wazuh dashboard to view the alert generated when the FIM module detects modification of the configuration file.

Expand the alert to get more information about the event. In this example, the nano text editor modified the configuration file. The logged-in user on the endpoint was wazuh. The user modified the file using root privilege. The content added to the file is updated image to V2.

Windows Registry monitoring

The Windows Registry is a vital part of the Windows operating system. It is a database that stores configuration information for programs and hardware installed on Microsoft Windows operating systems. When you install a program, Windows creates a new subkey in the registry. This subkey contains information such as the program location, version, and startup instructions.

An unauthorized or unexpected change to the registry might result in system instability, application failures, and security breaches. Attackers might modify registry keys to execute malicious code or to maintain persistence on the system. In addition, legitimate software and system updates might also modify the registry. It's essential to track these changes to ensure system stability and security.

The Wazuh FIM module scans the Windows Registry periodically and triggers an alert when it detects changes in the entries.

How it works

The FIM module runs periodic scans of monitored Windows Registry entries and stores their checksums and other attributes in a local FIM database. You can specify which registry entries to monitor in the configuration of the Wazuh agent.

Upon a scan, the Wazuh agent reports any changes the FIM module finds in the monitored registry entries to the Wazuh server. The FIM module looks for file modifications by comparing the checksums of a registry entry to its stored checksums and attribute values. It generates an alert if it finds discrepancies.

The Wazuh FIM module uses two databases to collect FIM event data, such as registry entry creation, modification, and deletion data. One is a local SQLite-based database on the monitored endpoint that stores the data in C:\Program Files (x86)\ossec-agent\queue\fim\db. The other is an agent database on the Wazuh server stored at /var/ossec/queue/db.

The FIM module synchronization mechanism ensures synchronization between the Wazuh agent and the Wazuh server databases. It always updates the file inventory in the Wazuh server with the data available to the Wazuh agent. This allows for servicing FIM-related API queries regarding the Wazuh agents.

Configuration

To configure the FIM module, it’s necessary to specify the registry keys that FIM must monitor for creation, modification, and deletion. You can do this similarly to how you list directories and files, but using the label <windows_registry> instead.

You can modify the default FIM configuration on the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file of the Wazuh agent to specify the Windows Registry keys to monitor. You can also configure this capability remotely by using centralized configuration.

You can use * and ? wildcards when configuring Windows registry keys. Use them in the same way you would in a shell or Windows command prompt (cmd) terminal for listing files. For example:

<syscheck>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\SOFTWARE\*</windows_registry>
  <windows_registry arch="both">HKEY_CURRENT_CONFIG\S?????</windows_registry>
  <windows_registry arch="both">HKEY_USERS\S-?-?-??\*</windows_registry>
</syscheck>

Note

Registry keys matching your configuration might be created after the initial FIM scan. Wazuh scans these new keys only from the next scheduled FIM scan.

The FIM module supports several configuration options for monitoring Windows Registry entries. For example, you can enable all the basic checks with the check_all attribute, or find the information about the specific change made to a registry entry with the report_changes attribute. You can find a list of all the supported attributes and options in the windows_registry section of the documentation.

In this guide, you can see different configuration options that you can apply to monitor the Windows Registry.

Record Windows Registry attributes

You can specify the Windows Registry keys to monitor using the windows_registry option. This option supports several attributes. This section explains the following attributes.

check_all: The allowed values for the check_all attribute are yes and no. This option is enabled by default. Records:
- File size
- Last modification date
- MD5, SHA1, and SHA256 hash sums
check_sum: Records the MD5, SHA1, and SHA256 hashes of the Windows Registry values. The allowed values for the check_sum attribute are yes and no.
check_mtime: The check_mtime attribute allows the FIM module to record the modification time of the Windows Registry keys and values. The allowed values for the check_mtime attribute are yes and no.

Follow these steps to configure the FIM module with the following settings:

Record last modification date and all the file hashes of the HKEY_LOCAL_MACHINE\Software\Classes\batfile\TestKey1 registry key.
Disable the recording of file hashes (MD5, SHA1, and SHA256) of the HKEY_LOCAL_MACHINE\Software\Classes\batfile\TestKey2 registry key.
Disable the recording of the modification time of the HKEY_LOCAL_MACHINE\Software\Classes\batfile\TestKey3 registry key.

Edit the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file:

<syscheck>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile\TestKey1</windows_registry>
  <windows_registry check_sum="no">HKEY_LOCAL_MACHINE\Software\Classes\batfile\TestKey2</windows_registry>
  <windows_registry check_mtime="no">HKEY_LOCAL_MACHINE\Software\Classes\batfile\TestKey3</windows_registry>
</syscheck>

After configuring these attributes, restart the Wazuh agent using PowerShell with administrator privileges to apply the changes:
```
Restart-Service -Name wazuh
```

Recursion level

You can configure the maximum recursion level allowed for a Windows Registry entity with the recursion_level attribute of the windows_registry option. The allowed values for this attribute are any integer between 0 and 512.

Follow these steps to set the recursion_level of HKEY_LOCAL_MACHINE\SYSTEM\Setup to 3.

Edit the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file and add the configuration below:

<syscheck>
  <windows_registry recursion_level="3">HKEY_LOCAL_MACHINE\SYSTEM\Setup</windows_registry>
</syscheck>

After setting the recursion level, restart the Wazuh agent to apply the configuration:
```
Restart-Service -Name wazuh
```

When using the following registry structure and recursion_level="3", FIM generates alerts for Subkey_3 and all registry subkeys or values up to HKEY_LOCAL_MACHINE\SYSTEM\Setup\level_1\level_2\level_3\ but not for any registry subkeys or values deeper than level_3.

HKEY_LOCAL_MACHINE\SYSTEM\Setup
├── Subkey_0
└── level_1
    ├── Subkey_1
    └── level_2
        ├── Subkey_2
        └── level_3
            ├── Subkey_3
            └── level_4
                ├── Subkey_4
                └── level_5
                    └── Subkey_5

To disable the recursion and generate alerts only for the registry values in the monitored registry, you need to set the recursion_level value to 0.

If you don’t specify a value for recursion_level, it’s set to the default value defined by syscheck.default_max_depth in the internal options configuration file.

Reporting changes in registry values

To report the exact content changed in a Windows Registry value, you can configure the FIM module with the report_changes attribute of the windows_registry option. The allowed values are yes and no and the supported registry value types are:

REG_SZ
REG_MULTI_SZ
REG_DWORD
REG_DWORD_BIG_ENDIAN

You must use the report_changes attribute with caution. Wazuh copies every single monitored file to a C:\Program Files (x86)\ossec-agent\queue\diff\registry and this increases storage usage.

Follow these steps to configure the FIM module to report changes made to HKEY_LOCAL_MACHINE\SYSTEM\Setup key.

Open Registry Editor and create a subkey named Custom Key under the HKEY_LOCAL_MACHINE\SYSTEM\Setup registry key.

Edit the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file and add the configuration below:

<syscheck>
  <frequency>300</frequency>
  <windows_registry  report_changes="yes">HKEY_LOCAL_MACHINE\SYSTEM\Setup</windows_registry>
</syscheck>

Restart the Wazuh agent to apply the configuration:
```
Restart-Service -Name wazuh
```
Modify the Custom Key subkey and add a new string value FIM and data cmd.
Wait for 5 minutes which is the time configured for the FIM scan.

Navigate to File Integrity Monitoring on the Wazuh dashboard to view the alert generated when the FIM module detects a modification of the monitored registry value.

Expand the alert to see the changed fields.

Adding exclusions

You can configure the FIM module to ignore certain Windows Registry keys with the registry_ignore option. It allows declaring only a single Windows Registry entry. However, you can specify multiple lines to declare multiple registry entries.

Follow these steps to configure the FIM module to ignore the HKEY_LOCAL_MACHINE\Security\Policy and any Windows Registry entry that matches the simple regex pattern \Enum$ from FIM results.

Add this configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file of the Wazuh agent:

<syscheck>
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
  <registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>

Restart the Wazuh agent to apply the configuration:
```
Restart-Service -Name wazuh
```

Use case: Detect malware persistence in Windows Registry

Malware persistence in the Windows Registry is a technique attackers use to ensure that their malicious program runs every time the system starts or restarts. The malicious program is commonly added to the "Run" and "RunOnce" keys in the Registry.

With the Wazuh FIM module, you can detect any suspicious or unknown programs added to the startup registry keys. This allows you to take appropriate action to remove them before they cause harm to your system.

Use case description

Endpoint	Description
Windows 11	The FIM module monitors startup registry keys on this endpoint.

Configuration

Wazuh monitors the startup registry keys automatically, out-of-the-box, without requiring any user special action or configuration. By default, the Wazuh agent configuration file at C:\Program Files (x86)\ossec-agent\ossec.conf uses the following setting to monitor the startup registry keys:

<syscheck>
  <frequency>300</frequency>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
</syscheck>

Test the configuration

Warning

You must carry this out in a sandbox environment. Delete the added registry keys after running the test.

Open Registry Editor then add the string value name DemoValue and registry value data cmd to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key.
Open Registry Editor then add the string value name DemoValue and registry value data cmd to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce registry keys.
Wait for 5 minutes which is the time configured for the FIM scan.

Visualize the alert

Navigate to File Integrity Monitoring on the Wazuh dashboard to view the alert generated when the FIM module detects changes in the Windows startup registries.

Malware detection

Malware detection refers to the process of analyzing a computer system or network for the existence of malicious software and files. Security products can identify malware by checking for signatures of known malware. Security tools can also detect malicious activity by detecting suspicious behavior from software activity. When malware infects a system, it can modify it using various techniques to evade detection. Wazuh uses a broad-spectrum approach to counter those techniques in order to detect malicious files and abnormal patterns that indicate the presence of malware.

The Wazuh file integrity monitoring (FIM) module helps detecting malicious files on monitored endpoints. On its own, the FIM module cannot detect malicious files. However, you can detect malware by combining the FIM module with threat detection rules and threat intelligence sources. You can configure Wazuh to use FIM events with threat intelligence sources like VirusTotal and CDB lists containing file hashes, and YARA scans to detect malware.

Wazuh detects rootkit behavior on monitored endpoints using the Rootcheck module. Rootcheck continuously monitors endpoints and generates alerts when it detects any anomaly. Anomaly monitoring ensures Wazuh detects malware that signature-based techniques might have missed. Rootcheck also uses known signatures of rootkits and trojans to detect their presence on monitored endpoints. Wazuh's flexibility ensures that users can update these rootkit signatures themselves.

Wazuh log collection capability allows you to collect logs from third-party malware detection software. Using this capability, Wazuh collects and analyzes logs from various malware detection software like Windows Defender and ClamAV.

Contents

File integrity monitoring and threat detection rules

Creating and modifying files on infected endpoints is typical malware behavior. File integrity monitoring enables you to check selected directories and generate alerts when there are any file changes.

Below, we show an example of an alert generated by the FIM module when it detects a change in a monitored file:

{
   "timestamp":"2022-11-14T18:07:18.810+0200",
   "rule":{
      "level":7,
      "description":"Integrity checksum changed.",
      "id":"550",
      "mitre":{
         "id":[
            "T1565.001"
         ],
         "tactic":[
            "Impact"
         ],
         "technique":[
            "Stored Data Manipulation"
         ]
      },
      "firedtimes":1,
      "mail":false,
      "groups":[
         "ossec",
         "syscheck",
         "syscheck_entry_modified",
         "syscheck_file"
      ],
      "pci_dss":[
         "11.5"
      ],
      "gpg13":[
         "4.11"
      ],
      "gdpr":[
         "II_5.1.f"
      ],
      "hipaa":[
         "164.312.c.1",
         "164.312.c.2"
      ],
      "nist_800_53":[
         "SI.7"
      ],
      "tsc":[
         "PI1.4",
         "PI1.5",
         "CC6.1",
         "CC6.8",
         "CC7.2",
         "CC7.3"
      ]
   },
   "agent":{
      "id":"010",
      "name":"Ubuntu",
      "ip":"10.0.2.15"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1668442038.4872352",
   "full_log":"File '/test/hello' modified\nMode: realtime\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '8'\nOld modification time was: '1668441994', now it is '1668442038'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : '99472f8d2f760bcc394e80d09275150a'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : '75fdf620d8a1c7e6ea7f4c24ba5ff991fbb82e86'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : 'a96db6890367a8bc049841501ba1b0ab38bbdca062885d94f0130b17d162dea9'\n",
   "syscheck":{
      "path":"/test/hello",
      "mode":"realtime",
      "size_before":"0",
      "size_after":"8",
      "perm_after":"rw-r--r--",
      "uid_after":"0",
      "gid_after":"0",
      "md5_before":"d41d8cd98f00b204e9800998ecf8427e",
      "md5_after":"99472f8d2f760bcc394e80d09275150a",
      "sha1_before":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "sha1_after":"75fdf620d8a1c7e6ea7f4c24ba5ff991fbb82e86",
      "sha256_before":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "sha256_after":"a96db6890367a8bc049841501ba1b0ab38bbdca062885d94f0130b17d162dea9",
      "uname_after":"root",
      "gname_after":"root",
      "mtime_before":"2022-11-14T18:06:34",
      "mtime_after":"2022-11-14T18:07:18",
      "inode_after":3014658,
      "changed_attributes":[
         "size",
         "mtime",
         "md5",
         "sha1",
         "sha256"
      ],
      "event":"modified"
   },
   "decoder":{
      "name":"syscheck_integrity_changed"
   },
   "location":"syscheck"
}

Furthermore, you can write rules based on file creation and modification events to detect specific malware. For example, the following rules detect when web shells create or modify files on web servers.

<group name="linux, webshell, windows,">
  <!-- This rule detects file creation. -->
  <rule id="100500" level="12">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i).php$|.phtml$|.php3$|.php4$|.php5$|.phps$|.phar$|.asp$|.aspx$|.jsp$|.cshtml$|.vbhtml$</field>
    <description>[File creation]: Possible web shell scripting file ($(file)) created</description>
    <mitre>
      <id>T1105</id>
      <id>T1505</id>
    </mitre>
  </rule>

  <!-- This rule detects file modification. -->
  <rule id="100501" level="12">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i).php$|.phtml$|.php3$|.php4$|.php5$|.phps$|.phar$|.asp$|.aspx$|.jsp$|.cshtml$|.vbhtml$</field>
    <description>[File modification]: Possible web shell content added in $(file)</description>
    <mitre>
      <id>T1105</id>
      <id>T1505</id>
    </mitre>
  </rule>

  <!-- This rule detects files modified with PHP web shell signatures. -->
  <rule id="100502" level="15">
    <if_sid>100501</if_sid>
    <field name="changed_content" type="pcre2">(?i)passthru|exec|eval|shell_exec|assert|str_rot13|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|show_source|proc_open|pcntl_exec|execute|WScript.Shell|WScript.Network|FileSystemObject|Adodb.stream</field>
    <description>[File Modification]: File $(file) contains a web shell</description>
    <mitre>
      <id>T1105</id>
      <id>T1505.003</id>
    </mitre>
  </rule>
</group>

Below you can see a screenshot showing the alerts displayed on the Wazuh dashboard.

Rootkits behavior detection

Wazuh uses the Rootcheck module to detect anomalies that might indicate the presence of malware in an endpoint. By default, Rootcheck scans run every 12 hours. However, you can configure a custom frequency based on your needs. Check the Rootcheck frequency option on the documentation to learn how to do this.

How it works

The image below describes the steps Wazuh performs to detect malicious behavior on a monitored endpoint.

After you install a Wazuh agent on an endpoint, the agent uses the Rootcheck module to monitor specified directories, registry entries, and system calls for abnormal behavior. The module scans the endpoint using out-of-the-box rootkit signatures. You can also define custom rootkit signatures.
The Wazuh manager analyzes the logs sent by the agent. The analysis includes pre-decoding, decoding, and matching the logs to predefined rules.
When a log matches a rule, the Wazuh manager creates alerts in the /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json files.

You can enable the <logall> option in the Wazuh server configuration file, /var/ossec/etc/ossec.conf. When this option is enabled, the Wazuh manager saves all the logs from monitored endpoints, whether they trigger alerts or not, to the /var/ossec/logs/archives/archives.log and /var/ossec/logs/archives/archives.json files.

We describe Rootcheck capabilities in the sections below.

Check running processes

A malicious process can prevent itself from being seen in a system list of running processes, for example, by replacing the ps command with a trojan version. Rootcheck inspects all process IDs (PID), looking for discrepancies using different system calls such as getsid and getpgid.

For example, diamorphine is a kernel-mode rootkit that can hide itself and other processes from the ps command. Suppose you install this rootkit and hide a process. In that case, you get an alert like this:

** Alert 1668497757.1838662: - ossec,rootcheck,
2022 Nov 15 09:35:57 (Ubuntu) any->rootcheck
Rule: 521 (level 11) -> 'Possible kernel level rootkit'
Process '659' hidden from /proc. Possible kernel level rootkit.
title: Process '659' hidden from /proc.

Check hidden ports

Malware might use hidden ports to communicate with attackers. Rootcheck scans every port in the system using the C language function bind(). If it can’t bind to a port and that port isn’t in the netstat output, it means malware might be present.

Check unusual files and permissions

Wazuh scans the entire file system looking for unusual files and permissions. An example is a file owned by the root user, which has write permissions for other user accounts. Rootcheck inspects suid files, hidden directories, and other files to check for unusual permissions.

Check hidden files using system calls

Wazuh scans the entire system, comparing the differences between the stat size and the file size when using the fopen + read calls. Wazuh also compares the number of nodes in each directory with the output of opendir + readdir. If any results don't match, malware might be present.

Below, we show an example of an alert generated by Rootcheck when it detects an anomaly in the filesystem:

** Alert 1668497750.1838326: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
2022 Nov 15 09:35:50 (Ubuntu) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Rootkit 't0rn' detected by the presence of file '/usr/bin/.t0rn'.
title: Rootkit 't0rn' detected by the presence of file '/usr/bin/.t0rn'.

By default, the Rootcheck module monitors the following directories:

Unix	`/bin`, `/sbin`, `/usr/bin`, `/usr/sbin`, `/dev`, `/lib`, `/etc`, `/root`, `/var/log`, `/var/mail`, `/var/lib`, `/var/www`, `/usr/lib`, `/usr/include`, `/tmp`, `/boot`, `/usr/local`, `/var/tmp` and `/sys`
Windows	`C:\WINDOWS` and `C:\Program Files`

Scan the /dev directory

The /dev directory should only contain device-specific files. Wazuh inspects all files in this directory because malware can use this partition to hide files.

For example, if you create a hidden file in the /dev directory, it triggers an alert in Wazuh because there is a hidden file in a directory that should only contain device-specific files. The following is an example of such an alert:

** Alert 1668498534.1862633: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
2022 Nov 15 09:48:54 (Ubuntu) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/dev/.hidden' present on /dev. Possible hidden file.
title: File present on /dev.
file: /dev/.hidden

Scan network interfaces

Wazuh scans for any network interface in a system with promiscuous mode enabled. It checks the output of the ifconfig command. If an interface is in promiscuous mode, it triggers an alert. A network interface in promiscuous mode might be an indicator that malware is present.

CDB lists and threat intelligence

Wazuh detects malicious files by checking the presence of their signatures in a CDB list. This CDB list must contain known malware threat intelligence indicators. A CDB list is a text file you can use to save a list of users, file hashes, IP addresses, and domain names. You can add entries to a CDB list in key:value pairs or key: only. CDB lists can act as either allow or deny lists. You can learn more about CDB lists in the documentation.

How it works

Wazuh checks if field values, such as IP address, file hashes, and others, extracted from security events during decoding are in a CDB list to hunt and detect malware. To detect malware, you can use CDB lists with the file integrity monitoring (FIM) module. We describe how it works below:

The Wazuh FIM module scans monitored directories on endpoints to detect changes such as file creation and modifications. The FIM module stores the checksums and attributes of the monitored files.
When the FIM module generates an alert, the Wazuh analysis engine compares the file attributes, for example, the file hash, to the keys in a predefined CDB list.
If the Wazuh analysis engine finds a match, it generates or suppresses an alert based on how you configure your rule.

Use case: Detecting malware using file hashes in a CDB list

In this use case, we show how you can detect malware using file hashes that you have added to a CDB list. You can use this use case to detect malicious files on a Linux endpoint on which you have installed a Wazuh agent.

Wazuh server

Create a CDB list malware-hashes of known malware hashes and save it to the /var/ossec/etc/lists directory on the Wazuh server.
```
# vi /var/ossec/etc/lists/malware-hashes
```
Add the known malware hashes to the file as key:value pairs. In this case, you can use the known MD5 hashes of the Mirai and Xbash malware as shown below.
```
e0ec2cd43f71c80d42cd7b0f17802c73:mirai
55142f1d393c5ba7405239f232a6c059:Xbash
```

Add a reference to the CDB list in the Wazuh manager configuration file /var/ossec/etc/ossec.conf. You can do this by specifying the path to the list within the <ruleset> block:

...
  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <list>etc/lists/malware-hashes</list>
  <ruleset>
...

Create a custom rule in the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server. The rule generates alerts when the Wazuh analysis engine matches the MD5 hash of a new or modified file to a hash in the CDB list. Rules 554 and 550 must previously match indicating a recently created or modified file.

<group name="malware,">
  <rule id="110002" level="13">
    <!-- The if_sid tag references the built-in FIM rules -->
    <if_sid>554, 550</if_sid>
    <list field="md5" lookup="match_key">etc/lists/malware-hashes</list>
    <description>File with known malware hash detected: $(file)</description>
    <mitre>
      <id>T1204.002</id>
    </mitre>
  </rule>
</group>

Restart the Wazuh manager to apply changes.
```
# systemctl restart wazuh-manager
```

Linux endpoint

Configure directory monitoring by adding the <directories> block specifying the folders you want to monitor in the agent configuration file or using the centralized configuration option.
```
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <directories check_all="yes" realtime="yes"><PATH_TO_MONITORED_DIRECTORY></directories>
  </syscheck>
</ossec_config>
```
Note

The check_all option ensures Wazuh checks all file attributes including the file size, permissions, owner, last modification date, inode, and the hash sums.
Apply the changes if you edited the local configuration file:
```
# systemctl restart wazuh-agent
```
If you used centralized configuration, no manual restart is required. The agent reloads automatically after receiving the update.

Test the configuration

To test that everything works correctly, download the Mirai and Xbash malware samples to the directory the FIM module is monitoring.

Warning

These malicious files are dangerous, so use them for testing purposes only. Do not install them in production environments.

Download the malware samples. Replace <PATH_TO_MONITORED_DIRECTORY> with the path of the monitored directory.

$ sudo curl https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/mirai --output <PATH_TO_MONITORED_DIRECTORY>/mirai
$ sudo curl https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/xbash --output <PATH_TO_MONITORED_DIRECTORY>/Xbash

Visualize the alerts

You can see these alerts on the Wazuh dashboard. To do this, go to the Threat Hunting module of the Wazuh dashboard to view the alerts.

VirusTotal integration

Wazuh detects malicious files through an integration with VirusTotal, a powerful platform aggregating multiple antivirus products and an online scanning engine. Combining this tool with our FIM module provides an effective way of inspecting monitored files for malicious content.

About VirusTotal

VirusTotal is an online service that analyzes files and URLs to detect viruses, worms, trojans, and other malicious content using antivirus engines and website scanners.

VirusTotal is a free service with numerous useful features. We highlight the following ones relevant to our purpose:

VirusTotal stores all the analyses it performs, allowing users to search for file hashes. By sending the hash to the VirusTotal engine, you can know if VirusTotal has already scanned that specific file, and you can analyze its report.
VirusTotal also provides an API that allows access to the information generated by VirusTotal without needing to utilize the HTML website interface. This API is subject to its Terms of Service, which we briefly discuss in the following section.

Terms of Service

VirusTotal's Terms of Service specify the two ways users may use the VirusTotal API:

Public API

This method uses a free API with many of VirusTotal's functionalities. However, it has some significant limitations, such as:

The Public API is limited to 500 requests per day and a rate of 4 requests per minute.
The Public API must not be used in commercial products or services.
The Public API must not be used in business workflows that do not contribute new files.
You are not allowed to register multiple accounts to overcome the aforementioned limitations.

Private API

VirusTotal also provides a premium Private API where the request rates allowed are only limited by the user's Terms of Service. Apart from that, it provides high-priority access for requests, along with additional advantages.

To find out more about VirusTotal, its Terms of Service, and using its API, please visit their website.

How it works

This integration uses the VirusTotal API to detect malicious content within the files and directories monitored by the File Integrity Monitoring capability of Wazuh. This integration functions as described below:

Wazuh FIM looks for any file addition, change, or deletion on the monitored folders. This module has the hash of these files stored and triggers alerts when it detects any changes.
If enabled, Wazuh triggers the VirusTotal integration when an FIM alert occurs. From this alert, the integration extracts the hash field of the file.
The integration then makes an HTTP POST request to the VirusTotal database using the VirusTotal API. This call sends the extracted file hash to compare it with the information in the VirusTotal database.
The integration receives a JSON response, which is the result of the request. The response triggers one of the following Wazuh alerts:
- Error: Check credentials.
- Error: Public API request rate limit reached.
- Alert: No records in VirusTotal database.
- Alert: No positives found.
- Alert: X engines detected this file. X is the number of antivirus engines.

Wazuh logs the triggered alert in the /var/ossec/logs/integrations.log file and stores it in the /var/ossec/logs/alerts/alerts.log file with all other alerts.

Find examples of these alerts in the VirusTotal integration alerts section below.

Use case: Scanning a file

Getting started

Follow the instructions from External API integration to enable the Integrator module and configure the VirusTotal integration.

Below is an example of settings you must add to the /var/ossec/etc/ossec.conf file on the Wazuh server:

<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

Using FIM to monitor a directory

For this use case, we show how to monitor the folder /media/user/software on Linux endpoints.

Add the following to the <syscheck> section of the configuration file. You can configure these options in the Wazuh server and the Wazuh agent /var/ossec/etc/ossec.conf file. You can also configure this capability remotely using the centralized configuration options provided by the agent.conf file. The list of all FIM configuration options is available in the syscheck section of the documentation. In our example, we configured the options below on the Wazuh server.
```
<syscheck>
  <directories check_all="yes" realtime="yes">/media/user/software</directories>
</syscheck>
```
After applying the configuration, you must restart the Wazuh manager:
# systemctl restart wazuh-manager
# service wazuh-manager restart

After restarting, FIM applies the new configuration and monitors the folder you specify in near real time.

Test the configuration

Now, you can download a malicious file on the endpoint in the monitored folder.

Warning

Download the Eicar file here for testing purposes only. We recommend testing in a sandbox, not in a production environment.

$ sudo curl -Lo /media/user/software/suspicious-file.exe https://secure.eicar.org/eicar.com

When FIM detects a new file in the monitored directory, Wazuh generates the alert below:

{
   "timestamp":"2022-11-17T19:17:42.694+0200",
   "rule":{
      "level":5,
      "description":"File added to the system.",
      "id":"554",
      "firedtimes":2,
      "mail":false,
      "groups":[
         "ossec",
         "syscheck",
         "syscheck_entry_added",
         "syscheck_file"
      ],
      "pci_dss":[
         "11.5"
      ],
      "gpg13":[
         "4.11"
      ],
      "gdpr":[
         "II_5.1.f"
      ],
      "hipaa":[
         "164.312.c.1",
         "164.312.c.2"
      ],
      "nist_800_53":[
         "SI.7"
      ],
      "tsc":[
         "PI1.4",
         "PI1.5",
         "CC6.1",
         "CC6.8",
         "CC7.2",
         "CC7.3"
      ]
   },
   "agent":{
      "id":"010",
      "name":"Ubuntu",
      "ip":"10.0.2.15"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1668705462.50453",
   "full_log":"File '/media/user/software/suspicious-file.exe' added\nMode: realtime\n",
   "syscheck":{
      "path":"/media/user/software/suspicious-file.exe",
      "mode":"realtime",
      "size_after":"0",
      "perm_after":"rw-r--r--",
      "uid_after":"0",
      "gid_after":"0",
      "md5_after":"d41d8cd98f00b204e9800998ecf8427e",
      "sha1_after":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "uname_after":"root",
      "gname_after":"root",
      "mtime_after":"2022-11-17T19:17:42",
      "inode_after":1704505,
      "event":"added"
   },
   "decoder":{
      "name":"syscheck_new_entry"
   },
   "location":"syscheck"
}

From this alert, the integrator module extracts the hash fields, and sends the request to VirusTotal for comparison.

Note

Find more information about how to use File Integrity Monitoring for different types of scans in its documentation.

VirusTotal integration alerts

When the integrator module sends a request to VirusTotal, as noted above, the response triggers an alert depending on the situation. Below are examples and explanations of these alerts:

The API credentials are incorrect:

{
   "timestamp":"2022-11-17T19:17:43.637+0200",
   "rule":{
      "level":3,
      "description":"VirusTotal: Error: Check credentials",
      "id":"87102",
      "firedtimes":3,
      "mail":false,
      "groups":[
         "virustotal"
      ],
      "gdpr":[
         "IV_35.7.d",
         "IV_32.2"
      ]
   },
   "agent":{
      "id":"000",
      "name":"localhost.localdomain"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1668705463.51155",
   "decoder":{
      "name":"json"
   },
   "data":{
      "virustotal":{
         "error":"403",
         "description":"Error: Check credentials"
      },
      "integration":"virustotal"
   },
   "location":"virustotal"
}

This error means that the API key set in the configuration is invalid.

The API has reached the set rate limit:

{
   "timestamp":"2022-11-17T19:22:13.236+0200",
   "rule":{
      "level":3,
      "description":"VirusTotal: Error: Public API request rate limit reached",
      "id":"87101",
      "firedtimes":2,
      "mail":false,
      "groups":[
         "virustotal"
      ]
   },
   "agent":{
      "id":"000",
      "name":"localhost.localdomain"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1668705733.90632",
   "decoder":{
      "name":"json"
   },
   "data":{
      "virustotal":{
         "error":"204",
         "description":"Error: Public API request rate limit reached"
      },
      "integration":"virustotal"
   },
   "location":"virustotal"
}

VirusTotal triggers this error when a user has reached the request rate limit. See the Terms of Service for more information on this limitation.

While the two previous alerts represent errors that might occur, the following are samples of alerts returned from a successful request:

Alert created when there are no records of threat in the VirusTotal database:

{
   "timestamp":"2022-11-17T19:22:07.974+0200",
   "rule":{
      "level":3,
      "description":"VirusTotal: Alert - /media/user/software/suspicious-file10.exe - No positives found",
      "id":"87104",
      "firedtimes":4,
      "mail":false,
      "groups":[
         "virustotal"
      ]
   },
   "agent":{
      "id":"010",
      "name":"Ubuntu",
      "ip":"10.0.2.15"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1668705727.84464",
   "decoder":{
      "name":"json"
   },
   "data":{
      "virustotal":{
         "found":"1",
         "malicious":"0",
         "source":{
            "alert_id":"1668705721.82254",
            "file":"/media/user/software/suspicious-file10.exe",
            "md5":"d41d8cd98f00b204e9800998ecf8427e",
            "sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709"
         },
         "sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709",
         "scan_date":"2022-11-17 17:19:48",
         "positives":"0",
         "total":"60",
         "permalink":"https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection/f-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-1668705588"
      },
      "integration":"virustotal"
   },
   "location":"virustotal"
}

Alert created when the scanned file was found and identified by the database as malware:

{
   "timestamp":"2022-11-17T19:30:25.085+0200",
   "rule":{
      "level":12,
      "description":"VirusTotal: Alert - /media/user/software/eicar.com - 66 engines detected this file",
      "id":"87105",
      "mitre":{
         "id":[
            "T1203"
         ],
         "tactic":[
            "Execution"
         ],
         "technique":[
            "Exploitation for Client Execution"
         ]
      },
      "firedtimes":1,
      "mail":true,
      "groups":[
         "virustotal"
      ],
      "pci_dss":[
         "10.6.1",
         "11.4"
      ],
      "gdpr":[
         "IV_35.7.d"
      ]
   },
   "agent":{
      "id":"010",
      "name":"Ubuntu",
      "ip":"10.0.2.15"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1668706225.104492",
   "decoder":{
      "name":"json"
   },
   "data":{
      "virustotal":{
         "found":"1",
         "malicious":"1",
         "source":{
            "alert_id":"1668706222.103798",
            "file":"/media/user/software/eicar.com",
            "md5":"44d88612fea8a8f36de82e1278abb02f",
            "sha1":"3395856ce81f2b7382dee72602f798b642f14140"
         },
         "sha1":"3395856ce81f2b7382dee72602f798b642f14140",
         "scan_date":"2022-11-17 17:15:04",
         "positives":"66",
         "total":"68",
         "permalink":"https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection/f-275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f-1668705304"
      },
      "integration":"virustotal"
   },
   "location":"virustotal"
}

File integrity monitoring and YARA

You can combine the capabilities of the Wazuh FIM module with YARA to detect malware. YARA is an open source tool that identifies and classifies malware artifacts based on textual or binary patterns. These patterns are indicators found in malware samples and are defined in the YARA rules file. The YARA community updates the YARA rules file to include newly discovered malware signatures.

How it works

This technique detects malware in several stages and is achieved in the following way:

The Wazuh FIM module scans monitored directories on endpoints to detect changes such as file creation and modifications.
When FIM detects a change in the monitored directory or file, it triggers a YARA scan active response. The Active Response module automatically executes YARA using the yara.sh script. YARA then scans the file that triggered the FIM alert against its ruleset to determine whether it is malware.
When the YARA rules match a file, the scan results are forwarded to the Wazuh manager for decoding, analysis and alerting. These scan results are not decoded out-of-the-box so you have to add the decoders to your Wazuh server.

This implementation of YARA scans with the Active Response module concentrates the scans on new or recently modified files in monitored directories, thus optimizing resource consumption on the monitored endpoints.

The diagram below illustrates the flow of events between the different components.

You can configure YARA for malware detection on Linux and Windows endpoints. In the use cases below, we show how you can configure the FIM module to monitor changes in the /root/ directory of a Linux endpoint. We also show how you can obtain the same results on Windows endpoints.

Use case: Detecting malware on Linux endpoints using YARA

In this use case, we demonstrate how to configure YARA with Wazuh to detect malware on Linux endpoints.

Infrastructure

Endpoint	Description
Ubuntu 22.04	The Active Response module runs YARA scans on new or modified files whenever the Wazuh FIM module alerts about them.

Linux endpoint configuration

Perform the following steps to configure YARA and the FIM module on the monitored endpoint.

Download, compile, and install YARA:

$ sudo apt update
$ sudo apt install -y make gcc autoconf libtool libssl-dev pkg-config
$ sudo curl -LO https://github.com/VirusTotal/yara/archive/v4.5.5.tar.gz
$ sudo tar -xvzf v4.5.5.tar.gz -C /usr/local/bin/ && rm -f v4.5.5.tar.gz
$ cd /usr/local/bin/yara-4.5.5/
$ sudo ./bootstrap.sh && sudo ./configure && sudo make && sudo make install && sudo make check

Test that YARA is running properly.

$ yara

Expected output:

yara: wrong number of arguments
Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

Try `--help` for more options

If the error message below is displayed:

/usr/local/bin/yara: error while loading shared libraries: libyara.so.9: cannot open shared object file: No such file or directory.

This means that the loader doesn’t find the libyara library usually located in /usr/local/lib. Add the /usr/local/lib path to the /etc/ld.so.conf loader configuration file to solve this.

$ sudo su
# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig

Switch back to the previous user.

Download YARA detection rules:

$ sudo mkdir -p /tmp/yara/rules
$ sudo curl 'https://valhalla.nextron-systems.com/api/v1/get' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' \
--compressed \
-H 'Referer: https://valhalla.nextron-systems.com/' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' \
--data 'demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text' \
-o /tmp/yara/rules/yara_rules.yar

Create a /var/ossec/active-response/bin/yara.sh file and add the content below:

#!/bin/bash
# Wazuh - Yara active response
# Copyright (C) 2015-2022, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.


#------------------------- Gather parameters -------------------------#

# Extra arguments
read INPUT_JSON
YARA_PATH=$(echo $INPUT_JSON | jq -r .parameters.extra_args[1])
YARA_RULES=$(echo $INPUT_JSON | jq -r .parameters.extra_args[3])
FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.syscheck.path)

# Set LOG_FILE path
LOG_FILE="logs/active-responses.log"

size=0
actual_size=$(stat -c %s ${FILENAME})
while [ ${size} -ne ${actual_size} ]; do
    sleep 1
    size=${actual_size}
    actual_size=$(stat -c %s ${FILENAME})
done

#----------------------- Analyze parameters -----------------------#

if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
then
    echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> ${LOG_FILE}
    exit 1
fi

#------------------------- Main workflow --------------------------#

# Execute Yara scan on the specified filename
yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"

if [[ $yara_output != "" ]]
then
    # Iterate every detected rule and append it to the LOG_FILE
    while read -r line; do
        echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE}
    done <<< "$yara_output"
fi

exit 0;

This is the active response script that executes YARA scans when FIM detects changes in the monitored directory. The active response script receives these parameters from the generated FIM alerts:

The file path contained in the alert that triggered the active response. The parameters.alert.syscheck.path key of the JSON alert holds the value of the file path. The path in this use case is /root/.
YARA_PATH: This variable specifies the path to the directory where the YARA executable is located. We installed YARA in the /usr/local/bin directory as shown in step 2 above.
YARA_RULES: This variable specifies the path to the file containing the YARA rules used for the scan.

This snippet of the script uses the parameters above to perform a YARA scan and appends the results to a log file called active-responses.log:

# Iterate every detected rule and append it to the LOG_FILE
while read -r line; do
    echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE}
done <<< "$yara_output"

For every line in the output of the YARA scan, the script appends an event to the Active Response log, /var/ossec/logs/active-responses.log, with the following format:

wazuh-yara: INFO - Scan result: yara_rule file_path

Note

There's no need to configure the Wazuh agent to monitor the Active Response log as it’s part of the agent default configuration.

Change the script ownership and permissions with the following commands:

$ sudo chmod 750 /var/ossec/active-response/bin/yara.sh
$ sudo chown root:wazuh /var/ossec/active-response/bin/yara.sh

Install the jq utility to process the JSON data from the FIM alerts:
```
$ sudo apt install -y jq
```
Add the following within the <syscheck> block of the Wazuh agent /var/ossec/etc/ossec.conf configuration file to monitor the /root/ directory:
```
<directories realtime="yes">/root/</directories>
```
Restart the Wazuh agent to apply the configuration changes:
```
$ sudo systemctl restart wazuh-agent
```

Wazuh server configuration

Perform the following steps to configure Wazuh FIM to alert file changes in a monitored directory on the endpoint. Then, configure the Active Response module to trigger a YARA scan on detection of a new or modified file.

Add the following custom decoders to the /var/ossec/etc/decoders/local_decoder.xml file. This extracts information from the YARA scan results:

<decoder name="yara_decoder">
  <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

Add the following custom rules to the /var/ossec/etc/rules/local_rules.xml file:

<group name="syscheck,">
  <rule id="100200" level="7">
    <if_sid>550</if_sid>
    <field name="file">/root/</field>
    <description>File modified in /root directory.</description>
  </rule>
  <rule id="100201" level="7">
    <if_sid>554</if_sid>
    <field name="file">/root/</field>
    <description>File added to /root directory.</description>
  </rule>
</group>

<group name="yara,">
  <rule id="108000" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>
  <rule id="108001" level="12">
    <if_sid>108000</if_sid>
    <match>wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>
</group>

The rules group syscheck detects FIM events in the monitored directory. The rules group yara alerts when the YARA integration finds malware in the monitored endpoints directory. You can modify the rules to detect file creation and modification events from other directories.

Configure the execution of the YARA script when files are added or modified to a monitored directory. Edit the Wazuh server /var/ossec/etc/ossec.conf configuration file and add the following:
```
<ossec_config>
  <command>
    <name>yara_linux</name>
    <executable>yara.sh</executable>
    <extra_args>-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/yara_rules.yar</extra_args>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>yara_linux</command>
    <location>local</location>
    <rules_id>100200,100201</rules_id>
  </active-response>
</ossec_config>
```
The <command> block describes information about the action to be executed on the Wazuh agent. It includes the following parameters:
- <name>: This uniquely identifies it as the yara_linux command.
- <executable>: This specifies the active response script or executable that must execute after a trigger. In this case, yara.sh.
- <extra_args>: This specifies where the YARA binary and rules are located.
- <timeout_allowed>: This specifies if the Active Response needs to undo an action after a specified period. It is set to no, which represents a stateless active response.
The <active-response> block defines the criteria used to execute a specific command:
- <command>: The previously identified yara_linux command.
- <location>: This specifies where the command executes. Using the local value means the command executes on the Wazuh agent that reported the event.
- <rules_id>: This represents the rule IDs that trigger the command:
  - Rule 100200: File modified on the /root directory.
  - Rule 100201: New file added to the /root directory.
Restart the Wazuh manager to apply the configuration changes:
```
$ sudo systemctl restart wazuh-manager
```

Test the configuration

To test that everything is working correctly, we use the Mirai and Xbash malware samples.

Warning

These malicious files are dangerous so use them for testing purposes only. Do not install them in production environments.

Download the malware samples and move them into the /root/ directory of the monitored endpoint.

$ curl https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/mirai --output ~/mirai
$ curl https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/xbash --output ~/Xbash
$ sudo mv ~/mirai /root/
$ sudo mv ~/Xbash /root/

Visualize the alerts

You can see these alerts on the Wazuh dashboard. To do this, go to the Threat Hunting module of the Wazuh dashboard to view the alerts.

Use case: Detecting malware on Windows endpoints using YARA

In this use case, we demonstrate how to configure YARA with Wazuh to detect malware on Windows endpoints.

Infrastructure

Endpoint	Description
Windows 11	The Active Response module runs YARA scans on new or modified files whenever the Wazuh FIM module alerts about them.

Windows endpoint configuration

Configure Python and YARA

Perform the following steps to install Python, and YARA, and download YARA rules.

Download Python executable installer from the official Python website.
Run the Python installer once downloaded and make sure to check the following boxes:
- Install launcher for all users
- Add Python 3.X to PATH. This places the interpreter in the execution path.
Download and install the latest Visual C++ Redistributable package.

Open PowerShell with administrator privileges to download and extract YARA:

> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.5/yara-4.5.5-2368-win64.zip -OutFile v4.5.5-win64.zip
> Expand-Archive v4.5.5-win64.zip; Remove-Item v4.5.5-win64.zip

Create a directory called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA executable into it:

> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\yara-v4.5.5-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

Install the valhallaAPI module:
```
> pip install valhallaAPI
```

Copy the following script and save it as download_yara_rules.py:

from valhallaAPI.valhalla import ValhallaAPI

v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()

with open('yara_rules.yar', 'w') as fh:
    fh.write(response)

Run the following commands to download the rules and place them in the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ directory:

> python.exe download_yara_rules.py
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

Configure Active Response and FIM

Perform the steps below to configure the Wazuh FIM and a YARA scan active response script for the detection of malicious files on the endpoint.

Create the yara.bat script in the C:\Program Files (x86)\ossec-agent\active-response\bin\ directory. This is necessary for the Wazuh-YARA active response scans:

@echo off

setlocal enableDelayedExpansion

reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT


if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)

if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)

set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)


set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%

for /F "tokens=* USEBACKQ" %%F in (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) do (
set syscheck_file_path=%%F
)

del /f %json_file_path%
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
echo %syscheck_file_path% >> %log_file_path%
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
)

exit /b

Add the C:\Users\<USER_NAME>\Downloads directory for monitoring within the <syscheck> block in the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf. Replace <USER_NAME> with the username of the endpoint:
```
<directories realtime="yes">C:\Users\<USER_NAME>\Downloads</directories>
```
Restart the Wazuh agent to apply the configuration changes:
```
> Restart-Service -Name wazuh
```

Wazuh server configuration

Perform the following steps on the Wazuh server. This allows alerting for changes in the endpoint monitored directory and configuring a YARA scan active response script to trigger whenever it detects a suspicious file.

Add the following decoders to the Wazuh server /var/ossec/etc/decoders/local_decoder.xml file. This allows extracting the information from YARA scan results:

<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

Add the following rules to the Wazuh server /var/ossec/etc/rules/local_rules.xml file. Replace <USER_NAME> with the username of the endpoint. The rules detect FIM events in the monitored directory. They also alert when malware is found by the YARA integration:

<group name="syscheck,">
  <rule id="100303" level="7">
    <if_sid>550</if_sid>
    <field name="file">C:\\Users\\<USER_NAME>\\Downloads</field>
    <description>File modified in C:\Users\<USER_NAME>\Downloads directory.</description>
  </rule>
  <rule id="100304" level="7">
    <if_sid>554</if_sid>
    <field name="file">C:\\Users\\<USER_NAME>\\Downloads</field>
    <description>File added to C:\Users\<USER_NAME>\Downloads  directory.</description>
  </rule>
</group>

<group name="yara,">
  <rule id="108000" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

  <rule id="108001" level="12">
    <if_sid>108000</if_sid>
    <match>wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>
</group>

Add the following configuration to the Wazuh server /var/ossec/etc/ossec.conf file:

<ossec_config>
  <command>
    <name>yara_windows</name>
    <executable>yara.bat</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>yara_windows</command>
    <location>local</location>
    <rules_id>100303,100304</rules_id>
  </active-response>
</ossec_config>

Restart the Wazuh manager to apply the configuration changes:
```
$ sudo systemctl restart wazuh-manager
```

Test the configuration

Note

For testing purposes, we download the EICAR anti-malware test file as shown below. We recommend testing in a sandbox, not in a production environment.

Download a malware sample on the monitored Windows endpoint:

Turn off Microsoft Virus and threat protection temporarily to avoid the EICAR file removal.

Download the EICAR zip file:

> Invoke-WebRequest -Uri https://secure.eicar.org/eicar_com.zip -OutFile eicar.zip

Unzip it:
```
> Expand-Archive .\eicar.zip
```

Copy the EICAR file to the monitored directory:

> cp .\eicar\eicar.com C:\Users\<USER_NAME>\Downloads

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

rule.groups:yara

ClamAV logs collection

Wazuh detects malicious files through integration with ClamAV, a free and open source antimalware engine for detecting various types of malware, including viruses and trojans.

About ClamAV

ClamAV is an open source antimalware toolkit designed for various use cases like endpoint security, web scanning, and email scanning. ClamAV has the following features:

It offers real-time protection for Linux endpoints.
It provides automatic updates to the malware database.
It supports all standard mail file formats by default.
It supports several archive formats like ZIP and RAR.
It supports common document files like MS Office and Mac Office files, HTML, RTF, and PDF
It is designed with an advanced database updater that can either leverage scripted updates or digital signatures.
It uses a command-line scanner.
It has built-in support for ELF executables and Portable Executable files packed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE and others.

Configuration

You can configure ClamAV and collect its logs from Linux and Windows endpoints. To collect ClamAV logs from Linux endpoints, remove the # comment tag before the LogSyslog true statement in /etc/clamav/clamd.conf. Uncommenting this statement forwards ClamAV logs to the Syslog file /var/log/syslog. You don’t need further configuration after this because the Wazuh agent reads the /var/log/syslog file by default. Your configuration should be similar to this:

#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog true
LogRotate true
...

Decoders and rules

Wazuh has decoders for ClamAV logs out-of-the-box. Therefore, you don’t need to create any decoders for these logs. Furthermore, we include rules for ClamAV, which you can find at /var/ossec/ruleset/rules/0320-clam_av_rules.xml on the Wazuh server.

Note

The out-of-the-box decoders only decode ClamAV logs from /var/log/syslog on Linux endpoints.

Alert samples

Below are examples of ClamAV alerts. You can find these alerts in the /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json files on the Wazuh server when triggered on monitored endpoints. The Wazuh dashboard also displays these alerts.

Alert created when ClamAV detects malware:

{
   "timestamp":"2023-01-09T18:10:57.937+0000",
   "rule":{
      "level":8,
      "description":"ClamAV: Virus detected",
      "id":"52502",
      "firedtimes":2,
      "mail":false,
      "groups":[
         "clamd",
         "freshclam",
         "virus"
      ],
      "pci_dss":[
         "5.1",
         "5.2",
         "11.4"
      ],
      "gpg13":[
         "4.2"
      ],
      "gdpr":[
         "IV_35.7.d"
      ],
      "nist_800_53":[
         "SI.3",
         "SI.4"
      ],
      "tsc":[
         "A1.2",
         "CC6.1",
         "CC6.8",
         "CC7.2",
         "CC7.3"
      ]
   },
   "agent":{
      "id":"016",
      "name":"ip-172-31-44-227",
      "ip":"172.31.44.227"
   },
   "manager":{
      "name":"wazuh-server"
   },
   "id":"1673287857.654581",
   "full_log":"Jan  9 18:10:56 ip-172-31-44-227 clamd[5780]: /home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND",
   "predecoder":{
      "program_name":"clamd",
      "timestamp":"Jan  9 18:10:56",
      "hostname":"ip-172-31-44-227"
   },
   "decoder":{
      "parent":"clamd",
      "name":"clamd"
   },
   "data":{
      "id":"44d88612fea8a8f36de82e1278abb02f",
      "url":"/home/ubuntu/eicar.com",
      "extra_data":"Win.Test.EICAR_HDB-1"
   },
   "location":"/var/log/syslog"
}

Alert created when Clamd service is stopped:

{
   "timestamp":"2023-01-09T18:06:13.623+0000",
   "rule":{
      "level":6,
      "description":"Clamd stopped",
      "id":"52510",
      "mitre":{
         "id":[
            "T1562.001"
         ],
         "tactic":[
            "Defense Evasion"
         ],
         "technique":[
            "Disable or Modify Tools"
         ]
      },
      "firedtimes":1,
      "mail":false,
      "groups":[
         "clamd",
         "freshclam",
         "virus"
      ],
      "pci_dss":[
         "5.1"
      ],
      "gpg13":[
         "4.14"
      ],
      "nist_800_53":[
         "SI.3"
      ],
      "tsc":[
         "A1.2"
      ]
   },
   "agent":{
      "id":"016",
      "name":"ip-172-31-44-227",
      "ip":"172.31.44.227"
   },
   "manager":{
      "name":"wazuh-server"
   },
   "id":"1673287573.647539",
   "full_log":"Jan  9 18:06:12 ip-172-31-44-227 clamd[5468]: Mon Jan  9 18:06:12 2023 -> --- Stopped at Mon Jan  9 18:06:12 2023",
   "predecoder":{
      "program_name":"clamd",
      "timestamp":"Jan  9 18:06:12",
      "hostname":"ip-172-31-44-227"
   },
   "decoder":{
      "name":"clamd"
   },
   "location":"/var/log/syslog"
}

Alert created when ClamAV updates its signature database:

{
   "timestamp":"2023-01-09T17:46:30.473+0000",
   "rule":{
      "level":3,
      "description":"ClamAV database update",
      "id":"52507",
      "firedtimes":1,
      "mail":false,
      "groups":[
         "clamd",
         "freshclam",
         "virus"
      ],
      "pci_dss":[
         "5.2"
      ],
      "gpg13":[
         "4.4"
      ],
      "gdpr":[
         "IV_35.7.d"
      ],
      "nist_800_53":[
         "SI.3"
      ],
      "tsc":[
         "A1.2"
      ]
   },
   "agent":{
      "id":"016",
      "name":"ip-172-31-44-227",
      "ip":"172.31.44.227"
   },
   "manager":{
      "name":"wazuh-server"
   },
   "id":"1673286390.636389",
   "full_log":"Jan  9 17:46:29 ip-172-31-44-227 freshclam[2718]: Mon Jan  9 17:46:29 2023 -> ClamAV update process started at Mon Jan  9 17:46:29 2023",
   "predecoder":{
      "program_name":"freshclam",
      "timestamp":"Jan  9 17:46:29",
      "hostname":"ip-172-31-44-227"
   },
   "decoder":{
      "name":"freshclam"
   },
   "location":"/var/log/syslog"
}

Alert created when Clamd service is restarted:

{
   "timestamp":"2023-01-09T17:23:49.081+0000",
   "rule":{
      "level":3,
      "description":"Clamd restarted",
      "id":"52505",
      "firedtimes":1,
      "mail":false,
      "groups":[
         "clamd",
         "freshclam",
         "virus"
      ],
      "gpg13":[
         "4.14"
      ]
   },
   "agent":{
      "id":"016",
      "name":"ip-172-31-44-227",
      "ip":"172.31.44.227"
   },
   "manager":{
      "name":"wazuh-server"
   },
   "id":"1673285029.597542",
   "full_log":"Jan  9 17:23:47 ip-172-31-44-227 clamd[5333]: clamd daemon 0.103.6 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)",
   "predecoder":{
      "program_name":"clamd",
      "timestamp":"Jan  9 17:23:47",
      "hostname":"ip-172-31-44-227"
   },
   "decoder":{
      "name":"clamd"
   },
   "location":"/var/log/syslog"
}

Alert created when ClamAV detects a malware multiple times:

{
   "timestamp":"2023-01-11T19:01:16.719+0000",
   "rule":{
      "level":10,
      "description":"ClamAV: Virus detected multiple times",
      "id":"52511",
      "frequency":8,
      "firedtimes":1,
      "mail":false,
      "groups":[
         "clamd",
         "freshclam",
         "virus"
      ],
      "pci_dss":[
         "5.1",
         "5.2",
         "11.4"
      ],
      "gpg13":[
         "4.2"
      ],
      "gdpr":[
         "IV_35.7.d"
      ],
      "nist_800_53":[
         "SI.3",
         "SI.4"
      ],
      "tsc":[
         "A1.2",
         "CC6.1",
         "CC6.8",
         "CC7.2",
         "CC7.3"
      ]
   },
   "agent":{
      "id":"016",
      "name":"ip-172-31-44-227",
      "ip":"172.31.44.227"
   },
   "manager":{
      "name":"wazuh-server"
   },
   "id":"1673463676.23800",
   "previous_output":"Jan 11 19:01:14 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:14 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND\nJan 11 19:01:13 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:13 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND\nJan 11 19:01:12 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:12 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND\nJan 11 19:01:10 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:10 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND\nJan 11 19:01:09 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:09 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND\nJan 11 19:01:06 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:06 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND\nJan 11 19:01:01 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:01 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND",
   "full_log":"Jan 11 19:01:16 ip-172-31-44-227 clamd[506]: Wed Jan 11 19:01:16 2023 -> ~/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND",
   "predecoder":{
      "program_name":"clamd",
      "timestamp":"Jan 11 19:01:16",
      "hostname":"ip-172-31-44-227"
   },
   "decoder":{
      "parent":"clamd",
      "name":"clamd"
   },
   "data":{
      "id":"44d88612fea8a8f36de82e1278abb02f",
      "url":"~/home/ubuntu/eicar.com",
      "extra_data":"Win.Test.EICAR_HDB-1"
   },
   "location":"/var/log/syslog"
}

Windows Defender logs collection

Windows Defender is the anti-malware component of the Microsoft Windows operating system. You can configure Wazuh agents installed on Windows endpoints to collect Windows Defender logs. This provides visibility on malware infections detected by Windows Defender on Windows endpoints. These logs can also provide information about:

The status of the Windows Defender service.
Results of Windows Defender scans that the users run on these endpoints.

Configuration

To collect Windows Defender logs, you must configure the Wazuh agent using centralized configuration, or locally using the agent C:\Program Files (x86)\ossec-agent\ossec.conf file. Centralized configuration allows the instructions to be shared with a group of agents.

Add the following block to the configuration file to enable Windows Defender log collection:

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

Decoders and rules

Wazuh has out-of-the-box decoders for Microsoft Windows logs including Windows Defender. Therefore, you don’t need to create any decoders for these logs. Furthermore, we include rules for Windows Defender, which you can find at /var/ossec/ruleset/rules/0600-win-wdefender_rules.xml on the Wazuh server.

Alert samples

Below are examples of Windows Defender alerts. User and malware activity triggers these kinds of alerts on monitored endpoints. You can find these alerts in the /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json files on the Wazuh server. The Wazuh dashboard also displays these alerts.

Alert created when Windows Defender detects malware:

{
   "timestamp":"2023-01-05T11:44:58.557+0200",
   "rule":{
      "level":12,
      "description":"Windows Defender: Antimalware platform detected  potentially unwanted software ()",
      "id":"62123",
      "firedtimes":2,
      "mail":true,
      "groups":[
         "windows",
         "windows_defender"
      ],
      "pci_dss":[
         "5.1",
         "5.2",
         "10.6.1",
         "11.4"
      ],
      "gpg13":[
         "4.2"
      ],
      "gdpr":[
         "IV_35.7.d"
      ],
      "hipaa":[
         "164.312.b"
      ],
      "nist_800_53":[
         "SI.3",
         "AU.6",
         "SI.4"
      ],
      "tsc":[
         "A1.2",
         "CC7.2",
         "CC7.3",
         "CC6.1",
         "CC6.8"
      ]
   },
   "agent":{
      "id":"012",
      "name":"Windows_11",
      "ip":"10.0.2.15"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1672911898.1113167",
   "decoder":{
      "name":"windows_eventchannel"
   },
   "data":{
      "win":{
         "system":{
            "providerName":"Microsoft-Windows-Windows Defender",
            "providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}",
            "eventID":"1116",
            "version":"0",
            "level":"3",
            "task":"0",
            "opcode":"0",
            "keywords":"0x8000000000000000",
            "systemTime":"2023-01-05T09:44:55.1124563Z",
            "eventRecordID":"525",
            "processID":"2600",
            "threadID":"432",
            "channel":"Microsoft-Windows-Windows Defender/Operational",
            "computer":"Windows-11",
            "severityValue":"WARNING",
            "message":"\"Microsoft Defender Antivirus has detected malware or other potentially unwanted software.\r\n For more information please see the following:\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0\r\n \tName: Virus:DOS/EICAR_Test_File\r\n \tID: 2147519003\r\n \tSeverity: Severe\r\n \tCategory: Virus\r\n \tPath: file:_C:\\Users\\win11\\AppData\\Local\\Temp\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp; webfile:_C:\\Users\\win11\\AppData\\Local\\Temp\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp|https://secure.eicar.org/eicar.com.txt|pid:8412,ProcessStart:133173854939240064\r\n \tDetection Origin: Internet\r\n \tDetection Type: Concrete\r\n \tDetection Source: Downloads and attachments\r\n \tUser: Windows-11\\win11\r\n \tProcess Name: Unknown\r\n \tSecurity intelligence Version: AV: 1.381.1755.0, AS: 1.381.1755.0, NIS: 1.381.1755.0\r\n \tEngine Version: AM: 1.1.19900.2, NIS: 1.1.19900.2\""
         },
         "eventdata":{
            "product Name":"Microsoft Defender Antivirus",
            "product Version":"4.18.2211.5",
            "detection ID":"{53737EEC-A8A6-45E0-9155-4566B8133573}",
            "detection Time":"2023-01-05T09:44:55.064Z",
            "threat ID":"2147519003",
            "threat Name":"Virus:DOS/EICAR_Test_File",
            "severity ID":"5",
            "severity Name":"Severe",
            "category ID":"42",
            "category Name":"Virus",
            "fWLink":"https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Virus:DOS/EICAR_Test_File&amp;threatid=2147519003&amp;enterprise=0",
            "status Code":"1",
            "state":"1",
            "source ID":"4",
            "source Name":"Downloads and attachments",
            "process Name":"Unknown",
            "detection User":"Windows-11\\\\win11",
            "path":"file:_C:\\\\Users\\\\win11\\\\AppData\\\\Local\\\\Temp\\\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp; webfile:_C:\\\\Users\\\\win11\\\\AppData\\\\Local\\\\Temp\\\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp|https://secure.eicar.org/eicar.com.txt|pid:8412,ProcessStart:133173854939240064",
            "origin ID":"4",
            "origin Name":"Internet",
            "execution ID":"0",
            "execution Name":"Unknown",
            "type ID":"0",
            "type Name":"Concrete",
            "pre Execution Status":"0",
            "action ID":"9",
            "action Name":"Not Applicable",
            "error Code":"0x00000000",
            "error Description":"The operation completed successfully.",
            "post Clean Status":"0",
            "additional Actions ID":"0",
            "additional Actions String":"No additional actions required",
            "security intelligence Version":"AV: 1.381.1755.0, AS: 1.381.1755.0, NIS: 1.381.1755.0",
            "engine Version":"AM: 1.1.19900.2, NIS: 1.1.19900.2"
         }
      }
   },
   "location":"EventChannel"
}

Alert created when Windows Defender responds to detected malware:

{
   "timestamp":"2023-01-05T11:45:06.032+0200",
   "rule":{
      "level":3,
      "description":"Windows Defender: Antimalware platform performed an action to protect you from potentially unwanted software ()",
      "id":"62124",
      "firedtimes":2,
      "mail":false,
      "groups":[
         "windows",
         "windows_defender"
      ],
      "pci_dss":[
         "5.1",
         "5.2",
         "10.6.1",
         "11.4"
      ],
      "gpg13":[
         "4.2"
      ],
      "gdpr":[
         "IV_35.7.d"
      ],
      "hipaa":[
         "164.312.b"
      ],
      "nist_800_53":[
         "SI.3",
         "AU.6",
         "SI.4"
      ],
      "tsc":[
         "A1.2",
         "CC7.2",
         "CC7.3",
         "CC6.1",
         "CC6.8"
      ]
   },
   "agent":{
      "id":"012",
      "name":"Windows_11",
      "ip":"10.0.2.15"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1672911906.1119694",
   "decoder":{
      "name":"windows_eventchannel"
   },
   "data":{
      "win":{
         "system":{
            "providerName":"Microsoft-Windows-Windows Defender",
            "providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}",
            "eventID":"1117",
            "version":"0",
            "level":"4",
            "task":"0",
            "opcode":"0",
            "keywords":"0x8000000000000000",
            "systemTime":"2023-01-05T09:45:02.6103899Z",
            "eventRecordID":"526",
            "processID":"2600",
            "threadID":"432",
            "channel":"Microsoft-Windows-Windows Defender/Operational",
            "computer":"Windows-11",
            "severityValue":"INFORMATION",
            "message":"\"Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.\r\n For more information please see the following:\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0\r\n \tName: Virus:DOS/EICAR_Test_File\r\n \tID: 2147519003\r\n \tSeverity: Severe\r\n \tCategory: Virus\r\n \tPath: file:_C:\\Users\\win11\\AppData\\Local\\Temp\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp; webfile:_C:\\Users\\win11\\AppData\\Local\\Temp\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp|https://secure.eicar.org/eicar.com.txt|pid:8412,ProcessStart:133173854939240064\r\n \tDetection Origin: Internet\r\n \tDetection Type: Concrete\r\n \tDetection Source: Downloads and attachments\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tProcess Name: Unknown\r\n \tAction: Quarantine\r\n \tAction Status:  No additional actions required\r\n \tError Code: 0x00000000\r\n \tError description: The operation completed successfully. \r\n \tSecurity intelligence Version: AV: 1.381.1755.0, AS: 1.381.1755.0, NIS: 1.381.1755.0\r\n \tEngine Version: AM: 1.1.19900.2, NIS: 1.1.19900.2\""
         },
         "eventdata":{
            "product Name":"Microsoft Defender Antivirus",
            "product Version":"4.18.2211.5",
            "detection ID":"{53737EEC-A8A6-45E0-9155-4566B8133573}",
            "detection Time":"2023-01-05T09:44:55.064Z",
            "threat ID":"2147519003",
            "threat Name":"Virus:DOS/EICAR_Test_File",
            "severity ID":"5",
            "severity Name":"Severe",
            "category ID":"42",
            "category Name":"Virus",
            "fWLink":"https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Virus:DOS/EICAR_Test_File&amp;threatid=2147519003&amp;enterprise=0",
            "status Code":"4",
            "state":"2",
            "source ID":"4",
            "source Name":"Downloads and attachments",
            "process Name":"Unknown",
            "detection User":"Windows-11\\\\win11",
            "path":"file:_C:\\\\Users\\\\win11\\\\AppData\\\\Local\\\\Temp\\\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp; webfile:_C:\\\\Users\\\\win11\\\\AppData\\\\Local\\\\Temp\\\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp|https://secure.eicar.org/eicar.com.txt|pid:8412,ProcessStart:133173854939240064",
            "origin ID":"4",
            "origin Name":"Internet",
            "execution ID":"0",
            "execution Name":"Unknown",
            "type ID":"0",
            "type Name":"Concrete",
            "pre Execution Status":"0",
            "action ID":"2",
            "action Name":"Quarantine",
            "error Code":"0x00000000",
            "error Description":"The operation completed successfully.",
            "post Clean Status":"0",
            "additional Actions ID":"0",
            "additional Actions String":"No additional actions required",
            "remediation User":"NT AUTHORITY\\\\SYSTEM",
            "security intelligence Version":"AV: 1.381.1755.0, AS: 1.381.1755.0, NIS: 1.381.1755.0",
            "engine Version":"AM: 1.1.19900.2, NIS: 1.1.19900.2"
         }
      }
   },
   "location":"EventChannel"
}

Alert created when Windows Defender protection is disabled:

{
   "timestamp":"2023-01-05T16:26:55.513+0200",
   "rule":{
      "level":5,
      "description":"Windows Defender: Antivirus real-time protection is disabled",
      "id":"62152",
      "firedtimes":1,
      "mail":false,
      "groups":[
         "windows",
         "windows_defender"
      ],
      "pci_dss":[
         "5.1",
         "10.2.6",
         "10.6.1"
      ],
      "gpg13":[
         "4.14",
         "10.1"
      ],
      "gdpr":[
         "IV_35.7.d"
      ],
      "hipaa":[
         "164.312.b"
      ],
      "nist_800_53":[
         "SI.3",
         "AU.14",
         "AU.5",
         "AU.6"
      ],
      "tsc":[
         "A1.2",
         "CC6.8",
         "CC7.2",
         "CC7.3"
      ]
   },
   "agent":{
      "id":"012",
      "name":"Windows_11",
      "ip":"10.0.2.15"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1672928815.1914866",
   "decoder":{
      "name":"windows_eventchannel"
   },
   "data":{
      "win":{
         "system":{
            "providerName":"Microsoft-Windows-Windows Defender",
            "providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}",
            "eventID":"5001",
            "version":"0",
            "level":"4",
            "task":"0",
            "opcode":"0",
            "keywords":"0x8000000000000000",
            "systemTime":"2023-01-05T14:33:13.3093446Z",
            "eventRecordID":"540",
            "processID":"2600",
            "threadID":"7152",
            "channel":"Microsoft-Windows-Windows Defender/Operational",
            "computer":"Windows-11",
            "severityValue":"INFORMATION",
            "message":"\"Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.\""
         },
         "eventdata":{
            "product Name":"Microsoft Defender Antivirus",
            "product Version":"4.18.2211.5"
         }
      }
   },
   "location":"EventChannel"
}

Alert created when Windows Defender updates its signature database:

{
   "timestamp":"2023-01-05T12:55:10.920+0200",
   "rule":{
      "level":3,
      "description":"Windows Defender: Antimalware definitions updated successfully",
      "id":"62130",
      "firedtimes":2,
      "mail":false,
      "groups":[
         "windows",
         "windows_defender"
      ],
      "pci_dss":[
         "5.1",
         "10.6.1",
         "5.2"
      ],
      "gdpr":[
         "IV_35.7.d",
         "IV_35.7.d"
      ],
      "gpg13":[
         "4.4",
         "4.14"
      ],
      "hipaa":[
         "164.312.b"
      ],
      "nist_800_53":[
         "SI.3",
         "AU.6"
      ],
      "tsc":[
         "A1.2",
         "CC7.2",
         "CC7.3"
      ]
   },
   "agent":{
      "id":"011",
      "name":"ONEBOT-1",
      "ip":"10.5.0.2"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1672916110.1441972",
   "decoder":{
      "name":"windows_eventchannel"
   },
   "data":{
      "win":{
         "system":{
            "providerName":"Microsoft-Windows-Windows Defender",
            "providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}",
            "eventID":"2000",
            "version":"0",
            "level":"4",
            "task":"0",
            "opcode":"0",
            "keywords":"0x8000000000000000",
            "systemTime":"2023-01-05T10:55:07.4095656Z",
            "eventRecordID":"649",
            "processID":"6716",
            "threadID":"7528",
            "channel":"Microsoft-Windows-Windows Defender/Operational",
            "computer":"ONEBOT-1",
            "severityValue":"INFORMATION",
            "message":"\"Microsoft Defender Antivirus security intelligence version updated.\r\n \tCurrent security intelligence Version: 1.381.1755.0\r\n \tPrevious security intelligence Version: 1.381.1746.0\r\n \tSecurity intelligence Type: AntiSpyware\r\n \tUpdate Type: Delta\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tCurrent Engine Version: 1.1.19900.2\r\n \tPrevious Engine Version: 1.1.19900.2\""
         },
         "eventdata":{
            "product Name":"Microsoft Defender Antivirus",
            "product Version":"4.18.2211.5",
            "current security intelligence Version":"1.381.1755.0",
            "previous security intelligence Version":"1.381.1746.0",
            "domain":"NT AUTHORITY",
            "user":"SYSTEM",
            "sID":"S-1-5-18",
            "security intelligence Type Index":"2",
            "security intelligence Type":"AntiSpyware",
            "update Type Index":"2",
            "update Type":"Delta",
            "current Engine Version":"1.1.19900.2",
            "previous Engine Version":"1.1.19900.2"
         }
      }
   },
   "location":"EventChannel"
}

Custom rules to detect malware IOC

As cyber threat actors become creative in compromising systems, new malware variants are rising. These variants come with new behavioral patterns and Indicators of Compromise (IOCs) requiring new detection rules. Wazuh has an out-of-the-box rich set of rules that detect attacks, intrusions, software misuse, configuration problems, application errors, malware, rootkits, system anomalies, and security policy violations. These rules are maintained and updated on every release of the product to increase its detection capability. You can visit our repository on GitHub to view the rules in detail.

To stay current with malware evolution, you can create custom rules to detect these IOCs and behavioral patterns. To learn more about our ruleset, visit the ruleset documentation. You can also learn how to create custom rules and decoders from this section of our documentation.

Security Configuration Assessment

Security Configuration Assessment (SCA) is the process of verifying that all systems conform to a set of predefined rules regarding configuration settings and approved application usage. One of the most certain ways to secure endpoints is by reducing their vulnerability surface. This process is commonly known as hardening. Configuration assessment is an effective way to identify weaknesses in your endpoints and patch them to reduce your attack surface.

The Wazuh SCA module performs scans to detect misconfigurations and exposures on monitored endpoints and recommend remediation actions. Those scans assess the configuration of the endpoints using policy files that contain rules to be tested against the actual configuration of the endpoint. SCA policies can check for the existence of files, directories, registry keys and values, running processes, and recursively test for the existence of files inside directories.

For example, the SCA module could assess whether it is necessary to change password-related configuration, remove unnecessary software, disable unnecessary services, or audit the TCP/IP stack configuration.

Policies for the SCA module are written in YAML. This format was chosen because it is human-readable and easy to understand. You can easily write your own SCA policies or extend existing ones to fit your needs. Furthermore, Wazuh is distributed with a set of out-of-the-box policies mostly based on the CIS benchmarks, a well-established standard for endpoint hardening.

Further information is available in the following sections:

How SCA works

Each Wazuh agent has its own local database where it stores the current state of each SCA check. The Wazuh server maintains an SCA database for all agents that are enrolled to it. Wazuh agents only send the differences detected between scans to the Wazuh server. If there has been no change, only a summary of the SCA scan is sent, thus avoiding unnecessary network traffic while keeping the SCA database on the Wazuh server up to date. The Wazuh server then uses those updates to issue alerts that are shown in the Wazuh dashboard.

Integrity and alerting flow are depicted in the sequence diagram below.

Overview of an SCA check

Checks are the core of an SCA policy, as they describe the scan to be performed in the endpoint. The checks contain fields that define what actions the agent should take to scan the endpoint, and how to evaluate the scan results. Each check definition comprises:

Metadata information including a rationale, remediation, and a description of the check.
A logical description with the condition and rules fields.

As part of the metadata, the SCA policy can contain an optional compliance field used to specify if the check is relevant to any compliance specifications. SCA checks usually indicate standards or policies that they aim to comply with. For example, we map CIS benchmark, PCI-DSS, NIST, and TSC controls to the relevant SCA checks.

See below SCA policy ID 19115 for Ubuntu 20.04 operating system as an example of a policy definition.

- id: 19115
    title: "Ensure SSH HostbasedAuthentication is disabled."
    description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication."
    rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
    remediation: "Edit the /etc/ssh/sshd_config file to set the parameter above any Include entries as follows: HostbasedAuthentication no Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location."
    compliance:
       - cis: ["4.2.8"]
       - mitre_mitigations: ["M1042"]
       - mitre_tactics: ["TA0001"]
       - mitre_techniques: ["T1078", "T1078.001", "T1078.003"]
    condition: all
    rules:
       - 'c:sshd -T -> r:^\s*HostbasedAuthentication\s+no'
       - 'not f:/etc/ssh/sshd_config -> r:^\s*HostbasedAuthentication\s+yes'

Scan Results

SCA scan results appear as alerts with SCA scan data whenever a particular check changes its status between scans. Moreover, Wazuh agents only send those events necessary to keep the global status of the scan updated, avoiding potential events flooding.

Any given check event has three possible results:

Passed
Failed
Not applicable

This result is determined by the set of rules and the rule result aggregator of the check.

Take the following SCA check from policy cis_ubuntu20-04.yml as an example. The example SCA check shown scans the Ubuntu 20 endpoint to verify if you have implemented a “deny all” policy on your endpoint firewall:

- id: 19098
    title: "Ensure ip6tables default deny firewall policy."
    description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Note: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the ac$    rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
    remediation: "IF IPv6 is enabled on your system: Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP."
    compliance:
      - cis: ["3.4.3.3.1"]
      - cis_csc_v8: ["4.4", "4.5"]
      - cis_csc_v7: ["9.4"]
      - cmmc_v2.0: ["AC.L1-3.1.20", "CM.L2-3.4.7", "SC.L1-3.13.1", "SC.L2-3.13.6"]
      - iso_27001-2013: ["A.13.1.1"]
      - mitre_mitigations: ["M1031", "M1037"]
      - mitre_tactics: ["TA0011"]
      - mitre_techniques: ["T1562", "T1562.004"]
      - nist_sp_800-53: ["SC-7(5)"]
      - pci_dss_v3.2.1: ["1.1.4", "1.3.1", "1.4"]
      - pci_dss_v4.0: ["1.2.1", "1.4.1"]
      - soc_2: ["CC6.6"]
    condition: all
    rules:
      - "c:ip6tables -L -> r:^Chain INPUT && r:policy DROP"
      - "c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP"
      - "c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"

After evaluating the aforementioned check, the following event is generated:

"data": {
  "sca": {
    "scan_id": "1023532995",
    "check": {
      "result": "failed",
      "remediation": "IF IPv6 is enabled on your system: Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP.",
      "compliance": {
        "pci_dss_v4": {
          "0": "1.2.1,1.4.1"
        },
        "cis_csc_v8": "4.4,4.5",
        "soc_2": "CC6.6",
        "pci_dss_v3": {
          "2": {
            "1": "1.1.4,1.3.1,1.4"
          }
        },
        "nist_sp_800-53": "SC-7(5)",
        "mitre_tactics": "TA0011",
        "mitre_techniques": "T1562,T1562.004",
        "cis": "3.4.3.3.1",
        "cmmc_v2": {
          "0": "AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6"
        },
        "iso_27001-2013": "A.13.1.1",
        "cis_csc_v7": "9.4",
        "mitre_mitigations": "M1031,M1037"
      },
      "description": "A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Note: - Changing firewall settings while connected over network can result in being locked out of the system - Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well.",
      "id": "19098",
      "title": "Ensure ip6tables default deny firewall policy.",
      "rationale": "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage.",
      "command": [
        "ip6tables -L"
      ]
    },
    "type": "check",
    "policy": "CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.0"
  }
},

You can view the scan summaries on the Configuration Assessment module on the Wazuh dashboard.

In addition, you can expand each result to display additional information.

The above SCA scan result is Failed because the rule did not find Chain INPUT * policy DROP, Chain FORWARD * policy DROP, and Chain OUTPUT * policy DROP in the output of the command ip6tables -L. The steps below show how we implement the remediation steps suggested by Wazuh to harden the endpoint:

Run the following recommended commands on the monitored endpoint to apply the firewall rules:

# ip6tables -P INPUT DROP
# ip6tables -P OUTPUT DROP
# ip6tables -P FORWARD DROP

Save the firewall rules and make them persist on system reboot:

# ip6tables-save > /etc/ip6tables.conf
# crontab -l | { cat; echo "@reboot /usr/sbin/ip6tables-restore /etc/ip6tables.conf"; } | crontab -

Restart the Wazuh agent to trigger a new SCA scan:
```
# systemctl restart wazuh-agent
```

The scan result for check 19098 changes to Passed as shown in the image below:

A check is marked as Not applicable in case an error occurs while performing the check. In such cases, instead of including the result field, the status and reason fields are included.

Integrity mechanisms

Wazuh uses two integrity mechanisms to ensure integrity between agent-side and server-side SCA states. One of the integrity mechanisms ensures the integrity of the policy files and the second ensures the integrity of scan results.

Integrity of policy files

This mechanism is in charge of keeping policy files and scan results aligned. Whenever a change in a policy file is detected, SCA invalidates the results stored in the database for that policy and requests a new scan to generate new results.

In a nutshell, whenever the hash of a policy file changes, the recovery steps performed are:

A similar message appears in the Wazuh server log file /var/ossec/logs/ossec.log:
```
2022/11/01 15:31:23 wazuh-analysisd: INFO: Policy 'cis_debian10' information for agent '001' is outdated. Requested latest scan results.
```
The log shows the SCA policy file and the affected Wazuh agent.
The Wazuh server flushes its stored data for that SCA policy.
The Wazuh agent sends the new scan results of the SCA policy.
The Wazuh server updates its database and fires alerts for the new scan results.

Note

Alerts are triggered for every check in a policy when the policy is updated. This way, false negatives are avoided.

Integrity of the scan results

To illustrate how the integrity of scan results is kept, we use an example in which the agent-side database and the server-side differ. This scenario could happen when there is a network issue.

The table below shows an example of SCA state stored in the Wazuh agent and Wazuh server databases.

States stored in the Wazuh agent and Wazuh server databases
Check ID	Agent-side state	Manager-side state
1000	Passed	Passed
1001	Failed	Failed
1002	Failed	Missing
1003	Passed	Passed

For those databases, the corresponding SHA256 hashes are:

Wazuh agent:   1642AB1DC478052AC3556B5E700CD82ADB69728008301882B9CBEE0696FF2C84
Wazuh server: B43037CA28D95A69B6F9E03FCD826D2B253A6BB1B6AD28C4AE57A3A766ACE610

Given that the two hashes do not match, the Wazuh server requests the latest scan data from the Wazuh agent and refreshes its database with the newly received status information.

How to configure SCA

Wazuh agents include the appropriate policies for their particular operating system during installation. For the full list of officially supported policy files, see the table Available SCA policies. These policies are included with the Wazuh server installation so that they can be easily enabled.

For a detailed description of the various configuration parameters of SCA, please check the SCA reference.

Enabling and disabling policies

By default, the Wazuh agent runs scans for every policy (.yaml or .yml files) present in their ruleset folder:

Linux and Unix-based agents: /var/ossec/ruleset/sca.
Windows agents: C:\Program Files (x86)\ossec-agent\ruleset\sca.
macOS agents: /Library/Ossec/ruleset/sca.

Warning

The contents of the aforementioned default ruleset folders are neither kept across installations nor updates. Place them under an alternative folder if you wish to modify or add new policies.

To enable a policy file outside the Wazuh agent installation folder, add the policy file path to the <sca> block in the Wazuh agent configuration file. An example is shown below:

<sca>
  <policies>
    <policy><FULLPATH_TO_CUSTOM_SCA_POLICY_FILE></policy>
  </policies>
</sca>

You can also specify a relative path to the Wazuh installation directory:

<sca>
  <policies>
    <policy>etc/shared/<CUSTOM_SCA_POLICY_FILE></policy>
  </policies>
</sca>

There are two ways to disable policies on the Wazuh agent. The simplest one is renaming the policy file by adding .disabled (or anything different from .yaml or .yml) after their YAML extension.

The second is to disable them from the Wazuh agent ossec.conf file by adding a line such as the following to the <policy> section of the SCA module:

<sca>
  <policies>
    <policy enabled="no">etc/shared/<POLICY_FILE_TO_DISABLE></policy>
  </policies>
</sca>

Note

From Wazuh 4.13.0, SCA policy files must be on local file systems. UNC network paths or mapped network drives are not supported.

How to share policy files and configuration with the Wazuh agents

As described in the centralized configuration section, the Wazuh manager can push files and configurations to connected Wazuh agents.

You can enable this feature to push policy files to the Wazuh agents in defined groups. By default, every Wazuh agent belongs to the default group, which is used here as an example:

On the Wazuh agent, edit the local_internal_options.conf file to allow the execution of commands in SCA policies that use the c (command) rule type sent from the Wazuh server:
```
# echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf
```
Note

By enabling the sca.remote_commands flag, the Wazuh server can execute commands on the monitored endpoint for SC policies that include rules of type c (command). This setting is only required for SCA policies using the c rule type; policies with other rule types (e.g., f for file, p for process, or r for registry) are not affected by the sca.remote_commands flag and will function without enabling it.

Remote command execution is disabled by default as a security measure to reduce the attack surface in case the Wazuh server is compromised. If you prefer not to enable remote commands, you can manually deploy policy files to each agent without using the Wazuh server to push them. For example, you can create the policy file directly on the monitored endpoint or use scp to copy the policy file to the endpoint.
On the Wazuh server, place a new policy file in the /var/ossec/etc/shared/default folder and change its ownership. Replace <NEW_POLICY_FILE> with your policy name.
# chown wazuh:wazuh /var/ossec/etc/shared/default/<NEW_POLICY_FILE>
Add the following configuration block to the Wazuh server /var/ossec/etc/shared/default/agent.conf file to configure the new policy file in the Wazuh agent:
<agent_config>  <sca> <policies> <policy>etc/shared/<NEW_POLICY_FILE></policy> </policies> </sca> </agent_config>
All files remotely pushed from the Wazuh server are saved in the /<WAZUH_HOME_DIRECTORY>/etc/shared/ directory on the agent endpoints regardless of the group they belong to. We specify the relative file path of the policy in the configuration because the full file path could differ depending on the operating system of the monitored endpoint.

The new <sca> block in the Wazuh server /var/ossec/etc/shared/default/agent.conf file is merged with the <sca> block on the Wazuh agent side, and the new configuration is added.

Available SCA policies

The table below shows SCA policies pre-installed in Wazuh out-of-the-box. The Wazuh agent only installs the policy file that is applicable to the endpoint operating system:

Available SCA policies
Reference	Policy	Target
cis_win10_enterprise	CIS Benchmark for Windows 10 Enterprise	Windows 10
cis_win11_enterprise	CIS Benchmark for Windows 11 Enterprise	Windows 11
cis_win2012r2	CIS Benchmark for Windows Server 2012 R2	Windows Server 2012 R2
cis_win2012_non_r2	CIS Benchmark for Windows Server 2012 non R2	Windows Server 2012 non R2
cis_win2016	CIS Benchmark for Windows Server 2016	Windows Server 2016
cis_win2019	CIS Benchmark for Windows Server 2019 RTM	Windows Server 2019
cis_win2022	CIS Benchmark for Windows Server 2022	Windows Server 2022
cis_win2025	CIS Benchmark for Windows Server 2025	Windows Server 2025
sca_win_audit	Benchmark for Windows auditing	Windows
cis_alma_linux_8	CIS Benchmark for Alma Linux 8	Alma Linux 8
cis_alma_linux_9	CIS Benchmark for Alma Linux 9	Alma Linux 9
cis_alma_linux_10	CIS Benchmark for Alma Linux 10	Alma Linux 10
cis_rocky_linux_8	CIS Benchmark for Rocky Linux 8	Rocky Linux 8
cis_rocky_linux_9	CIS Benchmark for Rocky Linux 9	Rocky Linux 9
cis_rocky_linux_10	CIS Benchmark for Rocky Linux 10	Rocky Linux 10
cis_oracle_linux_9	CIS Benchmark for Oracle Linux 9	Oracle Linux 9
cis_centos6_linux	CIS Benchmark for CentOS Linux 6	CentOS Linux 6
cis_centos7_linux	CIS Benchmark for CentOS Linux 7	CentOS Linux 7
cis_centos8_linux	CIS Benchmark for CentOS Linux 8	CentOS Linux 8
cis_centos8_linux	CIS Benchmark for CentOS Linux 8	CentOS Stream 8
cis_centos9_linux	CIS Benchmark for CentOS Stream 9	CentOS Stream 9
cis_centos10_linux	CIS Benchmark for CentOS Stream 10	CentOS Stream 10
cis_rhel6_linux	CIS Benchmark for Red Hat Enterprise Linux 6	Red Hat Enterprise Linux 6
cis_rhel7_linux	CIS Benchmark for Red Hat Enterprise Linux 7	Red Hat Enterprise Linux 7
cis_rhel8_linux	CIS Benchmark for Red Hat Enterprise Linux 8	Red Hat Enterprise Linux 8
cis_rhel9_linux	CIS Benchmark for Red Hat Enterprise Linux 9	Red Hat Enterprise Linux 9
cis_rhel10_linux	CIS Benchmark for Red Hat Enterprise Linux 10	Red Hat Enterprise Linux 10
cis_debian7	CIS Benchmark for Debian/Linux 7	Debian 7
cis_debian8	CIS Benchmark for Debian/Linux 8	Debian 8
cis_debian9	CIS Benchmark for Debian/Linux 9	Debian 9
cis_debian10	CIS Benchmark for Debian/Linux 10	Debian 10
cis_debian11	CIS Benchmark for Debian/Linux 11	Debian 11
cis_debian12	CIS Benchmark for Debian/Linux 12	Debian 12
cis_debian13	CIS Benchmark for Debian/Linux 13	Debian 13
cis_ubuntu14-04	CIS Checks for Ubuntu Linux 14.04 LTS	Ubuntu 14.04
cis_ubuntu16-04	CIS Checks for Ubuntu Linux 16.04 LTS	Ubuntu 16.04
cis_ubuntu18-04	CIS Checks for Ubuntu Linux 18.04 LTS	Ubuntu 18.04
cis_ubuntu20-04	CIS Checks for Ubuntu Linux 20.04 LTS	Ubuntu 20.04
cis_ubuntu22-04	CIS Checks for Ubuntu Linux 22.04 LTS	Ubuntu 22.04
cis_ubuntu24-04	CIS Checks for Ubuntu Linux 24.04 LTS	Ubuntu 24.04
cis_sles12_linux	CIS SUSE Linux Enterprise 12 Benchmark	SUSE 12
cis_sles15_linux	CIS Checks for SUSE SLES 15	SUSE 15
cis_amazon_linux_1	CIS Checks for Amazon Linux 1	Amazon Linux 1
cis_amazon_linux_2	CIS Checks for Amazon Linux 2	Amazon Linux 2
cis_amazon_linux_2023	CIS Checks for Amazon Linux 2023	Amazon Linux 2023
cis_apple_macOS_10.11	CIS Apple macOS 10.11 Benchmark	macOS 10.11 (El Capitan)
cis_apple_macOS_10.12	CIS Apple macOS 10.12 Benchmark	macOS 10.12 (Sierra)
cis_apple_macOS_10.13	CIS Apple macOS 10.13 Benchmark	macOS 10.13 (High Sierra)
cis_apple_macOS_10.14	CIS Checks for macOS 10.14	macOS 10.14 (Mojave)
cis_apple_macOS_10.15	CIS Checks for macOS 10.15	macOS 10.15 (Catalina)
cis_apple_macOS_11.1	CIS Checks for macOS 11.x	macOS 11.x (Big Sur)
cis_apple_macOS_12.0	CIS Checks for macOS 12.x	macOS 12.0 (Monterey)
cis_apple_macOS_13.x	CIS Checks for macOS 13.x	macOS 13.x (Ventura)
cis_apple_macOS_14.x	CIS Checks for macOS 14.x	macOS 14.x (Sonoma)
cis_apple_macOS_15.x	CIS Checks for macOS 15.x	macOS 15.x (Sequoia)
cis_apple_macOS_26.x	CIS Checks for macOS 26.x	macOS 26.x (Tahoe)
web_vulnerabilities	System audit for web-related vulnerabilities	N/A
cis_apache_24	CIS Apache HTTP Server 2.4 Benchmark	Apache configuration files
cis_mysql5-6_community	CIS Benchmark for Oracle MySQL Community Server 5.6	MySQL configuration files
cis_mysql5-6_enterprise	CIS Benchmark for Oracle MySQL Enterprise 5.6	MySQL configuration files
cis_sqlserver_2012	CIS Microsoft SQL Server 2012	Microsoft SQL Server 2012
cis_sqlserver_2014	CIS Microsoft SQL Server 2014	Microsoft SQL Server 2014
cis_sqlserver_2016	CIS Microsoft SQL Server 2016	Microsoft SQL Server 2016
cis_sqlserver_2017	CIS Microsoft SQL Server 2017	Microsoft SQL Server 2017
cis_sqlserver_2019	CIS Microsoft SQL Server 2019	Microsoft SQL Server 2019
cis_iis_10	CIS Checks for Microsoft IIS 10	Microsoft IIS 10
cis_mongodb_36	CIS Checks for MongoDB	MongoDB 3.6
cis_nginx_1	CIS Benchmark for NGINX	NGINX 1.14.0
cis_oracle_database_19c	CIS Checks for Oracle Database 19c	Oracle Database 19c
cis_postgre-sql-13	CIS Checks for PostgreSQL 13	PostgreSQL 13
sca_distro_independent_linux	CIS Benchmark for Distribution Independent Linux	Distribution Independent Linux

Creating custom SCA policies

You need to consider the following four sections when creating custom policy files, although not all of them are required.

Policy file sections
Section	Required
policy	Yes
requirements	No
variables	No
checks	Yes

An SCA policy looks like the following:

# Security Configuration Assessment
# Audit for UNIX systems
# Copyright (C) 2015, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation

policy:
  id: "unix_audit"
  file: "sca_unix_audit.yml"
  name: "System audit for Unix based systems"
  description: "Guidance for establishing a secure configuration for Unix based systems."
  references:
    - https://www.ssh.com/ssh/

requirements:
  title: "Check that the SSH service and password-related files are present on the system"
  description: "Requirements for running the SCA scan against the Unix based systems policy."
  condition: any
  rules:
    - 'f:$sshd_file'
    - 'f:/etc/passwd'
    - 'f:/etc/shadow'

variables:
  $sshd_file: /etc/ssh/sshd_config
  $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd

checks:
  - id: 3000
    title: "SSH Hardening: Port should not be 22"
    description: "The ssh daemon should not be listening on port 22 (the default value) for incoming connections."
    rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port."
    remediation: "Change the Port option value in the sshd_config file."
    compliance:
      - pci_dss: ["2.2.4"]
      - nist_800_53: ["CM.1"]
    condition: all
    rules:
      - 'f:$sshd_file -> !r:^# && r:Port && !r:\s*\t*22$'

  - id: 3001
    title: "SSH Hardening: Protocol should be set to 2"

Note

If the requirements aren't satisfied for a specific policy file, the scan for that file won't start.

Each section has its fields as described in the tables Policy section, Requirements section, Variables section, and Checks section.

Policy section
Field	Mandatory	Type	Allowed values	Description
id	Yes	String	Any string	Policy ID
file	Yes	String	Any string	Policy filename
name	Yes	String	Any string	Policy title
description	Yes	String	Any string	Brief description
references	No	Array of strings	Any string (empty by default)	Links to references
regex_type	No	String	"osregex" (default), "pcre2"	Policy regex engine

Requirements section
Field	Mandatory	Type	Allowed values
title	Yes	String	Any string
description	Yes	String	Any string
condition	Yes	String	Any string
rules	Yes	Array of strings	Any string

Variables section
Field	Mandatory	Type	Allowed values
variable_name	Yes	Array of strings	Any string

Note

The id field under policy and checks must be unique across policy files.

Variables

Variables are set in the variables section. Their names are preceded by $. For instance:

$list_of_files: /etc/ssh/sshd_config, /etc/sysctl.conf, /var/log/dmesg
$list_of_folders: /etc, /var, /tmp
$program_name: apache2

Variables can be placed anywhere in the left part of the rule. Therefore, regarding the variables above, the following rules could be built:

f:$list_of_files -> r:^Content to be found
c:systemctl is-enabled $program_name -> r:^enabled

There is no limit on the number of variables to add within a rule.

Checks

Checks section
Field	Mandatory	Type	Allowed values
id	Yes	Numeric	Any integer number
title	Yes	String	Any string
description	No	String	Any string
rationale	No	String	Any string
remediation	No	String	Any string
compliance	No	Array of arrays of strings	Any string
references	No	Array of strings	Any string
condition	Yes	String	all, any, none
rules	Yes	Array of strings	Any string
regex_type	No	String	"pcre2" or "osregex"

Check evaluation is governed by its rule result aggregation strategy, as set in its condition field, and the results of the evaluation of its rules.

Note

If you set a regex_type, it overrides the regex engine type defined in the policy.

Condition

The result of each SCA check is governed by the conditions set in the condition field, and the results of the evaluation of its rules. The condition field specifies how rule results are aggregated in order to calculate the final value of a check. There are three options:

all: The check is evaluated as Passed if all of its rules are satisfied and as Failed as soon as one rule is not satisfied.
any: The check is evaluated as Passed as soon as any of its rules are satisfied.
none: The check is evaluated as Passed if none of its rules are satisfied and as Failed as soon as one rule is satisfied.

There are certain situations in which the aforementioned aggregators are evaluated as Not applicable.

all: If any rule returns Not applicable, and no rule returns Failed, the result is Not applicable.
any: The check is evaluated as Not applicable if no rule is evaluated as Passed and any rule returns Not applicable.
none: The check is evaluated as Not applicable if no rule is evaluated as Passed and any rule returns Not applicable.

Condition / rule evaluation
Condition \ Rule evaluation	Passed	Failed	Not applicable	Result
`all`	yes	no	no	Passed
`all`	*	no	yes	Not applicable
`all`	*	yes	*	Failed
`any`	yes	*	*	Passed
`any`	no	yes	no	Failed
`any`	no	*	yes	Not applicable
`none`	yes	*	*	Failed
`none`	no	*	yes	Not applicable
`none`	no	yes	no	Passed

* This result does not affect the final result.

Rules

Rules can check for the existence of files, directories, registry keys and values, running processes, and recursively test for the existence of files inside directories. When it comes to content checking, they are able to check for file contents, recursively check for the contents of files inside directories, command output, and registry value data.

Abstractly, rules start with a location and a type of location that is the target of the test, followed by the actual test specification. Such tests fall into two categories: existence and content checks. The type of location is listed in the Rule types table below, and the location could be a file name, directory, process name, command, or a registry key.

There are five main types of rules as described below.

Rule types
Type	Character
File	`f`
Directory	`d`
Process	`p`
Commands	`c`
Registry (Windows Only)	`r`

The operators for content checking are shown in the content comparison operators table below.

Content comparison operators
Operation	Operator	Example
Literal comparison, exact match	by omission (the absence of an operator signifies a literal comparison or exact match)	`f:/file -> CONTENT`
Lightweight Regular expression match	`r:`	`f:/file -> r:REGEX`
Numeric comparison (integers)	`n:`	`f:/file -> n:REGEX_WITH_CAPTURE_GROUP compare <= VALUE`

The operators for numeric comparison are shown in the table below.

Numeric comparison operators
Arithmetic relational operator	Operator	Example
less than	`<`	`n:SomeProperty (\d) compare < 42`
less than or equal to	`<=`	`n:SomeProperty (\d) compare <= 42`
equal to	`==`	`n:SomeProperty (\d) compare == 42`
not equal to	`!=`	`n:SomeProperty (\d) compare != 42`
greater than or equal to	`>=`	`n:SomeProperty (\d) compare >= 42`
greater than	`>`	`n:SomeProperty (\d) compare > 42`

You can place not at the beginning of a rule to negate it. For example:

not f:/some_file -> some_text

The SCA rule above fails if some_text is found within the contents of some_file.

By combining the aforementioned rule types and operators, both existence and content checking can be performed.

Note

Process rules only allow existence checks.
Command rules only allow content (output) checks.

Existence checking rules

Existence checks are created by setting rules without a content operator.The general form is as follows:

RULE_TYPE:target

Examples of existence checks:

f:/etc/sshd_config checks the existence of /etc/sshd_config file.
d:/etc checks the existence of the /etc directory.
not p:sshd tests the presence of processes called sshd and fails if one is found.
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa checks for the existence of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa key.
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse checks for the existence of LimitBlankPasswordUse value in the key.

Content checking rules

The general form of a rule testing for contents is as follows:

RULE_TYPE:target -> CONTENT_OPERATOR:value

Warning

The context of a content check is limited to a line.
It is mandatory to respect the spaces around the -> and compare separators.
If the target of a rule that checks for contents does not exist, the result will be Not applicable as it could not be checked.

Content check operator results can be negated by adding a ! before then, for example:

f:/etc/ssh_config -> !r:PermitRootLogin

Warning

Be careful when negating content operators as that makes them evaluate as Passed for anything that does not match with the check specified. For example, rule f:/etc/ssh_config -> !r:PermitRootLogin is evaluated as Passed if it finds any line that does not contain PermitRootLogin.

Content check operators can be chained using the operator && (AND) as follows:

f:/etc/ssh_config -> !r:^# && r:Protocol && r:2

This rule reads as Pass if there's a line whose first character is not # and contains Protocol and 2.

Warning

It is mandatory to respect the spaces around the && operator.
There's no particular order of evaluation between tests chained using the && operator.

Examples of content checks:

c:systemctl is-enabled cups -> r:^enabled checks that the output of the command contains a line starting with enabled.
f:$sshd_file -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4 checks that MaxAuthTries is less or equal to 4.
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1 checks that the value of LimitBlankPasswordUse is 1.

Examples

The following sections cover each rule type, illustrating them with several examples. It is also recommended to check the actual policies and, for minimalistic although complete examples, the SCA test suite policies.

Rule syntax for files

Check that a file exists: f:/path/to/file
Check that a file does not exist: not f:/path/to/file
Check file contains (whole line literal match): f:/path/to/file -> content
Check file contents against regex: f:/path/to/file -> r:REGEX
Check a numeric value: f:/path/to/file -> n:REGEX(\d+) compare <= Number

Rule syntax for directories

Check if a directory exists: d:/path/to/directory
Check if a directory contains a file: d:/path/to/directory -> file
Check if a directory contains files that match a regex: d:/path/to/directory -> r:^files
Check files matching file_name for content: d:/path/to/directory -> file_name -> content

Rule syntax for processes

Check if a process is running p:process_name
Check if a process is not running not p:process_name

Rule syntax for commands

Check the output of a command c:command -> output
Check the output of a command using regex c:command -> r:REGEX
Check a numeric value c:command -> n:REGEX_WITH_A_CAPTURE_GROUP compare >= number

Rule syntax for Windows Registry

Check if a registry exists r:path/to/registry
Check if a registry key exists r:path/to/registry -> key
Check registry key contents r:path/to/registry -> key -> content

Composite rules

Check if there is a line that does not begin with # and contains Port 22 f:/etc/ssh/sshd_config -> !r:^# && r:Port\.+22
Check if there is no line that does not begin with # and contains Port 22 not f:/etc/ssh/sshd_config -> !r:^# && r:Port\.+22

Other examples

Check for file contents, whole line match: f:/proc/sys/net/ipv4/ip_forward -> 1
Check if a file exists: f:/proc/sys/net/ipv4/ip_forward
Check if a process is running: p:avahi-daemon
Check value of registry: r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0
Check if a directory contains files: d:/home -> ^.mysql_history$
Check if a directory exists: d:/etc/mysql
Check the running configuration of sshd for the maximum authentication tries allowed: c:sshd -T -> !r:^\s*maxauthtries\s+4\s*$
Check if root is the only account with UID 0: f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:

Use cases

This section shows some custom SCA use cases for various operating systems. We provide detailed steps on how to replicate these use cases.

Prerequisites

You need the following deployment to test the use cases defined in this section:

A Wazuh server: Follow the instructions in our quickstart guide to set up a Wazuh server.
Monitored endpoint(s): Deploy any or all of the following endpoints, install a Wazuh agent on each of them and enroll them to the Wazuh server.
- An Ubuntu 22.04 endpoint.
- A Windows 11 endpoint.
- A macOS 12 endpoint.

The use cases covered in this section include Detecting keyword in a file and Detecting a running process.

Detecting keyword in a file

In this use case, we demonstrate how you can configure Wazuh SCA to detect the presence of a keyword in a file. We monitor a file testfile.txt for the phrase password_enabled: yes. The Wazuh SCA module triggers an alert when it detects the pattern in the file.

Ubuntu endpoint

Take the following steps on your Ubuntu endpoint to create the file /usr/share/testfile.txt and monitor it with the Wazuh SCA module:

Create the test file and add some text to it, including the phrase password_enabled: yes:

# echo -e "config_file\nsecond line of configuration\npassword_enabled: yes" > /usr/share/testfile.txt

Verify that the file has been created:

# cat /usr/share/testfile.txt

You should get output similar to the following:

config_file
second line of configuration
password_enabled: yes

Create a new directory to save your custom policy files:
```
# mkdir /var/ossec/etc/custom-sca-files/
```

Create a new SCA policy file /var/ossec/etc/custom-sca-files/keywordcheck.yml and add the following content to it:

policy:
  id: "keyword_check"
  file: "keywordcheck.yml"
  name: "SCA use case: Keyword check"
  description: "Guidance for checking for a keyword or phrase in files on Ubuntu endpoints."
  references:
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

requirements:
  title: "Check that the desired file exists on the monitored endpoints"
  description: "Requirements for running the SCA scans against endpoints with testfile.txt on them."
  condition: any
  rules:
    - 'f:/usr/share/testfile.txt'

checks:
  - id: 10000
    title: "Ensure password is disabled in the test configuration file"
    description: "Password is enabled in the test configuration file."
    rationale: "Password is considered weak for the custom test application. Threat actors can brute-force your password."
    remediation: "Disable password by setting the value of the password_enabled option to no."
    condition: none
    rules:
      - 'f:/usr/share/testfile.txt -> r:^password_enabled: yes$'

We create a requirement to ensure that the policy runs only if the file /usr/share/testfile.txt exists on the endpoint.
Check ID 10000 scans the file /usr/share/testfile.txt to find any line that contains the string password_enabled: yes. The none condition ensures that the check fails if a match is found.

Change the ownership of the file so Wazuh has permission to it:

# chown wazuh:wazuh /var/ossec/etc/custom-sca-files/keywordcheck.yml

Enable the policy file by adding the following lines to the <ossec_config> block of the Wazuh agent configuration file at /var/ossec/etc/ossec.conf:
<sca> <policies> <policy enabled="yes">/var/ossec/etc/custom-sca-files/keywordcheck.yml</policy> </policies> </sca>
Restart the Wazuh agent to apply the changes and to run the new SCA check:
```
# systemctl restart wazuh-agent
```
On your Wazuh dashboard, navigate to the Configuration Assessment module and select the Ubuntu endpoint to view the results of the custom SCA check you have created.

Windows endpoint

Take the following steps on your Windows endpoint to create the file C:\Program Files\testfile.txt and monitor it with the Wazuh SCA module:

Run PowerShell as an administrator and create the test file and add some text to it, including the keyword password_enabled: yes:

# New-Item "C:\Program Files\testfile.txt" -ItemType File -Value "config_file`nsecond line of configuration`npassword_enabled: yes"

Verify that the file has been created:

# Get-Content "C:\Program Files\testfile.txt"

You should get output similar to the following:

config_file
second line of configuration
password_enabled: yes

Create a new directory to save your custom policy files:

# New-Item "C:\Program Files (x86)\ossec-agent\custom-sca-files" -itemType Directory

Open Notepad as an administrator, create a new SCA policy file with the following content and save it as C:\Program Files (x86)\ossec-agent\custom-sca-files\keywordcheck.yml:

policy:
  id: "keyword_check_windows"
  file: "keywordcheck.yml"
  name: "SCA use case: Keyword check"
  description: "Guidance for checking for a keyword or phrase in files on Windows."
  references:
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html
requirements:
  title: "Check that the desired file exists on the monitored endpoints"
  description: "Requirements for running the SCA scans against endpoints with testfile.txt on them."
  condition: any
  rules:
    - 'f:C:\Program Files\testfile.txt'
checks:
  - id: 10001
    title: "Ensure password is disabled in the test configuration file"
    description: "Password is enabled in the test configuration file."
    rationale: "Password is considered weak for the custom test application. Threat actors can brute-force your password."
    remediation: "Disable password by setting the value of the password_enabled option to no."
    condition: none
    rules:
      - 'f:C:\Program Files\testfile.txt -> r:^password_enabled: yes$'

We create a requirement to ensure that the policy runs only if the file C:\Program Files\testfile.txt exists on the endpoint.
Check ID 10001 scans the file C:\Program Files\testfile.txt to find any line that contains the string password_enabled: yes. The none condition ensures that the check fails if a match is found.

Enable the policy file by adding the following lines to the <ossec_config> block of the Wazuh agent configuration file at C:\Program Files (x86)\ossec-agent\ossec.conf:
<sca> <policies> <policy enabled="yes">C:\Program Files (x86)\ossec-agent\custom-sca-files\keywordcheck.yml</policy> </policies> </sca>
Restart the Wazuh agent to apply the changes and to run the new SCA check:
```
# Restart-Service -Name wazuh
```
On your Wazuh dashboard, navigate to the Configuration Assessment module and select the Windows endpoint to view the results of the custom SCA check you have created.

macOS endpoint

Take the following steps on your macOS endpoint to create the file /usr/local/testfile.txt and monitor it with the Wazuh SCA module:

Create the test file and add some text to it, including the phrase password_enabled: yes:

# echo "config_file\nsecond line of configuration\npassword_enabled: yes" > /usr/local/testfile.txt

Verify that the file has been created:

# cat /usr/local/testfile.txt

You should get output similar to the following:

config_file
second line of configuration
password_enabled: yes

Create a new directory to save your custom policy files:
```
# mkdir /Library/Ossec/etc/custom-sca-files/
```

Create a new SCA policy file /Library/Ossec/etc/custom-sca-files/keywordcheck.yml and add the following content to it:

policy:
  id: "keyword_check"
  file: "keywordcheck.yml"
  name: "SCA use case: Keyword check"
  description: "Guidance for checking for a keyword or phrase in files on macOS endpoints."
  references:
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

requirements:
  title: "Check that the desired file exists on the monitored endpoints"
  description: "Requirements for running the SCA scans against endpoints with testfile.txt on them."
  condition: any
  rules:
    - 'f:/usr/local/testfile.txt'

checks:
  - id: 10002
    title: "Ensure password is disabled in the test configuration file"
    description: "Password is enabled in the test configuration file."
    rationale: "Password is considered weak for the custom test application. Threat actors can brute-force your password."
    remediation: "Disable password by setting the value of the password_enabled option to no."
    condition: none
    rules:
      - 'f:/usr/local/testfile.txt -> r:^password_enabled: yes$'

We create a requirement to ensure that the policy runs only if the file /usr/local/testfile.txt exists on the endpoint.
Check ID 10002 scans the file /usr/local/testfile.txt to find any line that contains the string password_enabled: yes. The none condition ensures that the check fails if a match is found.

Enable the policy file by adding the following lines to the <ossec_config> block of the Wazuh agent configuration file at /Library/Ossec/etc/ossec.conf:
<sca> <policies> <policy enabled="yes">/Library/Ossec/etc/custom-sca-files/keywordcheck.yml</policy> </policies> </sca>
Restart the Wazuh agent to apply the changes and to run the new SCA check:
```
# /Library/Ossec/bin/wazuh-control restart
```
On your Wazuh dashboard, navigate to the Configuration Assessment module and select the macOS endpoint to view the results of the custom SCA check you have created.

Detecting a running process

In this use case, we demonstrate how to detect running processes with the Wazuh SCA module.

Ubuntu endpoint

Netcat is a utility that uses TCP and UDP to read and write data on an IP network. Netcat can open connections, send packets, or listen on TCP and UDP ports. Threat actors use netcat for malicious purposes such as creating backdoor access. Take the following steps to configure the Wazuh SCA module to detect netcat processes and to simulate an attack:

Create a new directory to save your custom policy files:
```
# mkdir /var/ossec/etc/custom-sca-files/
```

Create a new SCA policy file /var/ossec/etc/custom-sca-files/processcheck.yml and add the following content to it:

policy:
  id: "process_check"
  file: "processcheck.yml"
  name: "SCA use case to detect running processes"
  description: "Guidance for checking running processes on Linux endpoints."
  references:
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

requirements:
  title: "Check that the SSH service and password-related files are present on the system"
  description: "Requirements for running the SCA scan against the Unix based systems policy."
  condition: any
  rules:
    - "f:$sshd_file"
    - "f:/etc/passwd"
    - "f:/etc/shadow"

variables:
  $sshd_file: /etc/ssh/sshd_config

checks:
  - id: 10003
    title: "Ensure that netcat is not running on your endpoint"
    description: "Netcat is running on your endpoint."
    rationale: "Threat actors can use netcat to open ports on your endpoints or to connect to remote servers."
    remediation: "Kill the netcat process if confirmed to be malicious after further investigation."
    condition: none
    rules:
      - 'p:nc'
      - 'p:netcat'

We create a requirement to ensure that the policy runs only on Linux endpoints. The requirement checks for the presence of the /etc/ssh/sshd_config, /etc/passwd, and /etc/shadow files, and passes if any of them is found.
Check ID 10003 scans the endpoint for processes named nc or netcat. The none condition ensures that the check fails if a match is found.

Change the ownership of the file so Wazuh has permission to it:

# chown wazuh:wazuh /var/ossec/etc/custom-sca-files/processcheck.yml

Enable the policy file by adding the following lines to the <ossec_config> block of the Wazuh agent configuration file at /var/ossec/etc/ossec.conf:
<sca> <policies> <policy enabled="yes">/var/ossec/etc/custom-sca-files/processcheck.yml</policy> </policies> </sca>
Install netcat if you don’t have it on your endpoint:
```
# apt install netcat
```
Run netcat on a new terminal and let the listener run:
```
# netcat -l 4444
```
Restart the Wazuh agent to apply the changes and to run the new SCA check:
```
# systemctl restart wazuh-agent
```
On your Wazuh dashboard, navigate to the Configuration Assessment module and select the Ubuntu endpoint to view the results of the custom SCA check you have created.

Windows endpoint

System administrators use PowerShell to configure systems. Standard users utilize PowerShell less frequently. Threat actors may take advantage of the living-off-the-land attack tactic via PowerShell. Take the following steps to configure the Wazuh SCA module to detect PowerShell processes and simulate an attack:

Run CMD as an administrator and create a new directory to save your custom policy files:
```
> mkdir "C:\Program Files (x86)\ossec-agent\custom-sca-files"
```

Open Notepad as an administrator, create a new SCA policy file with the following content and save it as C:\Program Files (x86)\ossec-agent\custom-sca-files\processcheck.yml:

policy:
  id: "process_check"
  file: "processcheck.yml"
  name: "SCA use case to detect running processes"
  description: "Guidance for checking running PowerShell processes on Windows 10 endpoints."
  references:
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

requirements:
  title: "Check that the Windows platform is Windows 10"
  description: "Requirements to check if it's a Windows 10 (or Windows 11) machine"
  condition: all
  rules:
    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10'

checks:
  - id: 10004
    title: "Ensure PowerShell is not running on the endpoint"
    description: "PowerShell is running on the endpoint."
    rationale: "PowerShell should be used by only the system administrators. Threat actors can leverage PowerShell for living-off-the-land attacks."
    remediation: "Disable PowerShell for non-admins."
    condition: none
    rules:
      - 'p:powershell.exe'

We create a requirement to ensure that the policy runs only on Windows 10 endpoints. The requirement checks the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion for the value Windows 10.
Check ID 10004 scans the endpoint for processes named powershell.exe. The none condition ensures that the check fails if a match is found.

Enable the policy file by adding the following lines to the <ossec_config> block of the Wazuh agent configuration file at C:\Program Files (x86)\ossec-agent\ossec.conf:
<sca> <policies> <policy enabled="yes">C:\Program Files (x86)\ossec-agent\custom-sca-files\processcheck.yml</policy> </policies> </sca>
Open a second command prompt and run the following command to spawn a hidden PowerShell process. This is a dummy Powershell process that sleeps for 300 seconds (5 minutes), enough time for you to restart the Wazuh agent for the SCA scan to run.
```
> powershell -windowstyle hidden -command Start-Sleep -Seconds 300
```
Note

The command prompt closes after you run this command and PowerShell runs in the background.
Run the following commands on CMD as an Administrator to restart the Wazuh agent:
```
> NET STOP Wazuh
> NET START Wazuh
```
On your Wazuh dashboard, navigate to the Configuration Assessment module and select the Windows endpoint to view the results of the custom SCA check you have created.

macOS endpoint

Create a new directory to save your custom policy files:
```
# mkdir /Library/Ossec/etc/custom-sca-files/
```

Create a new SCA policy file /Library/Ossec/etc/custom-sca-files/processcheck.yml and add the following content to it:

policy:
  id: "process_check"
  file: "processcheck.yml"
  name: "SCA use case to detect running processes"
  description: "Guidance for checking running processes on mac endpoints."
  references:
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

requirements:
  title: "Check macOS"
  description: "Requirements to verify that the endpoint is macOS."
  condition: any
  rules:
    - 'c:sw_vers -> r:^ProductName:\t*\s*macOS'

checks:
  - id: 10005
    title: "Ensure that netcat is not running on your endpoint"
    description: "Netcat is running on your endpoint."
    rationale: "Threat actors can use netcat to open ports on your endpoints or to connect to remote servers."
    remediation: "Kill the netcat process if confirmed to be malicious after further investigation."
    condition: none
    rules:
      - 'c:sh -c "ps -e -o command | grep -E \"^(nc|netcat) .*((-.*l.+[0-9]{1,5})|([0-9]{1,5}.*-.*l))\"" -> r:nc'

We create a requirement to ensure that the policy runs only on macOS endpoints. The requirement runs the sw_vers command to check if the output contains the string ProductName: macOS.
Check ID 10005 runs a command which spawns a shell to run the ps utility to view all running processes. The command uses the grep utility to filter the output of the ps command for patterns of the netcat process. The none condition ensures that the check fails if a match is found.

Enable the policy file by adding the following lines to the <ossec_config> block of the Wazuh agent configuration file at /Library/Ossec/etc/ossec.conf:
<sca> <policies> <policy enabled="yes">/Library/Ossec/etc/custom-sca-files/processcheck.yml</policy> </policies> </sca>
Run netcat on a new terminal and let the listener run:
```
# nc -l 4444
```
Restart the Wazuh agent to apply the changes and to run the new SCA check:
```
# /Library/Ossec/bin/wazuh-control restart
```
On your Wazuh dashboard, navigate to the Configuration Assessment module and select the macOS endpoint to view the results of the custom SCA check you have created.

Active Response

Security teams often encounter problems in incident response such as addressing high severity events in a timely manner or providing complete mitigation actions. They might struggle to collect relevant information in real time, which makes it difficult to understand the full scope of an incident. These problems increase the difficulty to contain and mitigate the impact of a cyberattack.

Wazuh SIEM and XDR platform improves incident response by:

Providing real-time visibility into security events.
Reducing alert fatigue.
Automating response actions to threats.
Providing out-of-the-box response scripts.

Wazuh has an Active Response module that helps security teams automate response actions based on specific triggers, enabling them to effectively manage security incidents.

Automating response actions ensures that high-priority incidents are addressed and remediated in a timely and consistent manner. This is especially valuable in environments where security teams are resource constrained and need to prioritize their response efforts.

In addition, the module includes a range of out-of-the-box response scripts that help respond to threats and mitigate them. For example, some scripts block malicious network access and delete malicious files on monitored endpoints. These actions reduce the workload on security teams and enable them to effectively manage incidents.

The Wazuh Active Response module executes these scripts on monitored endpoints when an alert of a specific rule ID, level, or rule group triggers. You can set any number of scripts to initiate in response to a trigger; however, you must consider these responses carefully. Poor implementation of rules and responses might increase the vulnerability of an endpoint.

The image below shows the Active Response workflow.

Types of active response

An active response can either be:

Stateless
Stateful

Stateless active responses are one-time actions without an event definition to revert or stop them. Stateful responses revert or stop their actions after a period of time.

Contents

How to configure Active Response

The following steps describe how to configure the Active Response module to perform an action on a monitored endpoint.

Configuring the Wazuh server

Check the configuration of the <command> block in the Wazuh server /var/ossec/etc/ossec.conf configuration file. Add one if it doesn’t exist already.

The <command> block sets the script to run in response to a trigger. When using out-of-the-box active response scripts, the <command> blocks for them are present in the Wazuh server /var/ossec/etc/ossec.conf by default, and you don’t need to add them. But when using custom active response scripts, you need to add the required <command> blocks for them in between the <ossec_config> tags of the Wazuh server configuration file. For example:
```
<command>
  <name>host-deny</name>
  <executable>host-deny</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>
```
Where:
- <name>: Sets a name for the command. In this case, host-deny.
- <executable>: Specifies the active response script or executable that must run upon a trigger. You don't need to specify the file name extension unless you have multiple scripts sharing the same name. In this case, it’s the host-deny executable.
- <timeout_allowed>: Allows a timeout after a period of time. Setting this value to yes reverts the action after a period of time. Check stateful active response below for more details.
Refer to the command section for more information and options used to create a command.
Add an <active-response> block within the <ossec_config> tag in the same Wazuh server /var/ossec/etc/ossec.conf file. The <active-response> block defines when and where a command executes. For example, when an alert meets response criteria, such as a specific rule ID, alert level, or rule group. This configuration further defines if the command action specified in the previous step executes on the Wazuh agent, Wazuh server, or everywhere. For example:
```
<active-response>
  <disabled>no</disabled>
  <command>host-deny</command>
  <location>local</location>
  <level>7</level>
  <timeout>600</timeout>
</active-response>
```
Where:
- <command>: Specifies the command to configure. This is the command name defined in the previous step.
- <location>: Specifies where the command must execute. The options are:
  - local: It runs the script on the monitored endpoint that generated the alert.
  - server: It runs the script on the Wazuh server.
  - defined-agent: It runs the script on a predefined agent. Use the <agent_id> tag to specify the ID of the Wazuh agent that must run the script regardless of where the event occurred. For example:
    <ossec_config> <active-response> <disabled>no</disabled> <command>host-deny</command> <location>defined-agent</location> <agent_id>001</agent_id> <level>10</level> <timeout>180</timeout> </active-response> </ossec_config>
  - all: Every Wazuh agent in the environment must run the script. Use this option with caution. Incorrect configuration can cause problems in your environment.
- <timeout>: Specifies how long the active response action is effective, in seconds.
Refer to the Active Response configuration section for more information on the supported options.
Restart the Wazuh manager to apply all the changes made:
```
$ sudo systemctl restart wazuh-manager
```

Configuring the monitored endpoint

Using out-of-the-box active response scripts

No configuration is required. Check out the Default active response scripts section for more information on out-of-the-box active response scripts.

Using custom active response scripts

Linux/Unix

Add your custom active response script or executable to the /var/ossec/active-response/bin directory on Linux/Unix endpoints.

Change the script permissions and ownership as shown below:

$ sudo chmod 750 /var/ossec/active-response/bin/<CUSTOM_SCRIPT>
$ sudo chown root:wazuh /var/ossec/active-response/bin/<CUSTOM_SCRIPT>

macOS

Add your custom active response script or executable to the /Library/Ossec/active-response/bin directory on Linux/Unix endpoints.

Change the script permissions and ownership as shown below:

$ sudo chmod 750 /Library/Ossec/active-response/bin/<CUSTOM_SCRIPT>
$ sudo chown root:wazuh /Library/Ossec/active-response/bin/<CUSTOM_SCRIPT>

Windows

Add your custom active response script or executable to the C:\Program Files (x86)\ossec-agent\active-response\bin directory on Windows endpoints.

Note

You can find the results of the execution of the active response scripts in the:

/var/ossec/logs/active-responses.log file on Linux endpoints.
/Library/Ossec/logs/active-responses.log file on macOS endpoints.
C:\Program Files (x86)\ossec-agent\active-response\active-responses.log file on Windows endpoints.

Default active response scripts

This section lists out-of-the-box active response scripts for the following operating systems:

Linux, macOS, and Unix-based endpoints

The table below lists out-of-the-box active response scripts for:

Linux/Unix endpoints located in the Wazuh agent /var/ossec/active-response/bin directory.
macOS endpoints located in the Wazuh agent /Library/Ossec/active-response/bin directory.

Click on the name of each active response to open its source code.

Name of script	Description
disable-account	Disables a user account
firewall-drop	Adds an IP address to the iptables deny list.
firewalld-drop	Adds an IP address to the firewalld drop list. Requires firewalld installed on the endpoint.
host-deny	Adds an IP address to the `/etc/hosts.deny` file.
ip-customblock	Custom Wazuh block, easily modifiable for a custom response.
ipfw	Firewall-drop response script created for IPFW. Requires IPFW installed on the endpoint.
npf	Firewall-drop response script created for NPF. Requires NPF installed on the endpoint.
wazuh-slack	Posts notifications on Slack. Requires a slack hook URL passed as an `extra_args`.
pf	Firewall-drop response script created for PF. Requires PF installed on the endpoint.
restart.sh	Restarts the Wazuh agent or manager.
restart-wazuh	Restarts the Wazuh agent or manager.
route-null	Adds an IP address to a null route.
kaspersky	Integration of Wazuh agents with Kaspersky endpoint security. This uses Kaspersky Endpoint Security for Linux CLI to execute relevant commands based on a trigger.

Windows endpoints

The table below lists out-of-the-box scripts for Windows endpoints, located in the Wazuh agent C:\Program Files (x86)\ossec-agent\active-response\bin directory. Click on the name of each script to see its source code.

Name of script	Description
netsh.exe	Blocks an IP address using `netsh`.
restart-wazuh.exe	Restarts the Wazuh agent.
route-null.exe	Adds an IP address to null route.

Custom active response scripts

You can create custom active response scripts that execute when an alert of a specific rule ID, alert level, or rule group triggers. You can create active response scripts in any programming language. A trigger initiates the script using a defined command. An Active Response configuration determines when and where the command executes.

Programming an active response

The active response script receives a JSON input including the full alert via STDIN. Each active response script extracts from this JSON the information necessary for its execution.

This is an example of a message. It includes a full alert for the firewall-drop active response script:

{
    "version":1,
    "origin":{
        "name":"worker01",
        "module":"wazuh-execd"
    },
    "command":"add",
    "parameters":{
        "extra_args":[],
        "alert":{
            "timestamp":"2021-02-01T20:58:44.830+0000",
            "rule":{
                "level":15,
                "description":"Shellshock attack detected",
                "id":"31168",
                "mitre":{
                    "id":["T1068","T1190"],
                    "tactic":["Privilege Escalation","Initial Access"],
                    "technique":["Exploitation for Privilege Escalation","Exploit Public-Facing Application"]
                },
                "info":"CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271",
                "firedtimes":2,
                "mail":true,
                "groups":["web","accesslog","attack"],
                "pci_dss":["11.4"],
                "gdpr":["IV_35.7.d"],
                "nist_800_53":["SI.4"],
                "tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]
            },
            "agent":{
                "id":"000",
                "name":"wazuh-server"
            },
            "manager":{
                "name":"wazuh-server"
            },
            "id":"1612213124.6448363",
            "full_log":"192.168.0.223 - - [01/Feb/2021:20:58:43 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"() { :; }; /bin/cat /etc/passwd\"",
            "decoder":{
                "name":"web-accesslog"
            },
            "data":{
                "protocol":"GET",
                "srcip":"192.168.0.223",
                "id":"200",
                "url":"/"
            },
            "location":"/var/log/nginx/access.log"
        },
        "program":"/var/ossec/active-response/bin/firewall-drop"
    }
}

As you can see, the JSON message format that an active response script analyzes is as follows:

{
    "version":1,
    "origin":{
        "name":"",
        "module":""
    },
    "command":"",
    "parameters":{
        "extra_args":[],
        "alert":{},
        "program":""
    }
}

The parameters field of the Active Response alert corresponds to:

extra_args: The extra arguments required to execute the active response script.
alert: The full alert that triggered the active response script.
program: The active response script to execute.

As we mentioned before, an active response can either be stateless or stateful.

Stateless active response

Stateless active responses are one-time actions without an event definition to revert or stop them.

Wazuh allows you to program stateless custom active responses in any programming language. They need to be able to perform the following actions for proper execution:

Read STDIN to get the JSON message.
Parse the JSON message.
Confirm that the command field has the add action.
Extract the necessary information for its execution.

Stateful active response

A stateful active response reverts or stops its action after a specified period of time. As part of the timed out behavior, the active response must execute the following operations:

Read STDIN to get the JSON message.
Parse the JSON message.
Analyze the command field to check if it has the add or delete actions. If it has the add action, the active response executes the main action. Conversely, if it has the delete action, then the active response stops or reverts the main action.
Extract the necessary information for its control and execution. As an example, the firewall-drop script uses the value in the srcip alert field to block or unblock an IP address.
Build a control message in JSON format with keys extracted from alert fields. The control message contains relevant information to identify the specific conditions and assess the active response. For example, it might contain a srcip key with the IP address to block. The script extracts this value from the alert.

The control message is as follows:
```
{
    "version":1,
    "origin":{
        "name":"program-name",
        "module":"active-response"
    },
    "command":"check_keys",
    "parameters":{
        "keys":["10.0.0.1"]
    }
}
```
Write STDOUT to send the control message.
Wait for the response via STDIN.
Parse the JSON object in the response.
Analyze the command field to check if it has to continue or abort the execution. For example, it might need to abort the action if it’s repeating a previous active response action that hasn’t timed out yet and it’s already in execution.

The response message is as follows:
```
{
  "version":1,
  "origin":{
      "name":"node01",
      "module":"wazuh-execd"
  },
  "command":"continue",
  "parameters":{}
}
```

Warning

When the STDIN reading occurs, the active response script reads up to the newline character (\n). In the same way, when writing to STDOUT, the active response must add a newline character at the end. Otherwise, a deadlock might occur.

Python active response script sample

This subsection provides an example of a Python active response script, which you can use as a template to develop your custom scripts.

You can customize the behavior of the script by modifying three sections:

Custom key: Select the necessary parameters to use from the alert message fields. For example, select the srcip parameter to use in blocking an IP address or the processname parameter to use in stopping a process.
Custom action - add: Perform the main action of the active response script. For example, execute the command: pkill <PROCESS_NAME>.
Custom action - delete: Perform the secondary action, which is usually a recovery action after a time period. For example, unblocking an IP address after the main action has blocked it for a period of time.

Stateless active response configuration

Stateless active responses perform one-time actions. You must set the following sections only for stateless active response:

Custom key
Custom action - add

Stateful active response configuration

Stateful active responses need the following sections so they can undo the action after a specified period of time:

Custom key
Custom action - add
Custom action - delete

You must also set the following:

<timeout> option in the <active-response> block in the /var/ossec/etc/ossec.conf file on the Wazuh server.

Configuring the Python active response script sample

We show how to configure the sample custom-ar.py Python script below as an active response script on Linux and Windows endpoints. The script creates a file called ar-test-result.txt in the Wazuh agent directory to demo an active response performed. This file is then deleted after the configured timeout period has elapsed to demo an active response reverted. The file contains the rule ID that triggered the active response — Active response triggered by rule ID: <RULE_ID>.

#!/usr/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.

# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.

import os
import sys
import json
import datetime
from pathlib import PureWindowsPath, PurePosixPath

if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1

class message:
    def __init__(self):
        self.alert = ""
        self.command = 0


def write_debug_file(ar_name, msg):
    with open(LOG_FILE, mode="a") as log_file:
        ar_name_posix = str(PurePosixPath(PureWindowsPath(ar_name[ar_name.find("active-response"):])))
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name_posix + ": " + msg +"\n")


def setup_and_check_message(argv):

    # get alert from stdin
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break

    write_debug_file(argv[0], input_str)

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        message.command = OS_INVALID
        return message

    message.alert = data

    command = data.get("command")

    if command == "add":
        message.command = ADD_COMMAND
    elif command == "delete":
        message.command = DELETE_COMMAND
    else:
        message.command = OS_INVALID
        write_debug_file(argv[0], 'Not valid command: ' + command)

    return message


def send_keys_and_check_message(argv, keys):

    # build and send message with keys
    keys_msg = json.dumps({"version": 1,"origin":{"name": argv[0],"module":"active-response"},"command":"check_keys","parameters":{"keys":keys}})

    write_debug_file(argv[0], keys_msg)

    print(keys_msg)
    sys.stdout.flush()

    # read the response of previous message
    input_str = ""
    while True:
        line = sys.stdin.readline()
        if line:
            input_str = line
            break

    write_debug_file(argv[0], input_str)

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return message

    action = data.get("command")

    if "continue" == action:
        ret = CONTINUE_COMMAND
    elif "abort" == action:
        ret = ABORT_COMMAND
    else:
        ret = OS_INVALID
        write_debug_file(argv[0], "Invalid value of 'command'")

    return ret


def main(argv):

    write_debug_file(argv[0], "Started")

    # validate json and get command
    msg = setup_and_check_message(argv)

    if msg.command < 0:
        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:

        """ Start Custom Key
        At this point, it is necessary to select the keys from the alert and add them into the keys array.
        """

        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]

        """ End Custom Key """

        action = send_keys_and_check_message(argv, keys)

        # if necessary, abort execution
        if action != CONTINUE_COMMAND:

            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        """ Start Custom Action Add """

        with open("ar-test-result.txt", mode="a") as test_file:
            test_file.write("Active response triggered by rule ID: <" + str(keys) + ">\n")

        """ End Custom Action Add """

    elif msg.command == DELETE_COMMAND:

        """ Start Custom Action Delete """

        os.remove("ar-test-result.txt")

        """ End Custom Action Delete """

    else:
        write_debug_file(argv[0], "Invalid command")

    write_debug_file(argv[0], "Ended")

    sys.exit(OS_SUCCESS)


if __name__ == "__main__":
    main(sys.argv)

Configurable sections in this script

Custom key: Rule ID taken from the alert:

alert = msg.alert["parameters"]["alert"]
keys = [alert["rule"]["id"]]

Custom action - add: It creates the ar-test-result.txt file in /var/ossec folder with this content - Active response triggered by rule ID: <503>:

with open("ar-test-result.txt", mode="a") as test_file:
    test_file.write("Active response triggered by rule ID: <" + str(keys) + ">\n")

Custom action - delete: It deletes the file once the timeout triggers.
```
os.remove("ar-test-result.txt")
```

The timeout action must be set in the <active-response> block in /var/ossec/etc/ossec.conf configuration file.

Linux/Unix custom active response configuration

Copy the sample custom-ar.py script to the /var/ossec/active-response/bin directory of the monitored endpoint.

Change the active response script ownership and permissions as shown below:

$ sudo chmod 750 /var/ossec/active-response/bin/custom-ar.py
$ sudo chown root:wazuh /var/ossec/active-response/bin/custom-ar.py

Restart the Wazuh agent to apply the changes:
```
$ sudo systemctl restart wazuh-agent
```

Add the <command> and <active-response> blocks below to the Wazuh server /var/ossec/etc/ossec.conf file to use this active response Python script:

<ossec_config>
  <command>
    <name>linux-custom-ar</name>
    <executable>custom-ar.py</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>linux-custom-ar</command>
    <location>local</location>
    <rules_id>503</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

This configuration executes the Python script on the monitored endpoint anytime rule ID 503 is triggered.

macOS custom active response configuration

Add the Python script to the /Library/Ossec/active-response/bin directory of the monitored endpoint.

Change the active response script permissions and ownership as shown below:

$ sudo chmod 750 /Library/Ossec/active-response/bin/custom-ar.py
$ sudo chown root:wazuh /Library/Ossec/active-response/bin/custom-ar.py

Restart the Wazuh agent to apply the changes:

$ sudo /Library/Ossec/bin/wazuh-control restart

Add the <command> and <active-response> blocks below to the Wazuh server /Library/Ossec/etc/ossec.conf file to use this active response Python script:

<ossec_config>
  <command>
    <name>macos-custom-ar</name>
    <executable>custom-ar.py</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>macos-custom-ar</command>
    <location>local</location>
    <rules_id>503</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

This configuration executes the Python script on the monitored endpoint anytime rule ID 503 is triggered.

Windows custom active response configuration

You can implement the custom Python script on Windows endpoints using two methods. The first method converts Python scripts to executable applications, while the second method uses a Windows Batch launcher to run the Python script.

Both methods require Python installed on the Windows endpoint. Use the following steps below to install Python on the Windows endpoint.

Download Python executable installer from the official Python website.
Run the Python installer once downloaded. Check the following boxes when prompted and start the installation:
- Use admin privileges when installing py.exe.
- Add python.exe to PATH. This places the interpreter in the execution path.

Method 1: Convert the Python script to an executable application

Open an administrator PowerShell terminal and use pip to install pyinstaller:
```
> pip install pyinstaller
> pyinstaller --version
```
Run the following command using PowerShell with administrator privileges to create the executable file:
```
> pyinstaller -F <PATH_TO_CUSTOM-AR.PY>
```
You can find the created custom-ar.exe executable in the C:\Users\<USER>\dist\ directory.
Copy the custom-ar.exe executable file to C:\Program Files (x86)\ossec-agent\active-response\bin\ directory on the monitored endpoint.
Restart the Wazuh agent using PowerShell with administrator privileges to apply the changes:
```
> Restart-Service -Name wazuh
```

On the Wazuh server, add the <command> and <active-response> blocks below to the /var/ossec/etc/ossec.conf configuration file. This uses the custom-ar.exe executable for Windows endpoints.

<ossec_config>
  <command>
    <name>windows-custom-ar</name>
    <executable>custom-ar.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>windows-custom-ar</command>
    <location>local</location>
    <rules_id>503</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>

Restart the Wazuh manager to apply the changes:
```
# systemctl restart wazuh-manager
```

With this configuration, Wazuh runs an executable instead of a Python script when triggering an active response on a Windows endpoint.

Method 2: Run a Python script through a Batch launcher

In this method, the Wazuh Active Response module executes the launcher.cmd script which subsequently executes the custom-ar.py script.

Create a launcher.cmd file in C:\Program Files (x86)\ossec-agent\active-response\bin\ with the following content. This allows you to run any Windows script through the launcher.cmd script when triggering an active response.

@echo off

setlocal enableDelayedExpansion

set ARPATH="%programfiles(x86)%\ossec-agent\active-response\bin\\"

if "%~1" equ "" (
    call :read

    set aux=!input:*"extra_args":[=!
    for /f "tokens=1 delims=]" %%a in ("!aux!") do (
        set aux=%%a
    )
    set script=!aux:~1,-1!

    if exist "!ARPATH!!script!" (
        set aux=!input:*"command":=!
        for /f "tokens=1 delims=," %%a in ("!aux!") do (
            set aux=%%a
        )
        set command=!aux:~1,-1!

        echo !input! >alert.txt

        start /b cmd /c "%~f0" child !script! !command!

        if "!command!" equ "add" (
            call :wait keys.txt
            echo(!output!
            del keys.txt

            call :read
            echo !input! >result.txt
        )
    )
    exit /b
)

set "name=%~1"
goto !name!


:child
copy nul pipe1.txt >nul
copy nul pipe2.txt >nul

"%~f0" launcher %~3 <pipe1.txt >pipe2.txt | <PYTHON_ABSOLUTE_PATH> !ARPATH!%~2 <pipe2.txt >pipe1.txt

del pipe1.txt pipe2.txt
exit /b


:launcher
call :wait alert.txt
echo(!output!
del alert.txt

if "%~2" equ "add" (
    call :read
    echo !input! >keys.txt

    call :wait result.txt
    echo(!output!
    del result.txt
)
exit /b


:read
set input=
for /f "delims=" %%a in ('<PYTHON_ABSOLUTE_PATH> -c "import sys; print(sys.stdin.readline())"') do (
    set input=%%a
)
exit /b


:wait
if exist "%*" (
    for /f "delims=" %%a in (%*) do (
        set output=%%a
    )
) else (
    goto :wait
)
exit /b

Where <PYTHON_ABSOLUTE_PATH> is the absolute path of the Python.exe executable.

Move the custom-ar.py script to C:\Program Files (x86)\ossec-agent\active-response\bin\ directory.
Restart the Wazuh agent using PowerShell with administrator privileges to apply the changes:
```
> Restart-Service -Name wazuh
```

On the Wazuh server, add the <command> and <active-response> blocks below to the Wazuh configuration /var/ossec/etc/ossec.conf file. The Active Response module runs the launcher.cmd script which runs the Python script in its <extra_args> option. This action executes for 60 seconds when rule ID 503 is triggered.

<ossec_config>
  <command>
    <name>custom-ar</name>
    <executable>launcher.cmd</executable>
    <extra_args>custom-ar.py</extra_args>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>custom-ar</command>
    <location>local</location>
    <rules_id>503</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>

Restart the Wazuh manager to apply the changes:
```
# systemctl restart wazuh-manager
```

Use cases

Blocking SSH brute-force attack with Active Response

Wazuh uses the Active Response module to run scripts or executables on a monitored endpoint, taking action on certain triggers. In this use case, we simulate an SSH brute-force attack against a RHEL endpoint and configure the Active Response module to block the IP address of the attacker endpoint. The goal is to prevent SSH brute force attacks. The Active Response module executes a script to block the IP address of the attacker when rule 5763 - SSHD brute force trying to get access to the system triggers.

Infrastructure

Endpoint

Description

Ubuntu 22.04

This is the attacker endpoint that performs a brute-force attack. You must install an SSH client on this endpoint.

RHEL 9.0

We perform an SSH brute-force attack against this victim endpoint. You must install an SSH server on this endpoint.
Wazuh server

Wazuh comes with a set of default scripts used in Active Response. These scripts are located in the /var/ossec/active-response/bin/ directory on Linux/Unix endpoints. The firewall-drop active response script works with Linux/Unix operating systems. It uses iptables to block malicious IP addresses.
Open the Wazuh server /var/ossec/etc/ossec.conf file and verify that a <command> block called firewall-drop with the following configuration is present within the <ossec_config> block:
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>
The <command> block contains information about the action to be executed on the Wazuh agent:

<name>: Sets a name for the command. In this case, firewall-drop.

<executable>: Specifies the active response script or executable that must run upon a trigger. In this case, it’s the firewall-drop executable.

<timeout_allowed>: Allows a timeout after a period of time. This tag is set to yes here, which represents a stateful active response.

Note

You can create your own custom script to block an IP address or perform any other action.
Add the <active-response> block below to the Wazuh server /var/ossec/etc/ossec.conf configuration file:
<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5763</rules_id>
    <timeout>180</timeout>
  </active-response>
</ossec_config>
<command>: Specifies the command to configure. This is the command name firewall-drop defined in the previous step.

<location>: Specifies where the command executes. Using the local value means that the command executes on the monitored endpoint where the trigger event occurs.

<rules_id>: The Active Response module executes the command if rule ID 5763 - SSHD brute force trying to get access to the system fires.

<timeout>: Specifies how long the active response action must last. In this use case, the module blocks for 180 seconds the IP address of the endpoint carrying out the brute-force attack.
Restart the Wazuh manager service to apply the changes:
$ sudo systemctl restart wazuh-manager
Test the configuration

Perform the steps below to perform an SSH brute-force attack against the RHEL endpoint.
Ping the RHEL endpoint from the Ubuntu endpoint to confirm there is network connectivity between the attacker and the victim endpoints:
$ ping <RHEL_IP>
PING <RHEL_IP> (<RHEL_IP>) 56(84) bytes of data.
64 bytes from <RHEL_IP>: icmp_seq=1 ttl=64 time=0.602 ms
64 bytes from <RHEL_IP>: icmp_seq=2 ttl=64 time=0.774 ms
On the Ubuntu endpoint, install Hydra. You need Hydra to execute the brute-force attack:
$ sudo apt update && sudo apt install -y hydra
On the Ubuntu endpoint, create a text file with 10 random passwords.
Run Hydra from the Ubuntu endpoint to execute brute-force attacks against the RHEL endpoint using the command below. Replace <RHEL_USERNAME> with the username of the RHEL endpoint, <PASSWD_LIST.txt> with the path to the passwords file created in the previous step, and <RHEL_IP> with the IP address of the RHEL endpoint:
$ sudo hydra -t 4 -l <RHEL_USERNAME> -P <PASSWD_LIST.txt> <RHEL_IP> ssh
Once the attack ends, you can see on the Wazuh dashboard that rule ID 5763 fired.
Ping the victim endpoint from the attacker within 3 minutes of the attack execution to verify that the Active Response module has blocked the attacker's IP address:
$ ping <RHEL_IP>
PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
^C
--- 10.0.0.5 ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11000ms
Generating an alert when an active response is fired

Monitored Linux/Unix endpoints have a log file at /var/ossec/logs/active-responses.log where Wazuh registers the active response activities. By default, the Wazuh server monitors the Active Response log file. You can find the relevant section in the Wazuh server /var/ossec/etc/ossec.conf configuration file as shown below:
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/active-responses.log</location>
</localfile>
When the active response triggers, a corresponding alert appears on the Wazuh dashboard.

The alert appears because rule ID 651 is part of the default /var/ossec/ruleset/rules/0015-ossec_rules.xml rule file on the Wazuh server. If you create a custom active response script, you must add a proper custom rule to analyze the Active Response logs that are generated.
Restarting the Wazuh agent with Active Response

You can use the restart-wazuh active response script to restart the Wazuh agent on a monitored endpoint. In this use case, we configure it to restart the Wazuh agent whenever the /var/ossec/etc/ossec.conf configuration file changes.

Infrastructure

Endpoint

Description

Ubuntu 22.04

We save changes to the Wazuh agent configuration file on this endpoint to trigger an active response.
Wazuh server
Open the Wazuh server /var/ossec/etc/ossec.conf file and verify that a <command> block called restart-wazuh with the following configuration is present within the <ossec_config> block:
<command>
  <name>restart-wazuh</name>
  <executable>restart-wazuh</executable>
</command>
The <command> block contains information about the action to be executed on the Wazuh agent:

<name>: Sets a name for the command. In this case, restart-wazuh.

<executable>: Specifies the active response script or executable that must run after a trigger. In this case, it’s the restart-wazuh executable.

<timeout_allowed>: Allows a timeout after a period of time. This tag is set to no here, which represents a stateless active response.
Add the <active-response> block below to the Wazuh server /var/ossec/etc/ossec.conf configuration file:
<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>restart-wazuh</command>
    <location>local</location>
    <rules_id>100009</rules_id>
  </active-response>
</ossec_config>
<command>: Specifies the command to configure. This is the command name restart-wazuh defined in the previous step.

<location>: Specifies where the command executes. Using the local value here means that the command executes on the monitored endpoint where the trigger event occurs.

<rules_id>: The Active Response module executes the command if rule ID 100009 fires.
Add the rules below to the Wazuh server /var/ossec/etc/rules/local_rules.xml configuration file:
<group name="restart,">
  <rule id="100009" level="5">
    <if_sid>550</if_sid>
    <match>ossec.conf</match>
    <description>Changes made to the agent configuration file - $(file)</description>
  </rule>
</group>
This rule detects changes in the Wazuh agent configuration file.
Restart the Wazuh manager service to apply changes:
$ sudo systemctl restart wazuh-manager
Ubuntu endpoint
Edit the /var/ossec/etc/ossec.conf file and add the following configuration to the <syscheck> section:
<directories realtime="yes">/var/ossec/etc/ossec.conf</directories>
This monitors the Wazuh agent configuration file for any changes.
Restart the Wazuh agent service to apply changes:
$ sudo systemctl restart wazuh-agent
Test the configuration
Add the following block in the <syscheck> block of the Wazuh agent /var/ossec/etc/ossec.conf configuration file and save it:
<directories realtime="yes">/root</directories>
This addition allows monitoring file changes in the /root directory of the monitored endpoint. You don’t need to actually add or modify files. It’s just to test the configuration.

Warning

Incorrect modifications to the Wazuh agent configuration file might cause the service to crash. It’s important to thoroughly review any changes before implementing them in a production environment.
Visualize the alerts

You can visualize the alert data on the Wazuh dashboard.
Disabling a Linux user account with Active Response

Without knowledge of the password for an account, an adversary might opt to systematically guess the password using a repetitive or iterative mechanism. In this use case, we configure the disable-account active response to disable a Linux/Unix account subject to brute-force attacks. Wazuh uses the disable-account active response on Linux/Unix endpoints to disable the account for the user in the dstuser field of a Wazuh alert.

Infrastructure

Endpoint

Description

Ubuntu 22.04

The endpoint to monitor for brute-force attacks.
Wazuh server
Add the rule below to the Wazuh server /var/ossec/etc/rules/local_rules.xml file:
<group name="pam,syslog,">
  <rule id="120100" level="10" frequency="3" timeframe="120">
    <if_matched_sid>5503</if_matched_sid>
    <description>Possible password guess on $(dstuser): 3 failed logins in a short period of time</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
</group>
This rule checks for 3 failed authentication logins on the same user account within 2 minutes.
Open the Wazuh server /var/ossec/etc/ossec.conf file and verify that a <command> block called disable-account with the following configuration is present within the <ossec_config> block:
<command>
  <name>disable-account</name>
  <executable>disable-account</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>
The <command> block contains information about the action to be executed on the Wazuh agent.

<name>: Sets a name for the command. In this case, disable-account.

<executable>: Specifies the active response script that must run after a trigger. In this case, it’s the disable-account executable.

<timeout_allowed>: Allows a timeout after a period of time. This tag is set to yes here, which represents a stateful active response.
Add the <active-response> block below to the Wazuh server /var/ossec/etc/ossec.conf configuration file:
<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>disable-account</command>
    <location>local</location>
    <rules_id>120100</rules_id>
    <timeout>300</timeout>
  </active-response>
</ossec_config>
<command>: Specifies the command to configure. This is the command name disable-account defined in the previous step.

<location>: Specifies where the command executes. Using the local value here means that the command executes on the monitored endpoint where the trigger event occurs.

<rules_id>: The Active Response module executes the command if rule ID 120100: Possible password guess on $(dstuser): 3 failed logins in a short period of time fires.

<timeout>: Specifies how long the active response action must last. In this use case, we configure it to last for 300 seconds. After that period, the Active Response reverts its action and re-enables the account.
Restart the Wazuh manager service to apply changes:
$ sudo systemctl restart wazuh-manager
Ubuntu endpoint
Create two users for testing purposes:
$ sudo adduser user1
$ sudo adduser user2
Test the configuration

To test our use case, sign in to the user1 account and attempt to switch to user2 using a wrong password. Then verify that the user2 account is disabled, and the related alerts are displayed on the Wazuh dashboard.
Switch to user1 using the correct password:
$ su user1
As user1, run the following commands three(3) times and type in any wrong password for user2 when prompted to enter the password:
$ su user2
Check that the account was successfully locked using the passwd command:
$ sudo passwd --status user2
user2 L 02/20/2023 0 99999 7 -1
The L flag indicates the account is locked.
Visualize the alerts

You can visualize the alert data on the Wazuh dashboard. In the image below, you can see that the active response triggers just after rule ID 120100 fires to disable the account. Then re-enables it again after 5 minutes.

Additional information

White list

You can set a list of IP addresses that should never be blocked by the Active Response using the white_list field. It allows setting one IP address, netblock, or hostname. Although you must specify only one value for each <white_list> tag, you can use multiple <white_list> tags to include multiple values.

To configure a white list for the endpoint(s), add the related IP address, netblock, or hostname to the <white_list> field present in the global section of the Wazuh server /var/ossec/etc/ossec.conf configuration file:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <email_notification>no</email_notification>
    <logall>yes</logall>
    <white_list><WHITE_LISTED_IP></white_list>
  </global>
</ossec_config>

Restart the Wazuh manager service to apply the changes:

$ sudo systemctl restart wazuh-manager

Increasing blocking time for repeated offenders

In cases where you need to increase the Active Response blocking time for repeated offenders, add the following configuration in the /var/ossec/etc/ossec.conf file of the Wazuh agent:

<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <repeated_offenders>10,20,30</repeated_offenders>
  </active-response>
</ossec_config>

Note

This option is currently not available for Wazuh agents running on Windows operating endpoints. The <repeated offenders> timer is in minutes while the Active Response <timeout> is in seconds. Also, it can contain a maximum of 5 entries.

Restart the Wazuh agent to apply changes:

$ sudo systemctl restart wazuh-agent

The first time the Active Response triggers, it blocks the IP address for the specified period using the <timeout> configured on the Wazuh server side. Then, the second time for 10 minutes, the third time for 20 minutes, and the fourth time for 30 minutes using the <repeated offenders> on the agent side.

Using the Active Response module, you can respond to several scenarios like restricting malicious activities and blocking attacks. Be aware that improperly configured responses can make an endpoint vulnerable, so you have to define your active responses carefully.

Log data collection

Log data collection involves gathering and consolidating logs from different log sources within a network. Log data collection helps security teams to meet regulatory compliance, detect and remediate threats, and identify application errors and other security issues.

Wazuh collects, analyzes, and stores logs from endpoints, network devices, and applications. The Wazuh agent, running on a monitored endpoint, collects and forwards system and application logs to the Wazuh server for analysis. Additionally, you can send log messages to the Wazuh server via syslog, or third-party API integrations.

Contents

How it works

Wazuh uses the Logcollector module to collect logs from monitored endpoints, applications, and network devices. The Wazuh server then analyzes the collected logs in real-time using decoders and rules. Wazuh extracts relevant information from the logs and maps them to appropriate fields using decoders. The Analysisd module in the Wazuh server evaluates the decoded logs against rules and records all alerts in /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json files.

In addition to alert logs, Wazuh stores all collected logs in dedicated archive log files, specifically /var/ossec/logs/archives/archives.log and /var/ossec/logs/archives/archives.json. These archive log files comprehensively capture all logs, including those that do not trigger any alerts. This feature ensures a comprehensive record of all system activities for future reference and analysis.

The Wazuh server also receives syslog messages from devices that do not support the installation of Wazuh agents, ensuring seamless integration and coverage across your entire network environment.

By default, the Wazuh server retains logs and does not delete them automatically. However, you can choose when to manually or automatically delete these logs according to your legal and regulatory requirements.

The image below illustrates the flow of log data collection and analysis in Wazuh.

Configuration for monitoring log files

You can use a local configuration file on the Wazuh agent or Wazuh server to monitor log files. There is also a centralized configuration file on the Wazuh server to monitor log files across multiple endpoints. These two configuration options for monitoring log files are explained below.

Local configuration: The ossec.conf file is the main configuration file on the Wazuh server and the Wazuh agent. The Wazuh agent collects logs from monitored endpoints and forwards these logs to the Wazuh server for analysis. You can configure the Wazuh agent ossec.conf file to collect logs from specific log files on a monitored endpoint. The table below shows the location of the ossec.conf file on different operating systems.

Operating systems	Location of the ossec.conf file
Windows	`C:\Program Files (x86)\ossec-agent\ossec.conf`
Linux/Unix	`/var/ossec/etc/ossec.conf`
macOS	`/Library/Ossec/etc/ossec.conf`

Note

From Wazuh 4.13.0, log data collection on Windows does not support monitoring log files located on UNC network paths such as \\server\share\file.log or mapped network drives such as Z:\logs\file.log. Only log files on local file systems are supported. If you specify a UNC path or mapped drive in the <localfile> block of your Windows agent configuration, it will be ignored by the agent and no monitoring or alerts will occur for those locations.

Centralized configuration: The agent.conf file on the Wazuh server enables centralized distribution of configuration settings to multiple monitored endpoints in the same operating system or group. For example, you can configure the agent.conf file to distribute configuration settings to all monitored Windows endpoints. Configuration settings in the agent.conf file take precedence over the settings in the ossec.conf file.

Note

The Wazuh agent is designed to be a lightweight application that minimizes RAM and CPU usage on the endpoint where it is installed. On the Wazuh server side, the CPU and memory consumption is influenced by the number of events per second (EPS) that the server needs to analyze.

Monitoring basic log files

You can configure the Wazuh agent ossec.conf file on Windows, Linux, and macOS endpoints to monitor basic log files. For example, perform the following steps to monitor the file file.log.

Add the following settings in between the <ossec_config> tags of the Wazuh agent configuration file:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
<localfile>
  <location>/<FILE_PATH>/file.log</location>
  <log_format>syslog</log_format>
</localfile>
```
Where:
- location: is the full path of the monitored file.
- log_format: represents the format of the log. Refer to the log format documentation to learn more about the different types of log_format you can configure.
Refer to the localfile documentation to learn more about the options of the <localfile> configuration block.
Restart the Wazuh agent with administrator privileges to apply the configuration change:
- Linux: systemctl restart wazuh-agent
- Windows (PowerShell): Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control restart

Monitoring date-based log files

You can configure Wazuh to dynamically monitor log files on endpoints, adapting to changes based on the date. It employs the strftime format to accurately represent date-based log files, encompassing day, month, year, and other relevant information. Perform the following steps to monitor a date-based log file file-23-06-15.log.

Add the following settings in between the <ossec_config> tags of the Wazuh agent configuration file:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
<localfile>
  <location>/<FILE_PATH>/file-%y-%m-%d.log</location>
  <log_format>syslog</log_format>
</localfile>
```
Note

In the file name file-23-06-15.log, 23 is the last two digits of the year, 06 is the month, and 15 is the day.
Restart the Wazuh agent with administrator privileges to apply the configuration change:
- Linux: systemctl restart wazuh-agent
- Windows (PowerShell): Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control restart

Monitoring log files using wildcard patterns

Wazuh offers support for wildcard patterns when monitoring log files, allowing for flexible file selection. For example, you can monitor all files ending with .log within a monitored endpoint’s directory. Perform the following steps to monitor every log file that starts with file and ends with .log in a directory of a monitored endpoint.

Add the following settings in between the <ossec_config> tags of the Wazuh agent configuration file:
- Linux: /var/ossec/etc/ossec.conf
- Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
<localfile>
  <location>/<FILE_PATH>/file*.log</location>
  <log_format>syslog</log_format>
</localfile>
```
Restart the Wazuh agent with administrator privileges to apply the configuration change:
- Linux: systemctl restart wazuh-agent
- Windows (PowerShell): Restart-Service -Name wazuh
- macOS: /Library/Ossec/bin/wazuh-control restart

Monitoring log files with environment variables

Note

You can use environment variables in the log file path only on Windows endpoints.

Wazuh leverages Windows environment variables like %WINDIR% and %ProgramFiles% to monitor log files. For example, perform the following steps to monitor C:\Windows\Logs\StorGroupPolicy.log file.

Add the following configuration in between the <ossec_config> tags of the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file:
```
<localfile>
  <location>%WINDIR%\Logs\StorGroupPolicy.log</location>
  <log_format>syslog</log_format>
</localfile>
```
Note

%WINDIR% in %WINDIR%\Logs\StorGroupPolicy.log represents C:\Windows. Hence, %WINDIR%\Logs\StorGroupPolicy.log is equivalent to C:\Windows\Logs\StorGroupPolicy.log.
Restart the Wazuh agent via PowerShell with administrator privileges to apply the configuration change:
```
> Restart-Service -Name wazuh
```

Configuring syslog on the Wazuh server

The Wazuh server can collect logs via syslog from endpoints such as firewalls, switches, routers, and other devices that don’t support the installation of Wazuh agents. Perform the following steps on the Wazuh server to receive syslog messages on a specific port.

Add the following configuration in between the <ossec_config> tags of the Wazuh server /var/ossec/etc/ossec.conf file to listen for syslog messages on TCP port 514:
```
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>
```
Where:
- <connection> specifies the type of connection to accept. This value can either be secure or syslog.
- <port> is the port used to listen for incoming syslog messages from endpoints. We use port 514 in the example above.
- <protocol> is the protocol used to listen for incoming syslog messages from endpoints. The allowed values are either tcp or udp.
- <allowed-ips> is the IP address or network range of the endpoints forwarding events to the Wazuh server. In the example above, we use 192.168.2.15/24.
- <local_ip> is the IP address of the Wazuh server listening for incoming log messages. In the example above, we use 192.168.2.10.
Refer to remote - local configuration documentation for more information on remote syslog options.
Restart the Wazuh manager to apply the changes:
```
# systemctl restart wazuh-manager
```

Note

The allowed-ips label is mandatory. The configuration will not take effect without it.

If you have a central logging server like Syslog or Logstash in place, you can install the Wazuh agent on that server to streamline log collection. This setup enables seamless forwarding of logs from multiple sources to the Wazuh server, facilitating comprehensive analysis.

Journald log collection

Journald is a system service that offers a modern approach to system logging. It provides powerful tools for managing and analyzing log data on Linux endpoints. Journald replaces traditional syslog daemons and provides a centralized and structured approach to logging.

Wazuh Logcollector capability collects logs from sources such as kernel messages, applications, and system services using the journald service. This enables the Wazuh agentd daemon to forward the collected logs to the Wazuh server.

In this document, we cover the basic configuration needed to forward logs from the journald service to the Wazuh server. Additionally, we show real world use cases that demonstrate the value of journald log collection.

How this works

Wazuh agent utilizes the Logcollector module to gather log messages using journald from Linux endpoints. journald collects log data from various sources and stores them in a binary format within the /var/log/journal/ directory, enabling the inclusion of structured metadata, which improves log search capabilities and reliability. Users interact with logs in journald using tools like journalctl, which extract fields from the stored logs based on various criteria such as service, priority, or time. Learn more about the systemd journal fields.

Wazuh collects log data from journald service in syslog format for better compatibility with the Wazuh ruleset, using the following fields:

_HOSTNAME
SYSLOG_IDENTIFIER
MESSAGE
SYSLOG_PID or _PID (if available)

Wazuh uses the above fields to construct log data:

$TIMESTAMP $_HOSTNAME $SYSLOG_IDENTIFIER[$PID]: $MESSAGE

Once the Wazuh agent collects logs using journald service, they are forwarded to the Wazuh server for further processing. The Wazuh analysis engine integrated within the Wazuh server then performs real time analysis of the collected journald log messages, extracting relevant information from the logs and mapping them to appropriate fields using decoders. After decoding, it compares the log messages against its rules, triggering alerts when specific criteria are met, and records all alerts in both /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json files on the Wazuh server.

The image below illustrates the flow of log data collection from the journald service and analysis in Wazuh.

Configuration

The Wazuh agent allows you to configure the local ossec.conf configuration file on the monitored endpoint to collect journald log messages. This configuration is enabled by default in the /var/ossec/etc/ossec.conf file, as shown below:

<localfile>
  <location>journald</location>
  <log_format>journald</log_format>
</localfile>

The above configuration in the Wazuh agent forwards all logs stored in the journald service to the Wazuh server.

However, we can apply additional journald filters to selectively collect logs, reducing noise from unwanted service logs. By applying these filters, users simplify log management and focus on the most relevant log entries.

A filter with the <_SYSTEMD_UNIT> field is useful for collecting logs of a specific systemd service.
A filter with the <PRIORITY> field is useful for collecting logs that have a priority level.

In the next section, we show two use cases to illustrate how the filters are configured to enhance the journald log collection capabilities.

It is worth noting that Wazuh only collects future log events from the journald service after a successful configuration. However, you can disable the only-future-events option if you also need to collect historical events generated since the Wazuh log collector service was stopped.

Use cases

Using the journald service to forward SSH and CRON logs to Wazuh

In this section, we configure the Wazuh Logcollector module on a monitored Ubuntu endpoint to capture and forward SSH and CRON log messages from the journald service to the Wazuh server. Then we utilize custom decoders and rules on the Wazuh server to process the received log messages and visualize the alerts.

Ubuntu

Below, we show Wazuh agent configurations for collecting SSH and CRON logs from the journald service on an Ubuntu endpoint.

Perform the steps below on your monitored Ubuntu endpoint.

Modify and add the following <localfile> configuration block to the <ossec_conf> section in the /var/ossec/etc/ossec.conf file:
```

<localfile>
  <location>journald</location>
  <log_format>journald</log_format>
  <filter field="_SYSTEMD_UNIT">^ssh.service$</filter>
</localfile>

<localfile>
  <location>journald</location>
  <log_format>journald</log_format>
  <filter field="_SYSTEMD_UNIT">^cron.service$</filter>
  <filter field="PRIORITY">[0-6]</filter>
</localfile>
```
Where:
- The <filter field> is set to _SYSTEM_UNIT with the value ssh.service and cron.service to collect SSH and CRON logs.
- The <filter field> is set to PRIORITY to define a range of priority levels.
- The priority level is set to [0-6] to forward logs that have a priority level within this range. Logs with a priority level higher than 6 will be ignored.
Note

When a log collected from the journald service matches two or more filters in a <localfile> block, the Wazuh agent sends the log only once. This avoids sending duplicate logs.
Restart the Wazuh agent to apply the changes:
```
# systemctl restart wazuh-agent
```

Wazuh server

Wazuh decodes SSH logs and generates alerts from them by default. We create custom decoders and rules for the CRON logs to extract relevant data from them and generate security alerts.

Perform the steps below on your Wazuh server.

Add the following custom decoders to the local decoder /var/ossec/etc/decoders/local_decoder.xml file:

<decoder name="cron-service">
    <program_name>cron|CRON</program_name>
</decoder>

<decoder name="cron-service1">
    <parent>cron-service</parent>
    <regex type="pcre2">\((\w+)\) CMD \((.*?)\)$</regex>
    <order>service_user, command</order>
</decoder>

<decoder name="cron-service1">
    <parent>cron-service</parent>
    <regex type="pcre2">\((\w+)\) INFO \(Skipping @(\w+) jobs .*?\)$</regex>
    <order>service, message</order>
</decoder>

Add the following custom rules to the local rule /var/ossec/etc/rules/local_rules.xml file:

<!-- Rules for journald logs for CRON services-->
<group name="cron-service,">
  <!-- rule for groupped logs -->
  <rule id="111800" level="0">
    <decoded_as>cron-service</decoded_as>
    <description>Journald logs for CRON.</description>
  </rule>

  <!-- rules to detect when the cron.service executes a command-->
  <rule id="111801" level="8">
    <if_sid>111800</if_sid>
    <match>CMD</match>
    <description>CRON: The $(service_user) user executed ($(command)) on $(hostname).</description>
  </rule>

  <!-- rules to detect when the cron.service performs a reboot-->
  <rule id="111802" level="12">
    <if_sid>111800</if_sid>
    <match>not system startup</match>
    <description>CRON: The cron.service on $(hostname) just performed a $(message).</description>
  </rule>

</group>

Where:

Rule ID 111800 groups all CRON logs from the journald service.
Rule ID 111801 triggers when the CRON service executes a command.
Rule ID 111802 triggers when the CRON service reboots after a configuration change.

Restart the Wazuh manager for the changes to take effect:
```
# systemctl restart wazuh-manager
```

Testing the configuration

In this section, we proceed to establish an SSH connection to the monitored Ubuntu endpoint and configure a cron job to verify our configuration.

SSH

Run the following command from any endpoint to establish an SSH connection to the monitored Ubuntu endpoint:
```
# ssh <USER_NAME>@<WAZUH_AGENT_IP_ADDRESS>
```
Where:
- <USER_NAME> is the monitored Ubuntu endpoint user.
- <WAZUH_AGENT_IP_ADDRESS> is the IP address of the monitored Ubuntu endpoint.

CRON

Create a Python file hello.py in the root (/) directory:
```
# cd /
# touch hello.py
```

Add the following contents to the hello.py file:

#!/usr/bin/env python3

def main():
    print("Hello, World!")

if __name__ == "__main__":
    main()

Run the following command to open the CRON service configuration file:
```
# crontab -e
```
Add the following line to the CRON service configuration file to run the hello.py every minute:
```
* * * * * /hello.py
```

Visualizing the alerts

The image below displays a security alert generated on the Wazuh dashboard when an SSH connection is established to the Ubuntu endpoint.

{
  "timestamp": "2024-05-20T12:00:54.149+0000",
  "rule": {
    "level": 12,
    "description": "System user successfully logged to the system.",
    "id": "40101",
    "mitre": {
      "id": [
        "T1078"
      ],
      "tactic": [
        "Defense Evasion",
        "Persistence",
        "Privilege Escalation",
        "Initial Access"
      ],
      "technique": [
        "Valid Accounts"
      ]
    },
    "firedtimes": 1,
    "mail": true,
    "groups": [
      "syslog",
      "attacks",
      "invalid_login"
    ],
    "pci_dss": [
      "10.2.4",
      "10.2.5"
    ],
    "gpg13": [
      "7.8"
    ],
    "gdpr": [
      "IV_35.7.d",
      "IV_32.2"
    ],
    "hipaa": [
      "164.312.b"
    ],
    "nist_800_53": [
      "AU.14",
      "AC.7"
    ],
    "tsc": [
      "CC6.1",
      "CC6.8",
      "CC7.2",
      "CC7.3"
    ]
  },
  "agent": {
    "id": "001",
    "name": "ubuntulab2204",
    "ip": "172.28.8.167"
  },
  "manager": {
    "name": "wazuhserver"
  },
  "id": "1716206454.722325",
  "full_log": "May 20 12:00:52ubuntulab2204 sshd[11279]: Accepted password for user from 172.28.8.190 port 55348 ssh2",
  "predecoder": {
    "program_name": "sshd",
    "timestamp": "May 20 12:00:52",
    "hostname": "ubuntulab2204"
  },
  "decoder": {
    "parent": "sshd",
    "name": "sshd"
  },
  "data": {
    "srcip": "172.28.8.190",
    "srcport": "55348",
    "dstuser": "user"
  },
  "location": "journald"
}

The image below displays a security alert generated on the Wazuh dashboard when a CRON service executed hello.py on the Ubuntu endpoint.

{
  "timestamp": "2024-05-20T12:01:02.158+0000",
  "rule": {
    "level": 8,
    "description": "CRON: The root user executed (/hello.py) on ubuntulab2204.",
    "id": "111801",
    "firedtimes": 2,
    "mail": false,
    "groups": [
      "cron-service"
    ]
  },
  "agent": {
    "id": "001",
    "name": "ubuntulab2204",
    "ip": "172.28.8.167"
  },
  "manager": {
    "name": "wazuhserver"
  },
  "id": "1716206462.723273",
  "full_log": "May 20 12:01:01 ubuntulab2204 CRON[11354]: (root) CMD (/hello.py)",
  "predecoder": {
    "program_name": "CRON",
    "timestamp": "May 20 12:01:01",
    "hostname": "ubuntulab2204"
  },
  "decoder": {
    "name": "cron-service"
  },
  "data": {
    "service_user": "root",
    "command": "/hello.py"
  },
  "location": "journald"
}

Using the journald service to forward Docker logs to Wazuh

In this section, we configure the journald service on a monitored Ubuntu endpoint to capture and forward Docker activity log messages to the Wazuh server. Then we utilize custom decoders and rules on the Wazuh server to process the received log messages and visualize the alerts.

Ubuntu

Perform the steps below on your monitored Ubuntu endpoint to forward Docker log messages to the Wazuh server.

Modify and add the following line to the Wazuh agent configuration file /var/ossec/etc/ossec.conf:

<localfile>
  <log_format>journald</log_format>
  <location>journald</location>
  <filter field="_SYSTEMD_UNIT">^docker.service$</filter>
</localfile>

Restart the Wazuh agent service to apply the changes:
```
# systemctl restart wazuh-agent
```

Wazuh server

We create custom decoders and rules for the Docker logs to extract relevant data from them and generate security alerts.

Perform the steps below on your Wazuh server.

Add the following custom decoders to the local decoder /var/ossec/etc/decoders/local_decoder.xml file:

<decoder name="docker-service">
    <program_name type="pcre2">^\w{12}$</program_name>
    <prematch type="pcre2">\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2} \[\w+]</prematch>
</decoder>

<decoder name="docker-service1">
    <parent>docker-service</parent>
    <regex type="pcre2">(\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)] .*: (.*)$</regex>
    <order>log_timestamp, severity, message</order>
</decoder>

Add the following custom rules to the local rule /var/ossec/etc/rules/local_rules.xml file:

<!-- Rules for journald logs for docker services-->
<group name="docker-service,">
  <!-- rule for grouped logs -->
  <rule id="111700" level="0">
    <decoded_as>docker-service</decoded_as>
    <description>Journald logs for Docker.</description>
  </rule>

  <!-- rule to detect the  launching of docker containers -->
  <rule id="111701" level="8">
    <if_sid>111700</if_sid>
    <match>start worker processes</match>
    <description>Docker with container ID $(program_name) just launched.</description>
  </rule>

  <!-- rule to detect when a container is stopped -->
  <rule id="111702" level="12">
    <if_sid>111700</if_sid>
    <match>gracefully shutting down</match>
    <description>Docker with container ID $(program_name) just shut down.</description>
  </rule>

</group>

Where:

Rule ID 111700 groups all Docker logs from the journald service.
Rule ID 111701 triggers when the Docker service starts a container.
Rule ID 111702 triggers when the Docker service stops a container.

Restart the Wazuh manager for the changes to take effect:
```
# systemctl restart wazuh-manager
```

Testing the configuration

In this section, we proceed to install Docker on the monitored Ubuntu endpoint and execute various Docker commands to verify our configuration.

Run the following command to install Docker packages:
```
# curl -sSL https://get.docker.com/ | sh
```
Start the Docker service:
```
# systemctl start docker
```
Pull a Docker image. In this case, we pulled the latest NGINX image:
```
# docker pull nginx:latest
```
Run the docker image with the following command:
```
# docker run --log-driver=journald --name nginx_webserver -d -p 8080:80 nginx
```
Where:
- --log-driver is set to journald to forward Docker logs to the journald service.
- --name defines the Docker container name as nginx_werbserver.

Verify if the journald is configured for the NGINX Docker image:

# docker inspect -f '{{.HostConfig.LogConfig.Type}}' nginx_webserver

journald

Stop the Docker container:
```
# docker stop nginx_webserver
```

Visualizing the alerts

The image below displays a security alert generated on the Wazuh dashboard when Docker started the container with ID ac64e69504d9.

{
  "timestamp": "2024-05-16T16:48:03.519+0000",
  "rule": {
    "level": 8,
    "description": "Docker with container ID ac64e69504d9 just launched.",
    "id": "111701",
    "firedtimes": 3,
    "mail": false,
    "groups": [
      "docker-service"
    ]
  },
  "agent": {
    "id": "001",
    "name": "ubuntulab2204",
    "ip": "172.28.8.167"
  },
  "manager": {
    "name": "wazuhserver"
  },
  "id": "1715878083.4307",
  "full_log": "May 16 16:48:02 ubuntulab2204 ac64e69504d9[761]: 2024/05/16 16:48:02 [notice] 1#1: start worker processes",
  "predecoder": {
    "program_name": "ac64e69504d9",
    "timestamp": "May 16 16:48:02",
    "hostname": "ubuntulab2204"
  },
  "decoder": {
    "name": "docker-service"
  },
  "data": {
    "log_timestamp": "2024/05/16 16:48:02",
    "severity": "notice",
    "message": "start worker processes"
  },
  "location": "journald"
}

The image below displays a security alert generated on the Wazuh dashboard when the Docker service stops a container with container ID ac64e69504d9.

{
  "timestamp": "2024-05-16T16:50:01.574+0000",
  "rule": {
    "level": 12,
    "description": "Docker with container ID ac64e69504d9 just shut down.",
    "id": "111702",
    "firedtimes": 3,
    "mail": true,
    "groups": [
      "docker-service"
    ]
  },
  "agent": {
    "id": "001",
    "name": "ubuntulab2204",
    "ip": "172.28.8.167"
  },
  "manager": {
    "name": "wazuhserver"
  },
  "id": "1715878201.4867",
  "full_log": "May 16 16:50:01 ubuntulab2204 ac64e69504d9[761]: 2024/05/16 16:50:01 [notice] 29#29: gracefully shutting down",
  "predecoder": {
    "program_name": "ac64e69504d9",
    "timestamp": "May 16 16:50:01",
    "hostname": "ubuntulab2204"
  },
  "decoder": {
    "name": "docker-service"
  },
  "data": {
    "log_timestamp": "2024/05/16 16:50:01",
    "severity": "notice",
    "message": "gracefully shutting down"
  },
  "location": "journald"
}

Using multiple socket outputs

Note

You can use sockets only on Linux/Unix and macOS endpoints.

Log data is sent to the Wazuh agent socket by default, but it's also possible to specify other sockets as output. The logcollector module uses UNIX-type sockets to communicate, thereby allowing TCP or UDP protocols. One scenario where this may be useful is inter-process communication where you may need to redirect the logs to a different socket for another process to read.

You can use the <socket> tag to add new output sockets and then configure the Wazuh agent to output logs to that socket. Perform the following steps on the monitored endpoint to create a new output socket and forward logs from file.log to it:

Note

You need to create the new socket on your endpoint before adding it to your Wazuh configuration file. You can create the socket with your custom application or with netcat. For example, the command nc -lkU /var/run/custom.sock creates a new socket /var/run/custom.sock which you can forward logs to.

Add the following configuration in between the <ossec_config> tags of the Wazuh agent /var/ossec/etc/ossec.conf file to add a new socket named custom_socket:
- Linux: /var/ossec/etc/ossec.conf
- macOS: /Library/Ossec/etc/ossec.conf
```
<socket>
  <name>custom_socket</name>
  <location>/var/run/custom.sock</location>
  <mode>tcp</mode>
  <prefix>custom_syslog: </prefix>
</socket>
```
Where:
- <name> is the name of the socket. This is a required field.
- <location> is the path of the socket. This is a required field.
- <mode> is the socket communication protocol set to UDP by default. The allowed values are either tcp or udp. This field is not mandatory.
- <prefix> is a string placed before the message. This field is not mandatory.
Refer to the socket documentation for more information about defining a socket.
Add the following to the agent configuration file to forward logs from file.log to custom_socket:
```
<localfile>
  <log_format>syslog</log_format>
  <location>/<FILE_PATH>/file.log</location>
  <target>agent,custom_socket</target>
</localfile>
```
Warning

To keep the output to the default socket, we need to specify it using 'agent' as the target. Otherwise, the output will be redirected only to the specified targets.
Restart the Wazuh agent with administrator privileges to apply the configuration change:
- Linux: systemctl restart wazuh-agent
- macOS: /Library/Ossec/bin/wazuh-control restart

Configuring log collection for different operating systems

Windows

Windows logs are descriptive messages that provide information about events that occur in Windows systems. The Windows Event Viewer shows events, as well as the software, applications, or components that generate them. The Wazuh agent captures essential information from events, such as their descriptions, standard system fields, and eventdata specifics. The Wazuh server analyzes and translates the collected events to JSON format. This format makes it easier for users to query and filter the various event fields.

Windows event channel

Event channel is a log format that supports Windows Vista and recent versions. It captures Applications and Services logs, as well as basic Windows logs, including Application, Security, and System logs. This log format also supports the use of queries to monitor specific Windows events. By default, the Wazuh agent monitors the System, Application, and Security Windows event channels. You can configure the Wazuh agent to monitor other Windows event channels of interest.

The table below shows the channels and providers that the Wazuh agent supports.

Source	Channel name	Provider name	Description
Application	Application	Any	This channel collects events related to system application management and is one of the main Windows administrative channels along with Security, and System.
Security	Security	Any	This channel gathers information related to user and group creation, login, logoff, and audit policy modifications.
System	System	Any	The System channel collects events associated with kernel and service control.
Sysmon	Microsoft-Windows-Sysmon/Operational	Microsoft-Windows-Sysmon	Sysmon monitors system activity such as process creation and termination, network connections, and file changes.
Windows Defender	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender	The Windows Defender log shows information about the scans passed, malware detection, and actions taken against them.
McAfee	Application	McLogEvent	This source shows McAfee scan results, virus detection, and actions taken against them.
EventLog	System	Eventlog	This source retrieves information about audit and Windows logs.
Microsoft Security Essentials	System	Microsoft Antimalware	This source gives information about real-time protection for the system, malware detection scans, and changes in antivirus settings.
Remote Access	File Replication Service	Any	Other channels (they are grouped in a generic Windows rule file).
Terminal Services	Microsoft-Windows-TerminalServices-RemoteConnectionManager	Any
Powershell	Microsoft-Windows-PowerShell/Operational	Microsoft-Windows-PowerShell	This channel collects and audits PowerShell activity.

Monitoring the Windows event channel with Wazuh

To monitor specific Windows event channels using the Wazuh agent, simply include the channel name in the location field and set the log format as eventchannel within the localfile block in the C:\Program Files (x86)\ossec-agent\ossec.conf file. For example, perform the following steps to monitor the Microsoft-Windows-PrintService/Operational channel:

Add the following configuration in between the <ossec_config> tags of the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file:

<localfile>
  <location>Microsoft-Windows-PrintService/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

Restart the Wazuh agent via PowerShell with administrator privileges to apply the configuration change:

> Restart-Service -Name wazuh

Monitoring specific events from Windows event channel

You can configure Wazuh agent to collect specific Windows events from the Windows event channel using queries. For example, the following configuration collects Windows events from the System channel whose levels are equal to or less than 3 (warning):

<localfile>
  <location>System</location>
  <log_format>eventchannel</log_format>
   <query>
     \<QueryList\>
       \<Query Id="0" Path="System"\>
         \<Select Path="System"\>*[System[(Level&lt;=3)]]\</Select\>
          \</Query\>
        \</QueryList\>
  </query>
</localfile>

Wazuh uses the following configuration to collect Windows events whose event ID is 7040:

<localfile>
  <location>System</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=7040]</query>
</localfile>

Note

When using the <QueryList> syntax, remember to escape the XML labels inside the query as shown above. Refer to the query documentation to learn the different options of query you can configure.

Windows event channel ruleset

Wazuh provides a comprehensive ruleset designed for different Windows event channels. The rules are categorized based on the event channels to which they belong. This classification enables Wazuh to efficiently maintain the ruleset. Additionally, users can add custom rules specific to their desired event channel. The Windows event channel ruleset has the following characteristics:

By default, the monitored event channels are System, Security, and Application.
Each event channel has one or more rule files specific to it. For example, you can find the rules specific to the System event channel in the /var/ossec/ruleset/rules/0590-win-system_rules.xml file.
A base file /var/ossec/ruleset/rules/0575-win-base_rules.xml includes every parent rule for the specific event channels the Wazuh agent monitors.
Every rule file has a specific rule ID range. Wazuh has reserved 100 rule IDs for the base rules and 500 rule IDs have been reserved for each of the other rule files.
A generic rule file /var/ossec/ruleset/rules/0620-win-generic_rules.xml contains rules that cannot be easily classified into specific event channels.

The table below shows the rule ID range and rule filenames reserved for rules from the various Windows event channel sources.

Source	Rule IDs	Rule file
Base rules	60000 - 60099	0575-win-base_rules.xml
Security	60100 - 60599	0580-win-security_rules.xml
Application	60600 - 61099	0585-win-application_rules.xml
System	61100 - 61599	0590-win-system_rules.xml
Sysmon	61600 - 62099	0595-win-sysmon_rules.xml
Windows Defender	62100 - 62599	0600-win-wdefender_rules.xml
McAfee	62600 - 63099	0605-win-mcafee_rules.xml
Eventlog	63100 - 63599	0610-win-ms_logs_rules.xml
Microsoft Security Essentials	63600 - 64099	0615-win-ms-se_rules.xml
Others	64100 - 64599	0620-win-generic_rules.xml
Powershell	91801 - 92000	0915-win-powershell_rules.xml

Windows event log

The Windows event log format is compatible with all Windows versions and monitors all logs except for particular Applications and Services logs. This format allows monitoring of logs such as Application, System, and Security. By default, the Wazuh agent is configured to monitor only event channels, but you can configure it to also utilize the Windows event log format.

Monitoring the Windows event log with Wazuh

You can configure Wazuh agent to monitor Windows event logs by placing the name of the event log in the location field and eventlog as the log format within the localfile block in the ossec.conf file.

For example, perform the following steps to monitor Application logs from Windows event log:

Add the following configuration in between the <ossec_config> tags of the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file:
```
<localfile>
  <location>Application</location>
  <log_format>eventlog</log_format>
</localfile>
```
Restart the Wazuh agent via PowerShell with administrator privileges to apply the configuration change:
```
> Restart-Service -Name wazuh
```

Linux

The Wazuh agent collects and forwards Linux events to the Wazuh server for analysis. You can also configure a Linux endpoint to forward events via syslog directly to the Wazuh server for analysis. The Wazuh server has out-of-the-box decoders and rules to extract and analyze relevant fields from Linux events. You can create custom decoders and rules to parse and analyze unsupported Linux events.

Monitoring Linux endpoint using rsyslog

Perform the following steps to configure a Linux endpoint to forward events using rsyslog to the Wazuh server for analysis:

Add the following configuration to the /etc/rsyslog.conf file on the Linux endpoint:
```
*.info@@<WAZUH_SERVER_IP_ADDRESS>:514
```
Note

@@ indicates a TCP connection, while @ indicates a UDP connection.

Where:
- <WAZUH_SERVER_IP_ADDRESS> represents the IP address of the Wazuh server.
Restart the rsyslog service to apply the configuration change:
# systemctl restart rsyslog
# service rsyslog restart
Add the configuration below in between the <ossec_config> tags of the /var/ossec/etc/ossec.conf file on the Wazuh server. This configuration allows the Wazuh server to listen for remote syslog messages from the Linux endpoint:
```
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15</allowed-ips>
  <local_ip>192.168.2.5</local_ip>
</remote>
```
Where:
- <connection> specifies the type of connection to accept. This value can either be secure or syslog.
- <port> is the port used to listen for incoming events from the Linux endpoint. The default port for syslog is 514.
- <protocol> is the protocol used to listen for incoming events from the Linux endpoint. This value is either tcp or udp.
- <allowed-ips> is the IP address of the Linux endpoint forwarding events to the Wazuh server.
- <local_ip> is the IP address of the Wazuh server listening for the incoming Linux events.
For more information on remote options, refer to remote - local configuration.
Restart the Wazuh manager to apply the changes:
```
# systemctl restart wazuh-manager
```

macOS

The macOS unified logging system (ULS) centralizes the management and storage of logs across all the system levels. macOS ULS does not write data to text-based log files, requiring Wazuh to use the CLI log tool to collect logs from macOS endpoints. The CLI log tool provides an interface for filtering and collecting logs. The query parameters in the Wazuh configuration allow users to:

Set the level of the messages to collect.
Filter by the log type.
Use a precise predicate to filter logs, given their specific characteristics.

Collecting macOS ULS logs with the Wazuh agent

Wazuh interfaces with the CLI log tool using the –style syslog format to collect logs from macOS ULS:

<localfile>
  <location>macos</location>
  <log_format>macos</log_format>
  <query type="trace,log,activity" level="info">(process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd")</query>
</localfile>

Warning

You can only have one configuration block with log_format set as macos. If you add more blocks, only the last one will be used.

To filter the system logs, it's necessary, but not mandatory, to use the <query> label. This label allows setting different filtering options such as:

type: Specifies the type of logs collected. The values of types are activity, log, and trace. You can combine multiple values.
level: Indicates the level of verbosity. It includes the event at and below the set value. The possible values for level are default, debug, and info. Check the macOS log levels section to learn more about the different levels.
<query>: Filters the macOS logs. It is used as the ULS predicate. Check the macOS ULS predicates section to learn more about the predicates.

Warning

Be sure to be as restrictive as possible when filtering the logs. macOS ULS produces a lot of log data that may be overwhelming, and some logs of interest could be lost in the noise.

macOS ULS log levels

macOS ULS logs are tagged with one of the following levels:

fault: These are very descriptive messages and are always stored on the disk. These logs are always displayed regardless of the level configured.
error: This is similar to fault. These logs are always displayed regardless of the level configured.
default: Logs at this level are stored on disk. These logs are always displayed regardless of the level configured.
info: Logs at this level are only stored in memory. You can configure these logs to be stored on disk. These logs are displayed when info or debug level is set.
debug: These messages are not stored by default, but they can be useful for developers. These logs are displayed when the debug level is set.

When filtering with the level label, you can set only one of the options default, info, or debug. If you don’t set any of these options, then the agent uses the default option.

macOS ULS predicates

You can use predicate-based filters to collect logs based on the provided filter criteria. The filter argument defines one or more pattern clauses based on NSPredicate rules:

Useful filtering keys

eventType: This specifies the type of event. These events are activityCreateEvent, activityTransitionEvent, logEvent, signpostEvent, stateEvent, timesyncEvent, traceEvent and userActionEvent.
eventMessage: Specifies the pattern within the message text or activity name of a log/trace entry.
messageType: This is used to filter the logs by their level of verbosity, and it works only for logEvent and traceEvent. The possible values you can filter by are: default, info, debug, error, or fault.
process: This specifies the name of the process that generated the event.
processImagePath: This specifies the full path of the process that generated the event.
sender: This represents the name of the library, framework, kernel extension, or mach-o image that originated the event.
senderImagePath: This represents the full path of the library, framework, kernel extension, or mach-o image that originated the event.
subsystem: This specifies the subsystem used to log an event. It only works with log messages generated with os_log(3) APIs.
category: This is the category used to log an event. Only works with log messages generated with os_log(3) APIs. The subsystem filter should also be provided when the category filter is used.

Basic comparison operators

=, ==: The left-hand expression equals the right-hand expression.
>=, =>: The left-hand expression is greater than or equal to the right-hand expression.
<=, =<: The left-hand expression is less than or equal to the right-hand expression.
>: The left-hand expression is greater than the right-hand expression.
<: The left-hand expression is less than the right-hand expression.
!=, <>: The left-hand expression is not equal to the right-hand expression.
BETWEEN: The left-hand expression is between, or equal to either of, the values specified on the right-hand side. The right-hand side is a two-value array. An array is required to specify the order, giving upper and lower bounds. For example, 1 BETWEEN { 0, 33 }, or processID BETWEEN { 15320, 16000 }.

Basic compound predicates

AND, &&: represents a logical AND.
OR, ||: represents a logical OR.
NOT, !: represents a logical NOT.

String comparison operators

String comparison operators are by default case and diacritic-sensitive. You can modify an operator using the key characters c and d within square braces to specify case and diacritic insensitivity respectively. For example, processImagePath BEGINSWITH[cd] "/usr/libexec" matches any process whose full path starts with either /usr/libexec, or /USR/LIBEXEC.

BEGINSWITH: The left-hand expression begins with the right-hand expression.
CONTAINS: The left-hand expression contains the right-hand expression.
ENDSWITH: The left-hand expression ends with the right-hand expression.
LIKE: The left-hand expression equals the right-hand expression. You can use ? and * as wildcard characters. ? matches 1 character and * matches 0 or more characters.
MATCHES: The left-hand expression equals the right-hand expression using a regex-style comparison according to ICU v3. For more information, see the ICU User Guide for Regular Expressions.
IN: Equivalent to an SQL IN operation, the left-hand side must appear in the collection specified by the right-hand side. For example, category IN { 'APBonjourCache', 'cas', 'client' }.

Note

For more information about predicates, see the Predicate Programming Guide.

macOS decoders and rules

The Wazuh server has default decoders and rules to analyze macOS events. These decoders and rules are in the files /var/ossec/ruleset/decoders/0580-macos_decoders.xml and /var/ossec/ruleset/rules/0960-macos_rules.xml respectively.

Log data analysis

Log data analysis involves reviewing logs generated by network devices, endpoints, and applications to gain visibility into an IT infrastructure. This visibility extends to multiple areas, including threat detection, system performance monitoring, troubleshooting, compliance auditing, and identifying anomalous activities. Log data analysis in Wazuh involves three phases:

Pre-decoding
Decoding
Rule matching

To illustrate the phases, let's consider a sample log entry:

Feb 14 12:19:04 192.168.1.1 sshd[25474]: Accepted password for Stephen from 192.168.1.133 port 49765 ssh2

Pre-decoding

In the pre-decoding phase, the log analysis engine extracts syslog-like information such as timestamp, hostname, and program name from the log header.

Extracted information:

timestamp: 'Feb 14 12:19:04'
hostname: '192.168.1.1'
program_name: 'sshd'

Decoding

In the decoding phase, the log analysis engine looks for a decoder that matches the sample log. The decoders below match the sample log. These decoders are in the /var/ossec/rulesets/decoders/0310-ssh_decoders.xml file on the Wazuh server:

<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port (\S+)</regex>
  <order>user, srcip, srcport</order>
  <fts>name, user, location</fts>
</decoder>

The decoder sshd matches the program name sshd, while the decoder ssh-success extracts Stephen, 192.168.1.133, and 49765 from the sample log.

Extracted information:

dstuser: 'Stephen'
srcip: '192.168.1.133'
srcport: '49765'

To learn more about decoders, see the decoders syntax section.

Rule matching

In this phase, the Wazuh server compares the logs against a ruleset. Rule 5715 matches the sample log. This rule is in the /var/ossec/ruleset/rules/0095-sshd_rules.xml file on the Wazuh server.

<rule id="5715" level="3">
  <if_sid>5700</if_sid>
  <match>^Accepted|authenticated.$</match>
  <description>sshd: authentication success.</description>
  <group>authentication_success,pci_dss_10.2.5,</group>
</rule>

By default, the Wazuh server generates alerts for any rule whose level is above 2. In this scenario, the log triggers an alert because the rule level is 3 and this will be visible on the Wazuh dashboard.

You can create custom decoders and rules to analyze logs that are not supported by default. To learn how to create custom rules and decoders, refer to custom rules and decoders.

Use cases

Forwarding Linux logs using rsyslog

In this use case, we configure a CentOS 7 endpoint to forward logs using rsyslog to the Wazuh server for analysis. On the CentOS 7 endpoint, we create and delete the user account Stephen. Wazuh has default rules that generate alerts for the creation and deletion of user accounts.

CentOS endpoint

Perform the following steps to forward logs using rsyslog to the Wazuh server.

Edit the /etc/rsyslog.conf file and add the following configuration:
```
*.info@@<WAZUH_SERVER_IP_ADDRESS>:514
```
Where:
- <WAZUH_SERVER_IP_ADDRESS> represents the IP address of the Wazuh server.
Restart the rsyslog service to apply the change:
```
# systemctl restart rsyslog
```

Wazuh server

Perform the following steps to configure the Wazuh server to receive logs from the CentOS 7 endpoint.

Edit the /var/ossec/etc/ossec.conf file and add the following configuration in between the <ossec_config> tags:
```
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips><LINUX_ENDPOINT_IP_ADDRESS></allowed-ips>
</remote>
```
Where:
- <LINUX_ENDPOINT_IP_ADDRESS> represents the IP address of the CentOS 7 endpoint.
Restart the Wazuh manager for the changes to take effect:
```
# systemctl restart wazuh-manager
```

Test the configuration

Perform the following on the CentOS 7 endpoint to test the configuration.

Add the user Stephen:
```
# useradd Stephen
```
Delete the same user Stephen:
```
# userdel Stephen
```

Navigate to Threat Hunting module on the Wazuh dashboard to view the alerts.

Note

You can filter for only the CentOS endpoint events by taking the following steps.

Click on the Add filter button.
Search for “location” in the Field input, then select the is Operator.
Enter the IP address of the CentOS 7 endpoint as the Value, and click save.

The image below shows an alert for user creation.

The image below shows an alert for user deletion.

Detecting the installation of applications on Windows

In this use case, we detect when an application is installed on a Windows endpoint. We test this use case by installing an application called Dr. Memory.

Dr. Memory is an open source memory monitoring tool capable of detecting invalid memory accesses, memory leaks, handle leaks, accesses to freed memory, and other memory-related issues.

Windows endpoint

Download and install Dr. Memory.

By default, the Wazuh agent monitors the installation of applications using the configuration below located in the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf:

<localfile>
  <location>Application</location>
  <log_format>eventchannel</log_format>
</localfile>

Wazuh server

Wazuh has a built-in rule 60612 to detect when an application is installed on a Windows endpoint. You can view this rule in the /var/ossec/ruleset/rules/0585-win-application_rules.xml file on the Wazuh server.

<rule id="60612" level="3">
  <if_sid>60609</if_sid>
  <field name="win.system.eventID">^11707$|^1033$</field>
  <options>no_full_log</options>
  <description>Application installed $(win.eventdata.data).</description>
</rule>

Test the configuration

After installing Dr. Memory, navigate to Threat Hunting on the Wazuh dashboard and apply the filter rule.id:60612 to view the alert.

Monitoring PowerShell activity

In this use case, we configure Wazuh to detect when PowerShell adds a new Windows registry key.

Windows endpoint

Perform the following steps to enable PowerShell logging on a Windows endpoint and configure the Wazuh agent to monitor logged PowerShell activities.

Press Windows + R keys on your keyboard to open the run dialog box.
Type gpedit.msc in the search box and click OK to open the local group policy editor.
Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging.

Note

Turning on PowerShell Script Block Logging will log a lot of PowerShell events in the Microsoft-Winndows-PowerShell/Operational event channel.
Select Enabled, and then click OK.
Add the following in between the <ossec_config> tags of the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf to monitor PowerShell logs:
```
<localfile>
  <location>Microsoft-Windows-PowerShell/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```
Restart the Wazuh agent via PowerShell with administrator privileges to apply the change:
```
> Restart-Service -Name wazuh
```

Wazuh server

Wazuh has a built-in rule 91843 to detect when a PowerShell adds a new Windows registry key. You can view this rule in the /var/ossec/ruleset/rules/0915-win-powershell_rules.xml file on the Wazuh server:

<rule id="91843" level="3">
  <if_sid>91802</if_sid>
  <field name="win.eventdata.scriptBlockText" type="pcre2">(?i)New-ItemProperty.+\-Path</field>
  <options>no_full_log</options>
  <description>Powershell executed "New-ItemProperty -Path". Possible addition of new item to registry</description>
  <mitre>
    <id>T1059.001</id>
    <id>T1112</id>
  </mitre>
</rule>

Test the configuration

Perform the following steps to test the configuration:

On the Windows endpoint, run the following command via PowerShell with administrator privileges to add a registry entry NoofAlerts to the HKLM\Software\Microsoft\ADs registry key, and set the value to 2:
```
> New-ItemProperty -Path "HKLM:\Software\Microsoft\ADs" -Name "NoofAlerts" -Value 2
```
Note

We recommend running the above command in a sandbox environment, and not in a production environment.
Navigate to Threat Hunting on the Wazuh dashboard and apply the rule.id:91843 filter to view the alert.

Vulnerability detection

Vulnerabilities are security flaws in a system, application, or network that threat actors can exploit to compromise confidentiality, integrity, or availability. When exploited, vulnerabilities may allow unauthorized access, remote code execution, data exfiltration, or system disruption. Therefore, organizations must implement a vulnerability management strategy to help minimize the attack surface and prevent exploitation by continuously identifying and remediating these security flaws. Timely detection and response to vulnerabilities are critical to ensuring a strong and resilient security posture.

Wazuh offers users a means to manage vulnerabilities within an IT infrastructure using the Vulnerability Detection module. The Wazuh Vulnerability Detection module helps users discover vulnerabilities in the operating system and applications installed on the monitored endpoints. The module functions using one of the following vulnerability sources:

Wazuh vulnerabilities repository in our Cyber Threat Intelligence (CTI) platform.
Offline vulnerabilities repository - a locally hosted copy of the Wazuh threat intelligence repository from the Wazuh CTI platform.

The Wazuh agent collects a list of installed applications (software inventory data) from monitored endpoints and sends it to the Wazuh server. The Vulnerability Detection module then correlates this software inventory data with vulnerability information obtained from the vulnerability repository.

Content

How it works

The Wazuh agent uses the Syscollector module to collect detailed system inventory data, including information about the operating system and installed packages or applications. The collected data is periodically sent to the Wazuh server and stored in a local SQLite database. Each agent’s inventory is maintained separately and continuously updated to reflect changes on the monitored endpoint.

The Vulnerability Detection module on the Wazuh server analyzes this inventory data by correlating it with vulnerability information from the Wazuh Cyber Threat Intelligence (CTI) platform. When the module identifies a match between a known vulnerability (identified by a CVE ID) and a software version on a monitored endpoint, it flags it as a detected vulnerability. A package is marked as vulnerable when its version falls within the affected range of a CVE. The module generates alerts to display the results; the findings are stored in a general vulnerability inventory. This inventory is filterable by agent and contains vulnerability data that can be queried to review alerts and details about vulnerabilities.

For Microsoft Windows systems and certain Microsoft products, the Vulnerability Detection module includes the hotfixes option in the Wazuh agent's Syscollector configuration. Enabling this option allows the module to detect packages that users have patched. When a patch is detected, the module uses information provided by Microsoft to verify whether the patch resolves the relevant CVEs. If it does, the module updates the status of the vulnerabilities in the inventory.

Wazuh Cyber Threat Intelligence (CTI) platform

The Wazuh Cyber Threat Intelligence (CTI) platform is a publicly accessible service that collects, analyzes, and disseminates actionable information on emerging cyber threats and vulnerabilities. The Wazuh CTI platform aggregates vulnerability data from various sources, including operating system vendors and public vulnerability databases. This data is consolidated into a unified, reliable repository used by the Wazuh Vulnerability Detection module.

Vulnerability data sources

The Wazuh CTI platform gathers vulnerability data from a defined set of trusted sources, including official feeds from operating system vendors and reputable security databases. The sources include:

Operating system vendors: AlmaLinux, Amazon Linux, ArchLinux, Ubuntu (Canonical), Debian, Fedora, Oracle Linux, Red Hat Enterprise Linux (RHEL), Rocky Linux, and SUSE Linux Enterprise.
Security databases: Microsoft Security Updates (MSU), National Vulnerability Database (NVD), Open Source Vulnerabilities (OSV), Cybersecurity and Infrastructure Security Agency (CISA).

Vulnerability Detector Provider (VDP)

A core component of the CTI platform is the Vulnerability Detector Provider (VDP). The VDP organizes vulnerability data from multiple vendors into a standardized format and produces consistent, high-quality intelligence. This ensures the Vulnerability Detection module can identify vulnerabilities across various operating systems, including Windows, CentOS, Red Hat Enterprise Linux, Ubuntu, Debian, Amazon Linux, Arch Linux, SUSE, and macOS.

The VDP performs three key functions:

Content migration: This process fetches raw vulnerability data from vendors and normalizes it into a common structure using the CVE JSON v5 format. This normalization enables the consolidation of diverse vulnerability information into a reliable, centralized repository.
Data sanitization: This process enhances the normalized data by fixing inconsistencies (e.g., version mismatches and typos) and completing missing fields. This ensures the data's accuracy and reliability.
Content merging: This process combines vendor-specific content with internally maintained intelligence data. This includes product name mappings, product translations, and OS base rules. This results in a single, unique document for each CVE.

This final document is published through the CTI API, making it accessible to all Wazuh managers. The publication process includes traceability features to ensure only updated content is published. The Wazuh Vulnerability Detection module retrieves vulnerability intelligence by querying the CTI API or an offline local repository. It compares the newly fetched content with previously stored data to detect updates. This allows the module to continuously identify vulnerabilities on monitored endpoints with high accuracy and coverage.

Accessing Wazuh CTI

The Wazuh CTI API powers the public threat intelligence website and the vulnerability detection feature within the Wazuh XDR & SIEM unified platform. The Wazuh CTI platform is accessible either through the Wazuh CTI website or from the Wazuh dashboard by navigating to the Vulnerability Detection module.

Wazuh CTI Website

The Wazuh CTI website is open to the public and requires no registration or Wazuh installation. It features a search tool for filtering vulnerabilities by CVE ID, affected application, CVSS score, severity, and publication date, with customizable sorting.

From the Wazuh dashboard

You can access the Wazuh CTI platform directly through the vulnerability detection page in the Wazuh dashboard. Navigate to Vulnerability Detection > Inventory, then click the vulnerability ID of any listed vulnerability to open detailed threat intelligence on the Wazuh CTI website.

You can also access the Wazuh CTI platform by clicking the Inspect vulnerability details icon. Then, navigate to the reference section and click the provided URL to be redirected to the Wazuh CTI page, which contains detailed information about the vulnerability.

Alert generation

The Vulnerability Detection module generates alerts when new vulnerabilities are detected or existing vulnerabilities are resolved due to package updates, removals, or system upgrades. While these conditions are necessary, they are not always sufficient. Alert generation depends on specific detection scenarios.

Operating system alerts

Operating system alerts are not generated during the initial inventory scan. When a Wazuh agent syncs with the Wazuh manager for the first time, it does not recognize changes to the OS version or recent patches as new events. Alerts are only triggered in subsequent scans if a change in OS version or patch state is detected.

Packages alerts

Alerts related to package changes are triggered only when a vulnerability is added or removed from the inventory due to installing or removing a package. This requires that the event be captured during a scheduled Syscollector scan. If the changes are made to packages while the Wazuh agent is in a stopped state, no alerts will be triggered. Also, if these changes are only detected after the Wazuh agent is restarted, no alert will be triggered.

Other factors to consider regarding alert generation include:

Cluster environment: When a Wazuh agent reconnects to a different manager node in a clustered deployment, it will synchronize its inventory with the new node. However, this initial sync does not generate alerts, even if changes are present.
Content update: When the vulnerability content (CVE definitions, translations, or mapping rules) is updated on the server, all agents are re-evaluated to ensure their results remain accurate. No alerts are generated during the initial sync triggered by the vulnerability content updates.

Viewing vulnerability data

You can view the vulnerability data of each monitored endpoint from the Wazuh dashboard. To do this:

Click on Threat intelligence from the menu (☰), then select Vulnerability Detection. The Dashboard tab provides a visual summary of vulnerabilities by severity, score, and asset. It links each CVE to affected systems, with charts showing the trend over time, highlighting impacted agents.

Note

To view the vulnerability data for a specific agent, select an agent from your Wazuh dashboard and navigate to the Vulnerability detection module.
Click on the Inventory tab. This tab shows the list of all vulnerabilities detected on the Wazuh agents.
Click on the Events tab. This shows the alerts generated for vulnerabilities detected on Wazuh agents. An alert is generated when vulnerabilities are detected or remediated. It also contains key information such as detection timestamps, severity levels, package names and versions, and the current vulnerability status (e.g., Active or Solved).

Note

As mentioned earlier, alert generation depends on specific detection scenarios. For more information, refer to the Alert generation section.

Each vulnerability alert contains key fields such as:

CVE: The Common Vulnerabilities and Exposures identifier for the corresponding vulnerability.
Rule description: Short description of the impact of the vulnerability.
Description: Broad description of the vulnerability.
Severity: Impact of the vulnerability in terms of severity.
Package: Information about the affected package, including why the package is marked as vulnerable.
Status: The current status of the vulnerability (Active or Solved )
Reference: Wazuh CTI website URL, providing additional information on the vulnerability.

Sample Alert

{
  "_index": "wazuh-states-vulnerabilities-server",
  "_id": "002_f54fb41d71bab144a6022ca87fbad36902348cce_CVE-2025-4050",
  "_score": 0,
  "_source": {
    "agent": {
      "id": "002",
      "name": "WindowOS",
      "type": "Wazuh",
      "version": "v4.10.0"
    },
    "host": {
      "os": {
        "full": "Microsoft Windows 11 Enterprise Evaluation 10.0.22631.2861",
        "name": "Microsoft Windows 11 Enterprise Evaluation",
        "platform": "windows",
        "type": "windows",
        "version": "10.0.22631.2861"
      }
    },
    "package": {
      "architecture": "x86_64",
      "name": "Google Chrome",
      "size": 0,
      "type": "win",
      "version": "134.0.6998.118"
    },
    "vulnerability": {
      "category": "Packages",
      "classification": "CVSS",
      "description": "Out of bounds memory access in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)",
      "detected_at": "2025-06-03T05:35:59.947Z",
      "enumeration": "CVE",
      "id": "CVE-2025-4050",
      "published_at": "2025-05-05T18:15:43Z",
      "reference": "https://issues.chromium.org/issues/409342999, https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_29.html",
      "scanner": {
        "condition": "Package less than 136.0.7103.59",
        "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-4050",
        "source": "National Vulnerability Database",
        "vendor": "Wazuh"
      },
      "score": {
        "base": 8.8,
        "version": "3.1"
      },
      "severity": "High",
      "under_evaluation": false
    },
    "wazuh": {
      "cluster": {
        "name": "server"
      },
      "schema": {
        "version": "1.0.0"
      }
    }
  },
  "fields": {
    "vulnerability.detected_at": [
      "2025-06-03T05:35:59.947Z"
    ],
    "vulnerability.published_at": [
      "2025-05-05T18:15:43.000Z"
    ]
  }
}

Compatibility matrix

Wazuh continuously expands its compatibility list to include new operating systems. The following table highlights the operating systems officially supported by the Vulnerability Detection module. While other systems are also supported, we don't guarantee full detection.

Vulnerability Information Provider	Operating Systems and Versions	Provider Security Website
AlmaLinux	AlmaLinux 10 AlmaLinux 9 AlmaLinux 8	AlmaLinux Security Measures
Amazon Linux	Amazon Linux 2023 Amazon Linux 2022 Amazon Linux 2 Amazon Linux 1	Amazon Linux Security Center
Arch Linux	Rolling release	Arch Linux Security
Canonical	Ubuntu 24.04 LTS (Noble Numbat) Ubuntu 22.04 LTS (Jammy Jellyfish) Ubuntu 20.04 LTS (Focal Fossa) Ubuntu 18.04 LTS (Bionic Beaver) Ubuntu 16.04 LTS (Xenial Xerus) Ubuntu 14.04 LTS (Trusty Tahr)	Ubuntu Security
Debian	Debian 14 (Forky) Debian 13 (Trixie) Debian 12 (Bookworm) Debian 11 (Bullseye) Debian 10 (Buster)	Debian Security Information
Fedora Linux	The same versions reported by the Fedora feed — generally, all versions.	Fedora Update System
NPM	-	NPM Vulnerabilities
NVD	Windows: The same versions reported by the NVD feed — generally, all versions.	NVD Data Feeds
NVD	macOS: The same versions reported by the NVD feed — generally, all versions.	NVD Data Feeds
Oracle Linux	The same versions reported by the Oracle feed — generally, all versions.	Oracle Linux Security
PyPI	-	PyPI Vulnerabilities
Red Hat Enterprise Linux	RedHat 10 and CentOS 10 RedHat 9 and CentOS 9 RedHat 8 and CentOS 8 RedHat 7 and CentOS 7 RedHat 6 and CentOS 6	Product Security Center
Rocky Linux	The same versions reported by the Rocky Linux feed — generally, all versions.	Rocky Linux Advisories
SUSE	SLES 15 and SLED 15 SLES 12 and SLED 12	SUSE Security

Configuration

The Vulnerability Detection module is enabled by default on the Wazuh manager and works with the Syscollector module to detect vulnerable packages and software on a monitored endpoint.

The block below is the default vulnerability detection settings in the Wazuh manager configuration file at /var/ossec/etc/ossec.conf.

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

Where:

<enabled> specifies whether the Vulnerability Detection module is enabled or not. The default value is yes. The allowed values are yes and no.
<index-status> enables the indexing of vulnerability inventory data. The default value is yes. The allowed values are yes and no.
<feed-update-interval> specifies the time interval for periodic feed updates. The default value is 60m (one hour), the minimum allowed. The allowed value is a positive number that contains a suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours), and d (days).

The detected vulnerabilities are forwarded to the Wazuh indexer for querying, visualization, and deeper analysis using the indexer connector setting. The indexer connector setting is enabled by default in the /var/ossec/etc/ossec.conf file of the Wazuh manager.

The indexer connector may be missing if the Wazuh manager is using an old configuration file or if vulnerability detection was disabled during installation. In such cases, follow the steps below to add the indexer connector setting.

Add the indexer connector configuration block below to the /var/ossec/etc/ossec.conf file on the Wazuh manager:

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>

Ensure:

The <hosts> section contains the IP address or hostname of your Wazuh indexer node. You can find this value in the Filebeat configuration file at /etc/filebeat/filebeat.yml.
The <ca>, <certificate>, and <key> names match the files located in /etc/filebeat/certs/.

If you are running a Wazuh indexer cluster infrastructure, add a <host> entry for each one of your Wazuh indexer nodes. For example, in a two-node configuration:
```
<hosts>
  <host>https://10.0.0.1:9200</host>
  <host>https://10.0.0.2:9200</host>
</hosts>
```
The Wazuh server will prioritize reporting to the first Wazuh indexer node in the list and switch to the next available node if the first one becomes unavailable.
Save the Wazuh indexer username and password into the Wazuh manager keystore using the Wazuh-keystore tool:
```
# echo '<WAZUH_INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
# echo '<WAZUH_INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
```
If you have forgotten your Wazuh indexer password, refer to the password management guide to reset it.

Run the command below to verify the connection to the Wazuh indexer using the curl command from the Wazuh server. Enter the Wazuh indexer password when prompted:

# curl --cacert <ROOT_CA> --cert <CERTIFICATE_PEM> --key <CERTIFICATE_KEY> -u <WAZUH_INDEXER_USER> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health

Where:

<ROOT_CA>, <CERTIFICATE_PEM>, <CERTIFICATE_KEY>: Certificate paths.
<WAZUH_INDEXER_USER>: Admin username of the Wazuh indexer.
<INDEXER_IP_ADDRESS>: IP address of the Wazuh indexer.

If this command fails, the vulnerability detector module won't be able to connect to the Wazuh indexer.

To check if the issue is related to certificates, bypass certificate verification using the -k option. Enter the Wazuh indexer password when prompted:

# curl -k -u <WAZUH_INDEXER_USERNAME> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health

A successful connection returns a result similar to the following:

{
    "cluster_name": "opensearch",
    "status": "green",
    "timed_out": false,
    "number_of_nodes": 1,
    "number_of_data_nodes": 1,
    "discovered_master": true,
    "discovered_cluster_manager": true,
    "active_primary_shards": 9,
    "active_shards": 9,
    "relocating_shards": 0,
    "initializing_shards": 0,
    "unassigned_shards": 0,
    "delayed_unassigned_shards": 0,
    "number_of_pending_tasks": 0,
    "number_of_in_flight_fetch": 0,
    "task_max_waiting_in_queue_millis": 0,
    "active_shards_percent_as_number": 100.0
}

Restart the Wazuh manager to apply the configuration:
```
# sudo systemctl restart wazuh-manager
```

Note

To enable vulnerability detection on the Wazuh manager, modify the internal_options.conf file at /var/ossec/etc/internal_options.conf. Set the parameter vulnerability-detection.disable_scan_manager from 1 to 0. This change allows the Vulnerability Detection module to include the Wazuh manager host in its scans. After updating the configuration, restart the Wazuh manager to ensure the changes take effect.

The Syscollector module sends system inventory data from the monitored endpoint to the Wazuh manager for analysis that identifies vulnerable packages and software. The following configuration block shows the default settings for the Syscollector module on a Wazuh agent.

<!-- System inventory -->
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>
  <users>yes</users>
  <groups>yes</groups>
  <services>yes</services>
  <browser_extensions>yes</browser_extensions>

  <!-- Database synchronization settings -->
  <synchronization>
    <max_eps>10</max_eps>
    <integrity_interval>24h</integrity_interval>
  </synchronization>
</wodle>

You can find the Syscollector configuration in the Wazuh agent configuration file at:

/var/ossec/etc/ossec.conf for Linux endpoints.
C:\Program Files (x86)\ossec-agent\ossec.conf for Windows endpoints.
/Library/Ossec/ossec.conf for macOS endpoints.

Refer to the Syscollector configuration for more information.

Offline vulnerability detection

If the Wazuh server does not have direct internet access, it is still possible to keep the Common Vulnerabilities and Exposures (CVE) database up to date. This can be achieved by downloading a snapshot of the threat intelligence repository and making it available within the local network or environment.

Threat intelligence snapshot

Wazuh regularly publishes a snapshot of its threat intelligence repository to the Cyber Threat Intelligence (CTI) API. This snapshot includes all CVE documents in a compressed format suitable for offline use.

Retrieving Wazuh threat intelligence snapshot

To retrieve the download link and the timestamp of the latest snapshot, run the following command:

$ curl -s -X GET https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0 | jq -r '.data | "\(.last_snapshot_link)\n\(.last_snapshot_at)"'

This command queries the CTI API and returns a direct URL to the most recent threat intelligence snapshot file with the date and time it was published.

https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1990927_1748864308.zip
2025-06-02T11:38:28.279172Z

Where 2025-06-02T11:38:28.279172Z is the time of the last update.

Offline vulnerability detection configuration

Follow the steps below to configure the Vulnerability detection module for offline mode.

Download the threat intelligence repository using the URL from querying the CTI API.
```
$ curl https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1990927_1748864308.zip -o cves.zip
```
Note

Refer to the previous section for instructions on retrieving the latest URL for the threat intelligence snapshot

Run the command below to update the permissions and ownership of the file cves.zip:

# chmod 750 /FILE_PATH_TO_OFFLINE_REPOSITORY/cves.zip
# chown root:wazuh /FILE_PATH_TO_OFFLINE_REPOSITORY/cves.zip

Edit the Wazuh server /var/ossec/etc/ossec.conf file. Add the offline repository file path in the vulnerability detection block. This configures the Wazuh server to locate it.
```
<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
   <offline-url><FILE_PATH_TO_OFFLINE_REPOSITORY></offline-url>
</vulnerability-detection>
```
Where:
- <FILE_PATH_TO_OFFLINE_REPOSITORY> is the file path to the threat intelligence repository downloaded in the previous step.

Restart the Wazuh manager to apply the configuration.

# systemctl restart wazuh-manager

# service wazuh-manager restart

Command monitoring

Wazuh command monitoring capability allows you to monitor the output of specific commands and treat the output as log content. Command monitoring can be used to monitor a variety of things, such as disk space utilization, load average, a change in network listeners, and running processes to ensure all important processes are running.

Command monitoring can be used to detect a variety of anomalies and threats. For example, you could use it to monitor for a change in the output of the netstat command, which would indicate that a new network listener has been added or removed. You could also use it to monitor for the presence of specific strings in the output of the ps command, which could indicate that a malicious process is running.

Contents

How it works

The command monitoring capability works on all endpoints where the Wazuh server or agent is installed. Wazuh uses the Command and the Logcollector modules to run commands on the endpoints and forward the output to the Wazuh server for analysis.

The steps below describe the sequence of actions from when a user configures the command monitoring module to when the Wazuh server generates alerts:

The user adds the desired command to the local agent configuration file or remotely through the Wazuh server. You can achieve this configuration by using either the Command or the Logcollector module.
The Wazuh agent periodically executes the command on the configured endpoint based on the set frequency or interval.
The Wazuh agent monitors the command’s execution and forwards its output to the Wazuh server for analysis.
The Wazuh server pre-decodes, decodes, and matches the received logs against predefined rules to generate security alerts. If the logs match the rules, an alert is generated and stored in the /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json files on the Wazuh server. The alert is simultaneously displayed on the Wazuh dashboard.

The image below shows the components involved in the command monitoring process.

Configuration

This section of the documentation shows how to configure the modules responsible for running and monitoring commands, executables, and scripts on endpoints. It also provides the different configuration files available and suitable for different use cases.

Modules

Wazuh provides two modules for monitoring the output of system commands executed on an endpoint. The Command and the Logcollector modules periodically run and monitor commands or executables on Windows, Linux, and macOS endpoints.

Command module

We recommend using the Command module to run and monitor endpoint commands. It provides the following capabilities:

Checksum verification: It verifies and validates the integrity of every executed system binary or script by comparing predefined MD5, SHA1, and SHA256 hashes. This procedure ensures that the binary has not been altered or replaced.
Encrypted communication: All messages exchanged between the Wazuh server and agents are encrypted using AES encryption. This implies that every command output from the Wazuh agents is sent securely to the Wazuh server.
Scheduling execution: The Command module is flexible and can be configured to run commands on endpoints as follows:
- Immediately after the Wazuh agent starts.
- At specific time intervals (interval).
- On a particular day of the month (day) represented by the day's number.
- On a specific day of the week (wday) represented by the day’s name.
- At a particular time (time) of the day represented in the format hh:mm.

A standard command configuration block looks like this:

<wodle name="command">
  <disabled>no</disabled>
  <tag>test</tag>
  <command>/bin/bash /root/script.sh</command>
  <interval>1d</interval>
  <ignore_output>no</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
  <verify_md5>11227b11f565de042c48654a241e9d1c</verify_md5>
  <verify_sha1>be705c5a89d7bf74185c86c5c3c562608f6e6478</verify_sha1>
  <verify_sha256>292a188e498caea5c5fbfb0beca413c980e7a5edf40d47cf70e1dbc33e4f395e</verify_sha256>
</wodle>

The table below shows the configuration options available for the Command module.

Options	Default value	Allowed values	Description	Note
Main options
disabled	no	yes, no	Disables the Command module when set to `yes`.
tag	N/A	Characters set	Tags the command with a descriptive name in the command output. For example, `test` in the configuration block above will be present in the command output.
command		A command Path to a binary Path to a script	Specifies the path to a command, binary, or script to be executed.	From Wazuh 4.13.0, commands and scripts must be on local file systems. UNC network paths or mapped network drives such as are not supported.
ignore_output	no	yes, no	Specifies whether the output of a command is ignored. When this option is set to `yes`, the command output is not forwarded to the Wazuh server.
timeout	N/A	A positive number	Specifies the time (in seconds) for each command to wait for the completion of its execution. When this option is set to `0`, it will wait indefinitely for the end of the process. If the timeout is any value other than `0`, then the execution will finish when the set value expires.
verify_md5	N/A	MD5 checksum	Verifies the MD5 sum of the binary or the script to be executed against this value. If the checksum does not match, the command output is ignored.	Verifies only the first argument of the command option if you passed two or more arguments.
verify_sha1	N/A	SHA1 checksum	Verifies the SHA1 sum of the binary or the script to be executed against this value. If the checksum does not match, the command output is ignored.	Verifies only the first argument of the command option if you passed two or more arguments.
verify_sha256	N/A	SHA256 checksum	Verifies the SHA256 sum of the binary or the script to be executed against this value. If the checksum does not match, the command output is ignored.	Verifies only the first argument of the command option if you passed two or more arguments.
skip_verification	no	yes, no	Runs the command defined even if the checksum does not match. When set to `yes` and there is a verification failure, the agent will log that the checksum verification failed but will run the specified command regardless of the failure.
Scheduling options
run_on_start	yes	yes, no	Runs the configured command immediately when the Wazuh service starts.
interval	2s	A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days)	Specifies how often a defined command executes.
day	N/A	Day of the month [1..31]	Day of the month to run the command configured.	When the `day` option is set, the interval value must be a multiple of months. By default, the interval is set to a month.
wday	N/A	sunday/sun monday/mon tuesday/tue wednesday/wed thursday/thu friday/fri saturday/sat	Day of the week to run the command configured. This option is not compatible with the `day` option.	When the `wday` option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.
time	N/A	Time of day [hh:mm]	Time of the day to run the command configured. It has to be represented in the format `hh:mm`.	When only the `time` option is set, the interval value must be a multiple of days or weeks. By default, the interval is set to a day.

How to configure the Command module

The Command module configuration consists of the command or script, the status of the command, the interval of execution of the command, and the checksum of the script.

To use the Wazuh command monitoring capability, you first need to configure the system to monitor the command's output. This can be a central configuration on the Wazuh server or locally on the endpoints. Once the command is configured, you can then create custom rulesets to process the output and trigger an alert.

For example, we use the Command module to monitor running processes on a Windows endpoint and alert if the notepad.exe process is running. Follow the steps below to configure the module.

Create a batch script named tasklist.bat in the C:\ root directory of the Windows endpoint and add the following content. The script adds a tasklist header to the output of the tasklist command:
```
@Echo Off
setlocal enableDelayedExpansion

for /f "delims=" %%a in ('powershell -command "& tasklist"') do (
    echo tasklist: %%a
)

exit /b
```
Add the following configuration to the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file:
```
<ossec_config>
  <wodle name="command">
    <disabled>no</disabled>
    <tag>tasklist</tag>
    <command>PowerShell.exe C:\tasklist.bat</command>
    <interval>2m</interval>
    <run_on_start>yes</run_on_start>
    <timeout>10</timeout>
  </wodle>
</ossec_config>
```
Where:
- The PowerShell.exe C:\tasklist.bat value in the <command> tag is the command to be executed by the Command module. The PowerShell program executes the C:\tasklist.bat script.
- The value 2m in the <interval> tag indicates that the Command module runs the command every 2 minutes.
Note

You can use the centralized configuration file to distribute this setting across multiple monitored endpoints. Skip the next step, as centralized configuration changes apply immediately without requiring a restart.
Restart the Wazuh agent to apply the changes, using PowerShell with administrator privileges:
```
> Restart-Service -Name wazuh
```

Custom ruleset

Configure the Wazuh server with a custom decoder and rule to analyze the events received from the Windows endpoint by following the steps below.

Add the following decoder to the /var/ossec/etc/decoders/local_decoder.xml file:

<decoder name="tasklist">
  <prematch>^tasklist: </prematch>
</decoder>

Add the rule below to the /var/ossec/etc/rules/local_rules.xml file to generate an alert when the notepad.exe process is running:

<group name="process_monitor,">
  <rule id="100010" level="6">
    <decoded_as>tasklist</decoded_as>
    <regex type="pcre2">(?i)notepad.exe</regex>
    <description>Notepad.exe is running.</description>
  </rule>
</group>

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

Visit the Wazuh dashboard and navigate to the Threat Hunting module to visualize the generated alert as shown below.

Logcollector module

The Logcollector module receives logs through text files, Windows event logs, and also directly through syslog messages, which makes it suitable for firewalls and other such devices. In addition to its primary use as a log collector, it also functions as a viable alternative for running commands and processing the command outputs.

The Logcollector module offers the following features:

Formatting command output: This allows you to format the output of a command by including fields like timestamp, hostname, program_name, and more for better log identification and readability.
Reading multiline command output: This allows the module to read a command output as one or more log messages depending on the command or full_command options configured on the module.

A basic Logcollector module configuration block looks like this:

<localfile>
  <log_format>full_command</log_format>
  <command><COMMAND></command>
  <frequency>120</frequency>
</localfile>

Where:

<log_format> specifies whether the command output is read as one or more log messages depending on command or full_command values.
- full_command reads the output of an executed command as a single line entry.
- command reads the output of an executed command as multiline entries.
<COMMAND> specifies the endpoint command, script, or binary to execute.
<frequency> specifies the time (in seconds) interval of running the configured command. When the frequency option is not specified, by default, the configured command runs every 360 seconds (6 minutes).

Learn more about the different options to configure the Logcollector module in the localfile section of the documentation.

How to configure the Logcollector module

A basic configuration for the Logcollector module requires the command to monitor, the frequency of execution of the command, and the log format of the executed command.

For example, to monitor the percentage of memory available on a Linux endpoint every 120 seconds, perform the following steps on the Linux endpoint.

Add the configuration below within the </ossec_config> block of the Wazuh agent’s local configuration file, /var/ossec/etc/ossec.conf:
```
<localfile>
  <log_format>full_command</log_format>
  <command>free -m | awk 'NR==2{printf "%.2f\t\t\n", $3*100/$2 }'</command>
  <alias>memory_utilization</alias>
  <frequency>120</frequency>
</localfile>
```
Where:
- The full_command value in the <log_format> tag specifies the output of the command free -m | awk 'NR==2{printf "%.2f\t\t\n", $3*100/$2 }' is read as a single event.
- The value free -m | awk 'NR==2{printf "%.2f\t\t\n", $3*100/$2 }' in the <command> tag is the command the Logcollector module executes.
- The value memory_utilization of the <alias> tag is a string that represents the free -m | awk 'NR==2{printf "%.2f\t\t\n", $3*100/$2 }' command for better identification in creating rules.
- The value 120 in the <frequency> tag implies the command runs every 120 seconds (2 minutes).
Note

You can use the centralized configuration file to distribute this setting across multiple monitored endpoints. Skip the next step, as centralized configuration changes apply immediately without requiring a restart.
Restart the Wazuh agent service to apply the changes:
```
$ sudo systemctl restart wazuh-agent
```

At this stage, the Logcollector module is configured to execute the specified command on the Linux endpoint and forward its output to the Wazuh server for analysis. The command output however needs to be analyzed to generate security alerts. Wazuh provides a default decoder called ossec to analyze command outputs from the Logcollector module.

Additionally, Wazuh provides a default rule definition with ID 530 that is triggered when it matches a command output of the Logcollector module. The rule level is set to 0, which means that it does not generate an alert by default when a command output triggers it. To generate security alerts for command outputs of the Logcollector module, you must create a custom rule with an increased level that inherits this base rule.

Perform the following steps on the Wazuh server to generate alerts when Wazuh analyzes the output of the command free -m | awk 'NR==2{printf "%.2f\t\t\n", $3*100/$2.

Add the custom rule below to the /var/ossec/etc/rules/local_rules.xml file:

<group name="memory_utilization,">
  <rule id="100059" level="6">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'memory_utilization'</match>
    <description>Memory metrics.</description>
  </rule>
</group>

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

After you perform the steps above, the Wazuh server can now analyze the output of the command, free -m | awk 'NR==2{printf "%.2f\t\t\n", $3*100/$2, and trigger security alerts every 120 seconds.

Visit the Wazuh dashboard and navigate to the Threat Hunting module to visualize the generated alert as shown below.

As shown in the figure above, the alert is expanded to show the available fields. The full_log field contains the message received from the Linux endpoint. The value 76.42 in the full_log field represents the percentage of memory utilized by the Linux endpoint. This value can be captured in a variable and displayed in the message description on the Wazuh dashboard. Visit the section on Creating a custom ruleset to see how this is done.

Custom ruleset

Wazuh provides an out-of-the-box decoder and rule to analyze the output of commands executed with the Logcollector module to generate security alerts.

The decoder is known as ossec as shown below and is available in the /var/ossec/ruleset/decoders/0200-ossec_decoders.xml file on the Wazuh server.

<decoder name="ossec">
  <prematch>^ossec: </prematch>
  <type>ossec</type>
</decoder>

The rule is defined with ID 530 as shown below and is available in the /var/ossec/ruleset/rules/0015-ossec_rules.xml file on the Wazuh server.

<rule id="530" level="0">
  <if_sid>500</if_sid>
  <match>^ossec: output: </match>
  <description>OSSEC process monitoring rules.</description>
  <group>process_monitor,</group>
</rule>

The rule level is set to 0, which means it does not generate an alert when it matches the expression ossec: output: of the Logcollector module’s command output. To generate alerts for command outputs, you must create a custom rule that inherits this base rule with an increased level unless you have created custom decoders. For example, the df -P command output triggers the rule below when the disk usage of the /dev directory of a Linux endpoint is 100%.

<rule id="531" level="7" ignore="7200">
  <if_sid>530</if_sid>
  <match>ossec: output: 'df -P': /dev/</match>
  <regex>100%</regex>
  <description>Partition usage reached 100% (disk space monitor).</description>
  <group>low_diskspace,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

From the rule definition above, you can see that rule ID 531 inherits from the base rule with ID 530. Additionally, the rule level has been increased from 0 to 7 to generate a security alert as highlighted.

The default decoder and rule are limited and do not provide coverage for all available scenarios. For this reason, Wazuh offers you the ability to create custom decoders and rules to meet your specific use case. Kindly visit the Creating a custom ruleset section of this documentation for more information.

Configuration files

Wazuh agents can be configured to run and monitor the output of commands in either one of the following ways:

Locally on each Wazuh agent using the local configuration file.
Centrally on the Wazuh server using the centralized configuration file.

The local configuration file

The commands to run and monitor their output can be configured in the local configuration (ossec.conf) file of individual Wazuh agents on an endpoint. We use this file to manage the configuration of specified endpoints.

The local configuration file of agents is found in the following locations of the supported endpoints, as shown in the table below.

Endpoint	Location
Windows	`C:\Program Files (x86)\ossec-agent\ossec.conf`
Linux	`/var/ossec/etc/ossec.conf`
macOS	`/Library/Ossec/etc/ossec.conf`

The centralized configuration file

The centralized configuration file is used to remotely manage a group of endpoints. Unlike the local configuration file, it is used to manage one or more endpoints. The Wazuh server runs commands on monitored endpoints remotely using the Remoted daemon. We can enable this functionality by configuring the commands to be monitored in the appropriate configuration section of the centralized configuration (agent.conf) file on the Wazuh server.

By default, the Wazuh agents can not accept remote commands configured on the Wazuh server. The remote command execution feature is disabled on the agents for security reasons. You must explicitly configure the Wazuh agents to accept remote commands from the Wazuh server.

The configuration depends on the module in use, as described below:

When using the Command module, add the configuration wazuh_command.remote_commands to the local_internal_options.conf file of the Wazuh agent on every monitored endpoint. This configuration enables the Wazuh agents to accept remote commands from the Wazuh server.
When using the Logcollector module, add the configuration logcollector.remote_commands to the local_internal_options.conf file of the Wazuh agent on every monitored endpoint. This configuration enables the Wazuh agents to accept remote commands from the Wazuh server.

Warning

Enable remote command execution with caution, as this action authorizes the Wazuh user to run commands with elevated privileges on the monitored endpoint.

The location for the Wazuh agent local_internal_options.conf file on each monitored endpoint is shown in the table below.

Endpoint	Location
Windows	`C:\Program Files (x86)\ossec-agent\local_internal_options.conf`
Linux	`/var/ossec/etc/local_internal_options.conf`
macOS	`/Library/Ossec/local_internal_options.conf`

Example configuration

The configurations below shows how to enable and disable remote command execution on Wazuh agents in Linux endpoints.

Note

These configurations require you to restart the Wazuh agent to apply the changes.

To enable the Wazuh agent to accept remote commands from a Wazuh server, add the configuration below to the /var/ossec/etc/local_internal_options.conf file on the Linux endpoint.
- For the Command module:
  wazuh_command.remote_commands=1
- For the Logcollector module:
  logcollector.remote_commands=1
To disable remote command execution after explicitly enabling it, remove the configuration entirely or modify the appropriate value to 0 in the /var/ossec/etc/local_internal_options.conf file.
- For the Command module:
  wazuh_command.remote_commands=0
- For the Logcollector module:
  logcollector.remote_commands=0

Command output analysis

Wazuh is shipped with a default ruleset that analyzes events from monitored endpoints and generates security alerts. The Wazuh server processes the output of commands executed on the endpoints by the Command or the Logcollector module. Wazuh processes the output like it processes logs from other sources. There are several stages of log processing in Wazuh including pre-decoding, decoding, and rule matching.

Decoding and rule matching

Decoders extract defined fields from logs sent to the Wazuh server. The pre-decoding phase of analysis extracts information such as timestamp, hostname, and program name from the log header. After this phase, the analysis engine looks for a decoder matching a log. When a decoder is found, it extracts the fields of the logs and matches the appropriate rules to generate security alerts. When a decoder is not found, the log is ignored.

Utilize the Wazuh-Logtest utility to simulate and visualize the process of decoding and matching logs against rules. When a decoder is found, it is used to extract the defined fields, otherwise, it throws the message, No decoder matched.

Viewing the raw logs

The Wazuh archives provide the option to view the raw log format of executed commands that the Wazuh server processes. This feature allows you to gather log information required to develop decoders when no decoders are available to process specific log formats.

When you enable the Wazuh archives, all the logs the Wazuh server receives are stored in the /var/ossec/logs/archives/archives.log and /var/ossec/logs/archives/archives.json files on the Wazuh server. By default, this feature is disabled on the Wazuh server to prevent the server from storing raw logs and filling the disk storage.

To view the output of executed commands, you need to enable the Wazuh archives on the Wazuh server using the following steps:

Set the value of the <logall> and <logall_json> tags to yes within the <global> block of the Wazuh server /var/ossec/etc/ossec.conf file.
Restart the Wazuh manager to apply the configuration changes:
# systemctl restart wazuh-manager
Open the /var/ossec/logs/archives/archives.log and /var/ossec/logs/archives/archives.json files on the Wazuh server to view the newly received logs.

Visit the logall and logall_json options of the global configuration section to get detailed information.

Note

As earlier stated, the Wazuh archives retain logs collected from all monitored endpoints, therefore consuming significant storage resources on the Wazuh server over time. So, you might want to disable it after successful log analyses.

Creating a custom ruleset

The Wazuh agent collects logs and events that contain specific information on monitored endpoints. You need to create a custom ruleset to extract relevant information from the collected logs.

To demonstrate the process of creating a custom ruleset, we configure the Command module to obtain the amount of physical RAM left unused in a Linux endpoint every five minutes. In this example, the module executes a command to generate memory usage events on the Linux endpoint and forward the logs to the Wazuh server.

Perform the steps below to generate the events and create a custom ruleset.

Wazuh server

Enable the Wazuh archives to store the raw logs by setting the value of <logall_json> to yes within the <global> block of the /var/ossec/etc/ossec.conf file.
Restart the Wazuh manager to apply the configuration changes:
```
# systemctl restart wazuh-manager
```

Linux endpoint

Add the Command module configuration below within the <ossec_config> block of the /var/ossec/etc/ossec.conf file:

<wodle name="command">
  <disabled>no</disabled>
  <tag>unused_memory</tag>
  <command>grep MemFree /proc/meminfo</command>
  <interval>5m</interval>
  <ignore_output>no</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>

Restart the Wazuh agent to apply the configuration changes:
```
# systemctl restart wazuh-agent
```

Wazuh server

Run the command below to obtain the log received from the monitored Linux endpoint:

# grep "unused_memory" /var/ossec/logs/archives/archives.json

{"timestamp":"2023-07-26T09:06:08.947+0000","agent":{"id":"002","name":"Ubuntu-22-LTS","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1690362368.662599","full_log":"MemFree:          90008 kB","decoder":{},"location":"command_unused_memory"}

The full_log field in the log contains the actual event generated on the monitored Linux endpoint.

Run the /var/ossec/bin/wazuh-logtest program and paste the value of the full_log field in the prompt:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.12.0
Type one log per line

MemFree:          90008 kB

**Phase 1: Completed pre-decoding.
  full event: 'MemFree:           90008 kB'

**Phase 2: Completed decoding.
  No decoder matched.

You can see that there is no decoder available to decode the log as highlighted. You need to create a decoder to extract information from the log.

To extract information such as the free memory and unit of measurement from the log, add the following custom decoder to the /var/ossec/etc/decoders/local_decoder.xml file:

<decoder name="unused-memory">
  <prematch>^MemFree: </prematch>
  <regex offset="after_prematch">\t*(\S+)\s(\S+)</regex>
  <order>free_memory, unit_of_measurment</order>
</decoder>

Run the /var/ossec/bin/wazuh-logtest program and paste the value of the full_log field in the log again. This time you can see that the log is properly decoded by the decoder unused-memory and the fields free_memory and unit_of_measurment are extracted accordingly:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.12.0
Type one log per line

MemFree:          90008 kB

**Phase 1: Completed pre-decoding.
  full event: 'MemFree:           90008 kB'

**Phase 2: Completed decoding.
  name: 'unused-memory'
  free_memory: '90008'
  unit_of_measurment: 'kB'

The decoded output of the command needs to trigger a rule to generate an alert. Add the custom rule below to the /var/ossec/etc/rules/local_rules.xml file to generate an alert when the Command module executes the grep MemFree /proc/meminfo command. The rule uses the <decoded_as> tag to reference the unused-memory decoder created above:
```
<group name="unused_memory">
  <rule id="100003" level="5">
    <decoded_as>unused-memory</decoded_as>
    <description>The system’s free memory is $(free_memory) $(unit_of_measurment).</description>
  </rule>
</group>
```
Restart the Wazuh manager to apply the configuration changes:
```
# systemctl restart wazuh-manager
```

Run the command below to see the JSON alert generated when the Command module runs the grep MemFree /proc/meminfo command:

# grep "unused_memory" /var/ossec/logs/alerts/alerts.json | /var/ossec/framework/python/bin/python3 -mjson.tool

{
    "timestamp": "2023-07-26T09:21:07.928+0000",
    "rule": {
        "level": 5,
        "description": "The system\u2019s free memory is 88456 kB.",
        "id": "100003",
        "firedtimes": 1,
        "mail": false,
        "groups": [
            "unused_memory"
        ]
    },
    "agent": {
        "id": "002",
        "name": "Ubuntu-22-LTS",
        "ip": "10.0.2.15"
    },
    "manager": {
        "name": "wazuh-server"
    },
    "id": "1690363267.663636",
    "full_log": "MemFree:           88456 kB",
    "decoder": {
        "name": "unused-memory"
    },
    "data": {
        "free_memory": "88456",
        "unit_of_measurment": "kB"
    },
    "location": "command_unused_memory"
}

Wazuh dashboard

Click the upper-left menu icon ☰ to open the options, go to Agents management > Summary and select the monitored Linux endpoint. Then, navigate to the Threat Hunting module to view the alerts generated when the Command module runs the grep MemFree /proc/meminfo command.

Use cases

Explore practical use cases of Wazuh command monitoring and discover how this feature can benefit your security operations.

Contents

Monitoring running processes

In this use case, we configure Wazuh agents to run commands locally to monitor running processes on Windows, Linux, and macOS endpoints. Then, we create custom rules on the Wazuh server to generate alerts when a particular process is running or not.

Monitoring running processes on Windows endpoint

We configure the Command module to monitor running processes on the Windows endpoint and alert if the notepad.exe process is running.

Configuration

Windows endpoint

Perform the following steps to configure the Command module to run a batch script on the Windows endpoint.

Create a batch script named tasklist.bat in the C:\ directory of the Windows endpoint and add the following content. The script adds a tasklist header to the output of the tasklist command:
```
@Echo Off
setlocal enableDelayedExpansion

for /f "delims=" %%a in ('powershell -command "& tasklist"') do (
    echo tasklist: %%a
)

exit /b
```
Append the following configuration to the Wazuh agent’s C:\Program Files (x86)\ossec-agent\ossec.conf file. The tasklist command lists running processes on Windows endpoints:
```
<ossec_config>
  <wodle name="command">
    <disabled>no</disabled>
    <tag>tasklist</tag>
    <command>PowerShell.exe C:\tasklist.bat</command>
    <interval>2m</interval>
    <run_on_start>yes</run_on_start>
    <timeout>10</timeout>
  </wodle>
</ossec_config>
```
Where:
- The PowerShell.exe C:\tasklist.bat value in the <command> tag is the command to be executed by the Command module. As seen, the PowerShell executable is used to execute the C:\tasklist.bat script.
- The value 2m in the <interval> tag indicates that the Command module runs the command every 2 minutes.
Restart the Wazuh agent to apply the changes, using PowerShell with administrator privileges:
```
> Restart-Service -Name wazuh
```

Wazuh server

Configure the Wazuh server with a custom decoder and rule to analyze the events received from the Windows endpoint using the steps below.

Add the following decoder to the /var/ossec/etc/decoders/local_decoder.xml file:

<decoder name="tasklist">
  <prematch>^tasklist: </prematch>
</decoder>

Add the rule below to the /var/ossec/etc/rules/local_rules.xml file to generate an alert when the notepad.exe process is running:

<group name="process_monitor,">
  <rule id="100010" level="6">
    <decoded_as>tasklist</decoded_as>
    <regex type="pcre2">(?i)notepad.exe</regex>
    <description>Notepad.exe is running.</description>
  </rule>
</group>

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

Test the configuration

Trigger the alert by launching the Notepad application on the Windows endpoint.

Visualize the alerts

Go to Threat Hunting module on the Wazuh dashboard to visualize the generated alerts when the monitored command runs.

Monitoring running processes on Linux endpoint

Linux endpoints run a number of processes by default including the Cron daemon. For this endpoint, we monitor the running processes using the Logcollector module and alert if the /usr/sbin/cron process is not running as expected. We use the ps command to get the status of active processes on the Linux endpoint.

Configuration

Perform the following steps on the respective endpoints to check if the Cron daemon is not running as expected.

Linux endpoint

Configure this endpoint to monitor the status of the running processes every two minutes and forward its output to the Wazuh server for analysis.

Append the Logcollector module configuration below to the Wazuh agent /var/ossec/etc/ossec.conf file:
```
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>ps -auxw</command>
    <frequency>120</frequency>
  </localfile>
</ossec_config>
```
Where:
- The full_command value in the <log_format> tag specifies the output of the command is read as a single event.
- The value ps -auxw in the <command> tag specifies the command the Logcollector module executes.
- The value 120 in the <frequency> tag specifies the command runs every 120 seconds (2 minutes).
Restart the Wazuh agent service to apply the changes:
```
$ sudo systemctl restart wazuh-agent
```

Wazuh server

Configure the Wazuh server with custom rules to analyze the events received from the Linux endpoint using the steps below.

Add the rules below to the /var/ossec/etc/rules/local_rules.xml file. The rules generate an alert when the /usr/sbin/cron process is not running as expected:

<group name="process_monitor,">
  <rule id="100012" level="6">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'ps -auxw'</match>
    <description>Cron process not running.</description>
  </rule>

  <rule id="100013" level="0">
    <if_sid>100012</if_sid>
    <match>/usr/sbin/cron</match>
    <description>Cron process is running as expected.</description>
  </rule>
</group>

The first rule with ID 100012 generates an alert ("Cron process not running.") unless it is overridden by its child rule with ID 100013 that matches /usr/sbin/cron in the command output. You can add as many child rules as needed to enumerate all of the important processes you want to monitor.

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

Test the configuration

Trigger the alert by stopping the Cron process on the Linux endpoint with the command below:

$ sudo systemctl stop cron

Visualize the alerts

Go to Threat Hunting module on the Wazuh dashboard to visualize the generated alert when the Cron process is not running.

Monitoring running processes on macOS endpoint

Monitoring running processes on macOS endpoints is similar to that of Linux endpoints. For this use case, we monitor if a particular process is running using the Logcollector module. Unlike the configuration for the Windows and Linux endpoints which filters the command output using rules, the configuration for this endpoint filters the command output using the configured command itself. This method reduces the command output result and streamlines rule creation. The configuration also introduces the alias attribute of the Logcollector module.

Configuration

macOS endpoint

Perform the following steps to configure the Wazuh Logcollector module to check if the calendar application Calendar.app or calendar.app is running.

Append the following configuration to the Wazuh agent /Library/Ossec/etc/ossec.conf file:
```
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>ps auxw | grep -i [C]alendar.app</command>
    <alias>check_calendar_status</alias>
    <frequency>120</frequency>
  </localfile>
</ossec_config>
```
Where:
- The full_command value in the <log_format> tag specifies the output of the command is read as a single event.
- The value ps auxw | grep -i [C]alendar.app in the <command> tag is the command the Logcollector module executes to check the state of the Calendar application.
- The value check_calendar_status in the <alias> tag is a string that represents the ps auxw | grep -i [C]alendar.app command for better identification.
- The value 120 in the <frequency> tag specifies the command runs every 120 seconds (2 minutes).
Restart the Wazuh agent service to apply the changes:
```
# /Library/Ossec/bin/wazuh-control restart
```

Wazuh server

Configure the Wazuh server with a custom rule to analyze the Calendar application events received from the macOS endpoint using the steps below.

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server. The rule only matches the string ossec: output: 'check_calendar_status' in the command output as only one log is generated from the Logcollector configuration specified above:
```
<group name="process_monitor,">
  <rule id="100013" level="6">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'check_calendar_status'</match>
    <description>Calendar is running.</description>
  </rule>
</group>
```
Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

Test the configuration

Trigger the alert by launching the Calendar application on the macOS endpoint.

Visualize the alerts

Go to Threat Hunting module on the Wazuh dashboard to visualize the generated alert.

Disk space utilization

This use case involves monitoring the partitions on Windows, Linux, and macOS endpoints to determine whether a defined amount of free space is not exceeded. We use a centralized configuration to perform this on all the endpoints.

Disk space utilization on Windows endpoint

We use the PowerShell command, Get-Volume, to get the free space and size of the available volumes on the filesystem. Then create a rule to trigger an alert when the free space of the C: drive is less than 20%.

Configuration

Windows endpoint

Perform the following steps on the Windows endpoint.

Enable remote command execution on the Windows endpoint by appending the following settings to the C:\Program Files (x86)\ossec-agent\local_internal_options.conf file:

Warning

Enable remote command execution with caution as this gives the Wazuh user permission to run any command on the endpoint.
```
logcollector.remote_commands=1
```
Restart the Wazuh agent to apply the changes, using PowerShell with administrator privileges:
```
> Restart-Service -Name wazuh
```

Wazuh server

Perform the following steps on the Wazuh server.

Append the following configuration to the /var/ossec/etc/shared/default/agent.conf file on the Wazuh server:
```
<agent_config os="Windows">
  <localfile>
    <log_format>command</log_format>
    <command>Powershell -c "Get-Volume -DriveLetter C | Select-Object -Property @{'Name' = '% Free'; Expression = {'{0:P}' -f ($_.SizeRemaining / $_.Size)}}"</command>
    <alias>check_win_disk_space</alias>
  </localfile>
</agent_config>
```
Where:
- The value command of the <log_format> tag specifies the output of the command is read as multiple events.
- The value Powershell -c "Get-Volume -DriveLetter C | Select-Object -Property @{'Name' = '% Free'; Expression = {'{0:P}' -f ($_.SizeRemaining / $_.Size)}}" of the <command> tag is the command the Logcollector module executes to get the percentage of free space available in the C: drive.
- The value check_win_disk_space of the <alias> tag is a string that represents the Powershell -c "Get-Volume -DriveLetter C | Select-Object -Property @{'Name' = '% Free'; Expression = {'{0:P}' -f ($_.SizeRemaining / $_.Size)}}" command for better identification in creating rules.
- Notice the absence of the <frequency> tag. This implies the command is scheduled to run periodically using the default frequency value of 360 seconds.

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="disk_space_utilization,">
  <rule id="100014" level="7">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'check_win_disk_space': </match>
    <regex type="pcre2">[0-1]\d.\d+%$</regex>
    <description>C: Drive free space less than 20%.</description>
  </rule>
</group>

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

Visualize the alerts

Go to Threat Hunting module on the Wazuh dashboard to visualize the generated alert when the free disk space is less than 20%.

Disk space utilization on Linux endpoint

For this endpoint, we monitor the disk space using the df -h command and create a rule to trigger an alert when the disk usage of the /dev partition is above 80%. We use the Command module to define the configuration in this scenario. You can also use the Logcollector module.

Configuration

Linux endpoint

Perform the following steps on the Linux endpoint.

Enable remote command execution on the Linux endpoint by appending the following settings to the /var/ossec/etc/local_internal_options.conf file:

Warning

Enable remote command execution with caution as this gives the Wazuh user permission to run any command on the endpoint.
```
wazuh_command.remote_commands=1
```
Restart the Wazuh agent to apply the changes:
```
$ sudo systemctl restart wazuh-agent
```

Wazuh server

Knowing the Command module does have a default decoder for its log format, we need to figure out a way to format the command output so that a custom decoder can parse it. So, we leverage the below script to format the command output.

Create a bash script named disk-usage.sh in the /var/ossec/etc/shared/default/ directory of the Wazuh server and add the following content. Wazuh pushes the script to the /var/ossec/etc/shared/ directory on the Linux endpoint where it is executed. The script adds a disk-usage header to the output of the df -h command:
```
#!/bin/bash
df -h | while IFS= read -r line;
do
  echo "disk-usage: "$line
done
```
Append the following configuration to the /var/ossec/etc/shared/default/agent.conf file on the Wazuh server. Replace <MD5_HASH>, <SHA1_HASH>, and <SHA256_HASH> with the appropriate hashes of the /bin/bash shell binary on the Linux endpoint:
```
<agent_config os="Linux">
  <wodle name="command">
    <disabled>no</disabled>
    <tag>disk-usage</tag>
    <command>/bin/bash /var/ossec/etc/shared/disk-usage.sh</command>
    <interval>2m</interval>
    <run_on_start>yes</run_on_start>
    <timeout>10</timeout>
    <verify_md5><MD5_HASH></verify_md5>
    <verify_sha1><SHA1_HASH></verify_sha1>
    <verify_sha256><SHA256_HASH></verify_sha256>
  </wodle>
</agent_config>
```
Where:
- The value /bin/bash /var/ossec/etc/shared/disk-usage.sh of the <command> tag specifies the Command module uses the /bin/bash binary to execute the /var/ossec/etc/shared/disk-usage.sh script.
- The value 2m of the <interval> tag indicates that the command module runs the command every 2 minutes.

Add the following decoder to the /var/ossec/etc/decoders/local_decoder.xml file on the Wazuh server:

<decoder name="disk-usage">
  <prematch>^disk-usage: </prematch>
  <regex offset="after_prematch">(\S+)\s*(\S+)\s*(\S+)\s*(\S+)\s*(\S+)%\s*(\S+)</regex>
  <order>filesystem, size, used, available, usage, mnt</order>
</decoder>

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server. The rule generates an alert when the disk usage of the /dev partition exceeds 80%:

<group name="disk_space_utilization,">
  <rule id="100015" level="7">
    <decoded_as>disk-usage</decoded_as>
    <field name="filesystem">^/dev/</field>
    <field name="usage">^9\d|^8\d</field>
    <description>Usage $(usage)% of $(filesystem) partition exceeded 80%.</description>
  </rule>
</group>

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

Visualize the alerts

Go to Threat Hunting module on the Wazuh dashboard to visualize the generated alerts when the disk usage of the /dev partition exceeds 80%.

Disk space utilization on macOS endpoint

For this endpoint, we monitor the disk space using the df -P command. Wazuh triggers a rule to generate an alert when the disk usage of the /dev partition is 100%. We use the Logcollector module to demonstrate this use case. You can also use the Command module.

Configuration

macOS endpoint

Perform the following steps on the macOS endpoint.

Enable remote command execution on the macOS endpoint by appending the following settings to the /Library/Ossec/etc/local_internal_options.conf file:

Warning

Enable remote command execution with caution as this gives the Wazuh user permission to run any command on the endpoint.
```
logcollector.remote_commands=1
```

Restart the Wazuh agent to apply the changes:

# /Library/Ossec/bin/wazuh-control restart

Wazuh server

Wazuh has an out-of-the-box rule with ID 531 that generates an alert when the disk usage of the /dev partition is 100%. The rule is defined below and is found in the Wazuh GitHub repository.

<rule id="531" level="7" ignore="7200">
  <if_sid>530</if_sid>
  <match>ossec: output: 'df -P': /dev/</match>
  <regex>100%</regex>
  <description>Partition usage reached 100% (disk space monitor).</description>
  <group>low_diskspace,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

Perform the following steps on the Wazuh server.

Append the following configuration to the /var/ossec/etc/shared/default/agent.conf file on the Wazuh server:
```
<agent_config os="macOS">
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>180</frequency>
  </localfile>
</agent_config>
```
Where:
- The value command of the <log_format> tag specifies the output of the command is read as multiple events.
- The value df -P of the <command> tag specifies the command the Logcollector module executes.
- The value 180 of the <frequency> tag specifies the command runs every 180 seconds (3 minutes).

Test the configuration

Run the following command on the macOS endpoint to fill the disk space with random data of 10GB. This action can take approximately 45 seconds:

# df -h .; date; dd if=/dev/zero of=big_file count=10240000 bs=1024 ; date; df -h .

Note

Depending on the size of your disk, you can increase the value of count to fill up more disk space.
After viewing the generated alert on the Wazuh dashboard, you can remove the file big_file to regain your disk space.

Visualize the alerts

Go to Threat Hunting module on the Wazuh dashboard to visualize the generated alert when the disk usage of the /dev partition is 100%.

Check if the output changed

In this use case, we use the Linux netstat command with the check_diff option to monitor for changes by listening to the network tcp sockets. Then, we create rules to generate alerts when there is a change in the tcp socket output.

Configuration

Linux endpoint

For this endpoint, we configure Wazuh to monitor the output of the Linux netstat command and alert when a change is detected.

Perform the following steps on the Linux endpoint.

Install netstat on the Linux endpoint:
```
$ sudo apt install net-tools
```

Append the following configuration to the Wazuh agent /var/ossec/etc/ossec.conf file:

<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>
</ossec_config>

Where:

The full_command value of the <log_format> tag specifies the output of the command is read as multiple events.
The value of the <command> tag specifies the output of the command is read as a single event.

Restart the Wazuh agent service to apply the changes:
```
$ sudo systemctl restart wazuh-agent
```

Wazuh server

Wazuh has an out-of-the-box rule with ID 533 that generates an alert when there is a change in the netstat listening ports. The rule is defined below and is found in the Wazuh GitHub repository.

<rule id="533" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat listening ports</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
    <group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

Test the configuration

We trigger a port change in the Linux endpoint by changing the default ssh port from 22 to 2021. Follow the steps below to simulate this.

Edit the ssh_config file:
```
# nano /etc/ssh/ssh_config
```

Add port 2021 as the new ssh port:

#Port 22
Port 2021
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Restart the ssh service:
```
# systemctl restart ssh
```

Visualize the alerts

Go to Threat Hunting module on the Wazuh dashboard to visualize the alert showing the changes in the network.

Detect USB Storage

In this use case, we configured the Wazuh agent to detect when a USB storage device is connected to a Windows endpoint. Then we create rules to generate alerts when the USB device is detected.

Configuration

Windows endpoint

On the Windows endpoint, we want to monitor the output of the USBSTOR registry entry using the reg Query command. Then, we create a rule to trigger an alert when the command output contains a value.

Perform the following steps on the Windows endpoint.

Enable remote command execution on the Windows endpoint by appending the following settings to the C:\Program Files (x86)\ossec-agent\local_internal_options.conf file:

Warning

Enable remote command execution with caution as this gives the Wazuh user permission to run any command on the endpoint.
```
logcollector.remote_commands=1
```
Restart the Wazuh agent to apply the changes, using PowerShell with administrator privileges:
```
> Restart-Service -Name wazuh
```

Wazuh server

Perform the following steps on the Wazuh server.

Append the following configuration to the /var/ossec/etc/shared/default/agent.conf file on the Wazuh server:
```
<agent_config os="Windows">
  <localfile>
    <log_format>command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <alias>check_usb_connetivity</alias>
  </localfile>
</agent_config>
```
Where:
- The value command of the <log_format> tag specifies the output of the command is read as multiple events.
- The value reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR of the <command> tag is the command the Logcollector module executes to know if a USB device is attached to the endpoint.
- The value check_usb_connetivity of the <alias> tag is a string that represents the reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR command for better identification in creating rules.

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="detect_usb_storage,">
  <rule id="100016" level="7">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'check_usb_connetivity':</match>
    <description>New USB device connected</description>
  </rule>
</group>

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

Test the configuration

Trigger the alert by plugging a USB storage to the Windows endpoint.

Visualize the alerts

Go to Threat Hunting module on the Wazuh dashboard to visualize the generated alert when a USB device is connected to the Windows endpoint.

Load average

In this use case, we configure the Wazuh agent to monitor the output of the Linux uptime command to measure the current load average of the system. The load average helps to keep track of the usage of system resources.

Configuration

Linux endpoint

We configure Wazuh agent on the Linux endpoint to monitor the load average output of the Linux uptime command and alert when it is higher than a given threshold. For this use case, we monitor when the load average threshold is higher than 2.

Perform the following steps on the Linux endpoint.

Append the following configuration to the Wazuh agent /var/ossec/etc/ossec.conf file:
```
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>uptime</command>
    <frequency>30</frequency>
  </localfile>
</ossec_config>
```
Where:
- The command value of the <log_format> tag specifies the output of the command is read as multiple events
- The value uptime of the <command> tag specifies the command the Logcollector module executes.
Restart the Wazuh agent service to apply the changes:
```
$ sudo systemctl restart wazuh-agent
```

Wazuh server

Perform the following steps on the Wazuh server.

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server. The rule generates an alert when there is a load average higher than 2:

<group name="load_average,">
  <rule id="100017" level="7" ignore="7200">
    <if_sid>530</if_sid>
    <match>ossec: output: 'uptime': </match>
    <regex>load average: 2.</regex>
    <description>Load average reached 2.</description>
  </rule>
</group>

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

Test the configuration

Follow the steps below to trigger a load average alert on the Linux endpoint.

Install Stress, a Linux utility for stress testing:
```
$ sudo apt install stress
```
Check the number of CPU cores on the Linux endpoint:
```
$ nproc
```
Run the stress test by executing the command below:
```
$ stress --cpu <NUMBER_OF_THREADS> –-timeout <DURATION_IN_SECONDS>
```
Where:
- <NUMBER_OF_THREADS> is the number of CPU cores present in the Linux endpoint.
- <DURATION_IN_SECONDS> is the desired duration of the stress test.

Visualize the alerts

Go to Threat Hunting module on the Wazuh dashboard to visualize the generated alert.

Container security

Container security involves implementing measures and practices to ensure the protection and availability of containers and the applications they contain, thereby safeguarding their integrity and confidentiality. Wazuh provides several capabilities and features to help organizations secure their container environments, including centralized logging, real-time monitoring, vulnerability scanning, and incident response automation.

Wazuh enables users to effectively monitor container platforms like Docker, providing comprehensive visibility into container resources, including monitoring container health. Additionally, Wazuh offers the capability to audit Kubernetes infrastructure, ensuring a holistic approach to container security and monitoring.

Using Wazuh to monitor Docker

To maintain the security and compliance of your Docker environment, it is crucial to proactively monitor both your Docker server and containers. The Docker server is the backbone of your container infrastructure and manages the deployment of containers and resource allocation. By monitoring the Docker server, you can keep track of resource usage, unauthorized access attempts, performance issues, and other security concerns.

However, it is not enough to monitor only the Docker server, you also need to monitor the containers themselves. Container monitoring provides insight into the activities of your containers, such as network connections, file system changes, and process executions. Monitoring these activities helps to detect suspicious behavior, identify malware or malicious processes, and respond to security incidents in real-time.

By monitoring both the Docker server and the containers, you can proactively detect and respond to security threats, ensuring the security and compliance of your Docker environment to regulatory standards.

Take the following steps to monitor your Docker environment with Wazuh:

Install the Wazuh agent on your Docker server. The Wazuh agent secures the underlying Docker infrastructure by monitoring the server where the Docker daemon is running.
Enable the Wazuh Docker listener to monitor container activity. The Docker listener runs on the agent deployed on the Docker server to collect and forward Docker-related logs to the Wazuh server.

Enable the Wazuh Docker listener

The Docker listener allows the Wazuh agent to capture Docker events and forward them to the Wazuh server. The following sections describe how to install the Python Docker module and enable the Wazuh Docker listener.

Python

The Docker container module requires Python 3. Specifically, it's compatible with Python 3.8–3.13. While later Python versions should work as well, we can't assure they are compatible.

Docker library for Python

Warning

The Wazuh manager includes all dependencies installed. These steps are only necessary when configuring the integration in a Wazuh agent.

Python Docker library is the official Python library for the Docker Engine API. The Wazuh docker integration requires docker 6.0.0.

$ pip3 install docker==7.1.0 urllib3==1.26.20 requests==2.32.2

$ pip3 install docker==7.1.0 urllib3==1.26.20 requests==2.32.2 --break-system-packages

Note

This command modifies the default externally managed Python environment. See the PEP 668 description for more information.

To prevent the modification, you can run pip3 install --upgrade pip within a virtual environment. You must update the docker /var/ossec/wodles/docker/DockerListener script shebang with your virtual environment interpreter. For example: #!</path/to/your/virtual/environment>/bin/python3.

Configure the Wazuh agent

Perform the following steps on the Docker server to configure the Wazuh agent to forward Docker events to the Wazuh server.

Add the following configuration to the Wazuh agent configuration file /var/ossec/etc/ossec.conf to enable the Docker listener:
```
<wodle name="docker-listener">
  <disabled>no</disabled>
</wodle>
```
Restart the Wazuh agent to apply the changes:
```
# systemctl restart wazuh-agent
```

Wazuh Docker dashboard

The Wazuh Docker dashboard offers a centralized and user-friendly interface that allows you to monitor the security of your Dockerized infrastructure. With real-time insights and actionable information, the Wazuh Docker listener dashboard empowers system administrators and security teams to detect and respond to potential threats, ensuring the integrity and reliability of containerized applications. From monitoring container events to analyzing logs and implementing custom rules, this dashboard streamlines the security management process, enhancing the overall protection of your Docker environment.

Wazuh Docker listener configuration options

In this section, we provide more information about the Wazuh Docker listener and all possible configuration options. The Docker listener has the main options and the scheduling options.

Main options

The main options allow you to enable or disable the Docker listener, and to configure the number of attempts to rerun the listener in case it fails. The two main options are disabled and attempts.

disabled

The disabled option allows you to enable or disable the Docker listener.

Default value	no
Allowed values	yes, no

attempts

The attempts option specifies the number of attempts to execute the listener in case it fails.

Default value	5
Allowed values	A positive number

Scheduling options

The scheduling options allow you to configure when the Docker listener should execute. The available scheduling options are run_on_start, interval, day, wday, and time. The Docker listener runs on start by default when enabled without any scheduling options.

run_on_start

Run the Docker listener immediately when the Wazuh agent starts.

Default value	yes
Allowed values	yes, no

interval

Waiting time to rerun the Docker listener in case it fails.

Default value	1m
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours), d (days), M (months).

day

Day of the month to run the scan.

Default value	n/a
Allowed values	Day of the month [1..31]

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to run the scan. This option is not compatible with the day option.

Default value

n/a

Allowed values

Day of the week:

sunday/sun
monday/mon
tuesday/tue
wednesday/wed
thursday/thu
friday/fri
saturday/sat

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to run the scan. It has to be represented in the format hh:mm.

Default value	n/a
Allowed values	Time of day [hh:mm]

Note

When only the time option is set, the interval value must be a multiple of days or weeks. By default, the interval is set to a day.

Example configuration

The example configuration below shows an enabled Docker listener. The listener attempts to execute five times at ten-minute intervals if it fails.

<wodle name="docker-listener">
  <interval>10m</interval>
  <attempts>5</attempts>
  <run_on_start>no</run_on_start>
  <disabled>no</disabled>
</wodle>

Use cases

In these use cases, we create a Docker setup, and demonstrate how Wazuh logs activities that occur in the Docker environment.

Requirements

Docker installed on an Ubuntu 22.04 endpoint. Follow the official documentation to set up Docker.
Install Wazuh agent on the Docker server, and enroll it to a Wazuh server.
Enable the Wazuh Docker listener on the Docker server.

Monitoring user interaction with Docker resources

In this use case, we demonstrate how Wazuh monitors Docker events and triggers alerts for interaction with containers and images. Perform the following steps to test the use case:

Run test-container from the httpd image:

# docker run -d --name test-container httpd

Pause test-container:
```
# docker pause test-container
```
Resume test-container:
```
# docker unpause test-container
```
Stop test-container:
```
# docker stop test-container
```
Remove test-container:
```
# docker rm test-container
```
Remove the httpd image:
```
# docker rmi httpd
```

View the alerts on the Wazuh dashboard

Navigate to the Threat Hunting module or the dedicated Docker listener dashboard on the Wazuh dashboard to view the alerts. The following alerts are generated when we perform all the actions above. We have highlighted the alerts and labeled them according to the action that triggered each of them for ease of understanding.

Below, we show the full data of an alert triggered when a Docker container is started:

{
  "agent": {
    "ip": "192.168.132.140",
    "name": "Ubuntu22",
    "id": "001"
  },
  "manager": {
    "name": "wazuh-server"
  },
  "data": {
    "integration": "docker",
    "docker": {
      "Type": "container",
      "Action": "start",
      "Actor": {
        "Attributes": {
          "image": "httpd",
          "name": "test-container"
        },
        "ID": "d47511d28ebf226e6bebff7be58ba8b03cb62fba7686a877e565d837e3d438da"
      },
      "scope": "local",
      "from": "httpd",
      "timeNano": "1683632491049788416.000000",
      "id": "d47511d28ebf226e6bebff7be58ba8b03cb62fba7686a877e565d837e3d438da",
      "time": "1683632491",
      "status": "start"
    }
  },
  "rule": {
    "firedtimes": 3,
    "mail": false,
    "level": 3,
    "description": "Docker: Container test-container started",
    "groups": [
      "docker"
    ],
    "id": "87903"
  },
  "decoder": {
    "name": "json"
  },
  "input": {
    "type": "log"
  },
  "@timestamp": "2023-05-09T11:41:31.033Z",
  "location": "Wazuh-Docker",
  "id": "1683632491.847900",
  "timestamp": "2023-05-09T14:41:31.033+0300",
  "_id": "ApVRAIgBKQU4L4_oLMjj"
}

Monitoring container runtime

All Docker container runtime logs on Linux endpoints are saved by default to /var/lib/docker/containers/<CONTAINER_ID>/<CONTAINER_ID>-json.log. In this use case, we show how Wazuh monitors the runtime logs of a web container to detect web attacks.

Wazuh agent configuration

Configure the Wazuh agent on the Docker server to forward all container runtime logs to the Wazuh server. Add the following configuration to the /var/ossec/etc/ossec.conf agent configuration file:
```
<localfile>
  <log_format>syslog</log_format>
  <location>/var/lib/docker/containers/*/*-json.log</location>
</localfile>
```
- We use wildcards * in the <location> field of the configuration so Wazuh can monitor the dynamically named log file path. The file path of the container log usually contains the container ID as shown in the pattern /var/lib/docker/containers/<CONTAINER_ID>/<CONTAINER_ID>-json.log
Restart the Wazuh agent service to apply the changes:
```
# systemctl restart wazuh-agent
```

Wazuh server configuration

Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml decoder file on the Wazuh server:

<decoder name="web-accesslog-docker">
  <parent>json</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^log":"\S+ \S+ \S+ \.*[\S+ \S\d+] \.*"\w+ \S+ HTTP\S+" \d+</prematch>
  <regex offset="after_parent">^log":"(\S+) \S+ \S+ \.*[\S+ \S\d+] \.*"(\w+) (\S+) HTTP\S+" (\d+)</regex>
  <order>srcip,protocol,url,id</order>
</decoder>

<decoder name="json">
  <parent>json</parent>
  <use_own_name>true</use_own_name>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

The web-accesslog-docker decoder extracts the relevant fields in a web log, and sets the log type to web-log so the Wazuh analysis engine can analyze the log for web attacks.
The json decoder enables Wazuh to continue decoding the log as a regular json log in case it does not meet the criteria of the first decoder web-accesslog-docker.

Restart the Wazuh manager service to apply the changes:
```
# systemctl restart wazuh-manager
```

Run the Docker container and simulate the attack

Run the following command on the Docker server to create a web container called test-container:
```
# docker run --name test-container -p 80:80 -d nginx
```
Run the following command on the Wazuh server to simulate an SQL injection (SQLi) attack. Replace <WEB_IP_ADDRESS> with the IP address of the Docker server:
```
# curl -XGET "http://<WEB_IP_ADDRESS>/users/?id=SELECT+*+FROM+users";
```

View the alerts on the Wazuh dashboard

Navigate to the Threat Hunting module on the Wazuh dashboard to view the alert. The following alert is generated when we simulate the SQLi attack.

We show the full alert event data below:

Note

The highlighted location field in the alert data shows the container where the event was generated.

{
  "agent": {
    "ip": "192.168.132.140",
    "name": "Ubuntu22",
    "id": "001"
  },
  "manager": {
    "name": "wazuh-server"
  },
  "data": {
    "protocol": "GET",
    "srcip": "192.168.132.1",
    "id": "404",
    "url": "/users/?id=SELECT+*+FROM+users"
  },
  "rule": {
    "firedtimes": 1,
    "mail": false,
    "level": 7,
    "pci_dss": [
      "6.5",
      "11.4",
      "6.5.1"
    ],
    "tsc": [
      "CC6.6",
      "CC7.1",
      "CC8.1",
      "CC6.1",
      "CC6.8",
      "CC7.2",
      "CC7.3"
    ],
    "description": "SQL injection attempt.",
    "groups": [
      "web",
      "accesslog",
      "attack",
      "sql_injection"
    ],
    "mitre": {
      "technique": [
        "Exploit Public-Facing Application"
      ],
      "id": [
        "T1190"
      ],
      "tactic": [
        "Initial Access"
      ]
    },
    "id": "31103",
    "nist_800_53": [
      "SA.11",
      "SI.4"
    ],
    "gdpr": [
      "IV_35.7.d"
    ]
  },
  "decoder": {
    "parent": "json",
    "name": "web-accesslog-docker"
  },
  "full_log": "{\"log\":\"192.168.132.1 - - [12/May/2023:14:12:14 +0000] \\\"GET /users/?id=SELECT+*+FROM+users HTTP/1.1\\\" 404 153 \\\"-\\\" \\\"curl/7.68.0\\\" \\\"-\\\"\\n\",\"stream\":\"stdout\",\"time\":\"2023-05-12T14:12:14.882936144Z\"}",
  "input": {
    "type": "log"
  },
  "@timestamp": "2023-05-12T14:12:15.875Z",
  "location": "/var/lib/docker/containers/f736fa30f2ce3f818425ae562696ca84910e4ac1c13d2ca884052b2f1622f871/f736fa30f2ce3f818425ae562696ca84910e4ac1c13d2ca884052b2f1622f871-json.log",
  "id": "1683900735.283081",
  "timestamp": "2023-05-12T17:12:15.875+0300",
  "_id": "wZVOEIgBKQU4L4_oKMyk"
}

System inventory

A system inventory is a resource that contains information about the hardware and software assets within an IT infrastructure. Keeping an inventory of all assets helps organizations maximize the visibility of hardware and software in their environment. An up-to-date system inventory is essential for maintaining good IT hygiene within an enterprise network.

Wazuh agents collect system information from monitored endpoints and forward it to the Wazuh server to maintain a centralized system inventory. This information is processed on the Wazuh server and then sent to the Wazuh indexer, where it is stored as global state data. The Wazuh Syscollector module on the Wazuh agent collects hardware, operating system, installed software, network interfaces, port, running processes, browser extensions, services, users and groups information from each agent. The Wazuh agent can also collect data about Windows updates from Windows endpoints. You can configure what kind of information you want the Syscollector module to collect or ignore.

Users can generate system inventory reports from the Wazuh dashboard, which can be valuable resources during threat hunting and IT hygiene exercises. The information contained in the report can be used to identify unwanted applications, processes, services, and malicious artifacts.

Contents

How it works

The Wazuh agent uses the Syscollector module to gather relevant information from the monitored endpoint. Once the agent service starts on a monitored endpoint, the Syscollector module runs periodic scans and collects data on the system properties defined in your configuration. The data is first stored in a temporary local database on the endpoint.

The Wazuh agent then forwards the newly collected data from its local database to the Wazuh server. Each agent uses a separate database on the Wazuh server, which updates the appropriate tables of its inventory database using the received information. For example, the Wazuh server stores hardware-related information in a table called sys_hwinfo.

The Wazuh Inventory Harvester module on the Wazuh manager processes this data, standardizes it using Wazuh Common Schemas (WCS), and forwards it to the Wazuh indexer, where it is stored as global state data. This global state data is organized under dedicated indices for each data type, allowing users to efficiently run targeted queries and generate visualizations directly from the Wazuh dashboard. For example, the packages inventory is indexed as wazuh-states-inventory-packages-* in the Wazuh indexer.

You can query and visualize centralized system inventory data from all monitored endpoints in the IT Hygiene section on the Wazuh dashboard. In addition, you can query the system inventory data using the Wazuh indexer API, the Wazuh server API, or the SQLite tool. The Vulnerability Detector module uses packages and Windows updates information in the inventory to detect vulnerable and patched software on monitored endpoints.

Configuration

The Wazuh system inventory requires both Wazuh agent and Wazuh manager configurations to collect, process, and store system inventory data.

Wazuh agent configuration

The Syscollector module is enabled by default on all endpoints where the Wazuh agent is installed. You can find the Syscollector configuration in the Wazuh agent configuration file at:

/var/ossec/etc/ossec.conf for Linux endpoints.
C:\Program Files (x86)\ossec-agent\ossec.conf for Windows endpoints.
/Library/Ossec/ossec.conf for macOS endpoints.

You can also use the centralized configuration file to make changes to the Syscollector module across multiple monitored endpoints that belong to the same agent group. For example, the default group uses the configuration file, which you can find at /var/ossec/etc/shared/default/agent.conf on the Wazuh server. Any setting done with the centralized configuration will take precedence over the local agent configuration.

The block below is the default Syscollector configuration present in the Wazuh agent configuration file:

   <!-- System inventory -->
   <wodle name="syscollector">
     <disabled>no</disabled>
     <interval>1h</interval>
     <scan_on_start>yes</scan_on_start>
     <hardware>yes</hardware>
     <os>yes</os>
     <network>yes</network>
     <packages>yes</packages>
     <ports all="no">yes</ports>
     <processes>yes</processes>
     <users>yes</users>
     <groups>yes</groups>
     <services>yes</services>
     <browser_extensions>yes</browser_extensions>

     <!-- Database synchronization settings -->
     <synchronization>
       <max_eps>10</max_eps>
       <integrity_interval>24h</integrity_interval>
     </synchronization>
   </wodle>

Where:

<disabled> specifies whether the Syscollector module is enabled or not. The default value is no. The allowed values are yes and no.

<interval> specifies the time between system scans. The default value is 1 hour. The allowed value is a positive number that should contain a suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours), and d (days).
<scan_on_start> initiates a system scan immediately after you restart the Wazuh service on the endpoint. The default value is yes. The allowed values are yes and no.
<hardware> option enables or disables the hardware information collection by Syscollector. The default value is yes. The allowed values are yes and no.
<os> option enables or disables the operating system scan. The default value is yes. The allowed values are yes and no.
<network> enables or disables the network scan. The default value is yes. The allowed values are yes and no.
<packages> enables or disables the scanning of packages, with a default value of yes. The allowed values are yes and no.
<ports all="no"> enables or disables the port scan. The default value is yes. You can configure two allowed values is yes and no. This option also accepts an additional parameter all, with which you can restrict the scan to only listening ports using <ports all="no">. If you want Syscollector to scan all ports, then you change the value to yes.
<processes> enables or disables the scanning for running processes on a monitored endpoint. The default value is yes. The allowed values are yes and no.
<users> enables or disables the scanning for user accounts on a monitored endpoint. The default value is yes. The allowed values are yes and no.
<groups> enables or disables the scanning for user account groups on a monitored endpoint. The default value is yes. The allowed values are yes and no.
<services> enables or disables the scanning for services. The default value is yes. The allowed values are yes and no.
<browser_extensions> enables or disables the scanning for browser extensions. The default value is yes. The allowed values are yes and no.
<max_eps> allows you to set the maximum event reporting throughput. The default value is 10, which signifies 10 events per second. The allowed value is an Integer number between 0 and 1000000.

In Windows systems, you can use the <hotfixes> option. Check hotfixes for the details.

Note

Restart the agent when you make any changes to the configuration file. This will ensure that the changes take effect. If you used centralized configuration, no manual restart is required because the agent reloads automatically after receiving the update.

Wazuh manager configuration

The Wazuh Inventory Harvester module on the Wazuh manager processes the collected system inventory data and forwards it to the Wazuh indexer using the indexer connector setting. The indexer connector setting is enabled by default in the /var/ossec/etc/ossec.conf file of the Wazuh manager.

Add the indexer connector configuration block below to the /var/ossec/etc/ossec.conf file on the Wazuh manager:

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>

Ensure:

The <hosts> section contains the IP address or hostname of your Wazuh indexer node. You can find this value in the Filebeat configuration file at /etc/filebeat/filebeat.yml.
The <ca>, <certificate>, and <key> names match the files located in /etc/filebeat/certs/.

If you are running a Wazuh indexer cluster infrastructure, add a <hosts> entry for each one of your Wazuh indexer nodes. For example, in a two-node configuration:
```
<hosts>
  <host>https://10.0.0.1:9200</host>
  <host>https://10.0.0.2:9200</host>
</hosts>
```
The Wazuh server will prioritize reporting to the first Wazuh indexer node in the list and switch to the next available node if the first one becomes unavailable.
Save the Wazuh indexer username and password into the Wazuh manager keystore using the Wazuh-keystore tool:
```
# echo '<WAZUH_INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
# echo '<WAZUH_INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
```
If you have forgotten your Wazuh indexer password, refer to the password management guide to reset it.

Run the command below to verify the connection to the Wazuh indexer using the curl command from the Wazuh server. Enter the Wazuh indexer password when prompted:

# curl --cacert <ROOT_CA> --cert <CERTIFICATE_PEM> --key <CERTIFICATE_KEY> -u <WAZUH_INDEXER_USER> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health

Where:

<ROOT_CA>, <CERTIFICATE_PEM>, <CERTIFICATE_KEY>: Certificate paths.
<USER> and <PASS>: Admin username of the Wazuh indexer.
<WAZUH_INDEXER_IP_ADDRESS>: IP address of the Wazuh indexer.

If this command fails, the vulnerability detector module won't be able to connect to the Wazuh indexer.

To check if the issue is related to certificates, bypass certificate verification using the -k option. Enter the Wazuh indexer password when prompted:

# curl -k -u <WAZUH_INDEXER_USERNAME> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health

A successful connection returns a result similar to the following:

{
    "cluster_name": "opensearch",
    "status": "green",
    "timed_out": false,
    "number_of_nodes": 1,
    "number_of_data_nodes": 1,
    "discovered_master": true,
    "discovered_cluster_manager": true,
    "active_primary_shards": 9,
    "active_shards": 9,
    "relocating_shards": 0,
    "initializing_shards": 0,
    "unassigned_shards": 0,
    "delayed_unassigned_shards": 0,
    "number_of_pending_tasks": 0,
    "number_of_in_flight_fetch": 0,
    "task_max_waiting_in_queue_millis": 0,
    "active_shards_percent_as_number": 100.0
}

Restart the Wazuh manager to apply the configuration:
```
# sudo systemctl restart wazuh-manager
```

Viewing system inventory data

You can query and visualize centralized system inventory data from all monitored endpoints in the IT Hygiene section on the Wazuh dashboard. This provides a unified view of your environment's status across all monitored endpoints.

The IT Hygiene section organizes data into multiple categories:

Dashboard: View an overview of key metrics and a summary of your environment.
System: Analyze operating system and hardware information.
Software: Review installed packages and software vendors.
Processes: Monitor running processes.
Network: Inspect network configurations, interfaces, and traffic.
Identity: View users and groups.
Services: Analyze services related information.

To access the IT hygiene section, navigate to Security operations > IT Hygiene on the Wazuh dashboard.

Dashboard

Shows a consolidated view of the system inventory data across multiple or selected monitored endpoints. It visualizes key metrics such as operating system families, package types, installed packages, running packages, operating systems, host CPUs, source ports, and process start times.

System

Provides a detailed breakdown of the operating systems and hardware in your environment.

The OS tab provides an operating system and hardware information breakdown across all monitored endpoints.
The Hardware tab displays top CPU models, CPU cores, the most used memory, and a summary data table.

Software

Contains an overview of software packages, Windows KBs and browser extensions on monitored endpoints.

The Packages tab displays package data, including top software vendors, the number of installed packages, the types of packages, and a summary data table.
The Windows KBs tab displays the Windows Knowledge Base data, including the most and least common Knowledge Bases.
The Browser extensions tab displays top browsers and packages, and a summary data table containing the browser and extension details.

Processes

Displays running processes, process start times, and a summary data table containing process details for the monitored endpoints.

Network

Contains the Addresses, Interfaces, Protocols, Services, and Traffic tabs.

The Addresses tab provides a detailed view of network types, unique network IP addresses, interface names, and a summary data table containing detailed network address information.
The Interfaces tab offers a detailed view of network interfaces, displaying average packet loss, interface states, interface types, and a summary data table of interface-level details.
The Protocols tab offers a detailed view of network types, network metrics, and DHCP status, and a summary table with more protocol-level details.
The Services tab presents a detailed view of source ports, transport protocols, processes, and a summary data table for each endpoint.
The Traffic tab provides a detailed view of active listening ports, including source ports, destination ports, transport protocols, processes, and a summary data table for each endpoint.

Identity

Provides a detailed breakdown of the users and groups in your environment.

The Users tab displays user account information, including top users, user groups, user shells and a summary data table.
The Groups tab displays information about the user account groups, including top groups, the number of unique groups and a summary data table.

Services

Displays top running services, total unique services and a summary data containing service details for the monitored endpoints.

Query the agent inventory data

The Syscollector module runs periodic scans and sends the updated data in JSON format to the Wazuh server. The Wazuh server analyzes and stores this data in a separate database for each endpoint. The databases contain tables that store each type of system information. The system inventory databases on the Wazuh server are then processed and forwarded to the Wazuh indexer, where it is stored as the global state data. You can query the system inventory data for specific information using the Wazuh indexer API, Wazuh server API, or the SQLite tool.

Using the Wazuh indexer API

The Wazuh indexer API enables you to perform actions such as adding new indices, querying existing indices, and modifying the Wazuh indexer settings. It can retrieve system inventory data from global state indices for selected or multiple monitored endpoints and display it in a human‑readable format. You can perform these queries through the Wazuh indexer API interface on the dashboard or by using command‑line tools such as cURL.

Wazuh indexer API GUI

Follow these steps to access the Wazuh indexer API from the Wazuh dashboard.

On the Wazuh dashboard, click the hamburger icon from the top left side and navigate to Indexer management > Dev Tools.
Type the following command in the console and click the play icon to run the query:
```
GET /_cat/indices/wazuh-states-inventory-*?v
```
The command retrieves information about the system inventory indices
Use the command below to query the system inventory index for installed packages within your infrastructure. After typing, click the play icon to run the query.
```
GET /wazuh-states-inventory-packages-*/_search?pretty
```
You can query the system inventory index to look up specific details, such as whether a particular package is installed on any monitored endpoints. For example, the following command checks the package inventory for the presence of the wazuh-agent package.
```
GET /wazuh-states-inventory-packages-*/_search?pretty
{
  "query": {
    "match": {
      "package.name": "wazuh-agent"
    }
  }
}
```

Furthermore, you can check whether a package is installed on a specific endpoint. In the command below, we check if the Wazuh agent is installed on a Windows endpoint. Replace <AGENT_NAME> with the name of the Wazuh endpoint.

GET /wazuh-states-inventory-packages-*/_search?pretty
{
  "query": {
    "bool": {
      "must": [
        { "term": { "agent.name": "<AGENT_NAME>" }},
        { "match": { "package.name": "Wazuh Agent" }}
      ]
    }
  }
}

cURL

Follow the steps below to query the system inventory indices from the command line using cURL.

Run the command below to retrieve information about the system inventory indices. Replace <WAZUH_INDEXER_USERNAME> with the Wazuh indexer username and type the Wazuh indexer password when prompted:

# curl -k -u "<WAZUH_INDEXER_USERNAME>" https://<WAZUH_INDEXER_IP>:9200/_cat/indices/wazuh-states-inventory-*?v

health status index                                                           uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-states-inventory-hotfixes-localhost.localdomain           0VISw7egSCOqS4_iW6lF-A   1   0         24            0      7.5kb          7.5kb
green  open   wazuh-states-inventory-networks-localhost.localdomain           2VeQaHbKQGyGAw-zsBBG-Q   1   0          6            0       17kb           17kb
green  open   wazuh-states-inventory-services-localhost.localdomain           8ZMbiB4eSvmQXxFhBOF3Wg   1   0        860            4    469.7kb        469.7kb
green  open   wazuh-states-inventory-users-localhost.localdomain              Gj_vVwsORSW75SSNHRLo5A   1   0         60            1     89.2kb         89.2kb
green  open   wazuh-states-inventory-browser-extensions-localhost.localdomain lmd4L0CKQVSZ6MkHPggKOg   1   0         22            0     56.7kb         56.7kb
green  open   wazuh-states-inventory-system-localhost.localdomain             1KLOw7tZTc2mrLXigyAgOA   1   0          2            0     18.5kb         18.5kb
green  open   wazuh-states-inventory-interfaces-localhost.localdomain         26kqFEdaQT6zLXCexqOm2g   1   0          3            0       21kb           21kb
green  open   wazuh-states-inventory-packages-localhost.localdomain           OKQau-AmQd2XYKtMTbIiAA   1   0       1576           18    522.3kb        522.3kb
green  open   wazuh-states-inventory-groups-localhost.localdomain             mKSYvXZ3QgWyP4gK3xymlA   1   0        101            0       62kb           62kb
green  open   wazuh-states-inventory-ports-localhost.localdomain              GG3ZzWV8SbaLFmCDOymy8A   1   0        104            9     56.4kb         56.4kb
green  open   wazuh-states-inventory-hardware-localhost.localdomain           pHS7eI08QAW7oEiDLSO2LA   1   0          2            0     16.1kb         16.1kb
green  open   wazuh-states-inventory-protocols-localhost.localdomain          55hrDEMMTIS9UzzteTjnBQ   1   0          6            0     16.2kb         16.2kb
green  open   wazuh-states-inventory-processes-localhost.localdomain          G-vbdw1WRsaRmNdoqqcaqQ   1   0        528          100    138.7kb        138.7kb

Use the command below to query the system inventory index for the packages on the endpoints. Replace <WAZUH_INDEXER_USERNAME> with the Wazuh indexer username and type the Wazuh indexer password when prompted.

# curl -k -u "<WAZUH_INDEXER_USERNAME>" https://<WAZUH_INDEXER_IP>:9200/wazuh-states-inventory-packages-*/_search?pretty

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1585,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform",
        "_id" : "006_041f8e6a4f5473b6ad05a32d8cbcc6fba389cabb",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "id" : "006",
            "name" : "Cent_Stream",
            "version" : "v4.14.0"
          },
          "package" : {
            "architecture" : "x86_64",
            "description" : "A library that wraps other spell checking backends.",
            "installed" : "2025-06-30T19:18:17.000Z",
            "name" : "enchant2",
            "size" : 167594,
            "type" : "rpm",
            "vendor" : "CentOS",
            "version" : "2.2.15-6.el9"
          },
          "wazuh" : {
            "cluster" : {
              "name" : "wazuh-VMware-Virtual-Platform"
            },
            "schema" : {
              "version" : "1.0"
            }
          }
        }
      },
      {
        "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform",
        "_id" : "006_044fc408c207df2320ea52d29231919b2616f4ce",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "id" : "006",
            "name" : "Cent_Stream",
            "version" : "v4.14.0"
          },
          "package" : {
            "architecture" : "x86_64",
            "description" : "The ATK library provides a set of interfaces for adding accessibility\nsupport to applications and graphical user interface toolkits. By\nsupporting the ATK interfaces, an application or toolkit can be used\nwith tools such as screen readers, magnifiers, and alternative input\ndevices.",
            "installed" : "2025-06-30T19:18:17.000Z",
            "name" : "atk",
            "size" : 1304627,
            "type" : "rpm",
            "vendor" : "CentOS",
            "version" : "2.36.0-5.el9"
          },
          "wazuh" : {
            "cluster" : {
              "name" : "wazuh-VMware-Virtual-Platform"
            },
            "schema" : {
              "version" : "1.0"
            }
          }
        }
      },
      {
        "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform",
        "_id" : "006_045d1c99dc4f5c48377352432af35e0cd2c2451c",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "id" : "006",
            "name" : "Cent_Stream",
            "version" : "v4.14.0"
          },
          "package" : {
            "architecture" : "x86_64",
            "description" : "A backend implementation for xdg-desktop-portal that is using various pieces of\nGNOME infrastructure, such as the org.gnome.Shell.Screenshot or\norg.gnome.SessionManager D-Bus interfaces.",
            "installed" : "2025-06-30T19:31:26.000Z",
            "name" : "xdg-desktop-portal-gnome",
            "size" : 568978,
            "type" : "rpm",
            "vendor" : "CentOS",
            "version" : "41.2-3.el9"
          },
          "wazuh" : {
            "cluster" : {
              "name" : "wazuh-VMware-Virtual-Platform"
            },
            "schema" : {
              "version" : "1.0"
            }
          }
        }
      },
      {
        "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform",
        "_id" : "006_0467d452f839f61a318267d502b6c81154316e40",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "id" : "006",
            "name" : "Cent_Stream",
            "version" : "v4.14.0"
          },
          "package" : {
            "architecture" : "x86_64",
            "description" : "This package contains the shared library for sqlite.",
            "installed" : "2025-06-30T19:30:06.000Z",
            "name" : "sqlite-libs",
            "size" : 1368872,
            "type" : "rpm",
            "vendor" : "CentOS",
            "version" : "3.34.1-8.el9"
          },
          "wazuh" : {
            "cluster" : {
              "name" : "wazuh-VMware-Virtual-Platform"
            },
            "schema" : {
              "version" : "1.0"
            }
          }
        }
      },
      {
        "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform",
        "_id" : "006_0480a23ae60e573ec6b243b3a6068723fda63ee2",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "id" : "006",
            "name" : "Cent_Stream",
            "version" : "v4.14.0"
          },
          "package" : {
            "architecture" : "x86_64",
            "description" : "Cheese is a Photobooth-inspired GNOME application for taking pictures and\nvideos from a webcam. It can also apply fancy graphical effects.",
            "installed" : "2025-06-30T19:19:07.000Z",
            "name" : "cheese",
            "size" : 378533,
            "type" : "rpm",
            "vendor" : "CentOS",
            "version" : "2:3.38.0-6.el9"
          },
          "wazuh" : {
            "cluster" : {
              "name" : "wazuh-VMware-Virtual-Platform"
            },
            "schema" : {
              "version" : "1.0"
            }
          }
        }
      },
      {
        "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform",
        "_id" : "006_048923b45c38753ce27dc4346d16612a6e9fa6bc",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "id" : "006",
            "name" : "Cent_Stream",
            "version" : "v4.14.0"
          },
          "package" : {
            "architecture" : "x86_64",
            "description" : "The filesystem package is one of the basic packages that is installed\non a Linux system. Filesystem contains the basic directory layout\nfor a Linux operating system, including the correct permissions for\nthe directories.",
            "installed" : "2025-06-30T19:30:05.000Z",
            "name" : "filesystem",
            "size" : 106,
            "type" : "rpm",
            "vendor" : "CentOS",
            "version" : "3.16-5.el9"
          },
          "wazuh" : {
            "cluster" : {
              "name" : "wazuh-VMware-Virtual-Platform"
            },
            "schema" : {
              "version" : "1.0"
            }
          }
        }
      },
      {
        "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform",
        "_id" : "006_04c8813e7928463fee47e0006c90e16e5d924ca6",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "id" : "006",
            "name" : "Cent_Stream",
            "version" : "v4.14.0"
          },
          "package" : {
            "architecture" : "x86_64",
            "description" : "The POSIX module permits you to access all (or nearly all) the standard POSIX\n1003.1 identifiers. Many of these identifiers have been given Perl interfaces.",
            "installed" : "2025-07-17T14:42:06.000Z",
            "name" : "perl-POSIX",
            "size" : 240020,
            "type" : "rpm",
            "vendor" : "CentOS",
            "version" : "1.94-483.el9"
          },
          "wazuh" : {
            "cluster" : {
              "name" : "wazuh-VMware-Virtual-Platform"
            },
            "schema" : {
              "version" : "1.0"
            }
          }
        }
      },
      {
        "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform",
        "_id" : "006_0507d1d203a41466eddaf4e8ea773427f6137e4b",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "id" : "006",
            "name" : "Cent_Stream",
            "version" : "v4.14.0"
          },
          "package" : {
            "architecture" : "x86_64",
            "description" : "A library to handle bidirectional scripts (for example Hebrew, Arabic),\nso that the display is done in the proper way; while the text data itself\nis always written in logical order.",
            "installed" : "2025-06-30T19:18:13.000Z",
            "name" : "fribidi",
            "size" : 347380,
            "type" : "rpm",
            "vendor" : "CentOS",
            "version" : "1.0.10-6.el9.2"
          },
          "wazuh" : {
            "cluster" : {
              "name" : "wazuh-VMware-Virtual-Platform"
            },
            "schema" : {
              "version" : "1.0"
            }
          }
        }
      },
      {
        "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform",
        "_id" : "006_050946eb0960e99615ecf95988f96aa67b278099",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "id" : "006",
            "name" : "Cent_Stream",
            "version" : "v4.14.0"
          },
          "package" : {
            "architecture" : "x86_64",
            "description" : "lxml is a Pythonic, mature binding for the libxml2 and libxslt libraries. It\nprovides safe and convenient access to these libraries using the ElementTree It\nextends the ElementTree API significantly to offer support for XPath, RelaxNG,\nXML Schema, XSLT, C14N and much more.To contact the project, go to the project\nhome page < or see our bug tracker at case you want to use the current ...\n\nPython 3 version.",
            "installed" : "2025-06-30T19:18:20.000Z",
            "name" : "python3-lxml",
            "size" : 4351883,
            "type" : "rpm",
            "vendor" : "CentOS",
            "version" : "4.6.5-3.el9"
          },
          "wazuh" : {
            "cluster" : {
              "name" : "wazuh-VMware-Virtual-Platform"
            },
            "schema" : {
              "version" : "1.0"
            }
          }
        }
      },
      {
        "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform",
        "_id" : "006_054268e7568db7e74481fec3f76cabba9612d810",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "id" : "006",
            "name" : "Cent_Stream",
            "version" : "v4.14.0"
          },
          "package" : {
            "architecture" : "noarch",
            "description" : "Python3 bindings for firewalld.",
            "installed" : "2025-06-30T19:30:16.000Z",
            "name" : "python3-firewall",
            "size" : 2193288,
            "type" : "rpm",
            "vendor" : "CentOS",
            "version" : "1.3.4-9.el9"
          },
          "wazuh" : {
            "cluster" : {
              "name" : "wazuh-VMware-Virtual-Platform"
            },
            "schema" : {
              "version" : "1.0"
            }
          }
        }
      }
    ]
  }
}

You can query the system inventory index to look up specific details, such as whether a particular package is installed on any monitored endpoints. For example, the following command checks the package inventory for the presence of the wazuh-agent package. Replace <WAZUH_INDEXER_USERNAME> with the Wazuh indexer username and type the Wazuh indexer password when prompted:

curl -k -u "<WAZUH_INDEXER_USERNAME>" "https://<WAZUH_INDEXER_IP>:9200/wazuh-states-inventory-packages-*/_search?pretty" \
-H 'Content-Type: application/json' \
-d '{
  "query": {
    "term": {
      "package.name": "wazuh-agent"
    }
  }
}'

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 6.9660244,
    "hits" : [
      {
        "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform",
        "_id" : "006_1cdcea1b59fb2fd59b3de004d393bcbcfea352ee",
        "_score" : 6.9660244,
        "_source" : {
          "agent" : {
            "id" : "006",
            "name" : "Cent_Stream",
            "version" : "v4.14.0"
          },
          "package" : {
            "architecture" : "x86_64",
            "description" : "Wazuh helps you to gain security visibility into your infrastructure by monitoring\nhosts at an operating system and application level. It provides the following capabilities:\nlog analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring",
            "installed" : "2025-09-12T18:04:48.000Z",
            "name" : "wazuh-agent",
            "size" : 31169915,
            "type" : "rpm",
            "vendor" : "Wazuh",
            "version" : "4.13.0-1"
          },
          "wazuh" : {
            "cluster" : {
              "name" : "wazuh-VMware-Virtual-Platform"
            },
            "schema" : {
              "version" : "1.0"
            }
          }
        }
      }
    ]
  }
}

Furthermore, you can check whether a package is installed on a specific endpoint. In the command below, we check if the Wazuh agent is installed on a Windows endpoint. Replace <WAZUH_INDEXER_USERNAME> with the Wazuh indexer username, <AGENT_NAME> with the name of the Wazuh endpoint, and type the Wazuh indexer password when prompted.

curl -k -u "<WAZUH_INDEXER_USERNAME>" "https://<WAZUH_INDEXER_IP>:9200/wazuh-states-inventory-packages-*/_search?pretty" \
-H 'Content-Type: application/json' \
-d '{
  "query": {
    "bool": {
      "must": [
        { "term": { "agent.name": "Windows-11" }},
        { "match": { "package.name": "Wazuh Agent" }}
      ]
    }
  }
}'

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 10.26218,
    "hits" : [
      {
        "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform",
        "_id" : "005_717e026c55c0e6b98d7a00d73963ca70cba8609f",
        "_score" : 10.26218,
        "_source" : {
          "agent" : {
            "id" : "005",
            "name" : "Windows-11",
            "version" : "v4.14.0"
          },
          "package" : {
            "architecture" : "i686",
            "name" : "Wazuh Agent",
            "size" : 0,
            "type" : "win",
            "vendor" : "Wazuh",
            "version" : "4.13.0"
          },
          "wazuh" : {
            "cluster" : {
              "name" : "wazuh-VMware-Virtual-Platform"
            },
            "schema" : {
              "version" : "1.0"
            }
          }
        }
      }
    ]
  }
}

Using the Wazuh server API

You can query the Wazuh inventory data using the Wazuh server API, which retrieves nested data in JSON format. You can use the Wazuh server API GUI on the dashboard or a command-line tool like cURL to query the inventory database of a Wazuh agent.

Wazuh server API GUI

Follow these steps to access the Wazuh server API from the Wazuh dashboard.

On the Wazuh dashboard, click the hamburger icon from the top left side and navigate to Server management > Dev Tools.
Type the following command in the console and click the play icon to run the query:
```
GET /syscollector/<AGENT_ID>/
```
Where <AGENT_ID> corresponds to the agent ID of the endpoint.

The Wazuh dashboard will suggest a list of available tables that you can query via the API.
You can use the command GET /syscollector/<AGENT_ID>/packages to query the inventory data for installed packages on the endpoint. After typing, click the play icon to run the query.

Furthermore, you can query the inventory data for specific information about any property. For example, the command below queries the package inventory to check for the wazuh-agent package:
```
GET /syscollector/<AGENT_ID>/packages?pretty=true&name=wazuh-agent
```
Where:
- packages reference the package table in the inventory database, which stores information about the currently installed software on an endpoint. You can reference the table of your interest.
- name=wazuh-agent specifies the wazuh-agent package name. You can use different properties and values.
- pretty=true ensures the output is properly formatted and easy to read.

cURL

Follow the steps below to query the system inventory indices from the command line using cURL:

Generate a JSON Web Token (JWT) for authenticating to the Wazuh server by running the following command. Enter the Wazuh server API password when prompted:

TOKEN=$(curl -u <USER> -k -X GET "https://<WAZUH_SERVER_IP>:55000/security/user/authenticate?raw=true")
Where:

<USER> is the Wazuh server API username. The default username is wazuh.

<WAZUH_SERVER_IP> is the Wazuh server IP address.

Run the command echo $TOKEN to confirm that you successfully generated the token. The output should be like this:
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjQzMDExMjQ0LCJleHAiOjE2NDMwMTIxNDQsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.Ad6zOZvx0BEV7K0J6s3pIXAXTWB-zdVfxaX2fotLfZMQkiYPMkwDaQHUFiOInsWJ_7KZV3y2BbhEs9-kBqlJAMvMAD0NDBPhEQ2qBd_iutZ7QWZECd6eYfIP83xGqH9iqS7uMI6fXOKr3w4aFV13Q6qsHSUQ1A-1LgDnnDGGaqF5ITYo

Query the endpoint information of interest using a command which takes the following format:

curl -k -X GET "https://<WAZUH_SERVER_IP>:55000/syscollector/<AGENT_ID>/<SYSCOLLECTOR_PROPERTY>?pretty=true" -H "Authorization: Bearer $TOKEN"

For example, to retrieve information about the applications installed on an endpoint with agent ID of 010, the command will be:

curl -k -X GET "https://<WAZUH_SERVER_IP>:55000/syscollector/010/packages?pretty=true" -H  "Authorization: Bearer $TOKEN"

The other inventory properties are hardware, hotfixes, netaddr, netiface, netproto, os, ports, and processes. These all correspond to the tables in the inventory database. You can learn more about these options in our API documentation.

{
   "data": {
      "affected_items": [
         {
            "scan": {
               "id": 0,
               "time": "2022-09-27T09:16:45+00:00"
            },
            "priority": "optional",
            "multiarch": "foreign",
            "format": "deb",
            "vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
            "size": 12219,
            "version": "0.4.9-2",
            "description": "encoding data for the poppler PDF rendering library",
            "section": "misc",
            "name": "poppler-data",
            "architecture": "all",
            "agent_id": "010"
         },
         {
            "scan": {
               "id": 0,
               "time": "2022-09-27T09:16:45+00:00"
            },
            "priority": "optional",
            "multiarch": "foreign",
            "format": "deb",
            "vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
            "size": 31,
            "version": "3.20-4",
            "description": "data tables pertaining to HTML",
            "section": "perl",
            "name": "libhtml-tagset-perl",
            "architecture": "all",
            "agent_id": "010"
         },
         {
            "scan": {
               "id": 0,
               "time": "2022-09-27T09:16:45+00:00"
            },
            "priority": "optional",
            "multiarch": "same",
            "format": "deb",
            "vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
            "size": 426,
            "version": "1.17-6ubuntu4.1",
            "description": "MIT Kerberos runtime libraries - krb5 GSS-API Mechanism",
            "section": "libs",
            "source": "krb5",
            "name": "libgssapi-krb5-2",
            "architecture": "amd64",
            "agent_id": "010"
         },
…

Furthermore, you can query the inventory data to find specific information about any property. For example, the command below queries the package inventory to check if the wazuh-agent package is present.

curl -k -X GET "https://<WAZUH_SERVER_IP>:55000/syscollector/010/packages?pretty=true&name=wazuh-agent" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "scan": {
               "id": 0,
               "time": "2025-08-18T16:50:06+00:00"
            },
            "name": "wazuh-agent",
            "section": "System Environment/Daemons",
            "architecture": "x86_64",
            "description": "Wazuh helps you to gain security visibility into your infrastructure by monitoring\nhosts at an operating system and application level. It provides the following capabilities:\nlog analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring",
            "location": " ",
            "source": " ",
            "format": "rpm",
            "install_time": "1755535740",
            "version": "4.12.0-1",
            "size": 30461944,
            "priority": " ",
            "vendor": "Wazuh, Inc <info@wazuh.com>",
            "agent_id": "010"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All specified syscollector information was returned",
   "error": 0
}

Using SQLite

The location of the database for each monitored endpoint is on the Wazuh server at /var/ossec/queue/db/. You can query each database directly by following these steps.

If SQLite is not already installed, install it with this command:
$ sudo apt install sqlite3
$ sudo yum install sqlite3

Use the command below to connect to the database of an endpoint:

$ sqlite3 /var/ossec/queue/db/<AGENT_ID>.db

Where <AGENT_ID> corresponds to the agent ID of the monitored endpoint.

SQLite version 3.7.17 2013-05-20 00:56:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite>

After connecting to the database, you can query the list of tables in it using the command below:

sqlite>.tables

ciscat_results          sca_scan_info           sys_netiface
fim_entry               scan_info               sys_netproto
metadata                sync_info               sys_osinfo
pm_event                sys_browser_extensions  sys_ports
sca_check               sys_groups              sys_processes
sca_check_compliance    sys_hotfixes            sys_programs
sca_check_rules         sys_hwinfo              sys_services
sca_policy              sys_netaddr             sys_users

You can further query the tables for any information you are interested in. For example, if you want to know if a particular software is present on an endpoint, you can query the sys_programs table using sqlite>select * from sys_programs where name="<SOFTWARE_NAME>";. The command below checks whether the wazuh-agent program is present on a monitored Linux endpoint and shows the captured details:

sqlite>select * from sys_programs where name="wazuh-agent";

0|2023/01/06 13:48:56|rpm|wazuh-agent||System Environment/Daemons|25988677|Wazuh, Inc <info@wazuh.com>|1673012221|4.3.10-1|x86_64|||Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring||1|||1cf5a056a0ff5b6201939eba76ef68f6d860af36|5747279dac052d61c6d3ec87b475edddb84e9dd1

Generating system inventory reports

You can generate two types of reports from the Wazuh dashboard. These reports are the IT Hygiene report and the property-specific report.

IT Hygiene report

This feature allows you to export a summary of the properties collected by the Wazuh Syscollector module for a specific endpoint or all monitored endpoints. This report is generated in PDF format and can serve a variety of uses. To download the IT hygiene report:

Click Generate Report in the Dashboard section of the IT Hygiene page.
When the report is ready, click Open report to download it immediately, or go to Dashboard Management > Reporting to download it later.

Property-specific report

This feature allows you to export CSV reports of a specific property of an endpoint. For example, you can generate a report of the installed software on an endpoint. This kind of report is only available for system, software, processes, and network categories.

To download this report, click Export Formatted in the IT Hygiene page for the specific property you are interested in. In the image below, we download the software inventory data for all monitored endpoints.

To streamline the report to a specific endpoint, click Explore agent and select an endpoint. In the image below, we download the software inventory data for a Windows 11 endpoint.

Available inventory fields

The Wazuh server stores the data collected by the Wazuh agents in separate databases for each agent. Each database contains tables with distinct inventory information types, such as hardware, software, and network data. This inventory information is then forwarded to the Wazuh indexer, where it is consolidated for querying, visualization, and deeper analysis. The following section details the structure of the tables within the Wazuh server database and the corresponding indices in the Wazuh indexer. The data in these tables depends directly on the scan configuration defined for the Syscollector module.

Hardware

This scan collects baseline hardware information from monitored endpoints, including CPU, memory, and serial number. The data is stored in the sys_hwinfo table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-hardware-* indices.

The table below maps the fields from the sys_hwinfo table on the Wazuh server to their corresponding fields in the wazuh-states-inventory-hardware-* index on the Wazuh indexer.

Syscollector field	Wazuh indexer field	Type	Description	Example	Available
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	573872577	All
`scan_time`	N/A	N/A	Scan date	2018/07/31 15:31:26	All
`architecture`	`agent.host.architecture`	keyword	Operating system architecture	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`board_serial`	`host.serial_number`	keyword	Motherboard serial number	XDR840TUGM65E03171	All
`cpu_name`	`host.cpu.name`	keyword	CPU name	Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz	All
`cpu_cores`	`host.cpu.cores`	short	Number of cores of the CPU	4	All
`cpu_mhz`	`host.cpu.speed`	long	Current processor frequency	2,420	All
`ram_total`	`host.memory.total`	long	Total RAM	3.9GB	All
`ram_free`	`host.memory.free`	long	Free RAM	2.5GB	All
N/A	`host.memory.used`	long	Used memory, in Bytes	1.4GB	All
`ram_usage`	`host.memory.usage`	scaled_float	Percentage of RAM in use	87	All
`checksum`	N/A	N/A	Integrity synchronization value	503709147600c8e0023cf2b9995772280eee30	All
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Operating system

This scan collects system-level details about each monitored endpoint, including the operating system, version, hostname, and architecture. This data is stored in the sys_osinfo table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-system-* indices.

The table below maps the fields from the sys_osinfo table on the Wazuh server to their corresponding fields in the wazuh-states-inventory-system-* index on the Wazuh indexer.

Syscollector field	Wazuh indexer field	Type	Description	Example	Available
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	468455719	All
`scan_time`	N/A	N/A	Scan date	2018/07/31 15:31:26	All
`architecture`	`agent.host.architecture`	keyword	Operating system architecture.	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`hostname`	`host.hostname`	keyword	Hostname of the machine	ag-ubuntu-16	All
`architecture`	`host.architecture`	keyword	OS architecture	x86_64	All
`os_name`	`host.os.name`	keyword	OS name	Ubuntu	All
`os_version`	`host.os.version`	keyword	OS version	16.04.5 LTS (Xenial Xerus)	All
`os_codename`	`host.os.codename`	keyword	OS version codename	Xenial Xerus	All
`os_major`	`host.os.major`	keyword	Major release version	16	All
`os_minor`	`host.os.minor`	keyword	Minor release version	04	All
`os_patch`	`host.os.patch`	keyword	Patch release version	5	macOS
`os_build`	`host.os.build`	keyword	Optional build-specific	14393	Windows
`os_release`	`host.os.distribution.release`	keyword	Windows Release ID	SP2	Windows
`os_display_version`	`host.os.full`	keyword	Windows display version	20H2	Windows
`os_platform`	`host.os.platform`	keyword	OS platform	ubuntu	All
`sysname`	`host.os.kernel.name`	keyword	System name	Linux	Linux
`release`	`host.os.kernel.release`	keyword	Release name	4.15.0-29-generic	Linux
`version`	`host.os.kernel.version`	keyword	Release version	#31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018	All
`checksum`	N/A	keyword	Integrity synchronization value	503709147600c8e0023cf2b9995772280eee30	All
N/A	`host.os.type`	keyword	Which commercial OS family (one of: linux, macos, unix, windows, ios or android)		All
`reference`	N/A	keyword	Unified primary key	94b6f7b3c1d905aae22a652448df6372da98e5b8	All
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Packages

This scan collects details about the currently installed software on a monitored endpoint, including the package name, installation date, and version. The Vulnerability Detector module uses information from this table to scan and detect vulnerable software. On Linux systems, retrieved packages can be deb, pacman, or rpm. This data is stored in the sys_programs table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-packages-* indices.

The table below maps the fields from the sys_programs table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-packages-* index on the Wazuh indexer.

Syscollector field	Wazuh indexer field	Type	Description	Example	Available
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	1454946158	All
`scan_time`	N/A	N/A	Scan date	2018/07/27 07:27:14	All
`architecture`	`agent.host.architecture`	keyword	Operating system architecture	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`format`	`package.type`	keyword	Format of the package	deb	All
`name`	`package.name`	keyword	Name of the package	linux-headers-generic	All
`priority`	`package.priority`	keyword	Priority of the package	optional	Linux (deb)
`section`	N/A	N/A	Section of the package	kernel	Linux (deb/rpm) and macOS (pkg)
`size`	`package.size`	long	Size of the installed package in bytes	14	Linux (deb/rpm/pacman)
`vendor`	`package.vendor`	keyword	Vendor name	Ubuntu Kernel Team	All
`install_time`	`package.installed`	date	Install date and time of the package	2018/02/08 18:45:48	Linux (rpm/pacman)
`version`	`package.version`	keyword	Version of the package	4.4.0.130.136	All
`architecture`	`package.architecture`	keyword	Architecture of the package	amd64	All
`multiarch`	`package.multiarch`	keyword	Multiarchitecture support	same	Linux (deb)
`source`	`package.source`	keyword	Source of the package	linux-meta	Linux (deb/rpm) and macOS (pkg)
`description`	`package.description`	keyword	Description of the package	Generic Linux kernel headers	Linux (deb/rpm/pacman) and macOS (pkg)
`location`	`package.path`	keyword	Location of the package	C:\Program Files\VMware\VMware Tools\	Windows and macOS (pkg)
`checksum`	N/A	N/A	Integrity synchronization value	78503709147600c8e0023cf2b9995772280eee30	All
`item_id`	N/A	N/A	Unified primary key	4323709147600c8e0023cf2b9995772280eef451	All
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Networks

The network scan retrieves information about the network configuration of a monitored endpoint. It includes details about the existing network interfaces (up and down interfaces), IP addresses, and the routing configuration. The information is organized into three categories of network scans, ensuring the data is structured and easy to interpret.

Network interfaces
Network addresses
Network protocols

Network interfaces

This scan collects details about the network interfaces on monitored endpoints. This information is stored in the sys_netiface table on the Wazuh server and indexed in the Wazuh indexer under the wazuh-states-inventory-interfaces-* indices.

The table below maps the fields from the sys_netiface table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-interfaces-* index on the Wazuh indexer.

Syscollector Field	Wazuh indexer field	Type	Description	Example	Available
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	160615720	All
`scan_time`	N/A	N/A	Scan date	2018/07/31 16:46:20	All
`architecture`	`agent.host.architecture`	keyword	Operating system architecture.	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`name`	`interface.name`	keyword	Interface name	eth0	All
`adapter`	`interface.alias`	keyword	Physical adapter name	Intel(R) PRO/1000 MT Desktop Adapter	Windows
`type`	`interface.type`	keyword	Network interface adapter	ethernet	All
`state`	`interface.state`	keyword	State of the interface	up	All
`mtu`	`interface.mtu`	long	Maximum Transmission Unit	1500	All
`mac`	`host.mac`	keyword	MAC Address	08:00:27:C0:14:A5	All
`tx_packets`	`host.network.egress.packets`	long	Transmitted packets	10034626	All
`rx_packets`	`host.network.ingress.packets`	long	Received packets	12754	All
`tx_bytes`	`host.network.egress.bytes`	long	Transmitted bytes	10034626	All
`rx_bytes`	`host.network.ingress.bytes`	long	Received bytes	1111175	All
`tx_errors`	`host.network.egress.errors`	long	Transmission errors	0	All
`rx_errors`	`host.network.ingress.errors`	long	Reception errors	0	All
`tx_dropped`	`host.network.egress.drops`	long	Dropped transmission packets	0	All
`rx_dropped`	`host.network.ingress.drops`	long	Dropped reception packets	0	All
`checksum`	N/A	N/A	Integrity synchronization value	8503709147600c8e0023cf2b9995772280eee30	All
`item_id`	N/A	N/A	Unified primary key	4323709147600c8e0023cf2b9995772280eef41	All
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Network addresses

Network address scan collects information about the IPv4 and IPv6 addresses assigned to network interfaces on monitored endpoints. This information is stored in the sys_netaddr table on the Wazuh server and indexed in the Wazuh indexer under the wazuh-states-inventory-networks-* indices.

The table below maps the fields from the sys_netaddr table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-networks-* index on the Wazuh indexer.

Syscollector field	Wazuh indexer field	Type	Description	Example	Available
`id`	N/A	N/A	Referenced ID from sys_netiface	1	All
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	160615720	All
`architecture`	`agent.host.architecture`	keyword	Operating system architecture	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`iface`	`interface.name`	keyword	Network interface name	eth0	All
`metric`	`network.metric`	long	Interface metric for routing decisions		All
`proto`	`network.type`	keyword	Protocol name	ipv4	All
`address`	`network.ip`	ip	IPv4/IPv6 address	192.168.1.87	All
`netmask`	`network.netmask`	ip	Netmask address	255.255.255.0	All
`dhcp`	`network.dhcp`	boolean	Indicates whether DHCP is enabled (yes/no).		All
`broadcast`	`network.broadcast`	ip	Broadcast address	192.168.1.255	All
`checksum`	N/A	N/A	Integrity synchronization value	78503709147600c8e0023cf2b9995772280eee30	All
`item_id`	N/A	N/A	Unified primary key	4323709147600c8e0023cf2b9995772280eef4	All
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Network protocols

This scan stores details about network routing and supported protocols for each interface on monitored endpoints, including protocol types, routing tables, and interface associations. This information is stored in the sys_netproto table on the Wazuh server and indexed in the Wazuh indexer under the wazuh-states-inventory-protocols-* indices.

The table below maps the fields from the sys_netproto table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-protocols-* index on the Wazuh indexer.

Syscollector Field	Wazuh indexer field	Type	Description	Example	Available
`id`	N/A	N/A	Referenced ID from sys_netiface	1	All
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	160615720	All
`architecture`	`agent.host.architecture`	keyword	Operating system architecture.	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`type`	`network.type`	keyword	Protocol of the interface data	ipv4	All
`gateway`	`network.gateway`	ip	Default gateway	192.168.1.1	Linux/Windows/macOS
`iface`	`interface.name`	keyword	Interface name	eth0	All
`dhcp`	`network.dhcp`	boolean	DHCP status	enabled	Linux/Windows
`metric`	`network.metric`	long	Routing metric value		All
`checksum`	N/A	N/A	Integrity synchronization value	78503709147600c8e0023cf2b9995772280eee30	All
`item_id`	N/A	N/A	Unified primary key	4323709147600c8e0023cf2b9995772280eef4	All
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Ports

This scan retrieves information about the open ports on a monitored endpoint, including the port number, port protocol, associated services, and listening states. This information is stored in the sys_ports table on the Wazuh server and indexed in the Wazuh indexer under the wazuh-states-inventory-ports-* indices.

The table below maps the fields from the sys_ports table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-ports-* index on the Wazuh indexer.

Syscollector Field	Wazuh indexer field	Type	Description	Example	Available
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	1618114744	All
`scan_time`	N/A	N/A	Scan date	2018/07/27 07:27:15	All
`architecture`	`agent.host.architecture`	keyword	Operating system architecture.	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`protocol`	`network.transport`	keyword	Protocol of the port	tcp	All
`local_ip`	`destination.ip`	ip	Local IP address	0.0.0.0	All
`local_port`	`destination.port`	long	Local port	22	All
`remote_ip`	`source.ip`	ip	Remote IP address	0.0.0.0	All
`remote_port`	`source.port`	long	Remote port	0	All
`tx_queue`	`host.network.egress.queue`	long	Packets pending to be transmitted	0	Linux
`rx_queue`	`host.network.ingress.queue`	long	Packets at the receiver queue	0	Linux
`inode`	`file.inode`	keyword	Inode of the port	16974	Linux
`state`	`interface.state`	keyword	State of the port	listening	All
`PID`	`process.pid`	long	PID owner of the opened port	4	Windows/macOS
`process`	`process.name`	keyword	Name of the process using the port	System	Windows/macOS
`checksum`	N/A	N/A	Integrity synchronization value	78503709147600c8e0023cf2b9995772280eee30	All
`item_id`	N/A	N/A	Unified primary key	4323709147600c8e0023cf2b9995772280eef412	All
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Processes

The processes scan collects details about processes running on monitored endpoints, including the process name, process ID (PID), and the associated user. This information is stored in the sys_processes table on the Wazuh server and indexed in the Wazuh indexer under the wazuh-states-inventory-processes-* indices.

The table below maps the fields from the sys_processes table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-processes-* index on the Wazuh indexer.

Syscollector Field	Wazuh indexer field	Type	Description	Example	Available
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	215303769	All
`scan_time`	N/A	N/A	Scan date	2018/08/03 12:57:58	All
`architecture`	`agent.host.architecture`	keyword	Operating system architecture.	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`pid`	`process.pid`	long	PID of the process	603	All
`name`	`process.name`	keyword	Name of the process	rsyslogd	All
`state`	`process.state`	keyword	State of the process	S	Linux/macOS
`ppid`	`process.parent.pid`	long	PPID of the process	1	All
`utime`	`process.utime`	long	Time spent executing user code	157	Linux
`stime`	`process.stime`	long	Time spent executing system code	221	All
`cmd`	`process.command_line`	keyword	Command executed	/usr/sbin/rsyslogd	Linux/Windows
`argvs`	`process.args`	keyword	Arguments of the process	-n	Linux
`euser`	N/A	N/A	Effective user	root	Linux/macOS
`ruser`	N/A	N/A	Real user	root	Linux/macOS
`suser`	N/A	N/A	Saved-set user	root	Linux
`egroup`	N/A	N/A	Effective group	root	Linux
`rgroup`	N/A	N/A	Real group	root	Linux/macOS
`sgroup`	N/A	N/A	Saved-set group	root	Linux
`fgroup`	N/A	N/A	Filesystem group name	root	Linux
`priority`	N/A	N/A	Kernel scheduling priority	20	All
`nice`	N/A	N/A	Nice value of the process	0	Linux/macOS
`size`	N/A	N/A	Size of the process	53030	All
`vm_size`	N/A	N/A	Total VM size (KB)	212120	All
`resident`	N/A	N/A	Resident set size of the process in bytes	902	Linux
`share`	N/A	N/A	Shared memory	814	Linux
`start_time`	`process.start`	date	Time when the process started	1893	Linux
`pgrp`	N/A	N/A	Process group	603	Linux
`session`	N/A	N/A	Session of the process	603	All
`nlwp`	N/A	N/A	Number of light weight processes	3	All
`tgid`	N/A	N/A	Thread Group ID	603	Linux
`tty`	N/A	N/A	Number of TTY of the process	0	Linux
`processor`	N/A	N/A	Number of the processor	0	Linux
`checksum`	N/A	N/A	Integrity synchronization value	78503709147600c8e0023cf2b9995772280eee30	All
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Windows updates

This scan collects details about the updates installed on Windows endpoints. The Vulnerability Detector module uses the hotfix identifier to discover what vulnerabilities exist on Windows endpoints and the patches you have applied. This information is stored in the sys_hotfixes table on the Wazuh server and indexed in the Wazuh indexer under the wazuh-states-inventory-hotfixes-* indices.

The table below maps the fields from the sys_hotfixes table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-hotfixes-* index on the Wazuh indexer.

Syscollector Field	Wazuh indexer field	Type	Description	Example	Available
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	1618114744	Windows
`scan_time`	N/A	N/A	Scan date	2019/08/22 07:27:15	Windows
`architecture`	`agent.host.architecture`	keyword	Operating system architecture.	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`hotfix`	`package.hotfix.name`	keyword	Name or identifier of the applied hotfix	KB4489899	Windows
`checksum`	N/A	N/A	Integrity synchronization value	78503709147600c8e0023cf2b9995772280eee30	Windows
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Users

This scan collects user account information on monitored endpoints, including username, login status, and ID. The data is stored in the sys_users table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-users-* indices.

The table below maps the fields from the sys_users table on the Wazuh server to their corresponding fields in the wazuh-states-inventory-users-* index on the Wazuh indexer.

Syscollector field	Wazuh indexer field	Type	Description	Example	Available
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	573872577	All
`scan_time`	N/A	N/A	Scan date	2018/07/31 15:31:26	All
`architecture`	`agent.host.architecture`	keyword	Operating system architecture	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`host_ip`	`host.ip`	ip	Host ip addresses	192.168.1.2	All
`login_status`	`login.status`	boolean	Whether the login was successful or the user is currently logged in	true	All
`login_tty`	`login.tty`	keyword	Terminal associated with the login session (e.g., pts/1)	pts/1	All
`login_type`	`login.type`	keyword	Type of login session. Example values: "user", "system", "remote"	user	All
`process_pid`	`process.pid`	long	Process id	4242	All
`user_auth_failures.count`	`user.auth_failures.count`	integer	Number of failed authentication attempts	3	macOS
`user_auth_failed_timestamp`	`user.auth_failures.timestamp`	date	Timestamp of the last authentication failure	1714067165.0	macOS
`user_created`	`user.created`	date	Datetime when the user was created	2024-04-25T10:15:05.707Z	macOS
`user_full_name`	`user.full_name`	keyword	User's full name, if available	Albert Einstein	All
`user_group_id`	`user.group.id`	unsigned_long	Group ID	1001	All
`user_group_id_signed`	`user.group.id_signed`	long	Signed group ID	1001	All
`user_groups`	`user.groups`	keyword	List of groups the user belongs to	Test,Default,Sudo	All
`user_home`	`user.home`	keyword	Home directory of the user	/home/wazuh	All
`user_id`	`user.id`	keyword	Unique identifier of the user	S-1-5-21-202424912787-2692429404-2351956786-1000 \| All
`user_is_hidden`	`user.is_hidden`	boolean	Whether the user is hidden	false	macOS
`user_is_remote`	`user.is_remote`	boolean	Whether the user is remote	true	Linux
`user_last_login`	`user.last_login`	date	Date of the last login	2025-05-21T12:10:04Z	All
`user_name`	`user.name`	keyword	Short name or login of the user	a.einstein	All
`user_password_expiration_date`	`user.password.expiration_date`	date	Password expiration date (epoch)	1	Linux
`user_password_hash_algorithm`	`user.password.hash_algorithm`	keyword	Algorithm used to hash the password	6	Linux
`user_password_inactive_days`	`user.password.inactive_days`	integer	Number of days of inactivity before disabling the password	1	Linux
`user_password_last_change`	`user.password.last_change`	date	Last time the password was changed (Unix epoch)	1714057168.4795	Linux, macOS
`user_password_max_days_between_changes`	`user.password.max_days_between_changes`	integer	Maximum days between password changes	99999	Linux
`user_password_min_days_between_changes`	`user.password.min_days_between_changes`	integer	Minimum days between password changes	0	Linux
`user_password_status`	`user.password.status`	keyword	Password status (e.g., active)	active	Linux
`user_password_warning_days_before_expiration`	`user.password.warning_days_before_expiration`	integer	Days before expiration to warn user	7	Linux
`user_roles`	`user.roles`	keyword	Roles assigned to the user	sudo	Linux, macOS
`user_shell`	`user.shell`	keyword	Shell used by the user	/bin/bash	All
`user_type`	`user.type`	keyword	Type of user (e.g., "system", "regular")	local	Windows
`user_uid_signed`	`user.uid_signed`	long	Signed user ID	1001	All
`user_uuid`	`user.uuid`	keyword	UUID (macOS) or SID (Windows)	D883AD4F-AF58-4BA6-AE07...	macOS, Windows
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Groups

The scan collects details about user account groups on monitored endpoints, such as group identifiers, names, associated users. The data is stored in the sys_groups table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-groups-* indices.

The table below maps the fields from the sys_groups table on the Wazuh server to their corresponding fields in the wazuh-states-inventory-groups-* index on the Wazuh indexer.

Syscollector field	Wazuh indexer field	Type	Description	Example	Available
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	573872577	All
`scan_time`	N/A	N/A	Scan date	2018/07/31 15:31:26	All
`architecture`	`agent.host.architecture`	keyword	Operating system architecture	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`group_description`	`group.description`	keyword	Description of the group	Administrative group	macOS, Windows
`group_id`	`group.id`	unsigned_long	Unsigned Group ID	80	All
`group_id_signed`	`group.id_signed`	long	Signed Group ID	-80	All
`group_is_hidden`	`group.is_hidden`	boolean	Whether the group is hidden	false	All
`group_name`	`group.name`	keyword	Name of the group	admin	All
`group_users`	`group.users`	keyword	List of users that belong to the group	alice	All
`group_uuid`	`group.uuid`	keyword	Unique group ID	S-1-5-21-3623811015-...	Windows
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Services

This scan collects services information from monitored endpoints, including service name, description and state. The data is stored in the sys_services table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-services-* indices.

The table below maps the fields from the sys_services table on the Wazuh server to their corresponding fields in the wazuh-states-inventory-services-* index on the Wazuh indexer.

Syscollector field	Wazuh indexer field	Type	Description	Example	Available
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	573872577	All
`scan_time`	N/A	N/A	Scan date	2018/07/31 15:31:26	All
`architecture`	`agent.host.architecture`	keyword	Operating system architecture	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`error_log_file_path`	`error.log.file.path`	keyword	Full path to the log file this event came from	/var/log/fun-times.log	All
`file_path`	`file.path`	keyword	Full path to the file, including the file name	/home/alice/example.png	Linux / macOS
`log_file_path`	`log.file.path`	keyword	Full path to the log file this event came from	/var/log/fun-times.log	macOS
`process_args`	`process.args`	keyword	Array of process arguments	["/usr/bin/ssh", "-l", "user", "10.0.0.16"]	macOS
`process_executable`	`process.executable`	keyword	Absolute path to the process executable	/usr/bin/ssh	All
`process_group_name`	`process.group.name`	keyword	Name of the group	admin	macOS
`process_pid`	`process.pid`	long	Process id	4242	All
`process_root_directory`	`process.root_directory`	keyword	Chroot directory before execution		macOS
`process_user_name`	`process.user.name`	keyword	Short name or login of the user	a.einstein	All
`process_working_directory`	`process.working_directory`	keyword	The working directory of the process	/home/alice	macOS
`service_address`	`service.address`	keyword	Path to the service DLL (ServiceDll)	172.26.0.2:5432	Windows
`service_description`	`service.description`	keyword	Description of the service	Apache HTTP Server	Windows / Linux
`service_enabled`	`service.enabled`	keyword	Whether the unit file is enabled, masked, disabled, etc	enabled	Linux / macOS
`service_exit_code`	`service.exit_code`	integer	Service-specific exit code on failure	0	Windows
`services.win32_exit_code`	`service.win32_exit_code`	integer	Service-specific exit code on failure	0	Windows
`service_frequency`	`service.frequency`	long	Frequency in seconds at which the service is run	3600	macOS
`service_id`	`service.id`	keyword	Unique identifier of the running service	d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6	All
`service_inetd_compatibility`	`service.inetd_compatibility`	boolean	Run job as if launched from inetd	FALSE	macOS
`service_name`	`service.name`	keyword	Name of the service	elasticsearch-metrics	Windows / macOS
`service_object_path`	`service.object_path`	keyword	D-Bus object path of the service	/org/freedesktop/systemd1/unit/apache2_2eservice	Linux
`service_restart`	`service.restart`	keyword	Restart policy for the service, e.g. always, on-failure, never	on-failure	macOS
`service_start_type`	`service.start_type`	keyword	Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED	AUTO_START	Windows / macOS
`service_starts_on_mount`	`service.starts.on_mount`	boolean	Launches every time a filesystem is mounted	TRUE	macOS
`service_starts_on_not_empty_directory`	`service.starts.on_not_empty_directory`	keyword	Launches when directories become non-empty	[/var/spool/mail, /tmp/uploads]	macOS
`service_starts_on_path_modified`	`service.starts.on_path_modified`	keyword	Launches on path modification	['/var/log', '/etc/config']	macOS
`service_state`	`service.state`	keyword	Current state of the service.	inactive	All
`service_sub_state`	`service.sub_state`	keyword	The low-level unit activation state, values depend on unit type	running	All
`service_target_address`	`service.target.address`	keyword	Address of this service	/	Linux
`service_target_ephemeral_id`	`service.target.ephemeral_id`	keyword	Ephemeral identifier of this service	8a4f500f	Linux
`service_target_type`	`service.target.type`	keyword	The type of the service	notify	Linux
`service_type`	`service.type`	keyword	The type of the service	SHARE_PROCESS	Windows / macOS
`service_win32_exit_code`	`service.win32_exit_code`	integer	Win32 exit code on start/stop	0	Windows
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node name	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Browser extensions

This scan collects browser extensions details from monitored endpoints, including browser name, extension description and status. The data is stored in the sys_browser_extensions table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-browser-extensions-* indices.

The table below maps the fields from the sys_browser_extensions table on the Wazuh server to their corresponding fields in the wazuh-states-inventory-browser-extensions-* index on the Wazuh indexer.

Syscollector field	Wazuh indexer field	Type	Description	Example	Browser / OS
`scan_id`	N/A	N/A	Identifier for the last syscollector scan	573872577	All
`scan_time`	N/A	N/A	Scan date	2018/07/31 15:31:26	All
`architecture`	`agent.host.architecture`	keyword	Operating system architecture	x86_64	All
`agent_ip`	`agent.host.ip`	ip	IP address of the agent	192.168.33.1	All
`agent_name`	`agent.name`	keyword	Name of the agent	wazuh	All
`agent_version`	`agent.version`	keyword	Agent version	v4.14.0	All
`agent_id`	`agent.id`	keyword	Unique ID of the agent	001	All
`browser_name`	`browser.name`	keyword	Name of the browser. Valid values: chrome, chromium, opera, yandex, brave, edge, edge_beta.	chrome	All
`browser_profile_name`	`browser.profile.name`	keyword	Name of the browser profile	default	Chrome
`browser_profile_path`	`browser.profile.path`	keyword	Path to the browser profile	/home/user/.config/google-chrome/Default	Chrome
`browser_profile_referenced`	`browser.profile.referenced`	boolean	Indicates if the extension is referenced by the Preferences file of the browser profile	TRUE	Chrome
`file_hash_sha256`	`file.hash.sha256`	keyword	SHA256 hash	848f07be3c32aa5a4f23670b99b48ff34e7c9eb51af137d61832feb244ba6132	Chrome
`package_autoupdate`	`package.autoupdate`	boolean	Indicates if the browser extension is set to auto-update.	TRUE	Firefox
`package_build_version`	`package.build_version`	keyword	Build version information	36f4f7e89dd61b0988b12ee000b98966867710cd	Safari
`package_description`	`package.description`	keyword	Description of the package	Open source programming language to build simple/reliable/efficient software	All
`package_enabled`	`package.enabled`	boolean	Indicates if the browser extension is enabled	TRUE	Chrome, Firefox
`package_from_webstore`	`package.from_webstore`	boolean	Indicates if the browser extension was installed from a webstore	TRUE	Chrome
`package_id`	`package.id`	keyword	Unique identifier for the browser extension	com.example.extension	All
`package_installed`	`package.installed`	date	Time when package was installed	Oct 22, 2025 @ 18:16:37.000	Chrome
`package_name`	`package.name`	keyword	Package name	Data Leak Blocker	All
`package_path`	`package.path`	keyword	Path where the package is installed	/usr/local/Cellar/go/1.12.9/	All
`package_permissions`	`package.permissions`	keyword	Permissions required by the browser extension	["tabs", "storage"]	Chrome
`package_persistent`	`package.persistent`	boolean	Indicates if the browser extension is persistent accross tabs	TRUE	Chrome
`package_reference`	`package.reference`	keyword	Package home page or reference URL	https://golang.org	Chrome
`package_type`	`package.type`	keyword	Package type	theme	Firefox
`package_vendor`	`package.vendor`	keyword	Vendor, author or creator of the browser extension	Example Inc.	Chrome, Firefox, Safari
`package_version`	`package.version`	keyword	Package version	1.12.9	All
`package_visible`	`package.visible`	boolean	Indicates if the browser extension is visible in the toolbar.	TRUE	Firefox
`user_id`	`user.id`	keyword	Unique identifier of the user	S-1-5-21-202424912787-2692429404-2351956786-1000	All except IE
`cluster_name`	`wazuh.cluster.name`	keyword	Wazuh cluster name	wazuh	All
`cluster_node`	`wazuh.cluster.node`	keyword	Wazuh cluster node name	node01	All
`schema_version`	`wazuh.schema.version`	keyword	Wazuh schema version	1.0	All

Compatibility matrix

The Syscollector module supports different options across various operating systems on which the Wazuh agent can be installed. The following table shows the scans that are compatible with various operating systems.

Operating System	Syscollector scan
Operating System	Hardware	OS	Packages	Network	Ports	Processes	Hotfixes	Users	Groups	Services	Browser extensions
Windows	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓	✓
Linux	✓	✓	✓	✓	✓	✓	✗	✓	✓	✓	✓
macOS	✓	✓	✓	✓	✓	✓	✗	✓	✓	✓	✓
FreeBSD	✓	✓	✓	✓	✗	✗	✗	✗	✗	✗	✗
OpenBSD	✓	✓	✗	✓	✗	✗	✗	✗	✗	✗	✗

The module detects various package formats depending on the operating system. This is shown in the table below.

The packages scan supports detection of NPM (Node Package Manager) and PyPI (Python Package Index) packages in some of operating systems. The NPM and PyPI scan isn't available in all operating systems. The scan requires a C++ compiler supporting the 17 standard (GCC>=7).

Note

Support for scanning NPM and PyPI packages is limited to the default installation paths.

Operating System	Syscollector package scan support
Operating System	NPM	PyPI	rpm	deb	pacman	pkg
Windows	√	√	–	–	–	–
Linux	√	√	√	√	√	–
macOS	√	√	–	–	–	–
FreeBSD	√	√	–	–	–	√
OpenBSD	✗	✗	–	–	–	✗
Solaris	√	√	–	–	–	√

Using Syscollector information to trigger alerts

You can create rules to trigger alerts based on the information collected by the Syscollector module and display this information in the alert's description. Syscollector uses the rule ID 221, and the rule level is 0, so by default, it is not shown on the Wazuh dashboard. To see Syscollector searchable fields on the Wazuh dashboard, you need a custom rule that inherits the Syscollector rule ID.

Create a custom rule that uses the built-in Syscollector rule 221

You must create custom rules that inherit the parent rule ID 221 with a severity level of 3 or higher. For example, the custom rule in the /var/ossec/etc/rules/local_rules.xml file below is triggered when a port is opened, modified, or closed on a monitored endpoint:

<group name="syscollector,">
  <!-- ports -->
  <rule id="100310" level="3" >
      <if_sid>221</if_sid>
      <field name="type">dbsync_ports</field>
      <description>Syscollector ports event.</description>
  </rule>

  <rule id="100311" level="3" >
      <if_sid>100310</if_sid>
      <field name="operation_type">INSERTED</field>
      <description>The port: $(port.local_port), with local ip: $(port.local_ip) has been opened. Syscollector creation event detected.</description>
  </rule>

  <rule id="100312" level="3" >
      <if_sid>100310</if_sid>
      <field name="operation_type">MODIFIED</field>
      <description>The port: $(port.local_port), with local ip: $(port.local_ip) has been modified. Syscollector modification event detected.</description>
  </rule>

  <rule id="100313" level="3" >
      <if_sid>100310</if_sid>
      <field name="operation_type">DELETED</field>
      <description>The port: $(port.local_port), with local ip: $(port.local_ip) has been closed. Syscollector deletion event detected.</description>
  </rule>
</group>

After adding the configuration, restart the Wazuh manager.

# systemctl restart wazuh-manager

The alerts for a port opening operation are displayed in the Wazuh dashboard as follows:

Note

The initial scan does not generate alerts. Alerts are triggered after a difference in results between the first and second Syscollector scans is detected. This second scan will occur when the configured interval is reached.

New searchable fields on the Wazuh dashboard

You can create Syscollector custom rules using any of the discussed methods, then search for Syscollector alerts on the Wazuh dashboard. The Wazuh indexer saves the Syscollector fields as data.type.value. For example, for hardware type, the cpu_name field is data.hardware.cpu_name. The table lists all searchable fields for the different Syscollector properties.

Type	Fields	Example
Hardware	cpu_name, cpu_cores, cpu_mhz, ram_total, ram_free, ram_usage	data.hardware.cpu_mhz
Operating System	architecture, name, version, codename, major, minor, build, platform, sysname, release, release_version	data.os.codename
Port	local_ip, local_port, remote_ip, remote_port, tx_queue, rx_queue, inode, state, pid, process	data.port.inode
Program	name, priority, section, size, vendor, install_time, version, architecture, multiarch, source, description, location	data.program.name
Process	name, state, ppid, utime, stime, cmd, args, euser, ruser, suser, egroup, sgroup, fgroup, rgroup, priority, nice, size, vm_size, resident, share, start_time, pgrp, session, nlwp, tgid, tty, processor	data.process.state
Network	mac, adapter, type, state, mtu, tx_bytes, rx_bytes, tx_errors, rx_errors, tx_dropped, rx_dropped, tx_packets, rx_packets, ipv4, ipv6	data.netinfo.iface.ipv4.address, data.netinfo.iface.mac
Hotfix	hotfix	data.hotfix
Users	host_ip, login_status, login_tty, login_type, process_pid, user_auth_failures.count, user_auth_failed_timestamp, user_created, user_full_name, user_group_id, user_group_id_signed, user_groups, user_home, user_id, user_is_hidden, user_is_remote, user_last_login, user_name, user_password_expiration_date, user_password_hash_algorithm, user_password_inactive_days, user_password_last_change, user_password_max_days_between_changes, user_password_min_days_between_changes, user_password_status, user_password_warning_days_before_expiration, user_roles, user_shell, user_type, user_uid_signed, user_uuid	data.host_ip
Groups	group_id, group_id_signed, group_is_hidden, group_name, group_users, group_uuid	data.group_id
Services	error_log_file_path, file_path, log_file_path, process_args, process_executable, process_group_name, process_pid, process_root_directory, process_user_name, process_working_directory, service_address, service_description, service_enabled, service_exit_code, services.win32_exit_code, service_frequency, service_id, service_inetd_compatibility, service_name, service_object_path, service_restart, service_start_type, service_starts_on_mount, service_starts_on_not_empty_directory, service_starts_on_path_modified, service_state, service_sub_state, service_target_address, service_target_ephemeral_id, service_target_type, service_type, service_win32_exit_code	data.error_log_file_path
Browser extensions	browser_name, browser_profile_name, browser_profile_path, browser_profile_referenced, file_hash_sha256, package_autoupdate, package_build_version, package_description, package_enabled, package_from_webstore, package_id, package_installed, package_name, package_path, package_permissions, package_persistent, package_reference, package_type, package_vendor, package_version, package_visible, user_id	data.browser_name

Use cases

The following use cases show practical applications of visualizing system inventory data for security operations on the Wazuh dashboard.

Use case 1. Resource monitoring

Monitor memory usage across all endpoints to assess system performance and find devices with low available memory.

Navigate to the Security operations tab and select IT Hygiene.
Select the System tab and then Hardware.
Click + Add filter and configure it as follows:
- Field: host.memory.free
- Operator: exists

Use case 2: Vulnerability management

Identify all endpoints running a specific software package to assess vulnerability exposure. In this example, we identify all endpoints running a vulnerable version of systemd ( CVE-2025-4598).

Click the ☰ icon and navigate to the Security operations tab and select IT Hygiene.
Select the Software tab and then Packages.
Click + Add filter and configure it as follows:
- Field: package.name
- Operator: is
- Value is systemd
Click the ☰ icon at the top left corner and navigate to Threat intelligence and select Vulnerability Detection.
Select the Inventory tab.
Click + Add filter and configure it as follows:
- Field: package.name
- Operator: is
- Value is systemd

Monitoring system calls

Monitoring system calls on Linux endpoints provides information for security auditing purposes. Collecting and analyzing system call data helps security teams identify patterns of suspicious behavior and investigate potential security incidents on time.

The Linux Audit system is a powerful tool for collecting security and non-security events on Linux endpoints. However, the sheer volume of data generated by the audit logs can make it difficult for system administrators to identify potential security threats and violations.

Wazuh uses the Linux Audit system to monitor system calls on Linux endpoints. The Wazuh agent installs and configures audit rules on monitored endpoints to collect system call events and sends them to the Wazuh server for analysis. These audit rules capture events relevant to security monitoring. Wazuh provides out-of-the-box detection rules that use the system call events to detect multiple activities, including file access, command execution, privilege escalation, malware, and more. Security teams can customize these rules to meet specific security requirements or compliance standards, thereby obtaining real-time insights into potential security incidents.

By providing a centralized view of audit events, Wazuh simplifies the task of monitoring system activities and helps organizations comply with regulatory requirements. Overall, the Wazuh auditing capability provides a robust and comprehensive security monitoring solution for Linux systems, helping organizations improve their security posture and protect against cyber threats.

Contents

How it works

Note

This guide is based on the official Audit guide.

The Linux Audit system is a feature of the Linux kernel that provides a framework for system auditing and monitoring. It is usually installed by default on RedHat and CentOS operating systems but can be manually installed on other Linux distributions. It captures and records various events, including system calls, file system activity, and network activity, among others.

When an event occurs on an endpoint, the Linux kernel generates an audit record that contains information about the event, such as the date and time, the user who initiated the event, the type of event, and any relevant parameters. The audit daemon collects and stores these audit records in a secure audit log file.

You can view and analyze the audit log files using various audit management tools, which provide insights into system activity, detect security issues, and help identify potential threats.

You can configure the Linux Audit system to monitor specific events based on user-defined rules and policies. This enables security teams to customize the auditing process to their specific needs and requirements. It uses a set of rules to define what is to be monitored and captured in the log files. The following are the three types of audit rules specification:

File system rules: These rules track access to files and directories.
Control rules: These allow the behavior and default configuration of the Linux Audit system to be modified.
System call rules: These rules log specific programs’ system calls.

Audit rules are specified interactively using the auditctl utility, but to make changes persistent, you need to add the audit rules to the /etc/audit/audit.rules file.

Note

You need root user privileges to run all the commands described below.

File system rules

You can use these rules to monitor file access on a Linux endpoint. They track when specific files are accessed or modified, or monitor changes to entire directories. File system rules can also track failed attempts to access files.

To define a file system rule, use the following syntax:

# auditctl -w <PATH> -p <PERMISSIONS> -k <KEY_NAME>

Where:

`-w <PATH>`	`<PATH>`: specifies what file or directory to audit.
`-p <PERMISSIONS>`	`<PERMISSIONS>` are the permissions that are for auditing, including the following:
	Values	r	read access to a file or a directory
		w	write access to a file or a directory
		x	execute access to a file or a directory
		a	change in the file's or directory's attribute
`-k <KEY_NAME>`	`<KEY_NAME>` assigns a unique identifier to the rule. It tags the audit events that match the rule to make searching for and analyzing related events easier. Wazuh requires this argument to analyze the logs more accurately.

For example, the following command defines a rule that logs all write access and every attribute change of the /etc/passwd file:

# auditctl -w /etc/passwd -p wa -k passwd_changes

Control rules

These rules enforce security policies on the system, including implementing access controls and limiting the actions that specific users or processes can perform. For example, a policy that prevents processes from executing certain commands or accessing specific system resources.

The table illustrates some examples of how to modify the behavior of the audit system.

`auditctl -b`	Set the maximum amount of existing audit buffers in the kernel.
`auditctl -f`	Define the action to be executed upon detecting a critical error.
`auditctl -e`	Enable/disable the audit feature or set its configuration as read-only.
`auditctl -s`	Display the status of the Linux Audit System, including the enabled audit rules, failure modes, and other relevant information.
`auditctl -l`	List all the audit rules that are currently loaded into the system.
`auditctl -D`	Delete all currently loaded audit rules.

System call rules

These rules monitor system calls made by specific users or processes. They track specific or all system calls a particular user or process makes. System call rules can be specified in several ways, including by a syscall number, name, or by a combination of both.

To define a system call rule, use the following syntax:

# auditctl -a <ACTION>,<FILTER> -S <SYSTEM_CALL> -F FIELD=VALUE -k <KEY_NAME>

Where:

`-a <ACTION>, <FILTER>`	Tells the kernel's rule matching engine to append a rule at the end of the rule list. We must specify which rule list to append it to and what action to take when it triggers.
	`<ACTION>`	always	Sets the rule to always generate an audit event when the specified action occurs, regardless of whether it succeeded or failed.
		never	Sets the rule to never generate an audit event for the specified action, even if the event would normally be audited.
	The `<FILTER>` value specifies which kernel rule-matching filter is applied to the event
	`<FILTER>`	task	Only audit events fork or clone syscalls. This is rarely used in practice.
		exit	All syscall and file system audit requests are evaluated.
		user	This is used to remove some events that originate in user space. By default, any event originating in user space is allowed.
		exclude	This is used to exclude certain events from being logged. msgtype is used to tell the kernel which message to filter out. For more granular control over which events to audit, use the user and exit filters instead.
`-S <SYSTEM_CALL>`	This specifies which system_call to audit. Multiple system calls can be specified in a single rule. A list of all system calls can be found with the command `ausyscall --dump`.
`-F <FIELD=VALUE>`	Use `FIELD=VALUE` to specify additional criteria to narrow down which events to audit, based on: architecture, group ID, process ID, and more. Multiple `-F` options can be used in a single rule.
`-k <KEY_NAME>`	`<KEY_NAME>` assigns a unique identifier to the rule. It tags the audit events that match the rule to make searching for and analyzing related events easier. Wazuh requires this argument to analyze the logs more accurately.

For example, the following configuration defines a rule that creates a log entry every time a file is deleted or renamed by a system user whose ID is 500 or larger:

# auditctl -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

Note

-F auid!=4294967295 option is used to exclude users whose login UID is not set.

It is also possible to define a file system rule using the system call rule syntax. The following command creates a rule for system calls that is similar to the -w /etc/shadow -p wa file system rule:

# auditctl -a always,exit -F path=/etc/shadow -F perm=wa

Configuration

The Linux Audit system generates numerous events for write access, read access, execute access, attribute change, or system call rule. Wazuh uses the key argument in audit rules because it is difficult to distinguish audit events using rules and decoders alone. As previously explained, each audit rule can add a descriptive key value to identify what rule generated a particular audit log entry. We use a CDB list to determine the types of audit rules fired. This list will have the following syntax:

<KEY_NAME>:<VALUE>

where:

<KEY_NAME> is the string you used in the argument -k of a file system or system call rule.
<VALUE> is one of the following values:
- write: File system rules with -p w.
- read: File system rules with -p r.
- execute: File system rules with -p x.
- attribute: File system rules with -p a.
- command: System call rules.

Wazuh server

By default, Wazuh includes an audit CDB list. This CDB list contains audit keys that map against write, read, attribute change, execution, and command events.

Run the command below to view the content of the CDB list:

# cat /var/ossec/etc/lists/audit-keys

audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command

You can add your custom key with its value to the list like this:

# echo "<YOUR_KEY>:<VALUE>" >> /var/ossec/etc/lists/audit-keys

Where <YOUR_KEY> is the key set in the audit rule and <VALUE> is used by Wazuh to process the event.

Restart the Wazuh manager any time you modify the CDB list:

# systemctl restart wazuh-manager

Out-of-the-box rules for Audit events are located in the /var/ossec/ruleset/rules/0365-auditd_rules.xml file on the Wazuh server.

Monitored endpoint

To use the Linux Audit system, you must install the audit package on your endpoint. If you do not have this package installed, execute the following command as the root user to install it:
# apt install -y auditd
# yum install -y auditd
# dnf install -y auditd
Note

If the audit package is already present on the endpoint before installing the Wazuh agent, the actions below should not be performed. This configuration will be added by default.
Add the configuration below to the Wazuh agent configuration /var/ossec/etc/ossec.conf file. This configures Wazuh to read the audit file log to process events the Linux Audit system detects:
```
<localfile>
  <log_format>audit</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>
```
Restart the Wazuh agent to apply the changes:
```
# systemctl restart wazuh-agent
```
Create proper audit rules using the auditctl command or the audit rules file.

Linux audit alerts are displayed in the Threat Hunting module of the Wazuh dashboard.

Use cases

The use cases described below are performed on an Ubuntu 22.04 endpoint that has a Wazuh agent installed and enrolled to a Wazuh server.

Monitoring file and directory access

In this example, we monitor various types of access to the /home directory of the monitored endpoint. This includes write, read, execution access, and changes in the directory's attributes.
Ubuntu endpoint
Run the commands below to configure the following audit rules:
# echo "-w /home -p w -k audit-wazuh-w" >> /etc/audit/audit.rules
# echo "-w /home -p a -k audit-wazuh-a" >> /etc/audit/audit.rules
# echo "-w /home -p r -k audit-wazuh-r" >> /etc/audit/audit.rules
# echo "-w /home -p x -k audit-wazuh-x" >> /etc/audit/audit.rules
Reload the audit rules to apply the changes:
# auditctl -R /etc/audit/audit.rules
# auditctl -l
-w /home -p w -k audit-wazuh-w
-w /home -p a -k audit-wazuh-a
-w /home -p r -k audit-wazuh-r
-w /home -p x -k audit-wazuh-x
Audit configuration alerts are displayed in the Threat Hunting module of the Wazuh dashboard.

Note

While it would be possible to define the previous audit rules as one rule specifying -p warx,we intentionally separate them out. So, each rule has its own unique key value that is important for analysis.
Test the configuration

Perform the following actions on the monitored endpoint.
Create a new file

Run the command below to create a new file in the /home directory:
$ touch /home/malware.py
You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and apply the rule.id:80790 filter to query the alert.
Write access

Run the command below to read the new file:
$ nano /home/malware.py
You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and apply the rule.id:80784 filter to query the alert.
Change permissions

Run the command below to change the permission of the /home/malware.py file:
$ chmod u+x /home/malware.py
You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and apply the rule.id:80787 filter to query the alert.
Read and execute access

Run the command below to execute the /home/malware.py file:
$ /home/malware.py
You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and apply the rule.id: (80784 or 80789) filters to query the alerts.
Delete file

Run the command below to delete the /home/malware.py file:
$ rm /home/malware.py
You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and apply the rule.id:80791 filter to query the alert.
Monitoring commands run as root

In this use case, we use Wazuh and Linux Audit system to monitor all commands executed using root privileges.
Ubuntu endpoint
Add the rules below in the /etc/audit/audit.rules audit rule file:
# echo "-a exit,always -F euid=0 -F arch=b64 -S execve -k audit-wazuh-c" >> /etc/audit/audit.rules
# echo "-a exit,always -F euid=0 -F arch=b32 -S execve -k audit-wazuh-c" >> /etc/audit/audit.rules
-a always,exit: Specifies that the audit event should always be generated, regardless of whether the system call was successful or not.

-S execve: Specifies that the rule should match events that involve the execve system call.

-F euid=0: Specifies that the rule should only match events where the effective user ID (euid) is equal to 0, which is the root user.

-k audit-wazuh-c: Specifies a key value that will be used to tag the generated audit events.

Overall, this rule generates audit events for every execution of the execve system call by the root user (euid=0) and tags those events with the key "audit-wazuh-c".
Reload the audit rules to apply the changes:
# auditctl -R /etc/audit/audit.rules
# auditctl -l
-w /home -p w -k audit-wazuh-w
-w /home -p a -k audit-wazuh-a
-w /home -p r -k audit-wazuh-r
-w /home -p x -k audit-wazuh-x
-a always,exit -F arch=b64 -S execve -F euid=0 -F key=audit-wazuh-c
-a always,exit -F arch=b32 -S execve -F euid=0 -F key=audit-wazuh-c
Test the configuration

Perform the following actions below.
Run the following command as a regular user using root privileges:
$ sudo touch newfile.txt
Run the command below as the root user:
# touch newfile2.txt
You can visualize the alerts for rule.id:80792 in the Wazuh dashboard.

Checking the euid field, we see both actions were performed using root privileges. It is also possible to go further and see who initiated the action by checking the auid field.
Privilege abuse

This use case shows how Wazuh can audit access to sensitive data in users' home directories. We use an audit rule that monitors all files and subdirectories in a user's home directory and tracks when another user tries to access them. Then, we create a Wazuh custom rule to alert for such behavior so that security teams can take action accordingly.
Ubuntu endpoint

In this use case, we have two users, John and Jane. We monitor Jane’s home directory and track if any other user that is not Jane or root tries to access this directory.
Create the two users, Jane and John, on your endpoint:
# useradd jane
# useradd john
Edit the audit rule file /etc/audit/audit.rules and add the following configuration:
# echo "-a always,exit -S open -S openat -F dir=/home/jane/ -F perm=rwa -F auid>=1000 -F auid!=-1 -F euid!=<EUID_OF_JANE> -F uid!=0 -C auid!=obj_uid -F key=power_abuse">>/etc/audit/audit.rules
Here is a breakdown of the rule:

-a always,exit specifies that the rule should always trigger on a process exit.

-F dir=/home/jane/ specifies that the rule should only apply to files and directories inside the /home/jane directory.

-F perm=rwa specifies the permissions being monitored for the system call to occur, in this case, read, write, and append permissions.

-F auid>=1000 this specifies the audit UID (auid), which is the user ID associated with the process that triggered the event, should be more than or equal to 1000.

-F auid!=-1 specifies the auid should not be equal to -1, which is used when a process is launched without a user ID.

-F euid!=<EUID_OF_JANE> specifies that the audit rule should not apply to Jane herself. <EUID_OF_JANE> represents Jane’s euid. You can obtain a user euid using the following command: id -u <USERNAME>.

-F uid!=0 specifies that the audit rule doesn’t apply to the root user.

-C auid!=obj_uid specifies that the auid should not be equal to the object UID (obj_uid), which is the UID associated with the accessed file or directory.

-k power_abuse provides a unique ID that Wazuh uses to analyze the audit logs.

This audit rule logs all attempts by another user to open files or directories inside Jane’s home directory.
Reload the rules and confirm they are in place:
# auditctl -R /etc/audit/rules.d/audit.rules
# auditctl -l
-a always,exit -S open,openat -F dir=/home/jane/ -F perm=rwa -F auid>=1000 -F auid!=-1 -F euid!=1003 -F uid!=0 -C auid!=obj_uid -F key=power_abuse
Wazuh server
Update the /var/ossec/etc/lists/audit-keys CDB list with the custom audit key:
# echo "power_abuse:abuse" >> /var/ossec/etc/lists/audit-keys
Add the following rule to the custom /var/ossec/etc/rules/local_rules.xml file:
<group name="audit">
  <rule id="100210" level="8">
    <if_sid>80700</if_sid>
    <list field="audit.key" lookup="match_key_value" check_value="abuse">etc/lists/audit-keys</list>
    <description>Audit: User with uid $(audit.uid) trying to access $(audit.directory.name) files.</description>
    <group>audit_command,</group>
  </rule>
</group>
Restart the Wazuh manager to apply the changes:
# systemctl restart wazuh-manager
Test the configuration

Perform the following actions on the monitored endpoint to test the configuration.
Switch to the user John:
$ su john
Then, try to list the content of /home/jane or open any file under this directory:
$ ls /home/jane/
You can visualize the alerts for rule.id:100210 in the Wazuh dashboard.

Agentless monitoring

The Wazuh server analyzes the data it receives from the Wazuh agents to monitor, detect, and trigger alerts for security events and incidents on endpoints. However, some endpoints may have limitations that prevent the installation of the Wazuh agent. Wazuh solves this problem by using the agentless monitoring capability.

Agentless monitoring refers to a type of endpoint monitoring that does not require the installation of an agent or software. This approach uses existing protocols to access and gather information from the monitored endpoint.

The Wazuh agentless monitoring capability uses the SSH (Secure Shell) protocol to collect and transfer events from endpoints to the Wazuh server. The supported platforms include routers, firewalls, switches, and Linux/BSD systems. It allows endpoints with software installation restrictions to meet security and compliance requirements.

Contents

How it works

To monitor endpoints without an agent, Wazuh requires an SSH connection between the Wazuh server and the endpoints to be monitored. These endpoints can range from network devices, such as firewalls and routers, to computers. After a connection is established between the Wazuh manager and the monitored endpoint, the Wazuh agentless monitoring module can perform the following actions:

Monitor files, directories, or configuration of an endpoint

You can configure the Wazuh agentless monitoring module to monitor files and directories on SSH-accessible endpoints and configurations of network devices such as firewalls and routers. If there is a change to the monitored files and directories or the configuration of the network devices, an alert is triggered and this can be viewed on the Wazuh dashboard.

Run commands on an endpoint

You can specify commands to be run periodically on a monitored endpoint and track their output with the Wazuh agentless monitoring module. When the output of these commands changes, the module detects the change and triggers alerts that can be viewed on the Wazuh dashboard.

Connection

Wazuh provides a register_host.sh script to connect the agentless endpoint to the Wazuh server using SSH authentication. This script is located in the /var/ossec/agentless/ directory of the Wazuh server. You can add an endpoint and list connected endpoints with the add and list options.

Add an endpoint

The add option of the register_host.sh script adds an agentless endpoint to the Wazuh server. Specify the NOPASS option to use public key authentication rather than using a password.

Endpoints with public key authentication

To add agentless endpoints that use public key authentication, perform the following steps on the Wazuh server.

Generate a public key with the following command. It saves the public key in /var/ossec/.ssh/id_rsa.pub by default.
```
sudo -u wazuh ssh-keygen
```
Run the following command to copy the public key to the monitored endpoint. Replace user@test.com with the username and the hostname or IP address of the agentless endpoint.
```
ssh-copy-id -i /var/ossec/.ssh/id_rsa.pub user@test.com
```
Add the endpoint by running the following command on the Wazuh server:
```
# /var/ossec/agentless/register_host.sh add user@test.com NOPASS
```
The command output must be similar to the following:
```
*Host user@test.com added.
```

Endpoints with password authentication

Run the following command to add agentless endpoints to the Wazuh server using the password authentication method. Replace user@test.com with the username and the hostname or IP address of the agentless host. Replace test_password with the password of the agentless host.

# /var/ossec/agentless/register_host.sh add user@test.com test_password

The command output must be similar to the following:

*Host user@test.com added.

Cisco PIX

For Cisco devices, such as routers or firewalls, use enablepass to specify the enable password.

Add a Cisco device using the configuration command example below:

# /var/ossec/agentless/register_host.sh add pix@example_address.com example_password enablepass

The command output must be similar to the following:

*Host pix@example_address.com added.

List connected endpoints

The list option of the register_host.sh script displays all agentless endpoints connected to the Wazuh server.

Use the following command to display the connected endpoints:

/var/ossec/agentless/register_host.sh list

The command output must be similar to the following:

*Available hosts:
user@example_address.com
pix@example_address.com

Remove agentless configuration

Agentless endpoint credentials are stored in the /var/ossec/agentless/.passlist file on the Wazuh server. This file must be deleted to remove all agentless configurations, as it is currently not possible to remove the configuration of only one endpoint.

Perform the following steps on the Wazuh server to remove your agentless configuration and passwords.

Remove the agentless monitoring setting from the /var/ossec/etc/ossec.conf file.
Delete the /var/ossec/agentless/.passlist file.
Restart the Wazuh manager to apply the changes:
```
systemctl restart wazuh-manager
```

Configuration

You need to configure the Wazuh server to monitor the connected agentless endpoints. To configure the agentless monitoring capability, install the expect package, then add the agentless monitoring configuration setting on the Wazuh server.

Execute the following command as the root user to install the expect package:

# yum install -y expect

# apt install -y expect

To view configuration options for agentless monitoring, refer to the supported attributes section below.

Supported attributes

The following table explains the different attributes the agentless monitoring module supports.

Attribute	Allowed values	Description
type	ssh_integrity_check_bsd	Defines the agentless configuration type to be run on the monitored endpoint.
	ssh_integrity_check_linux
	ssh_pixconfig_diff
	ssh_generic_diff
frequency	An integer in seconds	Controls the number of seconds between each check of the agentless endpoint.
host	Any username and host (`username@hostname`)	Defines the username and the hostname or IP address of the agentless endpoint.
state	periodic	Output from each check is analyzed with the Wazuh ruleset as if it is a monitored log.
	periodic_diff	Output from each agentless check is compared to the output of the previous run. Changes are alerted on, similar to file integrity monitoring.
	periodic_diff
arguments	For BSD integrity check and Linux integrity check settings, this is a space-delimited list of files or directories to be monitored. For generic diff settings, this is a command to be run on the endpoint.	Defines the arguments passed to the agentless check.

Monitoring files, directories, or configuration settings on an endpoint

This setting allows the agentless monitoring module to monitor changes to files, directories, and the configuration of an endpoint. You can configure this using the following agentless configuration types:

BSD integrity check
Linux integrity check
Pix config

BSD integrity check

You need to set the type as ssh_integrity_check_bsd for BSD endpoints, as referenced in the sample configuration below. A space-separated list of files or directories may be referenced in the configuration section using the <arguments> tag. Using this configuration, Wazuh performs an integrity check on the specified files or directories of the monitored endpoint. An alert is triggered if the specified files or directories change.

Add the setting below to the /var/ossec/etc/ossec.conf configuration file of the Wazuh server to monitor the file integrity of /bin and /var directories:

<agentless>
  <type>ssh_integrity_check_bsd</type>
  <frequency>20000</frequency>
  <host>user@test.com</host>
  <state>periodic</state>
  <arguments>/bin /var/</arguments>
</agentless>

Multiple files or directories may be included in the <arguments> tag, separated by a space.

Linux integrity check

You need to set the type as ssh_integrity_check_linux for Linux endpoints, as referenced in the sample configuration below. Here also, a space-separated list of directories may be referenced in the configuration section using the <arguments> tag. Using this configuration, Wazuh performs an integrity check on the specified files or directories of the monitored endpoint.

Add the setting below to the /var/ossec/etc/ossec.conf configuration file of the Wazuh server to monitor the /bin, /etc, and /sbin directories:

<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>36000</frequency>
  <host>user@test.com</host>
  <state>periodic</state>
  <arguments>/bin /etc /sbin</arguments>
</agentless>

Multiple files or directories may be included in the <arguments> tag, separated by a space.

Pix config

This option triggers an alert if a Cisco PIX/router configuration changes. Set the type to ssh_pixconfig_diff as referenced in the sample configuration below.

Add the setting below to the /var/ossec/etc/ossec.conf configuration file of the Wazuh server to monitor a Cisco PIX or router configuration:

<agentless>
  <type>ssh_pixconfig_diff</type>
  <frequency>36000</frequency>
  <host>pix@pix.fw.local</host>
  <state>periodic_diff</state>
</agentless>

Running commands on an endpoint

This configuration setting allows the agentless monitoring module to run a command on a monitored endpoint. When the output of the command changes, this triggers an alert on the Wazuh server.

You can configure this using the following agentless configuration type:

Generic diff

Generic diff

You can configure a command to run on a monitored endpoint. Wazuh will alert you if the output of the command changes. For this option, set the type as ssh_generic_diff, as shown below.

In the configuration below, the ls -la /etc command will execute every 20000 seconds. An alert is triggered if the output of the commands changes.

<agentless>
  <type>ssh_generic_diff</type>
  <frequency>20000</frequency>
  <host>user@test.com</host>
  <state>periodic_diff</state>
  <arguments>ls -la /etc</arguments>
</agentless>

Note

To use su in a command, use_su must be set before the hostname. In the previous example, this would appear as <host>use_su user@test.com</host>

Applying the configuration

After you configure the agentless monitoring on the Wazuh server, restart the Wazuh manager with the following command to apply the configuration:

systemctl restart wazuh-manager

Visualization

The Wazuh server registers events from agentless endpoints under the Wazuh server name and ID 000. Therefore, they do not appear as individual agents on the Wazuh dashboard. Agentless endpoints don't affect the total agent count. You can create a custom visualization to view the alerts from agentless endpoints.

Perform the following steps to create a visualization for the alerts from agentless endpoints.

Navigate to the Discover section.
Filter agentless logs by searching for agentless.host:*.
Add the following fields from the Available fields section:
- rule.description
- rule.level
- rule.id
- agentless.host
You can see in the image below how you can add the rule.description field. Follow the same step for the remaining fields.
After adding all the fields, the dashboard should look similar to the image below.
Click on Save and assign a name to the dashboard. In this example, you can name it as Agentless monitoring.
After assigning a name, click the Save button to apply the configuration.
Click on Open to access the visualization.
Click on Details button in the table to view more information about the event.

Alert in JSON:

{
  "_index": "wazuh-alerts-4.x-2023.04.13",
  "_id": "VPPfeocBfkbi0eGUYKSc",
  "_version": 1,
  "_score": null,
  "_source": {
    "syscheck": {
      "path": "/special_dir/file1",
      "sha1_after": "9e7633f2260abb2b3de4cdf7589305a4197e757b",
      "size_before": "5",
      "changed_attributes": [
        "size",
        "md5",
        "sha1"
      ],
      "size_after": "6",
      "uid_after": "0",
      "gid_after": "0",
      "md5_before": "14a47f5bf4c5b0fa3f8e4abc97c5f11e",
      "perm_after": "001204",
      "event": "modified",
      "md5_after": "ba62eb8d83f89e2cab34d63a06ed43c5",
      "sha1_before": "a9ff574809c81ac1c3f8a7b6fd33a9a88c868741"
    },
    "input": {
      "type": "log"
    },
    "agent": {
      "hostname": "wazuh",
      "name": "wazuh",
      "id": "3e201657-df9c-4c0d-8518-aa9556aaf110",
      "type": "filebeat",
      "ephemeral_id": "6fed6291-e32d-4a30-ad9b-20fcf172ee7a",
      "version": "7.10.2"
    },
    "manager": {
      "name": "wazuh"
    },
    "agentless": {
      "host": "192.168.33.137",
      "user": "agentless",
      "script": "ssh_integrity_check_linux"
    },
    "rule": {
      "mail": false,
      "level": 7,
      "pci_dss": [
        "11.5"
      ],
      "hipaa": [
        "164.312.c.1",
        "164.312.c.2"
      ],
      "tsc": [
        "PI1.4",
        "PI1.5",
        "CC6.1",
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "Integrity checksum changed.",
      "groups": [
        "ossec",
        "syscheck",
        "syscheck_entry_modified",
        "syscheck_file"
      ],
      "nist_800_53": [
        "SI.7"
      ],
      "gdpr": [
        "II_5.1.f"
      ],
      "firedtimes": 3,
      "mitre": {
        "technique": [
          "Stored Data Manipulation"
        ],
        "id": [
          "T1565.001"
        ],
        "tactic": [
          "Impact"
        ]
      },
      "id": "550",
      "gpg13": [
        "4.11"
      ]
    },
    "location": "syscheck",
    "decoder": {
      "name": "syscheck_integrity_changed"
    },
    "id": "1681393661.11766",
    "full_log": "File '/special_dir/file1' checksum changed.\nSize changed from '5' to '6'\nOld md5sum was: '14a47f5bf4c5b0fa3f8e4abc97c5f11e'\nNew md5sum is : 'ba62eb8d83f89e2cab34d63a06ed43c5'\nOld sha1sum was: 'a9ff574809c81ac1c3f8a7b6fd33a9a88c868741'\nNew sha1sum is : '9e7633f2260abb2b3de4cdf7589305a4197e757b'\n",
    "timestamp": "2023-04-13T16:47:41.557+0300"
  },
  "fields": {
    "timestamp": [
      "2023-04-13T13:47:41.557Z"
    ]
  },
  "highlight": {
    "manager.name": [
      "@opensearch-dashboards-highlighted-field@wazuh@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1681393661557
  ]
}

Use cases

Monitoring the output of a command on an endpoint

In this example, we configure the agentless monitoring module to run some commands on a monitored VMware ESXI 8.0.0 endpoint and detect the output.

Configuration

Wazuh server

Perform the following steps on the Wazuh server.

Add the following block to the /var/ossec/etc/ossec.conf configuration file. This configuration runs a command to print the content of the /tmp/newfile.txt file every 2 minutes. It also detects the difference between the outputs each time the command is run. Replace user@example.net with the username and the hostname or IP address of your VMware ESXI endpoint.
```
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>200</frequency>
  <host>user@example.net</host>
  <state>periodic_diff</state>
  <arguments>cat /tmp/newfile.txt</arguments>
</agentless>
```
Restart the Wazuh manager with the following command to apply the changes:
```
systemctl restart wazuh-manager
```

Test the configuration

Perform the following steps on the monitored VMware ESXI endpoint.

Create a file /tmp/newfile.txt:
```
$ touch /tmp/newfile.txt
```
Add the text “new addition” and wait for 3 minutes:
```
$ echo “new addition” > /tmp/newfile.txt
```

Visualize the alert

You can visualize the alert with any of these options

Navigate to the Discover section and open the visualization created in the Visualization section.
Navigate to Threat Hunting on the Wazuh dashboard. Search for agentless.host:* to view the alert generated.

Expand the alert with rule.id:555 to view more information about the event. In the image below, under the full log, you can see the output of the command and the difference between the commands when the file was modified.

Monitor files and directories on an endpoint

In the example, we monitor changes to a specified file and directory on a monitored Linux endpoint using the agentless monitoring capability.

Configuration

Wazuh server

Perform the following steps on the Wazuh server.

Add the block below to the /var/ossec/etc/ossec.conf configuration file. This configuration monitors the /tmp/file.conf file for modification every 2 minutes. Replace user@example.net with the username and the hostname or IP address of your Linux endpoint.
```
<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>120</frequency>
  <host>user@example.net</host>
  <state>periodic</state>
  <arguments>/tmp/file.conf /special_dir</arguments>
</agentless>
```
Restart the Wazuh manager with the following command to apply the changes:
```
systemctl restart wazuh-manager
```

Test the configuration

Perform the following steps on the monitored endpoint.

Create a file /tmp/file.conf:
```
$ touch /tmp/file.conf
```
Modify the /tmp/file.conf:
```
$ echo demo > /tmp/file.conf
```
Make a directory /special_dir:
```
$ mkdir /special_dir
```
Add a file to the monitored directory:
```
$ cd /special_dir
$ touch file1 file2
```
Modify the files by adding the string demo and wait for 2 minutes:
```
echo demo | tee /special_dir/file1 /special_dir/file2
```

Visualize the alert

You can visualize the alert with any of these options:

Navigate to the Discover section and open the visualization created in the Visualization section.
Navigate to Threat Hunting on the Wazuh dashboard. Search for agentless.host:* to view the alert generated.

Select the syscheck.path field to add a column that shows all the monitored files.

Expand one of the alerts with rule.id:550 to find information about the changes made to the file. You can see the file size and checksum have changed in the image below.

Reference

This part of the user manual will cover the configuration files used by Wazuh and define the setting options. Directions are given on how to customize the functionality of Wazuh to the unique environment and specific requirements of each installation.

Contents

Local configuration (ossec.conf)

The ossec.conf file is the main configuration file on the Wazuh manager, and it also plays an important role on the agents. It is located at /var/ossec/etc/ossec.conf both in the manager and agent on Linux machines. On Windows agents, we can find it at C:\Program Files (x86)\ossec-agent\ossec.conf. It is recommended to back up this file before making changes to it. A configuration error may prevent Wazuh services from starting up.

The ossec.conf file is in XML format, and all of its configuration options are nested in their appropriate section of the file. In this file, the outermost XML tag is <ossec_config>. There can be more than one <ossec_config> tag.

Here is an example of the proper location of the alerts configuration section:

<ossec_config>
    <alerts>
        <!--
        alerts options here
        -->
    </alerts>
</ossec_config>

The agent.conf file is very similar to ossec.conf but agent.conf is used to centrally distribute configuration information to agents. See more here.

Wazuh can be installed in two ways: as a manager by using the "server/manager" installation type and as an agent by using the "agent" installation type.

Configuration sections	Supported installations
active-response	manager, agent
agentless	manager
agent-upgrade	manager, agent
alerts	manager
anti_tampering	agent
auth	manager
client	agent
client_buffer	agent
cluster	manager
command	manager
database_output	manager
email_alerts	manager
global	manager
github	manager, agent
indexer	manager
integration	manager
labels	manager, agent
localfile	manager, agent
logging	manager, agent
ms-graph	manager, agent
office365	manager, agent
remote	manager
reports	manager
rootcheck	manager, agent
rule_test	manager
ruleset	manager
sca	manager, agent
socket	manager, agent
syscheck	manager, agent
syslog_output	manager
task-manager	manager
vulnerability-detection	manager
wazuh_db	manager
wodle name="agent-key-polling"	manager
wodle name="aws-s3"	manager, agent
wodle name="azure-logs"	manager, agent
wodle name="command"	manager, agent
wodle name="docker-listener"	manager, agent
wodle name="syscollector"	manager, agent
gcp-pubsub	manager, agent
gcp-bucket	manager, agent

All of the above sections must be located within the top-level <ossec_config> tag. In the case of adding another <ossec_config> tag, it may override the values set on the previous tag.

active-response

In the Active Response configuration section, an existing command is bound to one or more rules or rule types along with additional criteria for when to execute the command. There is no limit to the number of active responses that can be used, however, each active response must be configured in its own separate <active-response> section.

Options

disabled

Agent side

repeated_offenders

disabled

Toggles the active-response capability on and off. Setting this option to yes on an agent will disable active-response for that agent only while setting it in the manager ossec.conf file will disable active-response on the manager and all agents.

This field is mandatory in every <active-response> block. You must explicitly set it to either yes or no to ensure the configuration works properly.

Note

This option is available on the server, local, and agent installations.

Allowed values

yes, no

command

Links the active-response to the command. You can find more information at the commands section.

Default value	n/a
Allowed values	Any defined active response command name

location

Indicates which system(s) the command should be executed on.

Default value	n/a
Allowed values	local	This runs the command on the agent that generated the event.
	server	This runs the command on the Wazuh manager.
	defined-agent	This runs the command on a specific agent identified by agent_id.
	all	This runs the command on all agents, not including the manager. Use with caution.

Example:

If the application that interfaces with your edge firewall runs on one of your agents, you might have a firewall-block-edge command that runs a script on that agent to blacklist an offending IP address on the edge firewall.

Note

If it is desired to trigger a particular active response on every agent and the manager as well, two similar configuration blocks can be used setting the option "all" in one of the blocks and "server" on the other.

agent_id

Specifies the ID of the agent on which to execute the active response command (used when defined-agent is set).

Default value	n/a
Allowed values	Any agent id number, as long as defined-agent has been specified as the location.

level

Defines a minimum severity level required for the command to be executed.

Default value	n/a
Allowed values	Any level from 1 to 16

rules_group

Defines the rule group that a rule must belong to for the execution of the command.

Default value	n/a
Allowed values	Any group string. For multiple groups, separate the strings with a pipe character `\|`.

Note

To avoid partial matches, add a comma at the end of the group string. For example, <rules_group>group_a,|group_b,|group_c,</rules_group> Also, check that the rule group in your rule definitions ends with a comma as well. This is usually the case in the Wazuh default ruleset. For example, <group>group_b,</group>.

Not ending the group string with a comma implies that the group string is a substring open for partial matches. For example, the group string authentication matches rule groups authentication, authentication_success, and authentication_failure while the group string authentication, matches only rule group authentication.

rules_id

Limits the command execution to only when one or more listed rules fire.

Default value	n/a
Allowed values	Any rule identification. Multiple IDs can be specified if separated by a comma.

Note

When setting level, rules_group, and rules_id together, the active response will be triggered always that any rule matches with one of these options. In other words, they are accumulative options, not restrictive.

timeout

Specifies how long in seconds before the reverse command is executed. When repeated_offenders is used, timeout only applies to the first offense.

Default value	n/a
Allowed values	A positive number (seconds)

repeated_offenders

Sets timeouts in minutes for repeat offenders. This is a comma-separated list of increasing timeouts that can contain a maximum of 5 entries.

Default value	n/a
Allowed values	A positive number (minutes)

Warning

This option must be configured directly in the ossec.conf file of the agent (currently not supported by agents running on Windows), even when using a manager/agent setup with a centralized configuration of other settings via agent.conf. Apart from that, it has to be defined in the upper <active-response> section found in the configuration file.

Sample Configuration

<!-- On the manager side -->

<active-response>
  <disabled>no</disabled>
  <command>host-deny</command>
  <location>defined-agent</location>
  <agent_id>032</agent_id>
  <level>10</level>
  <rules_group>sshd,|pci_dss_11.4,</rules_group>
  <timeout>1</timeout>
</active-response>

<!-- On the agent side -->
<active-response>
  <disabled>no</disabled>
  <repeated_offenders>1,5,10</repeated_offenders>
</active-response>

agentless

Agentless monitoring allows you to run integrity checks on systems without an agent installed.

Options

type
frequency
host
state
arguments

type

Default value	n/a
Allowed values	ssh_integrity_check_bsd	Requires a list of directories in <arguments>. Wazuh will integrity scan the files in the specified directories. The system will alert if these files have changed.
	ssh_integrity_check_linux
	ssh_generic_diff	Supply an <arguments> value that consists of a set of commands to run. Their output is then processed, looking for changes or rule matches.
	ssh_pixconfig_diff	Specifically for checking if the config of a Cisco PIX/router changes. No <arguments> required.

frequency

Controls the number of seconds between each check of the agentless device.

Default value	n/a
Allowed values	An integer in seconds

host

Defines the username and the name of the agentless host.

Default value	n/a
Allowed values	Any username and host (`username@hostname`)

state

Determines whether the type of check is periodic or periodic_diff.

Default value

n/a

Allowed values

periodic

Output from each check is analyzed with the Wazuh ruleset as if a monitored log.

periodic_diff

Output from each agentless check is compared to the output of the previous run.

Changes are alerted on, similar to file integrity monitoring.

arguments

Defines the arguments passed to the agentless check.

Default value	n/a
Allowed values	This is a space-delimited list of files or directories to be monitored.

Sample configuration

<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>300</frequency>
  <host>admin@192.168.1.108</host>
  <state>periodic_diff</state>
  <arguments>/etc /usr/bin /usr/sbin</arguments>
</agentless>

agent-upgrade

The agent upgrade module is responsible for carrying out the entire agent upgrade process remotely:

On the manager side, it validates, downloads and/or sends the WPK files to the agents.
On the agent side, it processes the received commands and sends a notification to the manager after an upgrade process has been accomplished.

This configuration section only needs to be defined in order to change the default values.

Options

Manager side

chunk_size
wpk_repository
max_threads

Note

On the manager side, this module will be always enabled and cannot be deactivated.

Agent side

enabled
notification_wait_start
notification_wait_factor
notification_wait_max
ca_verification

Note

On the agent side, this module can be disabled, and doing so will block remote upgrading of that agent.

chunk_size

Size in KB of the chunk that will be used to send the WPK file.

Default value	32768
Allowed values	Any number between 64 and 60000
Required	no

wpk_repository

Repository where the WPK files will be downloaded.

Default value	packages.wazuh.com/5.x/wpk/
Allowed values	Any repository URL that contains the WPK files.
Required	no

max_threads

Maximum number of threads to process upgrades in parallel. Value 0 means the number of CPU cores.

Default value	8
Allowed values	Any number between 0 and 256
Required	no

enabled

Disabling this option will block the agent from upgrading.

Default value	yes
Allowed values	yes, no
Required	no

notification_wait_start

Initial time that the agent will wait to retry sending the upgrade confirmation if the first attempt remains unanswered. Can use second, minute and hour format.

Default value	5m
Allowed values	A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), or h (hours).
Required	no

notification_wait_factor

Time increase factor between successive notifications.

Default value	2.0
Allowed values	Any number greater than 1.0
Required	no

notification_wait_max

Maximum time allowed between successive notifications. Can use second, minute and hour format.

Default value	1h
Allowed values	A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), or h (hours).
Required	no

ca_verification

Configuration block to specify CA certificates to validate WPK files.

enabled	This option enables or disables the WPK validation using the root CA certificate. If this parameter is set to `no` the agent will accept any WPK package coming from the manager.
	Default value	yes
	Allowed values	yes, no
ca_store	Indicates the path to the root CA certificate. The agent needs the certificate with which the WPK was signed in order to be updated.
	Default value	etc/wpk_root.pem
	Allowed values	Path to root CA certificate. It can be referred to a relative path under the Wazuh installation directory or a full path.

Sample Configuration

<!-- On the manager side -->

<agent-upgrade>
  <chunk_size>16384</chunk_size>
  <wpk_repository>packages.wazuh.com/4.x/wpk/</wpk_repository>
  <max_threads>16</max_threads>
</agent-upgrade>

<!-- On the agent side -->
<agent-upgrade>
  <enabled>yes</enabled>
  <notification_wait_start>60s</notification_wait_start>
  <notification_wait_factor>4</notification_wait_factor>
  <notification_wait_max>2h</notification_wait_max>
  <ca_verification>
    <enabled>yes</enabled>
    <ca_store>etc/wpk_root.pem</ca_store>
  </ca_verification>
</agent-upgrade>

alerts

Here is how to configure the severity level threshold for logging or sending alerts and the geolocation feature.

Options

log_alert_level
email_alert_level
use_geoip

log_alert_level

Sets the minimum severity level for alerts that will be stored to alerts.log and/or alerts.json.

Default value	3
Allowed values	Any level from 1 to 16

email_alert_level

Sets the minimum severity level for an alert to generate an email notification.

Warning

This is the minimum level for an alert to trigger an email. This setting overrides granular email alert configuration. Setting this to 10 will prevent the sending of emails for alerts with levels lower than 10, even when there are settings in the granular email configuration referencing levels lower than 10. Individual rules can override this with the alert_by_email option which forces an email alert regardless of global or granular alert level thresholds.

Default value	12
Allowed values	Any level from 1 to 16

use_geoip

Deprecated since version 2.0.

This option has no effect and will result in a parsing error unless compiled with LIBGEOIP_ENABLED.

Default value	n/a
Allowed values	yes, no

Default configuration

<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>

anti_tampering

You can configure anti-tampering to prevent uninstallation of the Wazuh agent package on Linux without manager validation.

Options

package_uninstallation

package_uninstallation

Enables or disables the validation requirement for a user to uninstall the Wazuh agent package.

Default value	no
Allowed values	yes, no

Configuration example

<!-- Enables validation requirement to uninstall Wazuh agent package -->
<anti_tampering>
  <package_uninstallation>yes</package_uninstallation>
</anti_tampering>

Wazuh server API connection data

Environment variables	Description	Required/Optional
VALIDATION_TOKEN	Token to make a Wazuh server API request.	Either `VALIDATION_TOKEN` or `VALIDATION_LOGIN` is required.
VALIDATION_LOGIN	Wazuh server API username and password to generate a token. Format: `<USER>:<PASSWORD>`	Either `VALIDATION_TOKEN` or `VALIDATION_LOGIN` is required.
VALIDATION_SSL_VERIFY	Enable SSL verification with the Wazuh server API certificate. Format: `true`, `false`	Optional - `true` by default.
VALIDATION_HOST	Host and port where the Wazuh server API is installed. Format: `<HOST>:<PORT>`	Required

You can create a file such as /$(WAZUH_DIR)/etc/uninstall_validation.env to export the environment variables. For example:

#!/bin/sh

export VALIDATION_LOGIN="wazuh:wazuh"
export VALIDATION_HOST="192.168.0.3:55000"
export VALIDATION_SSL_VERIFY="false"

auth

This section shows the options for the registration service.

Options

disabled
remote_enrollment
port
ipv6
use_source_ip
force
purge
use_password
ssl_agent_ca
ssl_verify_host
ssl_manager_cert
ssl_manager_key
ssl_auto_negotiate
ciphers
key_request
agents

disabled

Toggles the execution of the Auth daemon on or off.

Default value	no
Allowed values	yes, no

remote_enrollment

Allow listening for new agents on TLS port (1515 by default).

Default value	yes
Allowed values	yes, no

port

Defines the TCP port number for listening to connections.

Default value	1515
Allowed values	0 - 65535

ipv6

Enables IPv6 support.

Default value	no
Allowed values	yes, no

use_source_ip

Toggles the use of the client's source IP address or the use of "any" to add an agent.

Default value	no
Allowed values	yes, no

force

The agent replacement options are configured inside this tag. All conditions must be satisfied to perform the replacement.

<force>
  <enabled>yes</enabled>
  <disconnected_time enabled="yes">1h</disconnected_time>
  <after_registration_time>1h</after_registration_time>
  <key_mismatch>yes</key_mismatch>
</force>

enabled

Toggles whether or not to force the insertion of an agent if there is a duplicate name or IP address. This will remove the old agent with the same name or IP address.

Default value	yes
Allowed values	yes, no

disconnected_time

This option, when enabled, specifies that the replacement will be performed only for agents that have been disconnected longer than the value configured in the setting. This option should be disabled to replace any agent regardless of its state.

Default value	1h
Allowed values	Any number greater than or equal to zero. Allowed suffixes (s, m, h, d).

Attributes:

enabled	Default value	yes
enabled	Allowed values	yes, no

Value no means to force replacement even for active agents.

Value 0 means to force the replacement of any disconnected agent.

after_registration_time

Specifies that the agent replacement will be performed only when the time passed since the agent registration is greater than the value configured in the setting.

Default value	1h
Allowed values	Any number greater than or equal to zero. Allowed suffixes (s, m, h, d).

Value 0 means to always force replacement.

key_mismatch

This option defines that the agent replacement occurs when the key held by the agent is different from the one registered by the manager.

Default value	yes
Allowed values	yes, no

purge

Toggles the deletion of client keys on or off when agents are removed.

Default value	yes
Allowed values	yes, no

When set to no, removed agents will remain in the client keys file marked as removed. When set to yes, the client keys file will be purged.

use_password

Toggles shared password authentication on or off.

Default value	no
Allowed values	yes, no

When enabled, the shared password will be read from the /var/ossec/etc/authd.pass file.

If this file does not exist, a random password will be generated.

ssl_agent_ca

Specifies the path to the CA certificate used to verify clients. It can be referred to a relative path under the Wazuh installation directory or a full path.

Allowed values

Any valid path

ssl_verify_host

Toggles source host verification on and off when a CA certificate is specified. This means that the client source IP address will be validated using the Common Name field.

Default value	no
Allowed values	yes, no

ssl_manager_cert

Specifies the path to the server SSL certificate. It can be referred to a relative path under the Wazuh installation directory or a full path.

Default value	etc/sslmanager.cert
Allowed values	Any valid path

ssl_manager_key

Specifies the path to the server's SSL key. It can be referred to a relative path under the Wazuh installation directory or a full path.

Default value	etc/sslmanager.key
Allowed values	Any valid path

ssl_auto_negotiate

Toggles whether or not to auto select the SSL/TLS method.

Default value	no
Allowed values	yes, no

By default only TLS v1.2 is allowed. When set to yes the system will negotiate the most secure common method with the client.

In older systems, where the manager does not support TLS v1.2, this option will be enabled automatically.

ciphers

Sets the list of ciphers for network communication using SSL.

Default value

HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH

The format of this parameter is described in SSL ciphers.

key_request

The key request settings are configured inside this tag. Read more about this feature at agent key request.

<key_request>
  <enabled>yes</enabled>
  <exec_path>/usr/bin/python /home/script.py</exec_path>
  <socket>/path/to/socket</socket>
  <timeout>60</timeout>
  <threads>1</threads>
  <queue_size>1024</queue_size>
</key_request>

Configuration options of the key request feature.

enabled

Enable the key request.

Default value	no
Allowed values	yes, no

timeout

Maximum time for waiting a response from the executable.

Default value	60
Allowed values	A positive number in seconds

exec_path

Full path to the executable.

Default value	none
Allowed values	A string indicating the full path

socket

Full path to the Unix domain socket.

Default value	none
Allowed values	A string indicating the full path to a Unix domain socket

threads

Number of threads for dispatching the external keys requests.

Default value	1
Allowed values	A positive number indicating the number of threads [1..32]

queue_size

Indicates the maximum size of the queue for fetching external keys.

Default value	1024
Allowed values	A positive number indicating the queue size [1..220000]

agents

allow_higher_versions

Accept agents with a later version than the current manager.

Default value	no
Allowed values	yes, no

Note

This option only works when connection is set to secure.

Default configuration

<auth>
  <disabled>no</disabled>
  <remote_enrollment>yes</remote_enrollment>
  <port>1515</port>
  <use_source_ip>no</use_source_ip>
  <force>
    <enabled>yes</enabled>
    <disconnected_time enabled="yes">1h</disconnected_time>
    <after_registration_time>1h</after_registration_time>
    <key_mismatch>yes</key_mismatch>
  </force>
  <purge>yes</purge>
  <use_password>no</use_password>
  <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
  <!-- <ssl_agent_ca></ssl_agent_ca> -->
  <ssl_verify_host>no</ssl_verify_host>
  <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
  <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
  <ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>

client

This section explains how to configure the connection to the manager.

Subsections

server
enrollment

server

Configures the connection parameters for each server an agent connects to.

Server subsection options

address
port
interface_index
max_retries
retry_interval

address

Specifies the IP address or the hostname of the Wazuh manager.

Default value	n/a
Allowed values	Any valid IP address or any resolvable hostname is allowed.

port

Specifies the port to send events to the manager. This must match the associated listening port configured on the Wazuh manager.

Default value	1514
Allowed values	Any port number from 1 to 65535 is allowed.

interface_index

The index by which the agent must try to connect to the server when setting link-local IPv6 addresses. If the configured IP address is not link-local IPv6 the interface_index option has no effect.

Default value	n/a
Allowed values	A positive number.

Note

In the case that the interface number changes, you must change this setting mannually.

max_retries

The number of connection retries.

Default value	5
Allowed values	1 to 1.000.000.000

retry_interval

Time interval between connection attempts (seconds).

Default value	10
Allowed values	1 to 1.000.000.000

Options

config-profile
notify_time
time-reconnect
ip_update_interval
auto_restart

config-profile

Specifies the agent.conf profile(s) to be used by the agent.

Default value	n/a
Allowed values	Multiple profiles can be included, separated by a comma and a space.

notify_time

Specifies the time in seconds between agent checkins to the manager. More frequent checkins speed up dissemination of an updated agent.conf file to the agents, but may also put an undo load on the manager if there are a large number of agents.

Default value	20
Allowed values	A positive number (seconds)

Warning

This setting should always be lower than disconnection time configured for the agents in the manager. This allows them to always notify the manager before it would consider them disconnected.

time-reconnect

Specifies the time in seconds before a reconnection is attempted. This should be set to a higher number than the notify_time parameter.

For example, a notify_time setting of 60 combined with a time-reconnect of 300 would mean that agents will attempt to check in once per minute, but if a checkin attempt fails to get a response from the manager, the agent will wait five minutes before trying again. Checkins will resume their normal one-minute interval following a successful connection attempt.

Default value	60
Allowed values	A positive number (seconds)

Warning

Notice that the notify_time value uses an underscore while the time-reconnect value uses a dash. This is an unfortunate legacy naming inconsistency that is easy to mix up.

ip_update_interval

Specifies how often an agent will query the control module for its main IP address.

Any value equal to or lower than the configured notify_time will cause the IP address to be queried on each keep-alive message.

Default value	0
Allowed values	A positive number (seconds)

Note

Most systems won't need to modify this value, but on systems with large routing tables this configuration can help lower CPU usage from wazuh-modulesd.

auto_restart

Toggles on and off the automatic restart of agents when a new valid configuration is received from the manager.

Default value	yes
Allowed values	yes, no

Sample configuration

<client>
  <server>
    <address>192.168.1.100</address>
    <port>1514</port>
    <max_retries>5</max_retries>
    <retry_interval>5</retry_interval>
  </server>
  <server>
    <address>example.hostname</address>
  </server>
  <config-profile>webserver, debian8</config-profile>
  <notify_time>30</notify_time>
  <time-reconnect>120</time-reconnect>
  <auto_restart>yes</auto_restart>
</client>

Sample link-local IPv6 configuration

<client>
  <server>
    <address>fe80:0000:0000:0000:a00:27ff:feff:6b0b</address>
    <interface_index>3</interface_index>
    <port>1514</port>
  </server>
  <config-profile>ubuntu, ubuntu22, ubuntu22.04</config-profile>
  <notify_time>20</notify_time>
  <time-reconnect>60</time-reconnect>
  <auto_restart>yes</auto_restart>
</client>

enrollment

Configures the connection parameters for the agent enrollment.

Options

enabled
manager_address
port
interface_index
agent_name
groups
agent_address
ssl_cipher
server_ca_path
agent_certificate_path
agent_key_path
authorization_pass_path
auto_method
delay_after_enrollment
use_source_ip

enabled

Enables/disables agent enrollment.

Default value	yes
Allowed values	yes or no

manager_address

Hostname or IP address of the manager where the agent will be enrolled. If no value is set, the agent will try enrolling to the same manager that was specified for connection.

Default value	n/a
Allowed values	string - Should be valid IP/Hostname

port

Specifies the port on the manager to send enrollment request. This must match the associated listening port configured on the Wazuh manager.

Default value	1515
Allowed values	Any port number from 0 to 65535 is allowed.

interface_index

The index by which the agent must send enrollment requests to the server when setting link-local IPv6 addresses. If the configured IP address is not link-local IPv6 the interface_index option has no effect.

Default value	n/a
Allowed values	A positive number.

Note

In the case that the interface number changes, you must change this setting mannually.

agent_name

Agent name that will be used for enrollment. Only alphanumeric characters, "-", "_" or "." are allowed, and the minimum length is two characters.

Default value	Hostname of the machine.
Allowed values	string - Registration name for the agent.

groups

Groups name to which the agent belongs.

Default value	NULL
Allowed values	string - Name of one or many valid groups.

agent_address

Force IP address from the agent. If this is not set manager will extract the source IP address from the enrollment message.

Default value	src
Allowed values	string - Valid IP address

ssl_cipher

Override SSL used ciphers.

Default value	HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
Allowed values	Any valid ssl cipher.

server_ca_path

Used for manager verification. If no CA certificate is set server will not be verified.

Default value	NULL
Allowed values	Path to a valid CA certificate.

Note

Paths can be referred to as relative paths under the Wazuh installation directory or full paths.

agent_certificate_path

Required when agent verification is enabled in the manager.

Default value	NULL
Allowed values	Path to a valid agent certificate file.

agent_key_path

Required when agent verification is enabled in the manager.

Default value	NULL
Allowed values	Path to a valid agent key file.

authorization_pass_path

Required when enrollment is using password verification.

Default value	Windows: authd.pass Unix: /etc/authd.pass
Allowed values	Path to a valid password file

auto_method

Auto negotiates the most secure common SSL/TLS method with the manager, use "yes" for auto negotiate or "no" for TLS v1.2 only.

Default value	no
Allowed values	yes or no

delay_after_enrollment

Time that agentd should wait after a successful registration.

Default value	20
Allowed values	number of seconds

use_source_ip

Force manager to compute IP address from agent message.

Default value	no
Allowed values	yes or no

Sample configuration

<client>
  <enrollment>
    <enabled>yes</enabled>
    <manager_address>192.168.1.100</manager_address>
    <port>1515</port>
    <agent_name>agent</agent_name>
    <groups>Group1</groups>
    <agent_address>192.168.0.110</agent_address>
    <ssl_cipher>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ssl_cipher>
    <server_ca_path>/path/to/server_ca</server_ca_path>
    <agent_certificate_path>/path/to/agent.cert</agent_certificate_path>
    <agent_key_path>/path/to/agent.key</agent_key_path>
    <authorization_pass_path>/path/to/agent.pass</authorization_pass_path>
    <auto_method>no</auto_method>
    <delay_after_enrollment>20</delay_after_enrollment>
    <use_source_ip>no</use_source_ip>
  </enrollment>
</client>

Sample link-local IPv6 enrollment configuration

<client>
  <enrollment>
    <enabled>yes</enabled>
    <manager_address>fe80:0000:0000:0000:a00:27ff:feff:6b0b</manager_address>
    <interface_index>7</interface_index>
    <port>1515</port>
  </enrollment>
</client>

client_buffer

This section shows how to configure the agent bucket parameters in order to avoid events flooding.

Options

disabled
queue_size
events_per_second

disabled

Toggles the agent buffer on and off. When set to yes, the agent will send events to the manager without any congestion control.

Default value	no
Allowed values	yes, no

Warning

Disabling this functionality in large environments may overwhelm the manager and the network, causing them to fail.

queue_size

Sets the capacity of the agent buffer in number of events.

Default value	5000
Allowed values	Any number between 1 and 100000.

events_per_second

Specifies the number of events that can be sent to the manager per second.

Default value	500
Allowed values	Any number between 1 and 1000.

Default configuration

<client_buffer>
  <!-- Agent buffer options -->
  <disabled>no</disabled>
  <queue_size>5000</queue_size>
  <events_per_second>500</events_per_second>
</client_buffer>

cluster

This section explains how to configure the Wazuh cluster for manager synchronization.

Options

name
node_name
node_type
key
port
bind_addr
nodes
hidden
disabled
haproxy_helper

name

Specifies the name of the cluster this node belongs to.

Default value	wazuh
Allowed values	Any name

node_name

Specifies the name of the current node of the cluster.

Note

Each node of the cluster must have a unique name. If two nodes share the same name, one of them will be rejected.

Default value	node01
Allowed values	Any name

node_type

Specifies the role of the node.

Default value	master
Allowed values	master, worker

Warning

Using client as node_type in configuration is still valid, but a warning message will be shown in logs.

key

Defines the key used to encrypt the communication between the nodes. This key must be 32 characters long. Refer to the configuring-cluster for information on how to generate a key.

Note

This key must be the same for all of the cluster nodes.

Default value	n/a
Allowed values	Any alphanumeric string of 32 characters.

port

Specifies the port to use for the cluster communications.

Default value	1516
Allowed values	Any port number from 1 to 65535.

bind_addr

Specifies which IP address will communicate with the cluster when the node has multiple network interfaces.

Default value	0.0.0.0
Allowed values	Any valid IP address.

nodes

Lists all master nodes in the cluster using the <node> tag for each one.

Default value	NODE_IP
Allowed values	Any valid address (IP or DNS) of a cluster node.

Note

The current cluster only allows one master node. Therefore, this list must have only one element. If more elements are found, the first one will be used as master, and the rest will be ignored.

hidden

Toggles whether or not to show information about the cluster that generated an alert. If this is set to yes, information about the cluster that generated the event won't be included in the alert.

Default value	no
Allowed values	yes, no

disabled

Toggles whether the cluster is enabled or not. If this value is set to yes, the cluster won't start.

Default value	no
Allowed values	yes, no

haproxy_helper

This section explains how to configure the HAProxy helper for agent balancing.

haproxy_disabled

Toggles whether the HAProxy helper is enabled or not. If this value is set to yes, the helper won't start.

Default value	yes
Allowed values	yes, no

haproxy_address

Specifies the address of HAProxy to communicate with.

Default value	n/a
Allowed values	Any valid address (IP or DNS) of a cluster node.

haproxy_user

Specifies the user of HAProxy to connect with.

Default value	n/a
Allowed values	Any valid username.

haproxy_password

Specifies the password of HAProxy to connect with.

Default value	n/a
Allowed values	Any password.

haproxy_port

Specifies the port to use for the HAProxy communication.

Default value	5555
Allowed values	Any port number from 1024 to 65535.

haproxy_protocol

Specifies the protocol to use for the HAProxy communication.

Default value	http
Allowed values	http, https

haproxy_cert

Specifies the location of the HAProxy certificate file.

Default value	n/a
Allowed values	Path to a valid certificate file.

client_cert

Specifies the location of the client-side certificate file.

Default value	n/a
Allowed values	Path to a valid certificate file.

client_cert_key

Specifies the location of the client-side certificate key file.

Default value	n/a
Allowed values	Path to a valid certificate key file.

client_cert_password

Specifies the password for the client-side certificate.

Default value	n/a
Allowed values	Password used for the Client Side Certificate files.

haproxy_backend

Specifies the name of the backend that will be created in HAProxy.

Default value	wazuh_reporting
Allowed values	Any valid name.

haproxy_resolver

Specifies the name of the HAProxy resolver to use.

Default value	n/a
Allowed values	Any valid name.

excluded_nodes

Specifies the cluster nodes to exclude from the agent distribution.

Default value	n/a
Allowed values	Any valid name of a cluster node separated by a comma.

frequency

Specifies the number of seconds to wait until the next check.

Default value	60
Allowed values	Any integer greater than or equal to 10.

agent_chunk_size

Specifies the size of the chunk of agents to reconnect at the same time.

Default value	300
Allowed values	Any integer greater than or equal to 100.

agent_reconnection_time

Specifies the number of seconds to wait between the chunks of agents reconnected.

Default value	5
Allowed values	Any integer greater than or equal to 0.

agent_reconnection_stability_time

Specifies the number of seconds to wait after reconnecting agents to a new worker.

Default value	60
Allowed values	Any integer greater than or equal to 10.

imbalance_tolerance

Specifies a tolerance value to determine when a cluster is unbalanced.

Default value	0.1
Allowed values	Any float between 0 and 1.

remove_disconnected_node_after

Specifies the number of minutes to wait to remove a disconnected worker.

Default value	240
Allowed values	Any integer greater than or equal to 0.

Sample configuration

<cluster>
  <name>wazuh</name>
  <node_name>manager_01</node_name>
  <node_type>master</node_type>
  <key>ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa</key>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>master</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
  <haproxy_helper>
    <haproxy_disabled>no</haproxy_disabled>
    <haproxy_address>wazuh-proxy</haproxy_address>
    <haproxy_user>haproxy</haproxy_user>
    <haproxy_password>haproxy</haproxy_password>
    <haproxy_port>5555</haproxy_port>
    <haproxy_protocol>http</haproxy_protocol>
    <haproxy_backend>wazuh_cluster</haproxy_backend>
    <frequency>60</frequency>
    <agent_chunk_size>100</agent_chunk_size>
    <agent_reconnection_time>10</agent_reconnection_time>
    <agent_reconnection_stability_time>60</agent_reconnection_stability_time>
    <imbalance_tolerance>0.1</imbalance_tolerance>
    <remove_disconnected_node_after>10</remove_disconnected_node_after>
  </haproxy_helper>
</cluster>

command

In the command configuration section, a command is defined that will be used by one or more active responses. There is no limit on the number of commands that may be used by an active response, however, each one must be in its own separate <command> section.

Options

name
executable
expect
extra_args
timeout_allowed

name

Specifies the name of the command which is called in the active-response section.

Default value	n/a
Allowed values	Any name
use	Required

executable

Names an executable file to run. It is not necessary to provide the path.

These files are located in /var/ossec/active-response/bin directory in Linux based systems, or in C:\Program Files (x86)\ossec-agent\active-response\bin directory in Windows systems.

Default value	n/a
Allowed values	Any file name
use	Required

expect

Deprecated since version 4.2.

Specifies the lists of extracted fields that are to be passed as parameters to the command. If any of the listed fields were not declared in a certain instance, those field values would be passed as a dash (-) instead of as no value at all. The command requires finding the expected fields in the alert, otherwise, the AR will be skipped.

A good example is the firewall-block command which expects the srcip field in order to know which IP address to block. Multiple expected field names are comma separated.

Default value	n/a
Allowed values	Extracted fields: srcip, user, or filename separated by commas if there is more than one.
use	Not required

extra_args

Allows the user to customize the parameters sent to the active response script living on the agent side.

Default value	n/a
Allowed values	Any extra argument to be read by the active-response scripts.
use	Not required

Note

The content of this setting will be appended to the existent parameters being sent to the agent.

timeout_allowed

Specifies whether the command is stateful or stateless. If yes, the command is stateful, meaning it will undo its original action after the period of time specified in the Active Response.

Default value	no
Allowed values	yes, no

Sample configuration

<!-- For Unix systems -->
<command>
  <name>custom_command</name>
  <executable>custom_script</executable>
  <extra_args>arg1 arg2 arg3</extra_args>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- For Windows systems -->
<command>
  <name>win_route-null</name>
  <executable>route-null.exe</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

database_output

Note

To use this output feature, Wazuh must be compiled with the database type that is to be used. Read this article to learn about how to install and enable it.

MySQL and PostgreSQL database output is supported. The following options below are available to configure it:

Available options

hostname
username
password
database
type

hostname

Specify the IP address of the database server.

Default value	n/a
Allowed values	Any valid IP address

username

Specify the username to access the database.

Default value	n/a
Allowed values	Any valid username

password

Specify the password to access the database.

Default value	n/a
Allowed values	Any password

database

Specify the name of the database in which to store the alerts.

Default value	n/a
Allowed values	Database name

type

Type of database (Mysql or PostgreSQL).

Default value	n/a
Allowed values	mysql/postgresql

Sample configuration

<database_output>
  <hostname>192.168.1.122</hostname>
  <username>MySQLadmin</username>
  <password>secret1234</password>
  <database>Alerts_DB</database>
  <type>mysql</type>
</database_output>

email_alerts

This extends the email options configured in the <global> section.

Note

Global email configuration is necessary to use granular email options.

Options

email_to
level
group
event_location
format
rule_id
do_not_delay
do_not_group

email_to

This specifies a single email address to which to send email alerts. If you want to send alerts to multiple addresses, each address must be listed in a separate <email_to> section. Lists are not allowed.

Default value	n/a
Allowed values	Any valid email address is allowed.
Usage	Required.

level

This is the minimum alert severity level for which emails will be sent.

Note

The level option should be set at or above the email_alert_level in the <alerts> section of the configuration.

Default value	n/a
Allowed values	Any alert level 0 to 16 is allowed.

group

This option sets specific rule groups that alerts must belong to for email notification.

Default value	n/a
Allowed values	Any group string. For multiple groups, separate the strings with a pipe character `\|`.

Note

To avoid partial matches, add a comma at the end of the group string. For example, <rules_group>group_a,|group_b,|group_c,</rules_group>. Not ending the group string with a comma implies that it's a substring open for partial matches. For example, the group string authentication matches rule groups authentication, authentication_success, and authentication_failure while the group string authentication, matches only rule group authentication.

Also, check that the rule group in your rule definitions ends with a comma as well. For example, <group>group_b,</group>. This is usually the case in the Wazuh default ruleset.

event_location

The alert must match this event location to be forwarded. Do not specify this option repeatedly, as only the last instance would be used.

Default value	n/a
Allowed values	Any single agent name, hostname, IP address, or log file is allowed

format

This specifies the email format.

Default value	full
Allowed values	default	Send normal emails.
	full	Send normal emails.
	sms	Use a compact format more suitable for SMS.

rule_id

This limits the sending of emails to only when rules are tripped that have one of the listed rule IDs.

Default value	n/a
Allowed values	One or more rule IDs can be used here, separated by a comma and a space ( ", " ).

do_not_delay

This causes email alerts to be sent right away, rather than to be delayed for the purpose of batching multiple alerts together.

Default value	n/a
Allowed values	XML tag with no value

do_not_group

This disables grouping of multiple alerts into the same email.

Default value	n/a
Allowed values	XML tag with no value

Warning

Notice that do_not_delay and do_not_group are special empty-element XML tags, so they stand alone, not having a starting and ending version of the tag. This is indicated by the tag name containing "/" at the end of the name.

Example of configuration

<email_alerts>
        <email_to>recipient@example.wazuh.com</email_to>
        <email_to>recipient2@example.wazuh.com</email_to>
        <level>12</level>
        <group>sshd,</group>
        <do_not_delay/>
</email_alerts>

global

Global configuration generally applies to features that affect the system as a whole, rather than a specific component.

Options

alerts_log

This toggles the writing of alerts to /var/ossec/logs/alerts/alerts.log.

Default value	yes
Allowed values	yes, no

Warning

Disabling JSON and plain text formatted alerts simultaneously is not compatible with the integrator, syslog client or email features.

email_notification

This toggles the use of email alerting.

Default value	no
Allowed values	yes, no

email_to

This specifies the email recipient for alerts.

Note

A base configuration must be included in the section in order to use granular email configurations.

Default value	n/a
Allowed values	Any valid email address

Note that this section only allows for one email address. In case you want to add more than one, repeat the section as many times as required.

email_from

This specifies the “source” address contained in the email alerts.

Default value	n/a
Allowed values	Any valid email address

email_reply_to

This specifies the “reply-to” address contained in the email alerts.

Default value	n/a
Allowed values	Any valid email address

smtp_server

This option defines what SMTP server to use to deliver alerts.

Default value	n/a
Allowed values	Valid hostname or IP address. Full path to a sendmail-like executable.

helo_server

This option defines how the Wazuh server identifies itself when sending mail.

Default value	notify.ossec.net
Allowed values	Any valid hostname.

email_maxperhour

This sets the maximum number of email alerts that can be sent per hour. All emails beyond this hourly threshold are then queued to be sent together in a single email at the end of the hour.

Note

At the end of the hour, the queued emails will be sent together in one email whether mail grouping is turned on or not.

Default value	12
Allowed values	Any number from 1 to 1000000

email_idsname

The name will be added to the email headers with the specified value.

Default value	n/a
Allowed values	Any name

email_log_source

This selects the alert file to be read from.

Default value	alerts.log
Allowed values	alerts.log or alerts.json

custom_alert_output

The values below may be used with this option to specify the format of the alerts that are written to alerts.log:

Variable name	Description
$TIMESTAMP	The time the event was processed by OSSEC.
$FTELL	Unknown
$RULEALERT	Unknown
$HOSTNAME	Hostname of the system generating the event.
$LOCATION	The file the log messages were saved to.
$RULEID	The rule id of the alert.
$RULELEVEL	The rule level of the alert.
$RULECOMMENT	Unknown
$SRCIP	The source IP specified in the log message.
$DSTUSER	The destination user specified in the log message.
$FULLLOG	The original log message.
$RULEGROUP	The group containing the rule.

stats

This sets the severity level for events that are generated by statistical analysis.

Default value	8
Allowed values	Any level from 0 to 16

logall

This toggles whether to store events even when they do not trip a rule with results written to /var/ossec/logs/archives/archives.log.

Default value	no
Allowed values	yes, no

logall_json

This toggles whether to store events even when they do not trip a rule with results written to /var/ossec/logs/archives/archives.json.

Default value	no
Allowed values	yes, no

memory_size

This sets the memory size for the event correlation engine.

Default value	8192
Allowed values	Any integer, but values less than 2048 will be replaced by 2048.

white_list

This specifies an IPv4/IPv6 address, netblock, or hostname that will not trigger an active response. Only one of those values may be specified for each <while_list> tag, but several values may be used by including multiple <white_list> tags. This configuration is compared against the extracted srcip field in the alert.

Default value	n/a
Allowed values	Any IPv4/IPv6 address, netblock (i.e.: 192.168.0.0/16) or hostname

Note

This option is only valid in server and local installs.

host_information

This sets the severity level for events generated by the host change monitor.

Default value	8
Allowed values	Can be used any level from 0 to 16

jsonout_output

This toggles the writing of JSON-formatted alerts to /var/ossec/logs/alerts/alerts.json which would include the same events that would be sent to alerts.log, only in JSON format.

Warning

Disabling jsonout_output disrupts the alerts indexing process. In a default installation, Filebeat reads the alerts.json file and sends this information to the Wazuh indexer. If the writing to this file stops, alerts are no longer indexed.

Default value	yes
Allowed values	yes, no

prelude_output

This toggles Prelude output.

Default value	no
Allowed values	yes, no

prelude_log_level

The minimum alert level required to trigger prelude output.

Default value	0
Allowed values	Any integer from 0 to 16 inclusive

prelude_profile

The prelude client analyzer name.

Default value	OSSEC
Allowed values	Any valid prelude client analyzer.

zeromq_output

This enables ZeroMQ output.

Default value	n/a
Allowed values	yes, no

zeromq_uri

This specifies the ZeroMQ URI for the publisher socket to bind to.

Default value	n/a
Allowed values	This URI format is defined by the ZeroMQ project.

For example:

This will listen for ZeroMQ subscribers on IP address 127.0.0.1:11111.

<zeromq_uri>tcp://localhost:11111/</zeromq_uri>

This will listen on port 21212 for ZeroMQ subscribers, binding to the IP address assigned to eth0.

<zeromq_uri>tcp://eth0:21212/</zeromq_uri>

This will listen for ZeroMQ on the Unix Domain socket /alerts-zmq.

<zeromq_uri>ipc:///alerts-zmq</zeromq_uri>

geoipdb

This indicates the full path of the MaxMind GeoIP IPv4 database file.

Default value	n/a
Allowed values	Path to the GeoIP IPv4 database file location

For example:

<geoipdb>/etc/GeoLiteCity.dat</geoipdb>

rotate_interval

This option sets the interval between file rotation. The range of possible values is from 10m (10 minutes) to 1d (1 day).

Default value	0 (disabled)
Allowed values	A positive number that should end with a character indicating a time unit, such as: s (seconds), m (minutes), h (hours), d (days)

Note

The default minimum value 10m is set in the analysisd.min_rotate_interval option found in the internal configuration file /var/ossec/etc/internal_options.conf.

Example:

<rotate_interval>10h</rotate_interval>

max_output_size

This sets the size limit of alert files with a maximum allowed value of 1TiB and a minimum allowed value of 1MiB.

Default value	0 (disabled)
Allowed values	A positive number that should contain a suffix character indicating a size unit, such as M (mebibyte) and G (gibibyte).

Example:

<max_output_size>20M</max_output_size>

agents_disconnection_time

This sets the time after which the manager considers an agent as disconnected since its last keepalive.

Default value	15m
Allowed values	A positive number that should end with a character indicating a time unit, such as: s (seconds), m (minutes), h (hours), d (days). The minimum allowed is 1s.

Warning

This setting should always be greater than notify-time configured in the agents. This allows them to always notify the manager before it would consider them disconnected.

Example:

<agents_disconnection_time>1m</agents_disconnection_time>

agents_disconnection_alert_time

This sets the time after which an alert is generated since an agent was considered as disconnected. As this is a time-lapse after an agent is considered as disconnected because of the disconnection time, the minimum time frame to produce an alert taking the default values is 2m and 20s.

Default value	0s
Allowed values	A positive number that should end with a character indicating a time unit, such as: s (seconds), m (minutes), h (hours), d (days). The minimum allowed is 0s in order to generate an alert as soon as an agent is considered as disconnected.

Example:

<agents_disconnection_alert_time>1h</agents_disconnection_alert_time>

limits

This block configures the limits section.

limits\eps

Options
limits\eps

limits\eps

This block configures the events per second limitation functionality.

limits\eps\maximum
limits\eps\timeframe

Options	Allowed values
limits\eps\maximum	Zero or a positive number
limits\eps\timeframe	A positive number

Events per second limits example block:

<limits>
  <eps>
    <maximum>500</maximum>
    <timeframe>10</timeframe>
  </eps>
</limits>

limits\eps\maximum

Maximum number of events per second allowed to be processed by decoders.

Default value	0
Allowed values	A number between 0 and 100000. Zero to disable the functionality

limits\eps\timeframe

A positive number expressed in seconds that indicates the time period where the events per second processed are increased and restored.

Default value	10
Allowed values	A positive number between 1 and 3600

update_check

This setting toggles whether to query the external Wazuh Cyber Threat Intelligence (CTI) service for any available Wazuh updates.

Default value	yes
Allowed values	yes, no

forward_to

Specifies the name of the socket where the output will be redirected. The socket must be defined previously.

Default value	None
Allowed values	Any defined socket under `/var/ossec`

Example:

<socket>
  <name>custom_socket</name>
  <location>/var/ossec/custom.sock</location>
  <mode>tcp</mode>
</socket>

<forward_to>custom_socket</forward_to>

Configuration example

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>no</logall>
  <logall_json>no</logall_json>
  <email_notification>no</email_notification>
  <smtp_server>smtp.example.wazuh.com</smtp_server>
  <email_from>wazuh@example.wazuh.com</email_from>
  <email_to>recipient@example.wazuh.com</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
  <agents_disconnection_time>15m</agents_disconnection_time>
  <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  <update_check>yes</update_check>
</global>

github

Note

This module only works on Windows, Linux and macOS. It is recommended to have it enabled only in one agent to avoid repeated logs.

Configuration options of the GitHub module.

Options

enabled
only_future_events
interval
time_delay
curl_max_size
api_auth
api_auth\org_name
api_auth\api_token
api_parameters\event_type

Options	Allowed values
enabled	yes, no
only_future_events	yes, no
interval	A positive number + suffix
time_delay	A positive number + suffix
curl_max_size	A positive number + suffix
api_auth	N/A
api_auth\org_name	Any string
api_auth\api_token	Any string
api_parameters	N/A
api_parameters\event_type	web, git, all

enabled

Enabled the GitHub wodle.

Default value	yes
Allowed values	yes, no

only_future_events

Set it to yes to collect events generated since the Wazuh manager was started.

By default, when Wazuh starts it will only read all log content from GitHub since the manager started.

Default value	yes
Allowed values	yes, no

interval

The interval between Wazuh wodle executions.

Note

When Wazuh starts, it waits for the configured time interval before running the first scan, unless the module has already been running before and the only_future_events option is set to no.

Default value	10m
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days)

time_delay

Specifies the delay time of the scan respect to the current time, by default it is 30 seconds.

Note

This parameter represents how close to the current time the module will collect events, the smaller the value, the closer to real time the collection will be. The problem is that sometimes the GitHub delay increases the chance of missing events. It is recommended to use values greater than 30 seconds.

Default value	30s
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days)

curl_max_size

Specifies the maximum size allowed for the GitHub API response.

Default value	1M
Allowed values	A positive number that should contain a suffix character indicating a size unit, such as b/B (bytes), k/K (kilobytes), m/M (megabytes), and g/G (gigabytes).

api_auth

This block configures the credential for the authentication with the GitHub REST API.

api_auth\org_name
api_auth\api_token

Warning

In case of invalid configuration, after the third scan attempt, a warning message is generated in the log file and an alert is triggered.

Options	Allowed values
api_auth\org_name	Any string
api_auth\api_token	Any string

api_auth\org_name

Name of your organization in GitHub.

Default value	N/A
Allowed values	Any string

api_auth\api_token

Personal access token to authenticate with the GitHub API.

Default value	N/A
Allowed values	Any string

Note

This block can be repeated to give the possibility to connect with more than one organization on GitHub.

api_parameters

This block configures the internal options in the GitHub REST API.

api_parameters\event_type

Options	Allowed values
api_parameters\event_type	Any string

api_parameters\event_type

The event types to include:

web: returns web (non-Git) events.
git: returns Git events.
all: returns both web and Git events.

Default value	all
Allowed values	web, git, all

Example of configuration

<github>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <time_delay>30s</time_delay>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
        <org_name>dummy</org_name>
        <api_token>ghp_oiasd6efbvptrfdua8fyepnfdc78ewf324jg</api_token>
    </api_auth>
    <api_parameters>
        <event_type>all</event_type>
    </api_parameters>
</github>

Example of multiple organizations

<github>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <time_delay>1m</time_delay>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>no</only_future_events>
    <api_auth>
        <org_name>dummy1</org_name>
        <api_token>ghp_oiasd6efbvptrfdua8fyepnfdc78ewf324jg</api_token>
    </api_auth>
    <api_auth>
        <org_name>dummy2</org_name>
        <api_token>ghp_oiasd6efbvptrfdua8fyepnfdc78ewf324jg</api_token>
    </api_auth>
    <api_parameters>
        <event_type>git</event_type>
    </api_parameters>
</github>

indexer

Configure these options to forward inventory data to the Wazuh indexer.

Options

enabled

Enables forwarding inventory data to the Wazuh indexer.

Default	`yes`
Allowed values	`yes`, `no`

hosts

Wazuh indexer nodes to connect to. Use the host option for setting up each node connection.

host

Wazuh indexer node URL or IP address to connect to. For example, http://172.16.1.11 or 192.168.3.2:9230.

Default	`https://0.0.0.0:9200`
Allowed values	Any valid URL or IP address

ssl

Configuration options for the SSL parameters.

certificate_authorities

List of root certificate file paths for verification. Use the ca option for setting up each CA certificate file path.

ca

CA certificate file path.

Default value	`/etc/filebeat/certs/root-ca.pem`
Allowed values	Any valid file path

certificate

The end-entity (leaf) certificate.

Default value	`/etc/filebeat/certs/filebeat.pem`
Allowed values	Any valid file path

key

The certificate key used for authentication.

Default value	`/etc/filebeat/certs/filebeat-key.pem`
Allowed values	Any valid file path

Configuration example

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>

integration

This configures the manager to connect Wazuh to external APIs and alerting tools such as Slack, PagerDuty, VirusTotal, Shuffle, and Maltiverse.

Integration options

name

This indicates the service to integrate with.

Default value	n/a
Allowed values	slack, pagerduty, virustotal, shuffle, maltiverse, any string that begins with 'custom-'

Note

In the case of custom external integration, name must begin with custom- for example: custom-myintegration. Read the How to integrate external software using Integrator document for more information.

hook_url

This is the URL that is used for communication with the software being integrated. It's mandatory for the Slack, Shuffle, and Maltiverse integrations.

Default value	n/a
Allowed values	Slack URL, Shuffle URL, Maltiverse URL

api_key

This is the key that you would have retrieved from the PagerDuty, VirusTotal, or Maltiverse API. This is mandatory for PagerDuty, VirusTotal, and Maltiverse.

Default value	n/a
Allowed values	PagerDuty/VirusTotal/Maltiverse Api key

alert_format

This writes the alert file in the JSON format, which the Integrator uses to fetch fields values.

Default value	n/a
Allowed values	json

Note

Set this option as json for Slack, VirusTotal, Shuffle, and Maltiverse integrations.

Optional filters

level

This filters alerts by rule level so that only alerts with the specified level or above are pushed.

Default value	n/a
Allowed values	Any alert level from 0 to 16

rule_id

This filters alerts by rule ID.

Default value	n/a
Allowed values	Comma-separated rule IDs

group

This filters alerts by rule group. For the VirusTotal integration, only rules from the syscheck group are available.

Default value	n/a
Allowed values	Any rule group or comma-separated rule groups.

event_location

This filters alerts by where the event originated.

Default value	n/a
Allowed values	Any sregex expression.

Optional settings

max_log

The maximum length of an alert snippet that will be sent to the Integrator. Longer strings will be truncated with ...

Default value	165
Allowed values	Any integer from 165 to 1024 inclusive.

Note

This option only applies if alert_format is not set to json.

options

This overwrites the previous fields or adds customization fields according to the information provided in the JSON object.

Default value	n/a
Allowed values	json

timeout

The timeout (in seconds) to wait for a valid response from the external integration server.

Default value	10
Allowed values	Any positive integer.

retries

On timeout, the maximum number of retry attempts for a request to the external integration server.

Default value	3
Allowed values	Any positive integer.

Configuration example

<!-- Integration with Slack -->
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/...</hook_url> <!-- Replace with your Slack hook URL -->
  <level>10</level>
  <group>multiple_drops,authentication_failures</group>
  <alert_format>json</alert_format>
  <options>{"pretext": "Custom Title"}</options> <!-- Replace with your custom JSON object -->
</integration>

<!-- Integration with PagerDuty -->
<integration>
  <name>pagerduty</name>
  <api_key>API_KEY</api_key> <!-- Replace with your PagerDuty API key -->
  <options>{"pretext": "Custom title"}</options> <!-- Replace with your custom JSON object -->
  <alert_format>json</alert_format> <!-- With the new script this is mandatory -->
</integration>

<!-- Integration with VirusTotal -->
<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
  <timeout>30</timeout>
  <retries>5</retries>
</integration>

<!-- Integration with Shuffle -->
<integration>
  <name>shuffle</name>
  <hook_url>http://IP:3001/api/v1/hooks/HOOK_ID</hook_url> <!-- Replace with your Shuffle hook URL -->
  <level>3</level>
  <alert_format>json</alert_format>
  <options>{"data": {"title": "Custom title"}}</options> <!-- Replace with your custom JSON object -->
</integration>

<!-- Integration with Maltiverse -->
<integration>
  <name>maltiverse</name>
  <hook_url>https://api.maltiverse.com</hook_url>
  <api_key>API_KEY</api_key> <!-- Replace with your Maltiverse API key -->
  <alert_format>json</alert_format>
</integration>

<!--Custom external Integration -->
<integration>
  <name>custom-integration</name>
  <hook_url>WEBHOOK</hook_url>
  <level>10</level>
  <group>multiple_drops,authentication_failures</group>
  <api_key>APIKEY</api_key> <!-- Replace with your external service API key -->
  <alert_format>json</alert_format>
  <options>{"data": "Custom data"}</options> <!-- Replace with your custom JSON object -->
</integration>

labels

The labels section of ossec.conf allows additional user-defined information about agents to be included in alerts. When email notifications are enabled, this additional data is also contained in the email alerts without any further configuration.

Options

label

label

This option specifies the additional information that will appear in alerts. Labels can be nested in JSON formatted alerts by separating the "key" terms by a period.

Attributes:

key	The title that will describe the information of the label.
	Allowed value	Any string that does not start with an underscore ( _ )
hidden	For labels that are hidden by default.
	Default value	no
	Allowed value	yes,no

Note

In internal_options.conf, hidden labels can be set to be displayed in alerts.

Note

Keys starting with an underscore character are reserved for the system labels. These labels are invisible and contain internal information of the agents.

Example of configuration

<labels>
  <label key="aws.instance-id">i-052a1838c</label>
  <label key="aws.sec-group">sg-1103</label>
  <label key="network.ip">172.17.0.0</label>
  <label key="network.mac">02:42:ac:11:00:02</label>
  <label key="installation" hidden="yes">January 1st, 2017</label>
</labels>

localfile

This configuration section is used to configure the collection of log data from files, Windows events, and from the output of commands.

Options

location
command
alias
frequency
only-future-events
query
label
target
log_format
out_format
ignore_binaries
age
exclude
reconnect_time
multiline_regex
ignore
restrict
filter

location

The location field specifies where the log data comes from. It includes the following options.

A path to a log file
A Windows event channel
The macOS ULS
The journald system

Default value	n/a
Allowed values	File path, Event channel, `macos`, `journald`

Note

To collect logs from the macOS ULS, you must set both location and log_format to macos.
To collect logs from the journald system, you must set both location and log_format to journald.

For log file names, you can use strftime format strings. For example, you can reference a log file named file.log-2024-04-26 by file.log-%Y-%m-%d.

Wildcards can be used on Linux and Windows systems, if the log file doesn't exist at wazuh-logcollector start time, such log will be re-scanned after logcollector.vcheck_files seconds.

The location field is also valid to filter by channel in case of using an eventchannel supporting Windows.

In the following example we can see two configurations showing a channel filtering for firewall and Sysmon events.

<localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
</localfile>

<localfile>
    <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
    <log_format>eventchannel</log_format>
</localfile>

Below we have some Windows wildcard examples.

<localfile>
    <location>C:\Users\wazuh\myapp\*</location>
    <log_format>syslog</log_format>
</localfile>

<localfile>
    <location>C:\xampp\apache\logs\*.log</location>
    <log_format>syslog</log_format>
</localfile>

<localfile>
    <location>C:\logs\file-%Y-%m-%d.log</location>
    <log_format>syslog</log_format>
</localfile>

Note

strftime format strings and wildcards cannot be used on the same entry.
On Windows systems, only character * is supported as a wildcard. For instance *ANY_STRING*, will match all files that have ANY_STRING inside its name, another example is *.log this will match any log file.
The maximum amount of files monitored at same time is limited to 1000.

command

Given a command output, it will be read as one or more log messages depending on command or full_command is used.

Default value	n/a
Allowed values	Any command line, optionally including arguments

alias

Change a command name in the log message.

For example <alias>usb-check</alias> would replace:

ossec: output: 'reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR':

with:

ossec: output: 'usb-check':

Default value	n/a
Allowed values	any string

frequency

Defines the interval (in seconds) between executions of the command. This option applies to both command and full_command.

Default value	360
Allowed values	any positive number of seconds

only-future-events

It allows to read new log content since wazuh-logcollector was stopped.

By default, when wazuh-logcollector is started it reads the logs generated since that moment. Set it to no to collect events generated since wazuh-logcollector was stopped.

Default value	yes
Allowed values	yes or no

The attributes below are optional.

Attribute

Description

Value range

Default value

max-size

Allows to skip reading old events from the last read if the length of them exceeds a certain value in bytes.

Positive number followed by B, KB, MB and GB units are supported

0 to 2GB

10MB

Warning

If collecting logs with <log_format> set as macos, then max-size is ignored.

Note

If the log rotates while wazuh-logcollector is stopped and only-future-events is set to no, it will start reading from the beginning of the log.

query

This label can be used to filter Windows eventchannel events or macOS ULS logs (macos) that Wazuh will process.

To filter Windows eventchannel events, XPATH format is used to make the queries following the event schema.

Example:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event[System/EventID = 4624 and (EventData/Data[@Name='LogonType'] = 2 or EventData/Data[@Name='LogonType'] = 10)]</query>
</localfile>

To filter macOS ULS logs (macos), Predicates format is used to make the queries.

Example:

<localfile>
  <location>macos</location>
  <log_format>macos</log_format>
  <query type="log,trace" level="debug">process == "sshd" OR message CONTAINS "invalid"</query>
</localfile>

Default value	n/a
Allowed values	Windows Eventchannel	XPATH query format, follows the event schema
Allowed values	macOS ULS	Predicate query format, see How to collect macOS ULS logs

The attributes below are optional and only valid for macOS ULS (macos).

Attribute	Description	Value range	Default value
level	Indicates the level of verbosity, default is the less verbose and debug is the most verbose.	default	default
		info
		debug
type	Limits the type of logs that are intended to be acquired to the ones listed and sepparated by commas.	activity	all
		log
		trace

label

Used to add custom data in JSON events. Set log_format to json to use it.

Labels can be nested in JSON alerts by separating the "key" terms by a period.

Here is an example of how to identify the source of each log entry when monitoring several files simultaneously:

<localfile>
  <location>/var/log/myapp/log.json</location>
  <log_format>json</log_format>
  <label key="@source">myapp</label>
  <label key="agent.type">webserver</label>
</localfile>

This is a sample JSON object from the log file:

{
  "event": {
    "type": "write",
    "destination": "sample.txt"
  },
  "agent": {
    "name": "web01"
  }
}

The additional fields configured above would appear in the resulting event as below:

{
  "event": {
    "type": "write",
    "destination": "sample.txt"
  },
  "agent": {
    "name": "web01",
    "type": "webserver"
  },
  "@source": "myapp"
}

Note

If a label key already exists in the log data, the configured field value will not be included. It is recommended that a unique label key is defined by using a symbol prior to the key name as in @source.

target

Target specifies the name of the socket where the output will be redirected. The socket must be defined previously.

Default value	agent
Allowed values	any defined socket

log_format

Specifies the format of the log to be read. This field is required.

Note

For most text log files with one entry per line, use the syslog format.

Default value	n/a
Allowed values	apache	Used for Apache web server access and error logs.
	audit	Used for Auditd events. Chains consecutive logs with the same ID into a single event.
	command	Executes a command as root and treats each line of output as a separate log entry. Requires `logcollector.remote_commands=1` in internal options.
	djb-multilog	Reads files in the format produced by the daemontools multi-log service logger.
	eventchannel	Used for Microsoft Windows event channels (Vista+). Monitors specified channels and includes all fields in JSON format. Supports standard Windows logs and Application/Service logs.
	eventlog	Used for the classic Microsoft Windows event log format.
	full_command	Executes a command as root and treats the entire output as a single log entry. Requires `logcollector.remote_commands=1` in internal options.
	generic	Used for generic text log files.
	iis	Used for Microsoft Internet Information Services (IIS) web server logs.
	journald	Used for systemd-journal events. Events are collected in syslog format.
	json	Used for single-line JSON files. Supports custom labels via the label tag.
	macos	Used for macOS Unified Logging System (ULS) logs in syslog format. Monitors logs matching the query filter. See how to collect macOS ULS logs.
	multi-line	Used for applications that log multiple fixed lines per event. Format: `multi-line: <NUMBER>`. Combines lines until the specified count is reached.
	multi-line-regex	Used for applications with variable numbers of lines per event. Behavior depends on the multiline_regex option.
	mysql_log	Used for MySQL database logs. Does not support multi-line logs.
	mssql_log	Used for Microsoft SQL Server logs.
	nmapg	Used for grep-able output from the Nmap security scanner.
	ossecalert	Used for OSSEC alert logs.
	postgresql_log	Used for PostgreSQL database logs. Does not support multi-line logs.
	snort-fast	Used for Snort intrusion detection system fast-output format.
	snort-full	Used for Snort intrusion detection system full-output format.
	squid	Used for Squid proxy server logs.
	syslog	Used for plain text files in syslog-like format (one entry per line).
	syslog-pipe	Used for reading from named pipes in syslog format.

Warning

Only one configuration block with log_format set to macos is allowed. If multiple blocks are present, only the last one is used.

Warning

The eventchannel format is not supported on Windows versions prior to Vista, as they do not support event channels.

Warning

Agents ignore command and full_command log sources unless logcollector.remote_commands=1 is set in /var/ossec/etc/internal_options.conf or /var/ossec/etc/local_internal_options.conf. This prevents the manager from executing arbitrary commands on agents with root privileges.

Sample of multi-line log message in the original log file:

Aug 9 14:22:47 hostname log line one
Aug 9 14:22:47 hostname log line two
Aug 9 14:22:47 hostname log line four
Aug 9 14:22:47 hostname log line three
Aug 9 14:22:47 hostname log line five

Sample of log message as processed by wazuh-analysisd:

Aug 9 14:22:47 hostname log line one Aug 9 14:22:47 hostname log line two Aug 9 14:22:47 hostname log line three Aug 9 14:22:47 hostname log line four Aug 9 14:22:47 hostname log line five

out_format

This option allows formatting logs from Logcollector using field substitution.

The list of available parameters is:

Parameter	Description
`log`	Message from the log.
`json_escaped_log`	Message from the log, escaping JSON reserver characters.
`base64_log`	Message from the log, encoded in base64.
`output`	Output from a command. Alias of `log`.
`location`	Path to the source log file.
`command`	Command line or alias defined for the command. Alias of `location`.
`timestamp`	Current timestamp (when the log is sent), in RFC3164 format.
`timestamp <FORMAT>`	Custom timestamp, in `strftime` string format.
`hostname`	System's host name.
`host_ip`	Host's primary IP address.

Attributes:

target	This option selects a defined target to apply the output format.
	Allowed values	Any target defined in the option `<target>`.
	Default value	Select all targets defined in the `<localfile>` stanza.

ignore_binaries

This specifies to ignore binary files, testing if the file is UTF8 or ASCII.

If this is set to yes and the file is, for example, a binary file, it will be discarded.

Default value	n/a
Allowed values	yes or no

<localfile>
    <log_format>syslog</log_format>
    <location>/var/logs/*</location>
    <ignore_binaries>yes</ignore_binaries>
</localfile>

Note

On Windows agents, it will also check if the file is encoded with UCS-2 LE BOM or UCS-2 BE BOM.

age

This specifies to read-only files that have been modified before the specified age.

For example, if the age is set to 1 day, all files that have not been modified since 1 day will be ignored.

<localfile>
    <log_format>syslog</log_format>
    <location>/var/logs/*</location>
    <age>1d</age>
</localfile>

Default value	n/a
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days).

exclude

This indicates the location of a wild-carded group of logs to be excluded.

For example, we may want to read all the files from a directory, but exclude those files whose name starts with an e.

<localfile>
    <log_format>syslog</log_format>
    <location>/var/logs/*</location>
    <exclude>/var/logs/e*</exclude>
</localfile>

Default value	n/a
Allowed values	Any log file or wildcard

reconnect_time

Defines the interval of reconnection attempts when the Windows Event Channel service is down.

Default value	5s
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days), w (weeks)

Note

This option only applies when the log_format is eventchannel.

multiline_regex

This specifies a regular expression, match criteria and replace option for logs with a variable amount of lines.

Default value	n/a
Allowed values	Any PCRE2 regular expression

The attributes below are optional.

Attribute	Description	Value range	Default value
match	Allows to set how regex will handle regex match.	start	start
		end
		all
replace	Allows to replace or remove end-of-line.	no-replace	no-replace
		wspace
		tab
		none
timeout	Allows to set max waiting time in seconds to receive a new line	1 to 120	5

Note

This option only applies when the log_format is multi-line-regex.

Note

The value of timeout attribute cannot be bigger than the value of the age option.

The behavior of the match attribute is as follows

Match

Description

start

Group as one event the content between two lines that matches the regex.

The grouped event does not include the last matching line.

end

Group as one event the content until a line that matches the regex.

all

Group as one event the content until whole event match the regex.

Note

start and end value for match attribute try to match the regex with a single line.

For example, we may want to read a Python Traceback output as one single log, replacing newline with spaces

<localfile>
    <log_format>multi-line-regex</log_format>
    <location>/var/logs/my_python_app.log</location>
    <multiline_regex replace="wspace">^Traceback</multiline_regex>
 </localfile>

ignore

Specify a regular expression to ignore log lines or command outputs when matching. Whether several ignore labels are defined, entries are ignored when matching any of the specified ones.

Default Value	n/a
Allowed values	Any regex, sregex or PCRE2 expression.

Use the type attribute to define the regular expression type. By default, PCRE2 is applied.

type	Allows to set regular expression type
	Default value	PCRE2
	Allowed values	osregex, osmatch, PCRE2

For example, to ignore events related to configuration changes in the audit log:

<localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
    <ignore type="PCRE2">type=.+_CHANGE</ignore>
    <ignore type="osregex">type=CONFIG_\.+</ignore>
</localfile>

restrict

Specify a regular expression to restrict processed log lines or command outputs. Whether several restrict labels are defined, entries are processed when matching all of them.

Default Value	n/a
Allowed values	Any regex, sregex or PCRE2 expression.

Use the type attribute to define the regular expression type. By default, PCRE2 is applied.

type	Allows to set regular expression type
	Default value	PCRE2
	Allowed values	osregex, osmatch, PCRE2

For example, to restrict syslog events related to a particular user name:

<localfile>
    <log_format>syslog</log_format>
    <location>/custom/file/path</location>
    <restrict type="PCRE2">username_\d?</restrict>
    <restrict type="osregex">Jun\.+</restrict>
</localfile>

Note

For formats that group multiple lines, the entire group is treated as a single log when evaluating the regex.

Note

Whether the same log entry matches an ignore and also a restrict configured for the same localfile, the entry is discarded. In other words, the ignore has precedence over restrict. Said that, if the same expression is defined in both ignore and restrict, no log will be processed for that localfile.

Note

The eventchannel format already provides a way to filter logs through queries. Therefore, ignore and restrict settings don't apply to this format.

filter

Collects journald logs selectively by filtering specific fields.

Specify a PCRE2 regular expression as the filter. Use the field attribute to select the journald field to match.

Default value	n/a
Allowed values	Any PCRE2 expression.

Use the ignore_if_missing attribute to control logs that lack the specified field:

yes: Wazuh ignores the filter and accepts logs even if the field is missing.
no: Logs without the field do not match the filter and are filtered out.

ignore_if_missing	Default value	no
ignore_if_missing	Allowed values	no, yes

Multiple <localfile> blocks combine with OR logic.

Filters inside the same <localfile> block combine with AND logic. A log entry must match all filters in that block to be collected.

In the following example, Wazuh collects journald logs if any of these conditions hold:

The field _SYSTEMD_UNIT equals ssh.service.
The field _SYSTEMD_UNIT equals cron.service and either:
- The field PRIORITY matches 0, 1, 2, or 3, or
- the PRIORITY field is missing.

This configuration captures:

All SSH logs
High-severity cron messages and anomalous cron entries that lack priority information.

<!-- For monitoring log files -->
<localfile>
  <location>journald</location>
  <log_format>journald</log_format>
  <filter field="_SYSTEMD_UNIT">^ssh.service$</filter>
</localfile>

<localfile>
  <location>journald</location>
  <log_format>journald</log_format>
  <filter field="_SYSTEMD_UNIT">^cron.service$</filter>
  <filter field="PRIORITY" ignore_if_missing="yes">[0-3]</filter>
</localfile>

When multiple journald blocks are present:

If no block has filters, Wazuh collects all journald logs.
If at least one block has filters, Wazuh applies filters only from blocks that include them. Blocks without filters are ignored. This lets restrictive blocks override the default 'collect everything' behavior.

Configuration examples

Linux configuration:

<!-- For monitoring log files -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/syslog</location>
</localfile>

<!-- For monitoring command output -->
<localfile>
  <log_format>command</log_format>
  <command>df -P</command>
  <frequency>360</frequency>
</localfile>

<!-- To use a custom target or format -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/auth.log</location>
  <target>agent,custom_socket</target>
  <out_format target="custom_socket">$(timestamp %Y-%m-%d %H:%M:%S): $(log)</out_format>
</localfile>

Windows configuration:

<!-- For monitoring Windows eventchannel -->
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <only-future-events>yes</only-future-events>
  <query>Event/System[EventID != 5145 and EventID != 5156]</query>
  <reconnect_time>10s</reconnect_time>
</localfile>

macOS configuration:

<!-- For monitoring macOS ULS Logs -->
<localfile>
  <location>macos</location>
  <log_format>macos</log_format>
  <query type="trace,log,activity" level="info">process == "sshd" OR message CONTAINS "invalid"</query>
</localfile>

logging

This section shows how to configure the format of the internal log file ("ossec.log").

Options

log_format

log_format

Specifies the log format between JSON output (.json) or plain text (.log). It also can be set to output both formats at the same time, when both are formats are entered, separated by a comma.

Depending on the given format, the output file will be /var/ossec/logs/ossec.log, /var/ossec/logs/ossec.json or both of them.

Default value	plain
Allowed values	plain json plain, json

Default configuration

<!-- Choose between plain or json format (or both) for internal log file -->
<logging>
  <log_format>plain</log_format>
</logging>

ms-graph

Note

This module only works on Windows, Linux, and macOS. It is recommended to have it enabled on a single manager/agent to avoid log duplication.

Configuration options of the Microsoft Graph module.

Options

enabled
only_future_events
interval
curl_max_size
page_size
time_delay
run_on_start
version
api_auth
api_auth\tenant_id
api_auth\client_id
api_auth\secret_value
api_auth\api_type
resource
resource\name
resource\relationship

Options	Allowed values
enabled	yes, no
only_future_events	yes, no
interval	A positive number + suffix
curl_max_size	A positive number + suffix
page_size	A positive number between 1–50
time_delay	A positive number + suffix
run_on_start	yes, no
version	beta, v1.0
api_auth	N/A
api_auth\tenant_id	Any string
api_auth\client_id	Any string
api_auth\secret_value	Any string
api_auth\api_type	global, gcc-high, dod
resource	N/A
resource\name	Any string
resource\relationship	Any string

enabled

Enables the Microsoft Graph module.

Default value	yes
Allowed values	yes, no

only_future_events

Set it to yes to collect events generated since the Wazuh manager was started.

By default, the Microsoft Graph module will only read logs from when the module was started onward.

Default value	yes
Allowed values	yes, no

interval

The length of time the module will wait before searching for logs.

Note

When Wazuh starts, the module will wait for the duration of the configured time interval before running the first scan unless run_on_start is set to yes.

Default value	1d
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours), and d (days).

curl_max_size

Specifies the maximum size allowed for the Microsoft Graph API response.

Default value	1M
Allowed values	A positive number that should contain a suffix character indicating a size unit, such as b/B (bytes), k/K (kilobytes), m/M (megabytes), and g/G (gigabytes). Minimum value of 1M.

page_size

Controls the page size by limiting the items returned per page on every API request.

Default value	50
Allowed values	A positive number between 1–50.

time_delay

Adds time_delay setting. Its value must be greater than or equal to 0. By default, its value is 30s. This setting allows time suffixes s (seconds), m (minutes), h (hours), d (days), and w (weeks).

Default value	30s
Allowed values	A positive number that must contain a suffix character indicating a time unit, such as `s` (seconds), `m` (minutes), `h` (hours), `d` (days), and `w` (weeks).

run_on_start

Overrides the interval option and forces a run of the module on startup.

Default value	yes
Allowed values	yes, no

version

Specifies the version of the Microsoft Graph API to use. For production use, v1.0 should be preferred.

Default value	v1.0
Allowed values	beta, v1.0

api_auth

This block configures the credentials used for authenticating with the Microsoft Graph REST API.

api_auth\tenant_id
api_auth\client_id
api_auth\secret_value
api_auth\api_type

Warning

In the case of an invalid configuration, a warning message will be generated in the log file.

Options	Allowed values
api_auth\tenant_id	Any string
api_auth\client_id	Any string
api_auth\secret_value	Any string
api_auth\api_type	global, gcc-high, dod

api_auth\tenant_id

Tenant ID of the application registered in Azure.

Default value	N/A
Allowed values	Any string

api_auth\client_id

Client ID of the application registered in Azure.

Default value	N/A
Allowed values	Any string

api_auth\secret_value

Secret associated with the application registered in Azure.

Default value	N/A
Allowed values	Any string

api_auth\api_type

Type of Microsoft 365 subscription plan used by the tenant. global refers to either a commercial or GCC tenant.

Default value	N/A
Allowed values	global, gcc-high, dod

resource

This block configures which logging sources to pull from the Microsoft Graph REST API.

resource\name
resource\relationship

Options	Allowed values
resource\name	Any string
resource\relationship	Any string

resource\name

The name of the resource (i.e., specific API endpoint) to query for logs. Additional information on the Microsoft Graph REST API endpoints can be found at the Microsoft Graph REST API v1.0 endpoint reference.

Default value	N/A
Allowed values	Any string

resource\relationship

This section configures the relationships content type from which to obtain logs.

For the identityProtection resource, the configuration includes the following relationship:

riskDetections: Retrieves details of user risk, user and application sign-in risk detections from Microsoft Entra ID.

For the security resource, the configuration includes the following relationships:

alerts: Legacy alert from supported Azure and Microsoft 365 Defender security providers.
alerts_v2: An enriched version of alerts that contains additional information on suspicious activities and related collections of alerts.
incidents: Correlated alerts and associated data that make up the story of an attack (part of Microsoft 365 Defender).
secureScores: The tenant's security score per day, at the tenant and control level.
cases/eDiscoveryCases: Contains custodians, searches, and review sets from Microsoft Purview eDiscovery Premium.

For the deviceManagement resource, the configuration includes the following relationships:

auditEvents: Audit logs include a record of activities that generate a change in Microsoft Intune.
managedDevices: List of devices managed by Microsoft Intune.
detectedApps: List of applications managed by Microsoft Intune. The results will also include a list of devices where each app is installed.

Default value	N/A
Allowed values	Any string

Note

Resource blocks can be repeated to give the possibility to connect with more than one API within a tenant.

Example of configuration

<ms-graph>
    <enabled>yes</enabled>
    <only_future_events>yes</only_future_events>
    <curl_max_size>10M</curl_max_size>
    <run_on_start>yes</run_on_start>
    <interval>5m</interval>
    <version>v1.0</version>
    <api_auth>
      <client_id>your_client_id</client_id>
      <tenant_id>your_tenant_id</tenant_id>
      <secret_value>your_secret_value</secret_value>
      <api_type>global</api_type>
    </api_auth>
    <resource>
      <name>security</name>
      <relationship>alerts_v2</relationship>
      <relationship>incidents</relationship>
    </resource>
    <resource>
      <name>auditLogs</name>
      <relationship>signIns</relationship>
    </resource>
    <resource>
      <name>deviceManagement</name>
      <relationship>auditEvents</relationship>
    </resource>
    <resource>
      <name>identityProtection</name>
      <relationship>riskDetections</relationship>
    </resource>
</ms-graph>

office365

Note

This module only works on Windows, Linux, and macOS. It is recommended to have it enabled only in one agent to avoid repeated logs.

Configuration options of the Office365 module.

Options

enabled
only_future_events
interval
curl_max_size
api_auth
api_auth\tenant_id
api_auth\client_id
api_auth\client_secret_path
api_auth\client_secret
api_auth\api_type
subscriptions
subscriptions\subscription

Options	Allowed values
enabled	yes, no
only_future_events	yes, no
interval	A positive number + suffix
curl_max_size	A positive number + suffix
api_auth	N/A
api_auth\tenant_id	Any string
api_auth\client_id	Any string
api_auth\client_secret_path	Any string
api_auth\client_secret	Any string
api_auth\api_type	commercial, gcc, gcc-high
subscriptions	N/A
subscriptions\subscription	Any string

enabled

Enabled the Office365 wodle.

Default value	yes
Allowed values	yes, no

only_future_events

Set it to yes to collect events generated since the Wazuh manager was started.

By default, when Wazuh starts it will only read all log content from Office365 since the manager started.

Default value	yes
Allowed values	yes, no

interval

The interval between Wazuh wodle executions.

Note

When Wazuh starts, it waits for the configured time interval before running the first scan, unless the module has already been running before and the only_future_events option is set to no.

Default value	10m
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days)

curl_max_size

Specifies the maximum size allowed for the Office365 API response.

Default value	1M
Allowed values	A positive number that should contain a suffix character indicating a size unit, such as b/B (bytes), k/K (kilobytes), m/M (megabytes), and g/G (gigabytes).

api_auth

This block configures the credential for the authentication with the Office365 REST API.

api_auth\tenant_id
api_auth\client_id
api_auth\client_secret_path
api_auth\client_secret
api_auth\api_type

Warning

In case of invalid configuration, after the third scan attempt, a warning message is generated in the log file and an alert is triggered.

Options	Allowed values
api_auth\tenant_id	Any string
api_auth\client_id	Any string
api_auth\client_secret_path	Any string
api_auth\client_secret	Any string
api_auth\api_type	commercial, gcc, gcc-high

api_auth\tenant_id

Tenant id of your application registered in Azure.

Default value	N/A
Allowed values	Any string

api_auth\client_id

Client id of your application registered in Azure.

Default value	N/A
Allowed values	Any string

api_auth\client_secret_path

Path of the file that contains the client secret value of your application registered in Azure. Incompatible with client_secret option.

Default value	N/A
Allowed values	Any string

api_auth\client_secret

Client secret value of your application registered in Azure.

Default value	N/A
Allowed values	Any string

api_auth\api_type

Type of Microsoft 365 subscription plan used by the tenant.

Default value	commercial
Allowed values	commercial, gcc, gcc-high

Note

This block can be repeated to give the possibility to connect with more than one tenant on Office 365.

subscriptions

This block configures the internal options in the Office365 REST API.

subscriptions\subscription

Options	Allowed values
subscriptions\subscription	Any string

subscriptions\subscription

This section configures the content types from which to collect audit logs. These are the subscription types that can be configured:

Audit.AzureActiveDirectory: User identity management.
Audit.Exchange: Mail and calendaring server.
Audit.SharePoint: Web-based collaborative platform.
Audit.General: Includes all other workloads not included in the previous content types.
DLP.All: Data loss prevention workloads.

Default value	N/A
Allowed values	Any string

Example of configuration

<office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
        <tenant_id>your_tenant_id</tenant_id>
        <client_id>your_client_id</client_id>
        <client_secret>your_client_secret</client_secret>
        <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
        <subscription>Audit.AzureActiveDirectory</subscription>
        <subscription>Audit.General</subscription>
    </subscriptions>
</office365>

Example of multiple tenants

<office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
        <tenant_id>your_tenant_id</tenant_id>
        <client_id>your_client_id</client_id>
        <client_secret>your_client_secret</client_secret>
        <api_type>commercial</api_type>
    </api_auth>
    <api_auth>
        <tenant_id>your_tenant_id_2</tenant_id>
        <client_id>your_client_id_2</client_id>
        <client_secret>your_client_secret_2</client_secret>
        <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
        <subscription>Audit.AzureActiveDirectory</subscription>
        <subscription>Audit.General</subscription>
    </subscriptions>
</office365>

remote

Configuration of manager to listen for events from the agents.

Options

connection
port
protocol
allowed-ips
denied-ips
local_ip
ipv6
queue_size
rids_closing_time
connection_overtake_time
agents

connection

Specifies a type of incoming connection to accept: secure or syslog.

Default value	secure
Allowed values	secure, syslog

port

Specifies the port to use to listen for events.

Default value	1514 if secure, 514 if syslog
Allowed values	Any port number from 1 to 65535

protocol

Specifies the protocol to use. It is available for secure connections and syslog events.

Default value	tcp
Allowed values	udp, tcp

It is now possible to configure both UDP and TCP protocols to work simultaneously in the secure connections, this can be achieved by writing in the same configuration block the accepted protocols separated with a comma. For syslog connections, multiple protocols support require multiple configuration blocks since only one protocol per block is allowed.

allowed-ips

List of IP addresses that are allowed to send syslog messages to the server (one per line).

Default value	n/a
Allowed values	Any IP address or network

Note

It is necessary to list at least one IP address when using the syslog connection type.

denied-ips

List of IP addresses that are not allowed to send syslog messages to the server (one per line).

Default value	n/a
Allowed values	Any IP address or network

local_ip

Local ip address to use to listen for connections.

Default value	All interfaces
Allowed values	Any internal ip address

ipv6

Enables IPv6 support.

Default value	no
Allowed values	yes, no

queue_size

Sets the capacity of the remote daemon queue in number of agent events.

Default value	131072
Allowed values	Any number between 1 and 262144.

Note

The remote queue is only available for agent events, not syslog events. This option only works when the connection is set to secure.

rids_closing_time

Sets the time to close the RIDS files for agents that don't report new events in that time interval.

Default value	5m
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days).

connection_overtake_time

Sets the time to wait before considering a connection with a TCP client down when a new connection with the same key arrives. A value of 0 disables this assessment of connection activity.

Warning

The connection_overtake_time must be higher than the agent notify-time.

Default value	60
Allowed values	A number between 0 and 3600 (seconds).

Note

connection_overtake_time doesn't apply to connections with UDP clients.

agents

allow_higher_versions

Accept agents with a later version than the current manager.

Default value	no
Allowed values	yes, no

Note

This option only works when connection is set to secure.

Example of configuration

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips>
  <local_ip>192.168.1.5</local_ip>
</remote>

<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>tcp,udp</protocol>
  <queue_size>16384</queue_size>
  <rids_closing_time>5m</rids_closing_time>
  <connection_overtake_time>600</connection_overtake_time>
  <agents>
    <allow_higher_versions>no</allow_higher_versions>
  </agents>
</remote>

reports

In this section are listed the different options for the configuration of daily reports based on alerts.

Note

Any number of <reports> blocks can be declared in the same ossec.conf file.

Options

group
category
rule
level
location
srcip
user
title
email_to
showlogs

group

Filter by group/category. It only accepts one group/category.

Default value	n/a
Allowed values	Any group used is allowed.

rule

Rule ID to filter for.

Default value	n/a
Allowed values	Any Rule ID in Wazuh Rules is allowed.

level

Alert level to filter for. The report will include all levels above and including level specified.

Default value	n/a
Allowed values	Any Alert level from 1 to 16 can be used.

location

Filter by the log location or agent name.

Default value	n/a
Allowed values	Any file path, hostname or network is allowed. Any sregex expression

srcip

Filter by the source IP address of the event.

Default value	n/a
Allowed values	Any IP address.

user

Filter by the user or dstuser name.

Default value	n/a
Allowed values	Any username.

title

Name of the report. This is a required field.

Default value	n/a
Allowed values	Any text

email_to

The email address to send the completed report. This is a required field.

Default value	n/a
Allowed values	Any email address

showlogs

Enable or disable the inclusion of logs when creating the report.

Default value	no
Allowed values	yes, no

Example of configuration

<reports>
  <title>Auth_Report</title>
  <group>authentication_failed,</group>
  <srcip>192.168.1.10</srcip>
  <email_to>recipient@example.wazuh.com</email_to>
  <showlogs>yes</showlogs>
</reports>

<reports>
  <title>List of logged users</title>
  <rule>535</rule>
  <email_to>recipient@example.wazuh.com</email_to>
  <srcip>192.168.1.10</srcip>
  <showlogs>yes</showlogs>
</reports>

rootcheck

Configuration options for policy monitoring and anomaly detection.

Options

base_directory
ignore
scanall
readall
frequency
disabled
check_dev
check_if
check_pids
check_ports
check_sys
skip_nfs

base_directory

The base directory that will be prefixed to the following options:

Check rootkits
Check trojans
Scan the /dev directory
Check the hidden files using system calls

Default value (UNIX)	/
Default value (Windows)	C:\
Allowed values	Path to a directory

ignore

List of files or directories to be ignored (one entry per line). Multiple lines may be entered to include multiple files or directories. These files and directories will be ignored during scans.

Allowed values	sregex
Valid for	check_sys, check_dev

Attributes:

type	Simple regex expression to ignore files and directories.
	Allowed values	sregex

scanall

Tells rootcheck to scan the entire system. This option may lead to some false positives.

Default value	no
Allowed values	yes, no

readall

Allow Rootcheck read all system files and compare the bytes read with files size. With readall set to no, only these folders are checked: /bin, /sbin, /usr/bin, /usr/sbin, /dev, /lib, /etc, /root, /var/log, /var/mail, /var/lib, /var/www, /usr/lib, /usr/include, /tmp, /boot, /usr/local, /var/tmp and /sys.

Default value	no
Allowed values	yes, no

frequency

Frequency that the rootcheck is going to be executed (in seconds).

Default value	43200
Allowed values	A positive number (seconds)

disabled

Disables the execution of rootcheck.

Default value	no
Allowed values	yes, no

check_dev

Enable or disable the checking of /dev.

Default value	yes
Allowed values	yes, no

check_if

Enable or disable the checking of network interfaces.

Default value	yes
Allowed values	yes, no

check_pids

Enable or disable the checking of process ID's.

Default value	yes
Allowed values	yes, no

check_ports

Enable or disable the checking of network ports.

Default value	yes
Allowed values	yes, no

check_sys

Enable or disable checking for anomalous file system objects.

Default value	yes
Allowed values	yes, no

skip_nfs

Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default value	yes
Allowed values	yes, no

Default Unix configuration

<!-- Policy monitoring -->
<rootcheck>
  <disabled>no</disabled>
  <check_dev>yes</check_dev>
  <check_sys>yes</check_sys>
  <check_pids>yes</check_pids>
  <check_ports>yes</check_ports>
  <check_if>yes</check_if>
  <ignore type="sregex">^/etc/</ignore>

  <!-- Frequency that rootcheck is executed - every 12 hours -->
  <frequency>43200</frequency>

  <skip_nfs>yes</skip_nfs>
</rootcheck>

sca

This section covers the configuration for the Security Configuration Assessment module.

Settings to run Security Configuration Assessment scans.

Options

Main options

enabled
skip_nfs
policies
max_eps
synchronization

Main options	Allowed values
enabled	yes, no
skip_nfs	yes, no
policies	N/A
max_eps	Integer (0-1,000,000)
synchronization	N/A

Scheduling options

scan_on_start
interval
day
wday
time

Scheduling options	Allowed values
scan_on_start	yes, no
interval	A positive number + suffix
day	A day of the month
wday	A day of the week
time	A time of the day [hh:mm]

Interval suffixes	Time scale
s	seconds
m	minutes
d	days
w	weeks
M	months

Some examples of usage of these options are included in the SCA documentation.

enabled

Enables the module.

Default value	yes
Allowed values	yes, no

skip_nfs

Deprecated since version 5.0.0.

Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default value	yes
Allowed values	yes, no

policies

Between <policy> tags, in this section it can be included policy files to run assessments.

Default value	n/a
Allowed values	Any YAML policy file

Attributes

enabled

Offers the possibility to disable a policy when it has been enabled previously.

Note

Since Wazuh v3.10.0, although this section is missing, the Wazuh Agent will run scans for every policy (.yaml or .yml files) present in their ruleset folder.

Warning

Since Wazuh v4.2.0, when a policy is defined by a relative path, this path is relative to the Wazuh installation directory. If the policy is located outside the installation directory, a full path can be used.

Example

<policies>
  <policy>etc/shared/cis_debian10.yml</policy>
  <policy>/path/to/my/policy.yml</policy>
</policies>

max_eps

Sets the maximum throughput for event reporting. Events are messages that generate alerts.

Default value	50
Allowed values	Integer between 0 and 1,000,000. 0 disables it.

Example:

<max_eps>50</max_eps>

synchronization

Database synchronization settings go inside this tag.

<!-- Database synchronization settings -->
<synchronization>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <response_timeout>30</response_timeout>
  <max_eps>10</max_eps>
  <integrity_interval>24h</integrity_interval>
</synchronization>

enabled

Enables periodic inventory synchronization.

Default value	yes
Allowed values	yes, no

interval

Specifies the initial time between inventory synchronizations.

Default value	5m
Allowed values	Any number greater than or equal to 0. Allowed suffixes: s, m, h, d.

response_timeout

Waiting time in seconds between a sync message and the next synchronization.

Default value	30
Allowed values	Any number between 0 and the value of `interval`.

max_eps

Sets the maximum throughput for synchronization messages.

Default value	10
Allowed values	Integer between 0 and 1,000,000. 0 disables it.

integrity_interval

Sets the time interval for periodic database integrity validation.

Default value	`24h`
Allowed values	Any non-negative integer (seconds).

scan_on_start

The SCA module will perform the scan immediately when started.

Default value	yes
Allowed values	yes, no

interval

The interval between module executions.

Default value	12h
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months)

The interval option is conditioned by the following described options day, wday and time. If none of these options are set, the interval can take any allowed value.

day

Day of the month to run the scan.

Default value	n/a
Allowed values	Day of the month [1..31]

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to run the scan. This option is not compatible with the day option.

Default value	n/a
Allowed values	Day of the week: sunday/sun monday/mon tuesday/tue wednesday/wed thursday/thu friday/fri saturday/sat

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to run the scan. It has to be represented in the format hh:mm.

Default value	n/a
Allowed values	Time of day [hh:mm]

Note

When only the time option is set, the interval value must be a multiple of days or weeks. By default, the interval is set to a day.

Configuration example

<sca>
  <enabled>yes</enabled>
  <scan_on_start>yes</scan_on_start>
  <time>04:00</time>
  <skip_nfs>yes</skip_nfs>
  <!-- Maximum output throughput -->
  <max_eps>50</max_eps>

  <policies>
    <policy>etc/shared/cis_debian10.yml</policy>
    <policy enabled="no">ruleset/sca/cis_debian9.yml</policy>
    <policy>/my/custom/policy/path/my_policy.yaml</policy>
  </policies>

  <!-- Database synchronization settings -->
  <synchronization>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <response_timeout>30</response_timeout>
    <max_eps>10</max_eps>
    <integrity_interval>24h</integrity_interval>
  </synchronization>
</sca>

rule_test

Here is how to configure the Wazuh-Logtest solution. It allows to test rules and decoders from Wazuh API and wazuh-logtest tool

Options

enabled
threads
max_sessions
session_timeout

enabled

Enables the module.

Default value	yes
Allowed values	yes/no

threads

Number of Wazuh-Logtest solution threads.

Default value	1
Allowed values	a number between 1 and 128, or auto to create one thread per CPU

max_sessions

Max number of users connected simultaneously.

Default value	1
Allowed values	A number between 1 and 500

session_timeout

Time required to delete a session and its resources after the last user interaction.

Default value	15m
Allowed values	A number to represent seconds, to represent suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours). The max value is 365 days

Default configuration

<rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
</rule_test>

ruleset

Configuration options for enabling or disabling rules and decoders.

Options

rule_include
rule_dir
rule_exclude
decoder_include
decoder_dir
decoder_exclude
list

rule_include

Load a single rule file.

Default value	n/a
Allowed values	Path and filename of rule to load

rule_dir

Load a directory of rules. The files will be loaded in alphabetical order, and any duplicate filenames will be skipped.

Default value	ruleset/rules
Allowed values	Path to a directory of rule files.

rule_exclude

Exclude a single rule file.

Default value	n/a
Allowed values	Path and filename of rule to exclude

decoder_include

Load a single decoder file.

Default value	n/a
Allowed values	Path and filename of decoder to load

decoder_dir

Load a directory of decoders. The files will be loaded in alphabetical order and any duplicate filenames will be skipped.

Default value	ruleset/decoders
Allowed values	Path to a directory of decoder files

decoder_exclude

Exclude a single decoder file.

Default value	n/a
Allowed values	Path and filename of decoder to exclude

list

Load a single CDB reference for use by other rules.

Default value	n/a
Allowed values	Path to a list file to be loaded and compiled.

Note

Do not include the file extension. Since Wazuh v3.11.0, Wazuh will build and load the CDB lists automatically when the analysis engine starts.

Example of configuration

<ruleset>
  <rule_include>ruleset/rules/my_rules.xml</rule_include>
  <rule_dir pattern="_rules.xml$">ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <decoder_include>ruleset/decoders/my_decoder.xml</decoder_include>
  <decoder_dir pattern=".xml$">ruleset/decoders</decoder_dir>
  <decoder_exclude>ruleset/decoders/my_decoder.xml</decoder_exclude>
  <list>etc/lists/blocked_hosts</list>
</ruleset>

socket

Configuration options for defining output sockets.

Options

name
location
mode
prefix

name

Name of the socket. This is a required field.

Default value	n/a
Allowed values	Any name is allowed except agent

location

Path of the socket. This is a required field.

Default value	n/a
Allowed values	Any path is allowed.

mode

UNIX socket communication protocol.

Default value	udp
Allowed values	tcp, udp

prefix

The prefix is placed before the message.

Default value	n/a
Allowed values	Any string

Example of configuration

<socket>
  <name>custom_socket</name>
  <location>/var/run/custom.sock</location>
  <mode>tcp</mode>
  <prefix>custom_syslog: </prefix>
</socket>

syscheck

Configuration options for file integrity monitoring:

alert_new_files

Specifies if FIM should alert when new files are created.

Default value	yes
Allowed values	yes, no

Example:

<alert_new_files>yes</alert_new_files>

Note

This setting is applied in the manager configuration, but it only takes effect on agents with versions lower than 3.12.

directories

List of directories to be monitored. The directories can be comma-separated or multiple lines may be entered to include multiple directories.

All files and subdirectories within the noted directories will also be monitored.

Drive letters without directories are valid. It's possible to configure them by removing the last backslash, for example D:.

This is to be set on the system to be monitored (or in the agent.conf, if appropriate).

There is a limit of 64 directories, comma-separated, that can be written in one line .

Wildcard characters (? and *) can be used to monitor paths that fulfill the given pattern. These wildcards will be reloaded every time a scheduled scan is run.

Default value

/etc,/usr/bin,/usr/sbin,/bin,/sbin

Allowed values

Any directory

Any environment variable

Attributes:

realtime	This will enable real-time/continuous monitoring on Linux (using the inotify system calls) and Windows systems. Real time only works with directories, not individual files.

	Default value	no
	Allowed values	yes, no
whodata	This will enable who-data monitoring on Linux and Windows systems.
	Default value	no
	Allowed values	yes, no
report_changes	Report file changes. This is limited to text files at this time.
	Default value	no
	Allowed values	yes, no
diff_size_limit	Limit the maximum size of the file which will report diff information with `report_changes` enabled. Files bigger than this value will not report diff information.

	Default value	50MB
	Allowed values	Any positive number followed by KB/MB/GB
check_all	It modifies the value of all attributes with the prefix `check_`.
	Default value	yes
	Allowed values	yes, no
check_sum	Check the MD5, SHA-1 and SHA-256 hashes of the files. Same as using `check_md5sum="yes"`, `check_sha1sum="yes"` and `check_sha256sum="yes"` at the same time.

	Default value	yes
	Allowed values	yes, no
check_sha1sum	Check only the SHA-1 hash of the files.
	Default value	yes
	Allowed values	yes, no
check_md5sum	Check only the MD5 hash of the files.
	Default value	yes
	Allowed values	yes, no
check_sha256sum	Check only the SHA-256 hash of the files.
	Default value	yes
	Allowed values	yes, no
check_size	Check the size of the files.
	Default value	yes
	Allowed values	yes, no
check_owner	Check the owner of the files. On Windows, uid will always be 0.
	Default value	yes
	Allowed values	yes, no
check_group	Check the group owner of the files/directories. Available for UNIX. On Windows, gid will always be 0 and the group name will be blank.

	Default value	yes
	Allowed values	yes, no
check_perm	Check the permission of the files/directories. On Windows, a list of denied and allowed permissions will be given for each user or group since version 3.8.0. Only works on NTFS partitions on Windows systems.


	Default value	yes
	Allowed values	yes, no
check_attrs	Check the attributes of the files. Available for Windows.
	Default value	yes
	Allowed values	yes, no
check_mtime	Check the modification time of a file.
	Default value	yes
	Allowed values	yes, no
check_inode	Check the file inode. Available for UNIX. On Windows, inode will always be 0.
	Default value	yes
	Allowed values	yes, no
check_device	Check the file device. Available for UNIX.
	Default value	yes
	Allowed values	yes, no
restrict	Limit checks to files containing the entered string in the file name. Any directory or file path is allowed.

	Default value	N/A
	Allowed value	sregex
tags	Add tags to alerts for monitored directories.
	Default value	N/A
	Allowed values	Tags list separated by commas
recursion_level	Limits the maximum level of recursion allowed.
	Default value	256
	Allowed values	Any integer between 0 and 320
follow_symbolic_link	The setting is available for UNIX systems and only applies when a symbolic link is set in the configuration directly. When this flag is enabled, the link is followed and its content is monitored. Otherwise, the own link is monitored.

	Default value	no
	Allowed values	yes, no

When there is a conflict between options that modify the same attribute, the last one configured overrides. For instance:

<directories check_all="no" check_sha256="yes">/etc</directories>

The configuration above, set the option check_sha256 to YES.

<directories check_sha256="yes" check_all="no">/etc</directories>

Nevertheless, the second one disables the SHA-256 hash check.

If there is a conflict between a block with wildcards and another without them, the block without wildcards will be used for the specific case. As an example:

<directories>C:\Users\*\Downloads</directories>

The above block will set the Downloads folder of all users to be monitored in scheduled mode.

<directories realtime="yes">C:\Users\vagrant\Downloads</directories>

Even though the above block is included in the previous one, C:\Users\vagrant\Downloads will be monitored in real time because it has no wildcards.

disabled

Indicates if the syscheck scan is disabled or not.

Default value	no
Allowed values	yes, no

Example:

<disabled>no</disabled>

frequency

Frequency that the syscheck will be run. Given in seconds.

Default value	43200
Allowed values	A positive number, time in seconds.

Example:

<frequency>43200</frequency>

ignore

List of files or directories to be ignored. Introduced as one entry per line. Multiple lines may be entered to include multiple files or directories. Ignored files and directories are still scanned, but the results are not reported.

Default value	The default configuration may vary depending on the operating system.
Allowed values	Any directory or file name.

Attributes:

type	This is a simple regex pattern to filter out files, so alerts are not generated.
	Allowed values	sregex

Example:

<ignore>/etc/mtab</ignore>
<ignore type="sregex">.log$|.swp$</ignore>

max_eps

Sets the maximum event reporting throughput. Events are messages that will produce an alert.

Default value	50
Allowed values	Integer number between 0 and 1000000. 0 means disabled.

Example:

<max_eps>50</max_eps>

max_files_per_second

Sets the maximum number of files scanned per second. If this option is set to 0, there will be no limit on the number of files scanned per second.

Default value	0
Allowed values	Integer positive number. 0 means no limit.

Example:

<max_files_per_second>100</max_files_per_second>

notify_first_scan

Specifies whether the first scan reports stateless events.

Default value	no
Allowed values	yes, no

Example:

<notify_first_scan>no</notify_first_scan>

process_priority

Sets the nice value for Syscheck process.

Default value	10
Allowed values	Integer number between -20 and 19.

The "niceness" scale in Linux goes from -20 to 19, whereas -20 is the highest priority and 19 the lowest priority.

For Windows the scale is translated as described in the following table:

-20 to -10	THREAD_PRIORITY_HIGHEST
-9 to -5	THREAD_PRIORITY_ABOVE_NORMAL
-4 to 0	THREAD_PRIORITY_NORMAL
1 to 5	THREAD_PRIORITY_BELOW_NORMAL
6 to 10	THREAD_PRIORITY_LOWEST
11 to 19	THREAD_PRIORITY_IDLE

Example:

<process_priority>10</process_priority>

registry_ignore

List of registry entries to be ignored. One entry per line. Multiple lines may be entered to include multiple registry entries.

Default value	The default configuration may vary depending on the operating system.
Allowed values	Any registry entry.

Attributes:

arch	Select the Registry to ignore depending on the architecture.
	Default value	32bit
	Allowed values	32bit, 64bit, both
type	This is a simple regex pattern to filter out files so alerts are not generated.
	Allowed values	sregex

Example:

<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>

scan_day

Day of the week to run the scans, one entry per line.

Default value	n/a
Allowed values	Day of the week.

Example:

<scan_day>thursday</scan_day>

scan_time

Time to run the scans. Times may be represented as 9pm or 8:30.

Default value	n/a
Allowed values	Time of day.

Example:

<scan_time>8:30</scan_time>

Note

This may delay the initialization of real-time scans.

skip_dev

Specifies if syscheck should scan the /dev directory. This option works on Linux and FreeBSD systems.

Default value	yes
Allowed values	yes, no

Example:

<skip_dev>yes</skip_dev>

skip_nfs

Specifies if syscheck should scan network mounted filesystems. This option works on Linux and FreeBSD systems. Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default value	yes
Allowed values	yes, no

Example:

<skip_nfs>yes</skip_nfs>

skip_proc

Specifies if syscheck should scan the /proc directory. This option works on Linux and FreeBSD systems.

Default value	yes
Allowed values	yes, no

Example:

<skip_proc>yes</skip_proc>

skip_sys

Specifies if syscheck should scan the /sys directory. This option works on Linux systems.

Default value	yes
Allowed values	yes, no

Example:

<skip_sys>yes</skip_sys>

file_limit

Specifies a limit on the number of files that FIM monitors. It ignores files added once the database reached the limit.

<!-- Maximum number of files to be monitored -->
<file_limit>
  <enabled>yes</enabled>
  <entries>100000</entries>
</file_limit>

enabled

Specifies if the number of monitored entries has a limit.

Default value	yes
Allowed values	yes/no

entries

Specifies the maximum number of files to monitor.

Default value	100000
Allowed values	Integer number between 1 and 2147483647.

registry_limit

Note

This section only applies to Windows agents.

Specifies a limit on the number of registry entries that FIM monitors. It ignores registry values created once the database reached the limit.

<!-- Maximum number of registries to be monitored -->
<registry_limit>
  <enabled>yes</enabled>
  <entries>100000</entries>
</registry_limit>

enabled

Specifies if the number of monitored entries has a limit.

Default value	yes
Allowed values	yes/no

entries

Specifies the maximum number of registry entries to monitor.

Default value	100000
Allowed values	Integer number between 1 and 2147483647.

synchronization

The database synchronization settings are configured inside this tag.

<!-- Database synchronization settings -->
<synchronization>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <response_timeout>60</response_timeout>
  <max_eps>10</max_eps>
  <integrity_interval>86400</integrity_interval>
</synchronization>

enabled

Specifies performing periodic inventory synchronizations.

Default value	yes
Allowed values	yes/no

interval

Specifies the initial time interval between every inventory synchronization.

Default value	5 m
Allowed values	Any number greater than or equal to 0. Allowed suffixes (s, m, h, d).

response_timeout

Waiting time in seconds since a sync message is sent or received for the next synchronization activity.

Default value	60
Allowed values	Any number between 0 and `interval`.

max_eps

Sets the maximum synchronization message throughput.

Default value	10
Allowed values	Integer number between 0 and 1000000. 0 means disabled.

integrity_interval

Defines how often the agent performs a periodic integrity validation for FIM databases. When the interval elapses, the agent calculates checksums and compares them with the manager. On mismatch, the agent triggers a recovery mechanism to resolve synchronization inconsistencies.

Default value	`86400` (24 hours)
Allowed values	Any non-negative integer (seconds).

diff

The diff settings will be configured inside this tag.

<diff>
  <disk_quota>
    <enabled>yes</enabled>
    <limit>1GB</limit>
  </disk_quota>
  <file_size>
    <enabled>yes</enabled>
    <limit>50MB</limit>
  </file_size>

  <nodiff>/etc/ssl/private.key</nodiff>
</diff>

disk_quota

This option can be used to limit the size of the queue/diff/local folder where Wazuh stores the compressed files used to perform the diff operation when report_changes is enabled. After reaching this size, alerts will not show the diff information until the size is smaller than the configured limit.

enabled

Set the disk quota limit option to enabled or disabled.

Default value	yes
Allowed values	yes/no

limit

Specifies the limit for the size of the queue/diff/local folder.

Default value	1GB
Allowed values	Any positive number followed by KB/MB/GB

file_size

This option can be used to limit the size of the file which will report diff information with report_changes enabled. Files bigger than this limit will not report diff information until the size is smaller than the configured limit again.

enabled

Set the size limit of a file to enabled or disabled.

Default value	yes
Allowed values	yes/no

limit

Specifies the limit for the size of files monitored with report_changes.

Default value	50MB
Allowed values	Any positive number followed by KB/MB/GB

nodiff

List of files to not compute the diff (one entry per line). It could be used for sensitive files like a private key, credentials stored in a file, or database configuration, avoiding data leaking by sending the file content changes through alerts.

Allowed values	Any file name.
Example	/etc/ssl/private.key

Attributes:

type	This is a simple regex pattern to filter out files so alerts are not generated.
	Allowed values	sregex

registry_nodiff

List of values to not compute the diff (one entry per line).

Allowed values	Any registry path, with value_name added.
Example	HKEY_LOCAL_MACHINE\SOFTWARE\test_key\value_name

Attributes:

type	This is a simple regex pattern to filter out files so alerts are not generated.
	Allowed values	sregex

whodata

The Whodata options will be configured inside this tag.

<!-- Whodata options -->
<whodata>
    <provider>audit</provider>
    <restart_audit>yes</restart_audit>
    <audit_key>auditkey1,auditkey2</audit_key>
    <startup_healthcheck>yes</startup_healthcheck>
    <queue_size>100000</queue_size>
</whodata>

provider

Specifies the who-data mode used by the FIM module. If the <provider> tag is not configured, the FIM module defaults to the ebpf mode. If ebpf is not supported due to kernel version incompatibility, you must configure audit mode. This option is only available for Linux endpoints.

Default value	`ebpf`
Allowed values	`ebpf`, `audit`

restart_audit

Allows the system to restart Auditd after installing the plugin. Note that by setting this field to no the new whodata rules won't be applied automatically.

Default value	yes
Allowed values	yes, no

audit_key

Sets up the FIM engine to collect the Audit events using keys with audit_key. Wazuh will include in its FIM baseline those events being monitored by Audit using audit_key. For those systems where Audit is already set to monitor folders for other purposes, Wazuh can collect events generated as a key from audit_key. This option is only available for Linux systems with Audit.

Default value	Empty
Allowed values	Any string separated by commas

Note

Audit allow inserting spaces inside the keys, so the spaces inserted inside the field <audit_key> will be part of the key.

startup_healthcheck

Allows disabling the Audit health check during the Whodata engine starting. This option is only available for Linux systems with Audit.

Default value	yes
Allowed values	yes, no

Warning

The health check ensures that the rules required by Whodata can be set in Audit correctly and also that the generated events can be obtained. Disabling the health check may cause functioning problems in Whodata and loss of FIM events.

queue_size

Sets the maximum capacity of the queue that stores the audit dispatcher events. This option applies to Linux systems with Audit.

Default value	16384
Allowed values	Any number from 10 to 1048576

Warning

If the queue fills up, some audit events may be lost. However, the next scheduled scan will generate the missing alerts without the audit information.

For more information, please read auditing who-data

windows_audit_interval

Sets the frequency in seconds with which the Windows agent checks that the Local Audit Policies and the SACLs of the directories monitored in whodata mode are correct.

Default value	300 seconds
Allowed values	Any number from 1 to 9999

Example:

<windows_audit_interval>300</windows_audit_interval>

windows_registry

List of registry entries to be monitored. One entry per line. Multiple lines may be entered to include multiple registry entries.

To scan paths matching a pattern, you can use the wildcard characters ? and *. For example HKEY_LOCAL_MACHINE\SOFTWARE\*. FIM uses these wildcards during scheduled scan.

Default value	The default configuration may vary depending on the operating system.
Allowed values	Any registry entry.

Attributes:

arch	Select the Registry view depending on the architecture.
	Default value	32bit
	Allowed values	32bit, 64bit, both
tags	Add tags to alerts for monitored registry entries.
	Allowed values	Tags list separated by commas
report_changes	Report registry value changes. This is limited to REG_SZ, REG_MULTI_SZ, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_QWORD value.

	Default value	no
	Allowed values	yes, no
diff_size_limit	Limit the maximum size of the value which will report diff information with `report_changes` enabled. Values bigger than this size will not report diff information.

	Default value	50MB
	Allowed values	Any positive number followed by KB/MB/GB
check_all	It modifies the value of all attributes with the prefix `check_`.
	Default value	yes
	Allowed values	yes, no
check_sum	Check the MD5, SHA-1 and SHA-256 hashes of the registry. Same as using `check_md5sum="yes"`, `check_sha1sum="yes"` and `check_sha256sum="yes"` at the same time.

	Default value	yes
	Allowed values	yes, no
check_sha1sum	Check only the SHA-1 hash of the registries.
	Default value	yes
	Allowed values	yes, no
check_md5sum	Check only the MD5 hash of the registries.
	Default value	yes
	Allowed values	yes, no
check_sha256sum	Check only the SHA-256 hash of the registries.
	Default value	yes
	Allowed values	yes, no
check_size	Check the size of the registries.
	Default value	yes
	Allowed values	yes, no
check_owner	Check the owner of the registries.
	Default value	yes
	Allowed values	yes, no
check_group	Check the group owner of the registries. Just gid will be checked, group name will be blank.

	Default value	yes
	Allowed values	yes, no
check_perm	Check the permission of the registries. A list of denied and allowed permissions will be given for each user or group.

	Default value	yes
	Allowed values	yes, no
check_mtime	Check the modification time of a registry.
	Default value	yes
	Allowed values	yes, no
check_type	Check the type of a value. It is used to notify changes in the values of the monitored registry. This is limited to REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_RESOURCE_LIST, REG_FULL_RESOURCE_DESCRIPTOR, REG_RESOURCE_REQUIREMENTS_LIST, REG_QWORD.


	Default value	yes
	Allowed values	yes, no
restrict_key	Limit checks to registries containing the entered sregex in the registry name. Any registry is allowed.

	Default value	N/A
	Allowed value	sregex
restrict_value	Limit checks to registry values containing the entered sregex in the value name. Any registry value is allowed.

	Default value	N/A
	Allowed value	sregex
recursion_level	Limits the maximum level of recursion allowed.
	Default value	512
	Allowed values	Any integer between 0 and 512

Example:

<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry arch="both" restrict_value="^some_value_name$">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry tags="services-registry">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry arch="both" check_sum="no">HKEY_LOCAL_MACHINE\SOFTWARE\test_key</windows_registry>
<windows_registry arch="64bit" recursion_level="3">HKEY_LOCAL_MACHINE\SYSTEM\Setup</windows_registry>

Configurations with specific registry keys take precedence over those that use wildcards. The following configuration block provides an example. The first settings line enables scanning the SOFTWARE keys of all users without checking any hashes.

<windows_registry arch="both" check_sum="no">HKEY_LOCAL_MACHINE\SOFTWARE\*</windows_registry>
<windows_registry arch="both" check_sum="yes">HKEY_LOCAL_MACHINE\SOFTWARE\TEST_KEY</windows_registry>

However, the second line does enable hash checking for TEST_KEY. This is a specific key and this setting takes precedence here.

<windows_registry arch="both" check_sum="no">HKEY_LOCAL_MACHINE\SOFTWARE\*</windows_registry>
<windows_registry arch="both" check_sum="yes">HKEY_LOCAL_MACHINE\SOFTWARE\TEST_KEY</windows_registry>

Default syscheck configuration:

<!-- File integrity monitoring -->
<syscheck>
 <disabled>no</disabled>
 <!-- Frequency that syscheck is executed default every 12 hours -->
 <frequency>43200</frequency>
 <!-- Generate alert when new file detected -->
 <alert_new_files>yes</alert_new_files>
 <!-- Don't ignore files that change more than 'frequency' times -->
 <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
 <!-- Directories to check  (perform all possible verifications) -->
 <directories>/etc,/usr/bin,/usr/sbin</directories>
 <directories>/bin,/sbin,/boot</directories>
 <!-- Files/directories to ignore -->
 <ignore>/etc/mtab</ignore>
 <ignore>/etc/hosts.deny</ignore>
 <ignore>/etc/mail/statistics</ignore>
 <ignore>/etc/random-seed</ignore>
 <ignore>/etc/random.seed</ignore>
 <ignore>/etc/adjtime</ignore>
 <ignore>/etc/httpd/logs</ignore>
 <ignore>/etc/utmpx</ignore>
 <ignore>/etc/wtmpx</ignore>
 <ignore>/etc/cups/certs</ignore>
 <ignore>/etc/dumpdates</ignore>
 <ignore>/etc/svc/volatile</ignore>
 <!-- File types to ignore -->
 <ignore type="sregex">.log$|.swp$</ignore>
 <!-- Check the file, but never compute the diff -->
 <nodiff>/etc/ssl/private.key</nodiff>
 <skip_nfs>yes</skip_nfs>
 <skip_dev>yes</skip_dev>
 <skip_proc>yes</skip_proc>
 <skip_sys>yes</skip_sys>
 <!-- Nice value for Syscheck process -->
 <process_priority>10</process_priority>
 <!-- Maximum output throughput -->
 <max_eps>50</max_eps>
 <!-- Database synchronization settings -->
 <synchronization>
   <enabled>yes</enabled>
   <interval>5m</interval>
   <max_eps>10</max_eps>
 </synchronization>
</syscheck>

<!-- File integrity monitoring -->
<syscheck>
 <disabled>no</disabled>
 <!-- Frequency that syscheck is executed default every 12 hours -->
 <frequency>43200</frequency>
 <!-- Directories to check  (perform all possible verifications) -->
 <directories>/etc,/usr/bin,/usr/sbin</directories>
 <directories>/bin,/sbin,/boot</directories>
 <!-- Files/directories to ignore -->
 <ignore>/etc/mtab</ignore>
 <ignore>/etc/hosts.deny</ignore>
 <ignore>/etc/mail/statistics</ignore>
 <ignore>/etc/random-seed</ignore>
 <ignore>/etc/random.seed</ignore>
 <ignore>/etc/adjtime</ignore>
 <ignore>/etc/httpd/logs</ignore>
 <ignore>/etc/utmpx</ignore>
 <ignore>/etc/wtmpx</ignore>
 <ignore>/etc/cups/certs</ignore>
 <ignore>/etc/dumpdates</ignore>
 <ignore>/etc/svc/volatile</ignore>
 <!-- File types to ignore -->
 <ignore type="sregex">.log$|.swp$</ignore>
 <!-- Check the file, but never compute the diff -->
 <nodiff>/etc/ssl/private.key</nodiff>
 <skip_nfs>yes</skip_nfs>
 <skip_dev>yes</skip_dev>
 <skip_proc>yes</skip_proc>
 <skip_sys>yes</skip_sys>
 <!-- Nice value for Syscheck process -->
 <process_priority>10</process_priority>
 <!-- Maximum output throughput -->
 <max_eps>50</max_eps>
 <!-- Database synchronization settings -->
 <synchronization>
   <enabled>yes</enabled>
   <interval>5m</interval>
   <max_eps>10</max_eps>
 </synchronization>
</syscheck>

<!-- File integrity monitoring -->
<syscheck>
 <disabled>no</disabled>
 <!-- Frequency that syscheck is executed default every 12 hours -->
 <frequency>43200</frequency>
 <!-- Default files to be monitored. -->
 <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
 <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
 <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
 <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
 <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
 <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>
 <!-- 32-bit programs. -->
 <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
 <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
 <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
 <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
 <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>
 <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
 <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>
 <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
 <!-- Windows registry entries to monitor. -->
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
 <!-- Windows registry entries to ignore. -->
 <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
 <registry_ignore type="sregex">\Enum$</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>
 <!-- Frequency for ACL checking (seconds) -->
 <windows_audit_interval>60</windows_audit_interval>
 <!-- Nice value for Syscheck module -->
 <process_priority>10</process_priority>
 <!-- Maximum output throughput -->
 <max_eps>50</max_eps>
 <!-- Database synchronization settings -->
 <synchronization>
   <enabled>yes</enabled>
   <interval>5m</interval>
   <max_eps>10</max_eps>
 </synchronization>
</syscheck>

<!-- File integrity monitoring -->
<syscheck>
 <disabled>no</disabled>
 <!-- Frequency that syscheck is executed default every 12 hours -->
 <frequency>43200</frequency>
 <!-- Directories to check  (perform all possible verifications) -->
 <directories>/etc,/usr/bin,/usr/sbin</directories>
 <directories>/bin,/sbin</directories>
 <!-- Files/directories to ignore -->
 <ignore>/etc/mtab</ignore>
 <ignore>/etc/hosts.deny</ignore>
 <ignore>/etc/mail/statistics</ignore>
 <ignore>/etc/random-seed</ignore>
 <ignore>/etc/random.seed</ignore>
 <ignore>/etc/adjtime</ignore>
 <ignore>/etc/httpd/logs</ignore>
 <ignore>/etc/utmpx</ignore>
 <ignore>/etc/wtmpx</ignore>
 <ignore>/etc/cups/certs</ignore>
 <ignore>/etc/dumpdates</ignore>
 <ignore>/etc/svc/volatile</ignore>
 <!-- File types to ignore -->
 <ignore type="sregex">.log$|.swp$</ignore>
 <!-- Check the file, but never compute the diff -->
 <nodiff>/etc/ssl/private.key</nodiff>
 <skip_nfs>yes</skip_nfs>
 <skip_dev>yes</skip_dev>
 <skip_proc>yes</skip_proc>
 <skip_sys>yes</skip_sys>
 <!-- Nice value for Syscheck process -->
 <process_priority>10</process_priority>
 <!-- Maximum output throughput -->
 <max_eps>50</max_eps>
 <!-- Database synchronization settings -->
 <synchronization>
   <enabled>yes</enabled>
   <interval>5m</interval>
   <max_eps>10</max_eps>
 </synchronization>
</syscheck>

syslog_output

Configuration options for sending alerts to a syslog server.

Options

server
port
level
group
rule_id
location
use_fqdn
format

server

The IP Address or hostname of the syslog server.

Default value	n/a
Allowed values	Any valid IP address

port

The port to forward alerts to.

Default value	514
Allowed values	Any valid port

level

The minimum level of the alerts to be forwarded.

Default value	n/a
Allowed values	Any level from 1 to 16

group

Rule group of the alerts to be forwarded.

Default value	n/a
Allowed values	Any valid group. Separate multiple groups with the pipe ("\|") character.

Note

Observe that all groups must be finished with a comma.

rule_id

The rule_id of the alerts to be forwarded.

Default value	n/a
Allowed values	Any valid rule_id

location

The location field refers to the origin of the alert, it could be:

syscheck
rootcheck
File path
Command or its alias
command_tag (wodle)
aws-cloudtrail
vulnerability-detector
syscollector

Default value	n/a
Allowed values	Any valid location

use_fqdn

Toggle for full or truncated hostname configured on the server. By default, ossec truncates the hostname at the first period ('.') when generating syslog messages.

Default value	no
Allowed values	yes, no

format

Format of alert output. When jsonout_output in global section is enabled, alerts are read from alerts.json instead of alerts.log for JSON format.

Default value	default
Allowed values	default
	cef	will output data in the ArcSight Common Event Format.
	splunk	will output data in a Splunk-friendly format.
	json	will output data in the JSON format that can be consumed by a variety of tools.

Example of configuration

<syslog_output>
  <server>192.168.1.3</server>
  <level>7</level>
  <format>json</format>
</syslog_output>

task-manager

The task manager module is responsible for managing all the tasks that run on the agents.

This module is only available on the manager side, on a stand-alone manager, or on a master node in a cluster configuration.

This configuration section only needs to be defined in order to change the default values.

Options

cleanup_time
task_timeout

Note

This module will always be enabled and cannot be deactivated.

cleanup_time

Maximum time that the task information will remain stored in the task database.

Default value	7d
Allowed values	A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).
Required	no

Note

The cleanup_time must be greater than or equal to the task_timeout parameter.

task_timeout

Maximum time that a task with the status "In progress" will be kept before changing its state to "Timeout".

Default value	15m
Allowed values	A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).
Required	no

Sample configuration

<task-manager>
  <cleanup_time>2d</cleanup_time>
  <task_timeout>1h</task_timeout>
</task-manager>

gcp-pubsub

This configuration section is used to configure the Google Cloud Pub/Sub module.

Note

The Wazuh GCP module supports only one gcp-pubsub section per Wazuh configuration file. To configure more than one service, you need to deploy multiple agents.

Main options

enabled

Enables or disables the module.

Default value	n/a
Allowed values	yes, no

project_id

Google Cloud project ID.

Default value	n/a
Allowed values	Any string indicating the project ID

For example <project_id>wazuh-dev</project_id>.

subscription_name

Name of the subscription to read from.

Default value	n/a
Allowed values	Any string

For example <subscription_name>wazuh-name</subscription_name>.

credentials_file

Path to the Google Cloud credentials file. It can be absolute path or relative to WAZUH_HOME.

Default value	n/a
Allowed values	Any path to a credentials file

For example, <credentials_file>wodles/gcp-pubsub/credentials.json</credentials_file>.

max_messages

Maximum number of messages pulled in each iteration. This value does not depend on the number of threads used.

Default value	100
Allowed values	Any integer

num_threads

Number of threads used to pull in each iteration. The maximum number of messages is divided between all the configured threads.

Default value	1
Allowed values	Any integer

Note

The number of threads will be truncated to the maximum allowed, depending on the number of CPU cores. The maximum value is number_of_physical_cores * 5.

logging

Deprecated since version 4.4.

This option has no effect. The module now uses the wazuh_modules.debug level to set its logging level.

Scheduling options

pull_on_start

Pull logs on Wazuh agent start or restart.

Default value	yes
Allowed values	yes, no

interval

Time interval between module executions.

Default value	1h
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months)

day

Day of the month to retrieve logs from GCP.

Default value	n/a
Allowed values	Day of the month [1..31]

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to retrieve logs from GCP. This option is not compatible with the day option.

Default value	n/a
Allowed values	Day of the week: sunday/sun monday/mon tuesday/tue wednesday/wed thursday/thu friday/fri saturday/sat

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to retrieve logs from GCP. It has to be represented in the format hh:mm. This option is compatible with day or wday options.

Default value	n/a
Allowed values	Time of day [hh:mm]

Note

When only the time option is set, the interval value must be a multiple of days or weeks. By default, the interval is set to a day.

Configuration example

Linux configuration:

<gcp-pubsub>
    <pull_on_start>yes</pull_on_start>
    <interval>1m</interval>
    <project_id>wazuh-dev</project_id>
    <subscription_name>wazuhdns</subscription_name>
    <credentials_file>wodles/gcp-pubsub/credentials.json</credentials_file>
</gcp-pubsub>

gcp-bucket

Main options

enabled

Enables or disables the module.

Default value	n/a
Allowed values	yes, no

logging

Deprecated since version 4.4.

This option has no effect. The module now uses the wazuh_modules.debug level to set its logging level.

bucket

Defines a bucket to process. It must have its type attribute defined. It supports multiple instances of this option.

<bucket type="access_logs">

</bucket>

Bucket options

Options	Allowed values	Mandatory/Optional
name	Any valid bucket name	Mandatory
credentials_file	Path to a credentials file. It can be absolute or relative to `WAZUH_HOME`	Mandatory
path	Any valid path	Optional
only_logs_after	Valid date in YYYY-MM-DD format	Optional
remove_from_bucket	A value to determine if each log file is deleted once it has been collected by the module	Optional

type (attribute)

Specifies the type of bucket.

Default value	N/A
Allowed values	access_logs

name

Name of the Google Cloud Storage bucket from which logs are read.

Default value	N/A
Allowed values	Any valid bucket name

credentials_file

Path to the Google Cloud credentials file. It can be an absolute path or relative to WAZUH_HOME.

Default value	n/a
Allowed values	Any path to a credentials file

For example <credentials_file>wodles/gcp-bucket/credentials.json</credentials_file>.

path

Bucket path or prefix.

Default value	N/A
Allowed values	Valid path

only_logs_after

Parse logs from a specific date onwards. It must follow the YYYY-MM-DD format.

Default value	Date of execution at `00:00:00`
Allowed values	Valid date [YYYY-MM-DD]

remove_from_bucket

Remove the logs from the Google Cloud Storage bucket once the module reads them.

Default value	no
Allowed values	yes, no

Scheduling options

run_on_start

Run the module on Wazuh service start or restart.

Default value	yes
Allowed values	yes, no

interval

Time interval between module executions.

Default value	1h
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months)

day

Day of the month to retrieve logs from GCP.

Default value	n/a
Allowed values	Day of the month [1..31]

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to retrieve logs from GCP. This option is not compatible with the day option.

Default value	n/a
Allowed values	Day of the week: sunday/sun monday/mon tuesday/tue wednesday/wed thursday/thu friday/fri saturday/sat

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to retrieve logs from GCP. It has to be represented in the format hh:mm. This option is compatible with day or wday options.

Default value	n/a
Allowed values	Time of day [hh:mm]

Note

When only the time option is set, the interval value must be a multiple of days or weeks. By default, the interval is set to a day.

Configuration example

Linux configuration:

<gcp-bucket>
    <run_on_start>yes</run_on_start>
    <interval>1m</interval>
    <bucket type="access_logs">
        <name>wazuh-test-bucket</name>
        <credentials_file>/var/ossec/wodles/gcloud/credentials.json</credentials_file>
        <only_logs_after>2021-JUN-01</only_logs_after>
        <path>access_logs/</path>
        <remove_from_bucket>no</remove_from_bucket>
    </bucket>
</gcp-bucket>

vulnerability-detection

This section covers the configuration for the Vulnerability detection module.

Options

Options	Allowed values
enabled	`yes`, `no`
feed-update-interval	Positive number + Time unit suffix
index-status	`yes`, `no`
offline-url	`file://</ABSOLUTE_PATH_TO/OFFLINE_CONTENT>`, `http[s]://<CONTENT_URL>`

enabled

Enables the vulnerability detection module.

Default	`yes`
Allowed values	`yes`, `no`

feed-update-interval

Time interval for periodic feed updates.

Default	`60m`
Allowed values	A positive number containing a time unit suffix character. For example `2h` for 2 hours

index-status

Enables indexing of vulnerability inventory data.

Default	`yes`
Allowed values	`yes`, `no`

offline-url

File path or URL for offline content access.

Default	Empty
Allowed values	`file://</ABSOLUTE_PATH_TO/OFFLINE_CONTENT>`, `http[s]://<CONTENT_URL>`

Where:

file://</ABSOLUTE_PATH_TO/OFFLINE_CONTENT>: File path pointing to offline content. For example, file:///path/to/the/cves.file.zip
http[s]://<CONTENT_URL>: URL starting with either http:// or https://, pointing to local network content or online content accessible via the internet.

interval

Deprecated since version 4.8.0.

run_on_start

Deprecated since version 4.8.0.

retry_interval

Deprecated since version 4.8.0.

provider

Deprecated since version 4.8.0.

Example of configuration

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
   <offline-url>file:///path/to/the/cves.file.zip</offline-url> <!-- Optional -->
</vulnerability-detection>

Note

Supported compression formats include zip, xz, and gzip. The module also accepts raw JSON content in plain text files.

wodle name="command"

Configuration options of the Command wodle.

Options

Main options

disabled
tag
command
ignore_output
timeout
verify_md5
verify_sha1
verify_sha256
skip_verification

Main options	Allowed values
disabled	yes, no
tag	A descriptive name
command	Command to be executed
ignore_output	yes, no
timeout	A positive number (seconds)
verify_md5	MD5 checksum
verify_sha1	SHA1 checksum
verify_sha256	SHA256 checksum
skip_verification	yes, no

Scheduling options

run_on_start
interval
day
wday
time

disabled

Disable the Command wodle.

Default value	no
Allowed values	yes, no

tag

Descriptive name for the command.

Default value	N/A
Allowed values	Characters set

command

Path and arguments of the command to be executed.

Default value	N/A
Allowed values	An existing command Path to a binary Path to a script

ignore_output

Ignore the command output when executed.

Default value	no
Allowed values	yes, no

timeout

Timeout for each command to wait for the end of the execution. Whether this parameter is set to 0, it will wait indefinitely for the end of the process. However, if the timeout is other than 0, the execution will finish if it expires.

Default value	n/a
Allowed values	A positive number (seconds)

verify_md5

Verify the MD5 sum of the binary or the script specified on the command option.

Default value	n/a
Allowed values	MD5 checksum

verify_sha1

Verify the SHA1 sum of the binary or the script specified on the command option.

Default value	n/a
Allowed values	SHA1 checksum

verify_sha256

Verify the SHA256 sum of the binary or the script specified on the command option.

Default value	n/a
Allowed values	SHA256 checksum

skip_verification

Run the command defined, although the checksum does not match. In this case, the agent will log that the checksum verification failed but will run the application.

Default value	no
Allowed values	yes, no

run_on_start

Run command immediately when service is started.

Default value	yes
Allowed values	yes, no

interval

Time between commands executions.

Default value	2s
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days), M (months).

day

Day of the month to run the scan.

Default value	n/a
Allowed values	Day of the month [1..31]

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to run the scan. This option is not compatible with the day option.

Default value	n/a
Allowed values	Day of the week: sunday/sun monday/mon tuesday/tue wednesday/wed thursday/thu friday/fri saturday/sat

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to run the scan. It has to be represented in the format hh:mm.

Default value	n/a
Allowed values	Time of day [hh:mm]

Note

When only the time option is set, the interval value must be a multiple of days or weeks. By default, the interval is set to a day.

Centralized configuration

You can specify remote commands in the centralized configuration. However, they are disabled by default due to security reasons.

When setting commands in a shared agent configuration, you must enable remote commands for Agent Modules.

This is enabled by adding the following line to the file etc/local_internal_options.conf in the agent:

wazuh_command.remote_commands=1

Example of configuration

<wodle name="command">
  <disabled>no</disabled>
  <tag>test</tag>
  <command>/bin/bash /root/script.sh</command>
  <interval>1d</interval>
  <ignore_output>no</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
  <verify_md5>5aada3704685dad6fd27beb58e6687de</verify_md5>
  <verify_sha1>da39a3ee5e6b4b0d3255bfef95601890afd80709</verify_sha1>
  <verify_sha256>292a188e498caea5c5fbfb0beca413c980e7a5edf40d47cf70e1dbc33e4f395e</verify_sha256>
</wodle>

wodle name="aws-s3"

After adding an aws-s3 section, it is mandatory to define at least one bucket, service or subscriber. It is possible to configure multiple buckets, services and subscribers inside the same aws-s3 section.

The options available to use inside the aws-s3 section are the following:

disabled

Disables the AWS-S3 wodle.

Default value	no
Allowed values	yes, no
Mandatory	yes

skip_on_error

When unable to process and parse a log, skip it and continue processing. If set to no, the module will abort the execution once it encounters an error.

Default value	yes
Allowed values	yes, no
Mandatory	no

run_on_start

Run the module immediately after the Wazuh service starts.

Default value	yes
Allowed values	yes, no
Mandatory	no

interval

The amount of time the module will wait for before running again.

Default value	10m
Allowed values	A positive number that must contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days), M (months).
Mandatory	no

day

Day of the month to run the scan.

Default value	N/A
Allowed values	Day of the month [1..31]
Mandatory	no

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to run the scan. This option is not compatible with the day option.

Default value	N/A
Allowed values	Day of the week: sunday/sun monday/mon tuesday/tue wednesday/wed thursday/thu friday/fri saturday/sat
Mandatory	no

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to run the scan. It has to be in the hh:mm format.

Default value	N/A
Allowed values	Time of day [hh:mm]
Mandatory	no

Note

If only the time option is set, the interval value must be a multiple of days, weeks, or months. By default, the interval is set to a day.

Buckets

It is necessary to specify the type as an attribute of the bucket tag to indicate the service configured. More information about the supported services and their associated types on AWS supported services.

<bucket type="cloudtrail">

</bucket>

The available types are: cloudtrail, guardduty, vpcflow, config, custom, cisco_umbrella, waf, alb, clb, nlb, and server_access.

Options	Allowed values	Mandatory/Optional
name	Any valid bucket name	Mandatory
aws_account_id	Comma-separated list of AWS Accounts	Optional (only works with CloudTrail buckets)
aws_account_alias	Any string	Optional
access_key	Alphanumerical key	Optional
secret_key	Alphanumerical key	Optional
aws_profile	Any string	Optional
iam_role_arn	IAM role ARN	Optional
iam_role_duration	Number of seconds between 900 and 3600	Optional (if set, it requires an iam_role_arn to be provided)
path	Prefix for S3 bucket key	Optional
path_suffix	Suffix for S3 bucket key	Optional
only_logs_after	Date (YYYY-MMM-DDD, for example 2018-AUG-21)	Optional
regions	Comma-separated list of AWS regions	Optional (only works with CloudTrail buckets)
aws_organization_id	Name of AWS organization	Optional (only works with CloudTrail buckets)
discard_regex	A regex to determine if an event must be discarded	Optional
remove_from_bucket	A value to determine if each log file is deleted once it has been collected by the module	Optional
sts_endpoint	The AWS Security Token Service VPC endpoint URL	Optional
service_endpoint	The AWS S3 endpoint URL	Optional

name

Name of the S3 bucket from where logs are read.

Default value	N/A
Allowed values	Any valid bucket name

aws_account_id

The AWS Account ID for the bucket logs. Only works with CloudTrail buckets.

Default value	All accounts
Allowed values	Comma-separated list of 12 digit AWS Account IDs

aws_account_alias

A user-friendly name for the AWS account.

Default value	N/A
Allowed values	Any string

access_key

Deprecated since version 4.4.0.

The access key ID for the IAM user with the permission to read logs from the bucket.

Default value	N/A
Allowed values	Any alphanumerical key

secret_key

Deprecated since version 4.4.0.

The secret key created for the IAM user with the permission to read logs from the bucket.

Default value	N/A
Allowed values	Any alphanumerical key

aws_profile

A valid profile name from a Shared Credential File or AWS Config File with the permission to read logs from the bucket.

Default value	N/A
Allowed values	Valid profile name

iam_role_arn

A valid role ARN with permission to read logs from the bucket.

Default value	N/A
Allowed values	Valid role ARN

iam_role_duration

A valid number of seconds that defines the duration of the session assumed when using the provided iam_role_arn.

Default value	N/A
Allowed values	Number of seconds between 900 and 3600

path

If defined, the path or prefix for the bucket.

Default value	N/A
Allowed values	Valid path

path_suffix

If defined, the suffix for the bucket. Only works with buckets that contain the folder named AWSLogs (Cloudtrail, VPC, and Macie).

Default value	N/A
Allowed values	Valid path

only_logs_after

A valid date, in YYYY-MMM-DD format. Only logs from that date onwards will be parsed.

Default value	Date of execution at `00:00:00`
Allowed values	Valid date

regions

A comma-separated list of regions to limit parsing of logs. Only works with CloudTrail buckets.

Default value	All regions
Allowed values	Comma-separated list of valid regions

aws_organization_id

Name of AWS organization. Only works with CloudTrail buckets.

Default value	N/A
Allowed values	Valid AWS organization name

discard_regex

A regular expression to determine if an event must be discarded. It requires a mandatory field attribute. If the field is present in the event log, the regex is applied to it. For example, userIdentity.principalID for the following AWS CloudTrail log example:

{
   "eventVersion": "1.09",
   "userIdentity": {
       "type": "IAMUser",
       "principalId": "EXAMPLE6E4XEGITWATV6R",
       "arn": "arn:aws:iam::123456789012:user/Mary_Major",
       "accountId": "123456789012",
       "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
       "userName": "Mary_Major",
       "sessionContext": {
           "attributes": {
               "creationDate": "2023-07-19T21:11:57Z",
               "mfaAuthenticated": "false"
           }
       }
   },
   "eventTime": "2023-07-19T21:33:41Z",
   "eventSource": "cloudtrail.amazonaws.com",
   "eventName": "StartLogging",
   "awsRegion": "us-east-1",
   "sourceIPAddress": "192.0.2.0",
   "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.start-logging",
   "requestParameters": {
       "name": "myTrail"
   },
   "responseElements": null,
   "requestID": "9d478fc1-4f10-490f-a26b-EXAMPLE0e932",
   "eventID": "eae87c48-d421-4626-94f5-EXAMPLEac994",
   "readOnly": false,
   "eventType": "AwsApiCall",
   "managementEvent": true,
   "recipientAccountId": "123456789012",
   "eventCategory": "Management",
   "tlsDetails": {
       "tlsVersion": "TLSv1.2",
       "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
       "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
   },
   "sessionCredentialFromConsole": "true"
}

Note

This log is the raw event log fetched from the AWS Bucket.

Default value	N/A
Allowed values	Any regex or sregex expression

Attributes:

field	The event field where to apply the regex
	Default value	N/A
	Allowed values	A str containing the full field name path

Usage example for the cloudtrail bucket type:

<discard_regex field="userIdentity.principalID">EXAMPLE6E4XEGITWATV6R</discard_regex>

remove_from_bucket

A value to determine if each log file is deleted once it has been collected by the module.

Default value	no
Allowed values	yes, no

sts_endpoint

The AWS Security Token Service VPC endpoint URL to be used when an IAM role is provided as the authentication method. Check the Considerations for configuration page to learn more about VPC endpoints.

Default value	N/A
Allowed values	Any valid VPC endpoint URL for STS

service_endpoint

The AWS S3 endpoint URL to be used to download the data from the bucket. Check the Considerations for configuration page to learn more about VPC and FIPS endpoints.

Default value	N/A
Allowed values	Any valid endpoint URL for S3

Services

It is necessary to specify the type as an attribute of the service tag to indicate the service configured. More information about the supported services and their associated types on AWS supported services.

<service type="cloudwatchlogs">

</service>

The available types are: cloudwatchlogs, and inspector.

Options	Allowed values	Mandatory/Optional
aws_account_id	Comma-separated list of 12 digit AWS Account IDs	Optional
aws_account_alias	Any string	Optional
aws_log_groups	Comma-separated list of valid log group names	Mandatory for CloudWatch Logs
access_key	Any alphanumerical key	Optional
secret_key	Any alphanumerical key	Optional
aws_profile	Valid profile name	Optional
discard_regex	A regex to determine if an event must be discarded	Optional
iam_role_arn	Valid role ARN	Optional
iam_role_duration	Number of seconds between 900 and 3600	Optional (if set, it requires an iam_role_arn to be provided)
only_logs_after	Valid date in YYYY-MMM-DD format	Optional
regions	Comma-separated list of valid regions	Optional
remove_log_streams	yes, no	Optional
sts_endpoint	Any valid VPC endpoint URL for STS	Optional
service_endpoint	Any valid endpoint URL for the AWS Service	Optional

aws_account_id

The AWS Account ID for accessing the service.

Default value	All accounts
Allowed values	Comma-separated list of 12 digit AWS Account IDs

aws_account_alias

A user-friendly name for the AWS account.

Default value	N/A
Allowed values	Any string

access_key

The access key ID for the IAM user with the permission to access the service.

Default value	N/A
Allowed values	Any alphanumerical key

aws_log_groups

A comma-separated list of log group names from where the logs should be extracted. This option is mandatory for CloudWatch Logs, and only works with that service.

Default value	N/A
Allowed values	Comma-separated list of valid log group names

secret_key

The secret key created for the IAM user with the permission to access the service.

Default value	N/A
Allowed values	Any alphanumerical key

aws_profile

A valid profile name from a Shared Credential File or AWS Config File with the permission to access the service.

Default value	N/A
Allowed values	Valid profile name

discard_regex

A regular expression to determine if an event must be discarded.

For inspector, it requires a mandatory field attribute which must be present in the fetched event. The regex is applied to the event field specified with this attribute.
For cloudwatchlogs, the field attribute is optional. You can omit it, for example, when monitoring Cloudwatch logs in JSON format and plain text.

Default value	N/A
Allowed values	Any regex or sregex expression

Attributes:

field	The event field where to apply the regex
	Default value	N/A
	Allowed values	A str containing the full field name path

Usage example for the inspector service type:

<discard_regex field="assetAttributes.agentId">i-instanceID</discard_regex>

Usage example only for cloudwatchlogs:

<discard_regex>.*Log:.*</discard_regex>

iam_role_arn

A valid role ARN with permission to access the service.

Default value	N/A
Allowed values	Valid role ARN

iam_role_duration

A valid number of seconds that defines the duration of the session assumed when using the provided iam_role_arn.

Default value	N/A
Allowed values	Number of seconds between 900 and 3600

only_logs_after

A valid date, in YYYY-MMM-DD format. Only logs from that date onwards will be parsed. This option is only available for the CloudWatch Logs service.

Default value	Date of execution at `00:00:00`
Allowed values	Valid date in YYYY-MMM-DD format

regions

A comma-separated list of regions to limit parsing of logs.

Default value	All regions
Allowed values	Comma-separated list of valid regions

remove_log_streams

Define whether or not to remove the log streams from the log groups after they are read by the module. Only works for CloudWatch Logs service.

Default value	no
Allowed values	yes, no

sts_endpoint

Default value	N/A
Allowed values	Any valid VPC endpoint URL for STS

service_endpoint

The endpoint URL for the required AWS Service to be used to download the data from it. Check the Considerations for configuration page to learn more about VPC and FIPS endpoints.

Default value	N/A
Allowed values	Any valid endpoint URL for the AWS Service

Subscribers

It is necessary to specify the type as an attribute of the subscriber tag to indicate the service configured. More information about the supported services and their associated types on AWS supported services.

<subscriber type="security_lake">

</subscriber>

The currently available types are:

security_lake
buckets
security_hub

Options	Allowed values	Mandatory/Optional
sqs_name	Any valid SQS name	Mandatory
iam_role_arn	Valid role ARN	Mandatory for Amazon Security Lake Subscription
external_id	Valid external ID	Mandatory for Amazon Security Lake Subscription (not available for Custom Logs Buckets and Amazon Security Hub)
aws_profile	Valid profile name	Optional
iam_role_duration	Number of seconds between 900 and 3600	Optional (if set, it requires an iam_role_arn to be provided)
discard_regex	A regex value to determine if an event must be discarded	Optional (only available for Custom Logs Buckets and Amazon Security Hub)
sts_endpoint	Any valid VPC endpoint URL for STS	Optional
service_endpoint	Any valid endpoint URL for S3	Optional

sqs_name

Name of the SQS from where notifications are pulled.

Default value	N/A
Allowed values	Any valid SQS name

external_id

External ID to use when assuming the role.

Default value	N/A
Allowed values	Valid external ID

iam_role_arn

A valid role ARN with permission to access the service.

Default value	N/A
Allowed values	Valid role ARN

iam_role_duration

A valid number of seconds that defines the duration of the session assumed when using the provided iam_role_arn.

Default value	N/A
Allowed values	Number of seconds between 900 and 3600

aws_profile

A valid profile name from a Shared Credential File or AWS Config File with the permission to access the service.

Default value	N/A
Allowed values	Valid profile name

discard_regex

A regular expression to determine if an event must be discarded. JSON and CSV logs require a mandatory field attribute. If the field is present in the event log, the regex is applied to it. For example, userIdentity.principalID for the following AWS CloudTrail log example:

{
   "eventVersion": "1.09",
   "userIdentity": {
       "type": "IAMUser",
       "principalId": "EXAMPLE6E4XEGITWATV6R",
       "arn": "arn:aws:iam::123456789012:user/Mary_Major",
       "accountId": "123456789012",
       "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
       "userName": "Mary_Major",
       "sessionContext": {
           "attributes": {
               "creationDate": "2023-07-19T21:11:57Z",
               "mfaAuthenticated": "false"
           }
       }
   },
   "eventTime": "2023-07-19T21:33:41Z",
   "eventSource": "cloudtrail.amazonaws.com",
   "eventName": "StartLogging",
   "awsRegion": "us-east-1",
   "sourceIPAddress": "192.0.2.0",
   "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.start-logging",
   "requestParameters": {
       "name": "myTrail"
   },
   "responseElements": null,
   "requestID": "9d478fc1-4f10-490f-a26b-EXAMPLE0e932",
   "eventID": "eae87c48-d421-4626-94f5-EXAMPLEac994",
   "readOnly": false,
   "eventType": "AwsApiCall",
   "managementEvent": true,
   "recipientAccountId": "123456789012",
   "eventCategory": "Management",
   "tlsDetails": {
       "tlsVersion": "TLSv1.2",
       "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
       "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
   },
   "sessionCredentialFromConsole": "true"
}

Note

This log is the raw event log fetched from the AWS Bucket.

Default value	N/A
Allowed values	Any regex or sregex expression

Attributes:

field	The event field where to apply the regex
	Default value	N/A
	Allowed values	A str containing the full field name path

Usage example for Cloudtrail fetched events:

<discard_regex field="userIdentity.principalID">EXAMPLE6E4XEGITWATV6R</discard_regex>

Usage example only for plain text logs:

<discard_regex>.*Log:.*</discard_regex>

sts_endpoint

Default value	N/A
Allowed values	Any valid VPC endpoint URL for STS

service_endpoint

The AWS S3 endpoint URL to be used to download the data from the bucket. Check the Considerations for configuration page to learn more about VPC and FIPS endpoints.

Default value	N/A
Allowed values	Any valid endpoint URL for S3

Example of configuration

<wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>10m</interval>
    <run_on_start>no</run_on_start>
    <skip_on_error>no</skip_on_error>
    <bucket type="cloudtrail">
        <name>s3-dev-bucket</name>
        <aws_profile>default</aws_profile>
        <only_logs_after>2018-JUN-01</only_logs_after>
        <regions>us-east-1,us-west-1,eu-central-1</regions>
        <path>/dev1/</path>
        <aws_account_id>123456789012</aws_account_id>
        <aws_account_alias>dev1-account</aws_account_alias>
        <discard_regex field="userIdentity.userName">john.doe</discard_regex>
        <remove_from_bucket>yes<remove_from_bucket>
    </bucket>
    <bucket type="cloudtrail">
        <name>s3-dev-bucket</name>
        <aws_profile>default</aws_profile>
        <only_logs_after>2018-JUN-01</only_logs_after>
        <regions>us-east-1,us-west-1,eu-central-1</regions>
        <path>/dev2/</path>
        <aws_account_id>112233445566</aws_account_id>
        <aws_account_alias>dev2-account</aws_account_alias>
        <discard_regex field="userIdentity.userName">john.smith</discard_regex>
        <service_endpoint>https://bucket.xxxxxx.s3.us-east-2.vpce.amazonaws.com</service_endpoint>
    </bucket>
    <bucket type="custom">
        <name>s3-stage-bucket</name>
        <aws_profile>stage-creds</aws_profile>
        <aws_account_id>111222333444</aws_account_id>
        <aws_account_alias>stage-account</aws_account_alias>
        <discard_regex field="detail.check-item-detail.Status">Green</discard_regex>
    </bucket>
    <bucket type="custom">
        <name>s3-prod-bucket</name>
        <iam_role_arn>arn:aws:iam::010203040506:role/ROLE_SVC_Log-Parser</iam_role_arn>
        <iam_role_duration>1300</iam_role_duration>
        <aws_account_id>11112222333</aws_account_id>
        <aws_account_alias>prod-account</aws_account_alias>
        <discard_regex field="detail.status">OK</discard_regex>
        <remove_from_bucket>yes<remove_from_bucket>
    </bucket>
    <service type="cloudwatchlogs">
        <aws_profile>default</aws_profile>
        <aws_log_groups>log_group1,log_group2</aws_log_groups>
        <only_logs_after>2018-JUN-01</only_logs_after>
        <regions>us-east-1,us-west-1,eu-central-1</regions>
        <discard_regex>.*Log Hostname1:.*</discard_regex>
    </service>
    <subscriber type="security_lake">
      <sqs_name>sqs-security-lake-main-queue</sqs_name>
      <external_id>wazuh-external-id-value</external_id>
      <iam_role_arn>arn:aws:iam::010203040506:role/ASL-Role</iam_role_arn>
    </subscriber>
    <subscriber type="buckets">
      <sqs_name>sqs-custom-logs-queue</sqs_name>
      <aws_profile>dev</aws_profile>
    </subscriber>
    <subscriber type="security_hub">
      <sqs_name>sqs-custom-logs-queue</sqs_name>
      <aws_profile>dev</aws_profile>
    </subscriber>
</wodle>

wodle name="syscollector"

Configuration options of the Syscollector wodle for system inventory.

Options

disabled
interval
scan_on_start
hardware
os
network
packages
ports
hotfixes
users
groups
services
browser_extensions
synchronization

Options	Allowed values
disabled	yes, no
interval	A positive number (seconds)
scan_on_start	yes, no
hardware	yes, no
os	yes, no
network	yes, no
packages	yes, no
ports	yes, no
processes	yes, no
hotfixes	yes, no
users	yes, no
groups	yes, no
services	yes, no
browser_extensions	yes, no

disabled

Disable the Syscollector wodle.

Default value	no
Allowed values	yes, no

interval

Time between system scans.

Default value	1h
Allowed values	A positive number with a suffix character for the time unit. Use `s` for seconds, `m` for minutes, `h` for hours, and `d` for days. If the configured value is lower than 60 seconds, it automatically adjusts it to 60 seconds.

scan_on_start

Run a system scan immediately when the service is started.

Default value	yes
Allowed values	yes, no

hardware

Enables the hardware scan.

Default value	yes
Allowed values	yes, no

os

Enables the OS scan.

Default value	yes
Allowed values	yes, no

network

Enables the network scan.

Default value	yes
Allowed values	yes, no

packages

Enables the scan of the packages.

Default value	yes
Allowed values	yes, no

ports

Enables the ports scan.

Default value	yes
Allowed values	yes, no

With option all='no' it will only scan listening ports.

Options	Allowed values
all	yes, no

processes

Enables the scan of the processes.

Default value	yes
Allowed values	yes, no

hotfixes

Enables the hotfixes scan. It reports the Windows updates installed.

Default value	yes
Allowed values	yes, no

Note

This option is enabled by default but not included in the initial configuration.

users

Enables the user account information scan

Default value	yes
Allowed values	yes, no

groups

Enables the user account groups scan

Default value	yes
Allowed values	yes, no

services

Enables the services scan

Default value	yes
Allowed values	yes, no

browser_extensions

Enables the browser extensions scan

Default value	yes
Allowed values	yes, no

synchronization

The database synchronization settings are configured inside this tag.

<wodle name="syscollector">
  <synchronization>
    <max_eps>10</max_eps>
    <integrity_interval>24h</integrity_interval>
  </synchronization>
</wodle>

max_eps

Sets the maximum event reporting throughput.

Default value	10
Allowed values	Integer number between 0 and 1000000. 0 means default value.

integrity_interval

Sets the time interval for periodic database integrity validation.

Default value	`24h`
Allowed values	Any non-negative integer (seconds).

Example of configuration

<!-- System inventory -->
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>
  <users>yes</users>
  <groups>yes</groups>
  <services>yes</services>
  <browser_extensions>yes</browser_extensions>

  <!-- Database synchronization settings -->
  <synchronization>
    <max_eps>10</max_eps>
    <integrity_interval>24h</integrity_interval>
  </synchronization>
</wodle>

wazuh-db

Configuration options for the wazuh-db daemon.

Options

backup

backup

Configuration block to define the wazuh-db databases backup behavior.

Allowed tags	database	Defines the database to backup.
		Allowed values	global
Allowed values	enabled	Enables the regular backup of this particular database.
		Default value	yes
		Allowed values	yes, no
	interval	How often the backup is created.
		Default value	1d
		Allowed values	A positive number that should contain a suffix character indicating a time unit: s (seconds), m (minutes), h (hours) or d (days).
	max_files	The maximum number of simultaneous backups to store before deleting the oldest ones.
		Default value	3
		Allowed values	A positive number.

Example of configuration

The following configuration will generate a backup of the global.db every day, with a maximum of 3 simultaneous files

<wdb>
    <backup database='global'>
        <enabled>yes</enabled>
        <interval>1d</interval>
        <max_files>3</max_files>
    </backup>
</wdb>

wodle name="docker-listener"

Configuration options of the Docker wodle.

Options

Main options

attempts
disabled

Main options	Allowed values
attempts	A positive number
disabled	yes, no

Scheduling options

run_on_start
interval
day
wday
time

attempts

Number of attempts to execute the wodle.

Default value	5
Allowed values	A positive number

disabled

Disable the Docker wodle.

Default value	no
Allowed values	yes, no

run_on_start

Run command immediately when service is started.

Default value	yes
Allowed values	yes, no

interval

Waiting time to rerun the wodle in case it fails.

Default value	1m
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days), M (months).

day

Day of the month to run the scan.

Default value	n/a
Allowed values	Day of the month [1..31]

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to run the scan. This option is not compatible with the day option.

Default value	n/a
Allowed values	Day of the week: sunday/sun monday/mon tuesday/tue wednesday/wed thursday/thu friday/fri saturday/sat

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to run the scan. It has to be represented in the format hh:mm.

Default value	n/a
Allowed values	Time of day [hh:mm]

Note

When only the time option is set, the interval value must be a multiple of days or weeks. By default, the interval is set to a day.

Example of configuration

<wodle name="docker-listener">
    <interval>10m</interval>
    <attempts>5</attempts>
    <run_on_start>no</run_on_start>
    <disabled>no</disabled>
</wodle>

wodle name="azure-logs"

Configuration options of the Azure-Logs wodle.

Options

Options	Allowed values
disabled	yes, no
interval	A positive number + suffix
run_on_start	yes, no
day	A day of the month
wday	A day of the week
time	A time of the day [hh:mm]
timeout	A positive number (seconds)
log_analytics	N/A
log_analytics\application_id	Any string
log_analytics\application_key	Any string
log_analytics\auth_path	File path
log_analytics\tenantdomain	Any string
log_analytics\request	N/A
log_analytics\request\tag	Any string
log_analytics\request\query	Any string without double quotes
log_analytics\request\workspace	Any string
log_analytics\request\timeout	A positive number (seconds)
log_analytics\request\time_offset	A positive number + suffix
graph	N/A
graph\application_id	Any string
graph\application_key	Any string
graph\auth_path	File path
graph\tenantdomain	Any string
graph\request	N/A
graph\request\tag	Any string
graph\request\query	Any string
graph\request\timeout	A positive number (seconds)
graph\request\time_offset	A positive number + suffix
storage	N/A
storage\account_name	Any string
storage\account_key	Any string
storage\auth_path	File path
storage\tag	Any string
storage\container	N/A
storage\container name	Any string
storage\container\blobs	Extension
storage\container\content_type	text, json_file or json_inline
storage\container\timeout	A positive number (seconds)
storage\container\time_offset	A positive number + suffix
storage\container\path	Any string

disabled

Disables the Azure-Logs wodle.

Default value	no
Allowed values	yes, no

interval

The interval between Azure-Logs executions.

Default value	1d
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months)

The interval option is conditioned by the following described options day, wday and time. If none of these options are set, the interval can take any allowed value.

run_on_start

Run evaluation immediately when the service is started.

Default value	yes
Allowed values	yes, no

day

Day of the month to run the Azure-Logs.

Default value	n/a
Allowed values	Day of the month [1..31]

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to run the Azure-Logs. This option is not compatible with the day option.

Default value	n/a
Allowed values	Day of the week: sunday/sun monday/mon tuesday/tue wednesday/wed thursday/thu friday/fri saturday/sat

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to run the Azure-Logs. It has to be represented in the format hh:mm.

Default value	n/a
Allowed values	Time of day [hh:mm]

Note

When only the time option is set, the interval value must be a multiple of days or weeks. By default, the interval is set to a day.

timeout

Timeout for each evaluation. In case the execution takes longer than the specified timeout, it stops.

Default value	0
Allowed values	A positive number (seconds)

log_analytics

Defines the use of the Azure Log Analytics REST API to get the desired logs.

This block configures the integration with Azure Log Analytics REST API.

log_analytics\application_id
log_analytics\application_key
log_analytics\auth_path
log_analytics\tenantdomain
log_analytics\request

Options	Allowed values
log_analytics\application_id	Any string
log_analytics\application_key	Any string
log_analytics\auth_path	File path
log_analytics\tenantdomain	Any string
log_analytics\request	N/A

log_analytics\application_id

Identifier of the application that we will use for the authentication and to be able to use the Azure Log Analytics API. It must be used next to the application_key option obligatorily. Incompatible with auth_path option.

Default value	N/A
Allowed values	Any string

log_analytics\application_key

Key to the application we will use for authentication and to be able to use the Azure Log Analytics API. It must be used next to the application_id option obligatorily. Incompatible with auth_path option.

Default value	N/A
Allowed values	Any string

log_analytics\auth_path

Path of the file that contains the application identifier and the application key for authentication in order to use the Azure Log Analytics API. Incompatible with application_id and application_key options.

Default value	N/A
Allowed values	File path

File example:

application_id = 8b7...c14
application_key = w22...91x

log_analytics\tenantdomain

A tenant is simply a dedicated instance of Microsoft Entra ID (ME-ID). The Azure Log Analytics API uses the Microsoft Entra ID authentication scheme.

Default value	N/A
Allowed values	Any String

log_analytics\request

This option includes all the other options needed to make a query. We can have more than one request entry.

request options

Options	Allowed values
log_analytics\request\tag	Any string
log_analytics\request\query	Any string without double quotes
log_analytics\request\workspace	Any string
log_analytics\request\timeout	A positive number (seconds)
log_analytics\request\time_offset	A positive number + suffix

log_analytics\request\tag

Defines a tag that we will add to the query. This entry is optional and can be used to facilitate searches for events that are tagged or to create custom rules.

Default value	N/A
Allowed values	Any String

log_analytics\request\query

This is the query made to the Azure Log Analytics API. This option is compatible with any valid query accepted by the Log Analytics portal, as long as it does not contains double quotes ("). If you need to use double quotes, you must replace them with single ones (') or escape them by using the backslash character (\").

Here are some examples of valid queries:

AuditLogs | where OperationVersion contains '1'
AuditLogs | where OperationVersion contains \"1\"

For more information on Log Analytics query's language, check the Azure documentation.

Default value	N/A
Allowed values	Any String without double quotes

log_analytics\request\workspace

Defines the workspace where we will perform the queries.

Default value	N/A
Allowed values	Any String

log_analytics\request\timeout

Timeout for each request evaluation. This option overwrites the general timeout option. In case the execution takes longer than the specified timeout, it stops.

Default value	0
Allowed values	A positive number (seconds)

log_analytics\request\time_offset

This option sets the time delay in which we will perform the query. For example, if we establish this option with the value "1d", the integration will perform the query on the events that have been generated in the interval of time defined between the current date of the system minus one day (1d) and the current date of the system.

Default value	Date of execution at `00:00:00`
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, m (minutes), h (hours), d (days)

Example of log_analytics configuration

<wodle name="azure-logs">

    <disabled>no</disabled>
    <day>15</day>
    <time>02:00</time>
    <run_on_start>yes</run_on_start>

    <log_analytics>

        <auth_path>/var/ossec/wodles/credentials/log_analytics_credentials</auth_path>
        <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>

        <request>
            <tag>azure-activity</tag>
            <query>AzureActivity | where SubscriptionId == 2d7...61d </query>
            <workspace>d6b...efa</workspace>
            <time_offset>36h</time_offset>
        </request>

    </log_analytics>

</wodle>

graph

This block configures the integration with Azure Active Directory Graph REST API.

graph\application_id
graph\application_key
graph\auth_path
graph\tenantdomain
graph\request

Options	Allowed values
graph\application_id	Any string
graph\application_key	Any string
graph\auth_path	File path
graph\tenantdomain	Any string
graph\request	N/A

graph\application_id

Identifier of the application that we will use for the authentication and to be able to use the Azure Active Directory Graph API. It must be used next to the application_key option obligatorily. Incompatible with auth_path option.

Default value	N/A
Allowed values	Any string

graph\application_key

Key to the application we will use for authentication and to be able to use the Azure Active Directory Graph API. It must be used next to the application_id option obligatorily. Incompatible with auth_path option.

Default value	N/A
Allowed values	Any string

graph\auth_path

Path of the file that contains the application identifier and the application key for authentication in order to use the Azure Active Directory Graph API. Incompatible with the application_id and application_key options. Check the credentials reference for more information about this topic.

Default value	N/A
Allowed values	File path

graph\tenantdomain

A tenant is simply a dedicated instance of Microsoft Entra ID (ME-ID) because it uses the Microsoft Entra ID authentication scheme.

Default value	N/A
Allowed values	Any String

graph\request

This option includes all the other options needed to make a query. We can have more than one request entry.

request options

Options	Allowed values
graph\request\tag	Any string
graph\request\query	Any string containing `auditLogs/directoryaudits`, `auditLogs/signIns` or `auditLogs/provisioning` plus any optional query parameter
graph\request\timeout	A positive number (seconds)
graph\request\time_offset	A positive number + suffix

graph\request\tag

Defines a tag that we will add to the query. This entry is optional and can be used to facilitate searches for events that are tagged or to create custom rules.

Default value	N/A
Allowed values	Any String

graph\request\query

The query used to obtain the logs from the Microsoft Graph API. The query value must be auditLogs/directoryaudits, auditLogs/signIns, or auditLogs/provisioning in conjunction with the desired optional parameters and filters available for these report types. Check this Microsoft Activity reports reference page to learn more about how the activity reports work and the available query parameters for each one.

Default value	N/A
Allowed values	Any string containing `auditLogs/directoryaudits`, `auditLogs/signIns` or `auditLogs/provisioning` plus any optional query parameter

graph\request\timeout

Timeout for each request evaluation. This option overwrites the general timeout option. In case the execution takes longer than the specified timeout, it stops.

Default value	0
Allowed values	A positive number (seconds)

graph\request\time_offset

This option sets the time-lapse that the query will request. For example, if this option is set to the value "1d", the integration will request the events generated in the interval of time defined between the current system's date minus one day (1d) and the current system's date.

Default value	Date of execution at `00:00:00`
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, m (minutes), h (hours), d (days)

Example of graph configuration

<wodle name="azure-logs">

    <disabled>no</disabled>
    <wday>Friday</wday>
    <time>12:00</time>
    <run_on_start>no</run_on_start>
    <timeout>1800</timeout>

    <graph>

        <auth_path>/var/ossec/wodles/credentials/graph_credentials</auth_path>
        <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>

        <request>
            <tag>microsoft-entra_id</tag>
            <query>activities/audit?api-version=beta</query>
            <time_offset>1d</time_offset>
        </request>

    </graph>

</wodle>

storage

This block configures the integration with Azure Storage.

storage\account_name
storage\account_key
storage\auth_path
storage\tag
storage\container

Options	Allowed values
storage\account_name	Any string
storage\account_key	Any string
storage\auth_path	File path
storage\tag	Any string
storage\container	N/A

storage\account_name

Identifier of the account name that we will use for the authentication- It must be used next to the account_key option obligatorily. Incompatible with auth_path option.

Default value	N/A
Allowed values	Any string

storage\account_key

Identifier of the account key that we will use for the authentication- It must be used next to the account_name option obligatorily. Incompatible with auth_path option.

Default value	N/A
Allowed values	Any string

storage\auth_path

Path of the file that contains the account name and the account key for authentication. Incompatible with account_name and account_key options.

Default value	N/A
Allowed values	File path

storage\tag

Defines a tag that we will add to the query. This entry is optional and can be used to facilitate searches for events that are tagged or to create custom rules.

Default value	N/A
Allowed values	Any String

storage\container

Options	Allowed values
storage\container name	Any string
storage\container\blobs	Extension
storage\container\content_type	text, json_file or json_inline
storage\container\timeout	A positive number (seconds)
storage\container\time_offset	A positive number + suffix
storage\container\path	Any string

storage\container name

Specifies the name of the container. Enter * to access all account containers.

Default value	N/A
Allowed values	Any String/"*"

storage\container\blobs

Specifies the extension of the blobs like .json. Enter * to access all the containers blobs.

Note

This option is related to option content_type, because if any blob has a different content to the one we have indicated, it will not be read correctly. Therefore, we need to be aware of what content we are trying to obtain and take it into consideration when using this option with "*".

Default value	*
Allowed values	Extension/"*"

storage\container\content_type

This parameter indicates the format of the blobs' content. The available values are:

text. Plain text. Each line is a log.
json_file. The blob contains records of logs in standard json format.
json_inline. Each line is a log in json format.

The format of logs stored in Azure accounts is inline JSON.

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

Default value	json_inline
Allowed values	text/json_file/json_inline

storage\container\timeout

Timeout for each request evaluation. This option overwrites the general timeout option. In case the execution takes longer than the specified timeout, it stops.

Default value	0
Allowed values	A positive number (seconds)

storage\container\time_offset

Default value	Date of execution at `00:00:00`
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, m (minutes), h (hours), d (days)

storage\container\path

Defines, for the container, a path to search for logs. If it isn't present, the module retrieves all the blobs starting from the root level.

Default value	N/A
Allowed values	Valid path

Example of storage configuration

<wodle name="azure-logs">

    <disabled>no</disabled>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>

    <storage>

        <auth_path>/var/ossec/wodles/credentials/storage_credentials</auth_path>
        <tag>azure-activity</tag>

        <container name="insights-operational-logs">
            <blobs>.json</blobs>
            <content_type>json_inline</content_type>
            <time_offset>24h</time_offset>
            <path>info-logs</path>
        </container>

        <container name="audit-logs"/>

    </storage>
</wodle>

Example of all integration

<wodle name="azure-logs">

    <disabled>no</disabled>
    <day>15</day>
    <time>02:00</time>
    <run_on_start>yes</run_on_start>

    <log_analytics>

        <auth_path>/var/ossec/wodles/credentials/log_analytics_credentials</auth_path>
        <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>

        <request>
            <tag>azure-activity</tag>
            <query>AzureActivity | where SubscriptionId == 2d7...61d </query>
            <workspace>d6b...efa</workspace>
            <time_offset>36h</time_offset>
        </request>

    </log_analytics>

    <graph>

        <auth_path>/var/ossec/wodles/credentials/graph_credentials</auth_path>
        <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>

        <request>
            <tag>microsoft-entra_id</tag>
            <query>activities/audit?api-version=beta</query>
            <timeout>7200</timeout>
            <time_offset>1d</time_offset>
        </request>

    </graph>

    <storage>

        <auth_path>/var/ossec/wodles/credentials/storage_credentials</auth_path>
        <tag>azure-activity</tag>

        <container name="insights-operational-logs">
            <blobs>.json</blobs>
            <content_type>json_inline</content_type>
            <time_offset>24h</time_offset>
            <path>info-logs</path>
        </container>

        <container name="audit-logs"/>

    </storage>
</wodle>

wodle name="agent-key-polling"

Deprecated since version 4.4.0.

Note

The agent-key-polling wodle is deprecated in favor of the agent key request feature. Although this configuration block is still usable, we highly recommend to use the agent key request dedicated block in auth.

Configuration options of the key polling wodle.

Options

enabled
timeout
exec_path
socket
threads
queue_size
force_insert

Options	Allowed values
enabled	yes, no
timeout	A positive number (seconds)
exec_path	Full path to executable
socket	Full path to Unix socket
threads	A positive number
queue_size	A positive number
force_insert	yes, no

enabled

Enable the key polling wodle.

Default value	yes
Allowed values	yes, no

timeout

Maximum time for waiting a response from the executable.

Default value	60
Allowed values	A positive number in seconds

exec_path

Full path to the executable.

Default value	none
Allowed values	A string indicating the full path

socket

Full path to the Unix domain socket.

Default value	none
Allowed values	A string indicating the full path to a Unix domain socket

threads

Number of threads for polling external keys.

Default value	1
Allowed values	A positive number indicating the number of threads [1..32]

queue_size

Indicates the maximum size of the queue for polling external keys.

Default value	1024
Allowed values	A positive number indicating the queue size [1..220000]

force_insert

Defines whether the module must insert the agent, even if another agent with the same ID or IP address already exists. If enabled, the existing agent will be removed.

Default value	yes
Allowed values	yes, no

Example of configuration

<wodle name="agent-key-polling">
  <enabled>yes</enabled>
  <timeout>60</timeout>
  <exec_path>/usr/bin/python /home/script.py</exec_path>
  <threads>1</threads>
  <queue_size>1024</queue_size>
  <force_insert>yes</force_insert>
</wodle>

Verifying configuration

Configuration section	command
Syscheck/Rootcheck	/var/ossec/bin/wazuh-syscheckd -t
local files	/var/ossec/bin/wazuh-logcollector -t
Wodles	/var/ossec/bin/wazuh-modulesd -t
global/rules/decoders (manager only)	/var/ossec/bin/wazuh-analysisd -t
Client (agent only)	/var/ossec/bin/wazuh-agentd -t

Centralized configuration (agent.conf)

Introduction

Agents can be configured remotely by using the agent.conf file. The following capabilities can be configured remotely:

File Integrity monitoring (syscheck)
Rootkit detection (rootcheck)
Log data collection (localfile)
Remote commands (wodle name="command")
Labels for agent alerts (labels)
Security Configuration Assessment (sca)
System inventory (syscollector)
Avoid events flooding (client_buffer)

Note

When setting up remote commands in the shared agent configuration, you must enable remote commands for Agent Modules. This is enabled by adding the following line to the /var/ossec/etc/local_internal_options.conf file in the agent:

wazuh_command.remote_commands=1

Agent groups

Agents can be grouped together in order to send them a unique centralized configuration that is group specific. Each agent can belong to more than one group, and unless otherwise configured, all agents belong to a group called default.

Note

Check the agent_groups manual to learn how to add groups and assign agents to them.

The manager pushes all files included in the group folder to the agents belonging to this group. For example, all files in /var/ossec/etc/shared/default will be pushed to all agents belonging to the default group.

In case an agent is assigned to multiple groups, all the files contained in each group folder will be merged into one, and subsequently sent to the agents, being the last one the group with the highest priority.

The file ar.conf (Active Response status) will always be sent to agents even if it is not present in the group folder.

The agent will store the shared files in /var/ossec/etc/shared, not in a group folder.

Below are the files that would be found in this folder on an agent assigned to the debian group. Notice that these files are pushed to the agent from the manager /var/ossec/etc/shared/debian folder.

Manager

Agent (Group: 'debian')

/var/ossec/etc/shared/
├── ar.conf
├── debian
│   ├── agent.conf
│   ├── cis_debian_linux_rcl.txt
│   ├── cis_rhel6_linux_rcl.txt
│   ├── cis_rhel7_linux_rcl.txt
│   ├── cis_rhel_linux_rcl.txt
│   ├── cis_sles12_linux_rcl.txt
│   ├── custom_rootcheck.txt
│   ├── debian_ports_check.txt
│   ├── debian_test_files.txt
│   └── merged.mg
└── default
    ├── agent.conf
    ├── cis_debian_linux_rcl.txt
    ├── cis_rhel6_linux_rcl.txt
    ├── cis_rhel7_linux_rcl.txt
    ├── cis_rhel_linux_rcl.txt
    ├── cis_sles12_linux_rcl.txt
    └── merged.mg

/var/ossec/etc/shared/
├── ar.conf
├── agent.conf
├── cis_debian_linux_rcl.txt
├── cis_rhel6_linux_rcl.txt
├── cis_rhel7_linux_rcl.txt
├── cis_rhel_linux_rcl.txt
├── cis_sles12_linux_rcl.txt
├── custom_rootcheck.txt
├── debian_ports_check.txt
├── debian_test_files.txt
└── merged.mg

The proper syntax of agent.conf is shown below along with the process for pushing the configuration from the manager to the agent.

agent.conf

The agent.conf is only valid on server installations.

The agent.conf may exist in each group folder at /var/ossec/etc/shared.

For example, for the group1 group, it is in /var/ossec/etc/shared/group1. Each of these files should be readable by the wazuh user.

Options

name	Assigns the block to agents with specific names.
	Allowed values	Any regular expression that matches the agent name.
os	Assigns the block to agents on specific operating systems.
	Allowed values	Any regular expression that matches the agent OS information.
profile	Assigns the block to agents with specific profiles as defined in client configuration.
	Allowed values	Any regular expression that matches the agent profile.

Example

<agent_config name=”^agent01|^agent02”>
...
<agent_config os="^Linux">
...
<agent_config profile="^UnixHost">

To get the agent name and operating system information, you can run the agent_control utility.

agent_control -i <AGENT_ID>

Where <AGENT_ID> corresponds to the agent ID of the endpoint.

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: agent01
   IP address: any
   Status:     Active

   Operating system:    Linux |centos9 |5.14.0-391.el9.x86_64 |#1 SMP PREEMPT_DYNAMIC Tue Nov 28 20:35:49 UTC 2023 |x86_64
   Client version:      Wazuh v4.12.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    cb5dc59d195320bb20b6039a519a8c0e
   Last keep alive:     1755529825

   Syscheck last started at:  Mon Aug 18 15:03:05 2025
   Syscheck last ended at:    Mon Aug 18 15:03:07 2025

Centralized configuration process

Creating and validating the configuration

Create or edit the configuration file in the group directory.

Use a temporary filename such as agent.conf.tmp during editing to prevent the manager from distributing an incomplete or invalid configuration. For example, run these commands for the default group.
```
# touch /var/ossec/etc/shared/default/agent.conf.tmp
# chown wazuh:wazuh /var/ossec/etc/shared/default/agent.conf.tmp
# chmod 660 /var/ossec/etc/shared/default/agent.conf.tmp
```

Define one or more configuration blocks. Use filters such as name, os, and profile to target specific agents:

<agent_config name="agent_name">
    <localfile>
        <location>/var/log/my.log</location>
        <log_format>syslog</log_format>
    </localfile>
</agent_config>

<agent_config os="Linux">
    <localfile>
        <location>/var/log/linux.log</location>
        <log_format>syslog</log_format>
    </localfile>
</agent_config>

<agent_config profile="database">
    <localfile>
        <location>/var/log/database.log</location>
        <log_format>syslog</log_format>
    </localfile>
</agent_config>

Note

The profile option uses values defined in the config-profile setting of the <client> configuration.

Use the verify-agent-conf tool to validate the temporary configuration before making it active. For example:
```
# /var/ossec/bin/verify-agent-conf -f /var/ossec/etc/shared/default/agent.conf.tmp
```
Fix any issues before continuing.

Rename the validated file to make it active. For example:

# mv /var/ossec/etc/shared/default/agent.conf.tmp /var/ossec/etc/shared/default/agent.conf

The manager will automatically detect the new configuration and distribute it to all agents in the group.

Note

Restarting the manager helps distribute the new agent.conf file to the agents more quickly.

Confirming that the configuration was applied

Agents automatically reload the configuration after receiving it. The agent maintains its connection to the manager, since the agentd daemon is not restarted.

With every agent keepalive (10 seconds default), the agent sends the checksum of its merge.md file to the manager. If the checksums differ, the manager pushes the updated file to the agent. The agent applies the new configuration immediately after receiving it. No manual restart is required, regardless of the auto_restart setting.

If the configuration is successfully applied, the agent log includes entries similar to the following:

2025/07/11 08:42:24 wazuh-agentd: INFO: Agent is reloading due to shared configuration changes.
2025/07/11 08:42:34 wazuh-agentd: INFO: SIGNAL [(30)-(User defined signal 1: 30)] Received. Reload agentd.
2025/07/11 08:42:34 wazuh-agentd: INFO: Buffer agent.conf updated, enable: 1 size: 30000
2025/07/11 08:42:34 wazuh-agentd: INFO: Client buffer resized from 20000 to 30000 elements.

Use the Wazuh server API endpoint GET /agents or the agent_groups tool to check the synchronization status of the group configuration on the agent. For example, for agent ID 001:

Wazuh server API

# curl -k -X GET "https://localhost:55000/agents?agents_list=001&select=group_config_status&pretty=true" -H  "Authorization: Bearer $TOKEN"

{
   "data": {
      "affected_items": [
         {
            "group_config_status": "synced",
            "id": "001"
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All selected agents information was returned",
   "error": 0
}

agent_groups tool

# /var/ossec/bin/agent_groups -S -i 001

Agent '001' is synchronized.

Precedence

It's important to understand which configuration file takes precedence between ossec.conf and agent.conf when the central configuration is used. When this configuration is utilized, the local and the shared configuration are merged, however, the ossec.conf file is read before the shared agent.conf and the last configuration of any setting will overwrite the previous. Also, if a file path for a particular setting is set in both of the configuration files, both paths will be included in the final configuration.

For example:

Let's say we have this configuration in the ossec.conf file:

<sca>
  <enabled>no</enabled>
  <scan_on_start>yes</scan_on_start>
  <interval>12h</interval>
  <skip_nfs>yes</skip_nfs>

  <policies>
    <policy>system_audit_rcl.yml</policy>
    <policy>system_audit_ssh.yml</policy>
    <policy>system_audit_pw.yml</policy>
  </policies>
</sca>

and this configuration in the agent.conf file.

<sca>
  <enabled>yes</enabled>

  <policies>
    <policy>cis_debian_linux_rcl.yml</policy>
  </policies>
</sca>

The final configuration will enable the Security Configuration Assessment module. In addition, it will add the cis_debian_linux_rcl.yml to the list of scanned policies. In other words, the configuration located at agent.conf will overwrite the one of the ossec.conf.

How to ignore shared configuration

Whether for any reason you don't want to apply the shared configuration in a specific agent, it can be disabled by adding the following line to the /var/ossec/etc/local_internal_options.conf file in that agent:

agent.remote_conf=0

Download configuration files from remote location

The Wazuh manager can download configuration files such as merged.mg and other files to be merged for selected groups.

To use this feature, we need to put a yaml file named files.yml under the directory /var/ossec/etc/shared/. When the manager starts, it will read and parse the file.

The files.yml has the following structure as shown in the following example:

groups:
    my_group_1:
        files:
            agent.conf: https://example.com/agent.conf
            rootcheck.txt: https://example.com/rootcheck.txt
            merged.mg: https://example.com/merged.mg
        poll: 15

    my_group_2:
        files:
            agent.conf: https://example.com/agent.conf
        poll: 200

The groups block defines the group name from which to download the files.

If the group doesn't exist, it will be created.

If a file has the name merged.mg, only this file will be downloaded. Then it will be validated.

The poll label indicates the download rate in seconds of the specified files.

This configuration can be changed on the fly. The manager will reload the file and parse it again so there is no need to restart the manager every time.

The information about the parsing is shown on the /var/ossec/logs/ossec.log file. For example:

Parsing is successful:

INFO: Successfully parsed of yaml file: /etc/shared/files.yml

File has been changed:

INFO: File '/etc/shared/files.yml' changed. Reloading data

Parsing failed due to bad token:

INFO: Parsing file '/etc/shared/files.yml': unexpected identifier: 'group'

Download of file failed:

ERROR: Failed to download file from url: https://example.com/merged.mg

Downloaded merged.mg file is corrupted or not valid:

ERROR: The downloaded file '/var/download/merged.mg' is corrupted.

Internal configuration

The main configuration is located in the ossec.conf file, however some internal configuration features are located in the /var/ossec/etc/internal_options.conf file.

Generally, this file is reserved for debugging issues and for troubleshooting. Any error in this file may cause your installation to malfunction or fail to run.

Warning

This file will be overwritten during upgrades. In order to maintain custom changes, you must use the /var/ossec/etc/local_internal_options.conf file.

Agent

agent.tolerance	Description	Number of seconds the agent is full before triggering a flooding alert.
	Default value	15
	Allowed value	Any integer between 0 and 600.
agent.warn_level	Description	Percentage of occupied capacity in agent buffer to trigger a warning alert.
	Default value	90
	Allowed value	Any integer between 1 and 100.
agent.normal_level	Description	Percentage of occupied capacity in agent buffer to return to normal state.
	Default value	70
	Allowed value	Any integer between 0 and agent.warn_level - 1.
agent.min_eps	Description	Minimum events per second permitted in `<client_buffer>` configuration.
	Default value	50
	Allowed value	Any integer between 1 and 1000.
agent.recv_timeout	Description	Maximum number of seconds to wait for server response from the TCP client socket.
	Default value	60
	Allowed value	Any integer between 1 and 600.
agent.state_interval	Description	The interval between the updates of the agent status file in seconds.
	Default value	5
	Allowed values	0: Disable status file
	Allowed values	Any other integer between 1 and 86400
agent.debug	Description	Run the Unix agent processes in debug mode.
	Default value	0
	Allowed value	0: No debug output.
		1: Standard debug output.
		2: Verbose debug output.
agent.remote_conf	Description	Apply or refuse remote configuration.
	Default value	1
	Allowed value	0: Remote configuration is disabled.
	Allowed value	1: Remote configuration is enabled.

Analysisd

analysisd.default_timeframe	Description	Default rule time-frame.
	Default value	360
	Allowed value	Any integer between 60 and 360.
analysisd.stats_maxdiff	Description	Stats maximum diff.
	Default value	999000
	Allowed value	Any integer between 10 and 999999.
analysisd.stats_mindiff	Description	Stats minimum diff.
	Default value	1250
	Allowed value	Any integer between 10 and 999999.
analysisd.stats_percent_diff	Description	Stats percentage (how much to differ from average).
	Default value	150
	Allowed value	Any integer between 5 and 9999.
analysisd.fts_list_size	Description	FTS list size.
	Default value	32
	Allowed value	Any integer between 12 and 512.
analysisd.fts_min_size_for_str	Description	FTS minimum string size.
	Default value	14
	Allowed value	Any integer between 6 and 128.
analysisd.log_fw	Description	Toggles firewall log on and off (at logs/firewall/firewall.log).
	Default value	1
	Allowed value	0, 1
analysisd.decoder_order_size	Description	Maximum number of fields in a decoder (order tag).
	Default value	256
	Allowed value	Any integer between 32 and 1024.
analysisd.geoip_jsonout	Description	Toggle to turn on or off the output of GeoIP data in JSON alerts.
	Default value	0
	Allowed value	0, 1
analysisd.label_cache_maxage	Description	Number of in seconds without reloading labels in cache from agents.
	Default value	10
	Allowed value	Any integer between 0 and 60.
analysisd.show_hidden_labels	Description	Make hidden labels visible in alerts.
	Default value	0
	Allowed value	0, 1
analysisd.rlimit_nofile	Description	Maximum number of file descriptors that Analysisd can open.
	Default value	458752
	Allowed value	Any integer between 1024 and 1048576.
analysisd.debug	Description	Debug level (manager installations).
	Default value	0
	Allowed value	0: No debug output.
		1: Standard debug output.
		2: Verbose debug output.
analysisd.min_rotate_interval	Description	Minimum interval between log rotations. Supersedes max_output_size option.
	Default value	600
	Allowed value	Any integer between 10 and 86400.
analysisd.event_threads	Description	Number of event decoder threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.syscheck_threads	Description	Number of syscheck event decoder threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.syscollector_threads	Description	Number of Syscollector event decoder threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.rootcheck_threads	Description	Number of Rootcheck event decoder threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.sca_threads	Description	Number of SCA event decoder threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.hostinfo_threads	Description	Number of hostinfo event decoder threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.rule_matching_threads	Description	Number of rule matching threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.dbsync_threads	Description	Number of database synchronization dispatcher threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.winevt_threads	Description	Number of Windows event decoder threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.decode_event_queue_size	Description	Sets the decode event queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.decode_syscheck_queue_size	Description	Sets the decode Syscheck queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.decode_syscollector_queue_size	Description	Sets the decode Syscollector queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.decode_rootcheck_queue_size	Description	Sets the decode Rootcheck queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.decode_sca_queue_size	Description	Sets the decode SCA queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.decode_hostinfo_queue_size	Description	Sets the decode hostinfo queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.decode_output_queue_size	Description	Sets the decode output queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.decode_winevt_queue_size	Description	Sets the Windows event decode queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.archives_queue_size	Description	Sets the archives log queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.statistical_queue_size	Description	Sets the statistical log queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.alerts_queue_size	Description	Sets the alerts log queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.firewall_queue_size	Description	Sets the firewall log queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.fts_queue_size	Description	Sets the fts log queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.dbsync_queue_size	Description	Sets the database synchronization message queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.upgrade_queue_size	Description	Sets the upgrade message queue size.
	Default value	16384
	Allowed value	Any integer between 128 and 2000000.
analysisd.state_interval	Description	Sets the Analysisd interval for updating the state file in seconds.
	Default value	5
	Allowed value	Any integer between 0 and 86400.

Authd

authd.debug	Description	Debug level.
	Default value	0
	Allowed value	0: No debug output
		1: Standard debug output
		2: Verbose debug output
auth.timeout_seconds	Description	Network timeout to automatically close connections (second part).
	Default value	1
	Allowed value	Any integer between 1 and 2147483647.
auth.timeout_microseconds	Description	Network timeout to automatically close connections (microsecond part).
	Default value	0
	Allowed value	Any integer between 0 and 999999.

DBD

dbd.reconnect_attempts	Description	Number of times wazuh-dbd will attempt to reconnect to the database.
	Default value	10
	Allowed value	Any integer between 1 and 9999.

Execd

execd.request_timeout	Description	Timeout in seconds to execute remote requests.
	Default Value	60
	Allowed Value	Any integer between 1 and 3600.
execd.max_restart_lock	Description	Maximum timeout that the agent cannot restart while updating.
	Default Value	600
	Allowed Value	Any integer between 0 and 3600.
execd.debug	Description	Debug level
	Default value	0
	Allowed value	0: No debug output
		1: Standard debug output
		2: Verbose debug output

Integrator

integrator.debug	Description	Debug level.
	Default value	0
	Allowed value	0: No debug output
		1: Standard debug output
		2: Verbose debug output

Logcollector

logcollector.loop_timeout	Description	File polling interval.
	Default value	2
	Allowed value	Any integer between 1 and 120
logcollector.open_attempts	Description	Number of attempts to open a log file. The value 0 means that the number of attempts is infinite.
	Default value	8
	Allowed value	Any integer between 0 and 998
logcollector.remote_commands	Description	Toggles Logcollector to accept remote commands from the manager or not.
	Default value	0
	Allowed value	0: Disable remote commands
	Allowed value	1: Enable remote commands
logcollector.vcheck_files	Description	File checking interval, in seconds.
	Default value	64
	Allowed value	Any integer between 0 and 1024
logcollector.max_lines	Description	Maximum number of logs read from the same file in each iteration.
	Default value	10000
	Allowed value	Any integer between 100 and 100000
logcollector.sample_log_length	Description	Sample log length limit for errors about large input logs.
	Default value	64
	Allowed value	Any integer between 1 and 4096
logcollector.debug	Description	Debug level (used in manager or Unix agent installations)
	Default value	0
	Allowed value	0: No debug output
		1: Standard debug output
		2: Verbose debug output
logcollector.input_threads	Description	Number of input threads reading files
	Default value	4
	Allowed value	Any integer between 1 and 128
logcollector.queue_size	Description	Queue size for each type of socket
	Default value	1024
	Allowed value	Any integer between 128 and 220000
logcollector.max_files	Description	Maximum number of files to be monitored
	Default value	1000
	Allowed value	Any integer between 1 and 100000
logcollector.sock_fail_time	Description	Time to reattempt a socket connection after a failure, in seconds.
	Default value	300
	Allowed value	Any integer between 1 and 3600
logcollector.rlimit_nofile	Description	Maximum number of file descriptors that Logcollector can open. This value must be greater than or equal to (logcollector.max_files + 100).
	Default value	1100
	Allowed value	Any integer between 1024 and 1048576.
logcollector.force_reload	Description	Force file handler reloading: close and reopen monitored files.
	Default value	0
	Allowed value	0: Disabled
	Allowed value	1: Enabled
logcollector.reload_interval	Description	File reloading interval, in seconds. This parameter only applies if `logcollector.force_reload` is set to `1`.
	Default value	64
	Allowed value	Any integer between 1 and 86400.
logcollector.reload_delay	Description	File reloading delay (between close and open), in milliseconds. This parameter only applies if `logcollector.force_reload` is set to `1`.
	Default value	1000
	Allowed value	Any integer between 0 and 30000.
logcollector.exclude_files_interval	Description	Excluded files refresh interval, in seconds
	Default value	86400
	Allowed value	Any integer between 1 and 172800
logcollector.state_interval	Description	Statistics generation interval, in seconds
	Default value	60
	Allowed values	0: Disable statistics file generation. Statistics information will continue to be available through the API
	Allowed values	Any other integer between 1 and 3600.
logcollector.ip_update_interval	Description	IP update interval, in seconds. This specifies how often the system IP is obtained when the out_format option is used.
	Default value	60
	Allowed values	0: Disable. Host IP address collection is disabled. The agent doesn't periodically obtain the system IP address.
	Allowed values	Any other integer between 1 and 3600. Warning: Systems with extensive routing tables can suffer from high CPU usage.

Maild

maild.strict_checking	Description	Toggle to enable or disable strict checking.
	Default value	1
	Allowed value	0, 1
maild.grouping	Description	Toggle to enable or disable grouping of alerts into a single email.
	Default value	1
	Allowed value	0, 1
maild.full_subject	Description	Toggle to enable or disable full subject in alert emails.
	Default value	0
	Allowed value	0, 1
maild.geoip	Description	Toggle to enable or disable GeoIP data in alert emails.
	Default value	1
	Allowed value	0, 1

Monitord

monitord.day_wait	Description	Number of seconds to wait before compressing or signing the files.
	Default value	10
	Allowed value	Any integer between 0 and 600.
monitord.compress	Description	Toggle to enable or disable log file compression.
	Default value	1
	Allowed value	0, 1
monitord.sign	Description	Toggle to enable or disable signing the log files.
	Default value	1
	Allowed value	0, 1
monitord.monitor_agents	Description	Toggle to enable or disable monitoring of agents.
	Default value	1
	Allowed value	0, 1
monitord.rotate_log	Description	Toggle to enable or disable daily rotation of internal logs.
	Default value	1
	Allowed value	0, 1
monitord.keep_log_days	Description	Number of days to keep rotated internal logs.
	Default value	31
	Allowed value	Any integer between 0 and 500.
monitord.size_rotate	Description	Maximum size in Megabytes of internal logs to trigger rotation.
	Default value	512
	Allowed value	Any integer between 0 and 4096.
monitord.daily_rotations	Description	Maximum number of rotations per day for internal logs.
	Default value	12
	Allowed value	Any integer between 1 and 256.
monitord.debug	Description	Debug level
	Default value	0
	Allowed value	0: No debug output
		1: Standard debug output
		2: Verbose debug output
monitord.delete_old_agents	Description	Number of minutes before deleting an old disconnected agent. This is a time-lapse after the agent is considered as disconnected because of the disconnection time.
	Default value	0
	Allowed value	Any integer between 0 and 9600.

Remoted

remoted.recv_counter_flush	Description	Flush rate for the receive counter.
	Default value	128
	Allowed value	Any integer between 10 and 999999.
remoted.comp_average_printout	Description	Compression averages printout.
	Default value	19999
	Allowed value	Any integer between 10 and 999999.
remoted.verify_msg_id	Description	Toggle to enable or disable verification of msg id. This setting doesn't work with multiple threads (worker_pool > 1).
	Default value	0
	Allowed value	0, 1
remoted.pass_empty_keyfile	Description	Toggle to enable or disable acceptance of empty client.keys.
	Default value	1
	Allowed value	0, 1
remoted.sender_pool	Description	Number of parallel threads to send the shared file.
	Default Value	8
	Allowed Value	Any integer between 1 and 64.
remoted.request_pool	Description	Limit of parallel threads to dispatch requests.
	Default Value	1024
	Allowed Value	Any integer between 1 and 4096.
remoted.request_timeout	Description	Time (in seconds) the remote request listener rejects a new request.
	Default Value	10
	Allowed Value	Any integer between 1 and 600.
remoted.response_timeout	Description	Time (in seconds) the remote request listener rejects a request response.
	Default Value	60
	Allowed Value	Any integer between 1 and 3600.
remoted.request_rto_sec	Description	Re-transmission timeout in seconds for UDP.
	Default Value	1
	Allowed Value	Any integer between 0 and 60.
remoted.request_rto_msec	Description	Re-transmission timeout in milliseconds for UDP.
	Default Value	0
	Allowed Value	Any integer between 0 and 999.
remoted.max_attempts	Description	Maximum number of sending attempts.
	Default Value	4
	Allowed Value	Any integer between 1 and 16.
remoted.merge_shared	Description	Merge shared configuration to be broadcast to agents.
	Default Value	1 (Enabled)
	Allowed Value	1 (Enabled), 0 (Disabled)
remoted.disk_storage	Description	Store the temporary shared configuration file on disk.
	Default Value	0 (No, store in memory)
	Allowed Value	1 (Yes, store on disk), 0 (No, store in memory)
remoted.shared_reload	Description	Number of seconds between reloading of shared files.
	Default Value	10
	Allowed Value	Any integer between 1 and 18000.
remoted.rlimit_nofile	Description	Maximum number of file descriptors that Remoted can open.
	Default value	16384
	Allowed value	Any integer between 1024 and 1048576.
remoted.recv_timeout	Description	Maximum number of seconds to wait for client response in TCP.
	Default value	1
	Allowed value	Any integer between 1 and 60.
remoted.debug	Description	Debug level (manager installation)
	Default value	0
	Allowed value	0: No debug output.
		1: Standard debug output.
		2: Verbose debug output.
remoted.keyupdate_interval	Description	Keys file reloading latency (seconds)
	Default value	10
	Allowed value	Any integer between 1 and 3600
remoted.worker_pool	Description	Number of threads that process the payload reception
	Default value	4
	Allowed value	Any integer between 1 and 16
remoted.state_interval	Description	Interval between the updates of the status file in seconds.
	Default value	5
	Allowed values	0: Disable status file
	Allowed values	Any other integer between 1 and 86400
remoted.guess_agent_group	Description	Toggle to enable or disable the guessing of the group to which the agent belongs when registering it again. Note Since version 4.4.0, in a cluster architecture, this setting only applies to the master node.
	Default value	0
	Allowed values	0, 1
remoted.receive_chunk	Description	Reception buffer size for TCP (bytes). Amount of data that Remoted can receive per operation.
	Default value	4096
	Allowed value	Any other integer between 1024 and 16384. Powers of two are suggested.
remoted.send_chunk	Description	Send buffer size for TCP (bytes). Amount of data that Remoted can send per operation.
	Default value	4096
	Allowed value	Any other integer between 512 and 16384. Powers of two are suggested.
remoted.send_buffer_size	Description	Send queue size for TCP (bytes). Amount of data that Remoted can queue to send (one queue per agent).
	Default value	131072
	Allowed value	Any other integer between 65536 and 1048576. Powers of two are suggested.
remoted.ctrl_msg_queue_size	Description	Maximum number of control messages that can be queued for processing. When the queue reaches this limit, backpressure is applied to prevent memory exhaustion.
	Default value	16384
	Allowed value	Any integer between 1024 and 1048576.
remoted.send_timeout_to_retry	Description	Maximum number of seconds to wait before retrying to queue a packet to send in TCP.
	Default value	1
	Allowed value	Any integer between 1 and 60.
remoted.buffer_relax	Description	Method for memory deallocation after accepting input data. This option applies in TCP mode only.
	Default value	1
	Allowed values	0: Keep the memory for each TCP session.
		1: Shrink memory back to `receive_chunk`.
		2: Fully deallocate memory after usage.
remoted.tcp_keepidle	Description	Time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes.
	Default value	30
	Allowed value	Any integer between 1 and 7200.
remoted.tcp_keepintvl	Description	The time (in seconds) between individual keepalive probes.
	Default value	10
	Allowed value	Any integer between 1 and 100.
remoted.tcp_keepcnt	Description	Maximum number of keepalive probes TCP should send before dropping the connection.
	Default value	3
	Allowed value	Any integer between 1 and 50.

Syscheck

syscheck.rt_delay	Description	Time in milliseconds for delay between alerts in real-time.
	Default value	10
	Allowed value	Any integer between 1 and 1000
syscheck.max_fd_win_rt	Description	Maximum numbers of directories can be configured in ossec.conf for Windows in realtime and whodata mode.
	Default value	256
	Allowed value	Any integer between 1 and 1024
syscheck.max_audit_entries	Description	Maximum number of directories monitored for who-data on Linux.
	Default value	256
	Allowed value	Any integer between 1 and 4096
syscheck.default_max_depth	Description	Maximum level of recursion allowed while reading directories.
	Default value	256
	Allowed value	Any integer between 1 and 320
syscheck.symlink_scan_interval	Description	Check interval of the symbolic links configured in the directories section.
	Default value	600
	Allowed value	Any integer between 1 and 2592000
syscheck.file_max_size	Description	Maximum file size for calculating integrity hashes (in mebibytes).
	Default value	1024
	Allowed value	0: Unlimited
	Allowed value	Any integer between 0 and 4095
syscheck.debug	Description	Debug level (used in manager and Unix agent installations).
	Default value	0
	Allowed value	0: No debug output
		1: Standard debug output
		2: Verbose debug output

Rootcheck

rootcheck.sleep	Description	Number of milliseconds to sleep after reading one PID or suspicious port.
	Default value	50
	Allowed values	Any integer between 0 and 1000.

Security Configuration Assessment

sca.request_db_interval	Description	In case of integrity fail, this is the maximum interval (minutes) to resend the scan information to the manager.
	Default value	5
	Allowed values	Any integer between 1 and 60.
sca.remote_commands	Description	Enable the execution of commands in policy files received from the manager (Files in etc/shared).
	Default value	0
	Allowed values	1 (enabled) or 0 (disabled).
sca.commands_timeout	Description	Timeout for the commands execution.
	Default value	30 (seconds)
	Allowed values	Any integer between 1 and 300.

Vulnerability Detection

vulnerability-detection.translation_lru_size	Description	LRU cache size assigned for package translation process (in number of elements).
	Default value	2048
	Allowed values	Any integer between 1 and 100000
vulnerability-detection.osdata_lru_size	Description	LRU cache size assigned for agents' OS data (in number of elements).
	Default value	1000
	Allowed values	Any integer between 1 and 100000
vulnerability-detection.remediation_lru_size	Description	LRU cache size assigned for vulnerability remediation (in number of elements).
	Default value	2048
	Allowed values	Any integer between 1 and 100000

Wazuh

wazuh.thread_stack_size	Description	Stack size assigned for child threads created in Wazuh (in KiB).
	Default value	8192
	Allowed values	Any integer between 2048 and 65536

Wazuh Clusterd

wazuh_clusterd.debug	Description	Debug level.
	Default value	0
	Allowed value	0: No debug output.
		1: Standard debug output.
		2: Verbose debug output.

Wazuh Database

The Wazuh Database Synchronization Module starts automatically on the server and local profiles and requires no configuration, however, some optional settings are available.

The module uses inotify from Linux to monitor changes to every log file in real-time. Databases will be updated as soon as possible when a change is detected. If inotify is not supported, (for example, on operating systems other than Linux) every log file will be scanned continuously, looking for changes, with a default delay of one minute between scans.

How to disable the module

To disable the Wazuh Database Synchronization Module, the sync directives must be set to 0 in the etc/local_internal_options.conf file as shown below:

wazuh_database.sync_agents=0

Once these settings have been adjusted, the file must be saved followed by a restart of Wazuh. With the above settings, the Database Synchronization Module will not be loaded when Wazuh starts.

wazuh_database.sync_agents	Description	Toggles synchronization of agent database with client.keys on or off.
	Default value	1
	Allowed value	0, 1
wazuh_database.real_time	Description	Toggles synchronization of data in real-time (supported on Linux only) on and off.
	Default value	1
	Allowed value	0, 1
wazuh_database.interval	Description	Interval to sleep between cycles. (Only used if real time sync is disabled).
	Default value	60
	Allowed value	Any integer between 0 and 86400 (seconds).
wazuh_database.max_queued_events	Description	Maximum number of queued events (only used if inotify is available).
	Default value	0 (use system default value).
	Allowed value	Any integer between 0 and 2147483647.

Wazuh Modules

wazuh_modules.task_nice	Description	Indicates the priority of the tasks. The lower the value, the higher the priority.
	Default value	10
	Allowed value	Any integer between -20 and 19.
wazuh_modules.rlimit_nofile	Description	Maximum number of file descriptor that Wazuh modules can open.
	Default value	8192
	Allowed value	Any integer between 1024 and 1048576
wazuh_modules.max_eps	Description	Maximum number of events per second sent by all Wazuh Module.
	Default value	100
	Allowed value	Any integer between 1 and 1000
wazuh_modules.kill_timeout	Description	Time for a process to quit before being killed during Modulesd exiting, in seconds.
	Default value	10
	Allowed value	0: Kill immediately
	Allowed value	Any integer between 1 and 3600
wazuh_modules.debug	Description	Debug level.
	Default value	0
	Allowed value	0: No debug output.
		1: Standard debug output.
		2: Verbose debug output.

Wazuh Command

wazuh_command.remote_commands	Description	Toggles whether Command Module should accept commands defined in the shared configuration or not.
	Default value	0
	Allowed value	0: Disable remote commands.
	Allowed value	1: Enable remote commands.

Wazuh-db

wazuh_db.worker_pool_size	Description	Number of worker threads
	Default value	8
	Allowed value	Any integer between 1 and 32
wazuh_db.open_db_limit	Description	Maximum number of allowed open databases before closing
	Default value	64
	Allowed value	Any integer between 1 and 4096
wazuh_db.rlimit_nofile	Description	Maximum number of file descriptors that Wazuh-DB can open.
	Default value	65536
	Allowed value	Any integer between 1024 and 1048576.
wazuh_db.commit_time_min	Description	Minimum time margin before committing.
	Default value	10
	Allowed value	Any integer between 1 and 3600.
wazuh_db.commit_time_max	Description	Maximum time margin before committing.
	Default value	60
	Allowed value	Any integer between 1 and 3600.
wazuh_db.max_fragmentation	Description	Maximum fragmentation allowed for a database.
	Default value	90
	Allowed value	Any integer between 0 and 100.
wazuh_db.fragmentation_threshold	Description	Indicates the allowed fragmentation threshold.
	Default value	75
	Allowed value	Any integer between 0 and 100.
wazuh_db.fragmentation_delta	Description	Indicates the allowed fragmentation difference between the last time the vacuum was performed and the current measurement.
	Default value	5
	Allowed value	Any integer between 0 and 100.
wazuh_db.free_pages_percentage	Description	Indicates the minimum percentage of free pages present in a database that can trigger a vacuum.
	Default value	0
	Allowed value	Any integer between 0 and 99.
wazuh_db.check_fragmentation_interval	Description	Interval for database fragmentation check, in seconds.
	Default value	7200
	Allowed value	Any integer between 1 and 30758400.
wazuh_db.debug	Description	Debug level
	Default value	0
	Allowed value	0: No debug output
		1: Standard debug output
		2: Verbose debug output

Wazuh-download

wazuh_download.enabled	Description	Enable download module
	Default value	1
	Allowed value	0: Disable download module.
	Allowed value	1: Enable download module.

Windows

windows.debug	Description	Debug level (used in windows agent installations).
	Default value	0
	Allowed value	0: No debug output.
		1: Standard debug output.
		2: Verbose debug output.

Daemons

Daemons	Descriptions	Supported installations
wazuh-agentd	Client side daemon that communicates with the server.	agent
wazuh-analysisd	Receives log messages and compares them to the rules	manager
wazuh-authd	Adds agents to the Wazuh manager	manager
wazuh-execd	Executes active responses	manager, agent
wazuh-logcollector	Monitors configured files and commands for new log messages	manager, agent
wazuh-monitord	Monitors agent connectivity and compresses log files	manager
wazuh-remoted	Communicates with agents	manager
wazuh-syscheckd	Checks configured files for security changes	manager, agent
wazuh-clusterd	Manages the Wazuh cluster manager	manager
wazuh-modulesd	Manages the Wazuh modules	manager, agent
wazuh-db	Manages the Wazuh database	manager

wazuh-agentd

The wazuh-agentd program is the client-side daemon that communicates with the server. It runs as user wazuh.

-c <config>	Run using <config> as the configuration file.
	Default value	/var/ossec/etc/ossec.conf
-d	Run in debug mode. This option may be repeated to increase the verbosity of the debug messages.
-f	Run in the foreground.
-g <group>	Run as a group.
-h	Display the help message.
-t	Test configuration.
-u <user>	Run as a specific user.
	Default value	wazuh
-V	Display the version and license information

wazuh-analysisd

The wazuh-analysisd program receives the log messages and compares them to the rules. It then creates an alert when a log message matches an applicable rule.

-c <config>	Run using <config> as the configuration file.
-D <dir>	Chroot to <dir>.
-d	Run in debug mode. This option may be repeated to increase the verbosity of the debug messages.
-f	Run in the foreground.
-g <group>	Run as a group.
-h	Display the help message.
-t	Test configuration.
-u	Run as a specific user.
-V	Display the version and license information.

Daemon multithreaded internal structure

How this works

The socket receives the message and sends it to the respective decoder queue. They can be one of the following:
1. Syscheck event decoder queue.
2. Syscollector event decoder queue.
3. Rootcheck event decoder queue.
4. Hostinfo event decoder queue.
5. Event decoder queue.
6. Windows event decoder queue.
If the selected queue is full, the event is dropped.
Each decoder thread:
1. Takes out the event from it's queue.
2. Cleans the event.
3. Decodes the event.
4. Sends the event to the rule matching queue.
Each rule matching thread:
1. Takes the event from the queue.
2. Runs rule matching.
3. If the event is a firewall event, it is sent to the firewall queue.
4. If the event has statistical flag, it is sent to the statistical queue.
5. If the event has the FTS flag, it is sent to the FTS queue.
6. If an alert is generated, it is sent to the alert queue.
7. If logall is activated, the event is sent to the archives queue.
Each writer thread:
1. Takes the event from the queue.
2. Stores the element in memory to be written on its own log file.
Logging:
1. Every 1 second, all the log files are written to the HDD.
2. Every 5 seconds (by default, if not overridden), the status file for Analysisd is generated.

Flow example of an event

The image below shows the flow for a Rootcheck event that generates an alert.

As you can see, every part of the Analysisd multithreaded engine is independent of one another, except for the rule-matching threads that share the same queue.

Automatic leveling of the threads

By default, when Analysisd starts it will spawn the number of threads based on the number of CPU cores of the machine where it's running. For example, if the machine has 4 physical cores, the following threads will be created:

4 threads for decoders (4 for Syscheck, 4 for Syscollector, 4 for Rootcheck, 4 for Hostinfo, and 4 for others).

4 threads for rule matching.

This default configuration can be changed on the internal_options.conf file by changing the fields from the table below:

analysisd.event_threads	Description	Number of event decoder threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.syscheck_threads	Description	Number of Syscheck event decoder threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.syscollector_threads	Description	Number of Syscollector event decoder threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.rootcheck_threads	Description	Number of Rootcheck event decoder threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.hostinfo_threads	Description	Number of hostinfo event decoder threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.rule_matching_threads	Description	Number of rule matching threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.
analysisd.winevt_threads	Description	Number of rule matching threads.
	Default value	0
	Allowed value	0: Sets the number of threads according to the number of CPU cores.
	Allowed value	Any integer between 0 and 32.

For example, if the manager receives a few Rootcheck events, we can decrease the number of threads for the Rootcheck decoder.

wazuh-authd

The wazuh-authd program can automatically add a Wazuh agent to a Wazuh manager and provide the key to the agent. The program creates an agent with an IP address of any instead of using a specific IP address.

Warning

By default, there is no authentication or authorization involved in this transaction, so it is recommended that this daemon only be run when a new agent is being added.

wazuh-authd is able to generate X.509 certificates used for manager verification. OpenSSL is not required.

The certificate parameters are specified in the CLI:

# wazuh-authd -C 265 -B 2048 -K /var/ossec/etc/sslmanager.key -X /var/ossec/etc/sslmanager.cert -S "/C=US/ST=California/CN=wazuh/"

If any of the parameters related to the certificate generation is missing, an error is triggered and the certificates are not generated.

-V	Version and license message.
-h	This help message.
-d	Debug mode. Use this parameter multiple times to increase the debug level.
-t	Test configuration.
-f	Run in foreground.
-g <group>	Group to run as.
	Default	wazuh
-D <dir>	Directory to chroot into.
	Default	/var/ossec
-p <port>	Manager port.
	Default	1515
-P	Enable shared password authentication, at `etc/authd.pass` or random.
-c <ciphers>	SSL cipher list. The format of this parameter is described in SSL ciphers.
	Default	HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
-v <path>	Path to CA certificate used to verify clients.
-s	Used with -v, enable source host verification.
-x <path>	Path to server certificate.
	Default	etc/sslmanager.cert.
-k <path>	Path to server key.
	Default	etc/sslmanager.key.
-a	Auto negotiate the most secure common SSL/TLS method with the client.
	Default	TLS v1.2 only (if supported by the server).
-L	Force insertion even though agent limit has been reached.
-C	Specify the number of days the certificate is valid for.
-B	Set the X.509 certificate key size in bits.
-K	Path to store the X.509 certificate key.
-X	Path to store the X.509 certificate.
-S	Subject of the X.509 certificate. The arg must be formatted as /type0=value0/type1=value1/type2=..

Note

Paths can be referred to as relative paths under the Wazuh installation directory or full paths.

wazuh-execd

The wazuh-execd program runs active responses by initiating the configured scripts. It also handles the socket needed to perform remote upgrades in the agents.

-c <config>	Run using <config> as the configuration file.
	Default value	/var/ossec/etc/ossec.conf
-d	Run in debug mode. This option may be repeated to increase the verbosity of the debug messages.
-f	Run in the foreground.
-g <group>	Run as a specific group.
-h	Display the help message.
-t	Test configuration.
-V	Display the version and license information

wazuh-logcollector

The wazuh-logcollector program monitors configured files and commands for new log messages.

wazuh-logcollector is now multi-threaded, achieving an improvement in overall performance. Each of the threads will read the first log that is not already handled by other threads and when it finishes reading, it will try to read the next available log (file or command) so that all the threads are always occupied.

In addition, the interlocking problem that existed in the one-threaded version when it took a long time to read a log while the rest were left unattended, is avoided.

Warning

The advantages of the multithreaded logcollector are only available from version 3.6.0 and higher.

-c <config>	Run using <config> as the configuration file.
	Default value	/var/ossec/etc/ossec.conf
-d	Run in debug mode. This option may be repeated to increase the verbosity of the debug messages.
-f	Run in the foreground.
-g <group>	Run as a specific group.
-h	Display the help message.
-t	Test configuration.
-V	Display the version and license information

wazuh-monitord

The wazuh-monitord program monitors agent connectivity. In addition, it rotates and compresses internal logs daily or when they reach a certain configurable size.

-c <config>	Run using <config> as the configuration file.
	Default value	/var/ossec/etc/ossec.conf
-D <dir>	Chroot to <dir>
	Default value	/var/ossec
-d	Run in debug mode. This option may be repeated to increase the verbosity of the debug messages.
-f	Run in the foreground.
-g <group>	Run as a group.
-h	Display the help message.
-n	Disable agent monitoring.
-t	Test configuration.
-u <user>	Run as a specific user.
	Default value	wazuh
-w <sec>	Time in seconds to wait before rotating logs and alerts.
-V	Display the version and license information

wazuh-remoted

The wazuh-remoted program is the server side daemon that communicates with the agents. It runs as wazuh and is chrooted to /var/ossec by default.

-c <config>	Run using <config> as the configuration file.
	Default value	/var/ossec/etc/ossec.conf
-D <dir>	Chroot to <dir>
	Default value	/var/ossec
-d	Run in debug mode. This option may be repeated to increase the verbosity of the debug messages.
-f	Run in the foreground.
-g <group>	Run as a specific group.
-h	Display the help message.
-t	Test configuration.
-u <user>	Run as a specific user.
	Default value	wazuh
-V	Display the version and license information
-m	Avoid creating shared merged file (read only)

wazuh-syscheckd

The wazuh-syscheckd program checks configured files for changes to the checksums, permissions and ownership. It is run using wazuh-control.

-c <config>	Run using <config> as the configuration file.
	Default value	/var/ossec/etc/ossec.conf
-d	Run in debug mode. This option may be repeated to increase the verbosity of the debug messages.
-f	Run in the foreground.
-h	Display the help message.
-t	Test configuration.
-V	Display the version and license information

wazuh-clusterd

The wazuh-clusterd program manages the Wazuh cluster communications between the managers belonging to the cluster and synchronizes all files.

wazuh-clusterd options

-h

Display the help message.

-d

Run in debug mode. Use twice to increase verbosity.

-f

Run in the foreground.

-r

Run as root. Use only for debugging purposes.

-V

Print version.

wazuh-modulesd

The wazuh-modulesd program manages the Wazuh modules described below.

Database wodle

The Wazuh core uses list-based databases to store information related to agent keys, and FIM/Rootcheck event data. This information is highly optimized to be handled by the core.

In order to provide well-structured data that can be accessed by the user or the Wazuh API, new SQLite-based databases have been introduced in the Wazuh manager. The Database Synchronization Module is a user-transparent component that collects the following information from the core:

Agent information: name, address, encryption key, last connection time, operating system, version, and shared configuration hash.

FIM data: creation, modification, and deletion of regular files and Windows registry entries.

Rootcheck detected defects: issue message, first detection date, and last alert time.

Static core settings: maximum permitted agents or SSL being enabled for Authd.

wazuh-modulesd options

-d	Basic debug mode.
-dd	Verbose debug mode.
-f	Run in the foreground.
-h	Display the help message.
-t	Test configuration.

wazuh-db

The Wazuh core uses list-based databases to store information related to agent keys, and FIM/Rootcheck event data.

Note

Each agent has a database which name is the id of the agent registered in the manager

wazuh-db options

-d	Basic debug mode.
-dd	Verbose debug mode.
-f	Run in foreground.
-h	Display the help message.
-V	Version and license message.
-t	Test configuration.

Tables available for wazuh-db

Agent tables

fim_entry
sync_info
scan_info
metadata
Syscollector tables

Task tables

tasks

fim_entry

Data from FIM records reported by the agent

Field	Description	Example
file	File name	/test/file
type	Type (file or registry)	file
date	Event timestamp	1538556788
changes	Successive file changes	0
size	File size	28179
perm	File permissions	100664
uid	User ID	1000
gid	Group ID (Unix)	1000
md5	File MD5	6d9bd718faff778bbeabada6f07f5c2f
sha1	File SHA1	3ad067d8949ab0e20c220d7b1acb338190967acc
uname	Unix name	root
gname	Group name	root
mtime	Modify time	1536059852
inode	Inode number	14946484
sha256	File SHA256	09aaf47929660c513332aa2349bc66ce7ae710d030888530e0ae27646c9e6f5d
attributes	File attrs mask (Windows)	32
symbolic_path	Path of the monitored sym link	/test/link
checksum	SHA1 of all file attributes	da39a3ee5e6b4b0d3255bfef95601890afd80709

sync_info

It stores the information related to the synchronization between the databases of the agents and the manager

Field	Description	Example
component	Module name	fim
last_attempt	Unix timestamp of the last synchronization attempt	1580906939
last_completion	Unix timestamp of the last successful synchronization	1580906939
n_attempts	Number of synchronization attempts	32
n_completions	Number of successful synchronizations	29

scan_info

It stores the begin and end times of each scan of an agent (used for agents prior to 3.12)

Field	Description	Example
module	Module name	fim
first_start	First scan begin date	1538558233
first_end	First scan end date	1538556788
start_scan	Last scan start date	1538558233
end_scan	Last scan end date	1538558192
fim_first_check	Start date of first scan	1538558233
fim_second_check	Start date of two scans ago	1538556779
fim_third_check	Start date of three scans ago	1538555325

Note

Fields fim_first_check, fim_second_check and fim_third_check are only used on FIM scans

metadata

Data needed to upgrade the agent's database

Field	Description	Example
key	Field name	db_version
value	Field value	3

The key field can also store the following values:

last_vacuum_time: its value field stores the last time the vacuum was performed.

last_vacuum_value: its value field stores the fragmentation value that the database was left with after the last vacuum was performed.

Syscollector tables

Table	Description
sys_hwinfo	Stores information about the hardware of the system
sys_netiface	Stores information about the existing network interfaces of the system
sys_netaddr	Stores information about the IPv4 and IPv6 of the existing network interfaces
sys_netproto	Stores information about routing configuration for each interface
sys_osinfo	Stores information about the operating system
sys_ports	Stores information about the opened ports of a system
sys_processes	Stores information about the current processes running in the system
sys_programs	Stores information about the packages installed in the system
sys_hotfixes	Stores information about the Windows updates installed on the agent
sys_users	Stores user account information on monitored endpoints
sys_groups	Stores information about user account groups on monitored endpoints
sys_services	Stores information about services on monitored endpoints
sys_browser_extensions	Stores browser extensions details on monitored endpoints

tasks

Tasks executed on the agents

Field	Description	Example
task_id	Task unique identifier	14
agent_id	Agent identifier	5
node	Node that executed the task	node01
module	Module that requested the task	upgrade_module
command	Command executed	upgrade
create_time	Timestamp of the task creation	1599147413
last_update_time	Timestamp of the last change	1599147657
status	Current status of the task	Failed
error_message	Optional when the task failed	Upgrade procedure exited with error code

The possible statuses of a task are the following:

Pending: The task was created but it is not running yet.
In progress: The task is running.
Done: The execution of the task finished successfully.
Failed: The execution of the task finished with an error. It should have an error message with more information.
Cancelled: The task was canceled and will not run.
Timeout: The task ran for a long period of time (configurable) and no final result was obtained.
Legacy: The result of the task cannot be known and must be checked manually.

Tools

Tools	Descriptions	Supported installations
wazuh-control	Manages the status of Wazuh processes	manager, agent
agent_control	Allows queries of the manager to get information about any agent	manager
manage_agents	Provides an interface to handle authentication keys for agents	agent
wazuh-logtest	Allows testing and verification of rules against provided log records	manager
rbac_control	Manage API RBAC resources and reset RBAC DB	manager
verify-agent-conf	Verifies the Wazuh agent.conf configuration	manager
agent_groups	Manages and assigns groups	manager
agent_upgrade	List outdated agents and upgrade them	manager
cluster_control	Manages and retrieves cluster information	manager
fim_migrate	Migrates older FIM databases to Wazuh-DB	manager
wazuh-keystore	Stores sensitive information for increased security	manager

wazuh-control

The wazuh-control script is used to start, stop, configure, check on the status of Wazuh processes and enable the debug mode.

Note

We recommend using the systemctl or service commands (depending on your OS) to start, stop or restart the Wazuh service. This will avoid inconsistencies between the service status and the processes status.

The -j option is used for enabling JSON output format, but only in Wazuh server installations.

start	Start the Wazuh processes.
stop	Stop the Wazuh processes.
restart	Restart the Wazuh processes.
reload	Restart all Wazuh processes except wazuh-execd. This allows an agent to reload without losing Active Response status. This option is not available on a local Wazuh installation.
status	Determine which Wazuh processes are running.
info	Prints the Wazuh installation type, version, and revision in environment variables format.
info	[-v -r -t]	Only one option at the time, prints the value of: version, revision or type.
enable	debug	Run all Wazuh daemons in debug mode.
disable	debug	Turn off debug mode.

Note

To use the database option, Database support must be compiled in during initial installation.

Examples

Show status of Wazuh processes:

# /var/ossec/bin/wazuh-control status

wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Print the value of Wazuh version:

# /var/ossec/bin/wazuh-control info -v

v5.0.0

agent_control

The agent_control program allows you to query the manager for information about any agent and also allows you to initiate a syscheck/rootcheck scan on an agent the next time it checks in.

With this tool, you can check the status of each available agent, which can be any of the following:

Active: The agent is correctly connected to the manager.
Pending: The agent is waiting for a response from the manager.
Disconnected: The agent is not connected to the manager.
Never connected: The agent has never connected to the manager.

agent_control options

-h	Display the help message
-l	List available agents whether they are active or not.
-lc	List only the currently connected agents.
-ln	List only the currently disconnected agents.
-i <agent_id>	Extract information from an agent
-R <agent_id>	Restart the Wazuh processes on the agent
-r	Run the integrity/rootcheck checking on agents. This must be used in conjunction with options -a or -u.
-a	Utilizes all agents
-u <agent_id>	Perform the requested action on the specified agent.

agent_control options for Active Response

-b <IP>	Blocks the specified IP address.
-f <ar>	Used with -b, specifies which response to run.
-L	List available active responses.
-s	Change the output to CSV format (comma delimited).
-j	Change the output to JSON format.

Note

The active-response identifier for use with the -f option is composed of the command name followed by the value indicated in the timeout option (active-response block). If timeout_allowed (command block) is set to no, or no timeout has been specified, the number next to the command name is 0.

You can verify the identifier of an active response with the first column of /var/ossec/etc/shared/ar.conf.

Example

Restart an agent:

# /var/ossec/bin/agent_control -R -u 001

Wazuh agent_control: Restarting agent: 001

manage_agents

The manage_agents program is available for agent installations.

The purpose of manage_agents is to provide an easy-to-use interface to handle authentication keys for Wazuh agents. These authentication keys are required for secure (encrypted and authenticated) communication between the Wazuh server and its affiliated agent instances.

Usage

manage_agents -[Vhj] [-i id]

Options

-V	Version and license message.
-h	This help message.
-j	Use JSON output.
-i <id>	Import authentication key.

wazuh-logtest

wazuh-logtest tool allows the testing and verification of rules against provided log examples inside a sandbox in wazuh-analysisd. Helpful when writing and debugging custom rules and decoders, troubleshooting false positives and negatives.

-d	Run as a Print debug output to the terminal.
-h	Display the help message.
-U <rule-id:alert-level:decoder-name>	This option will cause wazuh-logtest to return a zero exit status if the test results for the provided log line match the criteria in the arguments. Only one log line should be supplied for this to be useful.
-l <location>	Set custom location.
-V	Display the version and license information for Wazuh and wazuh-logtest.
-q	Quiet execution.
-v	Display the verbose results.

Note

-v is the key option to troubleshoot a rule or decoder problem.

Example

Test decoding and rule matching for an SSH invalid login attempt:

# /var/ossec/bin/wazuh-logtest

Starting wazuh-logtest v4.12.0
Type one log per line

Aug 04 08:07:00 linux-agent sshd[39245]: Invalid user baduser from 25.25.25.25 port 57238

**Phase 1: Completed pre-decoding.
        full event: 'Aug 04 08:07:00 linux-agent sshd[39245]: Invalid user baduser from 25.25.25.25 port 57238'
        timestamp: 'Aug 04 08:07:00'
        hostname: 'linux-agent'
        program_name: 'sshd'

**Phase 2: Completed decoding.
        name: 'sshd'
        parent: 'sshd'
        srcip: '25.25.25.25'
        srcport: '57238'
        srcuser: 'baduser'

**Phase 3: Completed filtering (rules).
        id: '5710'
        level: '5'
        description: 'sshd: Attempt to login using a non-existent user'
        groups: '['syslog', 'sshd', 'authentication_failed', 'invalid_login']'
        firedtimes: '1'
        gdpr: '['IV_35.7.d', 'IV_32.2']'
        gpg13: '['7.1']'
        hipaa: '['164.312.b']'
        mail: 'False'
        mitre.id: '['T1110.001', 'T1021.004']'
        mitre.tactic: '['Credential Access', 'Lateral Movement']'
        mitre.technique: '['Password Guessing', 'SSH']'
        nist_800_53: '['AU.14', 'AC.7', 'AU.6']'
        pci_dss: '['10.2.4', '10.2.5', '10.6.1']'
        tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

rbac_control

The rbac_control tool allows managing resources from the Wazuh RBAC database and resetting the DB to its default state. For more information about the Wazuh RBAC resources and database, please visit the How it works section.

Usage

Option name	Option description
`-h, --help`	Display the help message.
`change-password`	Change the password for each default user.
`factory-reset`	Reset the RBAC database to its default state. Ask for confirmation unless the -f/--force flag is used.

Examples

-h argument:

# /var/ossec/bin/rbac_control -h

usage: rbac_control.py [-h] {change-password,factory-reset} ...

Wazuh RBAC tool: manage resources from the Wazuh RBAC database

Arguments:
  {change-password,factory-reset}
    change-password     Change the password for each default user. Empty values will leave the password unchanged.
    factory-reset       Reset the RBAC database to its default state. This will completely wipe your custom RBAC information.

optional arguments:
  -h, --help            show this help message and exit

factory-reset example:

# /var/ossec/bin/rbac_control factory-reset

This action will completely wipe your RBAC configuration and restart it to default values. Type RESET to proceed: RESET
    Successfully reset RBAC database

factory-reset example (aborted):

# /var/ossec/bin/rbac_control factory-reset

This action will completely wipe your RBAC configuration and restart it to default values. Type RESET to proceed: aa
    RBAC database reset aborted.

change-password example with an insecure password:

# /var/ossec/bin/rbac_control change-password

New password for 'wazuh' (skip):
New password for 'wazuh-wui' (skip):
    wazuh: FAILED | Error 5007 - Insecure user password provided

change-password example where the wazuh user password was changed successfully (to skip any of the user, leave the new password blank):

# /var/ossec/bin/rbac_control change-password

New password for 'wazuh' (skip):
New password for 'wazuh-wui' (skip):
    wazuh: UPDATED

verify-agent-conf

The verify-agent-conf program verifies the Wazuh agent.conf configuration.

This program searches in /var/ossec/etc/shared the possible folders belonging to groups and verifies the agent.conf file inside them if it exists. We can also specify the path of the file to be verified.

Usage:

verify-agent-conf [-f <agent.conf file>]

Example

# /var/ossec/bin/verify-agent-conf

verify-agent-conf: Verifying [etc/shared/default/agent.conf]
verify-agent-conf: OK

agent_groups

The agent_groups program allows you to list agents assigned to a group, assign agents to a group and manage the agents groups. Below are the parameters that can be used with this new function:

-h	Displays the help message
-q	Quiet mode (outputs no confirmation)
-d	Debug
-l	Lists all groups
-l -g group_id	Lists the agents in the group
-c -g group_id	Lists the configuration files in group
-a -g group_id [-q]	Creates a group
-r -g group_id [-q]	Removes a group (affects to all agents assigned to it)
-a -i agent_id -g group_id [-q]	Assigns group_id to the agent's group list
-a -f -i agent_id -g group_id [-q]	Replaces the agent's groups to group_id
-r -i agent_id [-q]	Remove an agent from all its groups
-r -i agent_id -g group_id [-q]	Remove an agent from a specific group
-s -i agent_id	Shows the groups of an agent
-S -i agent_id	Shows the shared files sync status of an agent

Examples

Create group 'debian':

$ /var/ossec/bin/agent_groups -a -g debian

Do you want to create the group 'debian'? [y/N]: y
Group 'debian' created.

Assign group 'debian' to agent 002:

$ /var/ossec/bin/agent_groups -a -i 002 -g debian

Do you want to set the group 'debian' to the agent '002'? [y/N]: y
Group 'debian' assigned to agent '002'.

Get the groups of agent 002:

$ /var/ossec/bin/agent_groups -s -i 002

The agent 'agent-deb-002' with ID '002' belongs to groups: default, debian, east-office

List all agents in group 'debian':

$ /var/ossec/bin/agent_groups -l -g debian

3 agent(s) in group 'debian':
    ID: 002  Name: agent-deb-002.
    ID: 003  Name: agent-deb-003.
    ID: 004  Name: agent-deb-004.

List configuration files in group 'debian':

$ /var/ossec/bin/agent_groups -c -g debian

Files for group 'debian':
  agent.conf                [ab73af41699f13fdd81903b5f23d8d00]
  merged.mg                 [4437654d67c9c4ac2e46cf5f73e04518]
  cis_debian_linux_rcl.txt  [38cc9b168dc24576daa76f4502575a4f]

Remove agent 002 from all groups except the default:

$ /var/ossec/bin/agent_groups -r -i 002

Do you want to delete all groups of agent '002'? [y/N]: y
Group unset for agent '002'.

Remove agent 003 from a specific group

$ /var/ossec/bin/agent_groups -r -i 003 -g group2

Do you want to delete the group 'group2' of agent '003'? [y/N]: y

Group 'group2' unset for agent '003'.

Remove the group 'debian' from every agent:

$ /var/ossec/bin/agent_groups -r -g debian

Do you want to remove the 'debian' group? [y/N]: y
Group debian removed.

Add an agent to more than one group:

$ /var/ossec/bin/agent_groups -a -i 001 -g group1

Do you want to add the group 'group1' to the agent '001'? [y/N]: y
Group 'group1' added to agent '001'.

$ /var/ossec/bin/agent_groups -a -i 001 -g group2

Do you want to add the group 'group2' to the agent '001'? [y/N]: y
Group 'group2' added to agent '001'.

Now, 'agent1' belongs to 'default', 'group1' and 'group2'.

agent_upgrade

The agent_upgrade program allows you to list outdated agents and upgrade them.

Note

In case of having a multi-node Wazuh cluster, agent_upgrade must be executed on the node where the agent is connected.

Note

Since v4.1.0, the upgrade procedure is performed by the Agent upgrade module and the agent_upgrade script can be executed on any node.

Option	Description
-h, --help	Displays the help message.
-l, --list_outdated	Generates a list with all outdated agents.
-a AGENT_IDs, --agents AGENT_IDs	Agent IDs to upgrade. When upgrading multiple agents, separate IDs with spaces.
-F, --force	Forces the agents to upgrade, ignoring version validations.
-s, --silent	Do not show output.
-v VERSION, --version VERSION	Version to upgrade. [Default: latest Wazuh version]
-r REPOSITORY, --repository REPOSITORY	Specify a repository URL. [Default: packages.wazuh.com/5.x/wpk/]
-f FILE, --file FILE	Custom WPK filename.
-x EXECUTE, --execute EXECUTE	Executable filename in the WPK custom file. [Default `upgrade.sh`]
--http	Uses http protocol instead of https.

Note

By default, the timeout will be the maximum allowed by the agent with the execd.max_restart_lock option in internal_options.conf.

Examples

List outdated agents:

# /var/ossec/bin/agent_upgrade -l

ID    Name                               Version
002   VM_Debian9                         Wazuh v4.2.0
003   VM_Debian8                         Wazuh v4.2.0
004   VM_WinServ2016                     Wazuh v4.1.0

Total outdated agents: 3

Upgrade agent:

# /var/ossec/bin/agent_upgrade -a 002

Upgrading...

Upgraded agents:
  Agent 002 upgraded: Wazuh v4.2.0 -> Wazuh v4.12.0

Upgrade multiple agents:

# /var/ossec/bin/agent_upgrade -a 003 004

Upgrading...

Upgraded agents:
  Agent 003 upgraded: Wazuh v4.2.0 -> Wazuh v4.12.0
  Agent 004 upgraded: Wazuh v4.1.0 -> Wazuh v4.12.0

Upgrade agent using a custom repository:

# /var/ossec/bin/agent_upgrade -a 002 -v v4.12.0 -r http://mycompany.wpkrepo.com/

Upgrading...

Upgraded agents:
  Agent 002 upgraded: Wazuh v4.2.0 -> Wazuh v4.12.0

Install custom WPK file:

# /var/ossec/bin/agent_upgrade -a 002 -d -f /root/wazuh-agent_v5.0.0_debian.wpk -x install.sh

Upgrading...

Upgraded agents:
 Agent 002 upgraded: Wazuh v4.2.0 -> Wazuh v4.12.0

Note

When the agent finishes updating, it is automatically restarted to apply the new configuration.

cluster_control

The cluster_control program allows you to manage the cluster from any manager. It is necessary that wazuh-clusterd is running in order to use this tool.

cluster_control options

Option name	Option description
`-h`, `--help`	Display the help message.
`-i`, `--health [more] [-fs]`	Display the cluster's healthcheck.
`-l`, `--list-nodes [-fn]`	Display connected nodes in the cluster.
`-d`, `--debug`	Show debug messages.
`-a`, `--list-agents [-fs] [-fn]`	Display agents in the cluster.
`-fn`, `--filter-node [NODE_NAME]`	Display information of specified node(s) only
`-fs`, `--filter-agent-status [STATUS]`	Display agents with the specified status(es) only

Examples

Get cluster's healthcheck

Summarized version

# /var/ossec/bin/cluster_control -i

Cluster name: wazuh_cluster

Last completed synchronization for connected nodes (2):
    wazuh-2 (172.16.1.14): Integrity check: 2025-08-18T17:10:41.432055Z | Integrity sync: 2025-08-18T17:05:07.390796Z | Agents-info: 2025-08-18T17:10:40.847664Z | Agent-groups: n/a | Agent-groups full: 2025-08-18T17:05:23.954292Z | Last keep alive: 2025-08-18T17:10:40.325416Z.
    wazuh-3 (172.16.1.15): Integrity check: 2025-08-18T17:10:41.005503Z | Integrity sync: 2025-08-18T17:05:07.015033Z | Agents-info: n/a | Agent-groups: n/a | Agent-groups full: 2025-08-18T17:05:23.954485Z | Last keep alive: 2025-08-18T17:10:39.970344Z.

Extended version

# /var/ossec/bin/cluster_control -i more

Cluster name: wazuh_cluster

Connected nodes (2):

    wazuh-1 (172.16.1.13)
        Version: 4.12.0
        Type: master
        Active agents: 1

    wazuh-2 (172.16.1.14)
        Version: 4.12.0
        Type: worker
        Active agents: 1
        Status:
            Last keep Alive:
                Last received: 2025-08-18T17:05:40.275469Z.
            Integrity check:
                Last integrity check: 0.013s (2025-08-18T17:06:28.638405Z - 2025-08-18T17:06:28.651010Z).
                Permission to check integrity: True.
            Integrity sync:
                Last integrity synchronization: 0.015s (2025-08-18T17:05:07.376177Z - 2025-08-18T17:05:07.390796Z).
                Synchronized files: Shared: 1 | Missing: 0 | Extra: 0.
            Agents-info:
                Last synchronization: 0.008s (2025-08-18T17:06:20.389530Z - 2025-08-18T17:06:20.397984Z).
                Number of synchronized chunks: 1.
                Permission to synchronize agent-info: True.
            Agents-groups:
                Last synchronization: n/a (2025-08-18T17:06:24.011490Z - n/a).
                Number of synchronized chunks: 0.
            Agents-groups full:
                Last synchronization: 0.01s (2025-08-18T17:05:23.944439Z - 2025-08-18T17:05:23.954292Z).
                Number of synchronized chunks: 1.

    wazuh-3 (172.16.1.15)
        Version: 4.12.0
        Type: worker
        Active agents: 0
        Status:
            Last keep Alive:
                Last received: 2025-08-18T17:05:39.950325Z.
            Integrity check:
                Last integrity check: 0.014s (2025-08-18T17:06:28.238423Z - 2025-08-18T17:06:28.252409Z).
                Permission to check integrity: True.
            Integrity sync:
                Last integrity synchronization: 0.003s (2025-08-18T17:05:07.011863Z - 2025-08-18T17:05:07.015033Z).
                Synchronized files: Shared: 1 | Missing: 0 | Extra: 0.
            Agents-info:
                Last synchronization: n/a (n/a - n/a).
                Number of synchronized chunks: 0.
                Permission to synchronize agent-info: True.
            Agents-groups:
                Last synchronization: n/a (2025-08-18T17:06:24.009932Z - n/a).
                Number of synchronized chunks: 0.
            Agents-groups full:
                Last synchronization: 0.008s (2025-08-18T17:05:23.946172Z - 2025-08-18T17:05:23.954485Z).
                Number of synchronized chunks: 1.

Getting healthcheck of multiple nodes

# /var/ossec/bin/cluster_control -i more -fn wazuh-2 wazuh-1

Cluster name: wazuh_cluster

Connected nodes (1):

    wazuh-1 (172.16.1.13)
        Version: 4.12.0
        Type: master
        Active agents: 1

    wazuh-2 (172.16.1.14)
        Version: 4.12.0
        Type: worker
        Active agents: 1
        Status:
            Last keep Alive:
                Last received: 2025-08-18T17:13:40.354898Z.
            Integrity check:
                Last integrity check: 0.004s (2025-08-18T17:14:00.037058Z - 2025-08-18T17:14:00.040772Z).
                Permission to check integrity: True.
            Integrity sync:
                Last integrity synchronization: 0.015s (2025-08-18T17:05:07.376177Z - 2025-08-18T17:05:07.390796Z).
                Synchronized files: Shared: 1 | Missing: 0 | Extra: 0.
            Agents-info:
                Last synchronization: 0.008s (2025-08-18T17:14:01.197572Z - 2025-08-18T17:14:01.205289Z).
                Number of synchronized chunks: 1.
                Permission to synchronize agent-info: True.
            Agents-groups:
                Last synchronization: n/a (2025-08-18T17:14:04.406802Z - n/a).
                Number of synchronized chunks: 0.
            Agents-groups full:
                Last synchronization: 0.01s (2025-08-18T17:05:23.944439Z - 2025-08-18T17:05:23.954292Z).
                Number of synchronized chunks: 1.

Get connected nodes

Get all connected nodes

# /var/ossec/bin/cluster_control -l

NAME     TYPE    VERSION  ADDRESS
wazuh-1  master  4.12.0   172.16.1.13
wazuh-3  worker  4.12.0   172.16.1.15
wazuh-2  worker  4.12.0   172.16.1.14

Filter connected nodes by name

# /var/ossec/bin/cluster_control -l -fn wazuh-1 wazuh-3

NAME     TYPE    VERSION  ADDRESS
wazuh-1  master  4.12.0   172.16.1.13
wazuh-3  worker  4.12.0   172.16.1.15

Get agents in cluster

Get all agents

# /var/ossec/bin/cluster_control -a

ID   NAME         IP           STATUS  VERSION        NODE NAME
centos8a     127.0.0.1    active  Wazuh v4.12.0  wazuh-1
ag-centos9s  172.16.1.85  active  Wazuh v4.12.0  wazuh-1
ag-ubuntu22  172.16.1.83  active  Wazuh v4.12.0  wazuh-2

Get all agents reporting to a node

# /var/ossec/bin/cluster_control -a -fn wazuh-2

ID   NAME         IP           STATUS  VERSION        NODE NAME
002  ag-ubuntu22  172.16.1.83  active  Wazuh v4.12.0  wazuh-2

Get all active disconnected reporting to a node

# /var/ossec/bin/cluster_control -a -fn wazuh-2 -fs Disconnected

ID  NAME  IP  STATUS  VERSION  NODE NAME

fim_migrate

The fim_migrate tool allows to migrate FIM databases older than Wazuh v3.7.0 to the new format included in Wazuh-DB. This tool must be executed after the upgrading process has been completed.

Note

The new database will be available at /var/ossec/queue/db.

Usage

This tool is not included in the Wazuh installation, but you can download it from the Wazuh repository on GitHub:

# curl -so fim_migrate https://raw.githubusercontent.com/wazuh/wazuh/v5.0.0/tools/migration/fim_migrate.py

Add execution permission and run this tool on the manager instance as follows:

# chmod +x fim_migrate

# ./fim_migrate

Warning

After completing the migration process, the old FIM databases won't be removed automatically. To do so, remove the /var/ossec/queue/syscheck folder.

Options

Option name	Option description
`-h`	Display the help message.
`-p <path>`	Change the default installation path (/var/ossec).
`-f`	Force insertion. By default, the tool checks if the file or registry is already added and skips the insertion. Using this option, the tool adds and overwrites the entry.
`-q`	Quiet mode.
`-d`	Debug mode.

Examples

# ./fim_migrate

2018-10-25 15:18:20 [INFO] Upgrading FIM database for manager...
2018-10-25 15:18:20 [INFO] Added 4734 file entries in manager database.
2018-10-25 15:18:20 [INFO] [1/3] Upgrading FIM database for agent '001'...
2018-10-25 15:18:20 [INFO] [1/3] Added 16 file entries in agent '001' database.
2018-10-25 15:18:20 [INFO] [1/3] Upgrading FIM database (syscheck-registry) for agent '001'...
2018-10-25 15:18:21 [INFO] [1/3] Added 4627 registry entries in agent '001' database.
2018-10-25 15:18:21 [INFO] [2/3] Upgrading FIM database for agent '002'...
2018-10-25 15:18:22 [INFO] [2/3] Added 3121 file entries in agent '002' database.
2018-10-25 15:18:22 [INFO] [3/3] Upgrading FIM database for agent '003'...
2018-10-25 15:18:22 [INFO] [3/3] Added 3 file entries in agent '003' database.
2018-10-25 15:18:22 [INFO] [3/3] Upgrading FIM database (syscheck-registry) for agent '003'...
2018-10-25 15:18:22 [INFO] [3/3] Added 4611 registry entries in agent '003' database.
2018-10-25 15:18:22 [INFO] Finished.

wazuh-keystore

The wazuh-keystore increases the security of sensitive information, storing in it any information that the Wazuh manager requires for its correct operation.

wazuh-keystore options

-h	Display the help message.
-f <FAMILY>	Specifies the target column family for the insertion.
-k <KEY>	Specifies the key for the key-value pair.
-v <VALUE>	Specifies the value associated with the key.
-vp <VALUE>	Specifies the path to a single-line file with the value.

You can use only one of the options -v or -vp at a time. If neither is specified, the tool reads the value from standard input.

When using -vp, the file must contain a single line with the value.

Example

Set the indexer username and password:

# echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k username
# echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k password

Alternate methods to set values:

# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
# /var/ossec/bin/wazuh-keystore -f indexer -k password -vp /file/with/password

Unattended Installation

The unattended installation saves time deploying agents, allowing the user to predefine several installation variables instead of waiting for them to be prompted. This can be made by modifying the preloaded-vars.conf file and uncommenting the configuration lines that you want to automate during the installation process.

Global
Agent
Manager/local

Global

USER_LANGUAGE	Defines the language to be used.
	Allowed values	"en", "br", "cn", "de", "el", "es", "fr", "hu", "it", "jp", "nl", "pl", "ru", "sr", "tr"
USER_NO_STOP	If it is set to anything, the confirmation messages are not going to be asked for.
USER_INSTALL_TYPE	Defines the role for the Wazuh instance that is being installed.
	Allowed values	"local", "agent", "server"
USER_DIR	Defines the location to install Wazuh.
	Allowed values	Any path
USER_DELETE_DIR	If it is set to "y", the directory to install Wazuh will be removed if exists.
	Allowed values	"y", "n"
USER_ENABLE_ACTIVE_RESPONSE	If it is set to "n", Active Response will be disabled.
	Allowed values	"y", "n"
USER_ENABLE_SYSCHECK	If it is set to "n", syscheck will be disabled.
	Allowed values	"y", "n"
USER_ENABLE_ROOTCHECK	If it is set to "n", rootcheck will be disabled.
	Allowed values	"y", "n"
USER_ENABLE_AUTHD	If it is set to "y", Authd will be enabled.
	Allowed values	"y", "n"
USER_GENERATE_AUTHD_CERT	If it is set to "y", the Authd certificate will be auto generated.
	Allowed values	"y", "n"
USER_UPDATE	If it is set to anything, the update installation will be done.
USER_BINARYINSTALL	If it is set to anything, the installation is not going to compile the code, but use the binaries from ./bin/
USER_CA_STORE	Custom location for certificates to verify incoming WPK packages for remote upgrades.
	Allowed values	If none "n", otherwise the path to a X509 certificate or to a folder containing certificates.

Agent

USER_AGENT_SERVER_IP	Specifies the IP address of the Wazuh server.
USER_AGENT_SERVER_NAME	Specifies the hostname of the Wazuh server.
USER_AGENT_CONFIG_PROFILE	Specifies the agent's config profile name. This is used to create configuration profiles for this particular profile name.

Example:

USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"

Manager/local

USER_ENABLE_EMAIL	Enables or disables alerts by e-mail.
	Allowed values	"y", "n"
USER_AUTO_START	Enables or disables the auto-start of Wazuh.
USER_EMAIL_ADDRESS	Defines the destination e-mail for the alerts.
	Allowed values	A valid e-mail address.
USER_EMAIL_SMTP	Defines the SMTP server to send the e-mails.
	Allowed values	A valid SMTP server.
USER_ENABLE_UPDATE_CHECK	Enables or disables the update checker.
	Allowed values	"y", "n"
USER_ENABLE_SYSLOG	Enables or disables remote syslog.
	Allowed values	"y", "n"
USER_WHITE_LIST	List of IP addresses or networks that are going to be set to never be blocked.

Example:

USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="server"
USER_DIR="/var/ossec"
USER_ENABLE_EMAIL="n"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_WHITE_LIST="n"
USER_ENABLE_SYSLOG="y"
USER_CA_STORE="n"

Note

To automate deployments in Windows, you can use the parameters of its installer.

Statistics files

The statistics files are documents that show real-time information about the Wazuh environment as the processed events, received messages, and the state of the remote connections.

Agents statistical files:

wazuh-agentd.state - It shows the amount of events generated, last connection date and agent status, among other useful information related to the agent.

Manager statistical files:

wazuh-remoted.state - It shows information about the remote daemon

wazuh-analysisd.state - It shows information about the analysis daemon.

Manager and Agents statistical files:

wazuh-logcollector.state - It shows information about logcollector daemon.

Contents

wazuh-agentd.state

The statistical file for wazuh-agentd is located at /var/ossec/var/run/wazuh-agentd.state.

This file provides information about the agent as the number of generated events, last connection, agent status, and some other useful information.

By default, this file is updated every 5 seconds. This interval can be changed by modifying the agent.state_interval value from the internal configuration file.

Note

This file is created the first time the agent connects to the manager.

Below there is an example of the content of the file:

# State file for wazuh-agentd

# Agent status:
# - pending:      waiting for get connected.
# - connected:    connection established with manager in the last 10 seconds.
# - disconnected: connection lost or no ACK received in the last 60 seconds.
status='connected'

# Last time a keepalive was sent
last_keepalive='2019-02-05 12:18:37'

# Last time a control message was received
last_ack='2019-02-05 12:18:37'

# Number of generated events
msg_count='12579'

# Number of messages (events + control messages) sent to the manager
msg_sent='12928'

# Number of events currently buffered
# Empty if anti-flooding mechanism is disabled
msg_buffer='35'

Note

Statistics can also be acquired in real-time through the API.

wazuh-remoted.state

The statistical file for wazuh-remoted is located at /var/ossec/var/run/wazuh-remoted.state.

This file provides information about the remote daemon as the queue size, discarded messages, number of remote connections, and other useful information.

By default, this file is updated every 5 seconds. This interval can be changed by modifying the remoted.state_interval value from the internal configuration file.

Below there is an example of the content of the file:

# State file for wazuh-remoted
# Updated every 5 seconds.

# Queue size
queue_size='0'

# Total queue size
total_queue_size='131072'

# TCP sessions
tcp_sessions='130'

# Events sent to Analysisd
evt_count='19097'

# Control messages received
ctrl_msg_count='3444'

# Discarded messages
discarded_count='23'

# Messages sent
msg_sent='3460'

# Total number of bytes received
recv_bytes='435879'

# Messages dequeued after the agent closes the connection
dequeued_after_close='487'

# Control messages queue usage
ctrl_msg_queue_usage='0'

# Control messages queue breakdown
ctrl_msg_queue_inserted='5587'
ctrl_msg_queue_replaced='13'
ctrl_msg_queue_processed='5587'

wazuh-analysisd.state

The statistical file for wazuh-analysisd is located at /var/ossec/var/run/wazuh-analysisd.state.

It can be useful when benchmarking our Wazuh manager analysis engine in highly loaded environments.

By default, this file is updated every 5 seconds. This interval can be changed by modifying the analysisd.state_interval value from the internal configuration file.

Below there is an example of the content of the file:

# State file for wazuh-analysisd

# Total events decoded
total_events_decoded='184'

# Syscheck events decoded
syscheck_events_decoded='49'
syscheck_edps='6'

# Syscollector events decoded
syscollector_events_decoded='11'
syscollector_edps='7'

# Rootcheck events decoded
rootcheck_events_decoded='48'
rootcheck_edps='3'

# Security configuration assessment events decoded
sca_events_decoded='0'
sca_edps='0'

# Hostinfo events decoded
hostinfo_events_decoded='3'
hostinfo_edps='0'

# Other events decoded
other_events_decoded='23'
other_events_edps='2'

# Events processed (Rule matching)
events_processed='19'
events_edps='2'

# Events received
events_received='10'

# Events dropped
events_dropped='1'

# Alerts written to disk
alerts_written='179'

# Firewall alerts written to disk
firewall_written='8'

# FTS alerts written to disk
fts_written='1'

# Syscheck queue
syscheck_queue_usage='0.12'

# Syscheck queue size
syscheck_queue_size='16384'

# Syscollector queue
syscollector_queue_usage='0.10'

# Syscollector queue size
syscollector_queue_size='16384'

# Rootcheck queue
rootcheck_queue_usage='0.73'

# Rootcheck queue size
rootcheck_queue_size='16384'

# Security configuration assessment queue
sca_queue_usage='0.00'

# Security configuration assessment queue size
sca_queue_size='16384'

# Hostinfo queue
hostinfo_queue_usage='0.05'

# Hostinfo queue size
hostinfo_queue_size='16384'

# Upgrade module message queue
upgrade_queue_usage='0.01'

# Upgrade module message queue size
upgrade_queue_size='16384'

# Event queue
event_queue_usage='0.53'

# Event queue size
event_queue_size='16384'

# Rule matching queue
rule_matching_queue_usage='0.42'

# Rule matching queue size
rule_matching_queue_size='16384'

# Alerts log queue
alerts_queue_usage='0.04'

# Alerts log queue size
alerts_queue_size='16384'

# Firewall log queue
firewall_queue_usage='0.18'

# Firewall log queue size
firewall_queue_size='16384'

# Statistical log queue
statistical_queue_usage='0.10'

# Statistical log queue size
statistical_queue_size='16384'

# Archives log queue
archives_queue_usage='0.09'

# Archives log queue size
archives_queue_size='16384'

wazuh-logcollector.state

The statistics file for wazuh-logcollector is located at /var/ossec/var/run/wazuh-logcollector.state.

It can be helpful to identify and measure if Wazuh is collecting and sending logs consistently.

By default, this file is updated every 60 seconds. This interval can be changed by modifying the logcollector.state_interval value from the internal configuration file.

Below there is an example of the file content:

{
"global": {
    "start": "2021-01-27 12:07:29",
    "end": "2021-01-27 12:09:29",
    "files": [
    {
        "location": "df -P",
        "events": 9,
        "bytes": 893,
        "targets": []
    },
    {
        "location": "/var/log/secure",
        "events": 0,
        "bytes": 0,
        "targets": [
        {
            "name": "agent",
            "drops": 0
        }
        ]
    },
    {
        "location": "/var/log/messages",
        "events": 5,
        "bytes": 292,
        "targets": [
        {
            "name": "agent",
            "drops": 0
        }
        ]
    },
    {
        "location": "/var/ossec/logs/active-responses.log",
        "events": 0,
        "bytes": 0,
        "targets": [
        {
            "name": "agent",
            "drops": 0
        }
        ]
    },
    {
        "location": "last -n 20",
        "events": 1,
        "bytes": 1529,
        "targets": []
    },
    {
        "location": "netstat listening ports",
        "events": 1,
        "bytes": 212,
        "targets": []
    },
    {
        "location": "/var/log/audit/audit.log",
        "events": 0,
        "bytes": 0,
        "targets": [
        {
            "name": "agent",
            "drops": 0
        }
        ]
    },
    {
        "location": "/var/log/maillog",
        "events": 0,
        "bytes": 0,
        "targets": [
        {
            "name": "agent",
            "drops": 0
        },
        {
            "name": "custom_socket",
            "drops": 0
        }
        ]
    }
    ]
},
"interval": {
    "start": "2021-01-27 12:08:29",
    "end": "2021-01-27 12:09:29",
    "files": [
    {
        "location": "df -P",
        "events": 0,
        "bytes": 0,
        "targets": []
    },
    {
        "location": "/var/log/secure",
        "events": 0,
        "bytes": 0,
        "targets": [
        {
            "name": "agent",
            "drops": 0
        }
        ]
    },
    {
        "location": "/var/log/messages",
        "events": 0,
        "bytes": 0,
        "targets": [
        {
            "name": "agent",
            "drops": 0
        }
        ]
    },
    {
        "location": "/var/ossec/logs/active-responses.log",
        "events": 0,
        "bytes": 0,
        "targets": [
        {
            "name": "agent",
            "drops": 0
        }
        ]
    },
    {
        "location": "last -n 20",
        "events": 0,
        "bytes": 0,
        "targets": []
    },
    {
        "location": "netstat listening ports",
        "events": 0,
        "bytes": 0,
        "targets": []
    },
    {
        "location": "/var/log/audit/audit.log",
        "events": 0,
        "bytes": 0,
        "targets": [
        {
            "name": "agent",
            "drops": 0
        }
        ]
    },
    {
        "location": "/var/log/maillog",
        "events": 0,
        "bytes": 0,
        "targets": [
        {
            "name": "agent",
            "drops": 0
        },
        {
            "name": "custom_socket",
            "drops": 0
        }
        ]
    }
    ]
}
}

Cloud security

Wazuh helps increase the security of some of the most comprehensive and broadly adopted cloud platforms such as AWS, Microsoft Azure, or GCP. Learn more about Wazuh Cloud security in the below sections:

Monitoring Amazon Web Services (AWS)

Amazon Web Services (AWS) is a widely used cloud computing platform provided by Amazon. It offers a broad set of services, including computing power, storage, databases, machine learning, analytics, security, and more. AWS enables individuals, businesses, and organizations to access and utilize computing resources without the need to invest in and maintain physical infrastructure.

Wazuh, an open source security platform, provides a comprehensive suite of features to monitor and improve the security of your AWS infrastructure. You can install Wazuh agents on your EC2 instances or integrate the Wazuh module for AWS with supported AWS services. This allows you to analyze events and receive near real-time alerts for anomalies within your AWS infrastructure.

You can learn how to monitor your AWS infrastructure in the following sections:

Monitoring AWS instances

By installing the Wazuh agent on your AWS EC2 instances, you gain insights and monitor activities within these instances.

The Wazuh agent runs as a service on an EC2 instance, and collects and forwards system, security and application data to the Wazuh server through an encrypted and authenticated channel.

To install the Wazuh agent on an EC2 instance, follow the instructions available in the agent installation guide. The Wazuh agent allows you to monitor your EC2 instance with these capabilities:

To learn more about the different Wazuh capabilities, check out this section.

Monitoring AWS based services

The Wazuh module for AWS enables monitoring of various AWS services by collecting logs of these services and analyzing the logs with the Wazuh ruleset. This allows Wazuh to trigger alerts based on EC2 instance configuration, unauthorized behavior of users and systems, data stored on S3, and more. Thereby providing detailed information about activities within the AWS infrastructure.

Each section below contains detailed instructions to configure and set up all of the supported AWS services, and also the required Wazuh configuration to collect logs from these services. It also includes steps to resolve common issues that you may encounter.

This module requires several dependencies to work, and also the right credentials to access the AWS services. Take a look at the prerequisites section before proceeding.

Prerequisites

In this section, we outline the requirements for setting up Wazuh to retrieve logs from various AWS services.

Installing dependencies

You can configure the Wazuh module for AWS either in the Wazuh manager or in a Wazuh agent. This choice depends solely on how you access your AWS infrastructure in your environment.

You only need to install dependencies when configuring the integration with AWS in a Wazuh agent. The Wazuh manager already includes all the necessary dependencies.

We outline the dependencies needed to configure the integration on a Wazuh agent installed on a Linux endpoint.

Python

The Wazuh module for AWS is compatible with Python 3.8–3.13. While later Python versions should work as well, we can't assure they are compatible. If you do not have Python 3 already installed, run the following command on your monitored endpoint.

# apt-get update && apt-get install python3

# yum update && yum install python3

You can install the required modules with Pip, the Python package manager. Most UNIX distributions have this tool available in their software repositories. Run the following command to install pip on your endpoint if you do not have it already installed.

# apt-get update && apt-get install python3-pip

# yum update && yum install python3-pip

We recommend using Pip 19.3 or later to simplify the installation of the dependencies. Run this command to check your pip version.

# pip3 --version

An example output is as follows.

pip 22.0.2 from /usr/lib/python3/dist-packages/pip (python 3.10)

If your pip version is less than 19.3, run the following command to upgrade the version.

# pip3 install --upgrade pip

# pip3 install --upgrade pip --break-system-packages

Note

This command modifies the default externally managed Python environment. See the PEP 668 description for more information.

To prevent the modification, you can run pip3 install --upgrade pip within a virtual environment. You must update the shebang of the /var/ossec/wodles/aws/aws-s3 Python script with the interpreter in your virtual environment. For example, #!/path/to/your/virtual/environment/bin/python3.

AWS client library for Python

Boto3 is the official package supported by Amazon to manage AWS resources. It is used to download log messages from the different AWS services supported by Wazuh. The Wazuh module for AWS is compatible with boto3 from version 1.13.1 to 1.17.85. Future boto3 releases should maintain compatibility although we cannot assure it.

Execute the following command to install the dependencies:

# pip3 install boto3==1.34.135 pyarrow==14.0.1 numpy==1.26.0

# pip3 install --break-system-packages boto3==1.34.135 pyarrow==14.0.1 numpy==1.26.0

Note

If you're using a virtual environment, remove the --break-system-packages parameter from the command above.

# pip3 install --break-system-packages "numpy==2.1.0" "pyarrow==18.0.0" "boto3==1.34.135"

Note

If you're using a virtual environment, remove the --break-system-packages parameter from the command above.

Configuring an S3 Bucket

Amazon Simple Storage Service (Amazon S3) is an object storage service that delivers industry-leading scalability, data availability, security, and performance.

The Wazuh module for AWS requires all supported AWS services, except Inspector, CloudWatch Logs, and Security Lake, to store their logs in an S3 bucket. You can use a single S3 bucket for all these services, avoiding the need to create separate buckets. Wazuh retrieves the logs from this bucket for analysis.

In this section we describe how to create an Amazon S3 bucket:

On your AWS console, go to Services > Storage > S3.
Click Create bucket to create a new S3 bucket.
Enter the name of your S3 bucket, then click Create bucket.

Note

Copy the bucket ARN because it will be needed later for some AWS services.

Configuring AWS IAM Identities

In AWS Identity and Access Management (IAM), an identity represents a human user or programmatic workload that can be authenticated and authorized to perform actions in AWS. The Wazuh module for AWS requires authentication and authorization through an IAM identity to integrate with supported AWS services.

In the following sections, we describe how to create an IAM user group, how to create an AWS IAM user with access credentials, and how to add the user to the group.

Creating an IAM user group

Create a user group that an AWS IAM user will be added to.
1. On the AWS console, search for iam and click IAM from the results.
2. Go to User groups and click Create group to create a new group.
3. Assign a name for the group, scroll down, and click Create group.
4. Confirm the group has been successfully created.

Creating an IAM user

Wazuh requires an AWS IAM user with the necessary permissions to collect log data from the different AWS services. We show below how to create a new IAM user in your AWS environment and obtain the access credentials.

Create a new IAM user and add it to a user group:
1. On your AWS console, navigate to Services > IAM > Users > Create user.
2. Assign a username and click Next.
3. Assign the user to the previously created group and click Next to proceed.
4. Review the selected options and click Create user.
5. Confirm the user creation
Obtain the necessary access credentials for the IAM user.
1. Click on the created IAM user, go to Security credentials, scroll down to Access keys, and click Create access key.
2. Select and confirm the Command Line Interface (CLI) use case and click Next.
3. Assign a description tag value and click Create access key.
4. Save the access credentials, you will use them later to configure the Wazuh module for AWS. If you don't copy the credentials before you click Done, you cannot recover it later. However, you can create a new secret access key.

Depending on the service that will be monitored, the AWS IAM user will need a different set of permissions. The permissions required for each service are explained on each page of the supported services listed in the supported services section.

Configuring AWS policy

In AWS, a policy is an entity that links permissions with an identity or resource. The permissions in a policy determine whether a request is allowed or denied.

In this section, we describe how to create an AWS policy and how to attach the policy to a group.

Creating an AWS policy

Depending on the AWS service that will be monitored, the AWS IAM user will need different sets of permissions. The permissions required for each AWS service are explained on each page of the supported services section.

Follow the steps below on your AWS console to create an AWS policy that collects logs from an S3 bucket.

On the AWS console, search for iam and click IAM from the results.
Click Policies > Create policy.

Switch to JSON view, remove the default statement, and paste the following configuration. Replace <WAZUH_AWS_BUCKET> with the name of the previously created S3 bucket. In this example, the policy allows the IAM user to return and retrieve an object from the specified S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetS3Logs",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

Click Next to proceed to the next step.
Click Create policy to create a new policy.
Confirm the policy creation.

Attaching a policy to an IAM user group

After you create a policy, you can attach it to groups, users, or roles. In this guide, we show how to create a group and how to attach a policy to a group using the AWS console.

On the AWS console, search for iam and click IAM from the results.
Navigate to User groups and click on a previously created group.
Navigate to Permissions , click on Add permissions, then Attach policies.
Search for the policy, select the checkbox next to it, and click Attach policies to attach it to the group.
Confirm the policy is attached to the group.

Configuring AWS credentials

You can configure the Wazuh module for AWS on the Wazuh server (which also behaves as the Wazuh agent) or on a Wazuh agent installed on a Linux endpoint. Depending on the authentication option used, the Wazuh module for AWS will require access credentials of an AWS Identity and Access Management (IAM) identity to collect log data from the different AWS services. These credentials need to be stored in a file named .aws/credentials on the Wazuh server or agent.

You need to create the credentials file using the root user because the wazuh-modulesd daemon runs with root permission. Ensure the .aws/credentials file is saved in the home directory of the root user, therefore the absolute file path will be /root/.aws/credentials. This file is required for all authentication options except IAM roles for EC2 instances.

In the following sections, we describe how to configure the Wazuh module for AWS to pull AWS services logs using these credentials.

Authenticating options

Credentials can be loaded from different locations. You can specify the credentials in a file, assume an IAM role, or load them from other Boto3 supported locations.

In this section, we describe the several methods of adding the AWS credentials to Wazuh and how to configure the Wazuh module for AWS to use the credentials.

Profiles

Profiles are logical groups of configuration settings. You can set up multiple profiles in the following files.

/root/.aws/credentials: Each profile defines the access keys for a previously created IAM user.
/root/.aws/config: Each corresponding profile specifies an AWS region.

In the example below, the /root/.aws/credentials file defines the default, dev, and prod profiles.

[default]
aws_access_key_id=foo
aws_secret_access_key=bar

[dev]
aws_access_key_id=foo2
aws_secret_access_key=bar2

[prod]
aws_access_key_id=foo3
aws_secret_access_key=bar3

The /root/.aws/config file specifies the AWS region for each profile:

[default]
region = us-east-1

[profile dev]
region = us-east-1

[profile prod]
region = us-east-1

After setting up the profiles, define which one the Wazuh module for AWS will use to collect logs. Configure this in the /var/ossec/etc/ossec.conf file of the Wazuh server or agent. The example below configures the module to pull Amazon CloudTrail logs from the specified bucket using the prod profile.

<bucket type="cloudtrail">
  <name>wazuh-s3-bucket</name>
  <aws_profile>prod</aws_profile>
</bucket>

IAM Roles

An IAM role is an identity within your AWS account with specific permissions. It's similar to an IAM user but isn't associated with a specific person. Trusted entities can also use IAM roles to interact with different AWS services. An IAM role can be assumed by AWS services, applications running on Amazon EC2 instances, and AWS Identity and Access Management (IAM) users.

Note

This authentication method requires some credentials to be previously added to the configuration using any other authentication method.

This section shows how to create a sample IAM role with read-only permissions to pull data from a bucket:

Go to Services > Security, Identity, & Compliance > IAM.
Go to Roles on the left side of the AWS console and click Create role.
Choose AWS service as Trusted entity type, S3 as service and Use case then click Next.
Select a previously created policy and click Next.
Give the role a descriptive name and click Create role.
Access the role Summary and click on its Policy name.
Add permissions so the new role can do sts:AssumeRole action.
Go back to the role Summary, go to the Trust relationships tab, and click Edit trust policy.
Add the AWS IAM user to the Principal tag and click Update policy.
After updating the trust policy, copy the Amazon Resource Name (ARN) of the role as this will be used to configure the Wazuh module for AWS.

It is necessary to configure the Wazuh module for AWS using the /var/ossec/etc/ossec.conf file of the Wazuh server or agent. In the example below, we configure the Wazuh module for AWS to pull Amazon CloudTrail logs from the specified bucket using the default profile and the Wazuh-IAM-Role IAM role.

<bucket type="cloudtrail">
   <name><WAZUH_AWS_BUCKET></name>
   <aws_profile>default</aws_profile>
   <iam_role_arn>arn:aws:iam::xxxxxxxxxxx:role/Wazuh-IAM-Role</iam_role_arn>
</bucket>

IAM roles for EC2 instances

You can use IAM roles and assign them to EC2 instances so there's no need to insert authentication parameters in the /var/ossec/etc/ossec.conf file of the Wazuh server or agent. This is the recommended configuration if the Wazuh server or agent is running on an EC2 instance. Find more information about IAM roles on EC2 instances in the official Amazon AWS documentation.

In the example below, we configure the Wazuh module for AWS to pull Amazon CloudTrail logs from the specified bucket using the IAM roles for EC2 instances.

<bucket type="cloudtrail">
  <name><WAZUH_AWS_BUCKET></name>
</bucket>

Considerations for the Wazuh module for AWS configuration

First execution

The Wazuh module for AWS will only fetch the AWS services logs from the date the module is first executed. If there are older logs that need to be fetched during the first execution of the module, you need to use the only_logs_after option.

Note

If you need to fetch older logs after the first execution of the Wazuh module for AWS, see the Reparse section.

Filtering

If the S3 bucket contains a long history of logs and its directory structure is organized by dates, it's possible to filter which logs will be read by Wazuh. There are multiple configuration options to do so:

only_logs_after: Allows filtering logs produced after a given date. The date format must be YYYY-MMM-DD. For example, 2018-AUG-21 would filter logs generated on or after the 21st of August 2018.
aws_account_id: This option will only work on CloudTrail, VPC, and Config buckets. If you have logs from multiple accounts, you can filter which ones will be read by Wazuh. You can specify multiple IDs separating them by commas.
regions: Works only with CloudTrail, VPC, Config buckets, and Inspector service. Use it to filter which regions Wazuh reads when you have logs from multiple regions. Separate multiple regions with commas.
path: If your logs are stored in a given path in an S3 bucket, this option can be specified. For example, to read logs stored in the directory vpclogs/, it is necessary to specify the path vpclogs in the Wazuh module for AWS configuration. It can also be specified with / or \.
aws_organization_id: This option will only work on CloudTrail buckets. If you have configured an organization, you need to specify the name of the AWS organization by using this parameter.

In the /var/ossec/etc/ossec.conf file of the Wazuh server or agent, the configuration will be similar to this.

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <!-- CloudTrail, two regions, path, account_id, organization_id and logs after January 2018 -->
  <bucket type="cloudtrail">
    <name><WAZUH_AWS_BUCKET></name>
    <aws_profile>default</aws_profile>
    <aws_account_id>123456789012</aws_account_id>
    <regions>us-east-1,us-east-2</regions>
    <path>wazuh-logs</path>
    <only_logs_after>2018-JAN-01</only_logs_after>
    <aws_organization_id>AWS-ORG-1</aws_organization_id>
  </bucket>
</wodle>

Older logs

The Wazuh module for AWS only looks for new logs in buckets based on the key of the last processed log object, which includes the datetime stamp. After the integration has processed logs, it cannot retrieve logs that are older than the processed ones, even if you respecify the only_logs_after option. The logs older than the first one processed will be ignored and not ingested into Wazuh. This is true for all supported services except the CloudWatch Logs service.

On the other hand, when monitoring the CloudWatch Logs service, the Wazuh module for AWS can process logs older than the first one processed. To do so, specify an older only_logs_after value, and the Wazuh module for AWS will process all logs between the value set for only_logs_after and the first log executed without generating duplicate alerts.

In this Wazuh module for AWS configuration in /var/ossec/etc/ossec.conf, when executed for the first time, the Wazuh module for AWS will process CloudTrail logs from 1st of January 2018 till the present day. If the only_logs_after value is specified after the first execution, it will not process the older logs.

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <!-- CloudTrail, two regions, and logs after January 2018 -->
  <bucket type="cloudtrail">
    <name><WAZUH_AWS_BUCKET></name>
    <aws_profile>default</aws_profile>
    <regions>us-east-1,us-east-2</regions>
    <only_logs_after>2018-JAN-01</only_logs_after>
  </bucket>
</wodle>

Note

If you need to process older logs after the Wazuh module for AWS has been executed for the first time, see the Reparse section.

In this Wazuh module for AWS configuration in /var/ossec/etc/ossec.conf file, regardless of when the Wazuh module for AWS is executed, it will process CloudWatch logs from 1st of January 2018 till the present day.

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <!-- CloudWatch, two regions, and logs after January 2018 -->
    <service type="cloudwatchlogs">
        <aws_profile>default</aws_profile>
        <aws_log_groups>log_group1,log_group2</aws_log_groups>
        <only_logs_after>2018-JAN-01</only_logs_after>
        <regions>us-east-1,us-west-1,eu-central-1</regions>
    </service>
</wodle>

Reparse

Using the reparse option will fetch and process every log from the starting point until the present. The only_logs_after value sets the time for the starting point. If you don't provide an only_logs_after value, the Wazuh module for AWS uses the date of the first log processed as the starting point. This process may generate duplicate alerts.

To collect and process older logs loaded into the S3 bucket, you need to run the Wazuh module for AWS manually using the --reparse option. In the example below, we manually run the Wazuh module for AWS using the --reparse option on a Wazuh server.

# /var/ossec/wodles/aws/aws-s3 -b 'wazuh-example-bucket' --reparse --only_logs_after '2021-Jun-10' --debug 2

The --debug 2 parameter produces verbose output. This is useful to show the script is working, especially when handling a large amount of data.

Connection configuration for retries

Some calls to AWS services may fail when made in highly congested environments. The AWS pip dependencies client raises ClientError exceptions describing the errors. This kind of exception often needs repeating the call, without further handling. To help retry these calls, Boto3 provides retries. This feature allows retrying client calls to AWS services when you experience errors like ThrottlingException.

Users can customize two retry configurations.

retry_mode: legacy, standard, and adaptive.
- Legacy mode is the default retry mode. It sets the older version 1 for the retry handler. This includes:
  - Retry attempts for a limited number of errors/exceptions.
  - A default value of 5 for maximum call attempts.
- Standard mode sets the updated version 2 for the retry handler. It includes:
  - Extended functionality over that found in the legacy mode where retry attempts apply to an expanded list of errors/exceptions.
  - A default value of 3 for maximum call attempts.
- Adaptive mode is an experimental retry mode. It includes all the features of the standard mode. This mode offers flexibility in client-side retries. Retries adapt to the error/exception state response from an AWS service.
max_attempts: The maximum number of attempts including the initial call. This configuration can override the default value set by the retry mode.

You can specify the retry configuration in the /root/.aws/config configuration file. The profile section must include the max_attempts, retry_mode, and region settings.

It is important to use the same profile as the one you chose as your authentication method profile. If the authentication method lacks a profile, then the [Default] profile must include the configurations. If the configuration file is missing, the Wazuh module for AWS defines the following values by default:

retry_mode=standard
max_attempts=10

The following example of a /root/.aws/config file sets retry parameters for the dev profile:

[profile dev]
region=us-east-1
max_attempts=5
retry_mode=standard

Additional configuration

Wazuh supports additional configuration options found in the /root/.aws/config file. The supported keys are the primary keys stated in the Boto3 configuration. Supported keys are:

region_name
signature_version
s3
proxies
proxies_config
retries

The following example of a /root/.aws/config file sets the supported configuration for the dev profile:

[profile dev]
region = us-east-1
output = json
max_attempts = 5
retry_mode = standard

dev.s3.max_concurrent_requests = 10
dev.s3.max_queue_size = 1000
dev.s3.multipart_threshold = 64MB
dev.s3.multipart_chunksize = 16MB
dev.s3.max_bandwidth = 50MB/s
dev.s3.use_accelerate_endpoint = true
dev.s3.addressing_style = virtual

dev.proxy.host = proxy.example.com
dev.proxy.port = 8080
dev.proxy.username = your-proxy-username
dev.proxy.password = your-proxy-password

dev.proxy.ca_bundle = /path/to/ca_bundle.pem
dev.proxy.client_cert = /path/to/client_cert.pem
dev.proxy.use_forwarding_for_https = true

signature_version = s3v4

Note

All s3 and proxy configuration sections must start with [profile <PROFILE_NAME>].

To configure multiple profiles for the integration, declare each profile section in /root/.aws/config with [profile <PROFILE_NAME>]. If you don't declare a profile section in this configuration file, Wazuh uses the default profile.

Configuring multiple services

Below is an example of different AWS services configuration:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>

  <!-- Inspector, two regions, and logs after January 2018 -->
  <service type="inspector">
    <aws_profile>default</aws_profile>
    <regions>us-east-1,us-east-2</regions>
    <only_logs_after>2018-JAN-01</only_logs_after>
  </service>

  <!-- GuardDuty, 'production' profile -->
  <bucket type="guardduty">
    <name><WAZUH_AWS_BUCKET></name>
    <path>guardduty</path>
    <aws_profile>production</aws_profile>
  </bucket>

  <!-- Config, 'default' profile -->
  <bucket type="config">
    <name><WAZUH_AWS_BUCKET></name>
    <path>config</path>
    <aws_profile>default</aws_profile>
  </bucket>

  <!-- KMS, 'dev' profile -->
  <bucket type="custom">
    <name><WAZUH_AWS_BUCKET></name>
    <path>kms_compress_encrypted</path>
    <aws_profile>dev</aws_profile>
  </bucket>

  <!-- CloudTrail, 'default' profile, without 'path' tag -->
  <bucket type="cloudtrail">
    <name><WAZUH_CLOUDTRAIL></name>
    <aws_profile>default</aws_profile>
  </bucket>

  <!-- CloudTrail, 'dev' profile, and 'us-east-1' region -->
  <bucket type="cloudtrail">
    <name><WAZUH_AWS_BUCKET></name>
    <path>dev-cloudtrail</path>
    <regions>us-east-1</regions>
    <aws_profile>dev</aws_profile>
  </bucket>

</wodle>

Where:

<disabled> enables or disables the Wazuh module for AWS.
<interval> is the time interval between module execution.
<run_on_start> execute the Wazuh module for AWS immediately after the Wazuh service starts.
<skip_on_error> skip a log with an error and continue processing other logs.
<service type> indicates the service configured. The available types are cloudwatchlogs, and inspector.
<aws_profile> a valid profile name from the AWS credential file or config file with permission to access the service.
<regions> a comma-separated list of regions to limit parsing of logs.
<only_logs_after> parses only logs from that date onwards.
<bucket type> indicates the service configured.
<name> the name of the S3 bucket from where logs are read.
<path> the path or prefix for the bucket.
<regions> A comma-separated list of regions to limit parsing of logs. Only works with CloudTrail buckets.

Note

Check the Wazuh module for AWS reference manual to learn more about each setting.

Using VPC and FIPS endpoints

In AWS, a VPC (Virtual Private Cloud) is a virtual network dedicated to your AWS account. It provides an isolated environment where you can launch AWS resources such as EC2 instances, RDS databases, and more.

FIPS (Federal Information Processing Standards) endpoints in AWS refer to endpoints that enforce FIPS 140-2 compliance for cryptographic modules. When you enable a FIPS endpoint, AWS ensures that any cryptographic operations performed by the endpoint use FIPS 140-2 validated cryptographic libraries.

Learn how to integrate the Wazuh module for AWS with VPC and FIPS endpoints.

VPC endpoints

VPC endpoints reduce VPC traffic costs by enabling direct connections to supported AWS services, eliminating the need for public IPs.

The Wazuh module for AWS can pull logs from an AWS S3 bucket regardless of the service the logs originate from. Wazuh can utilize VPC endpoints for this purpose if it is running within a Virtual Private Cloud (VPC). The same applies to the other AWS services the Wazuh module for AWS supports, such as CloudWatchLogs, provided that they are compatible with VPC endpoints. The list of AWS services supporting VPC endpoints can be checked here.

Configure the service_endpoint and sts_endpoint tags in the /var/ossec/etc/ossec.conf file. This specifies the VPC endpoint URL for obtaining the data and for logging into STS when an IAM role was specified, respectively.

The following is an example of a valid configuration:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>

  <bucket type="cloudtrail">
    <name><WAZUH_CLOUDTRAIL></name>
    <aws_profile>default</aws_profile>
    <service_endpoint>https://bucket.xxxxxx.s3.us-east-2.vpce.amazonaws.com</service_endpoint>
  </bucket>

  <bucket type="cloudtrail">
    <name>wazuh-cloudtrail-2</name>
    <aws_profile>default</aws_profile>
    <iam_role_arn>arn:aws:iam::xxxxxxxxxxx:role/wazuh-role</iam_role_arn>
    <sts_endpoint>xxxxxx.sts.us-east-2.vpce.amazonaws.com</sts_endpoint>
    <service_endpoint>https://bucket.xxxxxx.s3.us-east-2.vpce.amazonaws.com</service_endpoint>
  </bucket>

  <service type="cloudwatchlogs">
    <aws_profile>default</aws_profile>
    <regions>us-east-2</regions>
    <aws_log_groups>log_group_name</aws_log_groups>
    <service_endpoint>https://xxxxxx.logs.us-east-2.vpce.amazonaws.com</service_endpoint>
  </service>

</wodle>

FIPS endpoints

Wazuh supports the use of AWS FIPS endpoints to comply with the Federal Information Processing Standard (FIPS) Publication 140-2. Depending on the service and region of choice, a different endpoint must be selected from the AWS FIPS endpoints list. Specify the selected endpoint in the /var/ossec/etc/ossec.conf file using the service_endpoint tag.

The following is an example of a valid configuration.

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>

  <service type="cloudwatchlogs">
    <aws_profile>default</aws_profile>
    <regions>us-east-2</regions>
    <aws_log_groups>log_group_name</aws_log_groups>
    <service_endpoint>logs-fips.us-east-2.amazonaws.com</service_endpoint>
  </service>

</wodle>

Supported services

All services, except Inspector, CloudWatch Logs, and Security Lake, get their data from log files stored in an S3 bucket. These services store their data into log files which are configured inside <bucket type='TYPE'> </bucket> tags. Inspector and CloudWatch Logs services are configured inside <service type='inspector'> </service> and <service type='cloudwatchlogs'> </service> tags, respectively. To collect logs from Amazon Security Lake buckets, use <subscriber type='TYPE'> </subscriber> tags.

The next table contains the most relevant information about configuring each service in the /var/ossec/etc/ossec.conf file, as well as the path where the logs will be stored in the bucket if the corresponding service uses them as its storage medium:

Provider	Service	Configuration tag	Type	Path to logs	Required permission
Amazon	CloudTrail	bucket	cloudtrail	<WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<suffix>/<organization_id>/<ACCOUNT_ID>/CloudTrail/<REGION>/<year>/<month>/<day>	Policy configuration
Amazon	VPC	bucket	vpcflow	<WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<suffix>/<ACCOUNT_ID>/vpcflowlogs/<REGION>/<year>/<month>/<day>	Policy configuration
Amazon	Config	bucket	config	<WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<suffix>/<ACCOUNT_ID>/Config/<REGION>/<year>/<month>/<day>	Policy configuration
Amazon	KMS	bucket	custom	<WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>	Policy configuration
Amazon	Macie	bucket	custom	<WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>	Policy configuration
Amazon	Trusted Advisor	bucket	custom	<WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>	Policy configuration
Amazon	GuardDuty	bucket	guardduty	<WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>/<hh>	Policy configuration
Amazon	WAF	bucket	waf	<WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>/<hh>	Policy configuration
Amazon	S3 Server Access logs	bucket	server_access	<WAZUH_AWS_BUCKET>/<prefix>	Policy configuration
Amazon	Inspector	service	inspector		Policy configuration
Amazon	CloudWatch Logs	service	cloudwatchlogs		Policy configuration
Amazon	Amazon ECR Image scanning	service	cloudwatchlogs		Policy configuration
Cisco	Umbrella	bucket	cisco_umbrella	<WAZUH_AWS_BUCKET>/<prefix>/<year>-<month>-<day>	Policy configuration
Amazon	ALB	bucket	alb	<WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<ACCOUNT_ID>/elasticloadbalancing/<REGION>/<year>/<month>/<day>	Policy configuration
Amazon	CLB	bucket	clb	<WAZUH_AWS_BUCKET>/<prefix>/AWSLogs/<ACCOUNT_ID>/elasticloadbalancing/<REGION>/<year>/<month>/<day>	Policy configuration
Amazon	NLB	bucket	custom	<WAZUH_AWS_BUCKET>/<prefix>/<year>/<month>/<day>	Policy configuration
Amazon	Amazon Security Lake	subscriber	security_lake		Policy configuration
Amazon	Custom Logs Buckets	subscriber	buckets		Amazon Simple Queue Service
Amazon	Security Hub	subscriber	security_hub

AWS CloudTrail

AWS CloudTrail is a service that enables auditing of your AWS account. With CloudTrail, you can log, monitor, and retain account activity related to actions across your AWS infrastructure. This service provides the event history of your AWS account activity, such as actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

AWS configuration

The following sections cover how to configure the Amazon CloudTrail service to integrate with Wazuh.

Amazon CloudTrail configuration

Create a new S3 bucket. If you want to use an already existing one, skip this step.
On your AWS console, search for “cloudtrail” in the search bar at the top of the page or go to Management & Governance > CloudTrail.
Click Create trail to create a new trail.
Assign a Trail Name and choose the S3 bucket that will store the CloudTrail logs (remember the name you provide here, you’ll need to reference it the Wazuh module for AWS configuration). If Log file SSE-KMS encryption is enabled, assign a name for a new AWS KMS alias or choose an existing one:
Note

The standard file system AWS CloudTrail will create has this structure:
```
<WAZUH_AWS_BUCKET>/<PREFIX>/AWSLogs/<ACCOUNT_ID>/CloudTrail/<REGION>/<YEAR>/<MONTH>/<DAY>
```
The structure may change depending on the different configurations of the services, or changing of the <WAZUH_AWS_BUCKET> and <PREFIX> values by the user.
Choose log events to be recorded and click Next.
Review the configuration and click Create trail.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

After creating a policy, you can attach it directly to a user or to a group to which the user belongs. In attaching a policy to an IAM user group, you see how to attach a policy to a group. More information on how to use other methods is available in the AWS documentation.

Configure Wazuh to process AWS CloudTrail logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name><WAZUH_AWS_BUCKET></name>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Note

In this example, the aws_profile authentication parameter was used. Check the credentials section to learn more about the different authentication options and how to use them.

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

CloudTrail use cases

Below you find examples of some of how Wazuh integrates with CloudTrail to monitor EC2 and IAM events. This enhances the security monitoring capabilities of AWS environments by providing near real-time detection of security incidents and compliance violations.

EC2

Amazon EC2 (Elastic Compute Cloud) provides scalable computing capacity in the cloud. When using this service, it is highly recommended to monitor it for intrusion attempts or other unauthorized actions performed against your cloud infrastructure.

Below are some use cases for EC2 monitoring.

Run a new instance in EC2

When a user creates a new instance in EC2, a CloudTrail event is generated. As previously mentioned, the log message is collected by the Wazuh agent, and forwarded to the Wazuh manager for analysis. The following alerts with rule ID 80202 will be shown on the Wazuh dashboard, it shows data such as instance type, the user who created it, or the creation date.

When a user tries to run an instance without relevant permissions, then the following alert with rule ID 80203 will be shown on the Wazuh dashboard.

Start instances in EC2

When an EC2 instance is started, the following alerts with rule ID 80202 will be shown on the Wazuh dashboard. It shows information such as the instance ID and the user who started it.

If a user tries to start instances without relevant permissions the following alert will be shown on the Wazuh dashboard.

Stop instances in EC2

When an EC2 instance is stopped, the following alerts with rule ID 80202 will be shown on the Wazuh dashboard.

If a user tries to stop instances without relevant permissions, the following alert with rule ID 80203 will be shown on the Wazuh dashboard.

Create security groups in EC2

When a new EC2 security group is created, the following alerts with rule ID 80202 is shown on the Wazuh dashboard. It shows information such as the user who created it and information about the security group.

Allocate a new Elastic IP address

If a new Elastic IP address is allocated, the following with rule ID 80202 alerts will be shown on the Wazuh dashboard.

Associate a new Elastic IP address

If an Elastic IP address is associated, the following alert with rule ID 80202 will be shown on the Wazuh dashboard.

IAM

Identity and Access Management (IAM) allows you to create and manage AWS users and groups, and manage permissions to allow and deny their access to AWS resources. You can use the AWS IAM log data to monitor user access to AWS services and resources.

Below are some use cases for IAM events.

Create a user account

When we create a new user account in IAM, a CloudTrail event is generated. As previously mentioned, the log message is collected by the Wazuh agent, and forwarded to the Wazuh server for analysis. When a user account is created, the following alerts with rule ID 80202 will appear on the Wazuh dashboard. You can see the username of the created user, the time it was created, and who created it.

Create a user account without permissions

If an unauthorized user attempts to create new users, the following alert with rule ID 80250 will be shown on the Wazuh dashboard. It will show you which user has tried to create a user account and the username it tried to create.

Possible break-in attempt

When more than four consecutive unsuccessful login attempts to the AWS console occur in a 360-second time window, the following alert with rule ID 80255 will be shown on the Wazuh dashboard.

Login success

After a successful login, the following alerts with rule ID 80253 will be shown on the Wazuh dashboard. It shows the user who logged in, the browser it used, and other useful information.

You can create visualizations like this on the Wazuh dashboard for IAM events by following the custom dashboard guide:

Pie Chart	Stacked Groups

Amazon Virtual Private Cloud (VPC)

Amazon Virtual Private Cloud (Amazon VPC) lets users provision a logically isolated section of the AWS Cloud where they can launch AWS resources in a virtual network that they define. Users have complete control over their virtual networking environment, including the selection of their IP address range, creation of subnets, and configuration of route tables and network gateways. Users can use both IPv4 and IPv6 in their VPC for secure and easy access to resources and applications.

Amazon configuration

The following sections cover how to configure the Amazon VPC service to integrate with Wazuh.

Go to S3 buckets, select an existing S3 bucket or create a new one, then copy the Amazon Resource Name (ARN) of the S3 bucket.
On your AWS console, go to Services > Compute > EC2.
Go to Network & Security > Network Interfaces on the left menu. Select a network interface and select Create flow log on the Actions menu.
Change all fields to look like the following screenshot and paste the Amazon Resource Name (ARN) of the previously created bucket.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

To allow an AWS user to execute the VPC integration, it must also have a policy like the following attached:

{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": "ec2:DescribeFlowLogs",
  "Resource": "*"
}

Configure Wazuh to process Amazon VPC logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="vpcflow">
    <name><WAZUH_AWS_BUCKET></name>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Note

In this example, the aws_profile authentication parameter was used. Check the credentials section to learn more about the different authentication options and how to use them.

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

Use cases

Using an Amazon VPC (Virtual Private Cloud), users can logically isolate some of their AWS assets from the rest of their cloud infrastructure. Users can set up their networks in the cloud. This is why it is usually important to monitor changes to their VPCs.

Create a VPC

If a VPC is created, the following alerts with rule ID 80202 will be shown on the Wazuh dashboard.

If a user without proper permissions attempts to create a VPC, the following alerts with rule ID 80203 will be shown on the Wazuh dashboard.

Working with VPC Data

A VPC alert contains data such as destination and source IP address, destination and source port, and how many bytes were sent.

These alerts can be easily analyzed by creating visualizations like the following one following the custom dashboard guide.

You can monitor your network with this visualization to identify peaks. Once a peak is identified, apply filters to view the alerts generated during that time and examine the communication between IP addresses. Since the IP address is a field in numerous AWS alerts, you may discover additional alerts and gain insights into the events that occurred.

AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With AWS Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

Amazon configuration

The following sections cover how to configure different services required to integrate AWS config service with Wazuh.

Amazon Data Firehose configuration

Create an Amazon Data Firehose delivery stream to store the AWS Config events into the desired S3 bucket so Wazuh can process them.

Create a new S3 bucket. If you want to use an already existing one, skip this step.
On your AWS console, search for "amazon data firehose" in the search bar at the top of the page or go to Services > Analytics > Amazon Data Firehose.
Click Create Firehose stream.
Select Direct PUT and Amazon S3 as the desired Source and Destination, respectively.
Choose an appropriate Firehose stream name.
Select the desired S3 bucket as the destination. It is possible to specify a custom prefix to alter the path where AWS stores the logs. AWS Firehose creates a file structure YYYY/MM/DD/HH, if a prefix is used the created file structure would be prefix-name/YYYY/MM/DD/HH. If a prefix is used it must be specified under the Wazuh bucket configuration. Select your preferred compression, Wazuh supports any kind of compression but Snappy.
Create or choose an existing IAM role to be used by Amazon Data Firehose in the Advanced settings section.
Click Create Firehose stream at the end of the page. The new delivery stream will be created and its details will be shown as follows.

AWS Config configuration

On the AWS Config page, go to Set up AWS Config.
Under Recording strategy, specify the AWS resource types you want AWS Config to record:
- All resource types with customizable overrides
- Specific resource types
Note

For more information about these options, see selecting which resources AWS Config records.
Create or select an existing IAM role for AWS Config.
Select an existing S3 bucket and prefix or create a new one then save your configuration.

After these steps, it is necessary to configure an Amazon EventBridge rule to send AWS config events to the Amazon Data Firehose delivery stream created in the previous step.

Amazon EventBridge configuration

Configure an Amazon EventBridge rule to send Config events to the Amazon Data Firehose delivery stream created in the previous step.

On your AWS console, search for "eventbridge" in the search bar at the top of the page or go to Services > Application Integration > EventBridge.
Select EventBridge Rule and click Create rule.
Assign a name to the EventBridge rule and select the Rule with an event pattern option.
In the Build event pattern section, choose AWS events or EventBridge partner events as Event source.
In the Event pattern section choose AWS services as Event source, Config as AWS service, and All Events as Event type. Click Next to apply the configuration.
Under Select a target, choose Firehose delivery stream and select the stream created previously. Also, create a new role to access the delivery stream. Click Next to apply the configuration.
Review the configuration and click Create rule.

Once the rule is created, every time an AWS Config event is sent, it will be stored in the specified S3 bucket. Remember to first enable the AWS Config service, otherwise, you won't get any data.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Configure Wazuh to process Amazon Config logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="config">
    <name><WAZUH_AWS_BUCKET></name>
    <path>config</path>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Note

In this example, the aws_profile authentication parameter was used. Check the credentials section to learn more about the different authentication options and how to use them.

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

Use cases

AWS Config allows you to review changes in configuration and relationships between AWS resources. Below is an example of a use case for AWS Config.

Monitoring configuration changes

Multiple alerts with rule ID 80454 will be seen on the Wazuh dashboard when there are changes in the configuration of the resources monitored by AWS config. Some examples are shown in the image below.

You can expand an alert to see more information such as the resource name, resource type, and configuration state.

AWS Key Management Service (KMS)

AWS Key Management Service (KMS) makes it easy for users to create and manage keys and control the use of encryption across a wide range of AWS services and in their applications. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect their keys. AWS KMS is integrated with AWS CloudTrail to provide users with logs of all key usage to help meet their regulatory and compliance needs.

AWS configuration

The following sections cover how to configure different services required to integrate AWS KMS service with Wazuh.

Amazon Data Firehose configuration

Create an Amazon Data Firehose delivery stream to store the AWS KMS events into the desired S3 bucket so Wazuh can process them.

Create a new S3 bucket. (If you want to use an already created one, skip this step).
On your AWS console, Search for "amazon data firehose" in the search bar at the top of the page or go to Services > Analytics > Amazon Data Firehose.
Click Create Firehose stream.
Select Direct PUT and Amazon S3 as the desired Source and Destination, respectively.
Choose an appropriate Firehose stream name.
Select the desired S3 bucket as the destination. It is possible to specify a custom prefix to alter the path where AWS stores the logs. AWS Firehose creates a file structure YYYY/MM/DD/HH, if a prefix is used the created file structure would be prefix-name/YYYY/MM/DD/HH. If a prefix is used it must be specified under the Wazuh bucket configuration. In our case, the prefix is kms_compress_encrypted/. Select your preferred compression, Wazuh supports any kind of compression but Snappy.
Create or choose an existing IAM role to be used by Amazon Data Firehose in the Advanced settings section.
Click Create Firehose stream at the end of the page. The new delivery stream will be created and its details will be shown as follows.

Amazon EventBridge configuration

Configure an Amazon EventBridge rule to send KMS events to the Amazon Data Firehose delivery stream created in the previous step.

On your AWS console, search for "eventbridge" in the search bar at the top of the page or go to Services > Application Integration > EventBridge.
Click Create rule.
Assign a name to the EventBridge rule and select the Rule with an event pattern option.
In the Build event pattern section, choose AWS events or EventBridge partner events as Event source.
In the Event pattern section, choose AWS services as Event source, Key Management Service (KMS) as AWS service, and All Events as Event type. Click Next to apply the configuration.
Under Select a target, choose Firehose delivery stream and select the stream created previously. Also, create a new role to access the delivery stream. Click Next to apply the configuration.
Review the configuration and click Create rule.

Once the rule is created, data will start to be sent to the previously created S3 bucket. Remember to first enable the service you want to monitor, otherwise, you won't get any data.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Configure Wazuh to process Amazon KMS logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="custom">
    <name><WAZUH_AWS_BUCKET></name>
    <path>kms_compress_encrypted</path>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Note

In this example, the aws_profile authentication parameter was used. Check the credentials section to learn more about the different authentication options and how to use them.

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

Use case

AWS Key Management Service allows you to create and control cryptographic keys for securing your data. Monitoring this service with Wazuh allows you to understand the availability, state, and usage of your AWS KMS keys in AWS KMS.

Below is a use case for Wazuh alerts built for AWS KMS.

Monitoring KMS key usage

When KMS key usage events such as CreateKey, ScheduleKeyDeletion, DisableKeyDeletion and CreateAlias occurs, the following alerts with rule ID 80491 will be displayed on the Wazuh dashboard.

You can expand the alert to see more information such as the key policy, encryption type, and other details about the affected key.

Amazon Macie

Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved. The fully managed service continuously monitors data access activity for anomalies and generates detailed alerts when it detects the risk of unauthorized access or inadvertent data leaks.

AWS configuration

The following sections cover how to configure different services required to integrate AWS Macie service with Wazuh.

Amazon Data Firehose configuration

Create an Amazon Data Firehose delivery stream to store the Amazon Macie events into the desired S3 bucket so Wazuh can process them.

Create a new S3 bucket. (If you want to use an already created one, skip this step).
On your AWS console, Search for "amazon data firehose" in the search bar at the top of the page or go to Services > Analytics > Amazon Data Firehose.
Click Create Firehose stream.
Select Direct PUT and Amazon S3 as the desired Source and Destination, respectively.
Choose an appropriate Firehose stream name.
Select the desired S3 bucket as the destination. It is possible to specify a custom prefix to alter the path where AWS stores the logs. AWS Firehose creates a file structure YYYY/MM/DD/HH, if a prefix is used the created file structure would be prefix-name/YYYY/MM/DD/HH. If a prefix is used it must be specified under the Wazuh bucket configuration. In our case, the prefix is macie/.
Create or choose an existing IAM role to be used by Amazon Data Firehose in the Advanced settings section.
Click Create Firehose stream at the end of the page. The new delivery stream will be created and its details will be shown as follows.

Amazon EventBridge configuration

Configure an Amazon EventBridge rule to send Macie events to the Amazon Data Firehose delivery stream created in the previous step.

On your AWS console, search for "eventbridge" in the search bar at the top of the page or navigate to Services > Application Integration > EventBridge.
Click Create rule.
Assign a name to the rule and select the Rule with an event pattern option.
In the Build event pattern section, choose AWS events or EventBridge partner events as Event source.
In the Event pattern section, choose AWS services as Event source, Macie as AWS service, and All Events as Event type. Click Next to apply the configuration.
Under Select a target, choose Firehose delivery stream and select the stream created previously. Also, create a new role to access the delivery stream. Click Next to apply the configuration.
Review the configuration and click Create rule.

Once the rule is created, every time a Macie event is sent, it will be stored in the specified S3 bucket. Remember to first enable the Macie service, otherwise, you won't get any data.

Amazon Macie configuration

On your AWS console, search for "Amazon Macie" in the search bar and click Amazon Macie from the results.
You'll have this interface if this is the first time of setting up the service, click Get started to proceed.
Click Enable Macie to enable the service.

Once enabled, Macie provides visibility into data security risks and enables automated protection against those risks. Check the official AWS documentation to learn more about the service.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Configure Wazuh to process Amazon Macie logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="custom">
    <name><WAZUH_AWS_BUCKET></name>
    <path>macie</path>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Note

Check the Wazuh module for AWS reference manual to learn more about each setting.

Restart Wazuh in order to apply the changes:

Wazuh manager:
```
# systemctl restart wazuh-manager
```
Wazuh agent:
```
# systemctl restart wazuh-agent
```

Use case

Amazon S3 (Simple Storage Service) provides secure and reliable storage capacity in the cloud. When using this service, it is highly recommended to monitor it to detect misconfigurations and sensitive data leakage.

Below is a use case for Wazuh alerts built for S3.

Sensitive data disclosure in S3 bucket

When sensitive data such as financial information, credentials, and personal information are found in an S3 bucket, the following alerts with rule ID 80352 and 80354 will be displayed on the Wazuh dashboard.

You can expand the alert to see more information such as the description of the alert, and details about the affected S3 bucket.

AWS Trusted Advisor

AWS Trusted Advisor helps users optimize their AWS environment by following AWS best practices to provide real-time guidance that aims to reduce cost, increase performance, and improve security. Trusted Advisor logs can be stored in an S3 bucket thanks to Amazon EventBridge and Amazon Data Firehose, allowing Wazuh to process them and generate alerts using the built-in rules Wazuh provides, as well as any custom rules available.

Note

You must have a Business, Enterprise On-Ramp, or Enterprise AWS Support plan to create an EventBridge rule for Trusted Advisor checks. For more information, see changing AWS support plans.

AWS configuration

The following sections cover how to configure the different services required to integrate Trusted Advisor into Wazuh.

Amazon Data Firehose configuration

Create an Amazon Data Firehose delivery stream to store the Trusted Advisor logs into the desired S3 bucket so Wazuh can process them.

Create a new S3 bucket. If you want to use an already existing one, skip this step.
On your AWS console, Search for "amazon data firehose" in the search bar at the top of the page or go to Services > Analytics > Amazon Data Firehose.
Click Create Firehose stream.
Select Direct PUT and Amazon S3 as the desired Source and Destination, respectively.
Choose an appropriate Firehose stream name.
Select the desired S3 bucket as the destination. It is possible to specify a custom prefix to alter the path where AWS stores the logs. AWS Firehose creates a file structure YYYY/MM/DD/HH, if a prefix is used the created file structure would be prefix-name/YYYY/MM/DD/HH. If a prefix is used it must be specified under the Wazuh bucket configuration. In our case, the prefix is trusted-advisor/. Select your preferred compression, Wazuh supports any kind of compression but Snappy.
Create or choose an existing IAM role to be used by Amazon Data Firehose in the Advanced settings section.
Click Create Firehose stream at the end of the page. The new firehose stream will be created and its details will be shown as follows.

Amazon EventBridge configuration

Configure an Amazon EventBridge rule to send Trusted Advisor events to the Amazon Data Firehose delivery stream created in the previous step.

On your AWS console, search for "eventbridge" in the search bar at the top of the page or navigate to Services > Application Integration > EventBridge.
Click Create rule.
Give a name to the EventBridge rule and select the Rule with an event pattern option.
In the Build event pattern section, choose AWS events or EventBridge partner events as Event source.
In the Event pattern section, choose AWS services as Event source, Trusted Advisor as AWS service, and All Events as Event type. Click Next to apply the configuration.
Under Select a target, choose Firehose stream and select the stream created previously. Also, create a new role to access the delivery stream. Click Next to apply the configuration.
Review the configuration and click Create rule.

Once the rule is created, every time a Trusted Advisor event is sent, it will be stored in the specified S3 bucket. Remember to first enable the Trusted Advisor service, otherwise, you won't get any data.

AWS Trusted Advisor configuration

On your AWS console, search for "Trusted Advisor" in the search bar at the top of the page or navigate to Services > Management & Governance > Trusted Advisor.
Go to Manage Trusted Advisor in the left menu and click on the Enabled button.

Once enabled, Trusted Advisor reviews the different checks for the AWS account. Check the official AWS documentation to learn more about the different Trusted Advisor checks available.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Configure Wazuh to process Amazon Trusted Advisor logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="custom">
    <name><WAZUH_AWS_BUCKET></name>
    <path>trusted-advisor</path>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Note

In this example, the aws_profile authentication parameter was used. Check the credentials section to learn more about the different authentication options and how to use them.

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
systemctl restart wazuh-manager
```
- Wazuh agent:
```
systemctl restart wazuh-agent
```

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.

AWS configuration

The following sections cover how to configure the different services required to integrate Guard Duty into Wazuh.

Amazon GuardDuty configuration

Create a new S3 bucket. If you want to use an existing bucket, skip this step.
On your AWS console, search for "guardduty" in the search bar at the top of the page or navigate to Services > Security, Identity, & Compliance > GuardDuty.
S3 Protection enables Amazon GuardDuty to monitor object-level API operations to identify potential security risks for data within your S3 buckets. In the navigation pane, under Protection plans, click S3 Protection and enable S3 protection.
Confirm your selection.
In the navigation pane, go to Settings, scroll to Findings export options, and click Configure now to configure GuardDuty to export findings to an S3 bucket.
See the configuring an S3 bucket and creating symmetric encryption KMS keys guides on how to create an S3 bucket and KMS key. Copy and paste the appropriate values into the S3 bucket ARN and KMS key ARN fields.
In the Attach policy section, click on View Policy for S3 bucket and View Policy for KMS key. Copy and attach the corresponding policy to the selected S3 bucket and the KMS key. Click Save to apply the configuration.

Note

For more information on how to change the S3 and KMS policies, see the adding a bucket policy by using the Amazon S3 console and changing a key policy guides.
You'll have an interface similar to this, you can also set the frequency for updating the S3 bucket with the GuardDuty findings. In our case, the frequency is set to 15 minutes.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Configure Wazuh to process Amazon GuardDuty logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="guardduty">
    <name><WAZUH_AWS_BUCKET></name>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

GuardDuty use cases

Below are some use cases for Wazuh rules built for EC2.

Brute force attacks

If an instance has an open port that is receiving a brute force attack, the following alerts with rule ID 80301 will be shown on the Wazuh dashboard.

It shows information about the attacked host, the attacker, and which port is being attacked.

EC2 API Calls made from unusual network

If an API call is made from an unusual network, the following alerts with rule ID 80301, 80302, and 80303 will be shown on the Wazuh dashboard.

It shows the location of the unusual network, the user who made the API calls, and which API calls it made.

Compromised EC2 instance

If there is any indicator of a compromised EC2 instance, an alert with rule ID 80303 will be shown on the Wazuh dashboard explaining what's happening. Some examples of alerts are shown below.

To sum up, the following screenshot shows some alerts generated for a compromised EC2 instance.

Amazon Web Application Firewall (WAF)

Amazon WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules.

AWS configuration

The following sections cover how to configure different services required to integrate AWS WAF with Wazuh.

Amazon Data Firehose configuration

Create an Amazon Data Firehose delivery stream to store the Amazon WAF logs into the desired S3 bucket so Wazuh can process them.

Create a new S3 bucket. If you want to use an already existing one, skip this step.
On your AWS console, Search for "amazon data firehose" in the search bar at the top of the page or go to Services > Analytics > Amazon Data Firehose.
Click Create Firehose stream.
Select Direct PUT and Amazon S3 as the desired Source and Destination, respectively.
Under Firehose stream name, give the data firehose a name that starts with the prefix aws-waf-logs-.
Select the desired S3 bucket as the destination. It is possible to specify a custom prefix to alter the path where AWS stores the logs. AWS Firehose creates a file structure YYYY/MM/DD/HH, if a prefix is used the created file structure would be prefix-name/YYYY/MM/DD/HH. If a prefix is used it must be specified under the Wazuh bucket configuration. In our case, the prefix is waf/.
Create or choose an existing IAM role to be used by Amazon Data Firehose in the Advanced settings section.
Click Create Firehose stream at the end of the page. The new delivery stream will be created and its details will be shown as follows.

AWS WAF configuration

Send logs from your Web Access Control Lists (web ACLs) to the previously created Amazon Data Firehose with a configured S3 storage destination. After you enable logging, AWS WAF delivers logs to your S3 bucket through the HTTPS endpoint of Firehose.

On the AWS console, search for "waf" or go to Services > Security, Identity, & Compliance > WAF & Shield.
Click Go to AWS WAF.
Go to Web ACLs and click the name of the Web ACL attached to your web application. If you have not configured the Web ACL, follow the set up AWS WAF guide.
Go to Logging and metrics, under Logging, click Enable.
Select Amazon Data Firehose stream as Logging destination, and select the previously created firehose stream under Amazon Data Firehose stream.
Under Filter logs, apply your preferred filtering requirements and click Save. In our case, we set up the filter to log blocked web requests only.
Confirm that logging is enabled.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Configure Wazuh to process Amazon WAF logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="waf">
    <name><WAZUH_AWS_BUCKET></name>
    <path>waf</path>                   <!-- PUT THE S3 BUCKET PREFIX IF THE LOGS ARE NOT STORED IN THE BUCKET'S ROOT PATH -->
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

HTTP Request headers

The Wazuh AWS WAF implementation parses the header information present in the httpRequest field, allowing filtering by these headers and their values on the Wazuh dashboard. During this parsing, any non-standard header will be extracted and removed from the event before sending it to analysisd. Here is the complete list of the allowed standard header fields:

a-im
accept
accept-charset
accept-encoding
accept-language
access-control-request-method
access-control-request-headers
authorization
cache-control
connection
content-encoding
content-length
content-type
cookie
date
expect
forwarded
from
host
http2-settings
if-match
if-modified-since
if-none-match
if-range
if-unmodified-since
max-forwards
origin
pragma
prefer
proxy-authorization
range
referer
te
trailer
transfer-encoding
user-agent
upgrade
via
warning
x-requested-with
x-forwarded-for
x-forwarded-host
x-forwarded-proto

Use case

AWS WAF is a security service that helps protect your web applications or APIs from threats. By monitoring blocked requests, you can identify the types of threats your application is facing. This can help you understand the security landscape and adjust your defenses accordingly.

Monitoring blocked web application requests

If web requests are blocked by the rules of the Amazon Web ACL, the following alerts with rule ID 80442 and 80443 will be shown on the Wazuh dashboard.

Expand an alert to find more information such as the Request-URI, the method, and the Web ACL rule label that blocked the request.

Amazon S3 Server Access

Amazon S3 server access logging provides detailed records for the requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill.

AWS configuration

The following sections cover how to configure the Amazon S3 Server Access service to integrate with Wazuh.

Amazon S3 server access configuration

Create a new S3 bucket to store the access logs in it. If you want to use an existing one, skip this step.
On your AWS console search for "S3" or go to Services > Storage > S3.
Look for the S3 bucket you want to monitor and click on its name.
Go to the Properties tab, scroll down until you find the Server access logging, and click Edit.
Check the Enable option, and click Browse S3 to look for the bucket in which you want S3 Server Access logs to be stored. In our case, the logs are stored in the s3-server-logs/ path of the monitored S3 bucket.

Note

It is possible to store the S3 Server Access logs in the same bucket to be monitored. It is also possible to specify a custom path inside the bucket to store the logs in it.
Finally, click on the Save changes. S3 Server Access logs will start to be stored in the specified path.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Configure Wazuh to process Amazon S3 Server Access logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="server_access">
    <name><WAZUH_AWS_BUCKET></name>       <!-- PUT THE S3 BUCKET CHOSEN IN STEP 5 HERE -->
    <path>s3-server-logs</path>                   <!-- IF THE LOGS ARE NOT STORED IN THE BUCKET'S ROOT PATH, PUT  THE PATH TO THE LOGS CHOSEN IN STEP 5 HERE -->
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

Use case

Amazon S3 Server Access logs provide detailed records for the requests that were made to a bucket.

Below is a use case for Wazuh alerts built for Amazon S3 Server Access logs.

Monitoring server access logs

The following screenshots shows some alerts with rule ID 80364 and 80367 generated for requests made to a monitored S3 bucket.

Expand an alert to find more information about the monitored S3 bucket, the operation being performed, and the request URI.

Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Two versions are available:

Amazon Inspector Classic: The original service, which assesses applications for exposure, vulnerabilities, and deviations from best practices.
Amazon Inspector (v2): The new version, offering consolidated scanning for EC2 instances, container images in Amazon ECR, and AWS Lambda functions.

Both versions produce detailed security findings prioritized by severity. Findings can be reviewed directly or included in assessment reports accessible via the Amazon Inspector console or API.

AWS configuration

Learn how to configure Amazon Inspector (Classic and v2) integration in Wazuh.

Amazon Inspector Classic configuration

Amazon Inspector (v2) is available in your AWS account. To start using it:

Open the Amazon Inspector page in the AWS Management Console.
Click Get Started to access the dashboard.
Configure your scanning preferences under General settings:
- Enable EC2 scanning
- Enable ECR scanning
- Enable Lambda function scanning

Note

For detailed instructions on configuring scanning preferences, see the Amazon Inspector documentation.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "inspector:ListFindings",
                "inspector:DescribeFindings",
                "inspector2:ListFindings"
            ],
            "Resource": "*"
        }
    ]
}

Configure Wazuh to process Amazon Inspector logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.
Add the following Wazuh module for AWS configuration block to enable the integration with both Inspector versions:
```
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>no</run_on_start>
  <skip_on_error>no</skip_on_error>
  <service type="inspector">
    <aws_profile>default</aws_profile>
    <regions>us-east-1,us-east-2</regions>
  </service>
</wodle>
```
You must specify at least a region. You can add multiple comma-separated regions.

Note

The same configuration block processes findings from both Inspector Classic and Inspector (v2). Findings from v2 will have aws.source set to inspector2.
Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

Amazon CloudWatch Logs

AWS CloudWatch Logs is a service that allows the users to centralize the logs from all their systems, applications, and AWS services in a single place. To understand how Cloudwatch Logs works it is important to learn about the following concepts:

Log events: CloudWatch saves the logs generated by the application or resource being monitored as log events. A log event is a record with two properties: the timestamp when the event occurred and the raw log message.
Log streams: Log events are stored in log streams. A log stream represents a sequence of events coming from the application instance or resource being monitored. All log events in a log stream share the same source.
Log groups: Log streams are grouped using log groups. A log group defines a group of log streams that share retention, monitoring, and access control settings.

AWS configuration

Learn how to configure the Amazon CloudWatch service to integrate with Wazuh.

Amazon CloudWatch configuration

AWS CloudWatch logs can be accessed by using the Wazuh CloudWatch Logs integration. The AWS API allows Wazuh to retrieve those logs, analyze them, and raise alerts if applicable.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "logs:DescribeLogStreams",
            "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "logs:GetLogEvents",
            "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:log-stream:<LOG_STREAM_NAME>"
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "logs:DescribeLogStreams",
            "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DeleteLogStream"
            ],
            "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:log-stream:<LOG_STREAM_NAME>"
        }
    ]
}

Note

<REGION>, <ACCOUNT_ID>, <LOG_GROUP_NAME>, <LOG_GROUP_NAME> and <LOG_STREAM_NAME> are placeholders. Replace them with the appropriate values.

Configure Wazuh to process Amazon CloudWatch logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.
Add the following Wazuh module for AWS configuration block to enable the integration with CloudWatch Logs:
```
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <service type="cloudwatchlogs">
    <aws_profile>default</aws_profile>
    <aws_log_groups>example_log_group</aws_log_groups>
    <regions>us-east-1</regions>
  </service>
</wodle>
```
You must specify at least one AWS log group from where the logs will be extracted. You can add multiple regions by separating them with commas. If no region is specified the Wazuh module for AWS will look for the log group in every available region.
Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

CloudWatch Logs use cases

Check the Amazon ECR Image scanning section to learn how to use the CloudWatch Logs integration to pull logs from Amazon ECR Image scans.

Amazon ECR Image scanning

Amazon ECR image scanning uses the Common Vulnerabilities and Exposures (CVEs) database from the open source Clair project to detect software vulnerabilities in container images and provide a list of scan findings, which can be easily integrated into Wazuh thanks to the Amazon CloudWatch Logs integration.

Amazon ECR sends an event to Amazon EventBridge when an image scan is completed. The event itself is only a summary and does not contain the details of the scan findings. However, it is possible to configure a Lambda function to request the scan findings details and store them in CloudWatch Logs. Here is a quick summary of what the workflow looks like:

An image scan is triggered.
Once the scan is completed Amazon ECR sends an event to EventBridge.
The "Scan completed" event triggers a Lambda function.
The lambda function takes the data from the "Scan completed" event and requests the scan details.
The Lambda function creates a log group and a log stream in CloudWatch Logs to store the response received.
Wazuh pulls the logs from the CloudWatch log groups using the CloudWatch Logs integration.

AWS configuration

The following sections cover how to configure AWS to store the scan findings in CloudWatch Logs and how to ingest them into Wazuh.

Amazon ECR Image scan configuration

AWS provides a template that logs to CloudWatch the findings of Amazon ECR scans of images. The template uses an AWS Lambda function to accomplish this.

Uploading the template and creating a stack, uploading the images to Amazon ECR, scanning the images, and using the logger all require specific permissions. Because of this, you need to create a custom policy granting these permissions.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

You need the permissions listed below inside the sections for RoleCreator and PassRole to create and delete the stack based on the template.

Warning

These permissions must be bound to the specific resources due to overly permissive actions.

{
   "Sid": "RoleCreator",
   "Effect": "Allow",
   "Action": [
      "iam:CreateRole",
      "iam:PutRolePolicy",
      "iam:AttachRolePolicy",
      "iam:DeleteRolePolicy",
      "iam:DeleteRole",
      "iam:GetRole",
      "iam:GetRolePolicy",
      "iam:PassRole"
   ],
   "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/*"
},
{
   "Sid": "PassRole",
   "Effect": "Allow",
   "Action": "iam:PassRole",
   "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/*-LambdaExecutionRole*"
}

CloudFormation stack permissions

A CloudFormation stack is a collection of AWS resources that can be managed as a single unit, including creation, update, or deletion. You need the following permissions to create and delete any template-based CloudFormation stack.

{
   "Sid": "CloudFormationStackCreation",
   "Effect": "Allow",
   "Action": [
      "cloudformation:CreateStack",
      "cloudformation:ValidateTemplate",
      "cloudformation:CreateUploadBucket",
      "cloudformation:GetTemplateSummary",
      "cloudformation:DescribeStackEvents",
      "cloudformation:DescribeStackResources",
      "cloudformation:ListStacks",
      "cloudformation:DeleteStack",
      "s3:PutObject",
      "s3:ListBucket",
      "s3:GetObject",
      "s3:CreateBucket"
   ],
   "Resource": "*"
}

ECR registry and repository permissions

This Amazon ECR permission allows calls to the API through an IAM policy.

Note

Before authenticating to a registry and pushing or pulling any images from any Amazon ECR repository, you need ecr:GetAuthorizationToken.

{
   "Sid": "ECRUtilities",
   "Effect": "Allow",
   "Action": [
      "ecr:GetAuthorizationToken",
      "ecr:DescribeRepositories"
   ],
   "Resource": "*"
}

Image pushing and scanning permissions

You need the following Amazon ECR permissions to push images. They are scoped down to a specific repository. The steps to push Docker images are described in the Amazon ECR - pushing a docker image documentation.

{
   "Sid": "ScanPushImage",
   "Effect": "Allow",
   "Action": [
      "ecr:CompleteLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:InitiateLayerUpload",
      "ecr:BatchCheckLayerAvailability",
      "ecr:PutImage",
      "ecr:ListImages",
      "ecr:DescribeImages",
      "ecr:DescribeImageScanFindings",
      "ecr:StartImageScan"
   ],
   "Resource": "arn:aws:ecr:<REGION>:<ACCOUNT_ID>:repository/<REPOSITORY_NAME>"
}

Amazon Lambda and Amazon EventBridge permissions

You need the following permissions to create and delete the resources handled by the Scan Findings Logger template.

{
   "Sid": "TemplateRequired0",
   "Effect": "Allow",
   "Action": [
      "lambda:RemovePermission",
      "lambda:DeleteFunction",
      "lambda:GetFunction",
      "lambda:CreateFunction",
      "lambda:AddPermission"
   ],
   "Resource": "arn:aws:lambda:<REGION>:<ACCOUNT_ID>:*"
},
{
   "Sid": "TemplateRequired1",
   "Effect": "Allow",
   "Action": [
      "events:RemoveTargets",
      "events:DeleteRule",
      "events:PutRule",
      "events:DescribeRule",
      "events:PutTargets"
   ],
   "Resource": "arn:aws:events:<REGION>:<ACCOUNT_ID>:*"
}

How to create the CloudFormation Stack

Download the ECR Image Scan findings logger template from the official aws-samples GitHub repository.
Access CloudFormation and click on Create stack.
Create a new stack using the template from step 1.
Choose a name for the stack and finish the creation process. No additional configuration is required.
Wait until CREATE_COMPLETE status is reached. The stack containing the AWS Lambda is now ready to be used.

Once the stack configuration is completed, the Lambda can be tested by manually triggering an image scan of a container in Amazon ECR private registry. The scan results in the creation of a CloudWatch log group called /aws/ecr/image-scan-findings/<NAME_OF_ECR_REPOSITORY> containing the scan results. For every new scan, the corresponding log streams are created inside the log group.

Configure Wazuh to process Amazon ECR image scanning logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration block to enable the integration with Amazon ECR Image scanning. Replace <NAME_OF_ECR_REPOSITORY> with the name of the Amazon ECR repository:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <service type="cloudwatchlogs">
    <aws_profile>default</aws_profile>
    <aws_log_groups>/aws/ecr/<NAME_OF_ECR_REPOSITORY></aws_log_groups>
  </service>
</wodle>

Note

Check the AWS CloudWatch Logs integration to learn more about how the CloudWatch Logs integration works.

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

Use case

Amazon ECR provides an image scanning feature that uses the Common Vulnerabilities and Exposure (CVEs) database from the open source Clair project to detect vulnerabilities in container images. Wazuh polls and detects these vulnerabilities from AWS CloudWatch.

Detecting vulnerabilities in container images

Check the Detecting vulnerabilities in container images using Amazon ECR blog to learn how to detect vulnerabilities in container images using Wazuh and Amazon ECR integration.

Cisco Umbrella

Cisco Umbrella is a cloud-based Secure Internet Gateway (SIG) platform that provides you with multiple levels of defense against internet-based threats.

Cisco Umbrella configuration

You can find how to configure this service by following the official documentation on its official website. Furthermore, it is mandatory to configure that the logs generated by this service would be exported to an S3 bucket. You can find how to do that in the log management section of the official documentation.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Configure Wazuh to process Cisco Umbrella logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">

  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>

  <bucket type="cisco_umbrella">
    <name><WAZUH_AWS_BUCKET></name>
    <path>dnslogs</path>
    <aws_profile>default</aws_profile>
  </bucket>

  <bucket type="cisco_umbrella">
    <name><WAZUH_AWS_BUCKET></name>
    <path>proxylogs</path>
    <aws_profile>default</aws_profile>
  </bucket>

</wodle>

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

Elastic Load Balancers

AWS Elastic Load Balancers are services that distribute incoming traffic across multiple targets. The following sections explain the different types of load balancers available and how to configure and monitor them with Wazuh:

Amazon ALB

Application Load Balancers (Amazon ALB) Elastic Load Balancing automatically distributes the incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets and routes traffic only to the healthy targets. Users can select the type of load balancer that best suits their needs. An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply then selects a target from the target group for the rule action.

AWS configuration

The following sections cover how to configure the Amazon ALB service to integrate with Wazuh.

Amazon ALB configuration

Go to S3 buckets, copy the name of an existing S3 bucket or create a new one.
On your AWS console, search for "EC2" or go to Services > Compute > EC2.
Go to Load Balancing > Load Balancers on the left menu. Create a new load balancer or select one or more load balancers and select Edit load balancer attributes on the Actions menu.
In the Monitoring tab, enable Access logs and define the S3 bucket and the path where the logs will be stored.
Note

To enable access logs for ALB (Application Load Balancers), check the following link:
- Application Load Balancer.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Configure Wazuh to process Amazon ALB logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="alb">
    <name><WAZUH_AWS_BUCKET></name>
    <path>ALB</path>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

Amazon CLB

Classic Load Balancers (Amazon CLB) Elastic Load Balancing automatically distributes the incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets and routes traffic only to the healthy targets. Users can select the type of load balancer that best suits their needs. A Classic Load Balancer makes routing decisions at either the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). Classic Load Balancers currently require a fixed relationship between the load balancer port and the container instance port.

AWS configuration

The following sections cover how to configure the Amazon CLB service to integrate with Wazuh.

Amazon CLB configuration

Go to S3 buckets, copy the name of an existing S3 bucket or create a new one.
On your AWS console, search for "EC2" or go to Services > Compute > EC2.
Go to Load Balancing > Load Balancers on the left menu. Create a new load balancer or select one or more load balancers and select Edit load balancer attributes on the Actions menu.
In the Monitoring tab define the S3 bucket and the path where the logs will be stored.
Note

To enable access logs for CLB (Classic Load Balancers), check the following link:
- Classic Load Balancer.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Configure Wazuh to process Amazon CLB logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="clb">
    <name><WAZUH_AWS_BUCKET></name>
    <path>CLB</path>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

Amazon NLB

Network Load Balancers (Amazon NLB) Elastic Load Balancing automatically distributes the incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets and routes traffic only to the healthy targets. Users can select the type of load balancer that best suits their needs. A Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second. After the load balancer receives a connection request, it selects a target from the target group for the default rule. It attempts to open a TCP connection to the selected target on the port specified in the listener configuration.

AWS configuration

The following sections cover how to configure the Amazon NLB service to integrate with Wazuh.

Amazon NLB configuration

Go to S3 buckets, copy the name of an existing S3 bucket or create a new one.
On your AWS console, search for "EC2" or go to Services > Compute > EC2.
Go to Load Balancing > Load Balancers on the left menu. Create a new load balancer or select one or more load balancers and select Edit load balancer attributes on the Actions menu.
In the Monitoring tab define the S3 bucket and the path where the logs will be stored.
Note

To enable access logs for NLB (Network Load Balancers), check the following link:
- Network Load Balancer.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Configure Wazuh to process Amazon NLB logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="nlb">
    <name><WAZUH_AWS_BUCKET></name>
    <path>NLB</path>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

Amazon Security Lake

Note

This document guides you through setting up Wazuh as a subscriber to AWS Security Lake data. To configure Wazuh as a source for Amazon Security Lake, refer to Amazon Security Lake integration

Amazon Security Lake is a fully-managed security data lake service that consolidates data from multiple AWS and other services, optimizing storage costs and performance at scale.

All logs in Amazon Security Lake use the Open Cybersecurity Schema Framework (OCSF) standard for formatting. You can use the Wazuh integration for Amazon Security Lake to ingest security events from AWS services.

These events are available as multi-event Apache Parquet objects in an S3 bucket. Each object has a corresponding SQS message, once it's ready for download.

Wazuh periodically checks for new SQS messages, downloads new objects, converts the files from Parquet to JSON, and indexes each event into the Wazuh indexer. To set up the Wazuh integration for Amazon Security Lake as a subscriber, you need to do the following:

Create a subscriber in Amazon Security Lake.
Set up the Wazuh integration for Amazon Security Lake.

AWS configuration

The following sections cover how to configure the Amazon Security Lake service to integrate with Wazuh.

Enabling Amazon Security Lake

If you haven't already, ensure that you have enabled Amazon Security Lake by following the instructions at Getting started - Amazon Security Lake.

For multiple AWS accounts, we strongly encourage you to use AWS Organizations and set up Amazon Security Lake at the Organization level.

Creating a Subscriber in Amazon Security Lake

After completing all required AWS prerequisites, configure a subscriber for Amazon Security Lake via the AWS console. This creates the resources you need to make the Amazon Security Lake events available for consumption in your Wazuh platform deployment.

Setting up a subscriber in the AWS Console

Logging in and navigating

Log into your AWS console and navigate to Security Lake.
Navigate to Subscribers, and click Create subscriber.

Creating a subscriber

Enter a descriptive name for your subscriber. For example, Wazuh.
Enter the AWS account ID for the account you are currently logged into.
Enter a unique value in External ID. For example, WAZUH-EXTERNAL-ID-VALUE.
Choose to either collect all log and event sources, or only specific log and event sources.
Select S3 as your data access method.
Under S3 notification type select SQS queue.
Click the Create button to get to the Subscribers pages.

Reviewing the subscriber

Navigate to My subscribers section, and click on your newly created subscriber to get to the Subscriber details page.
Check that AWS created the subscriber with the correct parameters.
Save the SQS queue name. You need the name of the Subscription endpoint for later on when verifying the information in the SQS queue.

Verifying information in SQS Queue

Follow these steps in your Amazon deployment to verify the information for the SQS Queue that Security Lake creates.

In your AWS console, navigate to the Amazon Simple Queue Service.
In the Queues section, navigate to the queue that Security Lake created. Click on its name.
In the information page for the queue, click on the Monitoring tab. Verify that events are flowing in by looking at the Approximate Number Of Messages Visible graph and confirming the number is increasing.

Verifying events are flowing into S3 bucket

Follow these steps in your Amazon deployment to verify that parquet files are flowing into your configured S3 buckets.

In your AWS console, navigate to the Amazon S3 service.
Navigate to the Buckets section, and click on the S3 bucket name that Security Lake created for each applicable region. These bucket names start with the prefix aws-security-data-lake.
In each applicable bucket, navigate to the Objects tab. Click through the directories to verify that Security Lake has available events flowing into the S3 bucket. Check that new files with the .gz.parquet extension appear.
- If you enabled Security Lake on more than one AWS account, check if you see each applicable account number listed. Check that parquet files exist inside each account.
In each applicable S3 bucket, navigate to the Properties tab and verify in the Event notifications section that the data destination is the Security Lake SQS queue.

Policy configuration

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are used.

Configuring the role

Follow these steps to modify the Security Lake subscriber role. You have to associate an existing user with the role.

In your AWS console, navigate to the Amazon IAM service.
In your Amazon IAM service, navigate to the Roles page.
In the Roles page, select the Role name of the subscription role notification that was created as part of the Security Lake subscriber provisioning process.
In the Summary page, navigate to the Trust relationships tab to modify the Trusted entity policy.

Modify the Trusted entity policy with the following updates:

In the stanza containing the ARN, attach the username from your target user account to the end of the ARN. This step connects a user to the role. It lets you configure the Security Lake service with the secret access key. See the following Trusted entity example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT_ID>:user/<USERNAME>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": [
                            "<WAZUH-EXTERNAL-ID-VALUE>"
                        ]
                    }
            }
        }
    ]
}

Note

<ACCOUNT_ID>, <USERNAME> and <WAZUH-EXTERNAL-ID-VALUE> are placeholders. Replace them with the appropriate values.

Granting user permission to switch roles

Follow these steps to configure the user permissions:

In your Amazon IAM service, navigate to the Users page.
In the Users page, select the Username of the user you have connected to the role (<USERNAME>).

Replace <ACCOUNT_ID> and <RESOURCE_ROLE> with the appropriate values and add the following permission to switch to the new role:

Note that <RESOURCE_ROLE> is the name of the subscription role that was created as part of the Security Lake subscriber provisioning process.

{
    "Version": "2012-10-17",
    "Statement": [
        {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<RESOURCE_ROLE>"
        }
    ]
}

Parameters

The following fields inside the /var/ossec/etc/ossec.conf file on the Wazuh server or agent section allow you to configure the queue and authenticate:

Queue configuration

<sqs_name> : The name of the queue.
<service_endpoint> - Optional: The AWS S3 endpoint URL to be used to download the data from the bucket. Check Considerations for the Wazuh module for AWS configuration for more information about VPC and FIPS endpoints.

Authentication

<iam_role_arn>: Amazon Resource Name (ARN) for the corresponding IAM role to assume.
<external_id>: External ID to use when assuming the role.
<aws_profile>: A valid profile name from a Shared Credential File or AWS Config File with permissions to access the service. By default, the integration uses the settings found in the default profile. For this configuration, we use the dev profile. Replace it with the appropriate profile defined in your credential file.
<iam_role_duration> - Optional: The session duration in seconds.
<sts_endpoint> - Optional: The URL of the VPC endpoint of the AWS Security Token Service.

More information about the different authentication methods can be found in the Configuring AWS credentials documentation.

Configure Wazuh to process Amazon Security Lake logs

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the following Wazuh module for AWS configuration block to enable the integration with Amazon Security Lake.

<wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>1h</interval>
    <run_on_start>yes</run_on_start>
    <subscriber type="security_lake">
        <sqs_name>sqs-security-lake-main-queue</sqs_name>
        <iam_role_arn>arn:aws:iam::xxxxxxxxxxx:role/ASL-Role</iam_role_arn>
        <iam_role_duration>1300</iam_role_duration>
        <external_id><WAZUH-EXTERNAL-ID-VALUE></external_id>
        <aws_profile>dev</aws_profile>
        <sts_endpoint>xxxxxx.sts.region.vpce.amazonaws.com</sts_endpoint>
        <service_endpoint>https://bucket.xxxxxx.s3.region.vpce.amazonaws.com</service_endpoint>
    </subscriber>
</wodle>

After setting the required parameters, restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

Note

The Wazuh module for AWS execution time varies depending on the number of notifications present in the queue. This affects the time to display alerts on the Wazuh dashboard. If the <interval> value is less than the execution time, the Interval overtaken message appears in the /var/ossec/logs/ossec.log file.

Visualizing alerts in Wazuh dashboard

Once you set the configuration and restart the manager, you can visualize the Amazon Security Lake alerts on the Wazuh dashboard. To do this, go to the Threat Hunting module. Apply the filter rule.groups: amazon_security_lake for an easier visualization.

Custom Logs Buckets

Amazon Simple Queue Service (Amazon SQS) is a fully managed message queuing service. It offers secure, durable, and available hosted queues to decouple and scale software systems and components. It allows sending, storing, and receiving messages between software components at any volume, without losing messages or requiring other services to be available. These features make it an optimal component to associate with Amazon S3 buckets to consume any type of log.

Combining Amazon SQS with Amazon S3 buckets allows Wazuh to collect JSON, CSV, and plain text logs from any custom path. The origin of these logs don't even need to be AWS.

Note

To properly process CSV logs, they must include column headers.

To set up the Wazuh integration for Custom Logs Buckets, you need to do the following:

Create an AWS SQS Queue.
Configure an S3 bucket. For every object creation event, the bucket sends notifications to the queue.

AWS configuration

The following sections cover how to configure Custom Logs Buckets to integrate with Wazuh.

Amazon Simple Queue Service

Set up a Standard type SQS Queue with the default configurations. You can apply an Access Policy similar to the following example, where <REGION>, <ACCOUNT_ID>, <SQS-NAME>, and <S3-BUCKET> are the region, account ID, the SQS Queue name, and the name you are going to provide to the S3 bucket.

{
"Version": "2012-10-17",
"Id": "example-ID",
"Statement": [
  {
    "Sid": "example-access-policy",
    "Effect": "Allow",
    "Principal": {
      "Service": "s3.amazonaws.com"
    },
    "Action": "SQS:SendMessage",
    "Resource": "arn:aws:sqs:<REGION>:<ACCOUNT_ID>:<SQS-NAME>",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "<ACCOUNT_ID>"
      },
      "ArnLike": {
        "aws:SourceArn": "arn:aws:s3:*:*:<S3-BUCKET>"
      }
    }
  }
]
}

You can make your access policy to accept S3 notifications from different account IDs and to apply different conditions. More information in Managing access in Amazon SQS.

Amazon S3 and Event Notifications

To configure an S3 bucket that reports creation events, do the following.

Configure an S3 bucket as defined in the configuring an S3 bucket section. Provide the name you decided in the previous section.
Once created, go to Event notifications inside the Properties tab. Select Create event notification.
In Event Types, select All object create events. This generates notifications for any type of event that results in the creation of an object in the bucket.
In the Destination section, select the following options:
- SQS queue
- Choose from your SQS queues
Choose the queue you created previously.

Configuration parameters

Configure the following fields to set the queue and authentication configuration. For more information, check the subscribers reference.

Queue

<sqs_name>: The name of the queue.
<service_endpoint> – Optional: The AWS S3 endpoint URL for data downloading from the bucket. Check Using VPC and FIPS endpoints for more information about VPC and FIPS endpoints.

Authentication

The available authentication methods are the following:

These authentication methods require using the /root/.aws/credentials file to provide credentials. You can find more information in configuring AWS credentials.

The available authentication configuration parameters are the following:

<aws_profile>: A valid profile name from a Shared Credential File or AWS Config File with permission to read logs from the bucket.
<iam_role_arn>: Amazon Resource Name (ARN) for the corresponding IAM role to assume.
<iam_role_duration> – Optional: The session duration in seconds.
<sts_endpoint> – Optional: The URL of the VPC endpoint of the AWS Security Token Service.

Configure Wazuh to process logs from Custom Logs Buckets

Warning

Every message sent to the queue is read and deleted. Make sure you only use the queue for bucket notifications.

Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

Add the SQS name and your configuration parameters for the buckets service. Set this inside <subscriber type="buckets">. For example:

<wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>1h</interval>
    <run_on_start>yes</run_on_start>
    <subscriber type="buckets">
        <sqs_name>sqs-queue</sqs_name>
        <aws_profile>default</aws_profile>
    </subscriber>
</wodle>

Check the Wazuh module for AWS reference manual to learn more about the available settings.

Note

The amount of notifications present in the queue affects the execution time of the Wazuh module for AWS. If the <interval> value for the waiting time between executions is too short, the interval overtaken warning is logged into the /var/ossec/logs/ossec.log file.

Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:
- Wazuh manager:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# systemctl restart wazuh-agent
```

AWS Security Hub

AWS Security Hub automates security best practice checks and aggregates insights to help users understand their overall security posture across multiple AWS accounts. Security Hub helps users assess their compliance against security best practices. It achieves this by:

Running checks against security controls.
Generating control findings.
Grouping related findings into collections called insights.

You need to perform the following to set up the integration that allows you to receive Security Hub events on your Wazuh environment:

Configure your AWS environment. This involves:
- Enabling Amazon Security Hub. There are two methods to enable Amazon Security Hub in your environment. Please see the enabling Security Hub section.
- Creating a Firehose stream: The Amazon EventBridge is a serverless event bus service that makes it easy to connect applications using events from AWS services, integrated SaaS applications, and custom sources in real-time. EventBridge needs a target such as the Firehose stream. It triggers the target when it receives an event matching an event pattern defined in the rule.
- Integrating Security Hub with EventBridge: EventBridge allows storing Security Hub findings and insights in S3 buckets.
- Enabling an Amazon S3 bucket to include event notifications: The bucket sends notifications to the queue for every Security Hub object creation event.
- Enabling an Amazon SQS queue: The Amazon Simple Queue Service (SQS) is a message queuing service that enables decoupled communication between AWS components. The Wazuh module for AWS will query the SQS for notifications of created logs in S3 and generate alerts from Security Hub logs.
Configure the Wazuh module for AWS to receive Amazon Security Hub events.

Amazon configuration

Enabling Security Hub

Search for the “Security Hub” using the AWS console search bar to determine the best method that suits your environment. There are two ways to enable AWS Security Hub:

Manual Integration: We recommend this method for standalone accounts with a single organization. The screenshot below shows how to enable AWS Security Hub using the AWS Security Hub console. Please follow the enabling Security Hub manually guideline to find other methods to enable the AWS Security Hub.
Organizations integration: We recommend this method for multi-account and multi-region environments. Your organization must have a delegated administrator account. Please follow the enabling Security Hub with organizations integration guidelines to set your AWS Security Hub using this method.

Creating a Firehose stream

The Amazon Firehose stream serves as the channel for sending the AWS Security Hub logs to the S3 bucket. Follow the steps below to create an Amazon Firehose stream for your Amazon Security Hub logs.

Go to the Amazon Data Firehose service and click Create Firehose stream.
Select Direct PUT as the source and Amazon S3 as the destination.
Choose or create your proposed Amazon S3 bucket. You can use an Amazon S3 bucket prefix, but this is optional.
Click Create Firehose stream.

Integrating Security Hub with EventBridge

Integrating Security Hub with EventBridge enables the storage of Security Hub events in S3 buckets.

There are three types of events available, each using a specific Eventbridge event format. The Wazuh integration takes every relevant detail and detail-type value from them.

Security Hub Findings - Imported: Security Hub automatically sends events of this type to EventBridge. They include new findings and updates to existing findings, each containing a single finding.
Security Hub Findings - Custom Action: When you trigger custom actions, Security Hub sends these events to EventBridge. The custom actions associate the events with their findings.
Security Hub Insight Results: This event processes the Security Hub Insights. You can use custom actions to send sets of insight results to EventBridge. Insight results are the resources that match an insight.

To send the last two types of events to EventBridge, you need to create a custom action in Security Hub. Please refer to the Amazon Security Hub documentation to achieve this. Find more information about the types of Security Hub integration with EventBridge.

To integrate Security Hub with EventBridge, you must create an event rule in EventBridge.

Go to the Amazon EventBridge and create a new EventBridge rule.
Enter a name for the rule and select Rule with an event pattern. Then click on Next.
Scroll down to Event pattern. Select Security Hub as the AWS service and All Events in the Event type. Then click on Next.
Select Firehose stream as the target, and use the Firehose stream you created in the previous section. Click on Next.
Leave the other default options and create the EventBridge rule.

The AWS documentation provides steps to configure an EventBridge rule for AWS Security Hub.

Amazon S3 bucket with event notifications

Follow the steps below to configure an S3 bucket that reports the creation of events.

Configure an S3 bucket as defined in the configuring an AWS S3 Bucket section. Provide the name you decided in the previous section.
Go to Event notifications inside the Properties tab. Select Create event notification.
Select All object create events in Event Types. This generates notifications for any event that creates an object in the bucket.
Select SQS queue in the Destination section.
Select Choose from your SQS queues. Then, choose the queue you created previously.

Amazon Simple Queue Service

Amazon Simple Queue Service is a fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications.

In this case, it acknowledges new events to pull from the S3 bucket.

Set up a Standard type SQS Queue with the default configurations. You can apply an access policy similar to the following example, where <REGION>, <AWS_ACCOUNT_ID>, <S3_BUCKET>, <YOUR_SQS_QUEUE_NAME> are your region, account ID, S3 bucket name, and SQS queue name.
```
{
"Version": "2012-10-17",
"Id": "SecurityHub-ID",
"Statement": [
  {
    "Sid": "example-access-policy",
    "Effect": "Allow",
    "Principal": {
      "Service": "s3.amazonaws.com"
    },
    "Action": "SQS:SendMessage",
    "Resource": "arn:aws:sqs:<REGION>:<AWS_ACCOUNT_ID>:<AWS_ACCOUNT_ID>:<YOUR_SQS_QUEUE_NAME>",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "<AWS_ACCOUNT_ID>"
      },
      "ArnLike": {
        "aws:SourceArn": "arn:aws:s3:*:*:<S3_BUCKET>"
      }
    }
  }
]
}
```
The other settings related to this configuration are:
- "Version" specifies the version of the policy language being used, in this case, the version from 2012-10-17.
- "Id" is a unique identifier for this policy.
- "Statement" is an array that contains the individual permission statements for this policy.
- "Sid" is an optional identifier that provides a way to give the statement a unique name.
- "Effect" defines whether the statement results in an "Allow" or "Deny" for the specified actions.
- "Principal" specifies the AWS service or account allowed to access the resource, in this case, the "s3.amazonaws.com" service.
- "Action" specifies the action that is allowed or denied, in this case, "SQS", which allows sending messages to an SQS queue.
- "Condition" specifies conditional elements that must be met for the policy to take effect.
- "Resource" is the ARN of your SQS queue.
- "aws:SourceAccount" is your AWS account ID.
- "aws:SourceArn" is the ARN of the Amazon S3 bucket created for your Amazon Security Hub logs.
You can set your access policy to accept S3 notifications from different account IDs and apply different conditions. For more information, see managing access in Amazon SQS.

Wazuh configuration

Authentication

The available authentication methods are the following:

These authentication methods require providing credentials using the /root/.aws/credentials file. For more information, see configuring AWS credentials.

Configuration

You can perform the following configuration on the Wazuh server or Linux-based Wazuh agent.

Edit the /var/ossec/etc/ossec.conf file. Add the SQS name within the <sqs_name> tag. For example:
```
<wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>1h</interval>
    <run_on_start>yes</run_on_start>
    <subscriber type="security_hub">
       <sqs_name>YOUR_SQS_QUEUE_NAME</sqs_name>
       <aws_profile>YOUR_AWS_CREDENTIAL_PROFILE</aws_profile>
   </subscriber>
</wodle>
```
Where:
- <interval> is the time taken between each log pull.
- <run_on_start> pulls AWS Security Hub logs each time the Wazuh server starts.
- <subscriber type="security_hub"> are the added tags to obtain AWS Security Hub logs.
- <sqs_name> is the name of the Amazon SQS queue created in the previous section.
Optional
- <service_endpoint> – The AWS S3 endpoint URL for data downloading from the bucket. Check using non-default AWS endpoints for more information about VPC and FIPS endpoints.
Restart the Wazuh server or agent to apply the changes.
- Wazuh server:
```
# systemctl restart wazuh-manager
```
- Wazuh agent:
```
# Systemctl restart Wazuh-agent
```

Check the AWS S3 module reference to learn more about the available settings. Configure the following fields to set the queue and authentication configuration. For more information, check the subscriber’s reference.

Warning

Every message sent to the queue is read and deleted. Make sure you only use the queue for bucket notifications.

Visualizing the events

You can view these logs via the Threat Hunting dashboard of the agent you configured your Wazuh module for AWS.

The following dashboard shows the top 5 AWS Security Hub alerts discovered within 90 days.

The image below shows an event with a high severity.

Troubleshooting

The below information is intended to assist in troubleshooting issues.

Checking if the Wazuh module for AWS is running

When the Wazuh module for AWS runs it writes its output in the ossec.log file. This log file can be found in /var/ossec/logs/ossec.log and under Server Management > Logs if you use the Wazuh dashboard. It is possible to check if the Wazuh module for AWS is running without issues by looking in the /var/ossec/logs/ossec.log file. These are the messages that are displayed in the file depending on how the Wazuh module for AWS has been configured:

When the Wazuh module for AWS is starting:

2022/03/04 00:00:00 wazuh-modulesd:aws-s3: INFO: Module AWS started
2022/03/04 00:00:00 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.

When Scheduled scan is set:

2022/03/04 00:00:00 wazuh-modulesd:aws-s3: INFO: Starting fetching of logs.
2022/03/04 00:00:00 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.

When the Wazuh module for AWS has finished its execution and is waiting until the interval condition is met:
```
2022/03/04 00:00:00 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.
```

Enabling debug mode

It is possible to obtain additional information about the Wazuh module for AWS execution by enabling the debug mode. This is used to see INFO or DEBUG messages. There are three different debug levels available:

Debug level 0: Only ERROR and WARNING messages are written in the /var/ossec/logs/ossec.log file. This is the default value.
Debug level 1: In addition to ERROR and WARNING messages, INFO messages are written in the /var/ossec/logs/ossec.log file too. They are useful to check the execution of the module without having to manage large amounts of DEBUG messages.
Debug level 2: This is the highest level of verbosity. Every message type is dump into the /var/ossec/logs/ossec.log file, including DEBUG messages which contain the details of the different operations performed by the Wazuh module. This is the recommended mode when troubleshooting the Wazuh module for AWS.

Follow these steps to enable debug mode:

Add the following line to the /var/ossec/etc/local_internal_options.conf file of the Wazuh server or agent, specifying the desired debug level:
```
wazuh_modules.debug=2
```

Restart the Wazuh service.

Wazuh manager

# systemctl restart wazuh-manager

Wazuh agent

# systemctl restart wazuh-agent

Note

Don't forget to disable debug mode once the troubleshooting has finished. Leaving debug mode enabled could result in the addition of large amounts of logs in the /var/ossec/logs/ossec.log file.

Checking if logs are being processed

The easiest way to check if the logs are being processed, regardless of the type of bucket or service configured and regardless of whether alerts are being generated or not is by using the logall_json parameter.

To understand how the logall_json parameter works it is necessary to learn about the flow that is followed when processing a log until the corresponding alert is displayed on the Wazuh dashboard. It is as follows:

The Wazuh module for AWS downloads the logs available in AWS for the requested date and path. Check the Considerations for the Wazuh module for AWS configuration page to learn more about how to properly filter the logs.
The content of these logs is sent to the analysis engine in the form of an Event.
The analysis engine evaluates these events and compares them with the different rules available. If the event matches any of the rules an alert is generated, which is what ultimately is shown on the Wazuh dashboard.

With this in mind, it is possible to enable the Wazuh archives using the logall_json option. When this option is activated, Wazuh stores into the /var/ossec/logs/archives/archives.json file every event sent to the analysis engine whether they tripped a rule or not. By checking this file, it is possible to determine if the AWS events are being sent to the analysis engine and therefore the Wazuh module for AWS is working as expected.

Note

Don't forget to disable the logall_json parameter once the troubleshooting has finished. Leaving it enabled could result in high disk space consumption.

Common problems and solutions

Unable to locate credentials

The Wazuh module for AWS does not work and the following error messages appear in the /var/ossec/logs/ossec.log file:

2022/03/03 16:01:48 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  Returned exit code 12
2022/03/03 16:01:48 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  Unable to locate credentials

Solution

No authentication method was provided within the configuration of the Wazuh module for AWS. Check the Configuring AWS credentials section to learn more about the different options available and how to configure them.

Invalid credentials to access S3 Bucket

The Wazuh module for AWS does not work and the following error messages appear in the /var/ossec/logs/ossec.log file:

2022/03/03 16:06:56 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  Returned exit code 3
2022/03/03 16:06:56 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  Invalid credentials to access S3 Bucket

Solution

Make sure the credentials provided grant access to the requested S3 bucket and the bucket itself exists.

The config profile could not be found

The Wazuh module for AWS does not work and the following error messages appear in the /var/ossec/logs/ossec.log file:

2022/03/03 15:49:34 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  Returned exit code 12
2022/03/03 15:49:34 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  The config profile (default) could not be found

Solution

Ensure the profile value specified in the configuration matches an existing one placed in /root/.aws/credentials. Check the Profiles section to learn more about configuring a profile for authentication.

The security token included in the request is invalid

The Wazuh module for AWS does not work and the following error messages appear in the /var/ossec/logs/ossec.log file:

2022/03/03 16:16:18 wazuh-modulesd:aws-s3: WARNING: Service: cloudwatchlogs  -  Returned exit code 12
2022/03/03 16:16:18 wazuh-modulesd:aws-s3: WARNING: Service: cloudwatchlogs  -  An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.

Solution

No credentials were provided to attempt to access to CloudWatch Logs or that the credentials provided don't grant access to CloudWatch Logs. Check the Configuring AWS credentials section to learn more about the different options available and how to configure them.

There are no AWS alerts present on the Wazuh dashboard

The Wazuh module for AWS is running but no alerts are displayed on the Wazuh dashboard.

Solution

First of all, review ERROR or WARNING messages in the /var/ossec/logs/ossec.log file by enabling debug mode. If the Wazuh module for AWS is running as expected but no alerts are being generated it could mean there is no reason for alerts to be raised in first place. Check the following to verify this:

Make sure there is data available for the given date.

When running, the Wazuh module for AWS requests AWS for the logs corresponding to the date indicated using the only_logs_after parameter. If this parameter is not specified, it will try to obtain the logs corresponding to the day of execution. Make sure you are specifying a value for only_logs_after and that there is data available for that particular date. Check the Considerations for the Wazuh module for AWS configuration page to learn more about how to properly filter the logs using the only_logs_after parameter.
Check if the events are being sent to the analysis engine.

A common scenario is that no alerts are being generated because the events do not match any of the available rules. Take a look at the Checking if logs are being processed section to learn how to check if the AWS logs are being sent to the analysis engine.

CloudWatch Logs integration is running but no alert is shown on the Wazuh dashboard

The Wazuh module for AWS is running without any error or warning messages, but no alerts from CloudWatch Logs are displayed on the Wazuh dashboard.

Solution

A common scenario is that no alerts are being generated because the events do not match any of the available rules. Take a look at the Checking if logs are being processed section to learn how to check if the AWS logs are being sent to the analysis engine.

Take into account that Wazuh does not provide default rules for the different logs that can be found in CloudWatch Logs, since they can have any type of format and come from any source. Because of this, if a user wants to make use of this integration to process any custom log they will most likely have to configure their own rules for them. Take a look at the Custom rules section to learn more about this topic.

Interval overtaken message is present in the log file

The Interval overtaken message is present in the /var/ossec/logs/ossec.log file.

Solution

Not an issue but a warning. This means the time the Wazuh module for AWS required to finish the last execution was greater than the interval value defined. It is important to note that the next run will not start until the previous one is finished.

Error codes reference

Errors in the /var/ossec/logs/ossec.log file of the Wazuh server or agent.

The exit codes and their possible remediation are as follows:

Code	Description	Possible remediation
1	Unknown error	Programming error. Please, open an issue in the Wazuh GitHub repository with the trace of the error.
2	SIGINT	The module stopped due to an interrupt signal.
3	Invalid credentials to access S3 bucket	Make sure that your credentials are correct. For more information, see the Configuring AWS credentials section.
4	boto3 module missing	Install `boto3` library. For more information, see the Installing dependencies section.
5	Unexpected error accessing SQLite DB	Check that no more instances of the Wazuh module for AWS are running at the same time.
6	Unable to create SQLite DB	Make sure that the wodle has the right permissions in its directory.
7	Unexpected error querying/working with objects in S3	Check that no more instances of the Wazuh module for AWS are running at the same time.
8	Failed to decompress file	Only `.gz` and `.zip` compression formats are supported.
9	Failed to parse file	Ensure that the log file contents have the expected structure.
10	pyarrow module missing	Install `pyarrow` library. For more information, see the Installing dependencies section.
11	Unable to connect to Wazuh	Ensure that Wazuh is running.
12	Invalid type of bucket	Check if the type of bucket is one of the supported.
13	Error sending message to Wazuh	Make sure that Wazuh is running.
14	Empty bucket	Make sure that the path to the log files is correct.
15	Invalid VPC endpoint URL	Ensure that the VPC endpoint URL provided is correct.
16	Throttling error	AWS is receiving more than 10 requests per second. Try to run the module again when the number of requests to AWS has decreased. For more information see the Connection configuration for retries section.
17	Invalid file key format	Ensure that the file path follows the format specified in the supported services
18	Invalid prefix	Make sure that the indicated path exists in the S3 bucket.
19	The server datetime and datetime of the AWS environment differ	Make sure that the server datetime is correctly set.
20	Unable to find SQS	Make sure that the `sqs_name` value in the Wazuh module for AWS configuration in the `ossec.conf` file is correct.
21	Failed fetch/delete from SQS	Check that no more instances of the Wazuh module for AWS are running at the same time.
22	Invalid region	Check the provided `region` in the `ossec.conf` file.
23	Profile not found	Check the provided `aws_profile` in the `ossec.conf` file.

Monitoring Microsoft Azure with Wazuh

Microsoft Azure is a cloud computing platform by Microsoft that offers a wide range of services, including computing power, storage options, and networking capabilities. It provides solutions for various applications such as virtual computing, analytics, storage, and networking, catering to the diverse needs of businesses and developers. Securing your cloud instance is an essential consideration for companies that use cloud services offered by cloud providers such as Microsoft Azure.

Wazuh, an open source security monitoring platform, offers solutions for collecting and analyzing data generated by security and runtime events within Microsoft Azure environments. Integrating Wazuh with Microsoft Azure enhances the security posture of Azure deployments and ensures compliance with regulatory standards and operational integrity.

This section provides instructions for monitoring Microsoft Azure infrastructures.

Monitoring instances

The Wazuh agent is cross-platform compatible, meaning it can run on various operating systems, such as Windows, Linux, and macOS. It collects data on different systems and applications and ensures the instance benefits from other Wazuh capabilities, such as File Integrity Monitoring (FIM) and Security Configuration Assessment (SCA). This data is sent to the Wazuh server through an encrypted and authenticated channel. A unique pre-shared key registration process establishes this secure channel.

You can install the Wazuh agent on the virtual machines in your Microsoft Azure environment. Monitoring cloud virtual machines using the Wazuh agent is beneficial because it ensures comprehensive security and performance oversight, enabling early detection of potential threats and operational issues in dynamic cloud environments.

Check the Wazuh agent installation and enrollment documentation to learn more about the Wazuh agents. Additionally, read about Wazuh SIEM and XDR capabilities and their configuration in our capabilities documentation.

Monitoring Azure platform and services

The Azure Monitor Logs collects and organizes logs and performance data from monitored resources, including Azure services, virtual machines, and applications. This insight is sent to Wazuh using the Azure Log Analytics REST API or by directly accessing the contents of a Microsoft Azure Storage account. The Wazuh module for Azure enables centralized logging, threat detection, and compliance management of your Microsoft Azure environments from your Wazuh deployment.

The Wazuh module for Azure requires dependencies and credentials to access your Microsoft Azure logs. These dependencies are available by default on the Wazuh manager, but you must install them when you use a Wazuh agent for the integration. Take a look at the Prerequisites section before proceeding.

Prerequisites

Installing dependencies

You can configure the Wazuh module for Azure either in the Wazuh manager or in a Wazuh agent. This choice depends solely on how you access your Azure infrastructure in your environment.

You only need to install dependencies when configuring the integration with Azure in a Wazuh agent. The Wazuh manager already includes all the necessary dependencies.

Python

The Wazuh module for Azure is compatible with Python 3.8–3.13. While later Python versions should work as well, we can't assure they are compatible. If you do not have Python 3 already installed, run the following command on your monitored endpoint.

# apt-get update && apt-get install python3

# yum update && yum install python3

# apt-get update && apt-get install python3-pip

# yum update && yum install python3-pip

We recommend using Pip 19.3 or later to simplify the installation of the dependencies. Run this command to check your pip version.

# pip3 --version

An example output is as follows.

pip 22.0.2 from /usr/lib/python3/dist-packages/pip (python 3.10)

If your pip version is less than 19.3, run the following command to upgrade the version.

# pip3 install --upgrade pip

# pip3 install --upgrade pip --break-system-packages

Note

This command modifies the default externally managed Python environment. See the PEP 668 description for more information.

To prevent the modification, you can run pip3 install --upgrade pip within a virtual environment. You must update the shebang of the /var/ossec/wodles/azure/azure-logs Python script with the interpreter in your virtual environment. For example, #!/path/to/your/virtual/environment/bin/python3.

Azure Storage client library for Python

You need the libraries in the command below to set up your Wazuh agent endpoint and monitor your Microsoft Azure platform and services.

# pip3 install azure-storage-blob==12.20.0 azure-storage-common==2.1.0 azure-common==1.1.25 cryptography==3.3.2 cffi==1.14.4 pycparser==2.20 six==1.14.0 python-dateutil==2.8.1 requests==2.25.1 certifi==2022.12.07 chardet==3.0.4 idna==2.9 urllib3==1.26.18 SQLAlchemy==2.0.23 pytz==2020.1

# pip3 install --break-system-packages azure-storage-blob==12.20.0 azure-storage-common==2.1.0 azure-common==1.1.25 cryptography==3.3.2 cffi==1.14.4 pycparser==2.20 six==1.14.0 python-dateutil==2.8.1 requests==2.25.1 certifi==2022.12.07 chardet==3.0.4 idna==2.9 urllib3==1.26.18 SQLAlchemy==2.0.23 pytz==2020.1

Note

If you use a virtual environment, remove the --break-system-packages parameter from the above command.

Install system-level package libffi.

# apt-get update && apt-get install -y libffi-dev

# yum update && yum install -y libffi-devel

Install the Python packages.

# pip3 install --break-system-packages azure-storage-blob==12.20.0 azure-storage-common==2.1.0 azure-common==1.1.25 cryptography==3.3.2 cffi==1.14.4 pycparser==2.20 six==1.16.0 python-dateutil==2.9.0.post0 requests==2.25.1 certifi==2022.12.07 chardet==3.0.4 idna==2.9 urllib3==1.26.18 SQLAlchemy==2.0.44 pytz==2020.1

Note

If you use a virtual environment, remove the --break-system-packages parameter from the above command.

Configuring Azure credentials

The Wazuh module for Azure must have access credentials to connect to Azure successfully. The credentials required vary depending on the type of monitoring. These include:

Access credentials for Microsoft Graph and Azure Log Analytics
Access credentials for Microsoft Azure Storage

The following sections provide an overview of how you can create these credentials.

Getting access credentials for Microsoft Graph and Azure Log Analytics

You need valid application_id and application_key values to authenticate connection from the Wazuh module for Azure.

Follow the steps below to obtain an application_id and application_key:

Go to Microsoft Entra ID and navigate to the registered application.
Go to the Certificates & secrets section of the chosen application, then generate a secret key by selecting New client secret.
Give the key a descriptive name and specify the duration for which the key should remain active, then select Add.
Copy the Value and the Secret ID. Ensure you securely store these values, as you can only view them once. The Value is the application_key.
Copy the application_id value for your registered application from the Overview section.

Getting access credentials for Microsoft Azure Storage

The Microsoft Azure Storage requires valid account_name and account_key values. You can obtain them in the Access keys section of Storage accounts on your Azure environment. Follow the Microsoft guide to create a storage account.

The section below shows the steps to retrieving the Microsoft Azure Storage account key.

Go to the Storage accounts section of your Microsoft Azure environment and select the account of interest.
Navigate to Access keys located on the left pane to access the account_name and account_key values.

Wazuh Azure authentication file

To authenticate your Microsoft Azure environment to Wazuh, you must store your credentials in a file using the format field = value.

The fields expected to be present in the credentials file depend on the type of service or activity you are monitoring.

Microsoft Azure Log Analytics and Graph

The file must contain only two lines, one for the application_id and another for the application_key obtained previously:

application_id = <YOUR_APPLICATION_ID>
application_key = <YOUR_APPLICATION_KEY>

Microsoft Azure Storage

The file must contain only two lines, one for the account_name and the other one for the account_key obtained previously:

account_name = <YOUR_ACCOUNT_NAME>
account_key = <YOUR_ACCOUNT_KEY>

Specify the authentication file in the /var/ossec/etc/ossec.conf configuration file using the <auth_path> tag, regardless of the service or activity you monitor. Take a look at the following example:

<wodle name="azure-logs">
  <disabled>no</disabled>
  <run_on_start>yes</run_on_start>

  <log_analytics>
     <auth_path>/var/ossec/wodles/credentials/log_analytics_credentials</auth_path>
      <tenantdomain>wazuh.com</tenantdomain>
      <request>
          <query>AzureActivity</query>
          <workspace>12345678-90ab-cdef-1234-567890abcdef</workspace>
          <time_offset>1d</time_offset>
      </request>
  </log_analytics>

  <graph>
     <auth_path>/var/ossec/wodles/credentials/graph_credentials</auth_path>
      <tenantdomain>wazuh.com</tenantdomain>
      <request>
          <query>auditLogs/directoryAudits</query>
          <time_offset>1d</time_offset>
      </request>
  </graph>

<storage>
     <auth_path>/var/ossec/wodles/credentials/storage_credentials</auth_path>
      <container name="insights-activity-logs">
          <blobs>.json</blobs>
          <content_type>json_inline</content_type>
          <time_offset>24h</time_offset>
      </container>
  </storage>
</wodle>

For more information on <auth_path>, look at the Wazuh module for Azure reference page.

Adding more than one request block simultaneously in the same configuration is possible. The Wazuh module for Azure would process each request sequentially. The above configuration is an example. It includes Microsoft Azure Log Analytics, Graph, and Storage configuration blocks.

Reparse

Warning

The reparse option will fetch and process all the logs from the starting date until the present. This process may generate duplicate alerts.

To fetch and process older Azure logs, you must run the Wazuh module for Azure using the --reparse option.

The la_time_offset value sets the time as an offset for the starting point. If you don't provide a la_time_offset value, the Wazuh module for Azure returns to the date it processed the first file.

The following code block shows an example of running the Wazuh module for Azure on a Wazuh manager using the --reparse option:

# /var/ossec/wodles/azure/azure-logs --log_analytics --la_auth_path credentials_example --la_tenant_domain 'wazuh.example.domain' --la_tag azure-activity --la_query "AzureActivity" --workspace example-workspace --la_time_offset 50d --debug 2 --reparse

The --debug 2 parameter gets a verbose output. This output is helpful to show that the script works, especially when handling a large amount of data.

Microsoft Azure Log Analytics

Microsoft Azure Log Analytics is a service that monitors your Microsoft Azure infrastructure, offering query capabilities that allow you to perform advanced searches specific to your data.

The Azure Log Analytics solution helps you to analyze and search Azure activity logs in all your Azure subscriptions, providing information about the operations performed with the resources of your subscriptions.

You can query data collected by Log Analytics using the Azure Log Analytics REST API, which uses the Microsoft Entra ID authentication scheme. You need a qualified application or client to use the Azure Log Analytics REST API. You must configure this manually on the Microsoft Azure portal. The section below shows how to set up the application and gives a use case:

Setting up the application
Azure Log Analytics use case

Configuration

Azure

Setting up the application

The process below details creating an application using the Azure Log Analytics REST API. It is also possible to configure an existing application. Please skip the Creating the application step if you already have an existing application.

Creating the application

We navigate to the Microsoft Entra ID panel on the Microsoft Azure portal to create a new application for Azure Log Analytics.

Select the App registrations option from the Microsoft Entra ID panel. Then, select New registration.
Define the user-facing display name for the application and select Register.

Granting permissions to the application

Select All applications from App registration and refresh it. The new application will appear. In our case, the display name is LogAnalyticsApp.
Go to the Overview section and save the Application (client) ID for later authentication.
Go to the API permissions section and add the Data.Read permission to the application.
Search for the Log Analytics API.
Select the Read Log Analytics data permission from Applications permissions.
Use an admin user to Grant admin consent for the tenant.

Granting the application access to the Azure Log Analytics API

Access Log Analytics workspaces and create a new workspace or choose an existing one.
Copy the Workspace ID value from the Overview section.
Go to the Access control (IAM) section, click Add and select Add role assignment to add the required role to the application.
Select the Log Analytics Reader role from the Job functions role tab.
Select User, group, or service principal from the Members tab. Click Select members and find the App registration created previously.
Click Review + assign to finish.

Sending logs to the Workspace

You need to create a diagnostic setting to collect logs and send them to the Azure Log Analytics Workspace created in the previous steps.

Return to Microsoft Entra ID, scroll down on the left menu bar, and select the Diagnostic settings section.
Click on Add diagnostic setting.
Choose the log categories you want to collect from under Categories. Check the Send to Log Analytics workspace option under Destination details. Select the Log Analytics Workspace you created in the previous steps.
Click on Save.

Azure Log Analytics will stream the selected categories to your workspace.

Wazuh requires valid credentials to pull logs from Azure Log Analytics. Look at the credentials section to learn how to generate a client secret to access the App registration.

Wazuh server or agent

You need to authorize the Wazuh module for Azure to access your Azure Log Analytics. For more information about setting up authorization, see the Configuring Azure credentials section.

Apply the following configuration to the local configuration file /var/ossec/etc/ossec.conf of the Wazuh server or agent. This will depend on where you configured the Wazuh module for Azure:

<wodle name="azure-logs">
    <disabled>no</disabled>
    <run_on_start>no</run_on_start>

    <log_analytics>
        <auth_path>/var/ossec/wodles/credentials/log_analytics_credentials</auth_path>
        <tenantdomain>wazuh.com</tenantdomain>

        <request>
            <tag>azure-auditlogs</tag>
            <query>AuditLogs</query>
            <workspace>d6b...efa</workspace>
            <time_offset>1d</time_offset>
        </request>

    </log_analytics>
</wodle>

Where:

<auth_path> is the full path of where the workspace secret key is stored.
<tenantdomain> is the tenant domain name. You can obtain this from the Overview section in Microsoft Entra ID.
<workspace> is the workspace ID that you need for authentication.
<time_offset> is the timeframe dated backwards. In this case, all logs within a 24-hour timeframe will be downloaded.

Restart your Wazuh server or agent, depending on where you configured the Wazuh module for Azure.

Wazuh agent:
```
# systemctl restart wazuh-agent
```
Wazuh server:
```
# systemctl restart wazuh-manager
```

The configuration above allows Wazuh to search through any query using the tag value as the identifier.

Check the reference for more information about the Wazuh module for Azure.

Use case

Here is an example of monitoring the infrastructure activity using the previously created Azure application.

Creating a user

Follow the steps outlined below to create a user on Microsoft Entra ID:

Navigate to Entra ID and select All users.
Click on New User.
Choose the option to Create a new user.
Provide the necessary details for the user you want to create, and then choose the Create option to complete the creation.

Visualizing the events on the Wazuh dashboard

Once set up, you can check the results in the Wazuh dashboard.

Microsoft Azure Storage

Microsoft Azure Storage refers to the Microsoft Azure cloud storage solution. This service provides a massively scalable object store for data objects, a messaging store for reliable messaging, a file system service for the cloud, and a NoSQL store.

As an alternative to the Azure Log Analytics REST API, Wazuh offers access to a Microsoft Azure Storage account. You can export the activity logs of the Microsoft Azure infrastructure to the storage accounts.

This section explains using the Azure portal to archive your Microsoft Azure activity logs in a storage account.

Configuration

Azure

Configuring the activity log export

Select the Audit Logs option from the Monitoring section within Microsoft Entra ID and click on Export Data Settings.
Click Add diagnostic setting.
Select the AuditLogs and Archive to the storage account checkbox, then select the subscription and Storage account to which you want to export the logs from the dropdown menu.

Wazuh server or agent

It is important to set the account_name and account_key of the storage account to authenticate. The image below shows an already configured storage account.

Check the credentials section for guidance on configuring Microsoft Azure Storage credentials.

Apply the following configuration to the local configuration file /var/ossec/etc/ossec.conf of the Wazuh server or agent. This will depend on where you configured the Wazuh module for Azure:
```
<wodle name="azure-logs">

    <disabled>no</disabled>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>

    <storage>

            <auth_path>/home/manager/Azure/storage_auth.txt</auth_path>
            <tag>azure-activity</tag>

            <container name="insights-activity-logs">
                <blobs>.json</blobs>
                <content_type>json_inline</content_type>
                <time_offset>24h</time_offset>
                <path>info-logs</path>
            </container>

    </storage>
</wodle>
```
Where
- <auth_path> is the full path of where the workspace secret key is stored.
- <container> contains useful parameters while fetching blog storage contents.
- <container name="insights-activity-logs"> the log container that will be streamed.
- <blobs>.json</blobs> is the blob format that will be downloaded.
- <time_offset> is the timeframe dated backward. In this case, all logs within a 24-hour timeframe will be downloaded.
- <content_type> is the format for storing the content of the blobs.
Check the Wazuh module for Azure reference page to learn more about the parameters available and how to use them.
Restart your Wazuh server or agent, depending on where you configured the Wazuh module for Azure.

Wazuh agent:
```
# systemctl restart wazuh-agent
```
Wazuh server:
```
# systemctl restart wazuh-manager
```

Use case

Here is an example of Microsoft Entra ID activity monitoring using the above configuration.

Create a new user

Create a new user in your Microsoft Azure environment using Microsoft Entra ID. A few minutes after creating the user, a new log will be available in a container named insights-activity-logs inside the Storage account specified when configuring the Activity log export.

Please refer to the creating a user section under the Azure Log Analytics use case.

You can check the results in the Wazuh dashboard.

Microsoft Graph

In this section, you will learn how to monitor your Microsoft Entra ID activity using the Microsoft Graph REST API. This section contains:

Azure configuration
Wazuh configuration
Microsoft Entra ID use case

The following are endpoints in the Microsoft Graph REST API related to auditing and monitoring activities in Microsoft Entra ID.

Report type	Query
Directory audits	`auditLogs/directoryaudits`
Sign-ins	`auditLogs/signIns`
Provisioning	`auditLogs/provisioning`

These endpoints allow administrators and developers to monitor and audit activities within Microsoft Entra ID for security, compliance, and operational purposes.

Wazuh can process Microsoft Entra ID activity reports using the above endpoints. Each one of them requires you to execute a different query. You will place these queries within the command block of your Wazuh module for Azure configuration.

Configuration

Azure

Creating the application

This section explains creating an application using the Azure Log Analytics REST API. However, it is also possible to configure an existing application. If this is the case, skip this step.

In the Microsoft Entra ID panel, select App registrations. Then, select New registration.
Give the app a descriptive name, select the appropriate account type, and click Register.

The app is now registered.

Granting permissions to the application

Click on the application, go to the Overview section, and save the Application (client) ID for later authentication.
Select the Add a permission option in the API permissions section.
Search for "Microsoft Graph" and select the API.
Select the permissions in Applications permissions that align with your infrastructure. In this case, AuditLog.Read.All permissions will be granted. Then, click Add permissions.
Use an admin user to Grant admin consent for the tenant.

Obtaining the application key for authentication

To use the Log Analytics API to retrieve the logs, we must generate an application key to authenticate the Log Analytics API. Follow the steps below to generate the application key.

Select Certificates & secrets, then select New client secret to generate a key.
Give an appropriate description, set a preferred duration for the key, and then click Add.
Copy the key value. This would be later used for authentication.

Note

Copy the key before exiting this page, as it will only be displayed once. If you do not copy it before exiting the page, you will have to generate a fresh key.

Wazuh server or agent

You will use the key and ID of the application saved during the previous steps here. In this case, both fields were saved in a file for authentication. Check the Configuring Azure credentials section for more information about this topic.

Apply the following configuration to the local configuration file /var/ossec/etc/ossec.conf of the Wazuh server or agent. This will depend on where you configured the Wazuh module for Azure:
```
<wodle name="azure-logs">
  <disabled>no</disabled>
  <wday>Monday</wday>
  <time>2:00</time>
  <run_on_start>no</run_on_start>

  <graph>
    <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
    <tenantdomain>wazuh.com</tenantdomain>
    <request>
        <tag>microsoft-entra_id</tag>
        <query>auditLogs/directoryAudits</query>
        <time_offset>1d</time_offset>
    </request>
  </graph>

</wodle>
```
Where:
- <auth_path> is the full path of where the workspace secret key is stored.
- <tenantdomain> is the tenant domain name. You can obtain this from the Overview section in Microsoft Entra ID
- <wday> is the day of the week scheduled for the scan
- <query> is the path to where the audit logs are stored.
- <time> is the time scheduled for the scan.
- <time_offset> set to 1d means that only the log data from the last day is parsed.
Restart your Wazuh server or agent, depending on where you configured the Wazuh module for Azure.

Wazuh agent:
```
# systemctl restart wazuh-agent
```
Wazuh server:
```
# systemctl restart wazuh-manager
```

Check the Wazuh module for Azure reference for more information about using the different available parameters. Please see the Wazuh Azure authentication file section for guidance on how to set up credentials to monitor your Microsoft Entra ID.

Warning

The field tenantdomain is mandatory. You can obtain it from the Overview section in Microsoft Entra ID.

Use case

Monitoring Microsoft Entra ID

Microsoft Entra ID is the identity and directory management service that combines essential directory services, application access management, and identity protection in a single solution.

Wazuh can monitor the Microsoft Entra ID (ME-ID) service using the activity reports provided by the Microsoft Graph REST API. Microsoft Graph API can perform read operations on directory data and objects on Microsoft Entra ID applications.

Here is an example of Microsoft Entra ID activity monitoring using the above configuration.

Create a new user

Create a new user in Azure. A successful user creation activity will produce a log to reflect it. You can retrieve this log using the auditLogs/directoryAudits query.

Navigate to Users > All users, select New user > Create new user.
Fill in the required details and click Review + create. The user is now created.

You can check for the result of the successful user creation in the Audit logs section of Microsoft Entra ID.

Once the integration is running, the results will be available in the Security Events tab of the Wazuh dashboard.

Monitoring Microsoft Graph services with Wazuh

The Microsoft Graph API is a comprehensive system that provides access to data across the full suite of Microsoft cloud services, including Microsoft 365, Azure, Dynamics 365, and other Microsoft cloud services. It is an endpoint for accessing structured data, insights, and rich relationships from the Microsoft Cloud ecosystem.

This section provides instructions for monitoring your organization's Microsoft Graph API resources and relationships using the Wazuh module for Microsoft Graph.

The Wazuh module for Microsoft Graph allows you to monitor the following:

Microsoft Entra ID Protection
Microsoft 365 Defender
Microsoft Defender for Cloud Apps
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Defender for Office 365
Microsoft Purview eDiscovery
Microsoft Purview Data Loss Prevention (DLP)

The data from these services is visualised using the Wazuh Microsoft API Dashboard

While these are fundamental to the security resource, you can monitor many additional resources using the Microsoft Graph API. See the Overview of Microsoft Graph documentation to learn more.

Note

The security resource can be considered mature, as it has been tested with pre-made rules. However, your organization can ingest logs from other resources into your Wazuh deployment.

Retrieving content

To retrieve a set of logs from Microsoft Graph, make a GET request using the URL below:

GET https://graph.microsoft.com/{version}/{resource}/{relationship}?{query-parameters}

A description of the current production version of the Microsoft Graph API can be found in the Overview of Microsoft Graph.

Alternatively, the API can be tested directly in the Microsoft Graph Explorer.

Microsoft Graph API setup

Wazuh must be authorized before it can pull logs and other content from the Microsoft Graph API. This authentication process is possible using the tenant_id, client_id, and secret_value of an authorized application, which we will register through Azure.

Registering your app

Register an application to authenticate with the Microsoft identity platform endpoint.
Fill in the name of your app, choose the desired account type, and click on the Register button:

The app is now registered; you can see information about it in its Overview section. Make sure to note down the client_id and tenant_id information:

Certificates & secrets

Generate a secret you will use for the authentication process. Go to Certificates & secrets and click on New client secret, which will then generate the secret and its ID:
Ensure to copy and save the secret_value information:

Note

Ensure you write down the secret's value section, as the UI won't let you copy it later.

API permissions

Your application needs specific API permissions to retrieve logs and events from the Microsoft Graph API. The specific API permission required depends on the resource to be accessed. The comprehensive list of permissions is documented in Microsoft Graph permissions reference.

To configure the application permissions, go to the API permissions page and choose Add a permission.

Select Microsoft Graph API and click on Application permissions:
Add the following relationships' permissions under the SecurityAlert and SecurityIncident sections:
- SecurityAlert.Read.All: This permission is required to read security alerts from the /security/alerts_v2 API on your tenant.
- SecurityIncident.Read.All: This permission is required to read security incident data, including associated events/alerts from the /security/incidents API on your tenant.
Use an admin user to Grant admin consent for the tenant:

Note

An Admin account is required to Grant admin consent for Default Directory.

Wazuh server or agent

Next, we will set the necessary configurations to allow the Wazuh module for Microsoft Graph to pull logs from the Microsoft Graph API successfully.

Apply the following configuration to the local configuration file /var/ossec/etc/ossec.conf:
```
<ms-graph>
    <enabled>yes</enabled>
    <only_future_events>yes</only_future_events>
    <curl_max_size>10M</curl_max_size>
    <run_on_start>yes</run_on_start>
    <interval>5m</interval>
    <version>v1.0</version>
    <api_auth>
      <client_id><YOUR_APPLICATION_ID></client_id>
      <tenant_id><YOUR_TENANT_ID></tenant_id>
      <secret_value><YOUR_SECRET_VALUE></secret_value>
      <api_type>global</api_type>
    </api_auth>
    <resource>
      <name>security</name>
      <relationship>alerts_v2</relationship>
      <relationship>incidents</relationship>
    </resource>
    <resource>
      <name>deviceManagement</name>
      <relationship>auditEvents</relationship>
    </resource>
</ms-graph>
```
In this case, we will search for alerts_v2 and incidents within the security resource at an interval of 5m. The logs will only be created after the Wazuh module for Microsoft Graph starts.

Where:
- <client_id> (also known as an Application ID) is the unique identifier of your registered application.
- <tenant_id> (also known as Directory ID) is the unique identifier for your Azure tenant
- <secret_value> is the value of the client secret. It is used to authenticate the registered app on the Azure tenant.
- <api_type> specifies the type of Microsoft 365 subscription plan the tenant uses. global refers to either a commercial or GCC tenant.
- <name> specifies the resource's name (i.e., specific API endpoint) to query for logs.
- <relationship> specifies the types of content (relationships) to obtain logs for.
Restart your Wazuh server or agent, depending on where you configured the Wazuh module for Microsoft Graph.

Wazuh agent:
```
# systemctl restart wazuh-agent
```
Wazuh server:
```
# systemctl restart wazuh-manager
```

Note

Multi-tenant is not supported. You can only configure one block of api_auth. To learn more about the Wazuh module for Microsoft Graph options, see the ms-graph reference.

Use cases

Using the configuration mentioned above, we examine the following use cases:

Monitoring security resources.
Monitoring Microsoft Intune device management audit events.

Monitoring security resources

One ubiquitous alert an organisation of any size receives is spam email. In this case, we can examine a spam email containing malicious content and see how Microsoft Graph and Wazuh report on this information.

We can set up the Wazuh module for Microsoft Graph to monitor the security resource and the alerts_v2 relationship within our Microsoft 365 tenant described in Retrieving content. We also enable Microsoft Defender for Office 365 within the Microsoft 365 tenant. Microsoft Defender for Office 365 monitors email messages for threats such as spam and malicious attachments.

Detect malicious email

Enable Microsoft Defender for Office 365 and send a malicious email to an email address in the monitored domain. A malicious email detection activity will produce a log that can be accessed using the alerts_v2 relationship within the Microsoft 365 tenant.

Log in to Microsoft 365 Defender portal using an admin account.
Navigate to Policies & rules > Threat policies > Preset Security Policies.
Toggle the Standard protection is off button under Standard protection.
Click on Manage protection settings and follow the prompt to set up the policies.

When Microsoft Defender for Office 365 detects a malicious email event, a log similar to the following is generated. You can view this event using the Alerts tab of the Microsoft Defender for Office 365 page:

{
    "id":"xxxx-xxxx-xxxx-xxxx-xxxx",
    "providerAlertId":"xxxx-xxxx-xxxx-xxxx-xxxx",
    "incidentId":"xx",
    "status":"resolved",
    "severity":"informational",
    "classification":"truePositive",
    "determination":null,
    "serviceSource":"microsoftDefenderForOffice365",
    "detectionSource":"microsoftDefenderForOffice365",
    "detectorId":"xxxx-xxxx-xxxx-xxxx-xxxx",
    "tenantId":"xxxx-xxxx-xxxx-xxxx-xxxx",
    "title":"Email messages containing malicious file removed after delivery.",
    "description":"Emails with malicious file that were delivered and later removed -V1.0.0.3",
    "recommendedActions":"",
    "category":"InitialAccess",
    "assignedTo":"Automation",
    "alertWebUrl":"https://security.microsoft.com/alerts/xxxx-xxxx-xxxx-xxxx-xxxx?tid=xxxx-xxxx-xxxx-xxxx-xxxx",
    "incidentWebUrl":"https://security.microsoft.com/incidents/xx?tid=xxxx-xxxx-xxxx-xxxx-xxxx",
    "actorDisplayName":null,
    "threatDisplayName":null,
    "threatFamilyName":null,
    "mitreTechniques":[
        "T1566.001"
    ],
    "createdDateTime":"2022-11-13T23:48:21.9847068Z",
    "lastUpdateDateTime":"2022-11-14T00:08:37.5366667Z",
    "resolvedDateTime":"2022-11-14T00:07:25.7033333Z",
    "firstActivityDateTime":"2022-11-13T23:45:41.0593397Z",
    "lastActivityDateTime":"2022-11-13T23:47:41.0593397Z",
    "comments":[

    ],
    "evidence":[
        {
            "_comment":"Snipped"
        }
    ]
}

The Wazuh module for Microsoft Graph retrieves this log via the Microsoft Graph API. This log matches an out-of-the-box rule with ID 99506. This triggers an alert with the following details:

{
    "timestamp":"2024-08-29T14:53:15.301+0000",
    "rule":{
        "id":"99506",


           "level":6,


           "description":"MS Graph message: The alert is true positive and detected malicious activity.",
            "groups":["ms-graph"],
            "firedtimes":1,
            "mail":"false"
    },
    "agent":{
        "id":"001",
        "name":"ubuntu-bionic"
    },
    "manager":{
        "name":"ubuntu-bionic"
    },
    "id":"1623276774.47272",
    "decoder":{
        "name":"json"
    },
    "data":{
        "integration":"ms-graph",
        "ms-graph":{
            "id":"xxxx-xxxx-xxxx-xxxx-xxxx",
            "providerAlertId":"xxxx-xxxx-xxxx-xxxx-xxxx",
            "incidentId":"91",
            "status":"resolved",
            "severity":"informational",
            "classification":"truePositive",
            "determination":null,
            "serviceSource":"microsoftDefenderForOffice365",
            "detectionSource":"microsoftDefenderForOffice365",
            "detectorId":"xxxx-xxxx-xxxx-xxxx-xxxx",
            "tenantId":"xxxx-xxxx-xxxx-xxxx-xxxx",
            "title":"Email messages containing malicious file removed after delivery.",
            "description":"Emails with malicious file that were delivered and later removed -V1.0.0.3",
            "recommendedActions":"",
            "category":"InitialAccess",
            "assignedTo":"Automation",
            "alertWebUrl":"https://security.microsoft.com/alerts/xxxx-xxxx-xxxx-xxxx-xxxx?tid=xxxx-xxxx-xxxx-xxxx-xxxx",
            "incidentWebUrl":"https://security.microsoft.com/incidents/91?tid=xxxx-xxxx-xxxx-xxxx-xxxx",
            "actorDisplayName":null,
            "threatDisplayName":null,
            "threatFamilyName":null,
            "resource":"security",
            "relationship":"alerts_v2",
            "mitreTechniques":[
                "T1566.001"
            ],
            "createdDateTime":"2022-11-13T23:48:21.9847068Z",
            "lastUpdateDateTime":"2022-11-14T00:08:37.5366667Z",
            "resolvedDateTime":"2022-11-14T00:07:25.7033333Z",
            "firstActivityDateTime":"2022-11-13T23:45:41.0593397Z",
            "lastActivityDateTime":"2022-11-13T23:47:41.0593397Z",
            "comments":[

            ],
            "evidence":[
                {
                    "_comment":"Snipped"
                }
            ]
        }
    }
}

The alert is seen on the Wazuh dashboard.

Monitoring device management audit events

Intune event

Mobile Device Management (MDM) tools, such as Microsoft Intune, enable organizations to manage devices. By integrating Microsoft Graph with Wazuh, organizations can monitor Microsoft Intune logs.

For instance, if a user updates the enrollment settings, configuring the module to monitor the deviceManagement resource, the auditEvents relationship generates a JSON like the following:

{
    "id":"xxxx-xxxx-xxxx-xxxx-xxxx",
    "displayName": "Create DeviceEnrollmentConfiguration",
    "componentName": "Enrollment",
    "activity": null,
    "activityDateTime": "2024-08-09T18:29:00.7023255Z",
    "activityType": "Create DeviceEnrollmentConfiguration",
    "activityOperationType": "Create",
    "activityResult": "Success",
    "correlationId":"xxxx-xxxx-xxxx-xxxx-xxxx",
    "category": "Enrollment",
    "actor": {
        "auditActorType": "ItPro",
        "userPermissions": [
            "*"
        ],
        "applicationId":"xxxx-xxxx-xxxx-xxxx-xxxx",
        "applicationDisplayName": "Microsoft Intune portal extension",
        "userPrincipalName": "xxx@xxx.com",
        "servicePrincipalName": null,
        "ipAddress": null,
        "userId":"xxxx-xxxx-xxxx-xxxx-xxxx"
    },
    "resources": [
        {
            "displayName": "Test restriction",
            "auditResourceType": "DeviceEnrollmentLimitConfiguration",
            "resourceId":"xxxx-xxxx-xxxx-xxxx-xxxx",
            "modifiedProperties": [
                {
                    "displayName": "Id",
                    "oldValue": null,
                    "newValue":"xxxx-xxxx-xxxx-xxxx-xxxx_Limit"
                },
                {
                    "displayName": "Limit",
                    "oldValue": null,
                    "newValue": "5"
                },
                {
                    "displayName": "Description",
                    "oldValue": null,
                    "newValue": ""
                },
                {
                    "displayName": "Priority",
                    "oldValue": null,
                    "newValue": "1"
                },
                {
                    "displayName": "CreatedDateTime",
                    "oldValue": null,
                    "newValue": "8/9/2024 6:29:00 PM"
                },
                {
                    "displayName": "LastModifiedDateTime",
                    "oldValue": null,
                    "newValue": "8/9/2024 6:29:00 PM"
                },
                {
                    "displayName": "Version",
                    "oldValue": null,
                    "newValue": "1"
                },
                {
                    "displayName": "DeviceEnrollmentConfigurationType",
                    "oldValue": null,
                    "newValue": "Limit"
                },
                {
                    "displayName": "DeviceManagementAPIVersion",
                    "oldValue": null,
                    "newValue": "5023-03-29"
                },
                {
                    "displayName": "$Collection.RoleScopeTagIds[0]",
                    "oldValue": null,
                    "newValue": "Default"
                }
            ]
        }
    ]
}

In this example, you can look at rule ID 99652, which corresponds to the Microsoft Graph message "MDM Intune audit event.

<rule id="99652" level="3">
    <if_sid>99651</if_sid>
    <options>no_full_log</options>
    <field name="ms-graph.relationship">auditEvents</field>
    <description>MS Graph message: MDM Intune audit event.</description>
</rule>

Once Wazuh connects with the Microsoft Graph API, the previous log triggers the rule and raises the following Wazuh alert:

{
    "timestamp": "2024-08-09T18:29:03.362+0000",
    "rule": {
        "id": "99652",
        "level": 3,
        "description": "MS Graph message: MDM Intune audit event.",
        "firedtimes": 1,
        "mail": false,
        "groups": [
            "ms-graph"
        ]
    },
    "agent": {
        "id": "001",
        "name":"ubuntu-bionic"
    },
    "manager": {
        "name":"ubuntu-bionic"
    },
    "id": "1723228143.38630",
    "decoder": {
        "name": "json"
    },
    "data": {
        "integration": "ms-graph",
        "ms-graph": {
            "id": "xxxx-xxxx-xxxx-xxxx-xxxx",
            "displayName": "Create DeviceEnrollmentConfiguration",
            "componentName": "Enrollment",
            "activity": null,
            "activityDateTime": "2024-08-09T18:29:00.7023255Z",
            "activityType": "Create DeviceEnrollmentConfiguration",
            "activityOperationType": "Create",
            "activityResult": "Success",
            "correlationId": "xxxx-xxxx-xxxx-xxxx-xxxx",
            "category": "Enrollment",
            "actor": {
                "auditActorType": "ItPro",
                "userPermissions": [
                    "*"
                ],
                "applicationId": "xxxx-xxxx-xxxx-xxxx-xxxx",
                "applicationDisplayName": "Microsoft Intune portal extension",
                "userPrincipalName": "xxx@xxx.com",
                "servicePrincipalName": null,
                "ipAddress": null,
                "userId": "xxxx-xxxx-xxxx-xxxx-xxxx"
            },
            "resources": [
                {
                    "displayName": "Test restriction",
                    "auditResourceType": "DeviceEnrollmentLimitConfiguration",
                    "resourceId": "xxxx-xxxx-xxxx-xxxx-xxxx",
                    "modifiedProperties": [
                        {
                            "displayName": "Id",
                            "oldValue": null,
                            "newValue": "xxxx-xxxx-xxxx-xxxx-xxxx_Limit"
                        },
                        {
                            "displayName": "Limit",
                            "oldValue": null,
                            "newValue": "5"
                        },
                        {
                            "displayName": "Description",
                            "oldValue": null,
                            "newValue": ""
                        },
                        {
                            "displayName": "Priority",
                            "oldValue": null,
                            "newValue": "1"
                        },
                        {
                            "displayName": "CreatedDateTime",
                            "oldValue": null,
                            "newValue": "8/9/2024 6:29:00 PM"
                        },
                        {
                            "displayName": "LastModifiedDateTime",
                            "oldValue": null,
                            "newValue": "8/9/2024 6:29:00 PM"
                        },
                        {
                            "displayName": "Version",
                            "oldValue": null,
                            "newValue": "1"
                        },
                        {
                            "displayName": "DeviceEnrollmentConfigurationType",
                            "oldValue": null,
                            "newValue": "Limit"
                        },
                        {
                            "displayName": "DeviceManagementAPIVersion",
                            "oldValue": null,
                            "newValue": "5023-03-29"
                        },
                        {
                            "displayName": "$Collection.RoleScopeTagIds[0]",
                            "oldValue": null,
                            "newValue": "Default"
                        }
                    ]
                }
            ],
            "resource": "deviceManagement",
            "relationship": "auditEvents"
        }
    },
    "location": "ms-graph"
}

Microsoft Intune integration

Microsoft Intune is a cloud-based solution for managing various devices, including virtual endpoints, physical computers, mobile devices, and IoT devices. Integrating Microsoft Intune with Wazuh provides the following benefits:

It allows Wazuh to retrieve and process audit logs from managed devices using built-in decoders and rules, and generate insightful and actionable security alerts.
It enhances visibility into all managed endpoint activities, strengthening security monitoring across the organization.
It helps organizations ensure device administration aligns with compliance requirements, thus helping with maintaining security policies.

Wazuh integration with Microsoft Intune is available from Wazuh 4.10.0 and builds on the existing Microsoft Graph API integration. It operates synchronously, retrieving logs from managed endpoints at scheduled intervals. This integration allows the Wazuh agent to collect and process three types of data from Intune:

Audit events: Logs of actions and changes occurring within the Intune environment.
Managed devices: Information about devices managed by Intune.
Detected applications: Applications installed on managed devices as reported by Intune.

The configuration of this integration is handled via the Wazuh module for Microsoft Graph in the Wazuh agent. You must configure the deviceManagement resource (i.e., specific API endpoint) on the Wazuh agent with the following relationships to enable the integration:

auditEvents: Audit logs include a record of activities that generate a change in Microsoft Intune.
managedDevices: List of devices managed by Microsoft Intune.
detectedApps: List of applications managed by Microsoft Intune. The results will also include a list of devices where each app is installed.

Refer to the ms-graph configuration reference documentation for more information.

Configuration

Perform the following steps to integrate Microsoft Intune with Wazuh:

Configure the Microsoft Graph API permissions.
Configure the relationships.
Extend the Wazuh ruleset (optional).
Import custom dashboards.

Configure the Microsoft Graph API permissions

This integration allows Wazuh to pull data from the Microsoft Graph API. Before Wazuh can pull logs and other content from the Microsoft Graph API, it must be authorized and pass through an authentication process. Wazuh must provide the tenant_id, client_id, and secret_value of an authorized application that is registered through Azure.

This step involves configuring the API permissions required to access Microsoft Intune events via the Microsoft Graph API. The required permissions are:

DeviceManagementApps.Read.All: Read auditEvents and detectedApps relationship data from your tenant.
DeviceManagementManagedDevices.Read.All: Read auditEvents and managedDevices relationship data from your tenant.

For further information, please refer to the Microsoft Graph API setup guide.

Configure the relationships

The relationships auditEvents, managedDevices, and detectedApps need to be configured within the Wazuh module for Microsoft Graph in the Wazuh agent. This configuration enables Wazuh to search for logs created by Microsoft Graph resources and relationships.

In the example below, we search for auditEvents, managedDevices, and detectedApps type events within the deviceManagement resource at an interval of 5m. The logs will only be those that were created after the module was started.

Perform the following steps on the Wazuh agent:

Edit the Wazuh agent configuration file /var/ossec/etc/ossec.conf and add the following to enable the Wazuh module for Microsoft Graph with the desired relationships:

<ossec_config>
  <ms-graph>
    <enabled>yes</enabled>
    <only_future_events>yes</only_future_events>
    <curl_max_size>10M</curl_max_size>
    <run_on_start>yes</run_on_start>
    <interval>5m</interval>
    <version>v1.0</version>
    <api_auth>
      <tenant_id><YOUR_TENANT_ID></tenant_id>
      <client_id><YOUR_CLIENT_ID></client_id>
      <secret_value><YOUR_SECRET_VALUE></secret_value>
      <api_type>global</api_type>
    </api_auth>
    <resource>
      <name>deviceManagement</name>
      <relationship>auditEvents</relationship>
      <relationship>managedDevices</relationship>
      <relationship>detectedApps</relationship>
    </resource>
  </ms-graph>
</ossec_config>

Replace:

<YOUR_TENANT_ID> with the tenant ID of the application registered in Azure.
<YOUR_CLIENT_ID> with the client ID of the application registered in Azure.
<YOUR_SECRET_VALUE> with the secret associated with the application registered in Azure.

Save the changes and restart the Wazuh agent to effect the changes:
```
# systemctl restart wazuh-agent
```

For more configuration details, refer to the ms-graph configuration reference documentation.

Note

To avoid duplicate alerts, this setting should be added to only one Wazuh agent.

Extend the Wazuh ruleset

You can extend the ruleset to customize the hierarchy of detection rules. The Wazuh manager includes a basic ruleset to detect events and inventory items collected by the Wazuh agent. To customize detection rules for Microsoft Intune data, extend the Wazuh ruleset by following the ruleset customization documentation. This allows you to tailor the hierarchy and behavior of detection rules to meet specific requirements.

Note

The Wazuh manager includes a set of inbuilt rules that aid in classifying the importance and context of different events.

The official rules associated with Microsoft Intune are:

<group name="ms-graph,">
  <rule id="99651" level="3">
       <if_sid>99500</if_sid>
       <options>no_full_log</options>
       <field name="ms-graph.resource">deviceManagement</field>
       <description>MS Graph message: MDM Intune event.</description>
   </rule>

   <rule id="99652" level="3">
       <if_sid>99651</if_sid>
       <options>no_full_log</options>
       <field name="ms-graph.relationship">auditEvents</field>
       <description>MS Graph message: MDM Intune audit event.</description>
   </rule>

   <rule id="99653" level="3">
       <if_sid>99651</if_sid>
       <options>no_full_log</options>
       <field name="ms-graph.relationship">managedDevices</field>
       <description>MS Graph message: MDM Intune device.</description>
   </rule>

   <rule id="99654" level="3">
       <if_sid>99651</if_sid>
       <options>no_full_log</options>
       <field name="ms-graph.relationship">detectedApps</field>
       <description>MS Graph message: MDM Intune app.</description>
   </rule>
</group>

The image below shows Microsoft Intune alerts generated on the Wazuh dashboard.

Below, we show sample alerts for some of the relationships we configured previously.

Sample alert for detectedApps:

In the example below, Microsoft Intune detects the application Freeform on one of the managed devices. As a result, the JSON below is generated:

{
  "_index": "wazuh-alerts-4.x-2025.01.21",
  "_id": "m3R0iZQBy8z-qvGHPpVH",
  "_score": null,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "X.X.X.X",
      "name": "Windows-10",
      "id": "001"
    },
    "manager": {
      "name": "wazuh-server"
    },
    "data": {
      "ms-graph": {
        "deviceCount": "1",
        "resource": "deviceManagement",
        "displayName": "Freeform",
        "managedDevices": [
          {
            "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
            "deviceName": "xxxxxxxx"
          }
        ],
        "id": "cb7d25a27a1d420817229d272fd27a039b4c330380fc29b2ccc1d3f01e1cfa78",
        "relationship": "detectedApps",
        "version": "2.0",
        "sizeInByte": "0",
        "platform": "macOS"
      },
      "integration": "ms-graph",
      "scan_id": "594315551"
    },
    "rule": {
      "firedtimes": 865,
      "mail": false,
      "level": 3,
      "description": "MS Graph message: MDM Intune app.",
      "groups": [
        "ms-graph"
      ],
      "id": "99654"
    },
    "location": "ms-graph",
    "decoder": {
      "name": "json-msgraph"
    },
    "id": "1737472881.2773328",
    "timestamp": "2025-01-21T15:21:21.941+0000"
  },
  "fields": {
    "timestamp": [
      "2025-01-21T15:21:21.941Z"
    ]
  },
  "sort": [
    1737472881941
  ]
}

Sample alert for managedDevices:

In the example below, Microsoft Intune detects information about a managed device. As a result, the JSON below is generated:

{
  "_index": "wazuh-alerts-4.x-2025.01.21",
  "_id": "ynR3iZQBy8z-qvGHYZae",
  "_score": null,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "X.X.X.X",
      "name": "Windows-10",
      "id": "001"
    },
    "manager": {
      "name": "wazuh-server"
    },
    "data": {
      "ms-graph": {
        "azureADRegistered": "true",
        "deviceRegistrationState": "registered",
        "deviceActionResults": [],
        "easDeviceId": "XXXXXXXXXXXXXXXXXXX",
        "complianceState": "noncompliant",
        "partnerReportedThreatState": "unknown",
        "deviceName": "XXXXXXXXXXXXXXXXXXX",
        "operatingSystem": "Windows",
        "manufacturer": "HP",
        "osVersion": "10.0.22631.4037",
        "lastSyncDateTime": "2024-09-23T18:38:44Z",
        "isEncrypted": "false",
        "exchangeAccessStateReason": "none",
        "totalStorageSpaceInBytes": "478772461568.000000",
        "model": "HP Pavilion Laptop 15-cs0xxx",
        "wiFiMacAddress": "XXXXXXXXXXXXXXXXXXX",
        "id": "XXXXXXXXXXXXXXXXXXX",
        "managedDeviceOwnerType": "company",
        "exchangeLastSuccessfulSyncDateTime": "0001-01-01T00:00:00Z",
        "relationship": "managedDevices",
        "userPrincipalName": "XXXXXXXXXXXXXXXXXXX",
        "easActivationDateTime": "0001-01-01T00:00:00Z",
        "jailBroken": "Unknown",
        "serialNumber": "XXXXXX",
        "resource": "deviceManagement",
        "easActivated": "true",
        "exchangeAccessState": "none",
        "deviceEnrollmentType": "deviceEnrollmentManager",
        "userDisplayName": "Tomás",
        "freeStorageSpaceInBytes": "153643646976.000000",
        "managedDeviceName": "XXXXXXXXXXXXXXXXXXX",
        "userId": "XXXX-XXXX-XXXX-XXXXXXX",
        "managementAgent": "mdm",
        "isSupervised": "false",
        "azureADDeviceId": "XXXX-XXXX-XXXX-XXXXXXX",
        "deviceCategoryDisplayName": "Unknown",
        "physicalMemoryInBytes": "0",
        "managementCertificateExpirationDate": "2025-08-29T20:39:04Z",
        "complianceGracePeriodExpirationDateTime": "2024-10-23T23:52:11Z",
        "enrolledDateTime": "2024-08-30T19:48:53Z"
      },
      "integration": "ms-graph",
      "scan_id": "1365180664"
    },
    "rule": {
      "firedtimes": 6,
      "mail": false,
      "level": 3,
      "description": "MS Graph message: MDM Intune device.",
      "groups": [
        "ms-graph"
      ],
      "id": "99653"
    },
    "location": "ms-graph",
    "decoder": {
      "name": "json-msgraph"
    },
    "id": "1737473086.3097425",
    "timestamp": "2025-01-21T15:24:46.407+0000"
  },
  "fields": {
    "data.ms-graph.exchangeLastSuccessfulSyncDateTime": [
      "0001-01-01T00:00:00.000Z"
    ],
    "timestamp": [
      "2025-01-21T15:24:46.407Z"
    ],
    "data.ms-graph.enrolledDateTime": [
      "2024-08-30T19:48:53.000Z"
    ],
    "data.ms-graph.complianceGracePeriodExpirationDateTime": [
      "2024-10-23T23:52:11.000Z"
    ],
    "data.ms-graph.managementCertificateExpirationDate": [
      "2025-08-29T20:39:04.000Z"
    ],
    "data.ms-graph.lastSyncDateTime": [
      "2024-09-23T18:38:44.000Z"
    ],
    "data.ms-graph.easActivationDateTime": [
      "0001-01-01T00:00:00.000Z"
    ]
  },
  "sort": [
    1737473086407
  ]
}

Import custom dashboards

Import the predefined dashboards to visualize Microsoft Intune alerts in the Wazuh dashboard. These dashboards are not configured out-of-the-box on Wazuh deployments and are provided as separate packages. Perform the following steps to import the Microsoft Intune dashboards:

Download the MS graph Intune events and Intune managed devices and apps dashboards.
Import the downloaded dashboards using the Wazuh dashboard import functionality. Navigate to Dashboard management > Dashboards Management > Saved objects on the Wazuh dashboard. Click Import.
Select one of the downloaded files and click on Import. Repeat this step for the other file.
Access the dashboards from the Saved objects tab. Alternatively, navigate to Explore > Dashboards to view the dashboards.

Dashboard examples

Monitoring GitHub

GitHub is a cloud-based platform that provides version control and collaboration tools for software development projects. It offers an API that enables developers to interact with it programmatically. GitHub provides an audit logging feature that records events as they occur within an organization. Organizations can leverage the audit log to track changes and monitor user activities, therefore enhancing transparency.

This section describes how to monitor GitHub audit logs for your organization. Wazuh can monitor the following GitHub activities:

Access to your organization or repository settings.
Changes in repository permissions.
User addition or removal in an organization, repository, or team.
Changes in members privilege.
Changes to permissions of a GitHub App.
Git events such as cloning, fetching, and pushing.

Contents

Monitoring GitHub audit logs

Organizational administrators proactively utilize GitHub audit logs to review the actions performed by members within their organization. It includes details such as the user who performs the action, the nature of the action, and the timestamp of its execution. The Wazuh module for GitHub enables the collection of audit logs from GitHub through its API. Wazuh initiates an HTTP GET request to GitHub API endpoint /orgs/{org}/audit-log to collect the audit logs. For further details, you can refer to the GitHub REST API documentation.

Requirements for monitoring GitHub audit logs

You need the following requirements on GitHub to access the audit logs with Wazuh.

GitHub organization: You can only view audit logs for GitHub organizations.
GitHub Enterprise Cloud subscription: Only organizations with a GitHub Enterprise Cloud subscription can use the GitHub audit log REST API.

Creating a personal access token on GitHub

Take the following steps on GitHub to generate the required personal access token:

Sign into GitHub with an account that belongs to the organization owner.
Navigate to https://github.com/settings/tokens/new to create a new personal access token.
Include a descriptive note for the personal access token, and select an expiration time.
Scroll down, select audit_log, and click Generate token.
Copy the newly generated personal access token.

Configure Wazuh to pull GitHub logs

Perform the following steps to allow Wazuh to monitor, collect, and analyze the GitHub audit logs. You can either configure the Wazuh module for GitHub in the Wazuh server or the Wazuh agent.

Append the following configuration to the /var/ossec/etc/ossec.conf file on the Wazuh server.
```
<ossec_config>
  <github>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <time_delay>1m</time_delay>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <org_name><ORG_NAME></org_name>
      <api_token><API_TOKEN></api_token>
    </api_auth>
    <api_parameters>
      <event_type>all</event_type>
    </api_parameters>
  </github>
</ossec_config>
```
Where:
- <enabled>: Enables the Wazuh module for GitHub. The allowed values are yes and no.
- <interval>: Defines the time interval between each execution of the Wazuh module for GitHub. The default value is 10m, and the allowed value is any positive number that contains a suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours), and d (days).
- <time_delay>: Specifies the delay time of the scan with respect to the current time. The default value is 30s, and the allowed value is any positive number that contains a suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours), and d (days).
- <curl_max_size>: Specifies the maximum size allowed for the GitHub API response. The default value is 1M, and the allowed value is any positive number that contains a suffix character indicating a size unit, such as b/B (bytes), k/K (kilobytes), m/M (megabytes), and g/G (gigabytes).
- <only_future_events>: When set to yes, the Wazuh module for GitHub collects only events generated after you start the Wazuh manager. when set to no, it collects previous events generated before you start the Wazuh manager. The default value is yes, and the allowed values are yes and no.
- <api_auth>: This block configures the credential for the authentication with the GitHub REST API. The following tags <org_name> and <api_token> are configuration tags within <api_auth>.
  - <org_name>: Name of your GitHub organization. The allowed value is any string.
  - <api_token>: Personal access token to authenticate with the GitHub API. The allowed value is any string.
- <api_parameters>: This block configures the internal options in the GitHub REST API. One sub-configuration block within <api_parameters> is <event_type>.
  - <event_type>: Specifies the event types Wazuh should collect. The available event types are web and git events. The default value for this configuration block is all, to collect both web and git events. Allowed values are all, web, and git.
To learn more about the configuration options, refer to the Wazuh module for GitHub reference.
Restart the Wazuh manager or agent service to apply the changes:
- Wazuh manager
```
# systemctl restart wazuh-manager
```
- Wazuh agent
```
# systemctl restart wazuh-agent
```

Monitor multiple GitHub organizations

You can monitor multiple GitHub organizations with Wazuh by specifying the organization credentials in individual <api_auth> sections. For example, the following configuration monitors two organizations named organization1 and organization2.

<github>
  <enabled>yes</enabled>
  <interval>1m</interval>
  <time_delay>1m</time_delay>
  <curl_max_size>1M</curl_max_size>
  <only_future_events>no</only_future_events>

  <api_auth>
    <org_name>organization1</org_name>
    <api_token><API_TOKEN></api_token>
  </api_auth>

  <api_auth>
    <org_name>organization2</org_name>
    <api_token><API_TOKEN></api_token>
  </api_auth>

  <api_parameters>
    <event_type>git</event_type>
  </api_parameters>
</github>

Where:

<API_TOKEN> is the GitHub personal access token created within the admin:org scope.

Use case

Requirements

Integrate Wazuh with GitHub according to the monitoring GitHub activity documentation.
An Ubuntu 23.10 endpoint with curl installed.

GitHub

Create a GitHub personal access token within the admin:org, repo, and delete_repo scopes. We will use this token with the GitHub REST API to test the use cases by performing actions on the organization that trigger alerts on Wazuh. Take the following steps to create the token:

Navigate to https://github.com/settings/tokens/new, add a note for the token, select your desired expiration time, and then select the repo and the admin:org scopes.
Scroll to the bottom of the page, then select the delete_repo scope and click the Generate token button.
Copy the newly generated personal access token.

Ubuntu endpoint

Detect organization members’ manipulation

Invite a member

Take the following steps to invite a member to your organization.

Run the following command on the Ubuntu endpoint:

# curl -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <API_TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/orgs/<ORG_NAME>/invitations \
  -d '{"email":"<USER_EMAIL>","role":"direct_member"'

Where:

<API_TOKEN> is the GitHub personal access token created within the admin:org scope.
<ORG_NAME> is your organization name.
<USER_EMAIL> is the email address of the user you want to invite.

Go to the invited member’s mailbox and accept the invite.

Promote a member to administrator

Run the following command to promote a member of your organization to the role of an administrator:

# curl \
  -u <ADMIN_USERNAME>:<API_TOKEN> \
  -X PUT \
  -H "Accept: application/vnd.github.v3+json" https://api.github.com/orgs/<ORG_NAME>/memberships/<MEMBER_USERNAME> \
   -d '{"role":"admin"}'

Where:

<ADMIN_USERNAME> is the username of a current administrator. For example, the username of the owner of the organization.
<API_TOKEN> is the GitHub personal access token created within the admin:org scope.
<ORG_NAME> is your organization name.
<MEMBER_USERNAME> is the username of the user you want to promote.

Create a new team

Run the following command to create a new team in your organization:

# curl -X POST \
     -H "Authorization: Bearer <API_TOKEN>" \
     -d '{"name": "<NEW_TEAM_NAME>"}' \
     "https://api.github.com/orgs/<ORG_NAME>/teams"

Where:

<NEW_TEAM_NAME> is the name of the new team.
<API_TOKEN> is the GitHub personal access token created within the admin:org scope.
<ORG_NAME> is your organization name.

The image below shows the alerts generated on the Wazuh dashboard after we performed the above actions on the monitored GitHub organization.

GitHub members monitoring alerts dashboard

Detect changes to a repository

Create a new repository

Run the following command to create a new repository:

# curl -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <API_TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/orgs/<ORG_NAME>/repos \
  -d '{"name":"<NEW_REPO_NAME>"}'

Where:

<API_TOKEN> is the GitHub personal access token created within the repo scope.
<ORG_NAME> is your organization name.
<NEW_REPO_NAME> is the name of the repository you want to create.

Add a team to your repository

Run the following commands to list teams and add a team to your repository:

List the team IDs in your organization.

# curl -H "Authorization: Bearer <API_TOKEN>" "https://api.github.com/orgs/<ORG_NAME>/teams"

Input the ID of the team you want to add to your repository.
```
# curl -X PUT \
     -H "Authorization: Bearer <API_TOKEN>" \
     -d '{"permission": "push"}' \
     "https://api.github.com/teams/<TEAM_ID>/repos/<ORG_NAME>/<REPO_NAME>"
```
Where:
- <TEAM_ID> is the team ID.
- <API_TOKEN> is the GitHub personal access token created within the admin:org scope.
- <ORG_NAME> is your organization name.
- <REPO_NAME> is the name of the repository you want to add a team to.

Manage privileges

Run the following command to grant members of your team administrator privileges on the repository:

# curl \
-u <ADMIN_USERNAME>:<API_TOKEN> \
-X PUT \
-H "Accept: application/vnd.github.v3+json" https://api.github.com/orgs/<ORG_NAME>/teams/<TEAM_NAME>/repos/<ORG_NAME>/<REPO_NAME> \
 -d '{"permission":"admin"}'

Where:

<ADMIN_USERNAME> is the username of the user that has permission to promote a user to admin
<API_TOKEN> is the GitHub personal access token created within the admin:org scope.
<ORG_NAME> is your organization name.
<REPO_NAME> is the name of the repository you want to manage its team’s access.
<TEAM_NAME> is the name of the specific team in your repository.

Delete repository

Run the following command to delete a repository in your organization:

# curl -L \
  -X DELETE \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <API_TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/<ORG_NAME>/<REPO_NAME>

Where:

<API_TOKEN> is the GitHub personal access token created within the delete_repo scope.
<ORG_NAME> is your organization name.
<REPO_NAME> is the name of the repository you want to delete from your organization.

Delete team

Run the following command to delete the team you created:

# curl -L \
  -X DELETE \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <API_TOKEN>" \
  https://api.github.com/orgs/<ORG_NAME>/teams/<TEAM_NAME>

Where:

<API_TOKEN> is the GitHub personal access token created within the admin:org scope.
<ORG_NAME> is your organization name.
<TEAM_NAME> is the name of the specific team in your repository.

The image below shows the alerts generated on the Wazuh dashboard after we performed the above actions on the monitored GitHub organization.

GitHub repository monitoring alerts dashboard

Monitoring Google Cloud

Google Cloud is a comprehensive suite of cloud computing services provided by Google. It offers various infrastructure and application services, enabling businesses to efficiently deploy, build, and scale applications as needed.

Wazuh offers security monitoring, incident response, and regulatory compliance capabilities that enhance the security posture of your Google Cloud infrastructure. You can install Wazuh agents on your Google Cloud instances or configure Wazuh modules to integrate with supported Google Cloud services. This allows you to analyze events and receive real-time alerts for anomalies within your Google Cloud environment.

Contents

Monitoring Google Cloud instances

You can install the Wazuh agent directly on Google Cloud virtual machines or instances for Linux, Windows, and macOS operating systems. Once installed, Wazuh agents collect security data from the monitored endpoints and transmit it to the Wazuh server for analysis. Security protection is applied to the monitored endpoints based on the analysis and the detected events.

Monitoring Google Cloud services

Wazuh provides modules that integrate with the Google Cloud Pub/Sub and Google Cloud Storage bucket services. Pub/Sub is a Google Cloud messaging service that allows communications between independent applications while Cloud Storage is a managed service that allows you to store and distribute your data in Google Cloud. The Wazuh modules for monitoring Google Cloud fetches different events such as data access, privileged activities, system events, and DNS queries from your Google Cloud infrastructure.

These log collection and analysis capabilities allow organizations that rely on Google Cloud Platform for their infrastructure, providing them with the ability to proactively monitor activities and respond effectively to security incidents within their cloud environment.

Further sections highlight the prerequisites for monitoring Google Cloud supported services.

Prerequisites

You can configure either the Wazuh server or the agent to collect logs from Google Cloud Pub/Sub or storage buckets. You need to install dependencies and configure Google Cloud credentials on the endpoint you want to perform the integration to access the supported services. Take a look at the following sections:

Installing dependencies

You can configure the Wazuh module for GCP either in the Wazuh manager or in a Wazuh agent. This choice depends solely on how you access your GCP infrastructure in your environment.

You only need to install dependencies when configuring the integration with GCP in a Wazuh agent. The Wazuh manager already includes all the necessary dependencies.

Python

The Wazuh module for GCP is compatible with Python 3.8–3.13. While later Python versions should work as well, we can't assure they are compatible. If you do not have Python 3 already installed, run the following command on your monitored endpoint.

# apt-get update && apt-get install python3

# yum update && yum install python3

# apt-get update && apt-get install python3-pip

# yum update && yum install python3-pip

We recommend using Pip 19.3 or later to simplify the installation of the dependencies. Run this command to check your pip version.

# pip3 --version

An example output is as follows.

pip 22.0.2 from /usr/lib/python3/dist-packages/pip (python 3.10)

If your pip version is less than 19.3, run the following command to upgrade the version.

# pip3 install --upgrade pip

# pip3 install --upgrade pip --break-system-packages

Note

This command modifies the default externally managed Python environment. See the PEP 668 description for more information.

To prevent the modification, you can run pip3 install --upgrade pip within a virtual environment. You must update the shebang of the /var/ossec/wodles/gcloud/gcloud Python script with the interpreter in your virtual environment. For example, #!/path/to/your/virtual/environment/bin/python3.

Google Cloud pip dependencies

google-cloud-pubsub and google-cloud-storage are the official Python libraries supported by Google to manage Google Cloud Pub/Sub and Cloud Storage resources.

Google Cloud Pub/Sub API is used to pull the log messages from the Pub/Sub queue, while Google Cloud Storage API is used to store and retrieve data.

Run the following command to install the dependencies depending on your Python version:

$ sudo pip3 install google-cloud-core==1.7.1 google-cloud-pubsub==2.7.1 google-cloud-storage==1.39.0 pytz==2020.1 setuptools==68.0.0

$ sudo pip3 install --break-system-packages google-cloud-core==1.7.1 google-cloud-pubsub==2.7.1 google-cloud-storage==1.39.0 pytz==2020.1 setuptools==68.0.0

Note

If you're using a virtual environment, remove the --break-system-packages parameter from the command above.

Creating Google Cloud credentials

You need to authenticate Wazuh to Google Cloud to pull events and log data from the Google Pub/Sub or Google Storage services. You must create a new service account and add roles depending on the desired module. A service account must have Pub/Sub permissions, Storage permissions, or both, along with a private key. It is important to save this private key in a JSON format as it will be used as the authentication method for the Wazuh Google Cloud modules.

Creating a service account

On your Google Cloud Platform console, navigate to the IAM & Admin > Service Accounts section or search for Service Account in the top center search bar.
Click on + CREATE SERVICE ACCOUNT.
Add a name and description and click on CREATE AND CONTINUE.
Add roles to the service account:
- For the Wazuh module for Google Cloud Pub/Sub, add two roles with Pub/Sub permissions:
  - Pub/Sub Publisher
  - Pub/Sub Subscriber
- For the Wazuh module for Google Cloud Storage buckets, add the following roles with Google Cloud Storage bucket permissions:
  - Storage Object User
  - Storage Insights Collector Service
Depending on your requirement, the service account can have the roles for authenticating to both Google Cloud Pub/Sub and Storage services.
Click Done to complete the creation of the service account.

Creating a credentials file for the service account

A credentials file is required by the Wazuh Google Cloud modules to access the Google Cloud Pub/Sub or Google Cloud Storage bucket services. You must add a new private key after creating a service account on Google Cloud. The private key, project ID, and other information are stored in a credentials file created on Google Cloud. The credential file is in JSON format.

Perform the following steps to add a new key to the service account.

Select the Service Account option from IAM & Admin.
From the KEYS tab, click on the ADD KEY dropdown button and select Create Key.

Select JSON, and click CREATE to complete the action.

The credentials file will be downloaded on the endpoint accessing the Google Cloud console. See an example below of the format of a credentials file:

{
   "type": "service_account",
   "project_id": "wazuh-gcloud-123456",
   "private_key_id": "1f7578bcd3e41b54febdac907f9dea7b5d1ce352",
   "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxjzFuu7kO+sfY\nXPq0EZo1Oth9YjCyrhIQr6XavJQyD/OT9gcd9Q5+/VvLwCXBijEgVdXFQf5Tcsh2\ndpp/hOjGuc7Lh9Kk+DtebUDZ9AIF92LvRX2yKJJ4a6zqV9iEqCfxAhSrwsYMLnp0\nGbxG0ACUR/VdLv8U2ctNDG4DL8jk6yYowABbsL/074GOFWtwW99w1BJb09+l0f2l\njIom15iY897W1gjOBskM7fsHm3WwlCwD/+4PPodp8PRIjvefnMwx7E0Lu6IcJ8Kg\n4Rhm1Rk5hJWKWEgQHmZ4ik4kc/FKdHRMGERkMY5VVYoZ6bUx7OdhF7Vt3HVZDA88\nsx9fbTBxAgMBAAECggEAAWSAHMA4KVfqLVY9WSAyN2yougMFIsGevqbCBD8qYmIh\npO1vDNsZLAHMsIJnSWdOD1TdAlkMJ5dk3xj7CTj/ol9esdX03vpbbNgqhAsX4PgZ\nvIqs+7K5w1wE1SmvNwsilQ9RHi++4eWTbEmvYlbLSl5uHDb8JSu4HniUfE3po3H5\nWDj01OMSe9dhaXrzhqOn2qo37XJ9xF1VCSkY3JRj3cY7W7crVE3UmDyYT+ZE1Tei\nyYhrZh1QDFeQVCFiHEP3RA1T/MYaFn1ylkwGcvgFvoB81vOJaVEXh1Xldwx/6KZC\nyrXBlnVqa//IuCtEE4zTl146G99kRdQFrAdqTadlSQKBgQDauQefH+zCpxTaO03E\nlzGoXr9mxo6Rzhim60e+uDgkCnDhElc3rqiuxFH6QNORa2/A/zvc7iHYZsu8QAvB\n776S9rrpxHoc1271fLqzMBR6gDkTzh/MjUJnsPNjnfehE2h6U8Zoeq755Xv9S85I\nuk9bIJzs5JH6xBEDxnIb/ier5wKBgQDP0i9jTb5TgrcqYYpjURsHGQRv+6lOaZrC\nD94vNDmhTLg3kW5b2BD0ZeZwGCwiSOSqL/5fjlRie94pPnIn6pm5uGgndgdRLQvw\nIdpRyvAUAOY7SnoLhZjVue4syzwV3k7+d4x7LrzpZclBH8uc3sLU3vOSsmFRIkf+\nfK9qcVv15wKBgQDL2fHRi/algQW9U9JqbKQakZwAVQThvd1aDSVECvxAEv8btnVV\nb1LF+DGTdUH6YdC5ZujLQ6KFx2ERZfvPV/wdixmv8LADG4LOB98WTLR5a/JGlDEs\n+2ctr01YxgzasnUItfXQwK8+N3U1Iab0P7jgbOf1Hh80QfK9uwH1Nw6QdwKBgCuP\nigFNpWxJxOzsPx6sPHcTZlu2q3lVJ2wv+Ul5r+7AbwiuwiwcMQmZZmDuoCmbj9qg\nbrhG1CdEgX+xqCn3wbstDR/gXI5GW+88mU91szbuLVQWO1i46x05eNQI0ZJf47zx\nABA97rkZbcLp0DsUclA+X13LaByii+aq6fXsxvLXAoGBALzkBzJ/SOvotz/UnBxl\nGU9QWmptZttaqtLKizPNQZpY1KO9VxeyoGbkTnN0M58ktpIp8LGlSJejk/tkRKBG\nUFRW/v49GW3eCgl4D+MOTFLCJDT68D2lp4F9hdBHsoH17ZdHy8rennmJN3QExIjx\n0xoq6OYjjzNwhFqkPl0H6HrM\n-----END PRIVATE KEY-----\n",
   "client_email": "wazuh-mail@wazuh-gcloud-123456.iam.gserviceaccount.com",
   "client_id": "102784232161964177687",
   "auth_uri": "https://accounts.google.com/o/oauth2/auth",
   "token_uri": "https://oauth2.googleapis.com/token",
   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
   "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/wazuh-gcloud-acc%40wazuh-gcloud-123456.iam.gserviceaccount.com"
}

Transfer the credentials file to the endpoint where you are performing the integration; either your Wazuh server or Wazuh agent. We recommend that you transfer the credentials file to the /var/ossec/wodles/gcloud/ path, although you can also move this file to any path of your choice.

Change the file ownership of the credentials file:

$ sudo chown root:wazuh /var/ossec/wodles/gcloud/<AUTHENTICATION_FILE_NAME>.json

Gcloud Python script

The Wazuh modules for Google Cloud are accessible through the var/ossec/wodles/gcloud/gcloud Python script. This script enables them to automatically fetch various types of events from Google Cloud Pub/Sub and Google Cloud Storage bucket services based on the configuration. It provides multiple options to manually fetch data and test the configuration as shown below:

# /var/ossec/wodles/gcloud/gcloud --help

usage: usage: gcloud.py [options]

Wazuh wodle for monitoring Google Cloud

optional arguments:
  -h, --help            show this help message and exit
  -T INTEGRATION_TYPE, --integration_type INTEGRATION_TYPE
                        Supported integration types: ('pubsub', 'access_logs')
  -p PROJECT, --project PROJECT
                        Project ID
  -s SUBSCRIPTION_ID, --subscription_id SUBSCRIPTION_ID
                        Subscription name
  -c CREDENTIALS_FILE, --credentials_file CREDENTIALS_FILE
                        Path to credentials file
  -m MAX_MESSAGES, --max_messages MAX_MESSAGES
                        Number of maximum messages pulled in each iteration
  -l LOG_LEVEL, --log_level LOG_LEVEL
                        Log level
  -b BUCKET_NAME, --bucket_name BUCKET_NAME
                        The name of the bucket to read the logs from
  -P PREFIX, --prefix PREFIX
                        The relative path to the logs
  -r, --remove          Remove processed blobs from the GCS bucket
  -o ONLY_LOGS_AFTER, --only_logs_after ONLY_LOGS_AFTER
                        Only parse logs after this date - format YYYY-MMM-DD
  -t N_THREADS, --num_threads N_THREADS
                        Number of threads
  --reparse             Parse the log, even if its been parsed before

Visualizing Google Cloud events on the Wazuh dashboard

Navigate to Google Cloud to view Google Cloud events and analytics on the Wazuh dashboard.

Configuring the supported services

You can use the Wazuh module for Google Cloud Pub/Sub and the Wazuh module for Google Cloud Storage to monitor and secure your Google Cloud environment. These modules integrate with the Google Cloud Pub/Sub and Google Cloud Storage buckets services. Using the Wazuh module for Google Cloud Pub/Sub, for example, you can collect and analyze log data from various Google Cloud services, such as Compute Engine, Cloud Firewall, VPC Flow Logs, and more.

Monitoring Google Cloud Pub/Sub

Wazuh integrates with the Google Cloud Pub/Sub messaging and ingestion service using the Wazuh module for Google Cloud Pub/Sub. Google Cloud Pub/Sub is widely used for event-driven systems and streaming analytics. It allows sending and receiving messages between different applications. Integrating with the Pub/Sub service allows the Wazuh module for Google Cloud Pub/Sub to fetch different events like the ones listed below from your Google Cloud environment:

Once these events are collected, Wazuh processes them using its detection rules and displays the appropriate alerts on the Wazuh dashboard.

The data flow between Google Cloud Pub/Sub and Wazuh is shown below. Visit this Google Cloud documentation to learn more about the Pub/Sub service.

A publisher service or application sends messages to a Google Cloud Pub/Sub topic.
Each published message remains stored until the Wazuh module for Google Cloud Pub/Sub reads and processes them.
Wazuh pulls the messages using its subscription to the Google Cloud Pub/Sub service.
Wazuh receives all messages from its subscription and acknowledges each one to the Google Cloud Pub/Sub service.
The Google Cloud Pub/Sub service then removes messages from the subscription’s message queue.

Configuring Google Cloud Pub/Sub

To integrate Wazuh with Google Cloud Pub/Sub, you first need to create a topic, and subscription, and then configure the Wazuh server with the subscription details and credentials.

In this section, we describe how to perform each of these steps.

Creating a topic

In the Google Cloud console, click on Pub/Sub or search for Pub/Sub in the search bar and select it.
Click on the Topics tab and select the Create Topic button.
Enter a name for your topic in Topic ID and click CREATE to create the topic.

Creating a topic will automatically create a new subscription. If a subscription was not created, or you need to add more subscriptions, follow the steps below. If not, skip the section below.

Adding a subscription

In the left-hand navigation pane, click on Pub/Sub to open the Pub/Sub section.
Click on Topics and select the topic you just created.
In the Subscription tab, click on the Create subscription button and fill in the subscription form:
- Fill in the Subscription ID
- Select a topic from Select a Cloud Pub/Sub topic
- Choose Pull in the Delivery type field
- Select the duration of the Message retention duration
- Select the duration in days of the Expiration period

You can create as many subscriptions as you wish.

At this point, the Pub/Sub environment is ready to manage the message flow between the publishing services and the Wazuh module for Google Cloud Pub/Sub.

Setting up Google Cloud credentials for Wazuh

If you do not have credentials yet, follow the steps in the credentials section.

Configuring the Wazuh module for Google Cloud Pub/Sub

Follow the next steps to configure the Wazuh module for Google Cloud Pub/Sub on your Wazuh server or Wazuh agent to access the Pub/Sub services.

Append the following configuration to the /var/ossec/etc/ossec.conf configuration file of your preferred endpoint:
```
<ossec_config>
  <gcp-pubsub>
    <pull_on_start>yes</pull_on_start>
    <interval>1m</interval>
    <project_id><YOUR_PROJECT_ID></project_id>
    <subscription_name><YOUR_SUBSCRIPTION_ID></subscription_name>
    <credentials_file>/var/ossec/wodles/gcloud/<AUTHENTICATION_FILE_NAME>.json</credentials_file>
  </gcp-pubsub>
</ossec_config>
```
Where:
- <pull_on_start> pulls logs on the start or restart of the Wazuh manager or agent service, depending on where the module is configured, and by default is set to yes.
- <interval> sets a time interval between module execution.
- <project_id> represents your Google Cloud project ID and <YOUR_PROJECT_ID> represents your project ID.
- <subscription_name> represents the subscription name created for this Topic, and <YOUR_SUBSCRIPTION_ID> represents your subscription ID.
- <credential_file> represents the path to the Google Cloud credentials file <AUTHENTICATION_FILE_NAME> represents the path to the Google Cloud credentials file. Ensure the JSON extension is present after the file. If you do not have credentials, follow the steps in the configuring Google Cloud credentials section.
See the gcp-pubsub section for more information on configuring the Wazuh module for Google Pub/Sub.
Restart the Wazuh manager or agent service to apply the changes:
# systemctl restart wazuh-manager
# systemctl restart wazuh-agent

Export logs via sink

Google Cloud log activities appear under the Log Router section. Cloud audit logs can be published to a Cloud Pub/Sub topic through sinks. Create a sink and use the topic as a destination.

In the Google Cloud console pane, click on Logging or search for Log Router in the search bar and select it.
Select Log Router and click the Create Sink button.
Follow the steps below to complete the Create logs routing sink form.
1. Sink details: provide a name and description for the logs routing sink.
2. Sink destination: select the sink service type and destination.
3. Choose logs to include in sink: create an inclusion filter to determine which logs are included.
4. Choose logs to filter out to sink: create exclusion filters to determine which logs are excluded.
5. Click the CREATE SINK button.

After you set everything up, you should see activity in the Logs Explorer tab.

Once the configuration is complete, you can visualize the logs on the Google Cloud module on your Wazuh dashboard.

Visualize logs in the Google Cloud module

Use cases

In this section, we explore how to use the Wazuh module for Pub/Sub to collect and monitor different types of logs from your Google Cloud environment, such as cloud audit logs, DNS queries, VPC Flow Logs, Firewall Rules Logging, and HTTP(S) load balancing.

Cloud audit logs

Google Cloud provides four types of audit logs for each project, folder, and organization in your environment:

Admin Activity audit logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources. This is useful for tracking administrative activities and changes made to the configuration of resources.
Data Access audit logs contain API calls that read the configuration or metadata of resources and user-driven API calls that create, modify, or read user-provided resource data. This is valuable for monitoring access to data, including who is reading or modifying resource configurations and user-provided data.
System Event audit logs contain log entries for Google Cloud administrative actions that modify the configuration of resources. The Google system generates these audit logs, which helps track system-level administrative actions that impact the configuration of resources.
Policy Denied audit logs are recorded when a Google Cloud service denies access to a user or service account because of a security policy violation.

These audit logs provide a comprehensive view of activities and events within a Google Cloud environment, supporting security, compliance, and operational needs.

Configuring Google Cloud audit logs collection

To collect Google Cloud audit logs, it is necessary to first ingest the audit logs into a Pub/Sub topic defining a custom log router.

Note

Before you perform the steps below make sure that you have already configured the Google Cloud Pub/Sub integration and the Wazuh module for Google Cloud Pub/Sub.

Visit the Google Cloud Logging section and click on Create sink.
Provide a descriptive name for the sink and click on NEXT.
You need to select the sink destination after providing the name of the sink. Under Select sink service, select Cloud Pub/Sub topic, and then create or choose a topic to be used as a destination. Then click on NEXT.
Under Choose logs to include in sink, use the following query to collect all the audit logs from every project. It is possible to edit it to only collect audit logs from a particular project:
```
logName=~("projects/.*/logs/cloudaudit.googleapis.com%2F(activity|data_access|system_event|policy)")
```
If it is not necessary to filter any logs out of the sink, click on CREATE SINK.

Once this process is finished, you can configure the Wazuh module for Google Cloud Pub/Sub to process the audit logs of the selected resources as usual.

Visualizing the events on the Wazuh dashboard

After configuring the Wazuh Google Cloud Pub/Sub module to fetch the audit logs from Google Cloud, it is possible to visualize the alerts generated in the Wazuh dashboard.

Set the operator for data.gcp.logName field to exists.

Available logs must appear as shown in the picture below.

Visit the Google Cloud documentation to learn more about the different Google services capable of writing audit logs.

DNS queries

Wazuh has default rules for DNS queries made to a private DNS handled by the Google Cloud DNS service. Those logs can be collected using the Wazuh module for Google Cloud Pub/Sub. Details on how to configure the module can be found in the gcp-pubsub configuration reference.

Note

Before you perform the steps below make sure that you have already configured the Google Cloud Pub/Sub integration and the Wazuh module for Google Cloud Pub/Sub.

Configuring Google DNS logs collection

To collect the DNS queries made to the Google DNS service, we use DNS policies to enable or disable logging for your networks. When you enable query logging, every DNS query to a Cloud DNS private managed zone is logged.

On Google Cloud Console, click the Shell button to activate Cloud Shell and authenticate your Google Cloud SDK.
Enable logging:

To enable logging for a network that does not have a DNS policy, run the dns policies create command:
```
gcloud dns policies create <POLICY_NAME> --networks=<NETWORK_NAME>  --enable-logging --description=<DESCRIPTION>
```
Where:
- <POLICY_NAME>: Contains the name of the DNS policy
- <NETWORK>: One or more networks in a comma-separated list
- <DESCRIPTION>: A description of the policy
Example:
```
$ gcloud dns policies create enable-dns-logging --enable-logging --description="Enable DNS logging" --networks=wazuh-dev-net
```
To enable logging for a network that has an existing DNS policy, run the dns policies update command:
```
gcloud dns policies update <POLICY_NAME> --networks=<NETWORK_NAME>  --enable-logging
```
Where:
- <POLICY_NAME>: Takes the name of the DNS policy
- <NETWORK>: one or more networks in a comma-separated list
Example:
```
$ gcloud dns policies update enable-dns-logging --enable-logging --networks=wazuh-dev-net
```

Exporting DNS queries logs to Pub/Sub

Once DNS Cloud logging is configured, the generated logs must be ingested into a Pub/Sub topic so that Wazuh can collect them using the Google Pub/Sub integration. To achieve that, it is necessary to define a custom log router.

Visit the Google Cloud Logging section and click on CREATE SINK.
Provide a descriptive name for the sink and click on NEXT.
Once the name for the sink is chosen, it is necessary to select the sink destination. As a sink service, choose Cloud Pub/Sub topic, and then create or choose a topic to be used as a destination. Then click on NEXT.
Use the following query to collect all the DNS queries:
```
resource.type = "dns_query"
```
If it is not necessary to filter any logs out of the sink, click on Create sink.

You can confirm that logs are generated in your environment by running the query in the Logs Explorer, as shown in the picture below.

Visualizing the events on the Wazuh dashboard

Once you configure the sink, apply the filter below on the Google Cloud module of the Wazuh dashboard to filter for DNS queries logs.

Set the value of data.gcp.logName field to projects/<YOUR_PROJECT_ID>/logs/compute.googleapis.com%2Fdns_queries.

Replace <YOUR_PROJECT_ID> with your project ID on Google Cloud.

Available logs must appear as shown in the picture below.

VPC Flow Logs

VPC Flow Logs record a sample of network flows sent from and received by VM instances, including instances used as Google Kubernetes Engine nodes. VPC Flow Logs are aggregated by the connection from Compute Engine VMs and exported in real-time.

Note

Before you perform the steps below make sure that you have already configured the Google Cloud Pub/Sub integration and the Wazuh module for Google Cloud Pub/Sub.

Enabling VPC Flow Logs

VPC Flow Logs can be enabled on the VPC networks page in the Google Cloud Console. They can be enabled for both new and existing subnets. Follow the Google Virtual Private Cloud documentation for the most up-to-date instructions on how to enable this feature.

Exporting VPC Flow Logs to Pub/Sub

The Export logs via sink section explains how to create a sink to export logs to a Pub/Sub topic. However, this would export every single log available, not just the VPC Flow Logs. It is possible to configure the sink to export VPC Flow Logs only to a topic, ignoring logs coming from other services by adding a filtering condition to the sink. To do so, follow the same instructions as explained in the Export logs via sink section but add the following filter in Step 3 - Choose logs to include in sink:

resource.type="gce_subnetwork"
log_name="projects/<YOUR_PROJECT_ID>/logs/compute.googleapis.com%2Fvpc_flows"

Replace <YOUR_PROJECT_ID> with your project ID on Google Cloud.

You can confirm that logs are generated in your environment by running the query in the Logs Explorer, as shown in the picture below.

Visualizing the events on Wazuh dashboard

Once you configure the sink, apply the filter below on the Google Cloud module of the Wazuh dashboard to filter for VPC Flow Logs.

Set the value of data.gcp.logName field to projects/<YOUR_PROJECT_ID>/logs/compute.googleapis.com%2Fvpc_flows. Replace <YOUR_PROJECT_ID> with your Google Cloud project ID.

Available logs must appear as shown in the picture below.

Firewall Rules Logging

Firewall Rules Logging records traffic to and from Compute Engine virtual machine (VM) instances. This includes Google Cloud products built on Compute Engine VMs, such as Google Kubernetes Engine (GKE) clusters and App Engine flexible environment instances. To send Firewall Rules Logging logs to Wazuh, you must first configure Cloud Logging to export these logs to Pub/Sub.

Note

Before you perform the steps below make sure that you have already configured the Google Cloud Pub/Sub integration and the Wazuh module for Google Cloud Pub/Sub.

Enabling Firewall Rules Logging

Firewall Rules Logging can be enabled on the Firewall page in the Google Cloud Console. Follow the Google Virtual Private Cloud documentation for the most up-to-date instructions on how to enable this feature.

Exporting Firewall Rules logs to Pub/Sub

The Export logs via sink section explains how to create a sink to export logs to a Pub/Sub topic. However, this would export every single log available, not only the Firewall Rules Logging. It is possible to configure the sink to export Firewall Rules Logging logs only to a topic, ignoring logs from other services, by adding a filtering condition to the sink. To do so, follow the instructions as explained in the Export logs via sink section but add the following filter in Step 3 - Choose logs to include in sink:

(resource.type="gce_subnetwork"
log_name="projects/<YOUR_PROJECT_ID>/logs/compute.googleapis.com%2Ffirewall")

Replace <YOUR_PROJECT_ID> with your project ID on Google Cloud.

You can confirm that logs are generated in your environment by running the query in the Logs Explorer as shown in the picture below.

Visualizing the events on the Wazuh dashboard

Once you configure the sink, apply the filter below on the Google Cloud module of the Wazuh dashboard to filter for Firewall Rules logs.

Set the value of data.gcp.logName field to projects/<YOUR_PROJECT_ID>/logs/compute.googleapis.com%2Ffirewall. Replace <YOUR_PROJECT_ID> with your own project ID on Google Cloud.

Available logs must appear as shown in the picture below.

HTTP(S) Load Balancing Logging

HTTP(S) Load Balancing Logging allows the user to enable, disable, and view logs for an HTTP(S) Load Balancing backend service. To send HTTP(S) Load Balancing Logging logs to Wazuh, you must first configure Cloud Logging to export these logs to Pub/Sub.

Note

Before you perform the steps below make sure that you have already configured the Google Cloud Pub/Sub integration and the Wazuh module for Google Cloud Pub/Sub.

Enabling logging on HTTP(S) Load Balancer

HTTP(S) Load Balancer Logging can be enabled on the Load Balancing page in the Google Cloud Console. Follow the Google Cloud Load Balancing documentation for the most up-to-date instructions on how to enable this feature.

Exporting HTTP(S) Load Balancer logs to Pub/Sub

The Export logs via sink section explains how to create a sink to export logs to a Pub/Sub topic. However, this would export every single log available, not just the HTTP(S) Load Balancer logs. It is possible to configure the sink to export HTTP(S) Load Balancer logs only to a topic, ignoring logs from other services, by adding a filtering condition to the sink. To do so, follow the same instructions as explained in the Export logs via sink section but add the following filter in Step 3 - Choose logs to include in sink:

resource.type=http_load_balancer

Create logs routing sink – HTTP load balancer

You can confirm that logs are generated in your environment by running the query in the Logs Explorer, as shown in the picture below.

Visualizing the events on the Wazuh dashboard

Once you configure the sink, apply the filter below on the Wazuh dashboard to filter for Load balancer logs.

Set the value of the data.gcp.resource.type field to http_load_balancer.

Available logs must appear as shown in the picture below.

Load balancer log alerts in the Wazuh dashboard

Monitoring Google Cloud Storage buckets

Google Cloud Storage offers usage logs and storage logs, also known as access logs, in the form of CSV files that can be downloaded. Usage logs provide information for all of the requests made on a specified bucket and are created hourly. Storage logs provide information about the storage consumption of that bucket for the last day and are created daily. Once set up, usage logs and storage logs are automatically created as new objects in the specified bucket. The Wazuh module for Google Cloud Storage buckets collects these logs from the bucket and processes the events using defined threat detection rules and decoders.

Configuring Google Cloud Storage buckets

This section describes how to create a bucket and enable logging. If you do not have credentials, follow the steps in the configuring Google Cloud credentials section.

Setting up log delivery to a Google Cloud Storage bucket

You need to create Storage buckets and enable logging before logs can be delivered to them. The log delivery for any bucket must be set up using the Google Cloud Shell, gsutil tool, the XML API, or the JSON API. Follow the usage logs and storage logs documentation for the most up-to-date instructions on enabling this feature.

In the following steps, we use the Google Cloud Shell to create a bucket and enable logging.

On Google Cloud Console, click the Shell button to activate Cloud Shell and authenticate your Google Cloud SDK.
Create a bucket to store your logs using the following command:
```
$ gcloud storage buckets create gs://<YOUR_BUCKET_NAME>
```
Replace <YOUR_BUCKET_NAME> with your bucket name.

Make sure to follow the Google naming guidelines to name your bucket.

Grant Google Cloud Storage the roles/storage.objectCreator role to the bucket:

$ gcloud storage buckets add-iam-policy-binding gs://<YOUR_BUCKET_NAME> --member=group:cloud-storage-analytics@google.com --role=roles/storage.objectCreator

Enable logging for your bucket using the --log-bucket flag:

$ gcloud storage buckets update  gs://<YOUR_BUCKET_NAME> --log-bucket=gs://<YOUR_BUCKET_NAME>

Check logging status:

$ gcloud storage buckets describe gs://<YOUR_BUCKET_NAME> --format="default(logging_config)"

If logging is enabled, the server returns the logging configuration in the response:

logging_config:
  logBucket: <YOUR_BUCKET_NAME>
  logObjectPrefix: <YOUR_BUCKET_NAME>

If logging is not enabled, the following is returned:

null

Configuring the Wazuh module for Google Cloud Storage buckets

Perform the following steps to configure the Wazuh module for Google Cloud Storage buckets to read logs from a Cloud Storage bucket. You can perform these steps on your Wazuh server or Wazuh agent.

Add the following configuration within the <ossec_config> block in the /var/ossec/etc/ossec.conf configuration file of your endpoint:
```
<gcp-bucket>
   <run_on_start>yes</run_on_start>
   <interval>1m</interval>
   <bucket type="access_logs">
       <name><YOUR_BUCKET_NAME></name>
       <credentials_file>/var/ossec/wodles/gcloud/<YOUR_AUTHENTICATION_FILE></credentials_file>
   </bucket>
</gcp-bucket>
```
Where:
- <run_on_start>: Schedules the module to run on the start or restart of the Wazuh manager or agent service, depending on where the module is configured.
- <interval>: Sets a time interval between module execution.
- <name>: Contains the name of the Google Cloud Storage bucket from which logs are read.
- <credentials_file>: Contains the path to the Google Cloud credentials file. If you do not have credentials yet, follow the steps in the configuring Google Cloud credentials section.
Replace <YOUR_BUCKET_NAME> with your bucket name and <YOUR_AUTHENTICATION_FILE> with the name of your credential file.

See the gcp-bucket section for more information on configuring the Wazuh module for Google Cloud Storage buckets.
Restart the Wazuh manager or agent service to apply the changes:
# systemctl restart wazuh-manager
# systemctl restart wazuh-agent

Visualizing the events on the Wazuh dashboard

Apply one of the filters below on the Wazuh dashboard to filter for Google Cloud storage and usage logs.

data.gcp.resource.type is gcs_bucket.
data.gcp.source is gcp_bucket.

Available logs must appear as shown in the picture below.

Google Cloud Storage – Available logs alerts

Considerations for the Google Cloud Storage buckets integration

Configuring multiple buckets

You can configure the Wazuh server or agent to pull logs from multiple buckets. To do so, you must add multiple <bucket> blocks within the <gcp-bucket> section of the Wazuh server or agent configuration file.

Find below an example configuration for multiple buckets:

<gcp-bucket>
   <run_on_start>yes</run_on_start>
   <interval>1m</interval>
   <bucket type="access_logs">
       <name>wazuh-test-bucket</name>
       <credentials_file>/var/ossec/wodles/gcloud/wazuh-test-bucket-credentials.json</credentials_file>
   </bucket>

   <bucket type="access_logs">
       <name>wazuh-test-bucket-2</name>
       <credentials_file>/var/ossec/wodles/gcloud/wazuh-test-bucket2-credentials.json</credentials_file>
       <only_logs_after>2021-JUN-01</only_logs_after>
       <path>access_logs/</path>
   </bucket>

   <bucket type="access_logs">
       <name>wazuh-test-bucket-3</name>
       <credentials_file>/var/ossec/wodles/gcloud/wazuh-test-bucket3-credentials.json</credentials_file>
       <path>access_logs</path>
       <remove_from_bucket>no</remove_from_bucket>
   </bucket>

 </gcp-bucket>

Where:

<name>:Contains the name of the Google Cloud Storage bucket from which logs are read.
<credentials_file>:Contains the path to the Google Cloud credentials file.
<only_logs_after>: Parses logs from a specific date onwards. It must follow the YYYY-MM-DD format.
<remove_from_bucket>: Sets whether the logs should be removed from the Google Cloud Storage bucket once they are read. The possible values are no and yes.

Note

Only the <name> and <credentials_file> options are mandatory. Take a close look at bucket options.

Restart the Wazuh manager or agent service to apply the changes:

# systemctl restart wazuh-manager

# systemctl restart wazuh-agent

First execution

If no only_logs_after value is provided, the module will only fetch the logs of the date of the execution.

Creation time in Google Cloud Storage bucket contents

When using the only_logs_after tag, the Wazuh module checks the creation time of each item in the Google Cloud Storage bucket to determine if a file should be processed or not. This means that if the user manually moves any blob inside the specified bucket, its creation date changes, and the Wazuh module for Google Cloud Storage processes it again as it is considered a new blob.

Any date in the file's name is ignored, and only the creation date is used to determine whether or not a file should be processed.

Older logs

The Wazuh module for Cloud Storage buckets only looks for new logs in buckets based on the key of the last processed log object, which includes the datetime stamp. When the only_logs_after option date is set to a datetime earlier than previous module executions, the system will ignore older logs.

Logging level

The Google Cloud integration uses the wazuh_modules.debug level to set its verbosity level. This switches between different logging levels for debugging and troubleshooting purposes.

Reparse

Using the reparse option will re-fetch all Google Cloud Storage bucket logs from the starting date of the integration until the present.

Warning

Using this option will generate duplicate alerts.

To fetch and process older logs, manually run the /var/ossec/wodles/gcloud/gcloud tool using the --reparse option.

# /var/ossec/wodles/gcloud/gcloud --integration_type access_logs --bucket_name 'wazuh-example-bucket' --credentials_file credentials.json --reparse --only_logs_after '2021-Jun-10' --log_level 2

Where:

--only_logs_after parameter sets the time for the starting point. If you don't provide an only_logs_after value, the module uses the date of the first file processed.
--log_level 2 parameter gets a verbose output. This is useful to show that the script works, especially when handling a large amount of data.

Cloud Security Posture Management

Cloud Security Posture Management (CSPM) is important in ensuring the security and compliance of cloud environments. The potential for security misconfigurations increases in cloud computing, where organizations can quickly and easily provision, configure, and modify cloud resources. These security issues can arise due to mismanagement of permissions, gaps in network configurations, and various other factors.

Cloud Security Posture Management addresses this challenge by continuously monitoring and assessing cloud workloads to identify misconfigurations, vulnerabilities, and potential risks. It also provides remediation steps to rectify potential security risks, thereby enhancing the overall security posture of the cloud environment.

Wazuh is a free, open source, enterprise-grade security monitoring platform that provides comprehensive protection for cloud, on-premises, containerized, and virtualized environments. This section demonstrates how to use Wazuh to review posture security on the Google Cloud.

Integrating Wazuh with Google Cloud

Wazuh integrates with Google Cloud using the Google Cloud publisher and subscriber service (Google Cloud Pub/Sub). Google Cloud Pub/Sub is a messaging service that helps you send and receive log data between applications. Wazuh provides an integration module for Google Cloud that fetches logs from the Pub/Sub service.

Google Cloud

Configuring the Google Cloud account

Create a new Google Cloud project and a service account that enables the Wazuh Google Cloud module to pull log data from the Google Pub/Sub service. Once this is done, configure the Pub/Sub and the Sink services. The Sink service routes cloud security posture logs from the central Google Cloud Logging service to the Pub/Sub service.

Follow the steps below to perform the configuration.

Create a new Google Cloud project. Take note of the project ID.

Where:
- Project name is the name given to the project.
- Organization is the name of the Google Cloud organization.
Go to the IAM and admin drop-down menu and select Service accounts to create a new service account. On the service accounts creation page, add the Pub/Sub Publisher and Pub/Sub Subscriber roles to the account.

Where:
- Service account name is the privileged account that Wazuh uses to connect to Google Cloud.
- Roles are the rights given to the service account.
Open the newly created service account and create a private key in JSON format. Your browser automatically downloads the key. Wazuh uses the key to authenticate to your Google Cloud project.
Search for Pub/Sub from the console search field at the top of the page and select it. Click on Create Topic. On the Create Topic page, input the Topic ID and ensure the Add a default subscription checkbox is selected. Then, click Create. Take note of the Subscription ID.
Search for Log Router in the Google Cloud console and select it. Click on Create Sink. Name the sink and click Next. On the Sink destination service, select Cloud Pub/Sub topic. Next, select the topic name created above. Click Create Sink.

The Log Router and Sink services in a Google Cloud project are responsible for log management and log destination routing, respectively.
Configure continuous log export from the Google Cloud Findings service to the Google Cloud Pub/Sub service.

Wazuh server

Configure the Wazuh server to receive logs from Google Cloud by performing the following steps.

Note

Run the commands with root permission.

Create a credentials.json file in the /var/ossec/wodles/gcloud/ directory:
```
# touch /var/ossec/wodles/gcloud/credentials.json
```
Update the /var/ossec/wodles/gcloud/credentials.json file with the contents of the private key in JSON format file downloaded earlier. The Wazuh module for Google Cloud Pub/Sub uses the key file to authenticate your Google Cloud account.
Append the following content to the /var/ossec/etc/ossec.conf configuration file. The configuration specifies how Wazuh connects to Google Cloud using the project ID, Google Cloud PubSub subscription ID, and a credential.
```
<ossec_config>
  <gcp-pubsub>
    <pull_on_start>yes</pull_on_start>
    <interval>5m</interval>
    <project_id><PROJECT_ID></project_id>
    <subscription_name><SUBSCRIPTION_ID></subscription_name>
     <credentials_file>/var/ossec/wodles/gcloud/credentials.json</credentials_file>
  </gcp-pubsub>
</ossec_config>
```
Replace the variables in the configuration with the appropriate values.

Where:
- <PROJECT_ID> is the ID of the Google Cloud project created above.
- <SUBSCRIPTION_NAME> is the subscription ID of your Google Cloud Pub/Sub.

Create a rule file gcp_posture.xml in the /var/ossec/etc/rules/ directory and add the following custom rules to detect Google Cloud posture findings:

<group name="gcp,">
  <!-- Misconfiguration detection -->
    <rule id="100200" level="10">
        <if_sid>65000</if_sid>
        <field name="gcp.finding.findingClass">MISCONFIGURATION</field>
        <description>A $(gcp.finding.findingClass) with $(gcp.finding.severity) severity has been discovered on the GCP project $(gcp.resource.projectDisplayName). $(gcp.finding.description)</description>
        <mitre>
          <id>T1562</id>
        </mitre>
    </rule>

  <!-- Threat detection -->
    <rule id="100201" level="10">
        <if_sid>65000</if_sid>
        <field name="gcp.finding.findingClass">THREAT</field>
        <description>A $(gcp.finding.findingClass) with $(gcp.finding.severity) severity has been discovered on the GCP project $(gcp.resource.projectDisplayName). $(gcp.finding.category).</description>
        <mitre>
          <id>T1562</id>
        </mitre>
    </rule>
</group>

Where:

Rule ID 100200 is triggered when Wazuh detects a misconfiguration in a Google Cloud account.
Rule ID 100201 is triggered when Google Cloud detects a threat.

Restart the Wazuh manager to apply the configuration:
```
# systemctl restart wazuh-manager
```

Cloud security posture management simulation

The Findings module is a Google Cloud Security Command Centre service that records security misconfigurations across a Google Cloud project.

Network misconfigurations

Perform the following actions on the Google Cloud console to simulate network misconfiguration.

Enable the Compute Engine API. This will enable the internal VPC firewall.
Create a firewall rule, verybadrule on the Google Cloud network security to simulate multiple network misconfigurations. The firewall rule allows connections from all IP addresses and ports.
Delete the firewall rule verybadrule from the list of rules on Google Cloud network security.

Identity and access management anomalous activity

Create a test Gmail email address if you don’t have one already.
Navigate to the IAM & Admin drop-down menu and select IAM. Click on Grant Access. On the Grant Access page, enter the test user’s Gmail address as a New principal. Next, assign the role, Project > Owner and click Save.

Posture management result

Visualize the Google Cloud posture management results by navigating to Threat Hunting. Filter for the rule IDs 100200 and 100201.

The image above shows misconfiguration and threats discovered in the Google Cloud environment.

Note

The alerts may not appear on the Wazuh dashboard immediately the first time you activate Google Cloud's security command center. This is due to the latency caused by the activation process.

Monitoring Office 365

Office 365 is a cloud-based service offered by Microsoft, that provides access to a suite of productivity and collaboration tools, including applications such as Word, Excel, PowerPoint, Outlook, OneDrive, Teams, and SharePoint. Monitoring Office 365 provides visibility and data visualization into actions occurring on its suite of tools.

Contents

Monitoring Office 365 audit logs

Office 365 audit log allows organization admins to quickly review the actions performed by members of your organization. It includes details such as the user who logs in, who performs an action, the type of action performed, and the time an action is performed.

This section provides instructions for monitoring the Office 365 audit log for your organization. The audit log provides information on the changes and user activities taking place in an Office 365 environment. Wazuh allows you to monitor the following activities in Office 365:

User activity in SharePoint Online and OneDrive for Business.
User activity in Exchange Online (Exchange mailbox audit logging).
Admin activity in SharePoint Online.
Admin activity in Azure Active Directory (the directory service for Office 365).
Admin activity in Exchange Online (Exchange admin audit logging).
eDiscovery activities in the security and compliance center.
User and admin activity in:
- Power BI.
- Microsoft Teams.
- Dynamics 365.
- Yammer.
- Microsoft Power Automate.
- Microsoft Stream.
- Microsoft Workplace Analytics.
- Microsoft Power Apps.
- Microsoft Forms.
User and admin activity for sensitivity labels for sites that use SharePoint Online or Microsoft Teams.
Admin activity in Briefing email and MyAnalytics.

Office 365 Management Activity API

The Office 365 Management APIs provide a platform for various management tasks, including service communications, security, compliance, reporting, and auditing. It offers an interface for collecting audit logs from an Office 365 environment. Wazuh collects audit logs from Office 365 using this interface.

The Office 365 Management Activity API aggregates actions and events into tenant-specific content blobs, which are structured data tailored to each organization's Office 365 environment. These content blobs classify the information based on the type and source of the content they contain, allowing organizations to monitor and analyze actions and events within their Office 365 tenant for security auditing, compliance monitoring, and other administrative purposes.

Activity API operations based on plans

The Office 365 Management Activity API is a RESTful API that enables organizations to access and integrate audit logs and activity data from different Office 365 services. It categorizes activities based on their associated service, covering a wide range of services within the Office 365 suite. The specific activities available depend on your Office 365 subscription plan and the services you have enabled.

All API operations are restricted to a single tenant, and the root URL of the API includes a tenant ID that specifies the tenant context. The URL for the API endpoint that you use is based on the type of Office 365 subscription plan for your organization. Here is the list of the available plans and their corresponding API endpoint URLs.

Enterprise plan

https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/{operation}

Government Community Cloud (GCC) government plan

https://manage-gcc.office.com/api/v1.0/{tenant_id}/activity/feed/{operation}

Government Community Cloud (GCC) High government plan

https://manage.office365.us/api/v1.0/{tenant_id}/activity/feed/{operation}

Department of Defense (DoD) government plan

https://manage.protection.apps.mil/api/v1.0/{tenant_id}/activity/feed/{operation}

Office 365 subscription plans may have different features and services included, so the available activities can vary based on your specific plan. Here are some categories of activities that you may find in the Office 365 Management API, depending on common Office 365 plans and services:

Azure Active Directory (Azure AD) activities - Events related to the creation, modification, or deletion of users and groups in Azure AD. This also includes sign-ins, authentication events, and role assignments and changes.
Exchange Online activities: This includes email-related activities, mailbox permission changes, and changes to email properties, attachments, and folders.
SharePoint Online activities: This category includes events related to sharing documents and sites, user access rights and permissions changes, and file and folder operations.
Microsoft Teams activities: Activities relating to channel and team management, message and chat operation, and meeting-related events.
Security and Compliance Center activities: This category includes events related to compliance policies and data loss prevention (DLP). This also includes alerts for policy violations and eDiscovery activities.
General activities: Events that do not fall into specific service categories. This category may include general changes and administrative activities.

The Office 365 Management Activity API supports several operations. These include starting a subscription to receive notifications, retrieving activity data for a tenant, and stopping a subscription to discontinue data retrieval for a tenant. Using the Activity API, you can list current subscriptions, available content, and the corresponding content URLs. You can also retrieve content by using the content URL.

Below, we show how to use the Activity API to list available content and retrieve content operations.

Listing available content

You can list the content currently available for retrieval for a specified content type. This content constitutes a collection of actions and events that occur in an Office 365 environment. To retrieve the available content, Microsoft provides the following API endpoint to retrieve data when using an Office 365 enterprise plan:
```
Get https://manage.office.com/api/v1.0/<Tenant_ID>/activity/feed//subscriptions/content?contentType=<ContentType>&startTime=<START_TIME>&endTime=<END_TIME>
```
Where:
- The <Tenant_ID> variable is the tenant ID for the subscription.
- The <ContentType> variable indicates the content type. For example, Audit.AzureActiveDirectory and Audit.General.
- The <START_TIME> and <END_TIME> variables indicate the time range of content to return, based on when the content became available (date format: YYYY-MM-DD).
You can list the content currently available for retrieval for the specified content type manually by following the steps below.
1. Use the PowerShell script below to generate an access token. Create a file AccessToken.ps1, then copy and paste the contents below into the file created. Replace <YOUR_APPLICATION_ID>, <YOUR_CLIENT_SECRET>, and <YOUR_TENANT_ID> with the correct values collected during the application registration:
```
$clientId = "<YOUR_APPLICATION_ID>"
$clientSecret = "<YOUR_CLIENT_SECRET>"
$tenantId = "<YOUR_TENANT_ID>"
$resource = "https://manage.office.com"

$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/token"
$tokenRequestBody = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    resource      = $resource
}

$tokenResponse = Invoke-RestMethod -Uri $tokenEndpoint -Method POST -Body $tokenRequestBody
$MyToken = $tokenResponse.access_token
echo $MyToken
```
2. Open a regular PowerShell terminal and run the commands below to execute the PowerShell script AccessToken.ps1 created in the previous step:
```
> Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
> $accessToken = <PATH>/AccessToken.ps1
```
  Note
  
  The command Set-ExecutionPolicy RemoteSigned -Scope CurrentUser is used to allow the execution of local scripts. Replace <PATH> with the file path to the PowerShell script.
3. Run the command below on the same PowerShell terminal to get the list of currently available content for a content type:
```
Invoke-RestMethod -Uri "https://manage.office.com/api/v1.0/<TENANT_ID>/activity/feed/subscriptions/content?contentType=<CONTENT_TYPE>&startTime=<START_TIME>&endTime=<END_TIME>" -Headers @{ Authorization = "Bearer $accessToken"; ContentType = "application/json" } -Method Get; $response.value
```
  Replace:
  - The <TENANT_ID> variable with a valid tenant ID.
  - The <CONTENT_TYPE> variable with a valid content type. For example Audit.AzureActiveDirectory
  - The <START_TIME> and <END_TIME> variables with date range (format: YYYY-MM-DD)
```
contentUri        : https://manage.office.com/api/v1.0/<Tenant_ID>/activity/feed/audit/20240129073247100003384$20*********081955691028239                        $audit_azureactivedirectory$Audit_AzureActiveDirectory$emea0010
contentId         : 20240129073247100003384$20*********081955691028239$audit_azureactivedirectory$Audit_AzureActiveDirectory$emea0010
contentType       : Audit.AzureActiveDirectory
contentCreated    : 2024-01-29T08:19:55.691Z
contentExpiration : 2024-02-05T07:32:47.100Z
...
```
Retrieving content

To retrieve a content blob, make a GET request against the corresponding content URI that is included in the list of available content. The returned content will be a collection of one or more actions or events in JSON format.
```
GET <CONTENT_URI>
```
Replace the <CONTENT_URI> variable with the value of a content URI that is included in the list of available content.

The Office 365 Management API documentation provides details on the available endpoints and response formats. You can refer to the documentation for more information.

Office 365 API requirements

Wazuh needs to authenticate to the Office 365 Management API to connect and pull audit logs for analysis. This process is achieved by registering an application on the Microsoft Azure portal to obtain the required credentials.

You need the following requirements to access the audit logs of Office 365 with Wazuh:

The application (client) ID: The unique ID of the application created in the Microsoft Azure portal to pull logs from Office 365.
The directory (tenant) ID: The tenant ID which is the same as the organization ID identifies which Azure Active Directory instance the application sits under.
The client secret: A shared secret known to both the application and the authorization server.

Setting up Office 365 for monitoring

The Office 365 API provides an endpoint for accessing audit logs in Office 365. You need an application with the right permissions to access the Microsoft API. The following list provides a summary of the steps you need to perform on Microsoft Azure to integrate with Wazuh:

Registering an app via the Microsoft Azure portal: This step involves creating an application with unique credentials (client ID, tenant ID, and client secret) in your organization.
Creating certificates and secrets: The created application needs to authenticate to the Office 365 Management API to ensure security. This step shows how to create certificates and secrets for the application.
Enabling API permissions: The created application needs specific API permissions to request the Office 365 activity events. This step shows how to assign the appropriate permissions required to pull logs from the Office 365 Management API.

Registering an app via the Azure portal

To authenticate with the Microsoft identity platform endpoint, you need to register an app in your Azure portal.

Sign in to your Azure portal.
Click on New registration in the Microsoft Azure portal app registrations section.
Fill in the name of your application, choose the desired account type, and click on the Register button.

At this point, the application is registered.
Click on the Overview tab on the menu to view and copy the application’s client and tenant IDs.

Creating certificates and secrets

The application requires a certificate and secret to use during the authentication process.

Navigate to the Certificates & secrets menu and click the New client secret button. Then, fill in the Description and Expires fields of the new secret under the Add a client secret section.
Copy and save the value of the secret under the Client secrets section.

Note

Make sure you write it down because the web interface won’t let you copy it afterward.

Enabling API permissions

The application requires specific API permissions to request Office 365 activity events. In this case, we are looking for permissions related to the https://manage.office.com resource.

Perform the following steps to configure the application permissions:

Navigate to the API permissions menu and choose Add a permission.
- Select the Office 365 Management APIs and click on Application permissions.
- Add the following permissions under the ActivityFeed group:
  - ActivityFeed.Read: Read activity data for your organization.
  - ActivityFeed.ReadDlp: Read DLP policy events including detected sensitive data.
- Click on the Add permissions button.
Note

Admin consent is required for API permission changes.

Setting up Wazuh for Office 365 monitoring

This section delves into the processes involved in configuring Wazuh for effective monitoring of Office 365 environments. The various aspects of the configuration process include the integration with Office 365 APIs for log collection, the activation of the dashboard visualization module for Office 365 events, and the correlation of rules.

Configuring Wazuh with Office 365 APIs

The Wazuh module for Office 365 pulls audit logs from the Office 365 APIs for analysis and rule correlation. You can configure the module on either the Wazuh server or the Wazuh agent. It is recommended to configure it on the Wazuh agent to reduce the workload on the Wazuh server, thereby improving the performance of your monitoring infrastructure.

Perform the following steps to configure the Wazuh server to pull audit logs from an Office 365 environment.

Append the following configuration to the /var/ossec/etc/ossec.conf file. The configuration pulls only the Audit.SharePoint type of events within an interval of 1m.
```
<ossec_config>
  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <tenant_id><YOUR_TENANT_ID></tenant_id>
      <client_id><YOUR_CLIENT_ID></client_id>
      <client_secret><YOUR_CLIENT_SECRET></client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
      <subscription>Audit.SharePoint</subscription>
    </subscriptions>
  </office365>
</ossec_config>
```
Where:
- <enabled> enables the Wazuh module for Office 365. The allowed values for this option are yes and no.
- <interval> defines the time interval between each execution of the Wazuh module for Office 365. The allowed value is any positive number that contains a suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours), and d (days). The default interval for the module execution if not specified is 10m.
- <curl_max_size> specifies the maximum size allowed for the Microsoft API response. The allowed value is any positive number that contains a suffix character indicating a size unit, such as b/B (bytes), k/K (kilobytes), m/M (megabytes), and g/G (gigabytes). The default value is 1M.
- <only_future_events> specifies the Wazuh module for Office 365 to collect only events generated after you start the Wazuh manager when the value is set to yes. When the value is set to no, it collects previous events generated before you start the Wazuh manager. The default value is yes, and the allowed values are yes and no.
- The <api_auth> block configures the credential for the authentication with the Office 365 REST API. The tags <tenant_id>, <client_id>, <client_secret>, and <api_type> are configuration tags within <api_auth>.
  - <tenant_id> specifies the tenant ID of the application registered in Azure. The allowed value is any string. Replace the variable, <YOUR_TENANT_ID> with the tenant ID of your application registered in Azure.
  - <client_id> specifies the client ID of the application registered in Azure. The allowed value is any string. Replace the variable, <YOUR_CLIENT_ID> with the client ID of your application registered in Azure.
  - <client_secret> specifies the client secret value of the application registered in Azure. Replace the variable, <YOUR_CLIENT_SECRET> with the client secret of your application registered in Azure.
  - <api_type> specifies the type of Office 365 subscription plan used by the tenant. The allowed subscriptions are commercial, gcc, and gcc-high.
- The <subscriptions> block configures the internal options in the Office 365 REST API.
  - <subscription> specifies the content types from which Wazuh collects audit logs. The subscription types that can be configured include Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, and DLP.All.
To learn more about the configuration options, kindly check the Wazuh module for Office 365 reference guide.
Restart the Wazuh manager service to apply the changes:
```
# systemctl restart wazuh-manager
```

Configuring multiple tenants

You can configure Wazuh to monitor multiple tenants in an organization by specifying the organization’s credentials (<tenant_id>, <client_id>, <client_secret>, and <api_type>) in individual <api_auth> blocks.

For example, the following configuration monitors two tenants in an organization:

<ossec_config>
  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <tenant_id><YOUR_TENANT_ID_1></tenant_id>
      <client_id><YOUR_CLIENT_ID_1></client_id>
      <client_secret><YOUR_CLIENT_SECRET_1></client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <api_auth>
      <tenant_id><YOUR_TENANT_ID_2></tenant_id>
      <client_id><YOUR_CLIENT_ID_2></client_id>
      <client_secret><YOUR_CLIENT_SECRET_2></client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
      <subscription>Audit.AzureActiveDirectory</subscription>
      <subscription>Audit.General</subscription>
    </subscriptions>
  </office365>
</ossec_config>

Replace:

<YOUR_TENANT_ID_1>, <YOUR_CLIENT_ID_1>, and <YOUR_CLIENT_SECRET_1> with the organization's credentials for tenant 1.
<YOUR_TENANT_ID_2>, <YOUR_CLIENT_ID_2>, and <YOUR_CLIENT_SECRET_2> with the organization's credentials for tenant 2.

Configuring multiple subscriptions

Wazuh pulls audit logs from the following subscription types in Office 365:

Audit.AzureActiveDirectory: User identity management.
Audit.Exchange: Mail and calendaring server.
Audit.SharePoint: Web-based collaborative platform.
Audit.General: Includes all other workloads not included in the previous content types.
DLP.All: Data loss prevention workloads.

You can configure Wazuh to monitor multiple subscriptions in an organization tenant(s) by specifying the subscription type in individual <subscription> tags within the same <subscriptions> block.

For example, the following configuration pulls only the Audit.AzureActiveDirectory and Audit.General type of events within a tenant in an organization:

<ossec_config>
  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <tenant_id><YOUR_TENANT_ID></tenant_id>
      <client_id><YOUR_CLIENT_ID></client_id>
      <client_secret><YOUR_CLIENT_SECRET></client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
      <subscription>Audit.AzureActiveDirectory</subscription>
      <subscription>Audit.General</subscription>
    </subscriptions>
  </office365>
</ossec_config>

Replace <YOUR_TENANT_ID>, <YOUR_CLIENT_ID>, and <YOUR_CLIENT_SECRET> with the organization's credentials for the tenant.

Visualizing the Office 365 activity

The Wazuh dashboard has an Office 365 module that provides detailed information and insights about the events that occur in Office 365. The module provides three visualization options.

Dashboard
Panel
Events

To select any of them, navigate to the Office 365 tab on the Cloud security section of the Wazuh dashboard.

Dashboard

The dashboard visualization option provides a comprehensive view of the actions performed in a monitored Office 365 environment. This information includes suspicious downloads, Full Access Permissions, Phishing and Malware, Events by severity over time, IP address by Users, Geolocation map, and many more as seen in the image below.

Panel

This visualization option provides detailed information about the event that occurred including the top users of the service, the top client IP addresses using the service, top rules that have been triggered, and the top operations performed in Office 365.

Events

The events visualization option shows the alerts generated by events that occur in the Office 365 environment. Here you can see details such as the agent name, the operation a user performs, the user who performs an action, a description of the alert, the rule level of the alert, and more fields.

This visualization also offers additional functionalities that include:

Event filtering based on specific fields such as rule IDs, rule groups, IP addresses, and others.
Dynamic searches based on structured queries.
Complete details of the generated alert including the full log, matched decoder, and others.

You can expand each alert entry to view additional information about the event that triggered the alert, as shown in the image below.

Office 365 events visualization option – Expand alert

Use cases

Detecting user login into Microsoft Azure AD

When a user logs into the Microsoft Azure AD, the action generates an event. You can configure Wazuh to monitor and visualize these events by performing the following actions:

Append the following configuration to the /var/ossec/etc/ossec.conf file on the Wazuh server:

<ossec_config>
  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <tenant_id><YOUR_TENANT_ID></tenant_id>
      <client_id><YOUR_CLIENT_ID></client_id>
      <client_secret><YOUR_CLIENT_SECRET></client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
      <subscription>Audit.AzureActiveDirectory</subscription>
    </subscriptions>
  </office365>
</ossec_config>

Replace:

The <YOUR_TENANT_ID> variable with the tenant ID of your application registered in Microsoft Azure.
The <YOUR_CLIENT_ID> variable with the client ID of your application registered in Microsoft Azure.
The <YOUR_CLIENT_SECRET> variable with the client secret of your application registered in Microsoft Azure.

Restart the Wazuh manager service to apply the changes:
```
# systemctl restart wazuh-manager
```
Log into your Azure portal.

Visit the Wazuh dashboard and navigate to Office 365, then click on the Events tab to view the generated alerts.

Below is the JSON format of the generated alert.

{
  "_index": "wazuh-alerts-4.x-2024.01.29",
  "_id": "vNQjVI0B9LTh695MXIMn",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "name": "wazuh-server",
      "id": "000"
    },
    "manager": {
      "name": "wazuh-server"
    },
    "data": {
      "integration": "office365",
      "office365": {
        "AzureActiveDirectoryEventType": "1",
        "UserKey": "5a4603e7-100d-4fab-83c0-8dac779b2628",
        "ActorIpAddress": "102.244.157.118",
        "Operation": "UserLoggedIn",
        "OrganizationId": "0fea4e03-8146-453b-b889-54b4bd11565b",
        "ExtendedProperties": [
          {
            "Value": "Redirect",
            "Name": "ResultStatusDetail"
          },
          {
            "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
            "Name": "UserAgent"
          },
          {
            "Value": "OAuth2:Authorize",
            "Name": "RequestType"
          }
        ],
        "IntraSystemId": "aa9ef67e-5237-49e0-9d45-587d8afc1f00",
        "Target": [
          {
            "Type": 0,
            "ID": "5f09333a-842c-47da-a157-57da27fcbca5"
          }
        ],
        "RecordType": "15",
        "Version": "1",
        "ModifiedProperties": [],
        "Actor": [
          {
            "Type": 0,
            "ID": "5a4603e7-100d-4fab-83c0-8dac779b2628"
          },
          {
            "Type": 5,
            "ID": "XXXXXXX@wazuh.com"
          }
        ],
        "DeviceProperties": [
          {
            "Value": "Windows10",
            "Name": "OS"
          },
          {
            "Value": "Chrome",
            "Name": "BrowserType"
          },
          {
            "Value": "80ce5b15-c485-4128-a9ea-f9c0cdfb663d",
            "Name": "SessionId"
          }
        ],
        "Subscription": "Audit.AzureActiveDirectory",
        "ActorContextId": "0fea4e03-8146-453b-b889-54b4bd11565b",
        "ResultStatus": "Success",
        "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5",
        "ErrorNumber": "0",
        "ClientIP": "102.244.157.118",
        "Workload": "AzureActiveDirectory",
        "UserId": "XXXXXXX@wazuh.com",
        "TargetContextId": "0fea4e03-8146-453b-b889-54b4bd11565b",
        "CreationTime": "2024-01-29T07:29:21",
        "Id": "aa9ef67e-5237-49e0-9d45-587d8afc1f00",
        "InterSystemsId": "e0e158a5-202d-4e1f-bb93-873be484222d",
        "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7",
        "UserType": "0"
      },
      "aws": {
        "accountId": "",
        "region": ""
      }
    },
    "rule": {
      "firedtimes": 1,
      "mail": false,
      "level": 3,
      "hipaa": [
        "164.312.a.2.I",
        "164.312.b",
        "164.312.d",
        "164.312.e.2.II"
      ],
      "pci_dss": [
        "8.3",
        "10.6.1"
      ],
      "description": "Office 365: Secure Token Service (STS) logon events in Azure Active Directory.",
      "groups": [
        "office365",
        "AzureActiveDirectoryStsLogon"
      ],
      "id": "91545"
    },
    "location": "office365",
    "decoder": {
      "name": "json"
    },
    "id": "1706513609.3469",
    "GeoLocation": {
      "city_name": "Sangmelima",
      "country_name": "Cameroon",
      "region_name": "South",
      "location": {
        "lon": XX.XX33,
        "lat": XX.XX33
      }
    },
    "timestamp": "2024-01-29T07:33:29.195+0000"
  },
  "fields": {
    "timestamp": [
      "2024-01-29T07:33:29.195Z"
    ]
  },
  "highlight": {
    "manager.name": [
      "@opensearch-dashboards-highlighted-field@wazuh-server@/opensearch-dashboards-highlighted-field@"
    ],
    "rule.groups": [
      "@opensearch-dashboards-highlighted-field@office365@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1706513609195
  ]
}

Detecting creation and deletion of user accounts in Microsoft Azure AD

This use case shows how to monitor admin activities in Microsoft Azure AD (the directory service for Office 365) including creation and deletion of a user account.

Wazuh server

Perform the following steps to configure the Wazuh server for monitoring admin activities on Microsoft Azure AD.

Append the following configuration to the /var/ossec/etc/ossec.conf file on the Wazuh server:

<ossec_config>
  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <tenant_id><YOUR_TENANT_ID></tenant_id>
      <client_id><YOUR_CLIENT_ID></client_id>
      <client_secret><YOUR_CLIENT_SECRET></client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
      <subscription>Audit.AzureActiveDirectory</subscription>
    </subscriptions>
  </office365>
</ossec_config>

Replace:

The variable, <YOUR_TENANT_ID>, with the tenant ID of your application registered in Microsoft Azure.
The variable, <YOUR_CLIENT_ID>, with the client ID of your application registered in Microsoft Azure.
The variable, <YOUR_CLIENT_SECRET>, with the client secret of your application registered in Microsoft Azure.

Restart the Wazuh manager service to apply the changes:
```
# systemctl restart wazuh-manager
```

Microsoft Azure portal

We create and delete a user account on the Microsoft Azure AD to generate an activity for Wazuh to monitor and display on the dashboard.

Perform the following actions to create and delete a test user account.

Azure Active Directory is now Microsoft Entra ID. In the Search bar of the Azure portal, type Microsoft Entra ID, and click on it to access your AD.
Navigate to Users from the side menu and click on New user > Create new user.
Fill in the user’s information and click on the Review + create button to create the user.
Delete the user by selecting the Display name and clicking on the Delete button.

Wazuh dashboard

Navigate to Modules > Office 365 and click on the Events tab to view the generated alerts.

Below is a sample alert of the user addition event in JSON format.

{
  "_index": "wazuh-alerts-4.x-2024.01.29",
  "_id": "0NRwVY0B9LTh695MCISi",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "name": "wazuh-server",
      "id": "000"
    },
    "manager": {
      "name": "wazuh-server"
    },
    "data": {
      "integration": "office365",
      "office365": {
        "AzureActiveDirectoryEventType": "1",
        "ResultStatus": "Success",
        "ObjectId": "testuser@wazuh.com",
        "UserKey": "10032002120F5B41@wazuh.com",
        "Operation": "Add user.",
        "OrganizationId": "0fea4e03-8146-453b-b889-54b4bd11565b",
        "ExtendedProperties": [
          {
            "Value": "{}",
            "Name": "additionalDetails"
          },
          {
            "Value": "User",
            "Name": "extendedAuditEventCategory"
          }
        ],
        "Workload": "AzureActiveDirectory",
        "IntraSystemId": "db6d1058-438e-452a-8de2-82650855e986",
        "Target": [
          {
            "Type": 2,
            "ID": "User_f1937c88-f4f2-43b3-a753-e324345e39e4"
          },
          {
            "Type": 2,
            "ID": "f1937c88-f4f2-43b3-a753-e324345e39e4"
          },
          {
            "Type": 2,
            "ID": "User"
          },
          {
            "Type": 5,
            "ID": "testuser@wazuh.com"
          },
          {
            "Type": 3,
            "ID": "100320034A719856"
          }
        ],
        "RecordType": "8",
        "Version": "1",
        "ModifiedProperties": [
          {
            "OldValue": "[]",
            "NewValue": "[\r\n  true\r\n]",
            "Name": "AccountEnabled"
          },
          {
            "OldValue": "[]",
            "NewValue": "[\r\n  \"testuser\"\r\n]",
            "Name": "DisplayName"
          },
          {
            "OldValue": "[]",
            "NewValue": "[\r\n  \"Test\"\r\n]",
            "Name": "GivenName"
          },
          {
            "OldValue": "[]",
            "NewValue": "[\r\n  \"testuser\"\r\n]",
            "Name": "MailNickname"
          },
          {
            "OldValue": "[]",
            "NewValue": "[\r\n  \"2024-01-29T13:19:12Z\"\r\n]",
            "Name": "StsRefreshTokensValidFrom"
          },
          {
            "OldValue": "[]",
            "NewValue": "[\r\n  \"User\"\r\n]",
            "Name": "Surname"
          },
          {
            "OldValue": "[]",
            "NewValue": "[\r\n  \"testuser@wazuh.com\"\r\n]",
            "Name": "UserPrincipalName"
          },
          {
            "OldValue": "[]",
            "NewValue": "[\r\n  \"Member\"\r\n]",
            "Name": "UserType"
          },
          {
            "OldValue": "",
            "NewValue": "AccountEnabled, DisplayName, GivenName, MailNickname, StsRefreshTokensValidFrom, Surname, UserPrincipalName, UserType",
            "Name": "Included Updated Properties"
          }
        ],
        "UserId": "XXXXXXX@wazuh.com",
        "TargetContextId": "0fea4e03-8146-453b-b889-54b4bd11565b",
        "Actor": [
          {
            "Type": 5,
            "ID": "XXXXXXX@wazuh.com"
          },
          {
            "Type": 3,
            "ID": "10032002120F5B41"
          },
          {
            "Type": 2,
            "ID": "User_046e51c3-4029-44c0-b57a-e80d39e4970e"
          },
          {
            "Type": 2,
            "ID": "046e51c3-4029-44c0-b57a-e80d39e4970e"
          },
          {
            "Type": 2,
            "ID": "User"
          }
        ],
        "CreationTime": "2024-01-29T13:19:12",
        "Id": "0c620dac-5a11-4478-a8fe-4c8f35d89517",
        "InterSystemsId": "1f9afa31-170c-4862-8655-5b48b00cc368",
        "Subscription": "Audit.AzureActiveDirectory",
        "UserType": "0",
        "ActorContextId": "0fea4e03-8146-453b-b889-54b4bd11565b"
      },
      "aws": {
        "accountId": "",
        "region": ""
      }
    },
    "rule": {
      "firedtimes": 1,
      "mail": false,
      "level": 6,
      "hipaa": [
        "164.312.a.2.I",
        "164.312.b"
      ],
      "pci_dss": [
        "8.1.2",
        "10.6.2"
      ],
      "description": "Office 365: Added user",
      "groups": [
        "office365",
        "AzureActiveDirectory"
      ],
      "mitre": {
        "technique": [
          "Valid Accounts",
          "Additional Cloud Credentials"
        ],
        "id": [
          "T1078",
          "T1098.001"
        ],
        "tactic": [
          "Defense Evasion",
          "Persistence",
          "Privilege Escalation",
          "Initial Access"
        ]
      },
      "id": "91709"
    },
    "location": "office365",
    "decoder": {
      "name": "json"
    },
    "id": "1706535414.239597",
    "timestamp": "2024-01-29T13:36:54.168+0000"
  },
  "fields": {
    "timestamp": [
      "2024-01-29T13:36:54.168Z"
    ]
  },
  "highlight": {
    "manager.name": [
      "@opensearch-dashboards-highlighted-field@wazuh-server@/opensearch-dashboards-highlighted-field@"
    ],
    "rule.groups": [
      "@opensearch-dashboards-highlighted-field@office365@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1706535414168
  ]
}

Regulatory compliance

Wazuh helps implement compliance requirements for regulatory compliance support and visibility. This is done by providing automation, improved security controls, log analysis, and incident response.

The default Wazuh ruleset provides support for PCI DSS, HIPAA, NIST 800-53, TSC, and GDPR frameworks and standards. Wazuh rules and decoders are used to detect attacks, system errors, security misconfigurations, and policy violations.

Learn more about achieving compliance with Wazuh in the sections below:

Using Wazuh for PCI DSS compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle credit cards. The standard was created to increase controls around cardholder data to reduce credit card fraud.

Wazuh helps ensure PCI DSS compliance by performing log collection, file integrity checking, configuration assessment, intrusion detection, real-time alerting, and active response. The Wazuh dashboard displays information in real-time, allowing filtering by different types of alert fields, including compliance controls. We have also developed a couple of PCI DSS dashboards for convenient viewing of relevant alerts. The syntax used for tagging PCI DSS relevant rules is pci_dss_ followed by the number of the requirement (e.g., pci_dss_10.2.4 and pci_dss_10.2.5).

This guide explains how Wazuh capabilities and modules assist with meeting PCI DSS version 4.0 requirements:

Wazuh for PCI DSS V4.0 Guide (PDF)

In the following sections, we show some use cases on how to use Wazuh capabilities and modules to meet PCI DSS version 4.0 requirements:

Log data analysis

In many cases, you can find evidence of an attack in the log messages of devices, systems, and applications. The Wazuh log data analysis module receives logs through text files or Windows event logs. It can also directly receive logs via remote syslog, which is useful for firewalls and other such devices.

Additionally, the log data analysis module analyzes the log data received from agents. It performs decoding and rule matching on the received data to process it. You can then use this processed log data for threat detection, prevention, and active response.

The log collector module helps to meet the following PCI DSS requirement:

Requirement 10 - Log and Monitor All Access to System Components and Cardholder Data: This control requires that user activities, including those by employees, contractors, consultants, internal and external vendors, and other third parties are logged and monitored, and the log data stored for a specified period of time.

To help meet this requirement, the Wazuh agent collects logs from the endpoints it is deployed on. The log analysis module also receives logs via syslog for network and other syslog-enabled devices. It decodes the logs received to extract relevant information from its fields. After that, it compares the extracted information to the ruleset to look for matches. When the extracted information matches a rule, Wazuh generates an alert. Refer to the ruleset section for more information.

Wazuh also holds logs of events that don't generate an alert. For this it uses its archive feature and the indexer long term storage. For more information on configuring log collection, see the Log data collection section.

Use cases

PCI DSS 10.2.2 requires that audit logs record the following details for each auditable event:
- User identification.
- Type of event.
- Date and time.
- Success and failure indication.
- Origination of event.
- Identity or name of affected data, system component, resource, or service (for example, name and protocol).
  
  The following are some Wazuh rules that help achieve this requirement:
- Rule 5710 - sshd: attempt to login using a non-existent user: This rule generates an alert when a non-existent user tries to log in to a system via SSH. The generated alert contains the information required by requirement 10.2.2 (user identification, type of event, date and time, success and failure indication, origination of event, and identity or name of affected data, system component, resource, or service). The screenshot below shows the alert generated on the dashboard:
- Rule 5715 - sshd: authentication success: This rule generates an alert when a user successfully logs into a system via SSH. The generated alert contains the information required by requirement 10.2.2 (user identification, type of event, date and time, success and failure indication, origination of event, and identity or name of affected data, system component, resource, or service). The screenshot below shows the alert generated on the dashboard:
PCI DSS 10.5.1 requires that you retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. You can achieve this by enabling Wazuh log archives and configuring index management policies. To enable Wazuh log archives, take the following steps:
Enable archives monitoring in the Wazuh indexer:
1. Set <logall_json>yes</logall_json> in /var/ossec/etc/ossec.conf.
2. Set archives: enabled to true in /etc/filebeat/filebeat.yml:
  archives: enabled: true
3. Restart Filebeat:
  # systemctl restart filebeat
4. Restart the Wazuh manager:
  # systemctl restart wazuh-manager
5. Select ☰ > Dashboard management > Dashboards Management in the Wazuh dashboard.
6. Choose Index Patterns and select Create index pattern. Use wazuh-archives-* as the index pattern name.
7. Select timestamp as the primary time field for use with the global time filter, then proceed to create the index pattern.
8. Open the menu and select Discover under Explore. Events should be getting reported there.
PCI DSS requirement 10.4.1 requires to review the following audit logs at least once daily:
- All security events.
- Logs of all system components that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
- Logs of all critical system components.
- Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), and authentication servers).
This requirement ensures analyzing logs for indicators of compromise at least once daily. The following are some Wazuh rules that may help in achieving this requirement:
- Rule 61138: New Windows Service Created. The analysis engine analyzes the Windows system logs to find out if a new service was created generating an alert from this rule.
- Rule 31168: Shellshock attack detected. The analysis engine analyzes logs to find out about shellshock attacks from a WAF or web application generating an alert.

Configuration assessment

The Security configuration assessment module determines the state of hardening and configuration policies on agents. SCA performs scans to discover exposures or misconfigurations in monitored endpoints. Those scans assess the configuration of the hosts using policy files that contain rules to be tested against the actual configuration of the host.

The SCA module helps to meet the following PCI DSS requirements:

Requirement 2 - Apply Secure Configuration to All System Components: This requirement ensures the changing of default passwords, removing unnecessary software, functions, and accounts, and disabling or removing unnecessary services all in order to reduce the potential attack surface.
Requirement 8 - Identify Users and Authentication Access to System Components: This requirement ensures that the identification of an individual or process on a computer system is conducted by associating an identity with a person or process through an identifier, such as a user, system, or application ID. These IDs (also referred to as “accounts”) fundamentally establish the identity of an individual or process by assigning unique identification to each person or process to distinguish one user or process from another. When each user or process is uniquely identified, it ensures there is accountability for actions performed by that identity. When such accountability is in place, actions taken are traced to known and authorized users and processes.

To achieve the above requirements, SCA runs assessment checks. These checks assess whether it is necessary to change password related configuration to ensure strong passwords, remove unnecessary software, disable unnecessary services, or audit the TCP/IP stack configuration. Sources of system hardening standards accepted by the industry include, but are not limited to: the Center for Internet Security (CIS), the International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), National Institute of Standards Technology (NIST).

Out-of-the-box, Wazuh includes CIS baselines for a wide range of operating systems and applications. This includes Debian, macOS, Red hat, and Windows operating systems. For more information, see a list of the available SCA policies. You can create other baselines for other systems or applications as well. Find more details on configuring SCA checks in the SCA documentation section.

Use cases

Below are some PCI DSS requirement use cases that can be met with the SCA module.

PCI DSS 2.2.4 requires enabling only necessary services, protocols, daemons, and functions to remove or disable all unnecessary functionality. IP forwarding is an example of a system service that may be abused if misconfigured. When IP forwarding is configured on a device, it may serve as a router to be abused.

In order to perform checks for this specific use case, the SCA module has check 18579 Ensure IP forwarding is disabled for Ubuntu 18.04 endpoints. When an SCA scan runs, you can detect if this use case is satisfied.

Note that the SCA check IDs for the same requirement may vary depending on the endpoint the SCA scan is being run on.
PCI DSS 8.3.7 states that individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.

We have the SCA check 18674 Ensure password reuse is limited for Ubuntu 18.04 endpoints. It checks the password reuse policy and helps meet requirement 8.3.7. So, when an SCA scan runs, you can detect if the password history policy meets the requirement.

Malware detection

Wazuh offers several capabilities that support malware detection. These detections can be done by:

These malware detection components help meet the following PCI DSS requirement:

Requirement 5 - Protect All Systems and Networks from Malicious Software: Malicious software (malware) is software or firmware designed to infiltrate or damage a computer system without the owner's knowledge or consent, with the intent of compromising the confidentiality, integrity, or availability of the owner’s data, applications, or operating system. The goal of this requirement is to protect systems from current and evolving malware threats.

To help meet the above PCI DSS requirement, Wazuh uses a combination of rootcheck, CDB lists, integrations with VirusTotal and YARA, and active response to detect and remove malicious files.

Use cases

PCI DSS 5.2.2 requires that the deployed anti-malware solution(s):
- Detects all known types of malware.
- Removes, blocks, or contains all known types of malware.
Detecting a rootkit is a sample case for malware detection. The rootcheck module runs several tests to detect rootkits. One of them checks for files hidden in /dev. The /dev directory should only contain device-specific files such as the primary IDE hard disk (/dev/hda), and the kernel random number generators (/dev/random and /dev/urandom), among others. Any additional files, beyond the expected device-specific files, needs inspection. Many rootkits use /dev as a storage partition to hide files.

In the following example we have a rootkit on the endpoint that creates hidden files in /lib/udev/rules.d. When the rootcheck scan is run, an alert is generated detecting the hidden files.

File integrity monitoring

File integrity monitoring compares the cryptographic checksum and other attributes of a known file against the checksum and attributes of that file after it has been modified.

First, the Wazuh agent scans the system periodically at a specified interval, then it sends the checksums of the monitored files and registry keys (for Windows systems) to the Wazuh server. The server stores the checksums and looks for modifications by comparing the newly received checksums against the historical checksum values for those files and/or registry keys. An alert is generated if the checksum (or another file attribute) changes. Wazuh also supports near real-time file integrity monitoring.

The file integrity monitoring module is used to meet some sub-requirements of PCI DSS requirement 11 which requires testing the security of systems and networks regularly. This requirement aims to ensure that system components, processes, and bespoke and custom software are tested frequently to ensure security controls continue to reflect a changing environment. Some of the changes in the environment may include the modification and deletion of critical files. This module helps to monitor these file changes and assist in achieving PCI DSS compliance.

Use cases

PCI DSS 11.5.2 requires the deployment of a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel of unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and to configure the software to perform critical file comparisons at least weekly.

In the following sections, we look at configuring Wazuh to do the following:
- Detect changes in a file
- Perform critical file comparisons at specified intervals
- Detect file deletion

Detect changes in a file

For this use case, we configure Wazuh to detect when changes are made to a file in the directory /root/credit_cards and the details of the user that made the changes.

On the agent

Firstly we need to check if the Audit daemon is installed in our system.

In RedHat based systems, Auditd is commonly installed by default. If it's not installed, we need to install it using the following command:
```
# yum install audit
```
For Debian based systems, use the following:
```
# apt install auditd
```

Check the full file path for the file or directory to be monitored. In this case, the module monitors the directory /root/credit_cards for changes:

# ls -l  /root/credit_cards/

total 4
-rw-r--r--. 1 root root 14 May 16 14:53 cardholder_data.txt

# cat /root/credit_cards/cardholder_data.txt

User1 = card4

Add the following configuration to the syscheck block of the agent configuration file (/var/ossec/etc/ossec.conf). This enables real-time monitoring of the directory. It also ensures that Wazuh generates an alert when a file in the directory is modified. This alert has the details of the user who made the changes on the monitored files and the program name or process used to carry them out:
```
<syscheck>
   <directories check_all="yes" whodata="yes">/root/credit_cards</directories>
</syscheck>
```

Restart the Wazuh agent to apply the changes:

# systemctl restart wazuh-agent

# service wazuh-agent restart

Execute the following command to check if the Audit rule for monitoring the selected folder is applied:
```
auditctl -l | grep wazuh_fim
```
Check in the command output that the rule was added:
```
auditctl -w /root/credit_cards -p wa -k wazuh_fim
```
Edit the file and add new content:
nano credit_cards/cardholder_data.txt
You can see an alert generated to show that a file in the monitored directory was modified.

In the alert details, you can see the PCI DSS requirement met, the differences in the file checksum, the file modified, the modification time, the whodata showing the process and user that made the modification, and other details.

Perform critical file comparisons at specified intervals

In this use case, we configure Syscheck to detect when changes have been made to monitored files over specific time intervals and show the differences in the file between the last check and the present check. To illustrate this, in the steps below, we configure syscheck to perform a scan every 1 hour and generate an alert for every file change detected.

Note

Syscheck runs scans every 12 hours by default. The scan frequency set is for all monitored files/directories except directories with real-time monitoring enabled.
Depending on the number of files/directories configured for scans, and the frequency of syscheck scans, you may observe increased CPU and memory usage. Please use the frequency option carefully.

On the agent

Determine the full file path for the file to be monitored. In this case, we are monitoring the file /root/credit_cards/cardholder_data.txt for changes.

Note

Showing the changes made in a file is limited to only text files at this time.
Update the frequency option of the syscheck block in the /var/ossec/etc/ossec.conf agent configuration file. Set a scan interval in seconds. For example, every 3600 seconds:
```
<frequency>3600</frequency>
```
Add the following configuration to the syscheck block of the /var/ossec/etc/ossec.conf agent configuration file. This enables monitoring of the file. It also ensures that Wazuh generates an alert with the differences when the file is modified.
```
<syscheck>
   <directories check_all="yes" report_changes="yes" >/root/credit_cards/cardholder_data.txt</directories>
</syscheck>
```
Note

If you prefer that the changes are monitored in real-time, you can use the configuration below to monitor the directory where the file is saved and disregard making the frequency modification.
```
<syscheck>
   <directories check_all="yes" report_changes="yes" realtime="yes" >/root/credit_cards</directories>
</syscheck>
```

Restart the Wazuh agent to apply the changes.

# systemctl restart wazuh-agent

# service wazuh-agent restart

Proceed to modify the file. In this case, we removed some content. An alert is generated on the next Syscheck scan about the modified file.

In the alert details, you can see the changes made in syscheck.diff, the file modified, the PCI DSS requirement met, the differences in the file checksum, the modification time, and other details.

Detect file deletion

In this scenario, Syscheck detects when a file in a monitored directory is deleted. To illustrate this, in the steps below, Syscheck is configured to monitor the /root/credit_cards/ directory for changes.

On the agent

Determine the full file path for the file or directory to be monitored. In this case, we are monitoring the directory /root/credit_cards.
Add the following configuration to the syscheck block of the /var/ossec/etc/ossec.conf agent configuration file. This enables monitoring of the file. It also ensures that Wazuh generates an alert if the file is deleted.
```
<syscheck>
   <directories check_all="yes" realtime="yes" >/root/credit_cards</directories>
</syscheck>
```

Restart the Wazuh agent to apply the changes.

# systemctl restart wazuh-agent

# service wazuh-agent restart

Delete a file from the directory. For example, cardholder_data.txt. You can see an alert generated for the file deleted.

In the alert details, you can see the file deleted, the PCI DSS requirement met, the deletion time, and other details.

You can track these activities from the PCI DSS module dashboard. The dashboard shows all activities that trigger a PCI DSS requirement including FIM changes.

Vulnerability detection

Wazuh is able to detect vulnerabilities in the applications installed on agents using the Vulnerability Detection module. This software audit is performed by querying our Cyber Threat Intelligence (CTI) API for vulnerability content documents. We aggregate vulnerability information into the CTI repository from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, CISA, and the National Vulnerability Database (NVD). We also maintain the integrity of our vulnerability data and the vulnerabilities repository updated, ensuring the solution checks for the latest CVEs. The Vulnerability detection module correlates this information with data from the endpoint application inventory.

The vulnerability detection module helps to meet the following PCI DSS requirements:

Requirement 6 - Develop and Maintain Secure Systems and Software: Actors with bad intentions can use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All system components must have all appropriate software patches to protect against the exploitation and compromise of account data by malicious individuals and malicious software.

The goal of this requirement is to ensure that systems and software have the appropriate security patches for discovered vulnerabilities to prevent compromise.

Requirement 11 - Test Security of Systems and Networks Regularly: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and bespoke and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

The goal of this requirement is to ensure that systems and networks are regularly tested to confirm their security status. These tests include penetration testing and vulnerability scans.

The Wazuh vulnerability detection module helps to meet the above requirements. The Wazuh agent collects a list of installed applications and OS information and sends it periodically to the manager. The Wazuh manager compares this information with vulnerability content documents to determine what vulnerabilities exist on an endpoint. You can find more details on configuring vulnerability detection in the vulnerability detection section of the documentation.

Use cases

Below are some PCI DSS requirements use cases that can be met with the vulnerability detection module:

PCI DSS 6.3 requires to identify and address security vulnerabilities. While vulnerability detection is enabled by default, you can still check everything is properly configured. For example, you can add the following block to the shared agent configuration file /var/ossec/etc/shared/default/agent.conf to make sure to detect vulnerabilities in packages installed on Ubuntu 20.04 endpoints.
```
<wodle name="syscollector">
   <disabled>no</disabled>
   <interval>1h</interval>
   <packages>yes</packages>
</wodle>
```
Make sure vulnerability detection is enabled by checking the /var/ossec/etc/ossec.conf manager configuration file.
<vulnerability-detection> <enabled>yes</enabled> <index-status>yes</index-status> <feed-update-interval>60m</feed-update-interval> </vulnerability-detection> <indexer> <enabled>yes</enabled> <hosts> <host>https://0.0.0.0:9200</host> </hosts> <ssl> <certificate_authorities> <ca>/etc/filebeat/certs/root-ca.pem</ca> </certificate_authorities> <certificate>/etc/filebeat/certs/filebeat.pem</certificate> <key>/etc/filebeat/certs/filebeat-key.pem</key> </ssl> </indexer>
If you made changes, restart the manager to apply them.
# systemctl restart wazuh-manager
# service wazuh-manager restart
You can see the results on the Wazuh dashboard. They include details of vulnerable packages, for example, vulnerabilities in the vim application. When you select a specific vulnerability detected, the Wazuh dashboard shows an overview of the issue and its status on the agent.
PCI DSS 11.3 requires to identify, prioritize, and address external and internal vulnerabilities regularly. The Wazuh vulnerability detection gives details on the severity rating and the CVSS scores. This helps to prioritize the vulnerabilities. From the vulnerability detection dashboard, you can filter by vulnerability severity rating to prioritize its remediation.

Active Response

Active Response allows the execution of scripts whenever an event matches certain rules in your Wazuh ruleset. The actions executed could be a firewall block or drop, traffic shaping or throttling, or account lockout, among others.

The Active Response module helps to meet the following PCI DSS requirement:

Requirement 11 - Test Security of Systems and Networks Regularly: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and bespoke and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

This requirement aims to ensure that you test your systems and networks regularly. Testing allows you to detect and respond to security status and possible intrusions. With the Active Response module, you can respond to intrusions and unauthorized file changes. You can find more details on configuring the Active Response module in the Active Response documentation section.

Use cases

PCI DSS 11.5 requires that you detect and respond to network intrusions and unexpected file changes. You can configure scripts to run when specific actions occur to respond to these intrusions. Wazuh comes with preconfigured active response scripts. Refer to the Default Active response scripts section to access these scripts.

Using the steps below, we configure the Active Response module to execute an IP block when an attempt to log in with a non-existent user via SSH occurs.
1. Configure the Active Response to execute the firewall-drop command when the rule for attempts to log in to a non-existent user is triggered (rule 5710) by adding the following block in the manager configuration file (/var/ossec/etc/ossec.conf):
```
<active-response>
   <disabled>no</disabled>
   <command>firewall-drop</command>
   <location>local</location>
   <rules_id>5710</rules_id>
   <timeout>100</timeout>
</active-response>
```
  Note
  
  The firewall-drop command is included in the manager configuration file by default.
2. Restart the Wazuh manager to apply the configuration:
  # systemctl restart wazuh-manager
  # service wazuh-manager restart
  When we attempt to SSH with a non-existent user, rule 5710 generates an alert followed by the active response getting triggered.

System inventory

Wazuh uses the Syscollector module to gather information about a monitored endpoint. This information includes hardware details, OS information, network details, services, browser extensions, running processes, users, and groups. The agent runs periodic scans on the endpoint and sends the information to the manager. The manager then updates the appropriate system information. See the System inventory section for more information about the Wazuh Syscollector module.

The Wazuh Syscollector module helps to meet the following PCI DSS requirement:

Requirement 2 - Apply Secure Configuration to All System Components: Malicious individuals, both external and internal to an entity, often use default passwords and other vendor default settings to compromise systems. These passwords and settings are well known and are easily determined via public information. Applying secure configurations to system components reduces the means available to an attacker to compromise the system. Changing default passwords, removing unnecessary software, functions, and accounts, and disabling or removing unnecessary services all help to reduce the potential attack surface.

The Wazuh Syscollector module helps to achieve some of the objectives of this requirement. It keeps an inventory of all endpoints and the processes/daemons running on them. The Wazuh Syscollector module also gets information about the endpoint hardware, OS, network details, services, browser extensions, users, and groups. This allows visibility into the PCI DSS relevant assets, enabled network ports, and running processes/daemons, to individuals in an organization.

Use cases

PCI DSS 2.2.4 requires keeping only necessary services, protocols, daemons, and functions enabled and removing or disabling all unnecessary functionality. Using the Wazuh Syscollector module, you can see what processes are running on a specific endpoint and determine if the running process or protocol is necessary for the operation of the asset. You can find this information in the IT Hygiene section on the Wazuh dashboard.

The Wazuh Syscollector module is enabled with all available scans by default in all compatible systems.

Visualization and dashboard

Wazuh provides a web dashboard for data visualization and analysis. The dashboard comes with out-of-the-box modules for threat hunting, PCI DSS compliance, detected vulnerable applications, file integrity monitoring data, configuration assessment results, cloud infrastructure monitoring events, and others. You can perform forensic and historical analysis of your alerts with the Wazuh dashboard.

Wazuh also provides a PCI DSS compliance dashboard under SECURITY OPERATIONS.

Thanks to the PCI DSS compliance dashboard, it's possible to monitor and track events that trigger PCI DSS requirements. This dashboard offers a quick view of the PCI DSS controls and visualizations of related events and requirements.

The Wazuh dashboard allows meeting the following PCI DSS requirements:

Requirement 10 - Log and Monitor All Access to System Components and Cardholder Data: This control requires that user activities, including those by employees, contractors, consultants, internal and external vendors, and other third parties are logged, monitored, and any generated alerts are reviewed periodically.

The Visualization and dashboard module helps to meet this requirement by showing events, alerts, configuration assessment results, and other information relevant to achieving PCI DSS compliance.

Use cases

PCI DSS 10.4 requires that audit logs are reviewed to identify anomalies or suspicious activity. Using the Wazuh dashboard component, you can review events and alerts generated by suspicious activities.

Using Wazuh for HIPAA compliance

The Health Insurance Portability and Accountability Act (HIPAA) has specifications and procedures for handling health information. This act aims to improve the effectiveness of healthcare services. It includes standards for electronic health care transactions and code sets. It also includes standards for security and unique health identifiers. Because changes in technology can impact the privacy and security of healthcare data, HIPAA provisions have sections that require the use of federal privacy protections for individually identifiable health information.

Part 164, subpart C (Security Standards For The Protection Of Electronic Protected Health Information), provides guidelines for the transmission, handling, storage, and protection of electronic healthcare information.

Wazuh has various capabilities that assist with HIPAA compliance such as log data analysis, file integrity monitoring, configuration assessment, threat detection and response.

Wazuh includes default rules and decoders for detecting security incidents, system errors, security misconfigurations, and policy violations. By default, these rules are mapped to the associated HIPAA standard. In addition to the default rule mapping provided by Wazuh, it’s possible to map your custom rules to one or more HIPAA standards by adding the compliance identifier in the <group> tag of the rule. The syntax used to map a rule to a HIPAA standard is hipaa_ followed by the number of the requirement, for example, hipaa_164.312.b. Refer to the ruleset section for more information.

The Wazuh for HIPAA guide (PDF) focuses on part 164, subpart C (Security Standards For The Protection Of Electronic Protected Health Information) of the HIPAA standard. This guide explains how the various Wazuh modules assist in complying with HIPAA standards.

We have use cases in the following sections that show how to use Wazuh capabilities and modules to comply with HIPAA standards:

Visualization and dashboard

Wazuh offers a web dashboard for data visualization and analysis. The Wazuh dashboard comes with out-of-the-box modules for threat hunting, compliance, detected vulnerable applications, file integrity monitoring data, configuration assessment results, and cloud infrastructure monitoring. It’s useful for performing forensic and historical alert analysis.

The Wazuh dashboard assists in meeting the following HIPAA section:

Security Management Process §164.308(a)(1) - Information System Activity Review: “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

This section of the HIPAA standard requires reviewing the activities performed on endpoints that handle health data regularly. This is to detect malicious behavior or security violations.

Use case: Review HIPAA security alerts

Wazuh generates alerts when there are violations of the HIPAA sections. The Wazuh dashboard is used to review events and alerts generated by suspicious activities.

The Wazuh dashboard comes with a dedicated module to track HIPAA related events.

When you choose the HIPAA module, you can see all alerts related to the HIPAA standard:

Additionally, the Controls section of the HIPAA compliance dashboard shows the various HIPAA related events. For ease of navigation, the Wazuh dashboard groups events according to the HIPAA section they meet or violate.

On the Wazuh dashboard, each HIPAA section has an information area. This area details the goals of the section, its description, and related events on the monitored endpoints.

Log data analysis

The logs generated from devices, systems, and applications are useful for detecting security incidents and system errors. The Wazuh log data analysis module collects and analyzes logs from various sources such as applications, endpoints, network devices, cloud workloads, and other security solutions. The data collected and analyzed by the log data analysis module helps in threat detection, prevention, and active response. Refer to the ruleset section for more information.

The Wazuh log data analysis module can help comply with the following HIPAA sections:

Audit Controls §164.312(b): “A covered entity or business associate must, in accordance with § 164.306 implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

This section of the HIPAA standard requires that tools be in place to log activities on all systems containing health data. The activities logged may include: authentication, system or application failure, and file read, write, or modification events.
Security Incident Procedures §164.308(a)(6)(i) - Response and reporting: “Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.”

This section of the HIPAA standard requires you to identify and mitigate security incidents and threats. The log data analysis module helps identify these incidents by analysis of endpoint activities.
Person or Entity Authentication §164.312(d): “A covered entity or business associate must, in accordance with § 164.306 implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

This section of the HIPAA standard requires you to log and review user authentication activities. The analysis of these activities helps determine if they are legitimate. The Wazuh log data analysis module analyzes logs to generate alerts when suspicious activities are detected.

Use case: SSH authentication

In this use case, the Wazuh server receives SSH authentication logs from an Ubuntu 22.04 endpoint. The log data analysis module subsequently decodes and evaluates these logs against Wazuh rules to find if they match the behavior of interest. For example, successful authentication.

Below is a rule to detect and alert on a successful SSH authentication:

Rule 5715 - sshd: authentication success: When a user successfully logs into an endpoint via SSH, this rule generates an alert. The alert includes the username, timestamp, and authentication status (success, or failure). The image below shows the alerts generated on the Wazuh dashboard for successful SSH authentications:

Configuration assessment

The Security Configuration Assessment (SCA) module performs scans to determine if monitored endpoints meet secure configuration and hardening policies. These scans assess the configuration of the endpoint using policy files that contain rules to be tested against the actual configuration of the endpoint.

The SCA module can help to implement the following HIPAA sections:

Evaluation §164.308(a)(8): “A covered entity or business associate must perform a periodic technical and nontechnical evaluation, based initially on the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.”

This section of the HIPAA standard requires you to conduct regular reviews of systems containing health information to ensure that they comply with security policies.
Access Control §164.312(a)(1) - Automatic Logoff: “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”

This section of the HIPAA standard requires you to implement measures that will terminate login sessions in systems that contain healthcare information after a specified period of inactivity. This includes making sure that an RDP or SSH session is automatically terminated after a predetermined duration of inactivity.

The Wazuh SCA module scans endpoints on a regular basis to ensure they comply with specified security policies. These scans also find missing access control policies like automatic logoff configurations. Refer to the Wazuh SCA documentation for more details on configuring SCA checks.

Use cases: SCA scan and SSH session timeout

In this use case, the SCA module performs periodic scans on an Ubuntu 22.04 endpoint to ensure that it complies with security policies and hardening configurations. Additionally, the Configuration Assessment module on the Wazuh dashboard displays the status of the SCA checks (passed, failed, or not applicable) and the time of the last scan for a specific endpoint, as shown below:

The Wazuh SCA policy CIS benchmark for Ubuntu Linux 22.04 LTS is an out-of-the-box policy based on the Center for Internet Security (CIS) benchmarks, a well-established standard for host hardening.
In this use case, Wazuh runs SCA checks to determine the status of SSH session timeouts on an Ubuntu 22.04 endpoint. The ID of the check is 28653. When this SCA check is run, if SSH session timeout on the endpoint is not configured, its result is Failed. Additionally, each SCA check contains the reason why the check is being performed, a description of the check and a remediation if the SCA check fails.

Malware detection

Wazuh offers several capabilities that support malware detection. The following methods achieve these detections:

These components of Wazuh help to comply with the following HIPAA sections:

Security Awareness and Training §164.308(a)(5)(i) - Protection from Malicious Software: “Procedures for guarding against, detecting, and reporting malicious software.”

This section of the HIPAA standard requires you to have procedures to detect and remove malicious software. The Wazuh malware detection capability implements this HIPAA section with the aid of out-of-the-box rules, VirusTotal and YARA integration, and the use of CDB lists. The rootcheck component of Wazuh also detects abnormal behavior in monitored endpoints. These capabilities help support this HIPAA section.

We show a use case of how to detect a rootkit.

File integrity monitoring

The Wazuh File Integrity Monitoring (FIM) module monitors an endpoint filesystem to detect changes in specified files and directories. It triggers alerts on file creation, modification, or deletion from the monitored paths. The FIM module stores the cryptographic checksum and other attributes of the monitored file, folder, or Windows registry key, and alerts when there is a change.

The File Integrity Monitoring module assists you in meeting the following HIPAA sections:

Workforce Security §164.308(a)(3)(i) - Authorization and/or supervision: “Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”
Integrity §164.312(c)(1) - Mechanism to authenticate electronic protected health information: “Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. ”
Transmission Security §164.312(e)(1) - Integrity controls: “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”

These sections of the HIPAA standard require monitoring files and directories containing healthcare data. The Wazuh FIM module assists in meeting this HIPAA section. It monitors files containing healthcare information and generates alerts when there is a modification or deletion. Refer to the Wazuh FIM documentation for more details on configuring file integrity monitoring.

Use cases: Detect file changes and deletion

The use cases in this section are performed on an Ubuntu 22.04 endpoint.

Detect file changes

In this use case, the Wazuh agent detects changes made to the patient_data.txt file in the /root/health_data directory.

On the Ubuntu endpoint

Create the health_data directory in the /root directory:
```
# mkdir /root/health_data
```

Create the file patient_data.txt in the /root/health_data directory and include some content:

# touch /root/health_data/patient_data.txt
# echo "User1 = medication" >> /root/health_data/patient_data.txt

Add the following configuration to the syscheck block of the agent configuration file /var/ossec/etc/ossec.conf to monitor the /root/health_data directory for changes:
```
<syscheck>
   <directories check_all="yes" realtime="yes">/root/health_data</directories>
</syscheck>
```

Restart the Wazuh agent to apply the changes:

# systemctl restart wazuh-agent

# service wazuh-agent restart

Modify the file by adding new content:
```
# echo "User2 = medication3" >> /root/health_data/patient_data.txt
```
You can see an alert generated to show that a file in the monitored directory was modified.

The alert details include the differences in the file checksum, the file modified, the modification time, and other information.

Detect file deletion

In this use case, you configure the Wazuh agent to detect file deletion in a monitored directory. Using the steps below, configure the FIM module to monitor the /root/health_data/ directory for changes.

On the Ubuntu endpoint

Create the health_data directory in the /root directory if it is not present:
```
# mkdir /root/health_data
```

Create the file patient_data.txt in the /root/health_data directory and include some content:

# touch /root/health_data/patient_data.txt
# echo "User1 = medication" > /root/health_data/patient_data.txt

Add the following configuration to the syscheck block of the agent configuration file /var/ossec/etc/ossec.conf to monitor the /root/health_data directory for changes:
```
<syscheck>
   <directories check_all="yes" realtime="yes">/root/health_data</directories>
</syscheck>
```

Restart the Wazuh agent to apply the changes:

# systemctl restart wazuh-agent

# service wazuh-agent restart

Delete a file from the monitored directory. In this case, delete patient_data.txt. You can see an alert generated for the file deleted.

The alert details include the file deleted, the endpoint where the file was deleted, the deletion time, and other details.

Vulnerability detection

Wazuh detects vulnerabilities in the applications installed on monitored endpoints using the Vulnerability Detection module. It performs a software audit by querying our Cyber Threat Intelligence (CTI) API for vulnerability content documents. We aggregate vulnerability information into the CTI repository from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, CISA, and the National Vulnerability Database (NVD). We also maintain the integrity of our vulnerability data and the vulnerabilities repository updated, ensuring the solution checks for the latest CVEs. The Vulnerability detection module correlates this information with data from the endpoint application inventory.

The Vulnerability Detection module helps to implement the following HIPAA section:

Security Management Process §164.308(a)(1) - Risk Analysis: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

This section of the HIPAA standard requires identifying risks and vulnerabilities affecting systems containing healthcare information.

The Wazuh Vulnerability Detection module assists in meeting aspects of this HIPAA section. The Vulnerability Detection module checks for vulnerable applications/packages and missing OS updates in an endpoint. Refer to the vulnerability detection section of our documentation for more details on configuring vulnerability detection.

Use case: Detect vulnerabilities

In this use case, you configure Wazuh to detect vulnerabilities on a Debian endpoint with the following steps:

Edit the Wazuh server configuration file /var/ossec/etc/ossec.conf. Make sure the module is enabled.

<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>

If you made changes, restart the Wazuh manager to apply them.
# systemctl restart wazuh-manager
# service wazuh-manager restart

You can view the results on the Wazuh dashboard, which includes information about vulnerable packages on the monitored endpoint. In this case, the vim software installed on the endpoint has vulnerabilities.

When you select any of the vulnerabilities, the dashboard shows an overview of the issues detected.

Active Response

The Wazuh Active Response module is configured to automatically execute scripts when events match specified rules in the Wazuh ruleset. These scripts may perform a firewall block or drop, traffic shaping or throttling, account lockout, or any other user defined action.

The Active Response module assists in meeting the following HIPAA section:

Security Incident Procedures §164.308(a)(6)(i) - Response and Reporting: “Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.”

The goal of this section is to make sure that you detect and respond to security incidents in your environment. The Active Response module assists in meeting this HIPAA section by responding to intrusions and unauthorized file changes. For more information on configuring Active Response, see the Active Response section of our documentation.

Use case: Block an IP address

In this use case, you configure the Active Response module to block an IP address when someone attempts to log in to an Ubuntu 22.04 endpoint with a non-existent user via SSH. To implement this, follow the steps below:

Add the following block to the Wazuh server configuration file (/var/ossec/etc/ossec.conf).
<active-response> <disabled>no</disabled> <command>firewall-drop</command> <location>local</location> <rules_id>5710</rules_id> <timeout>100</timeout> </active-response>
This configures the Active Response to execute the firewall-drop command when there is an attempt to log in to a non-existent user (rule 5710).

Note

The Wazuh server configuration file includes the firewall-drop command by default.
Restart the Wazuh server to apply the configuration:
# systemctl restart wazuh-manager
# service wazuh-manager restart
When you attempt to SSH with a non-existent user, rule 5710 generates an alert followed by an Active Response event.

Using Wazuh for NIST 800-53 compliance

NIST 800-53 is a cybersecurity framework developed by the National Institute of Standards and Technology (NIST). NIST 800-53 specifies security and privacy mechanisms and controls that U.S. federal information systems must implement and meet. The U.S. government makes compliance with these requirements mandatory for organizations and entities that process and handle federal data.

While NIST guidelines and recommendations are primarily targeted at federal agencies in the United States, they are widely used and respected by organizations in other sectors and countries as well. In fact, many industries and organizations have adopted the NIST Cybersecurity Framework as a basis for their own cybersecurity practices.

Wazuh has various capabilities and modules, such as log data analysis, file integrity monitoring, configuration assessment, threat detection, and autonomous response, that help improve organizations' cybersecurity posture. These Wazuh modules and capabilities also assist organizations in complying with NIST 800-53 controls.

Wazuh includes default rules and decoders for detecting security incidents, system errors, security misconfigurations, and policy violations. These rules are mapped to the NIST 800-53 controls by default. In addition to the default rule mapping provided by Wazuh, it’s possible to map your custom rules to one or more NIST 800-53 controls. For this, you need to add their compliance identifier in the <group> tag of the rule. The syntax used to map a rule to a NIST 800-53 control is nist_800_53_ followed by the acronym of the control and the specific control number. For example, the syntax nist_800_53_AU.12 maps a rule to the AU-12 Audit Record Generation control. Refer to the Rules syntax section for more information.

In the Wazuh for NIST 800-53 revision 5 guide (PDF), we explain how the various Wazuh modules assist in meeting and implementing NIST 800-53 controls.

We have some use cases in the following sections that show how to use Wazuh capabilities and modules to comply with NIST 800-53 controls:

Visualization and dashboard

Wazuh offers a web dashboard for continuous data visualization and analysis. The Wazuh dashboard comes with out-of-the-box modules for: threat hunting, regulatory compliance, detected vulnerable applications, file integrity monitoring, configuration assessment results, and cloud infrastructure monitoring. It helps perform forensic and historical alert analyses.

The Wazuh dashboard assists in meeting the following NIST 800-53 controls:

AU-6 Audit record review, analysis, and reporting: “Audit record review, analysis, and reporting covers information security and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.”
CA-7 Continuous monitoring: “Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.”

The Wazuh dashboard module provides dashboards for continuously monitoring and reviewing security incidents and generating reports of security and audit events. The Wazuh dashboard and its NIST 800-53 module help you meet the above NIST 800-53 controls.

Use cases

Generate a report of successful authentications

This use case shows how Wazuh helps meet the CA-7 Continuous monitoring NIST requirement by providing security reporting to administrators. Use the Wazuh dashboard to generate a report of all successful authentications in the last 24 hours:

Go to the Wazuh dashboard menu and select Discover under Explore.
Add a filter for the authentication_success rule group and click Save.
Save the results of the search using any name of your choice.
Select Reporting, then choose Generate CSV. This downloads a report of all successful authentication events as a CSV file for your review.

Review NIST 800-53 alerts

In this use case, Wazuh assists security administrators in meeting the AU-6 Audit record review, analysis, and reporting requirement by providing a NIST 800-53 compliance dashboard.

Select the NIST 800-53 module from your Wazuh dashboard.
Select the Events tab to see all alerts related to NIST 800-53 controls.
Select the Controls tab to view available control requirements.

The Controls section of the NIST 800-53 compliance dashboard shows the various NIST 800-53 controls and the related events. For ease of navigation, the Wazuh dashboard groups events according to the NIST 800-53 control they meet or violate.

Log data analysis

The Wazuh log data analysis module collects and analyzes logs from various sources, such as applications, systems, network devices, and cloud workloads. This data helps in resource monitoring, threat detection, and incident response.

The Wazuh Log data analysis module helps comply with the following NIST 800-53 controls:

IA-4 Identifier management: “Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.”
SI-4 System monitoring: “System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real-time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.”

The above NIST 800-53 controls require you to monitor system activities in your organization. Analysis of these activities helps you keep track of security incidents and occurrences within your infrastructure. The Wazuh log data analysis module analyzes logs and generates alerts when it detects suspicious activities.

Use case: Failed authentication attempts on a Windows endpoint

This use case shows how Wazuh helps meet the IA-4 Identifier management requirement by using the IP address label as an example identifier. In this scenario, Wazuh detects failed login attempts on a monitored Windows 10 endpoint.

Enable RDP on the Windows 10 endpoint. Select Start > Settings > System > Remote Desktop, and turn on Enable Remote Desktop. Please note that some Windows versions might not support Remote Desktop.
Open the Remote Desktop Connection application from another Windows endpoint on the same network. Perform five failed login attempts against the monitored Windows endpoint. .
Expand one of the rule ID 60204 alerts on the Wazuh dashboard. This allows finding more information about the multiple logon failure event. For example, target username, device identifiers such as source IP address, and the NIST 800-53 control the event is related to.

Security configuration assessment

The Wazuh Security Configuration Assessment (SCA) module performs scans to determine if monitored endpoints meet secure configuration and hardening policies. These scans assess the endpoint configuration using policy files. These policy files contain rules that serve as a benchmark for the configurations that exist on the monitored endpoint.

The Wazuh SCA helps to comply with the following NIST 800-53 controls:

SC-7 Boundary protection: “Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. SP 800-189 provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third-party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).”
IA-5 Authenticator management: “Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well-known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.”
CM-6 Configuration settings: “Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections.”

Wazuh has out-of-the-box SCA policies to check if endpoints meet authentication, network, and boundary policies, among other security policies. The Wazuh SCA module scans endpoints regularly to determine if they comply with specific security policies.

Use case: Ensure default deny firewall policy and SCA scan

This use case shows how Wazuh helps meet the CM-6 Configuration settings requirement by ensuring endpoint compliance with the CIS configuration benchmark. In this scenario, Wazuh runs default SCA checks to determine the default firewall deny policy status on an Ubuntu 22.04 endpoint.

Restart the Wazuh agent to trigger a new SCA scan.
```
# systemctl restart wazuh-agent
```
Select the Configuration Assessment module on your Wazuh dashboard. SCA scans are enabled by default so you don’t require further configuration actions.
Select the endpoint running the Wazuh agent.
Select CIS benchmark for Ubuntu Linux 22.04 LTS.

This scan helps ensure that the endpoint complies with security policies and hardening configurations. CIS Benchmark for Ubuntu Linux 22.04 LTS shows the results of the SCA checks (passed, failed, and not applicable) and the time of the last scan, as shown above.
Navigate to ID 28577.

This SCA check returns Failed if the default firewall policy on the endpoint is configured. Additionally, each SCA check contains the reason for performing the check, a description, and possible remediation for the failed SCA check.

Malware detection

Wazuh offers several capabilities that support malware detection. The Malware detection module uses the following integrations and methods to detect malicious activities on a monitored endpoint:

File integrity monitoring and threat detection rules.
Rootkit behavior detection rules.
CDB lists and threat intelligence to detect and remove malicious files.
VirusTotal integration for malware detection.
File integrity monitoring and YARA scans for malware detection.
Custom rules to detect malware IOC.
ClamAV logs collection.
Windows Defender logs collection.

These Malware detection components of Wazuh help you comply with the following NIST 800-53 controls:

SI-3 Malicious code protection: “Malicious code protection mechanisms include both signature and non-signature-based technologies. Non-signature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Such malicious code includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Non-signature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.”
SI-7 Software, firmware, and information integrity: “Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms-including parity checks, cyclic redundancy checks, cryptographic hashes, and associated tools-can automatically monitor the integrity of systems and hosted applications.”

The NIST 800-53 controls above require users to have tools and processes to detect malicious code and modified software and firmware. Wazuh supports the detection of suspicious system binaries, malware, and suspicious processes using out-of-the-box rules, VirusTotal and YARA integrations, and CDB lists. In addition, Wazuh also includes a File Integrity Monitoring module that allows users to continuously monitor specific files and paths that malware might use.

Use case: Detecting suspicious binaries

This use case shows how Wazuh meets the SI-3 Malicious code protection requirement by detecting a malicious binary on a monitored endpoint. In this scenario, the Wazuh rootcheck module is used to detect a trojan system binary on a Ubuntu 22.04 endpoint.

The Wazuh rootcheck module is enabled by default on the Wazuh agent configuration file. The rootcheck section explains the options in the rootcheck module.

Create a copy of the original system binary:

$ sudo cp -p /usr/bin/w /usr/bin/w.copy

Replace the original system binary /usr/bin/w with the following shell script:

$ sudo tee /usr/bin/w << EOF
#!/bin/bash
echo "`date` this is evil" > /tmp/trojan_created_file
echo 'test for /usr/bin/w trojaned file' >> /tmp/trojan_created_file
# Now running original binary
/usr/bin/w.copy
EOF

Restart the Wazuh agent to see the relevant alert:
```
$ sudo systemctl restart wazuh-agent
```
Navigate to the Threat Hunting dashboard. Search for the event with rule ID 510.

The image above shows an example of a suspicious binary file detected on a monitored endpoint.

File integrity monitoring

The Wazuh File Integrity Monitoring (FIM) module monitors an endpoint filesystem to detect file changes in specified files and directories. It triggers alerts on file creation, modification, or deletion from the monitored paths. The FIM module compares the cryptographic checksum and other attributes of the monitored files and folders when a change occurs.

The Wazuh File Integrity Monitoring module assists you in meeting the following NIST 800-53 controls:

SC-28 Protection of information at rest: “Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage.”
CM-3 Configuration changes control: “Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.”

These NIST 800-53 controls require you to protect information at rest and monitor configuration changes in your infrastructure. The Wazuh FIM module helps you monitor the creation, modification, and deletion of files, directories, and Windows registry keys. This helps you meet the NIST 800-53 controls that require monitoring changes to files and folders.

Use cases

Detect SSH configuration changes

This use case shows how Wazuh helps meet the SC-28 Protection of information at rest requirement by providing file integrity monitoring on specified files and paths.

In this scenario, the Wazuh FIM monitors the SSH configuration file /etc/ssh/sshd_config on an Ubuntu 22.04 endpoint to detect changes in the SSH configuration. Monitor the SSH configuration file for changes using the steps below:

Add the following configuration to the <syscheck> block of the Wazuh agent configuration file /var/ossec/etc/ossec.conf. This monitors the /etc/ssh/sshd_config file for changes:
<directories report_changes="yes" realtime="yes">/etc/ssh/sshd_config</directories>
Restart the Wazuh agent to apply the changes:
```
# systemctl restart wazuh-agent
```
Change the PasswordAuthentication option in the /etc/ssh/sshd_config file from no to yes to create a change in the SSH configuration:
# sed -re 's/^(PasswordAuthentication)([[:space:]]+)no/\1\2yes/' -i.`date -I` /etc/ssh/sshd_config
Select the File Integrity Monitoring module from the Wazuh dashboard. Find the alert triggered by rule ID 550. The alert details show that the content of /etc/ssh/sshd_config has changed. They include the differences in the file checksum, the modification time, and other information.

Detecting change actors to UFW firewall rules using who-data

This use case shows how Wazuh helps meet the CM-3 Configuration changes control requirement by providing extra audit data on triggered events for monitoring system configuration changes.

In this scenario, the Wazuh FIM monitors the Uncomplicated Firewall (UFW) rule files in the /etc/ufw/ directory on an Ubuntu 22.04 endpoint. Using who-data, you can get more information like the user, program, or process that made changes to a monitored file or folder. Perform the steps below to monitor and detect changes to the UFW rule files:

Add the following configuration to the <syscheck> block of the Wazuh agent configuration file /var/ossec/etc/ossec.conf . This monitors all UFW rule files for changes:
```
<directories report_changes="yes" whodata="yes">/etc/ufw/</directories>
```
UFW stores its rule files in the /etc/ufw/ directory, and all rule files have the extension .rules. We use the configuration above to monitor the modification, addition, and deletion of any files in the /etc/ufw/ directory.
Restart the Wazuh agent to apply the changes:
```
# systemctl restart wazuh-agent
```
Modify the permissions for an existing rule file, user.rules, in the /etc/ufw directory to create a change to the UFW rule files:
# sudo chmod 777 /etc/ufw/user.rules
Check the alert of rule ID 550 on the Wazuh dashboard. This alert shows permissions for the /etc/ufw/user.rules file have changed.
Expand the alert to view the full_log field. This field shows an overview of the event.
Check the syscheck.audit.login_user.name and syscheck.audit.process.name fields to see the user and process that initiated the change.

System inventory

The Wazuh Syscollector module gathers system resource information from each monitored endpoint. The information gathered includes hardware details, OS information, network details, and running processes. The Wazuh agent runs periodic scans on the endpoint and constantly updates the appropriate system information. The Wazuh Syscollector module helps to meet the following NIST 800-53 controls:

CM-7 Least functionality: “Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3).”
CM-8 System component inventory: “System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.”

The NIST 800-53 controls above require you to maintain an inventory of system components, including ports, protocols, applications, and services, and their authorized usage. The CM-7 Least functionality requirement specifies that you must permit only a minimum useful set of features necessary for software or systems functioning. The Wazuh Syscollector module helps to meet an aspect of this control by providing detailed information on processes, packages, and ports that run on a monitored endpoint.

Use case: Inventory of applications installed on a Windows endpoint

This use case shows how Wazuh helps meet the NIST CM-8 System component inventory by providing a module for system inventory.

Using the Wazuh Syscollector module for this use case, you can see all packages installed on a monitored Windows endpoint. You can find this information on the Wazuh dashboard for the specific agent.

Restart the Wazuh agent to trigger a new system inventory scan.
> Restart-Service -Name wazuh
> net stop wazuh > net start wazuh
Go to IT Hygiene on the Wazuh dashboard and select your endpoint.

The Wazuh Syscollector module runs all available scans once every twelve hours by default in all compatible operating systems.

Vulnerability detection

The Wazuh Vulnerability Detection module performs a software audit. It identifies vulnerabilities in the operating system and installed applications in monitored endpoints. The module queries our Cyber Threat Intelligence (CTI) API for vulnerability content documents. We aggregate vulnerability information into the CTI repository from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, CISA, and the National Vulnerability Database (NVD). We also maintain the integrity of our vulnerability data and the vulnerabilities repository updated, ensuring the solution checks for the latest CVEs. The Vulnerability detection module correlates this information with data from the endpoint application inventory.

The Vulnerability Detection module helps to implement the following NIST 800-53 controls:

RA-5 Vulnerability monitoring and scanning: “Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automation Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).”
SC-38 Operations security: “Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and the application of appropriate countermeasures. OPSEC controls are applied to organizational systems and the environments in which those systems operate. OPSEC controls protect the confidentiality of information, including limiting the sharing of information with suppliers, potential suppliers, and other non-organizational elements and individuals. Information critical to organizational mission and business functions includes user identities, element uses, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details.”

The Wazuh Vulnerability Detection module assists with the above requirements by checking for vulnerable applications/packages and missing OS updates in an endpoint.

Use case: Detect vulnerabilities on a Windows endpoint

This use case shows how Wazuh helps meet the NIST RA-5 Vulnerability monitoring and scanning requirement using the Vulnerability detection module to identify system vulnerabilities.

In this use case, you make sure that a monitored Windows 10 endpoint is properly configured and the Wazuh Vulnerability detection module enabled. The Vulnerability Detection module of the Wazuh dashboard shows the result of the vulnerabilities detection.

Windows endpoint

Check that the following highlighted options are within the syscollector wodle block of the /var/ossec/etc/ossec.conf file of your Wazuh agent:

<!-- System inventory -->
   <wodle name="syscollector">
     <disabled>no</disabled>
     <interval>1h</interval>
     <scan_on_start>yes</scan_on_start>
     <hardware>yes</hardware>
     <os>yes</os>
     <network>yes</network>
     <packages>yes</packages>
     <ports all="no">yes</ports>
     <processes>yes</processes>
     <users>yes</users>
     <groups>yes</groups>
     <services>yes</services>
     <browser_extensions>yes</browser_extensions>

     <!-- Database synchronization settings -->
     <synchronization>
       <max_eps>10</max_eps>
       <integrity_interval>24h</integrity_interval>
     </synchronization>
   </wodle>

Wazuh server

Edit the <vulnerability-detection> block within the /var/ossec/etc/ossec.conf file and make sure <enabled> is set to yes. This enables the vulnerability detection module.

<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>

If you made changes, restart the Wazuh server to apply them.
# systemctl restart wazuh-manager
# service wazuh-manager restart
Go to Vulnerability Detection > Inventory on the Wazuh dashboard. Select the Windows agent to find vulnerable applications and packages.

The alert details include the CVE number and severity, amongst other information.

Active Response

The Wazuh Active Response module performs autonomous actions on endpoints to mitigate security threats. You can configure the module to automatically execute scripts when specific alerts trigger. These scripts execute actions, such as a firewall block or drop, traffic shaping or throttling, and account lockout.

The Wazuh Active Response module assists in meeting the following NIST 800-53 controls:

AC-7 Unsuccessful logon attempts: “The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically released after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.”
SC-5 Denial-of-service protection: “Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.”

The Wazuh Active Response module assists in meeting the above controls by responding to brute force and denial of service attacks. Wazuh includes out-of-the-box active response commands that drop traffic from a malicious IP address or disable a user account that is a victim of brute forcing.

Use case: Automatically disable an account

This use case shows how Wazuh helps meet the NIST AC-7 Unsuccessful logon attempts requirement by identifying and taking precautionary responses to failed login attempts.

In this scenario, the Wazuh Active Response module automatically disables a user account on a monitored Ubuntu 22.04 endpoint when events analysis detects multiple failed terminal login attempts. You can then track the alerts for these events and actions on the Wazuh dashboard.

Wazuh server

Add the following configuration to the <ossec-config> block of the Wazuh server configuration file /var/ossec/etc/ossec.conf:
```
<ossec-config>
  <active-response>
    <disabled>no</disabled>
    <command>disable-account</command>
    <location>local</location>
    <rules_id>5503</rules_id>
  </active-response>
<ossec-config>
```
- command: The active response script for the disable-account command disables a user account when triggered.
- location: This specifies where to execute the active response command. The local option executes the script on the monitored endpoint where the event occurred.
- rules_id: This active response script runs when an alert for rule ID 5503 is generated. Rule ID 5503 detects multiple failed terminal login attempts and generates alerts. You can define multiple rules by separating them with a comma.
Restart the Wazuh server to apply the configuration changes:
# systemctl restart wazuh-manager
# service wazuh-manager restart

Ubuntu endpoint

Create two users for this use case:
```
# useradd <USER1>
# useradd <USER2>
```
In our use case, <USER1> is kon, while <USER2> is jon.
Attempt to log in with the wrong credentials to the <USER2> account using <USER1> account:
```
<USER1>:$ su <USER2>
```
The image below shows the related alerts on the Wazuh dashboard:
Check that the account was successfully locked using the passwd command on the Ubuntu endpoint:
```
# passwd --status <USER2>
```
```
jon L 11/24/2022 0 99999 7 -1
```

The L flag indicates the account is locked.

Threat intelligence

The Wazuh MITRE ATT&CK module provides you with threat intelligence capability. You can use it to gain further context on alerts in your environment. MITRE ATT&CK is a repository for information about attack tactics and techniques, and what to do to detect and mitigate them. The Wazuh MITRE ATT&CK module shows alerts that detail the threat actors, attack tactics, and techniques used in a security event. This module is helpful when an attack generates alerts and a user wants to know more about it. Refer to the MITRE ATT&CK framework for more details about MITRE mapping to rules.

The Wazuh threat intelligence capability helps to meet the following NIST 800-53 controls:

RA-10 Threat hunting: “Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams leverage existing threat intelligence and may create new threat intelligence, which is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies.”
PM-16 Threat awareness program: “Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information, including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may require special agreements and protection, or it may be freely shared.”

The NIST 800-53 controls above require organizations to perform threat hunting and stay continuously updated about cyber threats and adversaries. Wazuh helps you meet these controls by mapping alerts to MITRE ATT&CK techniques and providing an intelligence dashboard for reviewing adversary tactics, techniques, software, and mitigations.

Use cases

Review MITRE ATT&CK techniques in your environment

In this use case, Wazuh helps meet the PM-16 Threat awareness program requirement by providing the MITRE ATT&CK module for threat information sharing. Review various MITRE ATT&CK techniques and see the events associated with those techniques in your environment. To perform this review, follow the steps below:

Select the MITRE ATT&CK module on the Wazuh dashboard.
Select Framework. Here, you can see the available MITRE tactics and their associated techniques.
Select any technique to display its details as well as the events in your environment associated with that technique. In this example, we choose T1112 Modify Registry.

You can proceed to review the events for possible malicious activity.

Review intelligence on threat actors

In this use case, Wazuh helps meet the RA-10 Threat hunting requirement by providing a threat intelligence platform for threat hunters.

In this scenario, you review intelligence from MITRE about various threat actors, techniques, mitigations, and tools. Wazuh provides this information in the Intelligence section of the MITRE ATT&CK module. This review helps support the NIST PM-16 Threat awareness program control and keeps security administrators informed about threats. Follow the steps below to perform this review:

Select the MITRE ATT&CK module from the Wazuh dashboard.
Select Intelligence. Here, you can see the available MITRE intelligence sections.
Select Groups. Here, you can see the different threat groups identified by MITRE. In this use case, choose G0018.

You can see the group description, the software they use, and their associated techniques.

Using Wazuh for TSC compliance

The American Institute of Certified Professional Accountants (AICPA) developed the SOC 2 reporting framework to provide organizations with a uniform method to assess and report on the efficacy of their information security policies. SOC 2 reports focus on the five trust service categories of security, availability, processing integrity, confidentiality, and privacy.

The Trust Services Criteria (TSC) created by the Assurance Services Executive Committee (ASEC) of the AICPA presents control evaluation benchmarks. These evaluation benchmarks include metrics for security, availability, processing integrity, confidentiality, and privacy of information and systems across an entire entity. These metrics also relate to granular aspects of the entity, such as a division, an operational procedure, or a particular type of information used by the entity. The AICPA defines the common criteria as a set of controls that apply to the five Trust Services Criteria categories.

The COSO Principles and Common Criteria

The Committee of Sponsoring Organizations (COSO) internal control framework provides a systematic approach for organizations to manage risk and improve performance. It includes a detailed framework for evaluating and improving an entity's internal control structure.

TSC common criteria (CC) provides a framework for assessing and certifying the security of information technology (IT) products and systems. It defines a set of security standards and evaluation guidelines that organizations can adopt to assess the security of IT products and systems.

It's important to note that though both frameworks intersect, they are different. The TSC framework and COSO principles evaluate the effectiveness of an organization's internal controls and risk management processes. While the COSO principles prioritize the entity's overall internal control and risk management, the TSC common criteria focus primarily on the security of IT products and systems. It achieves this by providing a set of specific criteria for evaluating controls related to security, availability, processing integrity, confidentiality, and privacy.

Providing security to IT products and systems is a key element in improving an entity's overall risk management strategy and internal control structure. These criteria focus on the logical and physical protection of information, systems, and networks. The common criteria (CC) are organized into nine subsections, which are:
- CC1: Control environment
- CC2: Communication and Information
- CC3: Risk Management and Design and Implementation of Controls
- CC4: Control Activities
- CC5: Monitoring of Controls
- CC6: Logical and Physical Access Controls
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
In summary, SOC 2, TSC, COSO, and CC are all frameworks and standards organizations use to manage risks and ensure the effectiveness of their internal controls. SOC 2 and TSC focus on the security, availability, processing integrity, confidentiality, and privacy of an organization's systems and services. COSO provides a broader framework for enterprise risk management and internal control, while CC offers a method for evaluating the security features of IT products and systems. Organizations may use a combination of these frameworks and standards to develop a comprehensive risk management and compliance strategy.
TSC additional criteria

The TSC additional criteria are an extension of the common criteria. Organizations can use these additional criteria to address precise security requirements not defined by the conventional TSC common criteria.

Wazuh assists with these criteria by performing log collection, file integrity monitoring, configuration assessment, threat detection, vulnerability assessment, and automated threat response.

This document outlines use cases that show how Wazuh helps users comply with the TSC common criteria, and the additional criteria for availability, confidentiality, and processing integrity. We have also created the Using Wazuh for TSC 2017 requirements guide, which complements this document. Please refer to the guide for more details on how Wazuh helps meet TSC requirements.

The following sections outline some of the technical requirements that Wazuh supports:

The COSO Principle and Common Criteria
Additional criteria
- Availability - A1.1
- Processing integrity - PI1.4

Common criteria 2.1 (COSO Principle 13)

The TSC common criteria (CC2.1) relate to using relevant information and communication within an organization. It states, "The organization obtains or generates and uses relevant, quality information to support the functioning of internal control”.

This principle emphasizes the importance of accurate and prompt information to manage risks and achieve organizational objectives effectively. It also highlights the need for an efficient communication channel so that information can be conveyed and utilized by the appropriate individuals and departments within the organization. There are four objectives needed to meet this requirement:

Identify information requirements: A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives.
Capture internal and external sources of data: Information systems capture internal and external sources of data.
Process relevant data into information: Information systems process and transform relevant data into information.
Maintain quality throughout processing: Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components.

To comply with Principle 13, an entity should have processes in place to identify and gather relevant information, assess the quality of that information, and use it to support proper decision-making, such as internal control activities. It should also establish a functional communication channel to ensure timely information distribution to the appropriate individuals and departments.

The use case below shows how Wazuh assists in meeting this requirement.

Use case: Collecting and analyzing logs across multiple endpoints

Wazuh helps meet the COSO Principle 13 (CC2.1) requirement by providing capabilities that generate quality information for the proper functioning of internal control measures. An example is log data analysis. The Wazuh logcollector module retrieves and centralizes log data from different sources, such as operating systems, applications, network devices, and security appliances. Once the log data is collected, Wazuh applies various analysis techniques to extract valuable insights and detect potential security issues. This is done by matching the received data with the Wazuh out of the box decoders and rules.

This use case shows how log data analysis can be used to detect specific events across multiple endpoints. The process below shows how Wazuh groups Threat Hunting for an Ubuntu 22.04 agent.

Click on Threat Hunting in the Wazuh dashboard:

Check the security events on the dashboard and click on any alert to view more details.

The Wazuh ruleset also gives proper labeling to these triggered events. An example is the image below that shows the details for the triggered alert Attached USB Storage with rule ID 81101.

Common criteria 3.1 (COSO Principle 6)

The TSC common criteria CC3.1: The principle states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives”. This means that the entity should monitor the effectiveness of internal controls over financial reporting on an ongoing basis. In other words, an entity should have a system in place to regularly assess the effectiveness of its internal controls, identify and address any deficiencies, and make necessary adjustments to ensure that the controls effectively achieve their intended objectives.

This principle is a major component of the COSO framework for internal control and is essential for ensuring the integrity of financial reporting within an entity.

The use case below shows how Wazuh assists in meeting this requirement.

Use case: Utilizing Wazuh detection and response capabilities for security monitoring

Wazuh includes several out-of-the-box modules that help meet the COSO Principle 6 CC3.1 requirement. These modules provide capabilities for vulnerability assessment, configuration assessment, threat intelligence, and regulatory compliance, to mention a few. The analysis from these modules can be viewed from the Wazuh dashboard for easy identification and risk assessment.

Using the Wazuh dashboard, you can review events and alerts generated across your environment.

Common criteria 5.1 (COSO Principle 10)

The TSC common criteria CC5.1: The principle states, “The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.” This means that the organization should design and implement controls appropriate for its specific business environment aligned with its overall goals and objectives. Examples of control activities include policies, authorizations and approvals processes, information management, and physical controls.

One of the points of focus for this criteria is that an effective control framework should include a diverse mix of control activities, considering different approaches to address risks and incorporating a combination of manual and automated, preventive and detective controls.

This principle is a crucial part of the overall control metrics of an organization and is frequently applied in the context of internal control and risk management. It aids organizations in detecting and reducing risks and ensuring compliance with laws and regulations.

The use case below shows how Wazuh assists in meeting this requirement.

Use case: Security Configuration Assessment of a monitored endpoint

Wazuh helps meet this aspect of the COSO Principle 10 CC5.1 control activities requirement by providing several modules. One of these modules is the Security Configuration Assessment (SCA) module. This module allows a user to scan system components and configurations to detect misconfigurations that could lead to security issues. The Wazuh SCA module is an example of a detective control for proactively identifying misconfiguration issues for timely remediation.

In this case, we use the SCA module to evaluate a monitored Windows 10 endpoint against the CIS Benchmark for Windows 10. By monitoring and detecting security configuration issues, you can quickly identify and remediate potential security risks, ensuring the security and compliance of your systems. You can track these events and actions on the Wazuh dashboard:

Navigate to the Configuration Assessment module from the Wazuh dashboard. Select the monitored Windows 10 endpoint.

You can see the result of the assessment of the monitored endpoint.

Common criteria 6.1

The TSC common criteria CC6.1 states that: “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives”. This control is part of the security category of the TSC requirements. It requires the entity to maintain an inventory of its information assets. It also seeks to define the minimum requirements for the management of logical and physical access to the entity's information systems. These controls are implemented with user authentication, encryption, and asset inventory.

The TSC CC6.1 is a key consideration when assessing the reliability of a system. It demonstrates that the required security precautions have been taken to maintain an entity's security.

The use case below shows how Wazuh assists in meeting this requirement.

Use case: Maintaining asset inventory on a Windows endpoint

Wazuh meets the architecture, infrastructure, and security software aspects of the common criteria CC6.1 by providing several modules. One of these is the Syscollector module. In this use case, we show how to use the Wazuh Syscollector module to collect system information on a Windows 11 endpoint. You can use this module to monitor specific components, protocols, services, or applications running on an endpoint.

Open the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf and scroll to the syscollector block to verify that you have the same configuration below:

<!-- System inventory -->
   <wodle name="syscollector">
     <disabled>no</disabled>
     <interval>1h</interval>
     <scan_on_start>yes</scan_on_start>
     <hardware>yes</hardware>
     <os>yes</os>
     <network>yes</network>
     <packages>yes</packages>
     <ports all="no">yes</ports>
     <processes>yes</processes>
     <users>yes</users>
     <groups>yes</groups>
     <services>yes</services>
     <browser_extensions>yes</browser_extensions>

     <!-- Database synchronization settings -->
     <synchronization>
       <max_eps>10</max_eps>
       <integrity_interval>24h</integrity_interval>
     </synchronization>
   </wodle>

Navigate to IT Hygiene on the Wazuh dashboard and select your endpoint. You can see details about installed applications, network services, and used ports on the monitored endpoint.

Common criteria 7.1

The TSC common criteria CC7.1 states that: “To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities”. This control indicates the depth and rigor of the evaluation required to be performed on an information asset to monitor changes to the configuration. It ensures that changes do not introduce new vulnerabilities to the system or make it prone to new vulnerabilities.

Evaluation and compliance of an information asset to CC7.1 ensure that the asset is strengthened to a high level of security assurance. CC7.1 facilitates the prevention of misconfiguration flaws and ensures continuous monitoring to quickly identify vulnerabilities.

The use case below shows how Wazuh assists in meeting this requirement.

Use case: Monitoring a CentOS endpoint for vulnerabilities

Wazuh helps meet the common criteria CC7.1 by providing the Vulnerability Detection module. This module can uncover vulnerabilities in operating systems and installed applications. It performs a software audit by querying our Cyber Threat Intelligence (CTI) API for vulnerability content documents. We aggregate vulnerability information into the CTI repository from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, CISA, and the National Vulnerability Database (NVD). We also maintain the integrity of our vulnerability data and the vulnerabilities repository updated, ensuring the solution checks for the latest CVEs. The Vulnerability detection module correlates this information with data from the endpoint application inventory.

In this use case, you can see how the Wazuh Vulnerability Detection module detects vulnerabilities on a CentOS 8 endpoint.

Edit the Wazuh server configuration file /var/ossec/etc/ossec.conf. Make sure the module is enabled.

<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>

If you made changes, restart the Wazuh manager to apply them:
# systemctl restart wazuh-manager
# service wazuh-manager restart
Navigate to the Vulnerability Detection module from the Wazuh dashboard. Select the agent to view its discovered vulnerabilities.

Common criteria 8.1

The TSC common criteria CC8.1 provides a comprehensive and well-recognized technique for evaluating the security of IT products and systems. CC 8.1 defines a set of security requirements and evaluation procedures for IT products, such as software, hardware, and systems, that are intended to be used in a security context. The objective of CC 8.1 is to provide a standardized, objective, and repeatable evaluation process for IT products and to facilitate the development of secure IT products and systems. It states that: “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives”. The end goal of the common criteria 8.1 is to provide assurance to users of IT products that the product has been independently evaluated and meets a high level of security.

The following use case shows how Wazuh can assist in meeting this objective.

Use case: Monitoring packages installed on an Ubuntu endpoint

Wazuh helps meet the TSC common criteria CC8.1 requirement by providing several modules such as SCA, vulnerability detection, and active response. This use case shows how Wazuh can be used to view installed packages on an Ubuntu 22.04 endpoint.

To carry out this use case, set up a Wazuh server and an Ubuntu 22.04 endpoint with the Wazuh agent installed and connected to the Wazuh server.

Upgrade the Ubuntu endpoint to trigger the installation of packages:
```
$ sudo apt upgrade
```
Select Threat Hunting from your Wazuh dashboard.
Ensure the Ubuntu endpoint is selected.
Filter for rule ID 2902.

Wazuh contributes to the CC8.1 requirement by maintaining an accurate and up-to-date record of the software installed on each monitored agent. This information is vital for understanding the overall system configuration, tracking licenses, and ensuring compliance. Wazuh also integrates with vulnerability assessment tools and databases to identify known vulnerabilities associated with specific software packages. By cross-referencing the package inventory with vulnerability information, Wazuh highlights potential security weaknesses. This information allows organizations to prioritize patching or mitigating vulnerable packages, reducing the risk of exploitation.

The additional criteria

The Trust Service Criteria include an additional set of criteria that complement the COSO principle. These criteria, defined within the introductory section of this document, outline metrics that aim to improve the entity’s internal control process and risk management. They are specific to availability, processing integrity, confidentiality, and privacy. The sections below show the application and use cases for some selected requirements.

Availability - A1.1

The TSC additional criteria for availability A1.1 states that “The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives”. Maintaining the availability of information systems is very important to the business activities of service organizations.

Many service organizations offer outsourced services to their clients and typically have contractual obligations or service-level agreements regarding the services provided. These agreements make it valuable to include TSC requirements regarding availability, as it provides confidence to customers and the organization. It is especially common among data centers and organizations that have service (SaaS) offerings which often include TSC compliance.

The use case below demonstrates how Wazuh assists in meeting this requirement.

Use case: Using Wazuh for system resource monitoring on a Windows endpoint

Wazuh helps to meet the TSC additional criteria for availability A1.1 using a combination of several Wazuh modules. These modules can monitor system resources and performance to create alerts based on custom thresholds to help administrators react to events that impact availability. The modules include command monitoring and system inventory.

Using the Wazuh command monitoring module, we configure the Wazuh agent to run commands to monitor system resources on a Windows Server 2022 endpoint. We also show how to create custom rules to monitor the commands and view the relevant alerts on the Wazuh dashboard.

Add the configuration below to the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf. This monitors the RAM and CPU consumption of the monitored Windows endpoint:

<wodle name="command">
  <disabled>no</disabled>
  <tag>CPUUsage</tag>
  <command>Powershell -c "@{ winCounter = (Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples[0] } | ConvertTo-Json -compress"</command>
  <interval>1m</interval>
  <ignore_output>no</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>

<wodle name="command">
  <disabled>no</disabled>
  <tag>MEMUsage</tag>
  <command>Powershell -c "@{ winCounter = (Get-Counter '\Memory\Available MBytes').CounterSamples[0] } | ConvertTo-Json -compress"</command>
  <interval>1m</interval>
  <ignore_output>no</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>

Launch PowerShell as administrator and restart the Wazuh agent for the changes to take effect:
```
> Restart-Service -Name wazuh
```

Create a file performance_monitor.xml in the /var/ossec/etc/rules/ directory on the Wazuh server. Add the custom rules below to trigger alerts on different performance thresholds:

<group name="WinCounter,">
    <rule id="301000" level="0">
      <decoded_as>json</decoded_as>
      <match>^{"winCounter":</match>
      <description>Windows Performance Counter: $(winCounter.Path).</description>
    </rule>

    <rule id="302000" level="3">
      <if_sid>301000</if_sid>
      <field name="winCounter.Path">memory\\available mbytes</field>
      <description>Windows Counter: Available Memory.</description>
      <group>MEMUsage,tsc_A1.1,</group>
    </rule>

    <rule id="302001" level="5">
      <if_sid>302000</if_sid>
      <field name="winCounter.CookedValue" type="pcre2">^[5-9]\d{2}$</field>
      <description>Windows Counter: Available Memory less than 1GB.</description>
      <group>MEMUsage,tsc_A1.1,</group>
    </rule>

    <rule id="302002" level="7">
      <if_sid>302000</if_sid>
      <field name="winCounter.CookedValue" type="pcre2">^[1-4]\d{2}$</field>
      <description>Windows Counter: Available Memory less than 500MB.</description>
      <group>MEMUsage,tsc_A1.1,</group>
    </rule>

    <rule id="303000" level="3">
      <if_sid>301000</if_sid>
      <field name="winCounter.Path">processor\S+ processor time</field>
      <description>Windows Counter: CPU Usage.</description>
      <group>CPUUsage,tsc_A1.1,</group>
    </rule>

    <rule id="303001" level="5">
      <if_sid>303000</if_sid>
      <field name="winCounter.CookedValue">^8\d.\d+$</field>
      <description>Windows Counter: CPU Usage above 80%.</description>
      <group>CPUUsage,tsc_A1.1,</group>
    </rule>

    <rule id="303002" level="7">
      <if_sid>303000</if_sid>
      <field name="winCounter.CookedValue">^9\d.\d+$</field>
      <description>Windows Counter CPU Usage above 90%.</description>
      <group>CPUUsage,tsc_A1.1,</group>
    </rule>
</group>

Where:

Rule ID 301000 matches all "Windows Performance Counter" events and is the parent rule for all the other rules.
Rule ID 302000 reports the current memory utilization, measured in megabytes.
Rule ID 302001 triggers when the available memory is less than 1GB.
Rule ID 302002 triggers when the available memory is less than 500MB
Rule ID 303000 reports the current CPU utilization, measured in percentage.
Rule ID 303001 triggers when the CPU usage is above 80%.
Rule ID 303002 triggers when the CPU usage is above 90%.

Restart the Wazuh manager to apply the changes:
```
# systemctl restart wazuh-manager
```
Select TSC from the Wazuh dashboard to see the alerts. These alerts are identified with the tag A1.1.

Processing integrity - PI1.4

The trust service criteria for additional criteria for processing integrity PI1.4 is a set of guidelines that outline the requirements for ensuring the completeness and integrity of the processed data of an entity. It states: "The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.". The following actions are performed to achieve this:

Protect output: Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications.
Distribute output only to intended parties: Output is distributed or made available only to intended parties.
Distribute output completely and accurately: Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output.
Create and maintain records of system output activities: Records of system output activities are created and maintained completely and accurately in a timely manner.

The use case below demonstrates how Wazuh assists in meeting this requirement.

Use case: Detecting file changes using the Wazuh File Integrity Monitoring module

This use case shows how Wazuh helps meet the processing integrity PI1.4 requirement by monitoring and reporting file changes using the FIM module. In this scenario, we show how you can configure the Wazuh agent on a Ubuntu 22.04 endpoint to detect changes in the critical_folder directory.

Ubuntu endpoint

Switch to the root user:
```
$ sudo su
```
Create the directory critical_folder in the /root directory:
```
# mkdir /root/critical_folder
```

Create the file special_data.txt in the /root/critical_folder directory and add some content:

# touch /root/critical_folder/special_data.txt
# echo "The content in this file must maintain integrity" >> /root/critical_folder/special_data.txt

Add the highlighted configuration to the <syscheck> block of the Wazuh agent configuration file /var/ossec/etc/ossec.conf:

<syscheck>
  <directories realtime="yes" check_all="yes" report_changes="yes">/root/critical_folder</directories>
</syscheck>

Restart the Wazuh agent to apply the changes:
```
# systemctl restart wazuh-agent
```

Modify the file by changing the content of special_data.txt from The content in this file must maintain integrity to A change has occurred:

# echo "A change has occurred" > /root/critical_folder/special_data.txt
# cat /root/critical_folder/special_data.txt

A change has occurred

Select TSC from the Wazuh dashboard to view the alert with rule ID 550.

The alert is tagged with PI1.4 and other compliance tags with requirements that intersect with this use case.

Proof of Concept guide

In this section of the documentation, we provide a set of use cases to explore different Wazuh capabilities. We describe how Wazuh can be configured for threat prevention, detection, and response. Each use case represents a real-world scenario that users can deploy using specific configurations.

Preparing your lab environment

The Wazuh solution consists of security agents, which are deployed on monitored endpoints, and the Wazuh central components, which collect and analyze data gathered by the agents.

We recommend that you use virtual machines and take snapshots immediately after setting up the infrastructure. Doing this you can get a clean environment whenever you want to test a new use case. A clean environment is important because it prevents the different tests from interfering with each other.

The diagram below illustrates the architecture of the Wazuh lab environment that is required to test the use cases described in this document.

Wazuh central components

In these use cases, the Wazuh central components (server, indexer, and dashboard) run on one system. This is because you’re monitoring a small scale environment and there’s no need for a distributed architecture.

To install the Wazuh central components on a single system, it’s recommended to use one of the following options:

The Quickstart guide: Using this guide, you can install all the components on the same system in approximately 5 minutes.
Our preconfigured Virtual Machine: Wazuh provides a pre-built virtual machine image in Open Virtual Appliance (OVA) format. It can be imported to VirtualBox or other OVA-compatible virtualization systems.

Monitored endpoints

The Wazuh agent monitors the following endpoints. Depending on the use case, the endpoints act as victims of an attack, or as malicious actors (attackers).

Endpoint	Operating system (64-bits)	CPU cores	RAM	Disk
Ubuntu	Ubuntu 22.04 LTS	1 vCPU	2 GB	10 GB
RHEL	Red Hat Enterprise Linux 9.0	1 vCPU	2 GB	10 GB
Windows	Windows 11	2 vCPU	4 GB	25 GB

You can see our installation guide for information on how to install the Wazuh agent on these endpoints. You need Internet access to perform some integrations and download the software used in these use cases.

Use cases

Blocking a known malicious actor

In this use case, we demonstrate how to block malicious IP addresses from accessing web resources on a web server. You set up Apache web servers on Ubuntu and Windows endpoints, and try to access them from an RHEL endpoint.

This case uses a public IP reputation database that contains the IP addresses of some malicious actors. An IP reputation database is a collection of IP addresses that have been flagged as malicious. The RHEL endpoint plays the role of the malicious actor here, therefore you add its IP address to the reputation database. Then, configure Wazuh to block the RHEL endpoint from accessing web resources on the Apache web servers for 60 seconds. It’s a way of discouraging attackers from continuing to carry out their malicious activities.

In this use case, you use the Wazuh CDB list and Active Response capabilities.

Infrastructure

Endpoint	Description
RHEL 9.0	Attacker endpoint connecting to the victim's web server on which you use Wazuh CDB list capability to flag its IP address as malicious.
Ubuntu 22.04	Victim endpoint running an Apache 2.4.54 web server. Here, you use the Wazuh Active Response module to automatically block connections from the attacker endpoint.
Windows 11	Victim endpoint running an Apache 2.4.54 web server. Here, you use the Wazuh Active Response module to automatically block connections from the attacker endpoint.

Configuration

Ubuntu endpoint

Perform the following steps to install an Apache web server and monitor its logs with the Wazuh agent.

Update local packages and install the Apache web server:
```
$ sudo apt update
$ sudo apt install apache2
```
If the firewall is enabled, modify the firewall to allow external access to web ports. Skip this step if the firewall is disabled:
```
$ sudo ufw status
$ sudo ufw app list
$ sudo ufw allow 'Apache'
```
Check the status of the Apache service to verify that the web server is running:
```
$ sudo systemctl status apache2
```
Use the curl command or open http://<UBUNTU_IP> in a browser to view the Apache landing page and verify the installation:
```
$ curl http://<UBUNTU_IP>
```

Add the following to /var/ossec/etc/ossec.conf file to configure the Wazuh agent and monitor the Apache access logs:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/apache2/access.log</location>
</localfile>

Restart the Wazuh agent to apply the changes:
```
$ sudo systemctl restart wazuh-agent
```

Windows endpoint

Install the Apache web server

Perform the following steps to install and configure an Apache web server.

Install the latest Visual C++ Redistributable package.
Download the Apache web server Win64 ZIP installation file. This is an already compiled binary for Windows operating systems.
Unzip the contents of the Apache web server zip file and copy the extracted Apache24 folder to the C: directory.
Navigate to the C:\Apache24\bin\ folder and run the following command in a PowerShell terminal with administrator privileges:
```
> .\httpd.exe
```
The first time you run the Apache binary a Windows Defender Firewall pops up.
Click on Allow Access. This allows the Apache HTTP server to communicate on your private or public networks depending on your network setting. It creates an inbound rule in your firewall to allow incoming traffic on port 80.
Open http://<WINDOWS_IP> in a browser to view the Apache landing page and verify the installation. Also, verify that this URL can be reached from the attacker endpoint.

Configure the Wazuh agent

Perform the steps below to configure the Wazuh agent to monitor Apache web server logs.

Add the following to C:\Program Files (x86)\ossec-agent\ossec.conf to configure the Wazuh agent and monitor the Apache access logs:
```
<localfile>
  <log_format>syslog</log_format>
  <location>C:\Apache24\logs\access.log</location>
</localfile>
```
Restart the Wazuh agent in a PowerShell terminal with administrator privileges to apply the changes:
```
> Restart-Service -Name wazuh
```

Wazuh server

You need to perform the following steps on the Wazuh server to add the IP address of the RHEL endpoint to a CDB list, and then configure rules and Active Response.

Download the utilities and configure the CDB list

Install the wget utility to download the necessary artifacts using the command line interface:
```
$ sudo yum update && sudo yum install -y wget
```

Download the Alienvault IP reputation database:

$ sudo wget https://iplists.firehol.org/files/alienvault_reputation.ipset -O /var/ossec/etc/lists/alienvault_reputation.ipset

Append the IP address of the attacker endpoint to the IP reputation database. Replace <ATTACKER_IP> with the RHEL IP address in the command below:
```
$ sudo echo "<ATTACKER_IP>" >> /var/ossec/etc/lists/alienvault_reputation.ipset
```

Download a script to convert from the .ipset format to the .cdb list format:

$ sudo wget https://wazuh.com/resources/iplist-to-cdblist.py -O /tmp/iplist-to-cdblist.py

Convert the alienvault_reputation.ipset file to a .cdb format using the previously downloaded script:

$ sudo /var/ossec/framework/python/bin/python3 /tmp/iplist-to-cdblist.py /var/ossec/etc/lists/alienvault_reputation.ipset /var/ossec/etc/lists/blacklist-alienvault

Optional: Remove the alienvault_reputation.ipset file and the iplist-to-cdblist.py script, as they are no longer needed:
```
$ sudo rm -rf /var/ossec/etc/lists/alienvault_reputation.ipset
$ sudo rm -rf /tmp/iplist-to-cdblist.py
```

Assign the right permissions and ownership to the generated file:

$ sudo chown wazuh:wazuh /var/ossec/etc/lists/blacklist-alienvault

Configure the Active Response module to block the malicious IP address

Add a custom rule to trigger a Wazuh active response script. Do this in the Wazuh server /var/ossec/etc/rules/local_rules.xml custom ruleset file:

<group name="attack,">
  <rule id="100100" level="10">
    <if_group>web|attack|attacks</if_group>
    <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
    <description>IP address found in AlienVault reputation database.</description>
  </rule>
</group>

Edit the Wazuh server /var/ossec/etc/ossec.conf configuration file and add the etc/lists/blacklist-alienvault list to the <ruleset> section:

<ossec_config>
  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <list>etc/lists/blacklist-alienvault</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

</ossec_config>

Add the Active Response block to the Wazuh server /var/ossec/etc/ossec.conf file:

For the Ubuntu endpoint

The firewall-drop command integrates with the Ubuntu local iptables firewall and drops incoming network connection from the attacker endpoint for 60 seconds:

<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>

For the Windows endpoint

The active response script uses the netsh command to block the attacker's IP address on the Windows endpoint. It runs for 60 seconds:

<ossec_config>
  <active-response>
    <disabled>no</disabled>
    <command>netsh</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

Attack emulation

Access any of the web servers from the RHEL endpoint using the corresponding IP address. Replace <WEBSERVER_IP> with the appropriate value and execute the following command from the attacker endpoint:
```
$ curl http://<WEBSERVER_IP>
```

The attacker endpoint connects to the victim's web servers the first time. After the first connection, the Wazuh Active Response module temporarily blocks any successive connection to the web servers for 60 seconds.

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

Ubuntu - rule.id:(651 OR 100100)
Windows - rule.id:(657 OR 100100)

File integrity monitoring

File Integrity Monitoring (FIM) helps in auditing sensitive files and meeting regulatory compliance requirements. Wazuh has an inbuilt FIM module that monitors file system changes to detect the creation, modification, and deletion of files.

This use case uses the Wazuh FIM module to detect changes in monitored directories on Ubuntu and Windows endpoints. The Wazuh FIM module enriches alert data by fetching information about the user and process that made the changes using who-data audit.

Infrastructure

Endpoint	Description
Ubuntu 22.04	The Wazuh FIM module monitors a directory on this endpoint to detect file creation, changes, and deletion.
Windows 11	The Wazuh FIM module monitors a directory on this endpoint to detect file creation, changes, and deletion.

Configuration

Ubuntu endpoint

Perform the following steps to configure the Wazuh agent to monitor filesystem changes in the /root directory.

Edit the Wazuh agent /var/ossec/etc/ossec.conf configuration file. Add the directories for monitoring within the <syscheck> block. For this use case, you configure Wazuh to monitor the /root directory. To get additional information about the user and process that made the changes, enable who-data audit:
```
<directories check_all="yes" report_changes="yes" realtime="yes">/root</directories>
```
Note

You can also configure any path of your choice in the <directories> block.
Restart the Wazuh agent to apply the configuration changes:
```
$ sudo systemctl restart wazuh-agent
```

Windows endpoint

Take the following steps to configure the Wazuh agent to monitor filesystem changes in the C:\Users\Administrator\Desktop directory.

Edit the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file on the monitored Windows endpoint. Add the directories for monitoring within the <syscheck> block. For this use case, you configure Wazuh to monitor the C:\Users\Administrator\Desktop directory. To get additional information about the user and process that made the changes, enable who-data audit:
```
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\<USER_NAME>\Desktop</directories>
```
Note

You can also configure any path of your choice in the <directories> block.
Restart the Wazuh agent using Powershell with administrator privileges to apply the changes:
```
> Restart-Service -Name wazuh
```

As an alternative to local configurations on the Wazuh agents, you can centrally configure groups of agents.

Test the configuration

Create a text file in the monitored directory then wait for 5 seconds.
Add content to the text file and save it. Wait for 5 seconds.
Delete the text file from the monitored directory.

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the File Integrity Monitoring module and add the filters in the search bar to query the alerts:

Ubuntu - rule.id: is one of 550,553,554
Windows - rule.id: is one of 550,553,554

Detecting a brute-force attack

Brute-forcing is a common attack vector that threat actors use to gain unauthorized access to endpoints and services. Services like SSH on Linux endpoints and RDP on Windows endpoints are usually prone to brute-force attacks. Wazuh identifies brute-force attacks by correlating multiple authentication failure events.

The section on Blocking attacks with Active Response describes how to configure an active response to block the IP address of an attacker. In this use case, we show how Wazuh detects brute-force attacks on RHEL and Windows endpoints.

Infrastructure

Endpoint	Description
Ubuntu 22.04	Attacker endpoint that performs brute-force attacks. It’s required to have an SSH client installed on this endpoint.
RHEL 9.0	Victim endpoint of SSH brute-force attacks. It’s required to have an SSH server installed and enabled on this endpoint.
Windows 11	Victim endpoint of RDP brute-force attacks. It’s required to enable RDP on this endpoint.

Configuration

Perform the following steps to configure the Ubuntu endpoint. This allows performing authentication failure attempts on the monitored RHEL and Windows endpoints.

On the attacker endpoint, install Hydra and use it to execute the brute-force attack:
```
$ sudo apt update
$ sudo apt install -y hydra
```

Attack emulation

Create a text file with 10 random passwords.
Run Hydra from the attacker endpoint to execute brute-force attacks against the RHEL endpoint. To do this, replace <RHEL_IP> with the IP address of the RHEL endpoint and run the command below:
```
$ sudo hydra -l badguy -P <PASSWD_LIST.txt> <RHEL_IP> ssh
```
Run Hydra from the attacker endpoint to execute brute-force attacks against the Windows endpoint. To do this, replace <WINDOWS_IP> with the IP address of the Windows endpoint and run the command below:
```
$ sudo hydra -l badguy -P <PASSWD_LIST.txt> rdp://<WINDOWS_IP>
```

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

Linux - rule.id:(5551 OR 5712). Other related rules are 5710, 5711, 5716, 5720, 5503, 5504.
Windows - rule.id:(60122 OR 60204)

Monitoring Docker events

Docker automates the deployment of different applications inside software containers. The Wazuh module for Docker identifies security incidents across containers and alerts in real-time. In this use case, you configure Wazuh to monitor Docker events on an Ubuntu endpoint hosting Docker containers.

See the Monitoring container activity section of the documentation to learn more about monitoring Docker and the docker-listener module.

Infrastructure

Endpoint	Description
Ubuntu 22.04	This is the Docker host where you create and delete containers.

Configuration

Perform the following steps to install Docker on the Ubuntu endpoint and configure Wazuh to monitor Docker events.

Install Python and pip:
```
# sudo apt install python3 python3-pip
```
Upgrade pip:
```
# pip3 install --upgrade pip
```
Install Docker and Python Docker Library:
$ curl -sSL https://get.docker.com/ | sh $ sudo pip3 install docker==7.1.0 urllib3==1.26.20 requests==2.32.2
$ curl -sSL https://get.docker.com/ | sh $ sudo pip3 install docker==7.1.0 urllib3==1.26.20 requests==2.32.2 --break-system-packages
Note

This command modifies the default externally managed Python environment. See the PEP 668 description for more information.

To prevent the modification, you can run pip3 install --upgrade pip within a virtual environment. You must update the docker /var/ossec/wodles/docker/DockerListener script shebang with your virtual environment interpreter. For example: #!</path/to/your/virtual/environment>/bin/python3.

Edit the Wazuh agent configuration file /var/ossec/etc/ossec.conf and add this block to enable the docker-listener module:

<ossec_config>
  <wodle name="docker-listener">
    <interval>10m</interval>
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
    <disabled>no</disabled>
  </wodle>
</ossec_config>

Restart the Wazuh agent to apply the changes:
```
$ sudo systemctl restart wazuh-agent
```

Test the configuration

Perform several Docker activities like pulling a Docker image, starting an instance, running some other Docker commands, and then deleting the container.

Pull an image, such as the NGINX image, and run a container:

$ sudo docker pull nginx
$ sudo docker run -d -P --name nginx_container nginx
$ sudo docker exec -it nginx_container cat /etc/passwd
$ sudo docker exec -it nginx_container /bin/bash
$ exit

Stop and remove the container:

$ sudo docker stop nginx_container
$ sudo docker rm nginx_container

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to Docker.

Troubleshooting

Error log:

wazuh-modulesd:docker-listener: ERROR: /usr/bin/env: ‘python’: No such file or directory

Location: Wazuh agent log - /var/ossec/logs/ossec.log

Resolution: You can create a symbolic link to solve this:

$ sudo ln -s /usr/bin/python3 /usr/bin/python

Monitoring AWS infrastructure

This use case shows how the Wazuh module for AWS (aws-s3) enables the log data collection from different AWS sources.

To learn more about monitoring AWS resources, see the Using Wazuh to monitor AWS section of the documentation.

Infrastructure

Cloud service	Description
Amazon CloudTrail	AWS Cloudtrail, like all other supported AWS services, requires setting the necessary policies for user permissions and providing a valid authentication method. In this PoC, we use the profile authentication method.

Configuration

Take the following steps to configure Wazuh to monitor Amazon CloudTrail services and identify security incidents.

CloudTrail

Access the CloudTrail service using the AWS console.
Create a new trail.
Choose between creating a new S3 bucket or specifying an existing one to store CloudTrail logs. Note down the name of the S3 bucket used as it’s necessary to specify it in the Wazuh configuration.

The image below shows how to create a new CloudTrail service and attach a new S3 bucket.

Wazuh server

Enable the Wazuh AWS module in the /var/ossec/etc/ossec.conf configuration file on the Wazuh server. Add only the AWS buckets of interest. Read our guide on how to Configure AWS credentials:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>30m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>no</skip_on_error>

  <bucket type="cloudtrail">
    <name><AWS_BUCKET_NAME></name>
    <aws_profile><AWS_PROFILE_NAME></aws_profile>
  </bucket>
</wodle>

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

Test the configuration

Once you configure Cloudtrail, you can generate events by simply creating a new IAM user account using the IAM service. This generates an event that Wazuh processes.

The Wazuh default ruleset parses AWS logs and generates alerts automatically. The alerts appear as soon as Wazuh receives the logs from the AWS S3 bucket.

You can also find additional CloudTrail use cases in our documentation.

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, navigate through Amazon Web Services module.

Detecting unauthorized processes

The Wazuh command monitoring capability runs commands on an endpoint and monitors the output of the commands.

In this use case, you use the Wazuh command monitoring capability to detect when Netcat is running on an Ubuntu endpoint. Netcat is a computer networking utility used for port scanning and port listening.

Infrastructure

Endpoint	Description
Ubuntu 22.04	You configure the Wazuh command monitoring module on this endpoint to detect a running Netcat process.

Configuration

Ubuntu endpoint

Take the following steps to configure command monitoring and query a list of all running processes on the Ubuntu endpoint.

Add the following configuration block to the Wazuh agent /var/ossec/etc/ossec.conf file. This allows to periodically get a list of running processes:

<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <alias>process list</alias>
    <command>ps -e -o pid,uname,command</command>
    <frequency>30</frequency>
  </localfile>
</ossec_config>

Restart the Wazuh agent to apply the changes:
```
$ sudo systemctl restart wazuh-agent
```
Install Netcat and the required dependencies:
```
$ sudo apt install ncat nmap -y
```

Wazuh server

You have to configure the following steps on the Wazuh server to create a rule that triggers every time the Netcat program launches.

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="ossec,">
  <rule id="100050" level="0">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'process list'</match>
    <description>List of running processes.</description>
    <group>process_monitor,</group>
  </rule>

  <rule id="100051" level="7" ignore="900">
    <if_sid>100050</if_sid>
    <match>nc -l</match>
    <description>netcat listening for incoming connections.</description>
    <group>process_monitor,</group>
  </rule>
</group>

Restart the Wazuh manager to apply the changes:
```
$ sudo systemctl restart wazuh-manager
```

Attack emulation

On the monitored Ubuntu endpoint, run nc -l 8000 for 30 seconds.

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

rule.id:(100051)

Network IDS integration

Wazuh integrates with a network-based intrusion detection system (NIDS) to enhance threat detection by monitoring and analyzing network traffic.

In this use case, we demonstrate how to integrate Suricata with Wazuh. Suricata can provide additional insights into your network's security with its network traffic inspection capabilities.

Infrastructure

Endpoint	Description
Ubuntu 22.04	This is the endpoint where you install Suricata. In this use case, Wazuh monitors and analyzes the network traffic generated on this endpoint.

Configuration

Take the following steps to configure Suricata on the Ubuntu endpoint and send the generated logs to the Wazuh server.

Install Suricata on the Ubuntu endpoint. We tested this process with version 6.0.8 and it can take some time:

$ sudo add-apt-repository ppa:oisf/suricata-stable
$ sudo apt-get update
$ sudo apt-get install suricata -y

Download and extract the Emerging Threats Suricata ruleset:

$ cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz
$ sudo tar -xvzf emerging.rules.tar.gz && sudo mkdir /etc/suricata/rules && sudo mv rules/*.rules /etc/suricata/rules/
$ sudo chmod 777 /etc/suricata/rules/*.rules

Modify Suricata settings in the /etc/suricata/suricata.yaml file and set the following variables:

HOME_NET: "<UBUNTU_IP>"
EXTERNAL_NET: "any"

default-rule-path: /etc/suricata/rules
rule-files:
- "*.rules"

# Global stats configuration
stats:
enabled: yes

# Linux high speed capture support
af-packet:
  - interface: enp0s3

interface represents the network interface you want to monitor. Replace the value with the interface name of the Ubuntu endpoint. For example, enp0s3.

# ifconfig

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::9ba2:9de3:57ad:64e5  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:14:65:bd  txqueuelen 1000  (Ethernet)
        RX packets 6704315  bytes 1268472541 (1.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4590192  bytes 569730548 (543.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Restart the Suricata service:
```
$ sudo systemctl restart suricata
```

Add the following configuration to the /var/ossec/etc/ossec.conf file of the Wazuh agent. This allows the Wazuh agent to read the Suricata logs file:

<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>

Restart the Wazuh agent to apply the changes:
```
$ sudo systemctl restart wazuh-agent
```

Attack emulation

Wazuh automatically parses data from /var/log/suricata/eve.json and generates related alerts on the Wazuh dashboard.

Ping the Ubuntu endpoint IP address from the Wazuh server:

$ ping -c 20 "<UBUNTU_IP>"

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

rule.groups:suricata

Troubleshooting

Error log:

16/9/2022 -- 12:32:16 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
16/9/2022 -- 12:32:16 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
16/9/2022 -- 12:32:16 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
16/9/2022 -- 12:32:16 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed

Location: Suricata log - /var/log/suricata/suricata.log

Resolution: To solve this issue, check the name of your network interface and configure it accordingly in the /etc/sysconfig/suricata and /etc/suricata/suricata.yaml files.

Detecting an SQL injection attack

You can use Wazuh to detect SQL injection attacks from web server logs that contain patterns like select, union, and other common SQL injection patterns.

SQL injection is an attack in which a threat actor inserts malicious code into strings transmitted to a database server for parsing and execution. A successful SQL injection attack gives unauthorized access to confidential information contained in the database.

In this use case, you simulate an SQL injection attack against an Ubuntu endpoint and detect it with Wazuh.

Infrastructure

Endpoint	Description
Ubuntu 22.04	Victim endpoint running an Apache 2.4.54 web server.
RHEL 9.0	Attacker endpoint that launches the SQL injection attack.

Configuration

Ubuntu endpoint

Perform the following steps to install Apache and configure the Wazuh agent to monitor the Apache logs.

Update the local packages and install the Apache web server:
```
$ sudo apt update
$ sudo apt install apache2
```
If the firewall is enabled, modify it to allow external access to web ports. Skip this step if the firewall is disabled.
```
$ sudo ufw app list
$ sudo ufw allow 'Apache'
$ sudo ufw status
```
Check the status of the Apache service to verify that the web server is running:
```
$ sudo systemctl status apache2
```
Use the curl command or open http://<UBUNTU_IP> in a browser to view the Apache landing page and verify the installation:
```
$ curl http://<UBUNTU_IP>
```

Add the following lines to the Wazuh agent /var/ossec/etc/ossec.conf file. This allows the Wazuh agent to monitor the access logs of your Apache server:

<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>

Restart the Wazuh agent to apply the configuration changes:
```
$ sudo systemctl restart wazuh-agent
```

Attack emulation

Replace <UBUNTU_IP> with the appropriate IP address and execute the following command from the attacker endpoint:

$ curl -XGET "http://<UBUNTU_IP>/users/?id=SELECT+*+FROM+users";

The expected result here is an alert with rule ID 31103 but a successful SQL injection attempt generates an alert with rule ID 31106.

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

rule.id:31103
rule.id:31106

Detecting suspicious binaries

Wazuh has anomaly and malware detection capabilities that detect suspicious binaries on an endpoint. Binaries are executable code written to perform automated tasks. Malicious actors use them mostly to carry out exploitation to avoid being detected.

In this use case, we demonstrate how the Wazuh rootcheck module can detect a trojan system binary on an Ubuntu endpoint. You perform the exploit by replacing the content of a legitimate binary with malicious code to trick the endpoint into running it as the legitimate binary.

The Wazuh rootcheck module also checks for hidden processes, ports, and files.

Infrastructure

Endpoint	Description
Ubuntu 22.04	The Wazuh rootcheck module detects the execution of a suspicious binary on this endpoint.

Configuration

Take the following steps on the Ubuntu endpoint to enable the Wazuh rootcheck module and perform anomaly and malware detection.

By default, the Wazuh rootcheck module is enabled in the Wazuh agent configuration file. Check the <rootcheck> block in the /var/ossec/etc/ossec.conf configuration file of the monitored endpoint and make sure that it has the configuration below:

<rootcheck>
    <disabled>no</disabled>

    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>
    <skip_nfs>yes</skip_nfs>
</rootcheck>

The rootcheck section explains the options in the rootcheck module.

Attack emulation

Create a copy of the original system binary:

$ sudo cp -p /usr/bin/w /usr/bin/w.copy

Replace the original system binary /usr/bin/w with the following shell script:

$ sudo tee /usr/bin/w << EOF
#!/bin/bash
echo "`date` this is evil" > /tmp/trojan_created_file
echo 'test for /usr/bin/w trojaned file' >> /tmp/trojan_created_file
#Now running original binary
/usr/bin/w.copy
EOF

The rootcheck scan runs every 12 hours by default. Force a scan by restarting the Wazuh agent to see the relevant alert:
```
$ sudo systemctl restart wazuh-agent
```

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

location:rootcheck AND rule.id:510 AND data.title:Trojaned version of file detected.
Additionally, using the Filter by type search field, apply the full_log filter.

Detecting and removing malware using VirusTotal integration

Wazuh uses the integrator module to connect to external APIs and alerting tools such as VirusTotal.

In this use case, you use the Wazuh File Integrity Monitoring (FIM) module to monitor a directory for changes and the VirusTotal API to scan the files in the directory. Then, configure Wazuh to trigger an active response script and remove files that VirusTotal detects as malicious. We test this use case on Ubuntu and Windows endpoints.

You need a VirusTotal API key in this use case to authenticate Wazuh to the VirusTotal API.

For more information on this integration, check the VirusTotal integration section of the documentation.

Infrastructure

Endpoint	Description
Ubuntu 22.04	This is the Linux endpoint where you download a malicious file. Wazuh triggers an active response script to remove the file once VirusTotal flags it as malicious.
Windows 11	This is the Windows endpoint where you download a malicious file. Wazuh triggers an active response script to remove the file once VirusTotal flags it as malicious.

Configuration for the Ubuntu endpoint

Configure your environment as follows to test the use case for the Ubuntu endpoint. These steps work for other Linux distributions as well.

Ubuntu endpoint

Perform the following steps to configure Wazuh to monitor near real-time changes in the /root directory of the Ubuntu endpoint. These steps also install the necessary packages and create the active response script that removes malicious files.

Search for the <syscheck> block in the Wazuh agent configuration file /var/ossec/etc/ossec.conf. Make sure that <disabled> is set to no. This enables the Wazuh FIM to monitor for directory changes.
Add an entry within the <syscheck> block to configure a directory to be monitored in near real-time. In this case, you are monitoring the /root directory:
```
<directories realtime="yes">/root</directories>
```
Install jq, a utility that processes JSON input from the active response script.
```
$ sudo apt update
$ sudo apt -y install jq
```

Create the /var/ossec/active-response/bin/remove-threat.sh active response script to remove malicious files from the endpoint:

#!/bin/bash

LOCAL=`dirname $0`;
cd $LOCAL
cd ../

PWD=`pwd`

read INPUT_JSON
FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.data.virustotal.source.file)
COMMAND=$(echo $INPUT_JSON | jq -r .command)
LOG_FILE="${PWD}/../logs/active-responses.log"

#------------------------ Analyze command -------------------------#
if [ ${COMMAND} = "add" ]
then
 # Send control message to execd
 printf '{"version":1,"origin":{"name":"remove-threat","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'

 read RESPONSE
 COMMAND2=$(echo $RESPONSE | jq -r .command)
 if [ ${COMMAND2} != "continue" ]
 then
  echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Remove threat active response aborted" >> ${LOG_FILE}
  exit 0;
 fi
fi

# Removing file
rm -f $FILENAME
if [ $? -eq 0 ]; then
 echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Successfully removed threat" >> ${LOG_FILE}
else
 echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Error removing threat" >> ${LOG_FILE}
fi

exit 0;

Change the /var/ossec/active-response/bin/remove-threat.sh file ownership, and permissions:

$ sudo chmod 750 /var/ossec/active-response/bin/remove-threat.sh
$ sudo chown root:wazuh /var/ossec/active-response/bin/remove-threat.sh

Restart the Wazuh agent to apply the changes:
```
$ sudo systemctl restart wazuh-agent
```

Wazuh server

Perform the following steps on the Wazuh server to alert for changes in the endpoint directory and enable the VirusTotal integration. These steps also enable and trigger the active response script whenever a suspicious file is detected.

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server. These rules alert about changes in the /root directory that are detected by FIM scans:

<group name="syscheck,pci_dss_11.5,nist_800_53_SI.7,">
    <!-- Rules for Linux systems -->
    <rule id="100200" level="7">
        <if_sid>550</if_sid>
        <field name="file">/root</field>
        <description>File modified in /root directory.</description>
    </rule>
    <rule id="100201" level="7">
        <if_sid>554</if_sid>
        <field name="file">/root</field>
        <description>File added to /root directory.</description>
    </rule>
</group>

Add the following configuration to the Wazuh server /var/ossec/etc/ossec.conf file to enable the Virustotal integration. Replace <YOUR_VIRUS_TOTAL_API_KEY> with your VirusTotal API key. This allows to trigger a VirusTotal query whenever any of the rules 100200 and 100201 are triggered:
```
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><YOUR_VIRUS_TOTAL_API_KEY></api_key> 
    <rule_id>100200,100201</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
```
Note

The free VirusTotal API rate limits requests to four per minute. If you have a premium VirusTotal API key, with a high frequency of queries allowed, you can add more rules besides these two. You can also configure Wazuh to monitor more directories.

Append the following blocks to the Wazuh server /var/ossec/etc/ossec.conf file. This enables Active Response and triggers the remove-threat.sh script when VirusTotal flags a file as malicious:

<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>

Add the following rules to the Wazuh server /var/ossec/etc/rules/local_rules.xml file to alert about the Active Response results:

<group name="virustotal,">
  <rule id="100092" level="12">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>

  <rule id="100093" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>

Restart the Wazuh manager to apply the configuration changes:
```
$ sudo systemctl restart wazuh-manager
```

Attack emulation

Download an EICAR test file to the /root directory on the Ubuntu endpoint:

$ sudo curl -Lo /root/eicar.com https://secure.eicar.org/eicar.com && sudo ls -lah /root/eicar.com

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

Linux - rule.id: is one of 553,100092,87105,100201

Configuration for the Windows endpoint

Windows endpoint

Perform the following steps to configure Wazuh to monitor near real-time changes in the /Downloads directory. These steps also install the necessary packages and create the active response script to remove malicious files.

Search for the <syscheck> block in the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file. Make sure that <disabled> is set to no. This enables the Wazuh FIM module to monitor for directory changes.
Add an entry within the <syscheck> block to configure a directory to be monitored in near real-time. In this use case, you configure Wazuh to monitor the C:\Users\<USER_NAME>\Downloads directory. Replace the <USER_NAME> variable with the appropriate user name:
```
<directories realtime="yes">C:\Users\<USER_NAME>\Downloads</directories>
```
Download the Python executable installer from the official Python website.
Run the Python installer once downloaded. Make sure to check the following boxes:
- Install launcher for all users
- Add Python 3.X to PATH (This places the interpreter in the execution path)
Once Python completes the installation process, open an administrator PowerShell terminal and use pip to install PyInstaller:
```
> pip install pyinstaller
> pyinstaller --version
```
You use Pyinstaller here to convert the active response Python script into an executable application that can run on a Windows endpoint.

Create an active response script remove-threat.py to remove a file from the Windows endpoint:

Warning

This script is a proof of concept (PoC). Review and validate it to ensure it meets the operational and security requirements of your environment.

# Copyright (C) 2015-2025, Wazuh Inc.
# All rights reserved.

import os
import sys
import json
import datetime
import stat
import tempfile
import pathlib

if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1

class message:
    def __init__(self):
        self.alert = ""
        self.command = 0

def write_debug_file(ar_name, msg):
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg +"\n")

def setup_and_check_message(argv):
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break

    msg_obj = message()
    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        msg_obj.command = OS_INVALID
        return msg_obj

    msg_obj.alert = data
    command = data.get("command")

    if command == "add":
        msg_obj.command = ADD_COMMAND
    elif command == "delete":
        msg_obj.command = DELETE_COMMAND
    else:
        msg_obj.command = OS_INVALID
        write_debug_file(argv[0], 'Not valid command: ' + command)

    return msg_obj

def send_keys_and_check_message(argv, keys):
    keys_msg = json.dumps({"version": 1,"origin":{"name": argv[0],"module":"active-response"},"command":"check_keys","parameters":{"keys":keys}})
    write_debug_file(argv[0], keys_msg)

    print(keys_msg)
    sys.stdout.flush()

    input_str = ""
    while True:
        line = sys.stdin.readline()
        if line:
            input_str = line
            break

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return OS_INVALID

    action = data.get("command")
    if action == "continue":
        return CONTINUE_COMMAND
    elif action == "abort":
        return ABORT_COMMAND
    else:
        write_debug_file(argv[0], "Invalid value of 'command'")
        return OS_INVALID

def secure_delete_file(filepath_str, ar_name):
    filepath = pathlib.Path(filepath_str)

    # Reject NTFS alternate data streams
    if '::' in filepath_str:
        raise Exception(f"Refusing to delete ADS or NTFS stream: {filepath_str}")

    # Reject symbolic links and reparse points
    if os.path.islink(filepath):
        raise Exception(f"Refusing to delete symbolic link: {filepath}")

    attrs = os.lstat(filepath).st_file_attributes
    if attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT:
        raise Exception(f"Refusing to delete reparse point: {filepath}")

    resolved_filepath = filepath.resolve()

    # Ensure it's a regular file
    if not resolved_filepath.is_file():
        raise Exception(f"Target is not a regular file: {resolved_filepath}")

  # Perform deletion
    os.remove(resolved_filepath)

def main(argv):
    write_debug_file(argv[0], "Started")
    msg = setup_and_check_message(argv)

    if msg.command < 0:
        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)

        if action != CONTINUE_COMMAND:
            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        try:
            file_path = alert["data"]["virustotal"]["source"]["file"]
            if os.path.exists(file_path):
                secure_delete_file(file_path, argv[0])
                write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
            else:
                write_debug_file(argv[0], f"File does not exist: {file_path}")
        except OSError as error:
            write_debug_file(argv[0], json.dumps(msg.alert) + "Error removing threat")
        except Exception as e:
            write_debug_file(argv[0], f"{json.dumps(msg.alert)}: Error removing threat: {str(e)}")
    else:
        write_debug_file(argv[0], "Invalid command")

    write_debug_file(argv[0], "Ended")
    sys.exit(OS_SUCCESS)

if __name__ == "__main__":
    main(sys.argv)

Convert the active response Python script remove-threat.py to a Windows executable application. Run the following PowerShell command as an administrator to create the executable:
```
> pyinstaller -F \path_to_remove-threat.py
```
Take note of the path where pyinstaller created remove-threat.exe.
Move the executable file remove-threat.exe to the C:\Program Files (x86)\ossec-agent\active-response\bin directory.
Restart the Wazuh agent to apply the changes. Run the following PowerShell command as an administrator:
```
> Restart-Service -Name wazuh
```

Wazuh server

Perform the following steps on the Wazuh server to configure the VirusTotal integration. These steps also enable and trigger the active response script whenever a suspicious file is detected.

Add the following configuration to the /var/ossec/etc/ossec.conf file on the Wazuh server to enable the VirusTotal integration. Replace <YOUR_VIRUS_TOTAL_API_KEY> with your VirusTotal API key. This allows to trigger a VirusTotal query whenever any of the rules in the FIM syscheck group are triggered:
```
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><YOUR_VIRUS_TOTAL_API_KEY></api_key> 
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
```
Note

The free VirusTotal API rate limits requests to four per minute. If you have a premium VirusTotal API key, with a high frequency of queries allowed, you can add more rules besides these two. You can configure Wazuh to monitor more directories besides C:\Users\<USER_NAME>\Downloads.

Append the following blocks to the Wazuh server /var/ossec/etc/ossec.conf file. This enables Active Response and trigger the remove-threat.exe executable when the VirusTotal query returns positive matches for threats:

<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>

Add the following rules to the Wazuh server /var/ossec/etc/rules/local_rules.xml file to alert about the Active Response results.

<group name="virustotal,">
  <rule id="100092" level="12">
      <if_sid>657</if_sid>
      <match>Successfully removed threat</match>
      <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>

  <rule id="100093" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>

Restart the Wazuh manager to apply the configuration changes:
```
$ sudo systemctl restart wazuh-manager
```

Attack emulation

Follow the next steps to temporarily turn off real-time Microsoft Defender antivirus protection in Windows Security:
1. Click on the Start menu and type Windows Security to search for that app.
2. Select the Windows Security app from results, go to Virus & threat protection, and under Virus & threat protection settings select Manage settings.
3. Switch Real-time protection to Off.
Download an EICAR test file to the C:\Users\<USER_NAME>\Downloads directory on the Windows endpoint.
```
> Invoke-WebRequest -Uri https://secure.eicar.org/eicar.com.txt -OutFile eicar.txt
> cp .\eicar.txt C:\Users\<USER_NAME>\Downloads
```
This triggers a VirusTotal query and generates an alert. In addition, the active response script automatically removes the file.

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

Windows - rule.id: is one of 554,100092,553,87105

Vulnerability detection

Wazuh uses the Vulnerability Detection module to identify vulnerabilities in applications and operating systems running on monitored endpoints.

This use case shows how Wazuh detects unpatched Common Vulnerabilities and Exposures (CVEs) in the monitored endpoint.

For more information on this capability, check the Vulnerability detection section of the Wazuh documentation.

Infrastructure

Endpoint	Description
Red Hat Enterprise Linux 7	The Wazuh Vulnerability Detection module scans this Linux endpoint for vulnerabilities in the operating system and installed applications.

Note

Vulnerabilities tagged with the description unimportant will not appear on the Wazuh dashboard. Visit the Wazuh CTI page for more information. The Compatibility matrix shows the operating systems officially supported by the Vulnerability Detection module.

Configuration

The Wazuh Vulnerability Detection module is enabled by default and it generates alerts when new vulnerabilities are detected or when existing vulnerabilities are resolved through package updates, removal, or system upgrades.

Wazuh Server

Perform the following steps on the Wazuh server to confirm that the Wazuh Vulnerability Detection module is enabled and properly configured.

Open the Wazuh configuration /var/ossec/etc/ossec.conf and check the following settings.
- Vulnerability detection is enabled:
```
<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
```
- The Wazuh indexer connection is properly configured.
  
  By default, the indexer settings have one host configured. It's set to 0.0.0.0 as highlighted below.
```
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
```
  - Replace 0.0.0.0 with your Wazuh indexer node IP address or hostname. You can find this value in the Filebeat config file /etc/filebeat/filebeat.yml.
  - Ensure the Filebeat certificate and key name match the certificate files in /etc/filebeat/certs.
  If you are running a Wazuh indexer cluster infrastructure, add a <host> entry for each one of your nodes. For example, in a two-node configuration:
```
<hosts>
  <host>https://10.0.0.1:9200</host>
  <host>https://10.0.0.2:9200</host>
</hosts>
```
  The Wazuh server prioritizes reporting to the first Wazuh indexer node in the list. It switches to the next node in case it is not available.
Restart the Wazuh manager if you made changes to the configuration:
```
$ sudo systemctl restart wazuh-manager
```

Test the configuration

Note

The time it takes to detect vulnerabilities depends on the <interval> value in the Syscollector module, configured in the /var/ossec/etc/ossec.conf file on the Wazuh agent. For this test, we reduce the Syscollector module interval time from 1h to 10m. Refer to System inventory capability configuration for more information.

Install Vim version 2:7.4.629-8 which is known to be vulnerable, on the RHEL 7 endpoint. Wait approximately 10 minutes (or the duration set in your Syscollector <interval>) for a new scan to run and the vulnerability to be detected.
Remove the Vim package to fix the vulnerability. Wait 10 minutes for the syscollector to run a new scan to confirm the vulnerability has been cleared.

Visualize the vulnerabilities

You can visualize the detected vulnerabilities on the Wazuh dashboard. To see a list of active vulnerabilities, perform the following on the Wazuh dashboard:

Go to Vulnerability Detection and select Inventory.
Click + Add filter. Then filter by package.name.
In the Operator field, select is.
Search and select vim in the Values field.

To see vulnerability alerts from the last system inventory scan, switch to the Events tab. Add filters in the search bar to query vulnerability alerts for Vim.

Note

Not all vulnerabilities added to or removed from the inventory generate alerts. This depends on the event source. See Alert generation for more details.

Upon installation of the vulnerable Vim package, the active vulnerability alerts can be seen on the Wazuh dashboard by changing the filter to data.vulnerability.package.name: vim AND data.vulnerability.status:Active

After removing the vulnerable package from the endpoint, to view the resolved vulnerability alerts, simply change the filter values to data.vulnerability.package.name: vim AND data.vulnerability.status:Solved

Detecting malware using YARA integration

You can use the YARA integration with Wazuh to scan files added or modified on an endpoint for malware. YARA is a tool to detect and classify malware artifacts.

In this use case, we demonstrate how to configure YARA with Wazuh to detect malware on Linux and Windows endpoints.

To learn more about this integration with Wazuh, see the How to integrate Wazuh with YARA section of the documentation.

Infrastructure

Endpoint	Description
Ubuntu 22.04 / RHEL 9.0	The YARA Active Response module scans new or modified files whenever the Wazuh FIM module triggers an alert.
Windows 11	The YARA Active Response module scans new or modified files whenever the Wazuh FIM module triggers an alert.

Configuration for Linux

Linux endpoint

Perform the following steps to install YARA, and configure the Active Response and FIM modules.

Download, compile and install YARA:

Ubuntu

$ sudo apt update
$ sudo apt install -y make gcc autoconf libtool libssl-dev pkg-config jq
$ sudo curl -LO https://github.com/VirusTotal/yara/archive/v4.5.5.tar.gz
$ sudo tar -xvzf v4.5.5.tar.gz -C /usr/local/bin/ && rm -f v4.5.5.tar.gz
$ cd /usr/local/bin/yara-4.5.5/
$ sudo ./bootstrap.sh && sudo ./configure && sudo make && sudo make install && sudo make check

RHEL

$ sudo yum makecache
$ sudo yum install epel-release
$ sudo yum update
$ sudo yum install -y make automake gcc autoconf libtool openssl-devel pkg-config jq
$ sudo curl -LO https://github.com/VirusTotal/yara/archive/v4.5.5.tar.gz
$ sudo tar -xvzf v4.5.5.tar.gz -C /usr/local/bin/ && rm -f v4.5.5.tar.gz
$ cd /usr/local/bin/yara-4.5.5/
$ sudo ./bootstrap.sh && sudo ./configure && sudo make && sudo make install && sudo make check

Test that YARA is running properly:

$ yara

yara: wrong number of arguments
Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

Try `--help` for more options

If the error message below is displayed:

/usr/local/bin/yara: error while loading shared libraries: libyara.so.9: cannot open shared object file: No such file or directory.

This means that the loader doesn’t find the libyara library usually located in /usr/local/lib. Add the /usr/local/lib path to the /etc/ld.so.conf loader configuration file to solve this:

$ sudo su
# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig

Switch back to the previous user.

Download YARA detection rules:

$ sudo mkdir -p /tmp/yara/rules
$ sudo curl 'https://valhalla.nextron-systems.com/api/v1/get' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' \
--compressed \
-H 'Referer: https://valhalla.nextron-systems.com/' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' \
--data 'demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text' \
-o /tmp/yara/rules/yara_rules.yar

Create a yara.sh script in the /var/ossec/active-response/bin/ directory. This is necessary for the Wazuh-YARA Active Response scans:

#!/bin/bash
# Wazuh - Yara active response
# Copyright (C) 2015-2022, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.


#------------------------- Gather parameters -------------------------#

# Extra arguments
read INPUT_JSON
YARA_PATH=$(echo $INPUT_JSON | jq -r .parameters.extra_args[1])
YARA_RULES=$(echo $INPUT_JSON | jq -r .parameters.extra_args[3])
FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.syscheck.path)

# Set LOG_FILE path
LOG_FILE="logs/active-responses.log"

size=0
actual_size=$(stat -c %s ${FILENAME})
while [ ${size} -ne ${actual_size} ]; do
    sleep 1
    size=${actual_size}
    actual_size=$(stat -c %s ${FILENAME})
done

#----------------------- Analyze parameters -----------------------#

if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
then
    echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> ${LOG_FILE}
    exit 1
fi

#------------------------- Main workflow --------------------------#

# Execute Yara scan on the specified filename
yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"

if [[ $yara_output != "" ]]
then
    # Iterate every detected rule and append it to the LOG_FILE
    while read -r line; do
        echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE}
    done <<< "$yara_output"
fi

exit 0;

Change yara.sh file owner to root:wazuh and file permissions to 0750:

$ sudo chown root:wazuh /var/ossec/active-response/bin/yara.sh
$ sudo chmod 750 /var/ossec/active-response/bin/yara.sh

Add the following within the <syscheck> block of the Wazuh agent /var/ossec/etc/ossec.conf configuration file to monitor the /tmp/yara/malware directory:
```
<directories realtime="yes">/tmp/yara/malware</directories>
```
Restart the Wazuh agent to apply the configuration changes:
```
$ sudo systemctl restart wazuh-agent
```

Wazuh server

Perform the following steps to configure Wazuh to alert for file changes in the endpoint monitored directory. The steps also configure an active response script to trigger whenever a suspicious file is detected.

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file. The rules detect FIM events in the monitored directory. They also alert when the YARA integration finds malware. You can modify the rules to detect events from other directories:

<group name="syscheck,">
  <rule id="100300" level="7">
    <if_sid>550</if_sid>
    <field name="file">/tmp/yara/malware/</field>
    <description>File modified in /tmp/yara/malware/ directory.</description>
  </rule>
  <rule id="100301" level="7">
    <if_sid>554</if_sid>
    <field name="file">/tmp/yara/malware/</field>
    <description>File added to /tmp/yara/malware/ directory.</description>
  </rule>
</group>

<group name="yara,">
  <rule id="108000" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>
  <rule id="108001" level="12">
    <if_sid>108000</if_sid>
    <match>wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>
</group>

Add the following decoders to the Wazuh server /var/ossec/etc/decoders/local_decoder.xml file. This allows extracting the information from YARA scan results:

<decoder name="yara_decoder">
  <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

Add the following configuration to the Wazuh server /var/ossec/etc/ossec.conf configuration file. This configures the Active Response module to trigger after the rule 100300 and 100301 are fired:

<ossec_config>
  <command>
    <name>yara_linux</name>
    <executable>yara.sh</executable>
    <extra_args>-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/yara_rules.yar</extra_args>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>yara_linux</command>
    <location>local</location>
    <rules_id>100300,100301</rules_id>
  </active-response>
</ossec_config>

Restart the Wazuh manager to apply the configuration changes:
```
$ sudo systemctl restart wazuh-manager
```

Attack emulation

Create the directory /tmp/yara/malware:
```
$ sudo mkdir /tmp/yara/malware
```

Create the script /tmp/yara/malware/malware_downloader.sh on the monitored endpoint to download malware samples:

#!/bin/bash
# Wazuh - Malware Downloader for test purposes
# Copyright (C) 2015-2022, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.

function fetch_sample(){

  curl -s -XGET "$1" -o "$2"

}

echo "WARNING: Downloading Malware samples, please use this script with  caution."
read -p "  Do you want to continue? (y/n)" -n 1 -r ANSWER
echo

if [[ $ANSWER =~ ^[Yy]$ ]]
then
    echo
    # Mirai
    echo "# Mirai: https://en.wikipedia.org/wiki/Mirai_(malware)"
    echo "Downloading malware sample..."
    fetch_sample "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/mirai" "/tmp/yara/malware/mirai" && echo "Done!" || echo "Error while downloading."
    echo

    # Xbash
    echo "# Xbash: https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
    echo "Downloading malware sample..."
    fetch_sample "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/xbash" "/tmp/yara/malware/xbash" && echo "Done!" || echo "Error while downloading."
    echo

    # VPNFilter
    echo "# VPNFilter: https://news.sophos.com/en-us/2018/05/24/vpnfilter-botnet-a-sophoslabs-analysis/"
    echo "Downloading malware sample..."
    fetch_sample "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/vpn_filter" "/tmp/yara/malware/vpn_filter" && echo "Done!" || echo "Error while downloading."
    echo

    # Webshell
    echo "# WebShell: https://github.com/SecWiki/WebShell-2/blob/master/Php/Worse%20Linux%20Shell.php"
    echo "Downloading malware sample..."
    fetch_sample "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/webshell" "/tmp/yara/malware/webshell" && echo "Done!" || echo "Error while downloading."
    echo
fi

Run the malware_downloader.sh script to download malware samples to the /tmp/yara/malware directory:
```
$ sudo bash /tmp/yara/malware/malware_downloader.sh
```

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

rule.groups:yara

Configuration for Windows

Windows endpoint

Configure Python and YARA

Perform the following steps to install Python, YARA, and download YARA rules.

Download Python executable installer from the official Python website.
Run the Python installer once downloaded and make sure to check the following boxes:
- Install launcher for all users
- Add Python 3.X to PATH. This places the interpreter in the execution path.
Download and install the latest Visual C++ Redistributable package.

Open PowerShell with administrator privileges to download and extract YARA:

> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.5/yara-4.5.5-2368-win64.zip -OutFile v4.5.5-win64.zip
> Expand-Archive v4.5.5-win64.zip; Remove-Item v4.5.5-win64.zip

Create a directory called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA executable into it:

> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\yara-v4.5.5-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

Install the valhallaAPI module:
```
> pip install valhallaAPI
```

Copy the following script and save it as download_yara_rules.py:

from valhallaAPI.valhalla import ValhallaAPI

v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()

with open('yara_rules.yar', 'w') as fh:
    fh.write(response)

Run the following commands to download the rules and place them in the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ directory:

> python.exe download_yara_rules.py
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

Configure Active Response and FIM

Perform the steps below to configure the Wazuh FIM and an active response script for the detection of malicious files on the endpoint.

Create the yara.bat script in the C:\Program Files (x86)\ossec-agent\active-response\bin\ directory. This is necessary for the Wazuh-YARA Active Response scans:

@echo off

setlocal enableDelayedExpansion

reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT


if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)

if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)

set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)


set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%

for /F "tokens=* USEBACKQ" %%F in (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) do (
set syscheck_file_path=%%F
)

del /f %json_file_path%
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
echo %syscheck_file_path% >> %log_file_path%
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
)

exit /b

Add the C:\Users\<USER_NAME>\Downloads directory for monitoring within the <syscheck> block in the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf. Replace <USER_NAME> with the username of the endpoint:
```
<directories realtime="yes">C:\Users\<USER_NAME>\Downloads</directories>
```
Restart the Wazuh agent to apply the configuration changes:
```
> Restart-Service -Name wazuh
```

Wazuh server

Perform the following steps on the Wazuh server. This allows alerting for changes in the endpoint monitored directory and configuring an active response script to trigger whenever it detects a suspicious file.

Add the following decoders to the Wazuh server /var/ossec/etc/decoders/local_decoder.xml file. This allows extracting the information from YARA scan results:

<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

Add the following rules to the Wazuh server /var/ossec/etc/rules/local_rules.xml file. The rules detect FIM events in the monitored directory. They also alert when malware is found by the YARA integration. Replace <USER_NAME> with the username of the endpoint.

<group name="syscheck,">
  <rule id="100303" level="7">
    <if_sid>550</if_sid>
    <field name="file">C:\\Users\\<USER_NAME>\\Downloads</field>
    <description>File modified in C:\Users\<USER_NAME>\Downloads directory.</description>
  </rule>
  <rule id="100304" level="7">
    <if_sid>554</if_sid>
    <field name="file">C:\\Users\\<USER_NAME>\\Downloads</field>
    <description>File added to C:\Users\<USER_NAME>\Downloads  directory.</description>
  </rule>
</group>

<group name="yara,">
  <rule id="108000" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

  <rule id="108001" level="12">
    <if_sid>108000</if_sid>
    <match>wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>
</group>

Add the following configuration to the Wazuh server /var/ossec/etc/ossec.conf file:

<ossec_config>
  <command>
    <name>yara_windows</name>
    <executable>yara.bat</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>yara_windows</command>
    <location>local</location>
    <rules_id>100303,100304</rules_id>
  </active-response>
</ossec_config>

Restart the Wazuh manager to apply the configuration changes:
```
$ sudo systemctl restart wazuh-manager
```

Attack emulation

Note

For testing purposes, we download the EICAR anti-malware test file as shown below. We recommend testing in a sandbox, not in a production environment.

Download a malware sample on the monitored Windows endpoint:

Turn off Microsoft Virus and threat protection.

Download the EICAR zip file:

Invoke-WebRequest -Uri https://secure.eicar.org/eicar_com.zip -OutFile eicar.zip

Unzip it:
```
> Expand-Archive .\eicar.zip
```
Copy the EICAR file to the monitored directory. Replace <USER_NAME> with the username of the endpoint.
```
> cp .\eicar\eicar.com C:\Users\<USER_NAME>\Downloads
```

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

rule.groups:yara

Detecting hidden processes

In this use case, we show how Wazuh detects hidden processes created by a rootkit on a Linux endpoint. In this use case, you deploy a kernel-mode rootkit on an Ubuntu endpoint.

This rootkit hides from the kernel module list. It also hides selected processes from the ps utility. However, Wazuh detects it using setsid(), getpid(), and kill() system calls.

The Malware detection section of our documentation contains more details about how the Wazuh detects malware and the rootcheck module.

Infrastructure

Endpoint	Description
Ubuntu 22.04	On this endpoint, download, compile, and load a rootkit. Then, configure the Wazuh rootcheck module on this endpoint for anomaly detection.

Configuration

Perform the following steps on the Ubuntu endpoint to emulate a rootkit, and to run a rootcheck scan to detect it.

Switch to the root user and update the kernel of this endpoint:
```
$ sudo su
# apt update
```
Install packages required for building the rootkit:
```
# apt -y install gcc git
```

Next, configure the Wazuh agent to run rootcheck scans every 2 minutes. In the /var/ossec/etc/ossec.conf file. Set the frequency option in the <rootcheck> section to 120:

<rootcheck>
  <disabled>no</disabled>
  <check_dev>yes</check_dev>
  <check_sys>yes</check_sys>
  <check_pids>yes</check_pids>
  <check_ports>yes</check_ports>
  <check_if>yes</check_if>

  <!-- rootcheck execution frequency - every 12 hours by default-->

  <frequency>120</frequency>

  <skip_nfs>yes</skip_nfs>
</rootcheck>

Restart the Wazuh agent to apply the changes:
```
# systemctl restart wazuh-agent
```

Attack emulation

Ubuntu endpoint

Fetch the Diamorphine rootkit source code from GitHub:
```
# git clone https://github.com/m0nad/Diamorphine
```
Navigate to the Diamorphine directory and compile the source code:
```
# cd Diamorphine
# make
```
Load the rootkit kernel module:
```
# insmod diamorphine.ko
```
The kernel-level rootkit “Diamorphine” is now installed on the Ubuntu endpoint.

Note

Depending on the environment, the module sometimes fails to load or function properly. If you receive the error insmod: ERROR: could not insert module diamorphine.ko: Invalid parameters in the last step, you can restart the Linux endpoint and try again. Sometimes it takes several tries for it to work.
Run the kill signal 63 with the PID of a random process running on the Ubuntu endpoint. This unhides the Diamorphine rootkit. By default, Diamorphine hides itself so we don’t detect it by running the lsmod command. Try it out:
```
# lsmod | grep diamorphine
# kill -63 509
# lsmod | grep diamorphine
```
```
diamorphine            13155  0
```
When using these last commands, you can expect an empty output. In the case of Diamorphine, any kill signal 63 sent to any process whether it exists or not, toggles the Diamorphine kernel module to hide or unhide.
Run the following commands to see how the rsyslogd process is first visible and then no longer visible. This rootkit allows you to hide selected processes from the ps command. Sending a kill signal 31 hides/unhides any process.
```
# ps auxw | grep rsyslogd | grep -v grep
```
```
root       732  0.0  0.7 214452  3572 ?        Ssl  14:53   0:00 /usr/sbin/rsyslogd -n
```
```
# kill -31 <PID_OF_RSYSLOGD>
# ps auxw | grep rsyslog | grep -v grep
```
When using this last command, you can expect an empty output.

The next rootcheck scan will run and alert us about the rsyslogd process which was hidden with the Diamorphine rootkit.

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

rule.groups:rootcheck

Remember, if you run the same kill -31 command as before against rsyslogd, the rsyslogd process becomes visible again. The subsequent rootcheck scan would no longer generate alerts about it.

Monitoring execution of malicious commands

Auditd is an auditing utility native to Linux systems. It’s used for accounting actions and changes in a Linux endpoint.

In this use case, you configure Auditd on an Ubuntu endpoint to account for all commands executed by a given user. This includes commands run by a user in sudo mode or after changing to the root user. You configure a custom Wazuh rule to alert for suspicious commands.

Consider reading the Monitoring system calls section to get a broader picture of the ways to take advantage of it.

Infrastructure

Endpoint	Description
Ubuntu 22.04	On this endpoint, you configure Auditd to monitor the execution of malicious commands. Then, make use of the Wazuh CDB list lookup capability to create a list of potential malicious commands that can be run on it.

Configuration

Ubuntu endpoint

Perform the following steps to install Auditd and create the necessary audit rules to query all commands run by a privileged user.

Install, start and enable Auditd if it’s not present on the endpoint:

$ sudo apt -y install auditd
$ sudo systemctl start auditd
$ sudo systemctl enable auditd

As the root user, execute the following commands to append audit rules to /etc/audit/audit.rules file:

# echo "-a exit,always -F auid=1000 -F egid!=994 -F auid!=-1 -F arch=b32 -S execve -k audit-wazuh-c" >> /etc/audit/audit.rules
# echo "-a exit,always -F auid=1000 -F egid!=994 -F auid!=-1 -F arch=b64 -S execve -k audit-wazuh-c" >> /etc/audit/audit.rules

Reload the rules and confirm that they are in place:

# sudo auditctl -R /etc/audit/audit.rules
# sudo auditctl -l

-a always,exit -F arch=b32 -S execve -F auid=1000 -F egid!=994 -F auid!=-1 -F key=audit-wazuh-c
-a always,exit -F arch=b64 -S execve -F auid=1000 -F egid!=994 -F auid!=-1 -F key=audit-wazuh-c

Add the following configuration to the Wazuh agent /var/ossec/etc/ossec.conf file. This allows the Wazuh agent to read the auditd logs file:
```
<localfile>
  <log_format>audit</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>
```
Restart the Wazuh agent:
```
$ sudo systemctl restart wazuh-agent
```

Wazuh server

Perform the following steps to create a CDB list of malicious programs and rules to detect the execution of the programs in the list.

Look over the key-value pairs in the lookup file /var/ossec/etc/lists/audit-keys.
```
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command
```
This CDB list contains keys and values separated by colons.

Note

Wazuh allows you to maintain flat file CDB lists which must be key only or key:value pairs. These are compiled into a special binary format to facilitate high-performance lookups in Wazuh rules. Such lists must be created as files, added to the Wazuh configuration, and then compiled. After that, rules can be built to look up decoded fields in those CDB lists as part of their match criteria. For example, in addition to the text file /var/ossec/etc/lists/audit-keys, there is also a binary /var/ossec/etc/lists/audit-keys.cdb file that Wazuh uses for actual lookups.
Create a CDB list /var/ossec/etc/lists/suspicious-programs and fill its content with the following:
```
ncat:yellow
nc:red
tcpdump:orange
```
Add the list to the <ruleset> section of the Wazuh server /var/ossec/etc/ossec.conf file:
```
<list>etc/lists/suspicious-programs</list>
```

Create a high severity rule to fire when a "red" program is executed. Add this new rule to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server.

<group name="audit">
  <rule id="100210" level="12">
      <if_sid>80792</if_sid>
  <list field="audit.command" lookup="match_key_value" check_value="red">etc/lists/suspicious-programs</list>
    <description>Audit: Highly Suspicious Command executed: $(audit.exe)</description>
      <group>audit_command,</group>
  </rule>
</group>

Restart the Wazuh manager:
```
$ sudo systemctl restart wazuh-manager
```

Attack emulation

On the Ubuntu endpoint, install and run a "red" program netcat:
```
$ sudo apt -y install netcat
# nc -v
```

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

data.audit.command:nc

Detecting a Shellshock attack

Wazuh is capable of detecting a Shellshock attack by analyzing web server logs collected from a monitored endpoint. In this use case, you set up an Apache web server on the Ubuntu endpoint and simulate a shellshock attack.

Infrastructure

Endpoint	Description
Ubuntu 22.04	Victim endpoint running an Apache 2.4.54 web server.
RHEL 9.0	This attacker endpoint sends a malicious HTTP request to the victim’s web server.

Configuration

Ubuntu endpoint

Perform the following steps to install an Apache web server and monitor its logs with the Wazuh agent.

Update local packages and install the Apache web server:
```
$ sudo apt update
$ sudo apt install apache2
```
If a firewall is enabled, modify it to allow external access to web ports. Skip this step if the firewall is disabled:
```
$ sudo ufw app list
$ sudo ufw allow 'Apache'
$ sudo ufw status
```
Check that the Apache web server is running:
```
$ sudo systemctl status apache2
```
Add the following lines to the Wazuh agent /var/ossec/etc/ossec.conf configuration file. This sets the Wazuh agent to monitor the access logs of your Apache server:
```
<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/apache2/access.log</location>
</localfile>
```
Restart the Wazuh agent to apply the configuration changes:
```
$ sudo systemctl restart wazuh-agent
```

Attack emulation

Replace <WEBSERVER_IP_ADDRESS> with the Ubuntu IP address and execute the following command from the attacker endpoint:
```
$ sudo curl -H "User-Agent: () { :; }; /bin/cat /etc/passwd" <WEBSERVER_IP_ADDRESS>
```

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

rule.description:Shellshock attack detected
If you have Suricata monitoring the endpoint traffic, you can also query rule.description:*CVE-2014-6271* for the related Suricata alerts.

Leveraging LLMs for alert enrichment

Large Language Model is a type of artificial intelligence (AI) model designed to understand, generate, and manipulate human language. These models are typically built using machine learning techniques, particularly those involving deep learning and neural networks. LLMs can add human-like intelligence to process data, enhancing the efficiency of various business and personal operations. LLMs such as the ones adopted by ChatGPT have gained massive popularity and are widely used in various industries including security operations.

YARA is a tool that detects and classifies malware artifacts. While YARA can identify known patterns and signatures of malicious activity, human intervention is often required to interpret and contextualize the output of YARA scans. ChatGPT is a generative AI chatbot developed by OpenAI. It provides users with various LLMs to process data. These LLMs can analyze and enrich YARA alerts with additional context, providing security teams with deeper insights into the nature and severity of detected threats.

In this use case, we integrate Wazuh with YARA to detect when a malicious file is added to a monitored endpoint. The integration utilizes the Wazuh FIM module to monitor a directory for new or modified files. When a file modification or addition is detected, the Wazuh Active Response module triggers a YARA scan on the file. The Active Response module automatically deletes the malicious file from the endpoint if it has a positive match with a malicious signature. The Active Response module then queries ChatGPT to enrich the YARA scan result with additional insight into the malicious file that helps security teams understand its nature, potential impact, and remediation.

Infrastructure

Endpoint	Description
Ubuntu 22.04	Monitored endpoint configured with Wazuh File Integrity Monitoring (FIM) module and YARA integration with ChatGPT log enrichment.
Windows 11	Monitored endpoint configured with Wazuh File Integrity Monitoring (FIM) module and YARA integration with ChatGPT log enrichment.

Configuration

Perform the following steps to set up the YARA and ChatGPT integration. Choose either Ubuntu or Windows configuration depending on the operating system of the monitored endpoint.

Ubuntu 22.04 endpoint

Perform the following steps to install YARA and configure the Active Response and FIM modules.

Download, compile, and install YARA:

$ sudo apt update
$ sudo apt install -y make gcc autoconf libtool libssl-dev pkg-config jq
$ sudo curl -LO https://github.com/VirusTotal/yara/archive/v4.5.1.tar.gz
$ sudo tar -xvzf v4.5.1.tar.gz -C /usr/local/bin/ && rm -f v4.5.1.tar.gz
$ cd /usr/local/bin/yara-4.5.1/
$ sudo ./bootstrap.sh && sudo ./configure && sudo make && sudo make install && sudo make check
$ sudo ldconfig

Test that YARA is running properly:

$ yara

yara: wrong number of arguments
Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

Try `--help` for more options

Download YARA detection rules using valhallaAPI. Valhalla is a YARA and Sigma rule repository provided by Nextron Systems:

$ sudo mkdir -p /var/ossec/active-response/yara/rules
$ sudo curl 'https://valhalla.nextron-systems.com/api/v1/get' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' \
--compressed \
-H 'Referer: https://valhalla.nextron-systems.com/' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' \
--data 'demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text' \
-o /var/ossec/active-response/yara/rules/yara_rules.yar

Change the owner of the yara_rules.yar file to root:wazuh, and the file permissions to 750:
```
$ sudo chown root:wazuh /var/ossec/active-response/yara/rules/yara_rules.yar
$ sudo chmod 750 /var/ossec/active-response/yara/rules/yara_rules.yar
```
Note

If you use a custom YARA rule, ensure that the description field in the YARA rule metadata is present as this field is required to enrich the alert with ChatGPT.

Create a script yara.sh in the /var/ossec/active-response/bin/ directory. This script runs YARA scans on files added or modified in the monitored directories. It also queries ChatGPT to enrich the logs and attempts to remove malware files detected by YARA.

Replace <API_KEY> with your OpenAI API key and <OPENAI_MODEL> with your preferred OpenAI model. The model used in this POC guide is gpt-4-turbo:

#!/bin/bash
# Wazuh - YARA active response
# Copyright (C) 2015-2024, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.


#------------------------- Configuration -------------------------#

# ChatGPT API key
API_KEY="<API_KEY>"
OPENAI_MODEL="<OPENAI_MODEL>" #for example gpt-4-turbo


# Set LOG_FILE path
LOG_FILE="logs/active-responses.log"

#------------------------- Gather parameters -------------------------#

# Extra arguments
read INPUT_JSON
YARA_PATH=$(echo $INPUT_JSON | jq -r .parameters.extra_args[1])
YARA_RULES=$(echo $INPUT_JSON | jq -r .parameters.extra_args[3])
FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.syscheck.path)

size=0
actual_size=$(stat -c %s ${FILENAME})
while [ ${size} -ne ${actual_size} ]; do
    sleep 1
    size=${actual_size}
    actual_size=$(stat -c %s ${FILENAME})
done

#----------------------- Analyze parameters -----------------------#

if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
then
    echo "wazuh-YARA: ERROR - YARA active response error. YARA path and rules parameters are mandatory." >> ${LOG_FILE}
    exit 1
fi

#------------------------- Main workflow --------------------------#

# Execute YARA scan on the specified filename
YARA_output="$("${YARA_PATH}"/yara -w -r -m "$YARA_RULES" "$FILENAME")"

if [[ $YARA_output != "" ]]
then
    # Attempt to delete the file if any YARA rule matches
    if rm -rf "$FILENAME"; then
        echo "wazuh-YARA: INFO - Successfully deleted $FILENAME" >> ${LOG_FILE}
    else
        echo "wazuh-YARA: INFO - Unable to delete $FILENAME" >> ${LOG_FILE}
    fi

    # Flag to check if API key is invalid
    api_key_invalid=false

    # Iterate every detected rule
    while read -r line; do
        # Extract the description from the line using regex
        description=$(echo "$line" | grep -oP '(?<=description=").*?(?=")')
        if [[ $description != "" ]]; then
            # Prepare the message payload for ChatGPT
            payload=$(jq -n \
                --arg desc "$description" \
                --arg model "$OPENAI_MODEL" \
                '{
                    model: $model,
                    messages: [
                        {
                            role: "system",
                            content: "In one paragraph, tell me about the impact and how to mitigate \($desc)"
                        }
                    ],
                    temperature: 1,
                    max_tokens: 256,
                    top_p: 1,
                    frequency_penalty: 0,
                    presence_penalty: 0
                }')

            # Query ChatGPT for more information
            chatgpt_response=$(curl -s -X POST "https://api.openai.com/v1/chat/completions" \
                -H "Content-Type: application/json" \
                -H "Authorization: Bearer $API_KEY" \
                -d "$payload")

            # Check for invalid API key error
            if echo "$chatgpt_response" | grep -q "invalid_request_error"; then
                api_key_invalid=true
                echo "wazuh-YARA: ERROR - Invalid ChatGPT API key" >> ${LOG_FILE}
                # Log Yara scan result without ChatGPT response
                echo "wazuh-YARA: INFO - Scan result: $line | chatgpt_response: none" >> ${LOG_FILE}
            else
                # Extract the response text from ChatGPT API response
                response_text=$(echo "$chatgpt_response" | jq -r '.choices[0].message.content')

                # Check if the response text is null and handle the error
                if [[ $response_text == "null" ]]; then
                    echo "wazuh-YARA: ERROR - ChatGPT API returned null response: $chatgpt_response" >> ${LOG_FILE}
                else
                    # Combine the YARA scan output and ChatGPT response
                    combined_output="wazuh-YARA: INFO - Scan result: $line | chatgpt_response: $response_text"

                    # Append the combined output to the log file
                    echo "$combined_output" >> ${LOG_FILE}
                fi
            fi
        else
            echo "wazuh-YARA: INFO - Scan result: $line" >> ${LOG_FILE}
        fi
    done <<< "$YARA_output"

    # If API key was invalid, log a specific message
    if $api_key_invalid; then
        echo "wazuh-YARA: INFO - API key is invalid. ChatGPT response omitted." >> ${LOG_FILE}
    fi
else
    echo "wazuh-YARA: INFO - No YARA rule matched." >> ${LOG_FILE}
fi

exit 0;

Note

If the supplied <API_KEY> is invalid, Wazuh triggers an alert with the value of the chatgpt_response field set to None. Logs about the invalid API key are in the /var/ossec/logs/active-responses.log file.

Change the owner of the yara.sh script to root:wazuh, and the file permissions to 750:

$ sudo chown root:wazuh /var/ossec/active-response/bin/yara.sh
$ sudo chmod 750 /var/ossec/active-response/bin/yara.sh

Add the following within the <syscheck> block of the Wazuh agent /var/ossec/etc/ossec.conf configuration file to monitor the /home directory:
```
<directories realtime="yes">/home</directories>
```
Restart the Wazuh agent to apply the configuration changes:
```
$ sudo systemctl restart wazuh-agent
```

Windows 11 endpoint

Perform the following steps to install Python, YARA, and download YARA rules.

Download the Python executable installer from the official Python website.
Run the Python installer once downloaded, and make sure to check the following boxes:
- Install launcher for all users
- Add python.exe to PATH. This places the Python interpreter in the execution path.
Download and install the latest Visual C++ Redistributable package.

Open PowerShell with administrator privileges to download and extract YARA:

> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.1/yara-v4.5.1-2298-win64.zip -OutFile yara-v4.5.1-2298-win64.zip
> Expand-Archive yara-v4.5.1-2298-win64.zip; Remove-Item yara-v4.5.1-2298-win64.zip

Create a directory called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA executable into it:

> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\yara-v4.5.1-2298-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

Download YARA rules using valhallaAPI. Valhalla is a YARA and Sigma rule repository provided by Nextron Systems:

> python -m pip install valhallaAPI
> python -c "from valhallaAPI.valhalla import ValhallaAPI; v = ValhallaAPI(api_key='1111111111111111111111111111111111111111111111111111111111111111'); response = v.get_rules_text(); open('yara_rules.yar', 'w').write(response)"
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

Note

If you use a custom YARA rule, ensure that the description field in the YARA rule metadata is present, as this field is required to enrich the alert with ChatGPT.

Create a script yara.py in the C:\Program Files (x86)\ossec-agent\active-response\bin\ directory. This script runs a YARA scan against any file modified or added to the monitored directory. It also queries ChatGPT to enrich the logs and attempts to remove malware files detected by YARA. Replace <API_KEY> with your OpenAI API key and <OPENAI_MODEL> with your preferred OpenAI model. The model used in this POC guide is gpt-4-turbo:

import os
import subprocess
import json
import re
import requests

API_KEY = '<API_KEY>'
OPENAI_MODEL='<OPENAI_MODEL>' #for example gpt-4-turbo

# Determine OS architecture and set log file path
if os.environ['PROCESSOR_ARCHITECTURE'].endswith('86'):
    log_file_path = os.path.join(os.environ['ProgramFiles'], 'ossec-agent', 'active-response', 'active-responses.log')
else:
    log_file_path = os.path.join(os.environ['ProgramFiles(x86)'], 'ossec-agent', 'active-response', 'active-responses.log')

def log_message(message):
    with open(log_file_path, 'a') as log_file:
        log_file.write(message + '\n')

def read_input():
    return input()

def get_syscheck_file_path(json_file_path):
    with open(json_file_path, 'r') as json_file:
        data = json.load(json_file)
        return data['parameters']['alert']['syscheck']['path']

def run_yara_scan(yara_exe_path, yara_rules_path, syscheck_file_path):
    try:
        result = subprocess.run([yara_exe_path, '-m', yara_rules_path, syscheck_file_path], capture_output=True, text=True)
        return result.stdout.strip()
    except Exception as e:
        log_message(f"Error running Yara scan: {str(e)}")
        return None

def extract_description(yara_output):
    match = re.search(r'description="([^"]+)"', yara_output)
    if match:
        return match.group(1)
    else:
        return None

def query_chatgpt(description):
    headers = {
        'Authorization': f'Bearer {API_KEY}',
        'Content-Type': 'application/json'
    }
    data = {
        'model': OPENAI_MODEL,
        'messages': [{'role': 'system', 'content': f'In one paragraph, tell me about the impact and how to mitigate {description}'}],
        'temperature': 1,
        'max_tokens': 256,
        'top_p': 1,
        'frequency_penalty': 0,
        'presence_penalty': 0
    }
    response = requests.post('https://api.openai.com/v1/chat/completions', headers=headers, json=data)
    if response.status_code == 200:
        return response.json()['choices'][0]['message']['content']
    elif response.status_code == 401:  # Unauthorized (invalid API key)
        log_message("wazuh-YARA: ERROR - Invalid ChatGPT API key")
        return None
    else:
        log_message(f"Error querying ChatGPT: {response.status_code} {response.text}")
        return None

def main():
    json_file_path = r"C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
    yara_exe_path = r"C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
    yara_rules_path = r"C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"

    input_data = read_input()

    with open(json_file_path, 'w') as json_file:
        json_file.write(input_data)

    syscheck_file_path = get_syscheck_file_path(json_file_path)

    yara_output = run_yara_scan(yara_exe_path, yara_rules_path, syscheck_file_path)
    if yara_output is not None:
        description = extract_description(yara_output)

        if description:
            chatgpt_response = query_chatgpt(description)
            if chatgpt_response:
                combined_output = f"wazuh-YARA: INFO - Scan result: {yara_output} | chatgpt_response: {chatgpt_response}"
                log_message(combined_output)
            else:
                # Log the Yara scan result without the ChatGPT response
                log_message(f"wazuh-YARA: INFO - Scan result: {yara_output} | chatgpt_response: None")

            # Delete the scanned file if a description is found
            try:
                os.remove(syscheck_file_path)
                if not os.path.exists(syscheck_file_path):
                    log_message(f"wazuh-YARA: INFO - Successfully deleted {syscheck_file_path}")
                else:
                    log_message(f"wazuh-YARA: INFO - Unable to delete {syscheck_file_path}")
            except Exception as e:
                log_message(f"Error deleting file: {str(e)}")
        else:
            log_message("Failed to extract description from Yara output.")
    else:
        log_message("Yara scan returned no output.")

if __name__ == "__main__":
    main()

Note

If the supplied <API_KEY> is invalid, Wazuh triggers an alert with the value of the chatgpt_response field set to None. You can find logs about the invalid API key in the C:\Program Files (x86)\ossec-agent\active-response\active-response.log file.

Run the following command using PowerShell to convert the yara.py script to an executable file:
```
> pip install pyinstaller
> pyinstaller -F "C:\Program Files (x86)\ossec-agent\active-response\bin\yara.py"
```
This creates a yara.exe executable in the C:\Users\<USER>\dist\ directory.

Note

If you run the above commands as Administrator, the executable file will be in the C:\Windows\System32\dist directory.
Copy the yara.exe executable file to C:\Program Files (x86)\ossec-agent\active-response\bin\ directory on the monitored endpoint.
Add the following within the <syscheck> block of the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf configuration file to monitor the Users directory:
```
<directories realtime="yes">C:\Users\*\Downloads</directories>
```
Restart the Wazuh agent to apply the configuration changes:
```
> Restart-Service -Name wazuh
```

Wazuh server

Perform the following steps on the Wazuh server to configure custom rules, decoders, and the Active Response module.

Add the following decoders to the Wazuh server /var/ossec/etc/decoders/local_decoder.xml file to parse the data in YARA scan results:

<!--
  YARA Decoder
-->

<decoder name="YARA_decoder">
  <prematch>wazuh-YARA:</prematch>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">wazuh-YARA: (\S+)</regex>
  <order>YARA.log_type</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">Scan result: (\S+)\s+</regex>
  <order>YARA.rule_name</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">\[description="([^"]+)",</regex>
  <order>YARA.rule_description</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">author="([^"]+)",</regex>
  <order>YARA.rule_author</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">reference="([^"]+)",</regex>
  <order>YARA.reference</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">date="([^"]+)",</regex>
  <order>YARA.published_date</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">score =(\d+),</regex>
  <order>YARA.threat_score</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">customer="([^"]+)",</regex>
  <order>YARA.api_customer</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">hash1="([^"]+)",</regex>
  <order>YARA.file_hash</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">tags="([^"]+)",</regex>
  <order>YARA.tags</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">minimum_YARA="([^"]+)"\]</regex>
  <order>YARA.minimum_YARA_version</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">\] (.*) \|</regex>
  <order>YARA.scanned_file</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">chatgpt_response: (.*)</regex>
  <order>YARA.chatgpt_response</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">Successfully deleted (.*)</regex>
  <order>YARA.file_deleted</order>
</decoder>

<decoder name="YARA_child">
  <parent>YARA_decoder</parent>
  <regex type="pcre2">Unable to delete (.*)</regex>
  <order>YARA.file_not_deleted</order>
</decoder>

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file. The rules detect FIM events in the monitored directory. This triggers the YARA Active response script to delete a file if identified as a malicious file.

<group name="syscheck,">
  <rule id="100300" level="5">
    <if_sid>550</if_sid>
    <field name="file">/home</field>
    <description>File modified in /home directory.</description>
  </rule>

  <rule id="100301" level="5">
    <if_sid>554</if_sid>
    <field name="file">/home</field>
    <description>File added to /home directory.</description>
  </rule>
  <rule id="100302" level="5">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the downloads directory.</description>
  </rule>

  <rule id="100303" level="5">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the downloads directory.</description>
  </rule>
</group>

<group name="yara,">
  <rule id="108000" level="0">
    <decoded_as>YARA_decoder</decoded_as>
    <description>YARA grouping rule</description>
  </rule>
  <rule id="108001" level="10">
    <if_sid>108000</if_sid>
    <match>wazuh-YARA: INFO - Scan result: </match>
    <description>File "$(YARA.scanned_file)" is a positive match for YARA rule: $(YARA.rule_name)</description>
  </rule>

  <rule id="108002" level="5">
    <if_sid>108000</if_sid>
    <field name="yara.file_deleted">\.</field>
    <description>Active response successfully removed malicious file "$(YARA.file_deleted)"</description>
  </rule>

  <rule id="108003" level="12">
    <if_sid>108000</if_sid>
    <field name="YARA.file_not_deleted">\.</field>
    <description>Active response unable to delete malicious file "$(YARA.file_not_deleted)"</description>
  </rule>
</group>

Add the following configuration to the Wazuh server /var/ossec/etc/ossec.conf configuration file. This configures the Active Response module to trigger after the rules with ID 100300, 100301, 100302, and 100303 are fired:

<ossec_config>
  <command>
    <name>yara_windows</name>
    <executable>yara.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <command>
    <name>yara_linux</name>
    <executable>yara.sh</executable>
    <extra_args>-yara_path /usr/local/bin -yara_rules /var/ossec/active-response/yara/rules/yara_rules.yar</extra_args>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>yara_linux</command>
    <location>local</location>
    <rules_id>100300,100301</rules_id>
  </active-response>

  <active-response>
    <disabled>no</disabled>
    <command>yara_windows</command>
    <location>local</location>
    <rules_id>100302,100303</rules_id>
  </active-response>
</ossec_config>

Restart the Wazuh manager to apply the configuration changes:
```
$ sudo systemctl restart wazuh-manager
```

Testing the configuration

Ubuntu 22.04 endpoint

Run the following commands on the Ubuntu endpoint to download malware samples to the monitored /home directory:

# curl "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/mirai" > /home/mirai
# curl "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/xbash" > /home/xbash
# curl "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/webshell" > /home/webshell

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Modules > Security events tab and add the rule.groups:yara filter in the search bar to query the alerts.

As seen in the image, ChatGPT provides more context to the malicious file detected by YARA. Further insight such as origin, attack vectors, and impact of the malicious file can be seen in the yara.chatgpt_response field.

The below image shows an example of an alert triggered when the provided ChatGPT API key is invalid or a matched YARA rule does not contain a description.

Windows 11 endpoint

Run the following commands via PowerShell to download malware samples to the monitored C:\Users\*\Downloads directory:

> curl "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/mirai" -o   $env:USERPROFILE\Downloads\mirai
> curl "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/xbash" -o   $env:USERPROFILE\Downloads\xbash
> curl "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/5.0/resources/samples/webshell" -o $env:USERPROFILE\Downloads\webshell

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the filter in the search bar to query the alerts.

rule.groups:yara

As seen in the image, ChatGPT provides more context to the malicious file detected by YARA. Further insight, such as origin, attack vectors, and impact of the malicious file, can be seen in the yara.chatgpt_response field.

The below image shows an example of an alert triggered when the provided ChatGPT API key is invalid or a matched YARA rule does not contain a description.

Upgrade guide

This guide includes instructions on how to upgrade the Wazuh central components (server, indexer, and dashboard) and the Wazuh agent.

Wazuh components compatibility

All central Wazuh components must have identical version numbers, including the patch level, for proper operation. Additionally, the Wazuh manager must always be the same version or newer than the Wazuh agents.

Note that Wazuh indexer 5.0.0 is specifically compatible with Filebeat-OSS 7.10.2.

Upgrade the Wazuh central components

The Wazuh central components section includes instructions on how to upgrade the Wazuh server, the Wazuh indexer, and the Wazuh dashboard. These instructions apply to both all-in-one deployments and multi-node cluster deployments.

Upgrade the Wazuh agents

You can upgrade the Wazuh agents either remotely or locally. For remote upgrades, you can use either the Wazuh manager (agent_upgrade tool ) or the Wazuh API (via the Wazuh dashboard or a command-line tool). For details, refer to the remote agent upgrade section.

To perform the upgrade locally, select your operating system and follow the instructions.

Linux

Windows

macOS

Wazuh central components

This section guides you through the upgrade process of the Wazuh indexer, the Wazuh server, and the Wazuh dashboard.

All-in-one deployments: Execute all commands and configuration actions on the same node since all components run on a single system.
Multi-node cluster deployments: Run commands and apply configurations on the respective node where the component being upgraded is located.

Warning

Downgrading to version 4.11 and earlier is not possible. Since version 4.12.0, Wazuh uses a newer version of Apache Lucene.

Apache Lucene does not support downgrades, meaning once you upgrade to Wazuh 4.12.0 or later, you cannot roll back to 4.11 and earlier versions without a fresh installation of the indexer.

To avoid data loss, create an index snapshot before upgrading. For more details, refer to the Opensearch documentation.

Note

Since Wazuh 5.0, the following Rootcheck configuration options and database files have been removed:

File check options: <check_files>, <rootkit_files>, and the database file rootkit_files.txt.
Trojan scan options: <check_trojans>, <rootkit_trojans>, and the database file rootkit_trojans.txt.
Policy check options: <check_unixaudit>, <check_winaudit>, <check_winapps>, <check_winmalware>, and the database files system_audit_rcl.txt, system_audit_ssh.txt, win_applications_rcl.txt, win_audit_rcl.txt, and win_malware_rcl.txt.

These functionalities overlap with, or are replaced by, the Security Configuration Assessment (SCA) and File Integrity Monitoring (FIM) capabilities. If any of these options are configured in your ossec.conf file, remove them before upgrading to avoid configuration parsing warnings.

Preparing the upgrade

Perform the steps below before upgrading any of the Wazuh components. In case Wazuh is installed in a multi-node cluster configuration, repeat the following steps for every node.

Ensure you have added the Wazuh repository to every Wazuh indexer, server, and dashboard node before proceeding to perform the upgrade actions.

Import the GPG key.

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository.

For RHEL-compatible systems version 8 and earlier, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo

For RHEL-compatible systems version 9 and later, use the following command:

# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\npriority=1' | tee /etc/yum.repos.d/wazuh.repo

Install the following packages if missing.

# apt-get install gnupg apt-transport-https

Install the GPG key.

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the repository.

# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/5.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Update the packages information.
# apt-get update

(Recommended) Export customizations from the Wazuh dashboard. This step helps to preserve visualizations, dashboards, and other saved objects in case there are any issues during the upgrade process.
1. Navigate to Dashboard management > Dashboards Management > Saved objects on the Wazuh dashboard.
2. Select which objects to export and click Export, or click Export all objects to export everything.

Stop the Filebeat and Wazuh dashboard services if installed in the node:

# systemctl stop filebeat
# systemctl stop wazuh-dashboard

# service filebeat stop
# service wazuh-dashboard stop

Upgrading the Wazuh indexer

The Wazuh indexer cluster remains operational throughout the upgrade. The rolling upgrade process allows nodes to be updated one at a time, ensuring continuous service availability and minimizing disruptions. The steps detailed in the following sections apply to both single-node and multi-node Wazuh indexer clusters.

Preparing the Wazuh indexer cluster for upgrade

Perform the following steps on any of the Wazuh indexer nodes replacing <WAZUH_INDEXER_IP_ADDRESS>, <USERNAME>, and <PASSWORD>.

Backup the existing Wazuh indexer security configuration files:

# /usr/share/wazuh-indexer/bin/indexer-security-init.sh --options "-backup /etc/wazuh-indexer/opensearch-security -icl -nhnv"

Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.19.2
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/opensearch-security/config.yml
Will retrieve '/roles' into /etc/wazuh-indexer/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/opensearch-security/roles.yml
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
Will retrieve '/internalusers' into /etc/wazuh-indexer/opensearch-security/internal_users.yml
   SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/opensearch-security/internal_users.yml
Will retrieve '/actiongroups' into /etc/wazuh-indexer/opensearch-security/action_groups.yml
   SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/opensearch-security/action_groups.yml
Will retrieve '/tenants' into /etc/wazuh-indexer/opensearch-security/tenants.yml
   SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/opensearch-security/tenants.yml
Will retrieve '/nodesdn' into /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/opensearch-security/whitelist.yml
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/opensearch-security/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/opensearch-security/allowlist.yml
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/opensearch-security/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/opensearch-security/audit.yml
   SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/opensearch-security/audit.yml

Disable shard replication to prevent shard replicas from being created while Wazuh indexer nodes are being taken offline for the upgrade.

curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings"  -u <USERNAME> -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'

{
  "acknowledged" : true,
  "persistent" : {
    "cluster" : {
      "routing" : {
        "allocation" : {
          "enable" : "primaries"
        }
      }
    }
  },
  "transient" : {}
}

Perform a flush operation on the cluster to commit transaction log entries to the index.

# curl -X POST "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_flush" -u <USERNAME> -k

{
   "_shards" : {
      "total" : 19,
      "successful" : 19,
      "failed" : 0
   }
}

Run the following command on the Wazuh manager node(s) if running a single-node Wazuh indexer cluster.
# systemctl stop wazuh-manager
# service wazuh-manager stop

Upgrading the Wazuh indexer nodes

Perform the following steps on each Wazuh indexer node to upgrade them. Upgrade nodes with the cluster_manager role last to maintain cluster connectivity among online nodes.

Note

You can check the role of Wazuh indexer nodes in the cluster using the following command:

# curl -k -u <USERNAME> https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v

Stop the Wazuh indexer service.

# systemctl stop wazuh-indexer

# service wazuh-indexer stop

Backup the /etc/wazuh-indexer/jvm.options file to preserve your custom JVM settings. Create a copy of the file using the following command:
```
# cp /etc/wazuh-indexer/jvm.options /etc/wazuh-indexer/jvm.options.old
```
Upgrade the Wazuh indexer to the latest version.
# yum upgrade wazuh-indexer
# apt-get install wazuh-indexer
Note

When prompted, choose to replace the /etc/wazuh-indexer/jvm.options file with the updated version.
Manually reapply any custom settings to the /etc/wazuh-indexer/jvm.options file from your backup file.

Restart the Wazuh indexer service.

# systemctl daemon-reload
# systemctl enable wazuh-indexer
# systemctl start wazuh-indexer

Choose one option according to the operating system used.

RPM-based operating system:

# chkconfig --add wazuh-indexer
# service wazuh-indexer start

Debian-based operating system:

# update-rc.d wazuh-indexer defaults 95 10
# service wazuh-indexer start

Repeat steps 1 to 5 above on all Wazuh indexer nodes before proceeding to the post-upgrade actions.

Post-upgrade actions

Perform the following steps on any of the Wazuh indexer nodes replacing <WAZUH_INDEXER_IP_ADDRESS>, <USERNAME>, and <PASSWORD>.

Run the indexer-security-init.sh script to apply the security configuration files from backup into the new Wazuh indexer:

# /usr/share/wazuh-indexer/bin/indexer-security-init.sh

Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.19.3
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"]) due to: null
Done with success

Check that the newly upgraded Wazuh indexer nodes are in the cluster.

# curl -k -u <USERNAME> https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v

Re-enable shard allocation.

curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cluster/settings" -u <USERNAME> -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "all"
  }
}
'

{
  "acknowledged" : true,
  "persistent" : {
    "cluster" : {
      "routing" : {
        "allocation" : {
          "enable" : "all"
        }
      }
    }
  },
  "transient" : {}
}

Check the status of the Wazuh indexer cluster again to see if the shard allocation has finished.

# curl -k -u <USERNAME> https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?v

ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
18.0.3           34          86  32    6.67    5.30     2.53 dimr      cluster_manager,data,ingest,remote_cluster_client -               wazuh2.indexer
18.0.4           21          86  32    6.67    5.30     2.53 dimr      cluster_manager,data,ingest,remote_cluster_client *               wazuh1.indexer
18.0.2           16          86  32    6.67    5.30     2.53 dimr      cluster_manager,data,ingest,remote_cluster_client -               wazuh3.indexer

Note

Note that the upgrade process doesn't update plugins installed manually. Outdated plugins might cause the upgrade to fail.

Run the following command on each Wazuh indexer node to list installed plugins and identify those that require an update:
```
# /usr/share/wazuh-indexer/bin/opensearch-plugin list
```
In the output, plugins that require an update will be labeled as "outdated".

Remove the outdated plugins and reinstall the latest version replacing <PLUGIN_NAME> with the name of the plugin:

# /usr/share/wazuh-indexer/bin/opensearch-plugin remove <PLUGIN_NAME>
# /usr/share/wazuh-indexer/bin/opensearch-plugin install <PLUGIN_NAME>

Upgrading the Wazuh server

When upgrading a multi-node Wazuh manager cluster, run the upgrade in every node. Start with the master node to reduce server downtime. To successfully upgrade the Wazuh server, follow these steps in order:

Upgrade the Wazuh manager.
Configure the vulnerability detection. (if required based on the version you are upgrading from).
Configure Filebeat.

Note

Upgrading from Wazuh 4.2.x or lower creates the wazuh operating system user and group to replace ossec. To avoid upgrade conflicts, make sure that the wazuh user and group are not present in your operating system.

Upgrading the Wazuh manager

Upgrade the Wazuh manager to the latest version:
# yum upgrade wazuh-manager
# apt-get install wazuh-manager
Warning

If the /var/ossec/etc/ossec.conf configuration file was modified, it will not be replaced by the upgrade. You will therefore have to add the settings of the new capabilities manually. More information can be found in the User manual.

Run the following command on the Wazuh manager node(s) to start the Wazuh manager service if you stopped it earlier:

# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager

# service wazuh-manager start

Configuring CDB lists

When upgrading from Wazuh 4.12.x or earlier, follow these steps to configure the newly added CDB lists.

Edit the /var/ossec/etc/ossec.conf file and update the <ruleset> block with the CDB lists highlighted below.

<ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <list>etc/lists/malicious-ioc/malware-hashes</list>
    <list>etc/lists/malicious-ioc/malicious-ip</list>
    <list>etc/lists/malicious-ioc/malicious-domains</list>
    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
</ruleset>

Restart the Wazuh manager to apply the configuration changes
# systemctl restart wazuh-manager
# service wazuh-manager restart

Configuring the vulnerability detection and indexer connector

The Wazuh Inventory Harvester and Vulnerability Detection modules rely on the indexer connector setting to forward system inventory data and detected vulnerabilities to the Wazuh indexer.

If upgrading from version 4.8.x or later, skip the vulnerability detection and indexer connector configurations and proceed to Configuring Filebeat. No action is needed as the vulnerability detection and indexer connector blocks are already configured.

When upgrading from Wazuh version 4.7.x or earlier, follow these steps to configure the vulnerability detection and indexer connector blocks.

Update the configuration file

Edit the /var/ossec/etc/ossec.conf file to include the new <vulnerability-detection> block. Remove the old <vulnerability-detector> block if it exists.

The updated configuration enables the Wazuh Vulnerability Detection module to index vulnerabilities and alerts, with the vulnerability feed refreshing every 60 minutes. Add the following block to the configuration file:
```
<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
```
Configure the indexer block
1. Ensure the <indexer> block contains the details of your Wazuh indexer host. During the upgrade, a default <indexer> configuration is added under <ossec_conf> if none exists in /var/ossec/etc/ossec.conf. By default, the configuration includes one host with the IP address 0.0.0.0:
```
<indexer>
   <enabled>yes</enabled>
   <hosts>
      <host>https://0.0.0.0:9200</host>
   </hosts>
   <ssl>
      <certificate_authorities>
         <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
   </ssl>
</indexer>
```
  Replace 0.0.0.0 with the IP address or hostname of your Wazuh indexer node. You can find this value in the Filebeat configuration file at /etc/filebeat/filebeat.yml. Ensure that the <certificate> and <key> names match the files located in /etc/filebeat/certs/.
2. If using a Wazuh indexer cluster, add a <host> entry in the Wazuh manager /var/ossec/etc/ossec.conf file for each node in the cluster. For example, for a two-node configuration:
```
<hosts>
   <host>https://10.0.0.1:9200</host>
   <host>https://10.0.0.2:9200</host>
</hosts>
```
  The Wazuh server will prioritize reporting to the first indexer node in the list and switch to the next available node if it becomes unavailable.
Store Wazuh indexer credentials

Save the Wazuh indexer username and password into the Wazuh manager keystore using the Wazuh-keystore tool:
```
# echo '<INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
# echo '<INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
```
If you have forgotten your Wazuh indexer password, refer to the password management guide to reset it.
Restart the Wazuh manager to apply the configuration changes
# systemctl restart wazuh-manager
# service wazuh-manager restart

Configuring Filebeat

When upgrading Wazuh, you must also update the Wazuh Filebeat module and the alerts template to ensure compatibility with the latest Wazuh indexer version. Follow these steps to configure Filebeat properly:

Download the Wazuh module for Filebeat:

# curl -s https://packages.wazuh.com/5.x/filebeat/wazuh-filebeat-0.5.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

Download the alerts template:

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v5.0.0/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json

Backup the /etc/filebeat/filebeat.yml file to preserve your custom Filebeat configuration settings. Create a copy of the file using the following command:
```
# cp /etc/filebeat/filebeat.yml  /etc/filebeat/filebeat.yml.old
```

Upgrade Filebeat to the latest version:

# yum upgrade filebeat

# apt-get install filebeat

Restore your custom Filebeat configuration settings:

# cp /etc/filebeat/filebeat.yml.old  /etc/filebeat/filebeat.yml

Restart Filebeat:

# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat

Choose one option according to the OS used:

Debian based OS

# update-rc.d filebeat defaults 95 10
# service filebeat start

RPM based OS

# chkconfig --add filebeat
# service filebeat start

Upload the new Wazuh template and pipelines for Filebeat:

# filebeat setup --pipelines
# filebeat setup --index-management -E output.logstash.enabled=false

If you are upgrading from Wazuh versions v4.8.x or v4.9.x, manually update the wazuh-states-vulnerabilities-* mappings using the following command. Replace <WAZUH_INDEXER_IP_ADDRESS>, <USERNAME>, and <PASSWORD> with the values applicable to your deployment.

Skip this step if upgrading from other versions.

curl -X PUT "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/wazuh-states-vulnerabilities-*/_mapping"  -u <USERNAME> -k -H 'Content-Type: application/json' -d'
{
  "properties": {
    "vulnerability": {
      "properties": {
        "under_evaluation": {
          "type": "boolean"
        },
        "scanner": {
          "properties": {
            "source": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      }
    }
  }
}
'

Upgrading the Wazuh dashboard

Backup the /etc/wazuh-dashboard/opensearch_dashboards.yml file to save your settings. For example, create a copy of the file using the following command:

# cp /etc/wazuh-dashboard/opensearch_dashboards.yml /etc/wazuh-dashboard/opensearch_dashboards.yml.old

Upgrade the Wazuh dashboard.
# yum upgrade wazuh-dashboard
# apt-get install wazuh-dashboard
Note

When prompted, choose to replace the /etc/wazuh-dashboard/opensearch_dashboards.yml file with the updated version.
Manually reapply any configuration changes to the /etc/wazuh-dashboard/opensearch_dashboards.yml file. Ensure that the values of server.ssl.key and server.ssl.certificate match the files located in /etc/wazuh-dashboard/certs/.
Ensure the value of uiSettings.overrides.defaultRoute in the /etc/wazuh-dashboard/opensearch_dashboards.yml file is set to /app/wz-home as shown below:
```
uiSettings.overrides.defaultRoute: /app/wz-home
```

Restart the Wazuh dashboard:

# systemctl daemon-reload
# systemctl enable wazuh-dashboard
# systemctl start wazuh-dashboard

Choose one option according to your operating system:

RPM-based operating system:

# chkconfig --add wazuh-dashboard
# service wazuh-dashboard start

Debian-based operating system:

# update-rc.d wazuh-dashboard defaults 95 10
# service wazuh-dashboard start

You can now access the Wazuh dashboard via: https://<DASHBOARD_IP_ADDRESS>/app/wz-home.

Import the saved customizations exported while preparing the upgrade.
1. Navigate to Dashboard management > Dashboard Management > Saved objects on the Wazuh dashboard.
2. Click Import, add the ndjson file and click Import.

Note

Note that the upgrade process doesn't update plugins installed manually. Outdated plugins might cause the upgrade to fail.

Run the following command on the Wazuh dashboard server to list installed plugins and identify those that require an update:
```
# sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin list
```
In the output, plugins that require an update will be labeled as "outdated".

Remove the outdated plugins and reinstall the latest version replacing <PLUGIN_NAME> with the name of the plugin:

# sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin remove <PLUGIN_NAME>
# sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin install <PLUGIN_NAME>

Next steps

The Wazuh server, indexer, and dashboard are now successfully upgraded. You can verify the versions by running the following commands on the node(s) where the central components are installed:

# yum list installed wazuh-indexer
# yum list installed wazuh-manager
# yum list installed wazuh-dashboard

# apt list --installed wazuh-indexer
# apt list --installed wazuh-manager
# apt list --installed wazuh-dashboard

Next, upgrade the Wazuh agents by following the instructions in Upgrading the Wazuh agent.

Wazuh agent

The following sections include instructions to upgrade the Wazuh agent to the latest available version. It is possible to upgrade the Wazuh agents either remotely from the Wazuh manager or locally.

For remote upgrades, you can use either the Wazuh manager (agent_upgrade tool) or the Wazuh API (via the Wazuh dashboard or a command-line tool). For details, refer to the Remote agent upgrade section.

To perform the upgrade locally, select your operating system and follow the instructions.

Upgrading Wazuh agents on Linux endpoints

Select your package manager and follow the instructions to upgrade the Wazuh agent locally.

Note

You need root user privileges to run all the commands described below.

Install the GPG key.

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

Add the Wazuh repository.

# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/5.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Upgrade the Wazuh agent to the latest version.

# apt-get update
# apt-get install wazuh-agent

It is recommended to disable the Wazuh repository in order to avoid undesired upgrades and compatibility issues as the Wazuh agent should always be in the same or an older version than the Wazuh manager. Skip this step if the package is set to a hold state.
```
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# apt-get update
```

Note

For Debian 7, 8, and Ubuntu 14 systems import the GCP key and add the Wazuh repository (steps 1 and 2) using the following commands.

# apt-get install gnupg apt-transport-https
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
# echo "deb https://packages.wazuh.com/5.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

Import the GPG key.

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the Wazuh repository.

# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/5.x/yum/
protect=1
EOF

Clean the YUM cache.
```
# yum clean all
```
Upgrade the Wazuh agent to the latest version.
```
# yum upgrade wazuh-agent
```
It is recommended to disable the Wazuh repository in order to avoid undesired upgrades and compatibility issues as the Wazuh agent should always be in the same or an older version than the Wazuh manager.
```
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
```

Import the GPG key.

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the Wazuh repository.

# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/5.x/yum/
priority=1
EOF

Clean the DNF cache.
```
# dnf clean all
```
Upgrade the Wazuh agent to the latest version.
```
# dnf upgrade wazuh-agent
```
It is recommended to disable the Wazuh repository in order to avoid undesired upgrades and compatibility issues as the Wazuh agent should always be in the same or an older version than the Wazuh manager.
```
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
```

Import the GPG key.

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the Wazuh repository.

# cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/5.x/yum/
protect=1
EOF

Refresh the repository.
```
# zypper refresh
```
Upgrade the Wazuh agent to the latest version.
```
# zypper update wazuh-agent
```
It is recommended to disable the Wazuh repository to avoid undesired upgrades and compatibility issues as the Wazuh agent should always be in the same or an older version than the Wazuh manager.
```
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/wazuh.repo
```

Upgrading Wazuh agents on Windows endpoints

Follow these steps to upgrade Wazuh agents locally on Windows endpoints.

Note

You need administrator privileges to upgrade the agent.

Download the latest Windows installer.
Run the Windows installer by using the command line interface (CLI) or the graphical user interface (GUI).
To upgrade the Wazuh agent from the command line, run the installer using Windows PowerShell or the command prompt. The /q argument is used for unattended installations.
# .\wazuh-agent-5.0.0-1.msi /q
Open the installer and follow the instructions to upgrade the Wazuh agent.

Upgrading Wazuh agents on macOS endpoints

Follow these steps to upgrade Wazuh agents locally on macOS endpoints.

Note

You need administrator privileges to upgrade the agent.

Download the latest macOS installer:
- Intel: wazuh-agent-5.0.0-1.intel64.pkg.
- Apple silicon: wazuh-agent-5.0.0-1.arm64.pkg.
Run the macOS installer by using the command line interface (CLI) or the graphical user interface (GUI).
To upgrade the Wazuh agent by using the command line, select your architecture, and run the installer:
# installer -pkg wazuh-agent-5.0.0-1.intel64.pkg -target /
# installer -pkg wazuh-agent-5.0.0-1.arm64.pkg -target /

Note

Packages earlier than 4.5.1 are not available for ARM64 architectures.
Using the GUI will perform a simple upgrade. Double click on the downloaded file and follow the wizard. If you are not sure how to answer some of the prompts, simply use the default answers.

Troubleshooting

This section contains common issues that might occur when upgrading the Wazuh central components and provides steps to resolve them.

Wazuh-DB backup restoration

Wazuh by default performs automatic backups of the global.db database. These snapshots may be useful to recover critical information such as agent keys, agent synchronization information, and FIM event data among others. Wazuh-DB will restore the last backup available in case of failure during the upgrade. If this process also fails, the restoration must be done manually.

Manual restoration process

Stop the Wazuh manager.

# systemctl stop wazuh-manager

# service wazuh-manager stop

Locate the backup to restore. It is stored in /var/ossec/backup/db/ with a name format similar to global.db-backup-TIMESTAMP-pre_upgrade.gz.

Note

This process is valid for all the backups in the folder. Snapshot names containing the special tag pre_upgrade were created right before upgrading the Wazuh server. Any other snapshot is a periodic backup created according to the backup setting.
Decompress the backup file. Always use the -k flag to preserve the original file:
```
# gzip -dk WAZUH_HOME/backup/db/global.db-backup-TIMESTAMP-pre_upgrade.gz
```

Remove the current global.db database and move the backup to the right location:

# rm  WAZUH_HOME/queue/db/global.db
# mv  WAZUH_HOME/backup/db/global.db-backup-TIMESTAMP-pre_upgrade WAZUH_HOME/queue/db/global.db

Start the Wazuh manager.

# systemctl start wazuh-manager

# service wazuh-manager start

Wazuh dashboard server is not ready yet

This message typically appears right after starting or restarting the Wazuh dashboard. However, it may also indicate one of the following issues:

The Wazuh dashboard service is encountering an error and repeatedly restarting.
The Wazuh dashboard cannot communicate with the Wazuh indexer.
The Wazuh indexer service is not running or has encountered an error.

Steps to diagnose and fix the issue

Ensure the Wazuh dashboard service is active. Run the following command on the Wazuh dashboard node to check the status:
```
# systemctl status wazuh-dashboard
```
Check the Wazuh dashboard logs for errors. Run the following command on the Wazuh dashboard node:
```
# journalctl -u wazuh-dashboard | grep -i -E "error|warn"
```
Ensure the Wazuh dashboard is correctly configured to communicate with the Wazuh indexer. Open the dashboard /etc/wazuh-dashboard/opensearch_dashboards.yml file and verify the Wazuh indexer IP address configured in the opensearch.hosts field:
```
opensearch.hosts: https://<WAZUH_INDEXER_IP_ADDRESS>:9200
```
Check the connectivity between the Wazuh dashboard and the Wazuh indexer. Replace <WAZUH_INDEXER_IP_ADDRESS> and run the following command on the Wazuh dashboard node:
```
# curl -v telnet://<WAZUH_INDEXER_IP_ADDRESS>:9200
```
Ensure the Wazuh indexer service is active. Run the following command on the Wazuh indexer node to check the status:
```
# systemctl status wazuh-indexer
```
If the service is down, investigate potential errors.
Replace <WAZUH_INDEXER_CLUSTER_NAME> and run the following command on the Wazuh indexer node to check the indexer logs for errors:
```
# cat /var/log/wazuh-indexer/<WAZUH_INDEXER_CLUSTER_NAME>.log | grep -E "ERROR|WARN|Caused"
```

The 'vulnerability-detector' configuration is deprecated

This warning occurs because upgrading the Wazuh manager does not modify the /var/ossec/etc/ossec.conf file, preserving the previous Wazuh Vulnerability Detection module configuration. Additionally, warnings about invalid configurations for interval, min_full_scan_interval, run_on_start and provider elements may appear. To resolve these issues, update the configuration as outlined in Configuration.

No username and password found in the keystore

To ensure alerts and vulnerabilities are indexed and displayed on the Wazuh dashboard, add indexer credentials to the manager keystore.

Run the following commands to store the credentials securely:

# echo '<INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
# echo '<INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password

If you've forgotten your Wazuh indexer password, refer to the password management guide to reset it.

IndexerConnector initialization failed

This warning may indicate incorrect keystore credentials, a configuration issue, or a certificate error. Verify that the IP address, port, and certificate paths are correctly configured in the <indexer> section of /var/ossec/etc/ossec.conf.

After resolving the issue and successfully connecting the Wazuh manager to the indexer, you should see a log like this:

INFO: IndexerConnector initialized successfully for index: ...

If the error persists, enable wazuh_modules.debug=2 temporarily in /var/ossec/etc/local_internal_options.conf for more details.

Vulnerability detection seems to be disabled or has a problem

This warning suggests that the Wazuh Vulnerability Detection module might be disabled or misconfigured. To troubleshoot, follow these steps:

Ensure the vulnerability-detection module is enabled in /var/ossec/etc/ossec.conf.
Locate the <indexer> block in /var/ossec/etc/ossec.conf and confirm there are no misconfigurations or duplicate <indexer> sections.
Verify the wazuh-states-vulnerabilities-* index is correctly created. Ensure it is present and its health status is green by navigating to Indexer Management > Index Management > Indexes on the Wazuh dashboard.
If the index wasn’t created, check the Wazuh manager logs for errors or warnings using the following command:
```
# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
```

Application Not Found

If you see the message Application Not Found when accessing the Wazuh dashboard after upgrading, it may be because the configuration file /etc/wazuh-dashboard/opensearch_dashboards.yml wasn’t updated with the latest changes.

To fix this issue, update the uiSettings.overrides.defaultRoute setting in the /etc/wazuh-dashboard/opensearch_dashboards.yml file to the following value:

uiSettings.overrides.defaultRoute: /app/wz-home

SSO issue when upgrading from Wazuh 4.8 and earlier

If upgrading from Wazuh 4.8 or earlier, update the exchange_key value in /etc/wazuh-indexer/opensearch-security/config.yml.

Previously, exchange_key was set by copying the X.509 Certificate blob, excluding the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

Starting with Wazuh 4.9.0, exchange_key must be a 64-character random alphanumeric string.

For guidance, refer to the first step of the Wazuh indexer configuration in the Single sign-on (SSO) guides for platforms like Okta, Microsoft Entra ID, PingOne, Google, Jumpcloud, OneLogin, and Keycloack.

None of the above solutions are fixing my problem

We have a welcoming community ready to assist with most Wazuh deployment and usage issues. Visit any of the Wazuh community channels for support.

You can also report issues directly on our GitHub repositories under the Wazuh organization.

When reporting a problem, include detailed information such as the version, operating system, and relevant logs to help us assist you effectively.

Integrations guide: Elastic, OpenSearch, Splunk, Amazon Security Lake

Wazuh offers extensive compatibility and robust integration features that allow users to connect it with other security solutions and platforms. Integrating Wazuh with other security solutions enables users to manage Wazuh data in diverse ways.

Elastic, OpenSearch, and Splunk are software platforms designed for search, analytics, and data management. They are used to collect, index, search, and analyze large volumes of data in real-time and historical contexts.

Amazon Security Lake is a service designed to help organizations collect, manage, and analyze security data from various sources. Its primary purpose is to centralize security data, making it easier to detect, investigate, and respond to security threats.

Up to Wazuh v4.5, the following integrated applications allow users to manage Wazuh and its security data using third-party platforms:

However, from version 4.6, we will not develop these integrated applications any longer. We will only support them with critical security updates. In this document, we describe new methods of integrating your Wazuh deployment with the following third-party security platforms:

Integration methods

We describe how to configure the following integration alternatives for each of the security platforms mentioned above:

Wazuh indexer integration
Wazuh server integration

Additionally, we demonstrate how to import the provided dashboards for these platforms.

Wazuh indexer integration

The Wazuh agent collects security data from monitored endpoints. These data are analyzed by the Wazuh server and indexed in the Wazuh indexer. The Wazuh indexer integration forwards analyzed security data from the Wazuh indexer to the third-party security platform indexer in the form of indexes. Indexes are collections of documents with similar properties.

Wazuh indexer integration requires a running Wazuh indexer and uses Logstash as a data forwarder for forwarding alerts to a third-party security platform. Logstash forwards the alerts generated after querying the Wazuh indexer. This integration requires that you install Logstash on a dedicated server or on the server hosting the third-party indexer.

We recommend the Wazuh indexer integration if you want to continue analyzing security data in Wazuh and archive it in a data lake for storage or out-of-band analysis. The Wazuh indexer and third-party platform indexer both create indexes for the same alerts. This integration results in the redundancy of indexes which can lead to high resource costs.

Wazuh server integration

The Wazuh agent collects security data from monitored endpoints. The Wazuh server analyzes the data and generates alerts on the Wazuh dashboard. Wazuh stores security alerts locally in the /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json alerts files. The Wazuh server integration operates by reading the /var/ossec/logs/alerts/alerts.json file and forwarding the alerts to the third-party platform using a data forwarder.

We recommend Wazuh server integration over indexer integration if you don’t have enough resources for hosting both the third-party security platform indexer and the Wazuh indexer. This is particularly relevant for users operating Wazuh at a large scale, generating numerous alerts.

To implement the Wazuh server integration, a data forwarder must be installed on the same system as the Wazuh server. In multi-node configurations, the data forwarder should be installed on each Wazuh server node.

Note

To make sure Wazuh logs the alerts to /var/ossec/logs/alerts/alerts.json, check that the jsonout_output option in the Wazuh server configuration /var/ossec/etc/ossec.conf file is set to yes.

Integration considerations

Data forwarders

Third-party security platforms typically have a dedicated data collector or data forwarder which is required for implementing these integrations. These forwarders facilitate the data flow from the Wazuh indexer or server to the third-party security platforms.

In the Wazuh indexer integration alternative, the forwarder executes periodic queries to the Wazuh indexer. These queries are performed in blocks, with the time range of each query matching the specified query period. Consequently, there may be a delay in the arrival of alerts at the destination, depending on the frequency set for querying new alerts.

In the Wazuh server integration, the forwarder periodically checks the Wazuh alerts file. If it detects changes since the last read, it loads all the new alerts and sends them to the third-party platform.

Similarly, checking for new alerts periodically means that the alerts reach the destination with a delay. This delay depends on the frequency established to check for new alerts.

We discuss the data forwarders that we use in the integration alternatives.

There are several ways to ingest data into third-party indexers, which include using content sources, Elastic Agent, Beats, or Logstash. Each method has different trade-offs and use cases. In this documentation, we consider only Logstash and Splunk Forwarder and explain our considerations.

Logstash

Elastic Logstash is a free and open server-side data processing pipeline that ingests data from multiple sources, transforms it, and then sends it to your desired destination. Logstash has an Apache 2.0 license base and non-open source extensions under the x-pack denomination. Logstash supports scheduling queries at intervals of up to a second.

Logstash supports reading data from indexes using an input plugin and supports transformations with an output plugin. In summary, Logstash is the most compatible data forwarder for the Wazuh indexer and server integrations.

Splunk Forwarder

Splunk forwarder is a powerful data collection and forwarding tool provided by Splunk. It serves as an agent that collects data from various sources, transforms it if necessary, and sends it to the Splunk indexing infrastructure for further analysis and visualization.

The Splunk forwarder supports data collection from diverse sources such as log files, metrics, network devices, and APIs. It provides robust mechanisms to parse, filter, and enrich the collected data before sending it to the Splunk indexers. This enables users to extract relevant information, apply custom formatting, and enhance the data's overall quality and usefulness.

Redistributable dashboards

In this guide you can find configuration steps to set your integration and use the dashboards we provide for third-party security platforms. These dashboards help you get insights from your security data using these platforms.

Capacity planning

When integrating Wazuh with other security solutions, you need to carefully plan your storage resources and escalation needs beforehand. While the details on capacity planning are out of the scope of this guide, here are a few considerations.

When using the Wazuh indexer integration, you need to put the following points into consideration:

The disk space available on the third-party endpoint.
The network bandwidth the third-party indexer needs to ingest the collected data.
The network bandwidth the data forwarder uses to forward the security data.
The scalability of the data forwarder infrastructure to read all the data from the Wazuh indexer and forward it to the third-party security platform.

When using the Wazuh server integration, you need to put the following points into consideration:

The disk space each Wazuh server must have to forward the data.
The network bandwidth the Wazuh server and the third-party security platform need to receive and forward the security data respectively.
The additional CPU/RAM resources the data forwarder requires to work.
The disk space on the destination platform to accommodate the forwarded data it receives.

After the integration, you might have the same data in both Wazuh and third-party security platforms. To minimize the amount of duplicated data, you can archive the data from the Wazuh server or indexer for storage or later analysis. Also, you need to plan backups and recovery of data in case of failure.

Elastic Stack integration

Elasticsearch is the central component of the Elastic Stack, (commonly referred to as the ELK Stack - Elasticsearch, Logstash, and Kibana), which is a set of free and open tools for data ingestion, enrichment, storage, analysis, and visualization.

In this guide, you can find out how to integrate Wazuh with Elastic in the following ways:

Wazuh indexer integration using Logstash
Wazuh server integration using Logstash

Wazuh indexer integration using Logstash

Perform all the steps described below on your Logstash server. You must install Logstash on a dedicated server or on the server hosting the third-party indexer. We performed the steps on a Linux operating system. Logstash forwards the data from the Wazuh indexer to Elasticsearch in the form of indexes.

Learn more about the Wazuh indexer integration and its necessary considerations.

Installing Logstash

Perform the following steps to install Logstash and the required plugin.

Follow the Elastic documentation to install Logstash. Ensure that you consider the requirements and performance tuning guidelines for running Logstash.

Note

Ensure all components of your ELK (Elasticsearch, Logstash, and Kibana) stack are the same version to avoid compatibility issues.
Run the following command to install the logstash-input-opensearch plugin. This plugin reads data from the Wazuh indexer into the Logstash pipeline.
```
$ sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch
```
Copy the Wazuh indexer and Elasticsearch root certificates to the Logstash server.

Note

You can add the certificates to any directory of your choice. For example, we added them in /etc/logstash/wazuh-indexer-certs and /etc/logstash/elasticsearch-certs respectively.
Give the logstash user the necessary permissions to read the copied certificates:
```
$ sudo chmod -R 755 </PATH/TO/LOCAL/WAZUH_INDEXER/CERTIFICATE>/root-ca.pem
$ sudo chmod -R 755 </PATH/TO/LOCAL/ELASTICSEARCH/CERTIFICATE>/root-ca.pem
```
Replace </PATH/TO/LOCAL/WAZUH_INDEXER/CERTIFICATE>/root-ca.pem and </PATH/TO/LOCAL/ELASTICSEARCH/CERTIFICATE>/root-ca.pem with your Wazuh indexer and Elasticsearch certificate local paths on the Logstash endpoint respectively.

Configuring new indexes

You must define the mappings between the data and the index types to ensure Elasticsearch indexes your data correctly. Elasticsearch can infer these mappings, but we recommend that you explicitly configure them. Wazuh provides a set of mappings to ensure Elasticsearch indexes the data correctly.

You need to use the logstash/es_template.json template to configure this index initialization for your Elasticsearch platform. The refresh_interval is set to 5s in the template we provide.

Create a /etc/logstash/templates/ directory and download the template as wazuh.json using the following commands:

$ sudo mkdir /etc/logstash/templates
$ sudo curl -o /etc/logstash/templates/wazuh.json https://packages.wazuh.com/integrations/elastic/4.x-8.x/dashboards/wz-es-4.x-8.x-template.json

In Elasticsearch, the indexes support up to 1000 fields by default. However, Wazuh logs might contain even more than this number of fields. To solve this issue, the provided wazuh.json template has the fields set to 10000 by default as shown below:

...
"template": {
  ...
  "settings": {
        ...
        "mapping": {
         "total_fields": {
            "limit": 10000
         }
        }
        ...
  }
  ...
}
...

You can further increase this value by following the creating an index template documentation.

Configuring a pipeline

A Logstash pipeline allows Logstash to use plugins to read the data from the Wazuh indexes and send them to Elasticsearch.

The Logstash pipeline requires access to the following secret values:

Wazuh indexer credentials
Elasticsearch credentials

We use the Logstash keystore to securely store these values.

Run the following commands on your Logstash server to set a keystore password:

$ set +o history
$ echo 'LOGSTASH_KEYSTORE_PASS="<MY_KEYSTORE_PASSWORD>"'| sudo tee /etc/sysconfig/logstash
$ export LOGSTASH_KEYSTORE_PASS=<MY_KEYSTORE_PASSWORD>
$ set -o history
$ sudo chown root /etc/sysconfig/logstash
$ sudo chmod 600 /etc/sysconfig/logstash
$ sudo systemctl start logstash

Where <MY_KEYSTORE_PASSWORD> is your keystore password.

Note

You need to create the /etc/sysconfig folder if it does not exist on your server.

Run the following commands to securely store the credentials of the Wazuh indexer and Elasticsearch in the Logstash keystore.

Note

When you run each of the commands, you will be prompted to enter your credentials and the credentials will not be visible as you enter them.

ELASTICSEARCH_USERNAME, ELASTICSEARCH_PASSWORD, WAZUH_INDEXER_USERNAME, and WAZUH_INDEXER_PASSWORD are keys representing the secret values you are adding to the Logstash keystore. These keys will be used in the Logstash pipeline.
1. Create a new Logstash keystore:
```
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
```
2. Store your Elasticsearch username and password:
```
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ELASTICSEARCH_USERNAME
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ELASTICSEARCH_PASSWORD
```
3. Store your Wazuh indexer administrator username and password:
```
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_USERNAME
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_PASSWORD
```
Where:
- ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD are keys representing your Elasticsearch username and password respectively.
- WAZUH_INDEXER_USERNAME and WAZUH_INDEXER_PASSWORD are keys representing your Wazuh indexer administrator username and password respectively.
Perform the following steps to configure the Logstash pipeline.
1. Create the configuration file wazuh-elasticsearch.conf in /etc/logstash/conf.d/ folder:
```
$ sudo touch /etc/logstash/conf.d/wazuh-elasticsearch.conf
```
2. Add the following configuration to the wazuh-elasticsearch.conf file. This sets the parameters required to run Logstash.
```
input {
  opensearch {
   hosts =>  ["<WAZUH_INDEXER_ADDRESS>:9200"]
   user  =>  "${WAZUH_INDEXER_USERNAME}"
   password  =>  "${WAZUH_INDEXER_PASSWORD}"
   index =>  "wazuh-alerts-4.x-*"
   ssl => true
   ca_file => "</PATH/TO/LOCAL/WAZUH_INDEXER>/root-ca.pem"
   query =>  '{
       "query": {
          "range": {
             "@timestamp": {
                "gt": "now-1m"
             }
          }
       }
   }'
   schedule => "* * * * *"
  }
}

output {
    elasticsearch {
         hosts => "<ELASTICSEARCH_ADDRESS>"
         index  => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
         user => '${ELASTICSEARCH_USERNAME}'
         password => '${ELASTICSEARCH_PASSWORD}'
         ssl => true
         cacert => "</PATH/TO/LOCAL/ELASTICSEARCH>/root-ca.pem"
         template => "/etc/logstash/templates/wazuh.json"
         template_name => "wazuh"
         template_overwrite => true
    }
}
```
  Where:
  - <WAZUH_INDEXER_ADDRESS> is your Wazuh indexer address or addresses in case of cluster deployment.
  - <ELASTICSEARCH_ADDRESS> is your Elasticsearch IP address.
  - </PATH/TO/LOCAL/WAZUH_INDEXER>/root-ca.pem is your Wazuh indexer certificate local path on the Logstash server. For example, you can use /etc/logstash/wazuh-indexer-certs/root-ca.pem which is the Wazuh indexer root certificate that was copied earlier.
  - </PATH/TO/LOCAL/ELASTICSEARCH>/root-ca.pem is your Elasticsearch certificate local path on the Logstash server. For example, you can use /etc/logstash/elasticsearch-certs/root-ca.pem which is the Elasticsearch certificate that was copied earlier.
  Note
  
  For testing purposes, you can avoid SSL verification by replacing cacert => "</PATH/TO/LOCAL/ELASTICSEARCH>/root-ca.pem" with ssl_certificate_verification => false.
  
  If you are using composable index templates and the _index_template API, set the optional parameter legacy_template => false.

Running Logstash

Once you have everything set, run Logstash from CLI with your configuration:
```
$ sudo systemctl stop logstash
$ sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-elasticsearch.conf --path.settings /etc/logstash/
```
Make sure to use your own paths for the executable, the pipeline, and the configuration files.

Ensure that Wazuh indexer RESTful API port (9200) is open on your Wazuh indexer. To verify that the necessary ports for Wazuh component communication are open, refer to the list of required ports.
After confirming that the configuration loads correctly without errors, cancel the command and run Logstash as a service. This way Logstash is not dependent on the lifecycle of the terminal it's running on. You can now enable and run Logstash as a service:
```
$ sudo systemctl enable logstash.service
$ sudo systemctl start logstash.service
```

Check Elastic documentation for more details on setting up and running Logstash.

Note

Any data indexed before the configuration is complete will not be forwarded to the Elastic indexes.

The /var/log/logstash/logstash-plain.log file in the Logstash instance stores events generated when Logstash runs. View this file in case you need to troubleshoot.

After Logstash is successfully running, check how to configure the Wazuh alert index pattern and verify the integration.

Wazuh server integration using Logstash

Perform all the steps below on your Wazuh server. Learn more about the Wazuh server integration and its necessary considerations.

Installing Logstash

We use Logstash to forward security data in the /var/ossec/logs/alerts/alerts.json alerts file from the Wazuh server to the Elasticsearch indexes.

Perform the following steps to install Logstash and the required plugin.

Follow the Elastic documentation to install Logstash. Ensure that you consider the requirements and performance tuning guidelines for running Logstash.

Note

Ensure all components of your ELK (Elasticsearch, Logstash, and Kibana) stack are the same version to avoid compatibility issues.
Run the following command to install the logstash-output-elasticsearch plugin. This plugin allows Logstash to write data into Elasticsearch.
```
$ sudo /usr/share/logstash/bin/logstash-plugin install logstash-output-elasticsearch
```
Copy the Elasticsearch root certificate to the Wazuh server. You can add the certificate to any directory of your choice. In our case, we add it in /etc/logstash/elasticsearch-certs directory.
Give the logstash user the necessary permissions to read the copied certificates:
```
$ sudo chmod -R 755 </PATH/TO/LOCAL/ELASTICSEARCH/CERTIFICATE>/root-ca.pem
```
Replace </PATH/TO/LOCAL/ELASTICSEARCH/CERTIFICATE>/root-ca.pem with your Elasticsearch certificate local path on the Wazuh server.

Configuring new indexes

You need to use the logstash/es_template.json template to configure this index initialization for your Elasticsearch platform. The refresh_interval is set to 5s in the template we provide.

Create a /etc/logstash/templates/ directory and download the template as wazuh.json using the following commands:

$ sudo mkdir /etc/logstash/templates
$ sudo curl -o /etc/logstash/templates/wazuh.json https://packages.wazuh.com/integrations/elastic/4.x-8.x/dashboards/wz-es-4.x-8.x-template.json

...
"template": {
  ...
  "settings": {
        ...
        "mapping": {
         "total_fields": {
            "limit": 10000
         }
        }
        ...
  }
  ...
}
...

You can further increase this value by following the creating an index template documentation.

Configuring a pipeline

A Logstash pipeline allows Logstash to use plugins to read the data in the Wazuh /var/ossec/logs/alerts/alerts.json alert file and send them to Elasticsearch.

The Logstash pipeline requires access to your Elasticsearch credentials.

We use the Logstash keystore to securely store these values.

Run the following commands on your Logstash server to set a keystore password:

$ set +o history
$ echo 'LOGSTASH_KEYSTORE_PASS="<MY_KEYSTORE_PASSWORD>"'| sudo tee /etc/sysconfig/logstash
$ export LOGSTASH_KEYSTORE_PASS=<MY_KEYSTORE_PASSWORD>
$ set -o history
$ sudo chown root /etc/sysconfig/logstash
$ sudo chmod 600 /etc/sysconfig/logstash
$ sudo systemctl start logstash

Where <MY_KEYSTORE_PASSWORD> is your keystore password.

Note

You need to create the /etc/sysconfig folder if it does not exist on your server.

Run the following commands to securely store the credentials of Elasticsearch.

Note

When you run each of the commands, you will be prompted to enter your credentials and the credentials will not be visible as you enter them.

ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD are keys representing the secret values you are adding to the Logstash keystore. These keys will be used in the Logstash pipeline.
1. Create a new Logstash keystore:
```
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
```
2. Store your Elasticsearch username and password:
```
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ELASTICSEARCH_USERNAME
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ELASTICSEARCH_PASSWORD
```
  Where ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD are keys representing your Elasticsearch username and password respectively.

Perform the following steps to configure the Logstash pipeline.

Create the configuration file wazuh-elasticsearch.conf in /etc/logstash/conf.d/ folder:
```
$ sudo touch /etc/logstash/conf.d/wazuh-elasticsearch.conf
```

Add the following configuration to the wazuh-elasticsearch.conf file. This sets the parameters required to run Logstash.

input {
  file {
    id => "wazuh_alerts"
    codec => "json"
    start_position => "beginning"
    stat_interval => "1 second"
    path => "/var/ossec/logs/alerts/alerts.json"
    mode => "tail"
    ecs_compatibility => "disabled"
  }
}

output {
    elasticsearch {
         hosts => "<ELASTICSEARCH_ADDRESS>"
         index  => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
         user => '${ELASTICSEARCH_USERNAME}'
         password => '${ELASTICSEARCH_PASSWORD}'
         ssl => true
         cacert => "</PATH/TO/LOCAL/ELASTICSEARCH>/root-ca.pem"
         template => "/etc/logstash/templates/wazuh.json"
         template_name => "wazuh"
         template_overwrite => true
    }
}

Where:

<ELASTICSEARCH_ADDRESS> is your Elasticsearch IP address.
</PATH/TO/LOCAL/ELASTICSEARCH>/root-ca.pem is your Elasticsearch root certificate local path on the Wazuh server. For example, you can use /etc/logstash/elasticsearch-certs/root-ca.pem which is the Elasticsearch root certificate that was copied earlier.

Note

For testing purposes, you can avoid SSL verification by replacing cacert => "/PATH/TO/LOCAL/ELASTICSEARCH/root-ca.pem" with ssl_certificate_verification => false.

By default the /var/ossec/logs/alerts/alerts.json file is owned by the wazuh user with restrictive permissions. You must add the logstash user to the wazuh group so it can read the file when running Logstash as a service:
```
$ sudo usermod -a -G wazuh logstash
```

Running Logstash

Once you have everything set, run Logstash from CLI with your configuration:
```
$ sudo systemctl stop logstash
$ sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-elasticsearch.conf --path.settings /etc/logstash/
```
Make sure to use your own paths for the executable, the pipeline, and the configuration files.

Ensure that Wazuh server RESTful API port (55000) is open on your Wazuh server. To verify that the necessary ports for Wazuh component communication are open, refer to the list of required ports.
After confirming that the configuration loads correctly without errors, cancel the command and run Logstash as a service. This way Logstash is not dependent on the lifecycle of the terminal it's running on. You can now enable and run Logstash as a service:
```
$ sudo systemctl enable logstash.service
$ sudo systemctl start logstash.service
```

Note

Any data indexed before the configuration is complete would not be forwarded to the Elastic indexes.

The /var/log/logstash/logstash-plain.log file in the Logstash instance stores events generated when Logstash runs. View this file in case you need to troubleshoot.

Check Elastic documentation for more details on setting up and running Logstash.

Configuring the Wazuh alerts index pattern in Elastic

In Kibana, do the following to create the index pattern name for the Wazuh alerts.

Select ☰ > Management > Stack Management.
Choose Kibana > Data Views and select Create data view.
Enter a name for the data view and define wazuh-alerts-* as the index pattern name.
Select timestamp in the Timestamp fields dropdown menu. Then Save data view to Kibana.
Open the menu and select Discover under Analytics.
Select ☰ > Analytics > Discover.

Verifying the integration

To check the integration with Elasticsearch, navigate to Discover in Kibana and verify that you can find the Wazuh security data with the data view name you entered.

Elastic dashboards

Wazuh provides several dashboards for Elastic Stack. After finishing with the Elasticsearch integration setup, these dashboards display your Wazuh alerts in Elastic.

Importing these dashboards defines the index pattern name wazuh-alerts-*. The index pattern name is necessary for creating index names and receiving the alerts. We recommend using wazuh-alerts-4.x-%{+YYYY.MM.dd}.

Follow the next steps to import the Wazuh dashboards for Elastic.

Run the command below to download the Wazuh dashboard file for Elastic.

If you are accessing the Elastic dashboard (Kibana) from a Linux or macOS system:

# wget https://packages.wazuh.com/integrations/elastic/4.x-8.x/dashboards/wz-es-4.x-8.x-dashboards.ndjson

If you are accessing the Elastic dashboard (Kibana) from a Windows system, run the following command in Powershell:

# Invoke-WebRequest -Uri "https://packages.wazuh.com/integrations/elastic/4.x-8.x/dashboards/wz-es-4.x-8.x-dashboards.ndjson" -OutFile "allDashboards.ndjson"

Navigate to Management > Stack management in Kibana.
Click on Saved Objects and click Import.
Click on the Import icon, browse your files, and select the dashboard file.
Click the Import button to start importing.
To find the imported dashboards, select Analytics > Dashboard.

OpenSearch integration

OpenSearch is a distributed, community-driven, Apache 2.0-licensed, 100% open source search and analytics suite used for a broad set of use cases like real-time application monitoring, log analytics, and website search. OpenSearch is a fork from Elasticsearch. They have many similarities in configuration and integration steps.

In this guide, you can find out how to integrate Wazuh with OpenSearch in the following ways:

Wazuh indexer integration using Logstash
Wazuh server integration using Logstash

Wazuh indexer integration using Logstash

Perform the steps below on your Logstash server. You must install Logstash on a dedicated server or on the server hosting the third-party indexer. We performed these steps on a Linux operating system. Logstash forwards the data from the Wazuh indexer to OpenSearch in the form of indexes.

Learn more about the Wazuh indexer integration and its necessary considerations.

Installing Logstash

Perform the following steps to install Logstash and the required plugins. Ensure your Logstash and OpenSearch versions are compatible.

Follow the Elastic documentation to install Logstash.
Install the logstash-input-opensearch plugin and the logstash-output-opensearch plugin using the following command. These plugins allow reading the data from the Wazuh indexer into the Logstash pipeline and writing the data into OpenSearch.
```
$ sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch logstash-output-opensearch
```
Copy the Wazuh indexer and OpenSearch root certificates on the Logstash server.

Note

You can add the certificates to any directory of your choice. For example, we added them in /etc/logstash/wazuh-indexer-certs and /etc/logstash/opensearch-certs respectively.
Give the logstash user the necessary permissions to read the copied certificates:
```
$ sudo chmod -R 755 </PATH/TO/LOCAL/WAZUH_INDEXER/CERTIFICATE>/root-ca.pem
$ sudo chmod -R 755 </PATH/TO/LOCAL/OPENSEARCH/CERTIFICATE>/root-ca.pem
```
Replace </PATH/TO/LOCAL/WAZUH_INDEXER/CERTIFICATE>/root-ca.pem and </PATH/TO/LOCAL/OPENSEARCH/CERTIFICATE>/root-ca.pem with your Wazuh indexer and Opensearch certificate local path on the Logstash endpoint respectively.

Configuring new indexes

You must define the mappings between the data and the index types to ensure OpenSearch indexes your data correctly. OpenSearch can infer these mappings, but we recommend that you explicitly configure them. Wazuh provides a set of mappings to ensure OpenSearch indexes the data correctly.

You need to use the logstash/os_template.json template to configure this index initialization for your OpenSearch platform.

Create a /etc/logstash/templates/ directory and download the template as wazuh.json using the following commands:

# mkdir /etc/logstash/templates
# curl -o /etc/logstash/templates/wazuh.json https://packages.wazuh.com/integrations/opensearch/4.x-2.x/dashboards/wz-os-4.x-2.x-template.json

In OpenSearch, the indexes support up to 1000 fields by default. However, Wazuh logs might contain even more than this number of fields. To solve this issue, the provided wazuh.json template has the fields set to 10000 by default as shown below:

...
"template": {
  ...
  "settings": {
        ...
        "mapping": {
         "total_fields": {
            "limit": 10000
         }
        }
        ...
  }
  ...
}
...

You can further increase this value by following the creating an index template documentation.

Configuring a pipeline

A Logstash pipeline allows Logstash to use plugins to read the data from the Wazuh indexes and send them to OpenSearch.

The Logstash pipeline requires access to the following secret values:

Wazuh indexer credentials
OpenSearch credentials

We use the Logstash keystore to securely store these values.

Run the following commands on your Logstash server to set a keystore password:

$ set +o history
$ echo 'LOGSTASH_KEYSTORE_PASS="<MY_KEYSTORE_PASSWORD>"'| sudo tee /etc/sysconfig/logstash
$ export LOGSTASH_KEYSTORE_PASS=<MY_KEYSTORE_PASSWORD>
$ set -o history
$ sudo chown root /etc/sysconfig/logstash
$ sudo chmod 600 /etc/sysconfig/logstash
$ sudo systemctl start logstash

Where <MY_KEYSTORE_PASSWORD> is your keystore password.

Note

You need to create the /etc/sysconfig folder if it does not exist on your server.

Run the following commands to securely store the credentials of the Wazuh indexer and OpenSearch in the Logstash keystore.

Note

When you run each of the commands, you will be prompted to enter your credentials and the credentials will not be visible as you enter them.

OPENSEARCH_USERNAME, OPENSEARCH_PASSWORD, WAZUH_INDEXER_USERNAME, and WAZUH_INDEXER_PASSWORD are keys representing the secret values you are adding to the Logstash keystore. These keys will be used in the Logstash pipeline.
1. Create a new Logstash keystore:
```
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
```
2. Store your OpenSearch username and password:
```
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add OPENSEARCH_USERNAME
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add OPENSEARCH_PASSWORD
```
3. Store your Wazuh indexer administrator username and password:
```
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_USERNAME
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_PASSWORD
```
Where:
- OPENSEARCH_USERNAME and OPENSEARCH_PASSWORD are keys representing your OpenSearch username and password respectively.
- WAZUH_INDEXER_USERNAME and WAZUH_INDEXER_PASSWORD are keys representing your Wazuh indexer administrator username and password respectively.
Perform the following steps to configure the Logstash pipeline.
1. Create the configuration file wazuh-opensearch.conf in /etc/logstash/conf.d/ folder:
```
$ sudo touch /etc/logstash/conf.d/wazuh-opensearch.conf
```
2. Add the following configuration to the wazuh-opensearch.conf file. This sets the parameters required to run Logstash.
```
input {
  opensearch {
   hosts =>  ["<WAZUH_INDEXER_ADDRESS>:9200"]
   user  =>  "${WAZUH_INDEXER_USERNAME}"
   password  =>  "${WAZUH_INDEXER_PASSWORD}"
   index =>  "wazuh-alerts-4.x-*"
   ssl => true
   ca_file => "</PATH/TO/LOCAL/WAZUH_INDEXER/CERTIFICATE>/root-ca.pem"
   query =>  '{
       "query": {
          "range": {
             "@timestamp": {
                "gt": "now-1m"
             }
          }
       }
   }'
   schedule => "* * * * *"
  }
}

output {
    opensearch {
      hosts => ["<OPENSEARCH_ADDRESS>"]
      auth_type => {
         type => 'basic'
         user => '${OPENSEARCH_USERNAME}'
         password => '${OPENSEARCH_PASSWORD}'
      }
      index  => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
      cacert => "</PATH/TO/LOCAL/OPENSEARCH/CERTIFICATE>/root-ca.pem"
      ssl => true
      template => "/etc/logstash/templates/wazuh.json"
      template_name => "wazuh"
      template_overwrite => true
      legacy_template => false
    }
}
```
  Where:
  - <WAZUH_INDEXER_ADDRESS> is your Wazuh indexer address or addresses in case of cluster deployment.
  - <OPENSEARCH_ADDRESS> is your OpenSearch address.
  - </PATH/TO/LOCAL/WAZUH_INDEXER/CERTIFICATE>/root-ca.pem is your Wazuh indexer certificate local path on the Wazuh server. For example, you can use /etc/logstash/wazuh-indexer-certs/root-ca.pem which is the Wazuh indexer root certificate that was copied earlier.
  - </PATH/TO/LOCAL/OPENSEARCH/CERTIFICATE>/root-ca.pem is your OpenSearch certificate local path on the Wazuh server. For example, you can use /etc/logstash/opensearch-certs/root-ca.pem which is the OpenSearch certificate that was copied earlier.
  Note
  
  For testing purposes, you can avoid SSL verification by replacing cacert => "</PATH/TO/LOCAL/OPENSEARCH/CERTIFICATE>/root-ca.pem" with ssl_certificate_verification => false.
  
  If you aren't using composable index templates and the _index_template API, remove the legacy_template => false parameter.

Running Logstash

Once you have everything set, run Logstash from CLI with your configuration:
```
$ sudo systemctl stop logstash
$ sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-opensearch.conf --path.settings /etc/logstash/
```
Make sure to use your own paths for the Logstash executable, the pipeline, and the configuration files.

Ensure that Wazuh indexer RESTful API port (9200) is open on your Wazuh indexer. To verify that the necessary ports for Wazuh component communication are open, refer to the list of required ports.
After confirming that the configuration loads correctly without errors, cancel the command and run Logstash as a service. This way Logstash is not dependent on the lifecycle of the terminal it's running on. You can now enable and run Logstash as service:
```
$ sudo systemctl enable logstash
$ sudo systemctl start logstash
```

Check Elastic documentation for more details on setting up and running Logstash.

Note

Any data indexed before the configuration is complete would not be forwarded to the OpenSearch indexes.

The /var/log/logstash/logstash-plain.log file in the Logstash instance stores events produced when Logstash runs. View this file in case you need to troubleshoot.

After Logstash is successfully running, check how to configure the Wazuh alert index pattern and verify the integration.

Wazuh server integration using Logstash

Perform all the steps below on your Wazuh server. Learn more about the Wazuh server integration and its necessary considerations.

Installing Logstash

We use Logstash to forward security data in the /var/ossec/logs/alerts/alerts.json alerts file from the Wazuh server to the OpenSearch indexes.

Perform the following steps to install Logstash and the required plugin.

Follow the Elastic documentation to install Logstash on the Wazuh server.
Run the following command to install the logstash-output-opensearch plugin. This plugin allows Logstash to write the data into OpenSearch.
```
$ sudo /usr/share/logstash/bin/logstash-plugin install logstash-output-opensearch
```
Copy the OpenSearch root certificate to the Wazuh server. You can add the certificate to any directory of your choice. In our case, we add it in the /etc/logstash/opensearch-certs directory.
Give the logstash user the necessary permissions to read the copied certificates:
```
$ sudo chmod -R 755 </PATH/TO/LOCAL/OPENSEARCH/CERTIFICATE>/root-ca.pem
```
Replace </PATH/TO/LOCAL/OPENSEARCH/CERTIFICATE>/root-ca.pem with your OpenSearch certificate local path on the Wazuh server.

Configuring new indexes

You must define the mappings between the data and the index types to ensure Opensearch indexes your data correctly. Opensearch can infer these mappings, but we recommend that you explicitly configure them. Wazuh provides a set of mappings to ensure Opensearch indexes the data correctly.

You need to use the logstash/os_template.json template to configure this index initialization for your Opensearch platform. The refresh_interval is set to 5s in the template we provide.

Create a /etc/logstash/templates/ directory and download the template as wazuh.json using the following commands:

# mkdir /etc/logstash/templates
# curl -o /etc/logstash/templates/wazuh.json https://packages.wazuh.com/integrations/opensearch/4.x-2.x/dashboards/wz-os-4.x-2.x-template.json

...
"template": {
  ...
  "settings": {
        ...
        "mapping": {
         "total_fields": {
            "limit": 10000
         }
        }
        ...
  }
  ...
}
...

You can further increase this value by following the creating an index template documentation.

Configuring a pipeline

A Logstash pipeline allows Logstash to use plugins to read the data in the Wazuh /var/ossec/logs/alerts/alerts.json alerts file and send them to OpenSearch.

The Logstash pipeline requires access to your OpenSearch credentials.

We use the Logstash keystore to securely store these values.

Run the following commands on your Logstash server to set a keystore password:

$ set +o history
$ echo 'LOGSTASH_KEYSTORE_PASS="<MY_KEYSTORE_PASSWORD>"'| sudo tee /etc/sysconfig/logstash
$ export LOGSTASH_KEYSTORE_PASS=<MY_KEYSTORE_PASSWORD>
$ set -o history
$ sudo chown root /etc/sysconfig/logstash
$ sudo chmod 600 /etc/sysconfig/logstash
$ sudo systemctl start logstash

Where <MY_KEYSTORE_PASSWORD> is your keystore password.

Note

You need to create the /etc/sysconfig folder if it does not exist on your server.

Run the following commands to securely store the credentials of OpenSearch.

Note

When you run each of the commands, you will be prompted to enter your credentials and the credentials will not be visible as you enter them.

OPENSEARCH_USERNAME and OPENSEARCH_PASSWORD are keys representing the secret values you are adding to the Logstash keystore. These keys will be used in the Logstash pipeline.
1. Create a new Logstash keystore:
```
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
```
2. Store your OpenSearch username and password:
```
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add OPENSEARCH_USERNAME
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add OPENSEARCH_PASSWORD
```
  Where OPENSEARCH_USERNAME and OPENSEARCH_PASSWORD are keys representing your OpenSearch username and password respectively.

Perform the following steps to configure the Logstash pipeline.

Create the configuration file wazuh-opensearch.conf in /etc/logstash/conf.d/ folder:
```
$ sudo touch /etc/logstash/conf.d/wazuh-opensearch.conf
```

Add the following configuration to the wazuh-opensearch.conf file. This sets the parameters required to run Logstash.

input {
  file {
    id => "wazuh_alerts"
    codec => "json"
    start_position => "beginning"
    stat_interval => "1 second"
    path => "/var/ossec/logs/alerts/alerts.json"
    mode => "tail"
    ecs_compatibility => "disabled"
  }
}

output {
    opensearch {
      hosts => ["<OPENSEARCH_ADDRESS>"]
      auth_type => {
         type => 'basic'
         user => '${OPENSEARCH_USERNAME}'
         password => '${OPENSEARCH_PASSWORD}'
      }
      index  => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
      cacert => "</PATH/TO/LOCAL/OPENSEARCH/CERTIFICATE>/root-ca.pem"
      ssl => true
      template => "/etc/logstash/templates/wazuh.json"
      template_name => "wazuh"
      template_overwrite => true
      legacy_template => false
    }
}

Where:

<OPENSEARCH_ADDRESS> is your OpenSearch IP address.
</PATH/TO/LOCAL/OPENSEARCH/CERTIFICATE>/root-ca.pem is your OpenSearch certificate local path on the Wazuh server. In our case, we used /etc/logstash/opensearch-certs/root-ca.pem.

Note

For testing purposes, you can avoid SSL verification by replacing cacert => "</PATH/TO/LOCAL/OPENSEARCH/CERTIFICATE>/root-ca.pem" with ssl_certificate_verification => false.

If you aren't using composable index templates and the _index_template API, remove the legacy_template => false parameter.

By default the /var/ossec/logs/alerts/alerts.json file is owned by the wazuh user with restrictive permissions. You must add the logstash user to the wazuh group so it can read the file when running Logstash as a service:
```
$ sudo usermod -a -G wazuh logstash
```

Running Logstash

Once you have everything set, run Logstash from CLI with your configuration:
```
$ sudo systemctl stop logstash
$ sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-opensearch.conf --path.settings /etc/logstash/
```
Make sure to use your own paths for the executable, the pipeline, and the configuration files.

Ensure that Wazuh server RESTful API port (55000) is open on your Wazuh server. To verify that the necessary ports for Wazuh component communication are open, refer to the list of required ports.
After confirming that the configuration loads correctly without errors, cancel the command and run Logstash as a service. This way Logstash is not dependent on the lifecycle of the terminal it's running on. You can now enable and run Logstash as a service:
```
$ sudo systemctl enable logstash
$ sudo systemctl start logstash
```

Note

Any data indexed before the configuration is complete would not be forwarded to the OpenSearch indexes.

The /var/log/logstash/logstash-plain.log file in the Logstash instance stores events generated when Logstash runs. View this file in case you need to troubleshoot.

Check Elastic documentation for more details on setting up and running Logstash.

Configuring the Wazuh alerts index pattern in OpenSearch

In Opensearch Dashboards, do the following to create the index pattern name for the Wazuh alerts.

Select ☰ > Management > Dashboards Management.
Choose Index Patterns and select Create index pattern.
Define wazuh-alerts-* as the index pattern name.
Select timestamp as the primary time field for use with the global time filter. Then Create the index pattern.
Open the menu and select Discover under OpenSearch Dashboards.

Verifying the integration

To check the integration with OpenSearch, navigate to Discover in OpenSearch Dashboards and verify that you can find the Wazuh security data within the index pattern wazuh-alerts-4.x*.

OpenSearch dashboards

Wazuh provides several dashboards for OpenSearch. After finishing with the OpenSearch integration setup, these dashboards display your Wazuh alerts in OpenSearch.

Importing these dashboards defines the index pattern name wazuh-alerts-*. The index pattern name is necessary for creating index names and receiving alerts.

Follow the next steps to import the Wazuh dashboards for OpenSearch.

Run the command below to download the Wazuh dashboard file for OpenSearch.

If you are accessing the OpenSearch dashboard from a Linux or macOS system:

# wget https://packages.wazuh.com/integrations/opensearch/4.x-2.x/dashboards/wz-os-4.x-2.x-dashboards.ndjson

If you are accessing the Opensearch dashboard from a Windows system (run the command using Powershell):

# Invoke-WebRequest -Uri "https://packages.wazuh.com/integrations/opensearch/4.x-2.x/dashboards/wz-os-4.x-2.x-dashboards.ndjson" -OutFile "allDashboards.ndjson"

In OpenSearch Dashboards, navigate to Management > Dashboards management.
Click on Saved Objects and click Import.
Click on the Import icon, browse your files, and select the dashboard file.
Click the Import button to start importing then click Done.
To find the imported dashboards, navigate to Dashboard under OpenSearch Dashboards.

Splunk integration

Splunk is a security platform that enables you to collect, search, analyze, visualize, and report real-time and historical data. Splunk indexes the data stream and parses it into a series of individual events that you can view and search.

Splunk users connect to Splunk through the command-line interface or through Splunk Web to administer their deployment. Splunk enables users to also manage, create knowledge objects, run searches, and create pivots and reports.

Wazuh integrates with Splunk in these ways:

Wazuh indexer integration using Logstash
Wazuh server integration
- Using Logstash
- Using the Splunk forwarder

Wazuh indexer integration using Logstash

Before configuring Logstash, you need to set up the Splunk indexer to receive the forwarded events. Learn more about the Wazuh indexer integration and its necessary considerations.

Configuring the Splunk indexer

To complete the integration from the Wazuh indexer to Splunk, you must first configure Splunk to:

Enable the HTTP Event Collector.
Define the wazuh-alerts Splunk index to store your logs.
Create your Event Collector token.

Check the Splunk set up and use HTTP Event Collector documentation to set up the configuration, as seen below.

Installing Logstash

You must install Logstash on a dedicated server or on the server hosting the third-party indexer.

Perform the following steps on your Logstash server to set up your forwarder.

Follow the Elastic documentation to install Logstash. Ensure that you consider the requirements and performance tuning guidelines for running Logstash.
Run the following command to install the logstash-input-opensearch plugin. This plugin reads data from the Wazuh indexer into the Logstash pipeline.
```
$ sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch
```
Copy the Wazuh indexer and Splunk root certificates to the Logstash server.

Note

You can add the certificates to any directory of your choice. For example, we added them in /etc/logstash/wazuh-indexer-certs and /etc/logstash/splunk-certs respectively.
Give the logstash user the necessary permissions to read the copied certificates:
```
$ sudo chmod -R 755 </PATH/TO/LOCAL/WAZUH_INDEXER/CERTIFICATE>/root-ca.pem
$ sudo chmod -R 755 </PATH/TO/LOCAL/SPLUNK/CERTIFICATE>/ca.pem
```
Replace </PATH/TO/LOCAL/WAZUH_INDEXER/CERTIFICATE>/root-ca.pem and </PATH/TO/LOCAL/SPLUNK/CERTIFICATE>/ca.pem with your Wazuh indexer and Splunk certificate local paths on the Logstash endpoint respectively.

Configuring a pipeline

A Logstash pipeline allows Logstash to use plugins to read the data from the Wazuh indexes and send them to Splunk.

The Logstash pipeline requires access to the following secret values:

Wazuh indexer credentials
Splunk Event Collector token

To securely store these values, you can use the Logstash keystore.

Run the following commands on your Logstash server to set a keystore password:

$ set +o history
$ echo 'LOGSTASH_KEYSTORE_PASS="<MY_KEYSTORE_PASSWORD>"' | sudo tee /etc/sysconfig/logstash
$ export LOGSTASH_KEYSTORE_PASS=<MY_KEYSTORE_PASSWORD>
$ set -o history
$ sudo chown root /etc/sysconfig/logstash
$ sudo chmod 600 /etc/sysconfig/logstash
$ sudo systemctl start logstash

Where <MY_KEYSTORE_PASSWORD> is your keystore password.

Note

You need to create the /etc/sysconfig folder if it does not exist on your server.

Run the following commands to securely store these values. When prompted, input your own values as follows:

$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_USERNAME
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add WAZUH_INDEXER_PASSWORD
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add SPLUNK_AUTH

Where:

WAZUH_INDEXER_USERNAME and WAZUH_INDEXER_PASSWORD are keys representing your Wazuh indexer administrator username and password respectively.
SPLUNK_AUTH is your Splunk Event Collector token.

Perform the following steps to configure the Logstash pipeline.

Create the configuration file wazuh-splunk.conf in /etc/logstash/conf.d/ directory.
```
$ sudo touch /etc/logstash/conf.d/wazuh-splunk.conf
```

Edit the file and add the following configuration. This sets the parameters required to run Logstash.

input {
  opensearch {
   hosts =>  ["<WAZUH_INDEXER_ADDRESS>:9200"]
   user  =>  "${WAZUH_INDEXER_USERNAME}"
   password  =>  "${WAZUH_INDEXER_PASSWORD}"
   index =>  "wazuh-alerts-4.x-*"
   ssl => true
   ca_file => "</PATH/TO/LOCAL/WAZUH_INDEXER/CERTIFICATE>/root-ca.pem"
   query =>  '{
       "query": {
          "range": {
             "@timestamp": {
                "gt": "now-1m"
             }
          }
       }
   }'
   schedule => "* * * * *"
  }
}
output {
   http {
      format => "json" # format of forwarded logs
      http_method => "post" # HTTP method used to forward logs
      url => "<SPLUNK_URL>:8088/services/collector/raw" # endpoint to forward logs to
      headers => ["Authorization", "Splunk ${SPLUNK_AUTH}"]
      cacert => "</PATH/TO/LOCAL/SPLUNK/CERTIFICATE>/ca.pem"
   }
}

Where:

<WAZUH_INDEXER_ADDRESS> is your Wazuh indexer address or addresses in case of cluster deployment.
<SPLUNK_URL> is your Splunk URL.
</PATH/TO/LOCAL/WAZUH_INDEXER/CERTIFICATE>/root-ca.pem is your Wazuh indexer certificate local path on the Logstash server. In our case we used /etc/logstash/wazuh-indexer-certs/root-ca.pem.
</PATH/TO/LOCAL/SPLUNK/CERTIFICATE>/ca.pem is your Splunk certificate local path on the Logstash server. In our case, we used /etc/logstash/splunk-certs/ca.pem.

Note

For testing purposes, you can avoid SSL verification by replacing the line cacert => "/PATH/TO/LOCAL/SPLUNK/ca.pem" with ssl_verification_mode => "none".

Running Logstash

Once you have everything set, start Logstash from the command line with its configuration:
```
$ sudo systemctl stop logstash
$ sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-splunk.conf --path.settings /etc/logstash/
```
Make sure to use your own paths for the executable, the pipeline, and the settings files.

Ensure that Wazuh indexer RESTful API port (9200) is open on your Wazuh indexer. To verify that the necessary ports for Wazuh component communication are open, refer to the list of required ports.
After confirming that the configuration loads correctly without errors, cancel the command and run Logstash as a service. This way Logstash is not dependent on the lifecycle of the terminal it's running on. You can now enable and run Logstash as a service:
```
$ sudo systemctl enable logstash
$ sudo systemctl start logstash
```

Check Elastic documentation for more details on setting up and running Logstash.

Note

Any data indexed before the configuration is complete would not be forwarded to the Splunk indexes.

The /var/log/logstash/logstash-plain.log file in the Logstash instance has logs that you can check in case something fails.

After Logstash is successfully running, check how to verify the integration.

Wazuh server integration using Logstash

Before configuring Logstash, you need to set up the Splunk indexer to receive the forwarded events. Learn more about the Wazuh server integration and its necessary considerations.

Configuring Splunk indexer

First, set up Splunk as follows:

Enable HTTP Event Collector.
Define the wazuh-alerts Splunk index to store your logs.
Create your Event Collector token.

Check the Splunk set up and use HTTP Event Collector documentation to achieve this.

Installing Logstash

Logstash must forward the data from the Wazuh server to the Splunk indexes created previously.

Follow the Elastic documentation to install Logstash on the same system as the Wazuh server.
Copy the Splunk root certificates to the Wazuh server.

Note

You can add the certificates to any directory of your choice. For example, we added them in /etc/logstash/splunk-certs.
Give the logstash user the necessary permissions to read the copied certificates:
```
$ sudo chmod -R 755 </PATH/TO/LOCAL/SPLUNK/CERTIFICATE>/ca.pem
```
Replace </PATH/TO/LOCAL/SPLUNK/CERTIFICATE>/ca.pem with your Splunk certificate local path on the Wazuh server.

Configuring a pipeline

A Logstash pipeline allows Logstash to use plugins to read the data in the Wazuh /var/ossec/logs/alerts/alerts.json alerts file and send them to Splunk.

The Logstash pipeline requires access to your Splunk Event Collector Token.

To securely store these values, you can use the Logstash keystore.

Run the following commands on your Logstash server to set a keystore password:

$ set +o history
$ echo 'LOGSTASH_KEYSTORE_PASS="<MY_KEYSTORE_PASSWORD>"'| sudo tee /etc/sysconfig/logstash
$ export LOGSTASH_KEYSTORE_PASS=<MY_KEYSTORE_PASSWORD>
$ set -o history
$ sudo chown root /etc/sysconfig/logstash
$ sudo chmod 600 /etc/sysconfig/logstash
$ sudo systemctl start logstash

Where <MY_KEYSTORE_PASSWORD> is your keystore password.

Note

You need to create the /etc/sysconfig folder if it does not exist on your server.

Run the following commands to securely store these values. When prompted, input your own values. Where SPLUNK_AUTH is your Splunk Event Collector token.

$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
$ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add SPLUNK_AUTH

Configuring the pipeline with the Tail mode and the JSON codec for the file input plugin allows Logstash to read the Wazuh alerts file.

To configure the Logstash pipeline do the following.

Copy the Splunk root certificates to the Wazuh server. You can add the certificate to any directory of your choice. In our case, we add it in the /etc/logstash/splunk-certs directory.
Create the configuration file wazuh-splunk.conf in /etc/logstash/conf.d/ directory:
```
$ sudo touch /etc/logstash/conf.d/wazuh-splunk.conf
```

Edit the wazuh-splunk.conf file and add the following configuration. This sets the parameters required to run logstash.

input {
  file {
    id => "wazuh_alerts"
    codec => "json"
    start_position => "beginning"
    stat_interval => "1 second"
    path => "/var/ossec/logs/alerts/alerts.json"
    mode => "tail"
    ecs_compatibility => "disabled"
  }
}
output {
   http {
      format => "json" # format of forwarded logs
      http_method => "post" # HTTP method used to <SPLUNK_URL>forward logs
      url => "<SPLUNK_URL>:8088/services/collector/raw" # endpoint to forward logs to
      headers => ["Authorization", "Splunk ${SPLUNK_AUTH}"]
      cacert => "</PATH/TO/LOCAL/SPLUNK/CERTIFICATE>/ca.pem"
   }
}

Where:

<SPLUNK_URL> is your Splunk URL.
</PATH/TO/LOCAL/SPLUNK/CERTIFICATE>/ca.pem is your Splunk certificate local path on the Logstash server. In our case we used /etc/logstash/splunk-certs/ca.pem.

Note

For testing purposes, you can avoid SSL verification by replacing the line cacert => "</PATH/TO/LOCAL/SPLUNK/CERTIFICATE>/ca.pem" with ssl_verification_mode => "none".

By default, the /var/ossec/logs/alerts/alerts.json file is owned by the wazuh user with restrictive permissions. You must add the logstash user to the wazuh group so it can read the file when running Logstash as a service:
```
$ sudo usermod -a -G wazuh logstash
```

Running Logstash

Once you have everything set, start Logstash with its configuration:
```
$ sudo systemctl stop logstash
$ sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-splunk.conf --path.settings /etc/logstash/
```
Make sure to use your own paths for the executable, the pipeline, and the settings files.

Ensure that Wazuh server RESTful API port (55000) is open on your Wazuh server. To verify that the necessary ports for Wazuh component communication are open, refer to the list of required ports.
After confirming that the configuration loads correctly without errors, cancel the command and run Logstash as a service. This way Logstash is not dependent on the lifecycle of the terminal it's running on. You can now enable and run Logstash as a service:
```
$ sudo systemctl enable logstash
$ sudo systemctl start logstash
```

Check Elastic documentation for more details on setting up and running Logstash.

Note

Any data indexed before the configuration is complete would not be forwarded to the Splunk indexes.

The /var/log/logstash/logstash-plain.log file in the Logstash instance has logs that you can check in case something fails.

After Logstash is successfully running, check how to verify the integration.

Wazuh server integration using the Splunk forwarder

Before configuring the Splunk forwarder, you need to configure the Splunk indexer to receive the forwarded events. For this, you need to perform the following tasks on your Splunk server instance:

Set a receiving port.
Create the wazuh-alerts Splunk indexes.

Configuring Splunk indexer

Configuring the receiving port

Perform the following actions in Splunk Web:

Go to Settings > Forwarding and receiving.
Under Receive data, click Add new.
Enter 9997 in the Listen on this port input box and click Save.

Alternatively, you can configure the receiving port in the following way.

Edit /opt/splunk/etc/system/local/inputs.conf on the Splunk server to add the following configuration:

[splunktcp://9997]
connection_host = none

For more details, visit enable a receiver section in the Splunk documentation.

Configuring indexes

Perform the following actions to configure the wazuh-alerts indexes in Splunk Web.

Go to Settings > Indexes > New Index.
Enter wazuh-alerts in Index name and click Save.

Alternatively, you can add the following configuration to the /opt/splunk/etc/system/local/indexes.conf file on the Splunk server to create the indexes:

[wazuh-alerts]
coldPath = $SPLUNK_DB/wazuh/colddb
enableDataIntegrityControl = 1
enableTsidxReduction = 1
homePath = $SPLUNK_DB/wazuh/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/wazuh/thaweddb
timePeriodInSecBeforeTsidxReduction = 15552000
tsidxReductionCheckPeriodInSec =

Installing Splunk forwarder on the Wazuh server

The Splunk forwarder must stream the data from the Wazuh server to the Splunk indexes created previously.

Follow the Splunk documentation to install the Splunk universal forwarder on the Wazuh Server.

Note

In Cloud instances, you need to configure the credentials for the Splunk forwarder. Check the configure the Splunk Cloud Platform universal forwarder credentials package documentation to learn how to do this.

Configuring the Splunk forwarder

Set the following configuration in /opt/splunkforwarder/etc/system/local/inputs.conf file. This configures the Splunk forwarder to monitor the Wazuh /var/ossec/logs/alerts/alerts.json alerts file. Where <WAZUH_SERVER_HOST> is a name of your choice.
```
[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
host = <WAZUH_SERVER_HOST>
index = wazuh-alerts
sourcetype = wazuh-alerts
```

Set the following configuration in the /opt/splunkforwarder/etc/system/local/props.conf file to parse the data forwarded to Splunk:

[wazuh-alerts]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
category = Application
disabled = false
pulldown_type = true

Set the following configuration in the /opt/splunkforwarder/etc/system/local/outputs.conf file to define how the alerts are forwarded to Splunk. Where <SPLUNK_INDEXER_ADDRESS> is your Splunk server IP address. For Cloud instances, the Splunk indexer address is the cloud instance address.
```
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = <SPLUNK_INDEXER_ADDRESS>:9997

[tcpout-server://<SPLUNK_INDEXER_ADDRESS>:9997]
```

Running the forwarder

Start the Splunk Forwarder following Splunk documentation.

Run the following command to verify the connection is established:

$ sudo /opt/splunkforwarder/bin/splunk list forward-server

Active forwards:
     <SPLUNK_INDEXER_ADDRESS>:9997
Configured but inactive forwards:
     None

Note

The /opt/splunkforwarder/var/log/splunk/splunkd.log file in the forwarder instance has logs that you can check in case something fails.

Verifying the integration

To check the integration with Splunk, access Splunk Web and search for the wazuh-alerts Splunk index as follows.

Go to Search & Reporting.
Enter index="wazuh-alerts" and run the search.

Splunk dashboards

Wazuh provides several dashboards for Splunk.

After you complete the Splunk integration, you can use these dashboards to display your Wazuh alerts in Splunk.

To import the Wazuh dashboards for Splunk, repeat the following steps for each dashboard file you want to use.

Download the dashboard file that you need from the list of Splunk dashboards provided above.
Navigate to Search & Reporting in Splunk Web.
Click Dashboards and click Create New Dashboard.
Enter a dashboard title and select Dashboard Studio.

Note

The dashboard title you enter here will be overwritten with the original title set in the dashboard template.
Select Grid and click on Create.
Click on the </> Source icon.
Paste your dashboard file content, replacing everything in the source.
Click Back and click Save.

Amazon Security Lake integration

Note

This document guides you through setting up Wazuh as a data source for AWS Security Lake. To configure Wazuh as a subscriber to Amazon Security Lake, refer to Wazuh as a subscriber.

Wazuh Security Events can be converted to OCSF events and Parquet format, required by Amazon Security Lake, by using an AWS Lambda Python function, a Logstash instance and an AWS S3 bucket.

A properly configured Logstash instance can send the Wazuh Security events to an AWS S3 bucket, automatically invoking the AWS Lambda function that will transform and send the events to the Amazon Security lake dedicated S3 bucket.

The diagram below illustrates the process of converting Wazuh Security Events to OCSF events and to Parquet format for Amazon Security Lake.

Prerequisites

Amazon Security Lake is enabled.
At least one up and running Wazuh Indexer instance with populated wazuh-alerts-5.x-* indices.
A Logstash instance.
An S3 bucket to store raw events.
An AWS Lambda function, using the Python 3.12 runtime.
(Optional) An S3 bucket to store OCSF events, mapped from raw events.

AWS configuration

Enabling Amazon Security Lake

If you haven't already, ensure that you have enabled Amazon Security Lake by following the instructions at Getting started - Amazon Security Lake.

For multiple AWS accounts, we strongly encourage you to use AWS Organizations and set up Amazon Security Lake at the Organization level.

Creating an S3 bucket to store events

Follow the official documentation to create an S3 bucket within your organization. Use a descriptive name, for example: wazuh-aws-security-lake-raw.

Creating a Custom Source in Amazon Security Lake

Configure a custom source for Amazon Security Lake via the AWS console. Follow the official documentation to register Wazuh as a custom source.

To create the custom source:

Log into your AWS console and navigate to Security Lake.
Navigate to Custom Sources, and click Create custom source.
Enter a descriptive name for your custom source. For example, wazuh.
Choose Security Finding as the OCSF Event class.
For AWS account with permission to write data, enter the AWS account ID and External ID of the custom source that will write logs and events to the data lake.
For Service Access, create and use a new service role or use an existing service role that gives Security Lake permission to invoke AWS Glue.
Click on Create. Upon creation, Amazon Security Lake automatically creates an AWS Service Role with permissions to push files into the Security Lake bucket, under the proper prefix named after the custom source name. An AWS Glue Crawler is also created to populate the AWS Glue Data Catalog automatically.
Finally, collect the S3 bucket details, as these will be needed in the next step. Make sure you have the following information:
- The Amazon Security Lake S3 region.
- The S3 bucket name (e.g, aws-security-data-lake-us-east-1-AAABBBCCCDDD).

Creating an AWS Lambda function

Follow the official documentation to create an AWS Lambda function:

Select Python 3.12 as the runtime.
Configure the Lambda to use 512 MB of memory and 30 seconds timeout.
Configure a trigger so every object with .txt extension uploaded to the S3 bucket created previously invokes the Lambda function.
Create a zip deployment package and upload it to the S3 bucket created previously as per these instructions. The code is hosted in the Wazuh Indexer repository. Use the Makefile to generate the zip package wazuh_to_amazon_security_lake.zip.
```
$ git clone https://github.com/wazuh/wazuh-indexer.git && cd wazuh-indexer
$ git checkout v5.0.0
$ cd integrations/amazon-security-lake
$ make
```

Configure the Lambda with these environment variables.

Environment variable	Required	Value
AWS_BUCKET	True	The name of the Amazon S3 bucket in which Security Lake stores your custom source data
SOURCE_LOCATION	True	The Data source name of the Custom Source
ACCOUNT_ID	True	Enter the ID that you specified when creating your Amazon Security Lake custom source
REGION	True	AWS Region to which the data is written
S3_BUCKET_OCSF	False	S3 bucket to which the mapped events are written
OCSF_CLASS	False	The OCSF class to map the events into. Can be `SECURITY_FINDING` (default) or `DETECTION_FINDING`.

Note

The DETECTION_FINDING class is not supported by Amazon Security Lake yet.

Validation

To validate that the Lambda function is properly configured and works as expected, create a test file with the following command.

$ touch "$(date +'%Y%m%d')_ls.s3.wazuh-test-events.$(date +'%Y-%m-%dT%H.%M').part00.txt"

Add the sample events below to the file and upload it to the S3 bucket.

{"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"timestamp":"2024-04-22T14:20:46.976+0000","rule":{"mail":false,"gdpr":["IV_30.1.g"],"groups":["audit","audit_command"],"level":3,"firedtimes":1,"id":"80791","description":"Audit: Command: /usr/sbin/crond"},"location":"","agent":{"id":"004","ip":"47.204.15.21","name":"Ubuntu"},"data":{"audit":{"type":"NORMAL","file":{"name":"/etc/sample/file"},"success":"yes","command":"cron","exe":"/usr/sbin/crond","cwd":"/home/wazuh"}},"predecoder":{},"manager":{"name":"wazuh-manager"},"id":"1580123327.49031","decoder":{},"@version":"1","@timestamp":"2024-04-22T14:20:46.976Z"}
{"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"timestamp":"2024-04-22T14:22:03.034+0000","rule":{"mail":false,"gdpr":["IV_30.1.g"],"groups":["audit","audit_command"],"level":3,"firedtimes":1,"id":"80790","description":"Audit: Command: /usr/sbin/bash"},"location":"","agent":{"id":"007","ip":"24.273.97.14","name":"Debian"},"data":{"audit":{"type":"PATH","file":{"name":"/bin/bash"},"success":"yes","command":"bash","exe":"/usr/sbin/bash","cwd":"/home/wazuh"}},"predecoder":{},"manager":{"name":"wazuh-manager"},"id":"1580123327.49031","decoder":{},"@version":"1","@timestamp":"2024-04-22T14:22:03.034Z"}
{"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"timestamp":"2024-04-22T14:22:08.087+0000","rule":{"id":"1740","mail":false,"description":"Sample alert 1","groups":["ciscat"],"level":9},"location":"","agent":{"id":"006","ip":"207.45.34.78","name":"Windows"},"data":{"cis":{"rule_title":"CIS-CAT 5","timestamp":"2024-04-22T14:22:08.087+0000","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","result":"notchecked","pass":52,"fail":0,"group":"Access, Authentication and Authorization","unknown":61,"score":79,"notchecked":1,"@timestamp":"2024-04-22T14:22:08.087+0000"}},"predecoder":{},"manager":{"name":"wazuh-manager"},"id":"1580123327.49031","decoder":{},"@version":"1","@timestamp":"2024-04-22T14:22:08.087Z"}

A successful execution of the Lambda function will map these events into the OCSF Security Finding Class and write them to the Amazon Security Lake S3 bucket in Parquet format, properly partitioned based on the Custom Source name, Account ID, AWS Region and date, as described in the official documentation.

Installing and configuring Logstash

Install Logstash on a dedicated server or on the server hosting the Wazuh Indexer. Logstash forwards the data from the Wazuh Indexer to the AWS S3 bucket created previously.

Follow the official documentation to install Logstash.
Install the logstash-input-opensearch plugin (this one is installed by default in most cases).
```
$ sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch
```
Copy the Wazuh Indexer root certificate on the Logstash server, to any folder of your choice (e.g, /usr/share/logstash/root-ca.pem).

Grant the logstash user the required permission to access certificates, log directories, data directories, and configuration files.

$ sudo chmod 755 </PATH/TO/LOGSTASH_CERTS>/root-ca.pem
$ sudo chown -R logstash:logstash /var/log/logstash
$ sudo chmod -R 755 /var/log/logstash
$ sudo chown -R logstash:logstash /var/lib/logstash
$ sudo chown -R logstash:logstash /etc/logstash

Configuring the Logstash pipeline

A Logstash pipeline allows Logstash to use plugins to read the data from the Wazuh Indexer and send them to an AWS S3 bucket.

The Logstash pipeline requires access to the following secrets:

Wazuh Indexer credentials: INDEXER_USERNAME and INDEXER_PASSWORD.
AWS credentials for the account with permissions to write to the S3 bucket: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
AWS S3 bucket details: AWS_REGION and S3_BUCKET (the S3 bucket name for raw events).

Use the Logstash keystore to securely store these values.
Create the configuration file indexer-to-s3.conf in the /etc/logstash/conf.d/ folder:
```
$ sudo touch /etc/logstash/conf.d/indexer-to-s3.conf
```

Add the following configuration to the indexer-to-s3.conf file.

input {
    opensearch {
        hosts =>  ["<WAZUH_INDEXER_ADDRESS>:9200"]
        user  =>  "${INDEXER_USERNAME}"
        password  =>  "${INDEXER_PASSWORD}"
        ssl => true
        ca_file => "</PATH/TO/LOGSTASH_CERTS>/root-ca.pem"
        index =>  "wazuh-alerts-4.x-*"
        query =>  '{
            "query": {
                "range": {
                    "@timestamp": {
                    "gt": "now-5m"
                    }
                }
            }
        }'
        schedule => "*/5 * * * *"
    }
}

output {
    stdout {
        id => "output.stdout"
        codec => json_lines
    }
    s3 {
        id => "output.s3"
        access_key_id => "${AWS_ACCESS_KEY_ID}"
        secret_access_key => "${AWS_SECRET_ACCESS_KEY}"
        region => "${AWS_REGION}"
        bucket => "${S3_BUCKET}"
        codec => "json_lines"
        retry_count => 0
        validate_credentials_on_root_bucket => false
        prefix => "%{+YYYY}%{+MM}%{+dd}"
        server_side_encryption => true
        server_side_encryption_algorithm => "AES256"
        additional_settings => {
        "force_path_style" => true
        }
        time_file => 5
    }
}

Running Logstash

Run Logstash from the CLI with your configuration:

Logstash 8.x and earlier versions:

$ sudo systemctl stop logstash
$ sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/indexer-to-s3.conf --path.settings /etc/logstash --config.test_and_exit

Logstash 9.x and later versions:

$  sudo systemctl stop logstash
$ sudo -u logstash /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/indexer-to-s3.conf --path.settings /etc/logstash --config.test_and_exit

After confirming that the configuration loads correctly without errors, run Logstash as a service.
```
$ sudo systemctl enable logstash
$ sudo systemctl start logstash
```

OCSF Mapping

The integration maps Wazuh Security Events to the OCSF v1.1.0 Security Finding (2001) Class.

The tables below represent how the Wazuh Security Events are mapped into the OCSF Security Finding Class.

Note

This does not reflect any transformations or evaluations of the data. Some data evaluation and transformation will be necessary for a correct representation in OCSF that matches all requirements.

Metadata

OCSF Key	OCSF Value Type	Value
category_uid	Integer	2
category_name	String	"Findings"
class_uid	Integer	2001
class_name	String	"Security Finding"
type_uid	Long	200101
metadata.product.name	String	"Wazuh"
metadata.product.vendor_name	String	"Wazuh, Inc."
metadata.product.version	String	"4.9.0"
metadata.product.lang	String	"en"
metadata.log_name	String	"Security events"
metadata.log_provider	String	"Wazuh"

Security events

OCSF Key	OCSF Value Type	Wazuh Event Value
activity_id	Integer	1
time	Timestamp	timestamp
message	String	rule.description
count	Integer	rule.firedtimes
finding.uid	String	id
finding.title	String	rule.description
finding.types	String Array	input.type
analytic.category	String	rule.groups
analytic.name	String	decoder.name
analytic.type	String	"Rule"
analytic.type_id	Integer	1
analytic.uid	String	rule.id
risk_score	Integer	rule.level
attacks.tactic.name	String	rule.mitre.tactic
attacks.technique.name	String	rule.mitre.technique
attacks.technique.uid	String	rule.mitre.id
attacks.version	String	"v13.1"
nist	String Array	rule.nist_800_53
severity_id	Integer	convert(rule.level)
status_id	Integer	99
resources.name	String	agent.name
resources.uid	String	agent.id
data_sources	String Array	['_index', 'location', 'manager.name']
raw_data	String	full_log

Troubleshooting

Issue	Resolution
The Wazuh alert data is available in the Amazon Security Lake S3 bucket, but the Glue Crawler fails to parse the data into the Security Lake.	This issue typically occurs when the custom source that is created for the integration is using the wrong event class. Make sure you create the custom source with the Security Finding event class.
The Wazuh alerts data is available in the Auxiliar S3 bucket, but the Lambda function does not trigger or fails.	This usually happens if the Lambda is not properly configured, or if the data is not in the correct format. Test the Lambda following this guide.
Logstash fails to start with the message: `Path "/var/lib/logstash/queue" must be a writable directory. It is not writable.`	The logstash user does not have permission to write to one or more required directories. Grant the necessary permissions: sudo chown -R logstash:logstash /var/log/logstash sudo chmod -R 755 /var/log/logstash sudo chown -R logstash:logstash /var/lib/logstash sudo chown -R logstash:logstash /etc/logstash
Logstash 9.0+ fails with: `Running Logstash as a superuser is not allowed`	Starting from Logstash 9.0, running as the root user is blocked for security reasons. Run Logstash using the logstash system account: sudo -u logstash /usr/share/logstash/bin/logstash \ -f /etc/logstash/conf.d/indexer-to-s3.conf \ --path.settings /etc/logstash --config.test_and_exit

Backup guide

In this section you can find instructions on how to create and restore a backup of your Wazuh installation.

To do this backup, copy the key files to a designated folder while preserving file permissions, ownership, and directory structure. This ensures you can later restore your Wazuh data, certificates, and configurations by transferring the files back to their original locations. This method is particularly useful when migrating your Wazuh installation to a new system.

Creating a backup

This guide explains how to create a backup of your Wazuh files, such as logs, and configurations. Backing up Wazuh files is useful when migrating your Wazuh installation to a different system.

The Restoring Wazuh from backup documentation provides a guide to restore a backup of your Wazuh central components and Wazuh agent files.

Wazuh central components

To create a backup of the central components of your Wazuh installation, follow these steps. Repeat them on every cluster node you want to back up.

Note

You need root user privileges to execute the commands below.

Preparing the backup

Create the destination folder to store the files. For version control, add the date and time of the backup to the name of the folder.
```
# bkp_folder=~/wazuh_files_backup/$(date +%F_%H:%M)
# mkdir -p $bkp_folder && echo $bkp_folder
```

Save the host information.

# cat /etc/*release* > $bkp_folder/host-info.txt
# echo -e "\n$(hostname): $(hostname -I)" >> $bkp_folder/host-info.txt

Backing up the Wazuh server

Back up the Wazuh server data and configuration files.

# rsync -aREz \
/etc/filebeat/ \
/etc/postfix/ \
/var/ossec/api/configuration/ \
/var/ossec/etc/client.keys \
/var/ossec/etc/sslmanager* \
/var/ossec/etc/ossec.conf \
/var/ossec/etc/internal_options.conf \
/var/ossec/etc/local_internal_options.conf \
/var/ossec/etc/rules/local_rules.xml \
/var/ossec/etc/decoders/local_decoder.xml \
/var/ossec/etc/shared/ \
/var/ossec/logs/ \
/var/ossec/queue/agentless/ \
/var/ossec/queue/agents-timestamp \
/var/ossec/queue/fts/ \
/var/ossec/queue/rids/ \
/var/ossec/stats/ \
/var/ossec/var/multigroups/ $bkp_folder

If present, back up certificates and additional configuration files.

# rsync -aREz \
/var/ossec/etc/*.pem \
/var/ossec/etc/authd.pass $bkp_folder

Back up your custom files. If you have custom active responses, CDB lists, integrations, or wodles, adapt the following command accordingly.

# rsync -aREz \
/var/ossec/active-response/bin/<custom_AR_script> \
/var/ossec/etc/lists/<user_cdb_list>.cdb \
/var/ossec/integrations/<custom_integration_script> \
/var/ossec/wodles/<custom_wodle_script> $bkp_folder

Stop the Wazuh manager service to prevent modification attempts while copying the Wazuh databases.
# systemctl stop wazuh-manager
# service wazuh-manager stop
Back up the Wazuh databases. They hold collected data from agents.
```
# rsync -aREz \
/var/ossec/queue/db/ $bkp_folder
```

Start the Wazuh manager service.

# systemctl start wazuh-manager

# service wazuh-manager start

Backing up the Wazuh indexer and dashboard

Back up the Wazuh indexer certificates and configuration files.

# rsync -aREz \
/etc/wazuh-indexer/certs/ \
/etc/wazuh-indexer/jvm.options \
/etc/wazuh-indexer/jvm.options.d \
/etc/wazuh-indexer/log4j2.properties \
/etc/wazuh-indexer/opensearch.yml \
/etc/wazuh-indexer/opensearch.keystore \
/etc/wazuh-indexer/opensearch-observability/ \
/etc/wazuh-indexer/opensearch-reports-scheduler/ \
/etc/wazuh-indexer/opensearch-security/ \
/usr/lib/sysctl.d/wazuh-indexer.conf $bkp_folder

Back up the Wazuh dashboard certificates and configuration files.

# rsync -aREz \
/etc/wazuh-dashboard/certs/ \
/etc/wazuh-dashboard/opensearch_dashboards.yml \
/usr/share/wazuh-dashboard/config/opensearch_dashboards.keystore \
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml $bkp_folder

If present, back up your downloads and custom images.

# rsync -aREz \
/usr/share/wazuh-dashboard/data/wazuh/downloads/ \
/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/ $bkp_folder

Note

While you're already backing up alert files, consider backing up the cluster indices and state as well. State includes cluster settings, node information, index metadata, and shard allocation.

Check the backup

Verify that the Wazuh manager is active and list all the backed up files:

# systemctl status wazuh-manager

# service wazuh-manager status

# find $bkp_folder -type f | sed "s|$bkp_folder/||" | less

Wazuh agent

To create a backup of your Wazuh agent installation follow these steps.

Note

You need elevated privileges to execute the commands below.

Preparing the backup

On the agent machine you're doing the back up for, run the following commands to create the destination folder where to store the files. These commands use date and time references for the folder name to keep files separated from old backups you might have.

# bkp_folder=~/wazuh_files_backup/$(date +%F_%H:%M)
# mkdir -p $bkp_folder && echo $bkp_folder

> $timestamp = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
> mkdir %bkp_folder% ; echo %bkp_folder%
> $bkp_folder = Join-Path -Path $env:USERPROFILE -ChildPath "wazuh_files_backup\$timestamp"

# bkp_folder=~/wazuh_files_backup/$(date +%F_%H:%M)
# mkdir -p $bkp_folder && echo $bkp_folder

Backing up a Wazuh agent

Back up Wazuh agent data, certificates, and configuration files.

# rsync -aREz \
/var/ossec/etc/client.keys \
/var/ossec/etc/ossec.conf \
/var/ossec/etc/internal_options.conf \
/var/ossec/etc/local_internal_options.conf \
/var/ossec/etc/*.pem \
/var/ossec/logs/ \
/var/ossec/queue/rids/ $bkp_folder

> New-Item -Path $bkp_folder -ItemType Directory -Force | Out-Null
> Write-Output $bkp_folder
> Copy-Item "C:\Program Files (x86)\ossec-agent\client.keys" $bkp_folder -Recurse -Force
> Copy-Item "C:\Program Files (x86)\ossec-agent\ossec.conf" $bkp_folder -Recurse -Force
> Copy-Item "C:\Program Files (x86)\ossec-agent\internal_options.conf" $bkp_folder -Recurse -Force
> Copy-Item "C:\Program Files (x86)\ossec-agent\local_internal_options.conf" $bkp_folder -Recurse -Force
> Copy-Item "C:\Program Files (x86)\ossec-agent\*.pem" $bkp_folder -Recurse -Force
> Copy-Item "C:\Program Files (x86)\ossec-agent\ossec.log" $bkp_folder -Recurse -Force
> Copy-Item "C:\Program Files (x86)\ossec-agent\logs\*"  "$bkp_folder\logs\" -Recurse -Force
> Copy-Item "C:\Program Files (x86)\ossec-agent\rids" "$bkp_folder\rids" -Recurse -Force

# rsync -aREz \
/Library/Ossec/etc/client.keys \
/Library/Ossec/etc/ossec.conf \
/Library/Ossec/etc/internal_options.conf \
/Library/Ossec/etc/local_internal_options.conf \
/Library/Ossec/etc/*.pem \
/Library/Ossec/logs/ \
/Library/Ossec/queue/rids/ $bkp_folder

Back up your custom files such as local SCA policies, active response scripts, and wodles.

# rsync -aREz /var/ossec/etc/<SCA_DIRECTORY>/<CUSTOM_SCA_FILE> $bkp_folder
# rsync -aREz /var/ossec/active-response/bin/<CUSTOM_ACTIVE_RESPONSE_SCRIPT> $bkp_folder
# rsync -aREz /var/ossec/wodles/<CUSTOM_WODLE_SCRIPT> $bkp_folder

# Example variables - replace with your actual file names and folders

$SCA_DIRECTORY = "sca"
$CUSTOM_SCA_FILE = "custom_sca.yml"
$CUSTOM_ACTIVE_RESPONSE_SCRIPT = "my_response.ps1"
$CUSTOM_WODLE_SCRIPT = "custom_wodle.py"

> Copy-Item "$SCA_DIRECTORY\$CUSTOM_SCA_FILE" "C:\Program Files (x86)\ossec-agent\$SCA_DIRECTORY" -Recurse -Force
> Copy-Item "active-response\bin\$CUSTOM_ACTIVE_RESPONSE_SCRIPT" "C:\Program Files (x86)\ossec-agent\active-response\bin" -Recurse -Force
> Copy-Item "wodles\$CUSTOM_WODLE_SCRIPT" "C:\Program Files (x86)\ossec-agent\wodles" -Recurse -Force

# rsync -aREz /Library/Ossec/etc/<SCA_DIRECTORY>/<CUSTOM_SCA_FILE> $bkp_folder
# rsync -aREz /Library/Ossec/active-response/bin/<CUSTOM_ACTIVE_RESPONSE_SCRIPT> $bkp_folder
# rsync -aREz /Library/Ossec/wodles/<CUSTOM_WODLE_SCRIPT> $bkp_folder

Checking the backup

Check everything is in place and working

# find $bkp_folder -type f | sed "s|$bkp_folder/||" | less

> tree (Get-ChildItem "$env:USERPROFILE\wazuh_files_backup" -Directory | Sort-Object LastWriteTime -Descending | Select-Object -First 1 -ExpandProperty FullName) /f

# find $bkp_folder -type f | sed "s|$bkp_folder/||" | less

Restoring Wazuh from backup

This guide explains how to restore a backup of your Wazuh files, such as logs, and configurations. Restoring Wazuh files can be useful when migrating your Wazuh installation to a different system. To carry out this restoration, you first need to back up the necessary files. The Creating a backup documentation provides a guide that you can follow in creating a backup of the Wazuh central components and Wazuh agent data.

Note

This guide is designed specifically for restoration from a backup of the same version.

Wazuh central components

Perform the following actions to restore the Wazuh central components data, depending on your deployment type.

Note

For a multi-node setup, there should be a backup file for each node within the cluster. You need root user privileges to execute the commands below.

Single-node data restoration

You need to have a new installation of Wazuh. Follow the Quickstart guide to perform a fresh installation of the Wazuh central components on a new server.

The actions below will guide you through the data restoration process for a single-node deployment.

Preparing the data restoration

Compress the files generated after performing Wazuh files backup and transfer them to the new server:
```
# tar -cvzf wazuh_central_components.tar.gz ~/wazuh_files_backup/
```
Move the compressed file to the root / directory of your node:
```
# mv wazuh_central_components.tar.gz /
# cd /
```
Decompress the backup files and change the current working directory to the directory based on the date and time of the backup files:
```
# tar -xzvf wazuh_central_components.tar.gz
# cd ~/wazuh_files_backup/<DATE_TIME>
```

Restoring Wazuh indexer files

Perform the following steps to restore the Wazuh indexer files on the new server.

Stop the Wazuh indexer to prevent any modifications to the Wazuh indexer files during the restoration process:
```
# systemctl stop wazuh-indexer
```

Restore the Wazuh indexer configuration files and change the file permissions and ownerships accordingly:

# sudo cp etc/wazuh-indexer/jvm.options /etc/wazuh-indexer/jvm.options
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/jvm.options
# sudo cp -r etc/wazuh-indexer/jvm.options.d/* /etc/wazuh-indexer/jvm.options.d/
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/jvm.options.d
# sudo cp etc/wazuh-indexer/log4j2.properties /etc/wazuh-indexer/log4j2.properties
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/log4j2.properties
# sudo cp etc/wazuh-indexer/opensearch.keystore /etc/wazuh-indexer/opensearch.keystore
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch.keystore
# sudo cp -r etc/wazuh-indexer/opensearch-observability/* /etc/wazuh-indexer/opensearch-observability/
# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-observability/
# sudo cp -r etc/wazuh-indexer/opensearch-reports-scheduler/* /etc/wazuh-indexer/opensearch-reports-scheduler/
# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-reports-scheduler/
# sudo cp usr/lib/sysctl.d/wazuh-indexer.conf /usr/lib/sysctl.d/wazuh-indexer.conf

Start the Wazuh indexer service:
```
# systemctl start wazuh-indexer
```

Restoring Wazuh server files

Perform the following steps to restore the Wazuh server files on the new server.

Stop the Wazuh manager and Filebeat to prevent any modification to the Wazuh server files during the restore process:
```
# systemctl stop filebeat
# systemctl stop wazuh-manager
```

Copy the Wazuh server data and configuration files, and change the file permissions and ownerships accordingly:

# sudo cp etc/filebeat/filebeat.reference.yml /etc/filebeat/
# sudo cp etc/filebeat/fields.yml /etc/filebeat/
# sudo cp -r etc/filebeat/modules.d/* /etc/filebeat/modules.d/
# sudo cp -r etc/postfix/* /etc/postfix/
# sudo cp var/ossec/etc/client.keys /var/ossec/etc/
# chown root:wazuh /var/ossec/etc/client.keys
# sudo cp -r var/ossec/etc/sslmanager* /var/ossec/etc/
# sudo cp var/ossec/etc/ossec.conf /var/ossec/etc/
# chown root:wazuh /var/ossec/etc/ossec.conf
# sudo cp var/ossec/etc/internal_options.conf /var/ossec/etc/
# chown root:wazuh /var/ossec/etc/internal_options.conf
# sudo cp var/ossec/etc/local_internal_options.conf /var/ossec/etc/
# chown root:wazuh /var/ossec/etc/local_internal_options.conf
# sudo cp -r var/ossec/etc/rules/* /var/ossec/etc/rules/
# chown -R wazuh:wazuh /var/ossec/etc/rules/
# sudo cp -r var/ossec/etc/decoders/* /var/ossec/etc/decoders
# chown -R wazuh:wazuh /var/ossec/etc/decoders/
# sudo cp -r var/ossec/etc/shared/* /var/ossec/etc/shared/
# chown -R wazuh:wazuh /var/ossec/etc/shared/
# chown root:wazuh /var/ossec/etc/shared/ar.conf
# sudo cp -r var/ossec/logs/* /var/ossec/logs/
# chown -R wazuh:wazuh /var/ossec/logs/
# sudo cp -r var/ossec/queue/agentless/*  /var/ossec/queue/agentless/
# chown -R wazuh:wazuh /var/ossec/queue/agentless/
# sudo cp var/ossec/queue/agents-timestamp /var/ossec/queue/
# chown root:wazuh /var/ossec/queue/agents-timestamp
# sudo cp -r var/ossec/queue/fts/* /var/ossec/queue/fts/
# chown -R wazuh:wazuh /var/ossec/queue/fts/
# sudo cp -r var/ossec/queue/rids/* /var/ossec/queue/rids/
# chown -R wazuh:wazuh /var/ossec/queue/rids/
# sudo cp -r var/ossec/stats/* /var/ossec/stats/
# chown -R wazuh:wazuh /var/ossec/stats/
# sudo cp -r var/ossec/var/multigroups/* /var/ossec/var/multigroups/
# chown -R wazuh:wazuh /var/ossec/var/multigroups/

Restore certificates for Wazuh agent and Wazuh server communication, and additional configuration files if present:

# sudo cp -r var/ossec/etc/*.pem /var/ossec/etc/
# chown -R root:wazuh /var/ossec/etc/*.pem
# sudo cp var/ossec/etc/authd.pass /var/ossec/etc/
# chown -R root:wazuh /var/ossec/etc/authd.pass

Restore your custom files. If you have custom active response scripts, CDB lists, integrations, or wodles, adapt the following commands accordingly:

# sudo cp var/ossec/active-response/bin/<CUSTOM_ACTIVE_RESPONSE_SCRIPT> /var/ossec/active-response/bin/
# chown root:wazuh /var/ossec/active-response/bin/<CUSTOM_ACTIVE_RESPONSE_SCRIPT>
# sudo cp var/ossec/etc/lists/<USER_CDB_LIST>.cdb /var/ossec/etc/lists/
# chown root:wazuh /var/ossec/etc/lists/<USER_CDB_LIST>.cdb
# sudo cp var/ossec/integrations/<CUSTOM_INTEGRATION_SCRIPT> /var/ossec/integrations/
# chown root:wazuh /var/ossec/integrations/<CUSTOM_INTEGRATION_SCRIPT>
# sudo cp var/ossec/wodles/<CUSTOM_WODLE_SCRIPT> /var/ossec/wodles/
# chown root:wazuh /var/ossec/wodles/<CUSTOM_WODLE_SCRIPT>

Restore the Wazuh databases that contain collected data from the Wazuh agents:

# sudo cp var/ossec/queue/db/* /var/ossec/queue/db/
# chown -R wazuh:wazuh /var/ossec/queue/db/

Start the Filebeat service:
```
# systemctl start filebeat
```
Start the Wazuh manager service:
```
# systemctl start wazuh-manager
```

Restoring Wazuh dashboard files

Perform the following steps to restore Wazuh reports and custom images on the new server if you have any from your backup.

Restore your Wazuh reports using the following command:

# mkdir -p /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/
# sudo cp -r usr/share/wazuh-dashboard/data/wazuh/downloads/reports/* /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/
# chown -R wazuh-dashboard:wazuh-dashboard /usr/share/wazuh-dashboard/data/wazuh/downloads/

Navigate to Dashboard management > App Settings > Custom branding from the Wazuh dashboard and upload your custom images.

Restoring old logs

Wazuh, by default, compresses logs that are older than a day. While performing old log restoration in the Restoring Wazuh server files section, the old logs remain compressed.

Perform the following actions on your Wazuh server to decompress these logs and index them in the new Wazuh indexer:

Note

Restoring old logs will have a creation date of the day when the restoration is performed.

Create a Python script called recovery.py on your Wazuh server. This script decompresses all the old logs and stores them in the recovery.json file in the /tmp directory:
```
# touch recovery.py
```

Add the following content to the recovery.py script:

#!/usr/bin/env python

import gzip
import time
import json
import argparse
import re
import os
from datetime import datetime
from datetime import timedelta

def log(msg):
    now_date = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    final_msg = "{0} wazuh-reinjection: {1}".format(now_date, msg)
    print(final_msg)
    if log_file:
        f_log.write(final_msg + "\n")

EPS_MAX = 400
wazuh_path = '/var/ossec/'
max_size=1
log_file = None

parser = argparse.ArgumentParser(description='Reinjection script')
parser.add_argument('-eps','--eps', metavar='eps', type=int, required = False, help='Events per second.')
parser.add_argument('-min', '--min_timestamp', metavar='min_timestamp', type=str, required = True, help='Min timestamp. Example: 2017-12-13T23:59:06')
parser.add_argument('-max', '--max_timestamp', metavar='max_timestamp', type=str, required = True, help='Max timestamp. Example: 2017-12-13T23:59:06')
parser.add_argument('-o', '--output_file', metavar='output_file', type=str, required = True, help='Output filename.')
parser.add_argument('-log', '--log_file', metavar='log_file', type=str, required = False, help='Logs output')
parser.add_argument('-w', '--wazuh_path', metavar='wazuh_path', type=str, required = False, help='Path to Wazuh. By default:/var/ossec/')
parser.add_argument('-sz', '--max_size', metavar='max_size', type=float, required = False, help='Max output file size in Gb. Default: 1Gb. Example: 2.5')

args = parser.parse_args()

if args.log_file:
    log_file = args.log_file
    f_log = open(log_file, 'a+')


if args.max_size:
    max_size = args.max_size

if args.wazuh_path:
    wazuh_path = args.wazuh_path

output_file = args.output_file

#Gb to bytes
max_bytes = int(max_size * 1024 * 1024 * 1024)

if (max_bytes <= 0):
    log("Error: Incorrect max_size")
    exit(1)

month_dict = ['Null','Jan','Feb','Mar','Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov','Dec']

if args.eps:
    EPS_MAX = args.eps

if EPS_MAX < 0:
    log("Error: incorrect EPS")
    exit(1)

min_date = re.search('(\\d\\d\\d\\d)-(\\d\\d)-(\\d\\d)T\\d\\d:\\d\\d:\\d\\d', args.min_timestamp)
if min_date:
    min_year = int(min_date.group(1))
    min_month = int(min_date.group(2))
    min_day = int(min_date.group(3))
else:
    log("Error: Incorrect min timestamp")
    exit(1)

max_date = re.search('(\\d\\d\\d\\d)-(\\d\\d)-(\\d\\d)T\\d\\d:\\d\\d:\\d\\d', args.max_timestamp)
if max_date:
    max_year = int(max_date.group(1))
    max_month = int(max_date.group(2))
    max_day = int(max_date.group(3))
else:
    log("Error: Incorrect max timestamp")
    exit(1)

# Converting timestamp args to datetime
min_timestamp = datetime.strptime(args.min_timestamp, '%Y-%m-%dT%H:%M:%S')
max_timestamp = datetime.strptime(args.max_timestamp, '%Y-%m-%dT%H:%M:%S')

chunk = 0
written_alerts = 0
trimmed_alerts = open(output_file, 'w')

max_time=datetime(max_year, max_month, max_day)
current_time=datetime(min_year, min_month, min_day)

while current_time <= max_time:
    alert_file = "{0}logs/alerts/{1}/{2}/ossec-alerts-{3:02}.json.gz".format(wazuh_path,current_time.year,month_dict[current_time.month],current_time.day)

    if os.path.exists(alert_file):
        daily_alerts = 0
        compressed_alerts = gzip.open(alert_file, 'r')
        log("Reading file: "+ alert_file)
        for line in compressed_alerts:
            # Transform line to json object
            try:
                line_json = json.loads(line.decode("utf-8", "replace"))

                # Remove unnecessary part of the timestamp
                string_timestamp = line_json['timestamp'][:19]

                # Ensure timestamp integrity
                while len(line_json['timestamp'].split("+")[0]) < 23:
                    line_json['timestamp'] = line_json['timestamp'][:20] + "0" + line_json['timestamp'][20:]

                # Get the timestamp readable
                event_date = datetime.strptime(string_timestamp, '%Y-%m-%dT%H:%M:%S')

                # Check the timestamp belongs to the selected range
                if (event_date <= max_timestamp and event_date >= min_timestamp):
                    chunk+=1
                    trimmed_alerts.write(json.dumps(line_json))
                    trimmed_alerts.write("\n")
                    trimmed_alerts.flush()
                    daily_alerts += 1
                    if chunk >= EPS_MAX:
                        chunk = 0
                        time.sleep(2)
                    if os.path.getsize(output_file) >= max_bytes:
                        trimmed_alerts.close()
                        log("Output file reached max size, setting it to zero and restarting")
                        time.sleep(EPS_MAX/100)
                        trimmed_alerts = open(output_file, 'w')

            except ValueError as e:
                print("Oops! Something went wrong reading: {}".format(line))
                print("This is the error: {}".format(str(e)))

        compressed_alerts.close()
        log("Extracted {0} alerts from day {1}-{2}-{3}".format(daily_alerts,current_time.day,month_dict[current_time.month],current_time.year))
    else:
        log("Couldn't find file {}".format(alert_file))

    #Move to next file
    current_time += timedelta(days=1)

trimmed_alerts.close()

While you run the recovery.py script, you need to consider the following parameters:

usage: recovery.py [-h] [-eps eps] -min min_timestamp -max max_timestamp -o
                      output_file [-log log_file] [-w wazuh_path]
                      [-sz max_size]

  -eps eps, --eps eps   Events per second. Default: 400
  -min min_timestamp, --min_timestamp min_timestamp
                        Min timestamp. Example: 2019-11-13T08:42:17
  -max max_timestamp, --max_timestamp max_timestamp
                        Max timestamp. Example: 2019-11-13T23:59:06
  -o output_file, --output_file output_file
                        Alerts output file.
  -log log_file, --log_file log_file
                        Logs output.
  -w wazuh_path, --wazuh_path wazuh_path
                        Path to Wazuh. By default:/var/ossec/
  -sz max_size, --max_size max_size
                        Max output file size in Gb. Default: 1Gb. Example: 2.5

Run the command below to make the recovery.py script executable:
```
# chmod +x recovery.py
```
Execute the script using nohup command in the background to keep it running after the session is closed. It may take time depending on the size of the old logs.

Usage example:
```
# nohup ./recovery.py -eps 500 -min 2023-06-10T00:00:00 -max 2023-06-18T23:59:59 -o /tmp/recovery.json -log ./recovery.log -sz 2.5 &
```

Add the /tmp/recovery.json path to the Wazuh Filebeat module /usr/share/filebeat/module/wazuh/alerts/manifest.yml so that Filebeat sends the old alerts to the Wazuh indexer for indexing:

module_version: 0.1

var:
  - name: paths
    default:
      - /var/ossec/logs/alerts/alerts.json
      - /tmp/recovery.json
  - name: index_prefix
    default: wazuh-alerts-4.x-

input: config/alerts.yml

ingest_pipeline: ingest/pipeline.json

Restart Filebeat for the changes to take effect:
```
# systemctl restart filebeat
```

Verifying data restoration

Using the Wazuh dashboard, navigate to the Threat Hunting, File Integrity Monitoring, Vulnerability Detection, and any other modules to see if the data is restored successfully.

Multi-node data restoration

Perform the actions below to restore the Wazuh central components on their respective Wazuh nodes.

Preparing the data restoration

Compress the files generated after performing Wazuh files backup and transfer them to the respective new servers:
```
# tar -cvzf <SERVER_HOSTNAME>.tar.gz ~/wazuh_files_backup/
```
Where:
- <SERVER_HOSTNAME> represents the current server name. Consider adding the naming convention, _indexer, _server, _dashboard if the current hostnames don’t specify them.
Note

Make sure that Wazuh indexer compressed files are transferred to the new Wazuh indexer nodes, Wazuh server compressed files are transferred to the new Wazuh server nodes, and Wazuh dashboard compressed files are transferred to the new Wazuh dashboard nodes.
Move the compressed file to the root / directory of each node:
```
# mv <SERVER_HOSTNAME>.tar.gz /
# cd /
```
Decompress the backup files and change the current working directory to the directory based on the date and time of the backup files:
```
# tar -xzvf <SERVER_HOSTNAME>.tar.gz
# cd ~/wazuh_files_backup/<DATE_TIME>
```

Restoring Wazuh indexer files

You need to have a new installation of Wazuh indexer. Follow the Wazuh indexer - Installation guide to perform a fresh Wazuh indexer installation.

Perform the following steps on each Wazuh indexer node.

Stop the Wazuh indexer to prevent any modification to the Wazuh indexer files during the restore process:
```
# systemctl stop wazuh-indexer
```

Restore the Wazuh indexer configuration files, and change the file permissions and ownerships accordingly:

# sudo cp etc/wazuh-indexer/jvm.options /etc/wazuh-indexer/jvm.options
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/jvm.options
# sudo cp etc/wazuh-indexer/jvm.options.d /etc/wazuh-indexer/jvm.options.d
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/jvm.options.d
# sudo cp etc/wazuh-indexer/log4j2.properties /etc/wazuh-indexer/log4j2.properties
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/log4j2.properties
# sudo cp etc/wazuh-indexer/opensearch.keystore /etc/wazuh-indexer/opensearch.keystore
# chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch.keystore
# sudo cp -r etc/wazuh-indexer/opensearch-observability/* /etc/wazuh-indexer/opensearch-observability/
# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-observability/
# sudo cp -r etc/wazuh-indexer/opensearch-reports-scheduler/* /etc/wazuh-indexer/opensearch-reports-scheduler/
# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-reports-scheduler/
# sudo cp usr/lib/sysctl.d/wazuh-indexer.conf /usr/lib/sysctl.d/wazuh-indexer.conf

Start the Wazuh indexer service:
```
# systemctl start wazuh-indexer
```

Restoring Wazuh server files

You need to have a new installation of a Wazuh server. Follow the Wazuh server - Installation guide to perform a multi-node Wazuh server installation. There will be at least one master node and one worker node as node types. Perform the steps below, considering your node type.

Stop the Wazuh manager and Filebeat to prevent any modification to the Wazuh server files during the restore process:
```
# systemctl stop filebeat
# systemctl stop wazuh-manager
```

Copy Wazuh server data and configuration files, and change the file permissions and ownerships accordingly:

# sudo cp etc/filebeat/filebeat.reference.yml /etc/filebeat/
# sudo cp etc/filebeat/fields.yml /etc/filebeat/
# sudo cp -r etc/filebeat/modules.d/* /etc/filebeat/modules.d/
# sudo cp -r etc/postfix/* /etc/postfix/
# sudo cp var/ossec/etc/client.keys /var/ossec/etc/
# chown root:wazuh /var/ossec/etc/client.keys
# sudo cp -r var/ossec/etc/sslmanager* /var/ossec/etc/
# sudo cp var/ossec/etc/ossec.conf /var/ossec/etc/
# chown root:wazuh /var/ossec/etc/ossec.conf
# sudo cp var/ossec/etc/internal_options.conf /var/ossec/etc/
# chown root:wazuh /var/ossec/etc/internal_options.conf
# sudo cp var/ossec/etc/local_internal_options.conf /var/ossec/etc/
# chown root:wazuh /var/ossec/etc/local_internal_options.conf
# sudo cp -r var/ossec/etc/rules/* /var/ossec/etc/rules/
# chown -R wazuh:wazuh /var/ossec/etc/rules/
# sudo cp -r var/ossec/etc/decoders/* /var/ossec/etc/decoders
# chown -R wazuh:wazuh /var/ossec/etc/decoders/
# sudo cp -r var/ossec/etc/shared/*  /var/ossec/etc/shared/
# chown -R wazuh:wazuh /var/ossec/etc/shared/
# chown root:wazuh /var/ossec/etc/shared/ar.conf
# sudo cp -r var/ossec/logs/* /var/ossec/logs/
# chown -R wazuh:wazuh /var/ossec/logs/
# sudo cp -r var/ossec/queue/agentless/*  /var/ossec/queue/agentless/
# chown -R wazuh:wazuh /var/ossec/queue/agentless/
# sudo cp var/ossec/queue/agents-timestamp /var/ossec/queue/
# chown root:wazuh /var/ossec/queue/agents-timestamp
# sudo cp -r var/ossec/queue/fts/* /var/ossec/queue/fts/
# chown -R wazuh:wazuh /var/ossec/queue/fts/
# sudo cp -r var/ossec/queue/rids/* /var/ossec/queue/rids/
# chown -R wazuh:wazuh /var/ossec/queue/rids/
# sudo cp -r var/ossec/stats/* /var/ossec/stats/
# chown -R wazuh:wazuh /var/ossec/stats/
# sudo cp -r var/ossec/var/multigroups/* /var/ossec/var/multigroups/
# chown -R wazuh:wazuh /var/ossec/var/multigroups/

Restore certificates for Wazuh agent and Wazuh server communication, and additional configuration files if present:

# sudo cp -r var/ossec/etc/*.pem /var/ossec/etc/
# chown -R root:wazuh /var/ossec/etc/*.pem
# sudo cp var/ossec/etc/authd.pass /var/ossec/etc/
# chown -R root:wazuh /var/ossec/etc/authd.pass

Restore your custom files. If you have custom active response scripts, CDB lists, integrations, or wodle commands, adapt the following commands accordingly:

# sudo cp var/ossec/active-response/bin/<CUSTOM_AR_SCRIPT> /var/ossec/active-response/bin/
# chown root:wazuh /var/ossec/active-response/bin/<CUSTOM_AR_SCRIPT>
# sudo cp var/ossec/etc/lists/<USER_CDB_LIST>.cdb /var/ossec/etc/lists/
# chown root:wazuh /var/ossec/etc/lists/<USER_CDB_LIST>.cdb
# sudo cp var/ossec/integrations/<CUSTOM_INTEGRATION_SCRIPT> /var/ossec/integrations/
# chown root:wazuh /var/ossec/integrations/<CUSTOM_INTEGRATION_SCRIPT>
# sudo cp var/ossec/wodles/<CUSTOM_WODLE_SCRIPT> /var/ossec/wodles/
# chown root:wazuh /var/ossec/wodles/<CUSTOM_WODLE_SCRIPT>

Restore the Wazuh databases that contain collected data from Wazuh agents:

# sudo cp var/ossec/queue/db/* /var/ossec/queue/db/
# chown -R wazuh:wazuh /var/ossec/queue/db/

Start the Filebeat service:
```
# systemctl start filebeat
```
Start the Wazuh manager service:
```
# systemctl start wazuh-manager
```

Restoring Wazuh dashboard files

You need to have a new installation of the Wazuh dashboard. Follow Wazuh dashboard - Installation guide to perform Wazuh dashboard installation.

Perform the following steps to restore Wazuh reports and custom images on the new server if you have any from your backup.

Restore your Wazuh reports using the following command:

# mkdir -p /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/
# sudo cp -r usr/share/wazuh-dashboard/data/wazuh/downloads/reports/* /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/
# chown -R wazuh-dashboard:wazuh-dashboard /usr/share/wazuh-dashboard/data/wazuh/downloads/

Navigate to Dashboard management > App Settings > Custom branding from the Wazuh dashboard and upload your custom images.

Restoring old logs

Wazuh, by default, compresses logs that are older than a day. While performing log restoration in the Restoring Wazuh server files section, the old logs remain compressed.

Perform the following actions on both master and worker nodes of your Wazuh server to decompress the old logs and re-inject them for indexing to the Wazuh indexer.

Note

Restoring old logs will have a creation date of the day when the restoration is performed.

Create a Python script called recovery.py on your Wazuh server. This script decompresses all the old logs and stores them in the recovery.json file in /tmp directory.
```
# touch recovery.py
```

Add the following content to the recovery.py script:

#!/usr/bin/env python

import gzip
import time
import json
import argparse
import re
import os
from datetime import datetime
from datetime import timedelta

def log(msg):
    now_date = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    final_msg = "{0} wazuh-reinjection: {1}".format(now_date, msg)
    print(final_msg)
    if log_file:
        f_log.write(final_msg + "\n")

EPS_MAX = 400
wazuh_path = '/var/ossec/'
max_size=1
log_file = None

parser = argparse.ArgumentParser(description='Reinjection script')
parser.add_argument('-eps','--eps', metavar='eps', type=int, required = False, help='Events per second.')
parser.add_argument('-min', '--min_timestamp', metavar='min_timestamp', type=str, required = True, help='Min timestamp. Example: 2017-12-13T23:59:06')
parser.add_argument('-max', '--max_timestamp', metavar='max_timestamp', type=str, required = True, help='Max timestamp. Example: 2017-12-13T23:59:06')
parser.add_argument('-o', '--output_file', metavar='output_file', type=str, required = True, help='Output filename.')
parser.add_argument('-log', '--log_file', metavar='log_file', type=str, required = False, help='Logs output')
parser.add_argument('-w', '--wazuh_path', metavar='wazuh_path', type=str, required = False, help='Path to Wazuh. By default:/var/ossec/')
parser.add_argument('-sz', '--max_size', metavar='max_size', type=float, required = False, help='Max output file size in Gb. Default: 1Gb. Example: 2.5')

args = parser.parse_args()

if args.log_file:
    log_file = args.log_file
    f_log = open(log_file, 'a+')


if args.max_size:
    max_size = args.max_size

if args.wazuh_path:
    wazuh_path = args.wazuh_path

output_file = args.output_file

#Gb to bytes
max_bytes = int(max_size * 1024 * 1024 * 1024)

if (max_bytes <= 0):
    log("Error: Incorrect max_size")
    exit(1)

month_dict = ['Null','Jan','Feb','Mar','Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov','Dec']

if args.eps:
    EPS_MAX = args.eps

if EPS_MAX < 0:
    log("Error: incorrect EPS")
    exit(1)

min_date = re.search('(\\d\\d\\d\\d)-(\\d\\d)-(\\d\\d)T\\d\\d:\\d\\d:\\d\\d', args.min_timestamp)
if min_date:
    min_year = int(min_date.group(1))
    min_month = int(min_date.group(2))
    min_day = int(min_date.group(3))
else:
    log("Error: Incorrect min timestamp")
    exit(1)

max_date = re.search('(\\d\\d\\d\\d)-(\\d\\d)-(\\d\\d)T\\d\\d:\\d\\d:\\d\\d', args.max_timestamp)
if max_date:
    max_year = int(max_date.group(1))
    max_month = int(max_date.group(2))
    max_day = int(max_date.group(3))
else:
    log("Error: Incorrect max timestamp")
    exit(1)

# Converting timestamp args to datetime
min_timestamp = datetime.strptime(args.min_timestamp, '%Y-%m-%dT%H:%M:%S')
max_timestamp = datetime.strptime(args.max_timestamp, '%Y-%m-%dT%H:%M:%S')

chunk = 0
written_alerts = 0
trimmed_alerts = open(output_file, 'w')

max_time=datetime(max_year, max_month, max_day)
current_time=datetime(min_year, min_month, min_day)

while current_time <= max_time:
    alert_file = "{0}logs/alerts/{1}/{2}/ossec-alerts-{3:02}.json.gz".format(wazuh_path,current_time.year,month_dict[current_time.month],current_time.day)

    if os.path.exists(alert_file):
        daily_alerts = 0
        compressed_alerts = gzip.open(alert_file, 'r')
        log("Reading file: "+ alert_file)
        for line in compressed_alerts:
            # Transform line to json object
            try:
                line_json = json.loads(line.decode("utf-8", "replace"))

                # Remove unnecessary part of the timestamp
                string_timestamp = line_json['timestamp'][:19]

                # Ensure timestamp integrity
                while len(line_json['timestamp'].split("+")[0]) < 23:
                    line_json['timestamp'] = line_json['timestamp'][:20] + "0" + line_json['timestamp'][20:]

                # Get the timestamp readable
                event_date = datetime.strptime(string_timestamp, '%Y-%m-%dT%H:%M:%S')

                # Check the timestamp belongs to the selected range
                if (event_date <= max_timestamp and event_date >= min_timestamp):
                    chunk+=1
                    trimmed_alerts.write(json.dumps(line_json))
                    trimmed_alerts.write("\n")
                    trimmed_alerts.flush()
                    daily_alerts += 1
                    if chunk >= EPS_MAX:
                        chunk = 0
                        time.sleep(2)
                    if os.path.getsize(output_file) >= max_bytes:
                        trimmed_alerts.close()
                        log("Output file reached max size, setting it to zero and restarting")
                        time.sleep(EPS_MAX/100)
                        trimmed_alerts = open(output_file, 'w')

            except ValueError as e:
                print("Oops! Something went wrong reading: {}".format(line))
                print("This is the error: {}".format(str(e)))

        compressed_alerts.close()
        log("Extracted {0} alerts from day {1}-{2}-{3}".format(daily_alerts,current_time.day,month_dict[current_time.month],current_time.year))
    else:
        log("Couldn't find file {}".format(alert_file))

    #Move to next file
    current_time += timedelta(days=1)

trimmed_alerts.close()

While you run the recovery.py script, you need to consider the following parameters:

usage: recovery.py [-h] [-eps eps] -min min_timestamp -max max_timestamp -o
                      output_file [-log log_file] [-w wazuh_path]
                      [-sz max_size]

  -eps eps, --eps eps   Events per second. Default: 400
  -min min_timestamp, --min_timestamp min_timestamp
                        Min timestamp. Example: 2019-11-13T08:42:17
  -max max_timestamp, --max_timestamp max_timestamp
                        Max timestamp. Example: 2019-11-13T23:59:06
  -o output_file, --output_file output_file
                        Alerts output file.
  -log log_file, --log_file log_file
                        Logs output.
  -w wazuh_path, --wazuh_path wazuh_path
                        Path to Wazuh. By default:/var/ossec/
  -sz max_size, --max_size max_size
                        Max output file size in Gb. Default: 1Gb. Example: 2.5

Run the command below to make the recovery.py script executable:
```
# chmod +x recovery.py
```
Execute the script using nohup command in the background to keep it running after the session is closed. It may take time depending on the size of the old logs.

Usage example:
```
# nohup ./recovery.py -eps 500 -min 2023-06-10T00:00:00 -max 2023-06-18T23:59:59 -o /tmp/recovery.json -log ./recovery.log -sz 2.5 &
```

Add the /tmp/recovery.json path to the Wazuh Filebeat module /usr/share/filebeat/module/wazuh/alerts/manifest.yml so that Filebeat sends the old alerts to the Wazuh indexer for indexing:

module_version: 0.1

var:
  - name: paths
    default:
      - /var/ossec/logs/alerts/alerts.json
      - /tmp/recovery.json
  - name: index_prefix
    default: wazuh-alerts-4.x-

input: config/alerts.yml

ingest_pipeline: ingest/pipeline.json

Restart Filebeat for the changes to take effect.
```
# systemctl restart filebeat
```

Verifying data restoration

Using the Wazuh dashboard, navigate to the Threat Hunting, File Integrity Monitoring, Vulnerability Detection, and any other modules to see if the data is restored successfully.

Wazuh agent

Restore your Wazuh agent installation by following these steps.

Note

You need elevated privileges to execute the commands below.

Linux

You need to have a new installation of the Wazuh agent on a Linux endpoint. Follow the Deploying Wazuh agents on Linux endpoints guide to perform a fresh Wazuh agent installation.

Preparing the data restoration

Compress the files generated after performing the Wazuh files backup and transfer them to the respective monitored endpoints.
```
# tar -cvzf wazuh_agent.tar.gz ~/wazuh_files_backup/
```
Move the compressed file to the root / directory of your node:
```
# mv wazuh_agent.tar.gz /
# cd /
```
Decompress the backup files and change the current working directory to the directory based on the date and time of the backup files.
```
# tar -xzvf wazuh_agent.tar.gz
# cd ~/wazuh_files_backup/<DATE_TIME>
```

Restoring Wazuh agent files

Perform the steps below to restore the Wazuh agent files on a Linux endpoint.

Stop the Wazuh agent to prevent any modification to the Wazuh agent files during the restore process:
```
# systemctl stop wazuh-agent
```

Restore Wazuh agent data, certificates, and configuration files, and change the file permissions and ownerships accordingly:

# sudo cp var/ossec/etc/client.keys /var/ossec/etc/
# chown wazuh:wazuh /var/ossec/etc/client.keys
# sudo cp var/ossec/etc/ossec.conf /var/ossec/etc/
# chown root:wazuh /var/ossec/etc/ossec.conf
# sudo cp var/ossec/etc/internal_options.conf /var/ossec/etc/
# chown root:wazuh /var/ossec/etc/internal_options.conf
# sudo cp var/ossec/etc/local_internal_options.conf /var/ossec/etc/
# chown root:wazuh /var/ossec/etc/local_internal_options.conf
# sudo cp -r var/ossec/etc/*.pem /var/ossec/etc/
# chown -R root:wazuh /var/ossec/etc/*.pem
# sudo cp -r var/ossec/logs/* /var/ossec/logs/
# chown -R wazuh:wazuh /var/ossec/logs/
# sudo cp -r var/ossec/queue/rids/* /var/ossec/queue/rids/
# chown -R wazuh:wazuh /var/ossec/queue/rids/

Restore your custom files such as local SCA policies, active response scripts, and wodle commands if there are any and change the file permissions. Adapt the following command accordingly.

# sudo cp var/ossec/etc/<SCA_DIRECTORY>/<CUSTOM_SCA_FILE> /var/ossec/etc/<SCA_DIRECTORY>/
# chown wazuh:wazuh /var/ossec/etc/custom-sca-files/<CUSTOM_SCA_FILE>
# sudo cp var/ossec/active-response/bin/<CUSTOM_ACTIVE_RESPONSE_SCRIPT> /var/ossec/active-response/bin/
# chown root:wazuh /var/ossec/active-response/bin/<CUSTOM_ACTIVE_RESPONSE_SCRIPT>
# sudo cp var/ossec/wodles/<CUSTOM_WODLE_SCRIPT> /var/ossec/wodles/
# chown root:wazuh /var/ossec/wodles/<CUSTOM_WODLE_SCRIPT>

Start the Wazuh agent service:
```
# systemctl start wazuh-agent
```

Windows

You need to have a new installation of the Wazuh agent on a Windows endpoint. Follow the Deploying Wazuh agents on Windows endpoints guide to perform a fresh Wazuh agent installation.

Preparing the data restoration

Compress the files generated after performing the Wazuh files backup and transfer them to the Downloads directory of the respective agent endpoints.
Decompress the file using 7-Zip or any of your preferred tools.

Restoring Wazuh agent files

Perform the steps below to restore Wazuh agent files on a Windows endpoint.

Stop the Wazuh agent to prevent any modification to the Wazuh agent files during the restore process by running the following command on PowerShell as an administrator:
```
> NET STOP WazuhSvc
```
Launch PowerShell as an administrator and navigate to the wazuh_files_backup/<DATE_TIME> folder that contains the backup files.

Run the following commands to copy the Wazuh agent data, certificates, and configurations:

> Copy-Item "$bkp_folder\client.keys" "C:\Program Files (x86)\ossec-agent" -Recurse -Force
> Copy-Item "$bkp_folder\ossec.conf" "C:\Program Files (x86)\ossec-agent" -Recurse -Force
> Copy-Item "$bkp_folder\internal_options.conf" "C:\Program Files (x86)\ossec-agent" -Recurse -Force
> Copy-Item "$bkp_folder\local_internal_options.conf" "C:\Program Files (x86)\ossec-agent" -Recurse -Force
> Copy-Item "$bkp_folder\*.pem" "C:\Program Files (x86)\ossec-agent" -Recurse -Force
> Copy-Item "$bkp_folder\ossec.log" "C:\Program Files (x86)\ossec-agent" -Recurse -Force
> Copy-Item "$bkp_folder\logs\*" "C:\Program Files (x86)\ossec-agent\logs" -Recurse -Force
> Copy-Item "$bkp_folder\rids\*" "C:\Program Files (x86)\ossec-agent\rids" -Recurse -Force

You can also copy these files using the drag and drop method.

Restore your custom files, such as local SCA policies, active response scripts, and wodle commands, if there are any. Adapt the following command accordingly.

# Example variables - replace with your actual file names and folders
$SCA_DIRECTORY = "sca"
$CUSTOM_SCA_FILE = "custom_sca.yml"
$CUSTOM_ACTIVE_RESPONSE_SCRIPT = "my_response.ps1"
$CUSTOM_WODLE_SCRIPT = "custom_wodle.py"

> Copy-Item "$SCA_DIRECTORY\$CUSTOM_SCA_FILE" "C:\Program Files (x86)\ossec-agent\$SCA_DIRECTORY" -Recurse -Force
> Copy-Item "active-response\bin\$CUSTOM_ACTIVE_RESPONSE_SCRIPT" "C:\Program Files (x86)\ossec-agent\active-response\bin" -Recurse -Force
> Copy-Item "wodles\$CUSTOM_WODLE_SCRIPT" "C:\Program Files (x86)\ossec-agent\wodles" -Recurse -Force

Start the Wazuh agent service by running the following command on the Command Prompt as an administrator:
```
NET START WazuhSvc
```

macOS

You need to have a new installation of the Wazuh agent on a macOS endpoint. Follow the Deploying Wazuh agents on macOS endpoints guide to perform a fresh Wazuh agent installation.

Preparing the data restoration

Compress the files generated after performing the Wazuh files backup and transfer them to the endpoint with the Wazuh agent installed.
```
# tar -cvzf wazuh_agent.tar.gz ~/wazuh_files_backup/
```
Move the compressed file to the Downloads directory of your node:
```
# mv wazuh_agent.tar.gz ~/Downloads
# cd ~/Downloads
```
Decompress the backup files and change the current working directory to the directory based on the date and time of the backup files.
```
# tar -xzvf wazuh_agent.tar.gz
# cd wazuh_files_backup/<DATE_TIME>
```

Restoring Wazuh agent files

Perform the steps below to restore Wazuh agent files on a macOS endpoint.

Stop the Wazuh agent to prevent any modification to the Wazuh agent files during the restore process:
```
# launchctl bootout system /Library/LaunchDaemons/com.wazuh.agent.plist
```

Restore Wazuh agent data, certificates, and configuration files:

# cp Library/Ossec/etc/client.keys /Library/Ossec/etc/
# cp Library/Ossec/etc/ossec.conf /Library/Ossec/etc/
# cp Library/Ossec/etc/internal_options.conf /Library/Ossec/etc/
# cp Library/Ossec/etc/local_internal_options.conf /Library/Ossec/etc/
# cp -R Library/Ossec/etc/*.pem /Library/Ossec/etc/
# cp -R Library/Ossec/logs/* /Library/Ossec/logs/
# cp -R Library/Ossec/queue/rids/* /Library/Ossec/queue/rids/

Restore custom files, such as local SCA policies, active response, and wodle scripts, if there are any.

# sudo cp Library/Ossec/<SCA_DIRECTORY>/<CUSTOM_SCA_FILE> /Library/Ossec/<SCA_DIRECTORY>/
# sudo cp Library/Ossec/active-response/bin/<CUSTOM_ACTIVE_RESPONSE_SCRIPT> /Library/Ossec/active-response/bin/
# sudo cp Library/Ossec/wodles/<CUSTOM_WODLE_SCRIPT> /Library/Ossec/wodles/

Start the Wazuh agent service:

# launchctl bootstrap system /Library/LaunchDaemons/com.wazuh.agent.plist

Verifying data restoration

Run the command below on your Wazuh server to check if the Wazuh agent is connected and active:
```
# /var/ossec/bin/agent_control -l
```

Using the Wazuh dashboard, navigate to Active agents. Select your Wazuh agent to see the data from the backup, such as Threat Hunting, Vulnerability Detection, Configuration Assessment, and others.

Wazuh Cloud service

Wazuh is a free and open source platform that delivers unified Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) capabilities. It protects workloads across on-premises, virtualized, cloud, and containerized environments.

You can deploy Wazuh in three ways:

On-premises, managed entirely by you.
In your own cloud environment, under your control.
With Wazuh Cloud, a fully managed service operated by Wazuh.

Wazuh Cloud hosts and manages all central components in a unified, secure environment. The service provides fast provisioning, automated scaling, ongoing updates, and operational management, so you can focus on security operations rather than infrastructure.

Wazuh Cloud benefits

Fully managed service: We take care of installation, scaling, updates, and monitoring of Wazuh components.
Immediate time-to-value: A ready-to-use solution, with no additional hardware or software required, driving down the cost and complexity.
High availability and scalability: A flexible infrastructure that you can tailor to meet specific needs and upgrade it to the most appropriate tier.
Wazuh AI security analyst: Automate your security analysis and receive actionable insights to help you understand and strengthen your security posture.
Security and regulatory compliance: Fully protected data, regular application of security patches and hardening practices. Compliant with PCI DSS and SOC2.
Customizable environments: Tailor retention, integrations, and resources to match your needs.
Support and monitoring: Continuous monitoring of the platform and access to Wazuh technical support.

Shared responsibility model

With Wazuh Cloud, responsibilities are divided between the service and the customer.

Managed by Wazuh

Hosting, deployment, and maintenance of Wazuh central components.
Infrastructure monitoring, scaling, and high availability.
Security of the underlying platform.
Service updates and version upgrades.

Managed by customer

Deploying and configuring Wazuh agents on your endpoints.
Defining custom detection rules, alerting policies, and integrations.
Managing access control for your users.
Responding to incidents detected in your environment.

Learn more about Wazuh Cloud in the sections below.

Getting started

Wazuh Cloud eliminates the need to deploy, configure, or maintain the Wazuh platform yourself. All central components are automatically installed, updated, and scaled by the service. This allows you to focus on securing your environment and responding to threats, rather than managing the underlying infrastructure.

The steps below guide you from account creation to monitoring your endpoints.

Sign up for a trial

You can start with a free trial to create an environment and explore Wazuh Cloud service. Wazuh provides a 14-day free trial period.

Follow these steps to create your trial environment.

Note

No credit card is required to start the free trial. See the Wazuh Cloud page for information related to the Wazuh Cloud trial experience.

Signing up

Perform the following steps to sign up for a free trial:

Go to the Wazuh Cloud page.
Select Start your free trial.
Fill in the required information and click Start free trial.
Verify your email address.

Now you are ready to create your first environment.

Creating environment

Follow these steps to set up and run your environment:

Log in to the Wazuh Cloud Console using your email address and password configured during registration.
Click Create environment.
Give your environment a name.
Fill in the use case. This information helps us understand why our users utilize our service, allowing us to improve it accordingly.
Select your preferred region for data residency. If you are not sure what to pick, select the region closest to your location to reduce latency for indexing and search requests.

Select one of the available profiles: Small, Medium or Large. If none of these predefined profiles meets your requirements, select the Custom option to customize the settings.

Metric	Small	Medium	Large
Active agents	Up to 100	Up to 250	Up to 500
Indexed data retention	1 month	3 Months	3 Months
Archived data retention	3 months	1 Year	1 Year
Average/Peak Events Per Second	100/500 EPS	250/1250 EPS	500/2500 EPS
Indexed data capacity	25 GB	250 GB	500 GB

For more details about the settings and their functionality, see the Settings section.

Note

During the trial period, some settings are limited. However, they do not prevent you from exploring and using the Wazuh Cloud platform. All restrictions are removed once you purchase the environment.

Select your pricing: Monthly or Annual. If you choose the monthly option, you will be billed monthly, whereas the annual option entails a single payment per year.
Click Start your free trial to build your environment. This process might take a few minutes.
Once your environment is ready, access the Wazuh dashboard and enroll agents to start monitoring your endpoints.

Note

If you do not enroll an agent within 3 days of starting the trial, your environment will be terminated due to inactivity.

Accessing the Wazuh dashboard

The Wazuh dashboard has a flexible and intuitive web interface that provides you access to visualizations that give you a comprehensive insight into your monitored endpoints.

Follow these steps to access the Wazuh dashboard:

Log in to the Wazuh Cloud Console.
Select the environment you want to access from the Environments page.
Click Open Wazuh to open the Wazuh dashboard.
Log in with the default credentials. You can view them by clicking Manage and selecting Default credentials on the Environments page.

Note

When accessing the Wazuh dashboard for the first time, use the default credentials. However, subsequently, you can log in using Single sign-on (SSO) if enabled or log in with the user accounts created in the Wazuh dashboard.

Changing the default credentials

For security reasons, we recommend changing the default password and creating your own users.

Follow these steps to reset the default credentials to connect to the Wazuh dashboard:

Log in to the Wazuh dashboard with the default credentials.
Click the wazuh_admin user on the top right corner.
Click Reset password.
On the Reset password page, fill in the current password and new password.
Click Reset.

Note

You can access the Wazuh dashboard directly using the URL https://<CLOUD_ID>.cloud.wazuh.com, where <CLOUD_ID> is the Cloud ID of your environment. If you have any questions about the Wazuh Cloud, see the Cloud service FAQ.

Next steps

Your Wazuh Cloud environment is ready, and you can install the Wazuh agent on the endpoints you want to monitor. See the Enroll agents section to learn how to install agents.

Enrolling agents

Enrolling agents is the process of connecting your endpoints (servers, workstations, or cloud instances) to your Wazuh Cloud environment. Once enrolled, Wazuh agents begin forwarding security telemetry such as logs, vulnerabilities, and configuration data.

Deploying agent

To start using Wazuh, you need to install a Wazuh agent on your endpoint and enroll it in your environment.

Follow these steps to deploy an agent:

Log into the Wazuh dashboard.
Click the upper-left menu icon ☰, expand Agents management and select Summary.
Click Deploy new agent.
Follow the steps outlined on the Deploy new agent page.

Verifying agent enrollment

Once installed, the agent automatically attempts to connect to Wazuh Cloud. Verify the enrollment by following the below steps:

Log into the Wazuh dashboard.
Click the upper-left menu icon ☰, expand Agents management and select Summary.
The list of agents are displayed on the Summary page.

Creating agent groups

Agent groups in Wazuh are used to organize and manage agents by grouping them based on criteria such as role, location, or system type. This allows for centralized management and tailored configuration, enabling you to apply rules, policies, and settings efficiently. New agents are automatically assigned to a default group called "default" if they are not placed in another group. Use the default group for basic monitoring first, then assign agents to more appropriate groups as needed.

To manage devices within your environment more efficiently, you can create groups and assign agents to these groups at the point of enrollment. Follow these steps to create groups on your dashboard:

Log in to the Wazuh dashboard.
Click the upper-left menu icon ☰, expand Agents management and select Groups.
Click Add new group on the upper right corner on the Groups page.
Specify the group name and click Save new group.

Cloud service FAQ

What is Wazuh Cloud?

Wazuh Cloud hosts and manages all the Wazuh central components in a single platform. You create an environment, enroll Wazuh agents, and use capabilities such as security information and event management (SIEM) and extended detection and response (XDR).

Can I try it for free?

Yes, you can sign up for a 14-day free trial. No credit card is required.

Will I be charged when my trial is over?

No. We do not charge you during the trial. After the trial expiration, the default payment method will be charged. You will receive a reminder 7 days before the trial expiration. Make sure you add your billing information, otherwise your environment will be deleted completely on the expiration date.

Is Wazuh Cloud PCI DSS compliant?

Yes. Wazuh Cloud is validated as a PCI DSS Level 1 Service Provider.

Is Wazuh Cloud SOC 2 compliant?

Yes, Wazuh Cloud complies with SOC 2 standards.

How can I get support?

Support is included after your first payment. Contact us from the Help section in the Wazuh Cloud Console. You can also fill out this form to get help from the Wazuh team.

Where is Wazuh Cloud hosted?

Wazuh Cloud is hosted on Amazon Web Services (AWS).

What is a profile?

A profile is a predefined set of settings for a Wazuh Cloud environment. We offer three profiles: Small, Medium, and Large. They provide ready-to-use environment templates that cater to different needs and requirements. If none fits your requirements, configure the settings individually.

What is a setting?

A setting is a configuration option for a Wazuh Cloud environment. Settings define limits and functionality. For example, the Active agents setting specifies the maximum number of active agents in your environment. Your chosen settings affect pricing.

What is the indexed data?

Indexed data (previously hot storage) is the data available on the Wazuh dashboard. Wazuh ingests events from agents, indexes them, and makes them searchable and analyzable.

What is the archive data?

Wazuh archives data in an AWS S3 bucket for long‑term storage. Unlike indexed data, archive data is not searchable or analyzable. It consists of compressed files. For more information, see the Archive data section.

What happens if the tier limit is reached?

See What happens if the indexed data capacity setting is reached?.

What happens if the indexed data capacity setting is reached?

When the indexed data capacity is reached, Wazuh automatically removes the oldest events from the index. The removed data remains available as archive data. See the Archive data section to learn more.

How is indexed data rotated?

Rotation depends on two conditions: indexed data retention and indexed data capacity. For example, with 3‑month retention and 100 GB capacity, if you use 100 GB in the first month, rotation starts immediately. If you use only 20 GB, data from month one rotates at month four.

What happens if the average/peak EPS is exceeded?

If incoming events per second exceed the average/peak EPS setting, events queue. When the queue is full, Wazuh discards new events, which can cause event loss.

Can I increase the average/peak EPS?

See Adjusting environment settings.

Can I cancel at any time?

Yes. You can cancel at any time with no penalty. You can use your environment until the end of your current billing cycle, and no future charges are incurred after this period.

Your environment

The Wazuh Cloud environment contains all the Wazuh components ready for you to use.

Learn more about your environment in the sections below.

Authentication and authorization

You can use the native support for managing and authenticating users or integrate with external user management systems.

Note

You cannot log in to the Wazuh dashboard with your Wazuh Cloud account credentials. To log in to the Wazuh dashboard, use the default credentials from the Wazuh Cloud Console or credentials for a dashboard user you created.

Native support for users and roles

The Wazuh dashboard allows you to add users, create roles, and map roles to users. The following sections highlight more on this.

Creating an internal user

Follow these steps to create an internal user.

Log in to the Wazuh dashboard.
Click the upper-left menu icon ☰, expand Indexer management and select Security.
Select Internal users on the left pane, click Create internal user and complete the fields.
Click Create to complete the action.

Managing Wazuh indexer roles

Indexer roles are the core way of controlling access to your Wazuh indexer cluster. Roles contain any combination of cluster-wide permission, index-specific permissions, document and field-level security, and tenants. These roles define what a user can query, view, or manage within the indexer (logs, alerts, dashboards).

Note

You cannot customize reserved roles. Create a custom role with the same permissions or duplicate a reserved role to customize it. Then you map users to these roles so that users gain those permissions.

Follow these steps to create an indexer role using existing roles templates:

Log in to the Wazuh dashboard.
Click the upper-left menu icon ☰, expand Indexer management and select Security.
Click on Roles on the left panel and select a role with the required permissions.
Click Actions at the top section and select Duplicate.
Fill in the required information on the Duplicate Role page.
Click Create to complete the process.

Mapping users to Wazuh indexer roles

Wazuh indexer role mappings are how users are granted access to indexed data in Wazuh. While indexer roles define the set of permissions available (such as searching logs, viewing alerts, or managing index patterns), role mappings connect those roles to individual users or user groups. This allows administrators to control who can query data, build dashboards, or access specific indices.

Follow these steps to map users to appropriate indexer roles:

Log in to the Wazuh dashboard.
Click the upper-left menu icon ☰, expand Indexer management and select Security.
Click on Roles on the left panel and search for the role created previously.
Click the role name to open the window.
Select the Mapped users tab and click Manage mapping.
Add the internal user and click Map to confirm the action.

Managing Wazuh server roles

Wazuh server roles are the primary way of controlling access to the Wazuh platform. They define what actions a user can perform within the Wazuh server and dashboard. Server roles may include permissions to manage agents, configure rules, adjust settings, or perform read-only operations. By assigning roles, administrators can control who is allowed to view alerts, enroll or remove agents, modify security configurations, or access sensitive management functions.

Note

Policies assigned during a role creation define the permissions associated with the role. Explore the Policies pane before creating a role to understand the actions and other components that make a policy.

In most cases, the available roles are sufficient for day to day operations. However, depending on user requirements, new roles can be created.

Follow these steps to create a server role:

Log in to the Wazuh dashboard.
Click the upper-left menu icon ☰, expand Server management and select Security.
On the Security page, go to the Roles pane.
Click Create role.
Provide a name for the new role and select your preferred policies from the list.
Click Create role to complete the process.

Mapping users to Wazuh server roles

Wazuh server role mappings are how permissions are assigned to users in the Wazuh platform. While server roles define what actions are possible, role mappings connect those roles to specific users or user groups. This ensures that the right people have the appropriate level of access to manage agents, configure rules, or view alerts. By managing role mappings, administrators control who can perform operational and administrative tasks within Wazuh.

Follow these steps to map users to server roles:

Log in to the Wazuh dashboard.
Click the upper-left menu icon ☰, expand Server management and select Security.
On the Security page, go to the Roles mapping pane.
Click Create Role mapping.
Assign a name to the role mapping.
Select the roles you want to map the user with.
Select the internal user.
Click Save role mapping to save and map the user with the role.

Creating and setting a Wazuh admin user

Follow the steps in the Creating an internal user section to create an internal user. Once the user has been created, follow these steps to create the required indexer role and map the created user to the role:

Log in to the Wazuh dashboard.
Click the upper-left menu icon ☰, expand Indexer management and select Security.
Click Roles to open the page and search for the all_access role in the list.
Select it, click Actions and select Duplicate.
Assign a name to the new role, then click Create to confirm the action.
On the newly created role page, select the Mapped users tab and click Manage mapping.
Add the user and click Map to confirm the action.

Follow these steps to create the required server role mapping, and map the user with the role to assign admin permissions:

Click the upper-left menu icon ☰, expand Server management and select Security.
On the Security page, go to the Roles mapping pane.
Click Create Role mapping.
Assign a name to the role mapping.
Select administrator in the role field.
Select the internal user.
Click Save role mapping to save and map the user as an administrator.

Creating and setting a Wazuh read-only user

Log in to the Wazuh dashboard.
Click the upper-left menu icon ☰, expand Indexer management and select Security.
Click Roles to open the page and click Create role.
Assign a name to the new role.
Select the following options in the empty fields:
1. Cluster permissions: cluster_composite_ops_ro
2. Index: *
3. Index permissions: read
4. Tenant permissions: global_tenant and select the Read only option.
Click Create to complete the process.
On the newly created role page, select the Mapped users tab and click Manage mapping.
Add the user and click Map to confirm the action.

Follow these steps to create the required server role mapping, and map the user with the role to assign read-only permissions:

Click the upper-left menu icon ☰, expand Server management and select Security.
Go to the Roles mapping pane on the Security page.
Click Create Role mapping.
Assign a name to the role mapping.
Select readonly in the role field.
Select the internal user.
Click Save role mapping to save and map the user with the read-only role.

To add more read-only users, you can skip the role creation task and map the users to the already existing read-only role.

Integrating with external user management systems

In many organizations, user access is centrally managed through directory services such as Active Directory, Keycloak, or other identity providers. Integrating Wazuh Cloud with these external systems ensures that authentication and authorization are consistent with existing security policies. This approach simplifies user management, improves compliance, and reduces the overhead of maintaining separate accounts just for Wazuh.

Wazuh Cloud supports integration with external user management systems such as LDAP for authentication. To enable this feature, open a support ticket through the Help section in your Wazuh Cloud Console, and the Wazuh Support team will guide you through the setup process.

Settings

Every cloud environment is configured based on specific settings that define its limitations and pricing. We offer six settings, comprising four basic and two advanced settings. Advanced settings are calculated from basic settings, but you can modify them.

To monitor your environment and check whether settings are being reached, see the Monitor usage section.

Understanding environment settings

Active agents

This basic setting sets the maximum count of active Wazuh agents that the environment can support. Please note that while registering an unlimited number of Wazuh agents is possible, the active agent count is limited by this setting.

If the maximum number of active agents is reached, the environment might start to malfunction, causing instability with agent connections. Although the system can temporarily handle exceeding the active agent limit, appropriate measures will be taken if the situation persists.

Indexed data

Indexed data is the data available on the Wazuh dashboard. Wazuh ingests events from agents, indexes them, and makes them searchable and analyzable.

Two settings define indexed data behavior:

Indexed data retention: It determines the maximum duration for which data remains indexed. This is a basic setting.
Indexed data capacity: It defines the maximum size, in bytes, of the indexed data. This is an advanced setting, and the interface provides a suggestion when selecting the Indexed data retention.

Data remains indexed until retention or capacity is reached. When either is reached, rotation removes the oldest data until the condition clears.

To configure index management policies, see Index lifecycle management documentation.

Archive data

This basic setting (previously cold storage) defines how long Wazuh stores analyzed data in an AWS S3 bucket. Unlike indexed data, archive data is not searchable or analyzable. It is a set of compressed files.

When the specified retention period has passed, Wazuh removes any archived files that are older than the configured time window.

Support plan

This setting indicates whether the support level is premium or standard.

Average/Peak EPS

This advanced setting is the average and maximum number of events per second (EPS) the environment analyzes. The interface suggests a value when you select the Active agents setting.

If ingestion exceeds the peak EPS, events queue. When the queue is full, Wazuh discards new events, which causes event loss. Queueing is managed automatically by the cloud service, ensuring optimal resource utilization.

The environment is configured with the limits eps option using the following parameters:

timeframe = 1 seconds
maximum = Peak EPS / number of server nodes

The number of server nodes is automatically determined by the cloud service based on the workload. For instance, if the Average/Peak EPS setting is 100/500 EPS and there is a cluster of 2 nodes at the current time, each node can process up to 250 events per second (500 peak EPS / 2 server nodes).

Adjusting environment settings

Managing your environment settings is crucial to meeting your evolving needs and optimizing the performance of your cloud environment. While some settings can be determined upfront, such as the number of active agents, indexed data retention, archive data, and support plan, it's important to note that these requirements may change over time.

Advanced settings might be more challenging to determine in advance. While the interface provides recommendations based on our experience, your specific workload might differ. Hence, we recommend deploying, monitoring, and adjusting the settings as needed to align with your evolving requirements.

To change a setting, open a support ticket. Here is the breakdown of the process:

Upgrading a setting: If you upgrade a setting, you are charged a prorated amount for the remainder of the current billing cycle. The change takes effect immediately after payment and your next billing cycle reflects the higher cost.
Downgrading a setting: If you downgrade a setting, the change takes effect at the start of the next billing cycle, and your cost is reduced accordingly.

Before any changes or payments are made, we confirm requested changes with you before applying them to ensure accuracy and alignment with your requirements.

By monitoring your environment and making necessary adjustments to the settings, you can ensure that your cloud environment remains optimized and aligned with your evolving needs.

Limits

Wazuh Cloud defines limits for key metrics that affect performance and capacity. You cannot change these limits. If an environment reaches a limit, the service might restrict activity. Contact Wazuh Support for help.

Limit definitions

The following limits apply to specific functionality and APIs in Wazuh Cloud.

Dashboards, visualizations, and queries

This limit governs concurrent execution of dashboards, visualizations, and queries. Wazuh Cloud maintains performance and responsiveness, but user‑created queries and visualizations also affect efficiency. Optimize your queries and visualizations to improve performance.

API rate limits

APIs include rate limits to prevent abuse and maintain performance and stability. A rate limit sets the maximum requests per second for a given API. Hitting these limits is rare. They protect the system and help ensure a smooth experience.

The following APIs have rate limits:

Agent registration: This controls the maximum rate of registration requests processed per second, ensuring a seamless onboarding process for agents connecting to the Wazuh Cloud environment.
Wazuh server API: This specifies the maximum requests allowable per second to the Wazuh server API, ensuring its stability and availability.
Wazuh indexer API: This sets the maximum requests allowed per second to the Wazuh indexer API, enabling efficient retrieval and manipulation of indexed data.
Access to the Archive data: This sets the maximum requests processed per second for accessing archive data, ensuring efficient retrieval when necessary.

Limitations

Wazuh Cloud is designed as a managed service, meaning that the Wazuh team takes responsibility for infrastructure management, scaling, updates, and security hardening. While this reduces operational overhead for users, it also means that access to certain components of the platform is intentionally limited. These safeguards ensure multi-tenant security, platform stability, and compliance with industry standards.

Dashboard access only

Users interact with Wazuh Cloud exclusively through the Wazuh dashboard and the ports required for agent communication.

Restricted API access

The Wazuh Server API and Wazuh indexer API are not accessible by default.
Access to these APIs can be enabled on request through Wazuh Support.
Even when enabled, only read operations are supported; direct write operations to the indexer API are not permitted.

No CLI access

Users do not have direct command-line or shell access to the underlying cloud infrastructure. This ensures that the environment remains secure, stable, and consistent across tenants.

These restrictions are in place to protect the integrity of the platform and to provide a reliable managed service experience. If you need functionality beyond these defaults, contact Wazuh support to discuss available options.

Cancellation

To cancel your environment:

Log in to the Wazuh Cloud Console.
Go to the Environments page and select your environment.
Click Manage and select Cancel environment.
On the next prompt, you are asked to confirm if you would like to cancel the environment.
Type CANCEL in the box provided to confirm the cancellation.
Click Cancel to confirm this action.
The environment is removed at the end of the billing cycle.

Warning

The cancellation cannot be undone, and all data is completely deleted with this action.

Monitor usage

This section provides details on using your environment, helping you to optimize its performance.

Viewing environment usage metrics

To see metrics of your Wazuh Cloud environment, follow these steps:

Log in to the Wazuh Cloud Console.
Go to the Environments page and select your specific environment.
Click on the Metrics tab.

Agents metric

The Agents metric shows the number of Wazuh agents in the active, disconnected, never connected, and pending states. It also displays the limit of active agents, which is configurable through the active agents setting.

Exceeding the active agents limit might cause operational issues and decrease system stability. Though the system can handle a temporary surplus of active agents, we advise immediate action:

Upgrade the active agents setting to match the actual count.
Reduce active agents.

This ensures a smooth operation and stability of your environment.

Data indexed metric

The data indexed metric presents a histogram that shows how much security data has been indexed in your environment over time:

X-axis: time
Y-axis: indexed data volume (in gigabytes)
It also displays the date of the oldest indexed alert currently stored.

This metric helps you verify whether your indexed data capacity and indexed data retention are sufficient for your needs. The Wazuh Cloud environment automatically rotates (deletes) data when either:

The used storage exceeds the configured indexed data capacity, or
The alert date exceeds the configured indexed data retention period.

How to interpret this metric:

If your environment age is less than the configured retention period, the oldest alert date should align with the environment age.
If your environment age is greater than or equal to the retention period, the oldest alert date should align with the retention period.

In both cases, your configuration is working correctly and no action is required. If the oldest alert date does not align with either, it indicates premature data rotation. In this case, you should:

Increase the indexed data capacity, or
Adjust your rule configurations to filter out less critical events and reduce data volume.

Note

Oldest alert date never exceeds the configured retention period, rotation enforces this limit.

Monitoring the data indexed metric ensures that your storage and retention settings continue to match your operational needs. If usage trends change, you can upgrade or downgrade your environment's settings to maintain optimal performance and data availability.

Events - Dropped over time and Events - Processed vs dropped metrics

The Wazuh Cloud dashboard provides two key metrics to help you understand the efficiency of event ingestion and processing in your environment:

Events - Dropped over time: A histogram that shows the number of events lost or dropped during a given period. Drops occur when the rate of incoming events exceeds the environment's configured average/peak EPS (events per second) limit. When this happens, the event queues fill up, and additional events are discarded.
Events - Processed vs dropped: A pie chart that compares the proportion of successfully processed events against those that were dropped. This provides a quick visual summary of overall event handling performance.

Consistent or frequent event drops indicate that your environment may not be able to handle the current event rate. If this continues, important alerts could be lost, reducing visibility into your security posture.

If you observe a pattern of drops in these metrics, consider the following actions to address this:

Increase the EPS setting: Adjust the average/peak EPS configuration to better align with your actual event rate. This ensures your environment can process more events without loss.
Review agent configuration: Some agents may be sending excessive or unnecessary data. Tune their configuration to reduce noise, such as by filtering out less critical events before they are sent.
Use the leaky bucket algorithm: Implement a leaky bucket configuration on agents to smooth out event flow. This prevents sudden spikes in event bursts that could overwhelm queues and cause drops.

By combining these strategies, you can ensure that your environment remains within its processing limits, reducing the risk of lost events while maintaining efficient and reliable event ingestion.

Forward syslog events

Wazuh agents can run on a wide range of operating systems, but when it is not possible due to software incompatibilities or business restrictions, you can forward syslog events to your environment. This is a common use case for network devices such as routers or firewalls.

Since every communication with your environment is performed through the Wazuh agent, you must configure the agent to forward the syslog events. To do so, you have these options:

Rsyslog on Linux
Logstash on Windows

Rsyslog on Linux

Use rsyslog on a Linux endpoint with a Wazuh agent to log to a file and send those logs to the environment.

Configure rsyslog to receive syslog events and enable the TCP or UDP settings by editing the /etc/rsyslog.conf file.
- For TCP:
```
$ModLoad imtcp
$InputTCPServerRun <PORT>
```
- For UDP:
```
$ModLoad imudp
$UDPServerRun <PORT>
```
Note

Make sure to review your firewall/SELinux configuration to allow this communication.
Configure rsyslog to forward events to a file by editing the /etc/rsyslog.conf file.
```
# Storing Messages from a Remote System into a specific File
if $fromhost-ip startswith '<REMOTE_DEVICE_IP>' then /var/log/<FILE_NAME>.log
& ~
```
To perform the following steps, make sure to replace <FILE_NAME> with the name chosen for this log and <REMOTE_DEVICE_IP> with the IP address of the remote system.
Deploy a Wazuh agent on the same endpoint with rsyslog installed.

Configure the agent to read the syslog output file by editing the /var/ossec/etc/ossec.conf file.

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/<FILE_NAME>.log</location>
</localfile>

Run the commands below to restart rsyslog and the Wazuh agent:

# systemctl restart rsyslog
# systemctl restart wazuh-agent

Logstash on Windows

Use Logstash on a Windows endpoint with a Wazuh agent to receive syslog, log to a file, and send those logs to the environment.

Install Logstash.
1. Download the Logstash ZIP package.
2. Extract the ZIP contents into a local folder, for example, to C:\logstash\.

Configure Logstash.

Create the following file: C:\logstash\config\logstash.conf

input {
   syslog {
      port => <PORT>
   }
}

output {
   file {
      path => "C:\logstash\logs\<FILE_NAME>.log"
      codec => "line"
   }
}

Ensure to replace <FILE_NAME> with the name chosen for this log.

Deploy a Wazuh agent on the same endpoint that has Logstash.

Configure the Wazuh agent to read the Logstash output file by adding the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file:

<ossec_config>
  <localfile>
     <log_format>syslog</log_format>
     <location>C:\logstash\logs\<FILE_NAME>.log</location>
  </localfile>
</ossec_config>

Restart Logstash.
1. Run Logstash from the command line:
```
C:\logstash\bin\logstash.bat -f C:\logstash\config\logstash.conf
```
  Note
  
  Closing the terminal where Logstash is running terminates it.
2. Install Logstash as a Windows Service either using NSSM or Windows Task Scheduler.
Restart the Wazuh agent.
```
Restart-Service Wazuh
```

Agents without Internet access

In many organizations, certain systems, especially those in restricted, segmented, or highly secure networks do not have direct access to the Internet. These systems still generate important security events that need to be monitored by Wazuh.

Wazuh Cloud supports secure methods to ensure that such isolated or private network agents can still send their data to your cloud environment. This enables visibility across your infrastructure, even for systems operating in air-gapped or compliance-restricted environments. The following options are available for this purpose:

Using a forwarding proxy
Using AWS PrivateLink

Using a forwarding proxy

It is possible to access your environment using an NGINX forwarding proxy.

To achieve this configuration, follow these steps:

Deploy a new instance in a public subnet with internet access.
Install NGINX on your instance following the NGINX documentation.
Configure NGINX.
1. Add the following lines to the HTTP section in your NGINX configuration, located in the /etc/nginx/nginx.conf file. This configuration enables Nginx to extract and use the real client IP address from the X-Forwarded-For header and sets restrictions on which real IP addresses are accepted as valid.
```
http{
real_ip_header X-Forwarded-For;
set_real_ip_from <nginx_ip>;
   }
```
2. Add the following block to the end of the NGINX configuration file /etc/nginx/nginx.conf and replace <CLOUD_ID> with the Cloud ID of your environment. This configuration enables stream proxying, where incoming traffic on specific ports is forwarded to the corresponding upstream servers (master or mycluster). This is based on the port numbers, 1515 and 1514 specified in the listen directive.
```
  stream {
    upstream master {
      server <CLOUD_ID>.cloud.wazuh.com:1515;
    }
    upstream mycluster {
      server <CLOUD_ID>.cloud.wazuh.com:1514;
      }
    server {
      listen nginx_ip:1515;
      proxy_pass master;
    }
    server {
      listen nginx_ip:1514;
      proxy_pass mycluster;
    }
  }
```
3. Restart the NGINX service.
```
# systemctl restart nginx
```
4. Enroll your agent with the IP address of the NGINX instance. To learn more about registering agents, see the Enroll agents section.
  
  Example:
```
# WAZUH_MANAGER_IP=<NGINX_IP_ADDRESS> \
WAZUH_PASSWORD="<PASSWORD>" \
yum install wazuh-agent
```
  Replace <PASSWORD> with your Wazuh server enrollment password.

Using AWS PrivateLink

If your agents are deployed within AWS, you can connect them securely to your Wazuh Cloud environment without sending traffic over the public Internet. Wazuh Cloud supports AWS PrivateLink, which keeps all communication within the AWS internal network. This approach enhances security, simplifies compliance, and reduces the risk of data exposure.

Follow the below steps to connect using AWS PrivateLink:

Request your Wazuh Virtual Private Cloud (VPC) endpoint service name
1. Log in to the Wazuh Cloud Console.
2. Navigate to the Help section and contact the Wazuh Support team.
3. Request your VPC endpoint service name, which follows this format: com.amazonaws.vpce.<REGION>.vpce-svc-<AWS_SERVICE_ID>
Create a VPC endpoint in your AWS account
1. Log in to your AWS Management Console.
2. Go to VPC, select Endpoints.
3. Click Create endpoint.
4. Choose the endpoint service provided by the Wazuh team.
5. Ensure the endpoint is created in the same AWS Region as the Wazuh service. For more details, see the AWS documentation.
Wait for Wazuh to approve the connection
- Once your endpoint is created, the Wazuh team will approve the connection.
- You will receive a notification when the PrivateLink connection is ready for use.
Enroll your Wazuh agent
- When configuring your agent, replace the WAZUH_MANAGER_IP value with your endpoint’s DNS name: vpce-<AWS_ENDPOINT_ID>.vpce-svc-<AWS_SERVICE_ID>.<REGION>.vpce.amazonaws.com.
If the agents are located in a different region than your endpoint, use VPC Peerings to connect them to the endpoint service. This allows them to send data securely through the PrivateLink connection.

Example:
```
# WAZUH_MANAGER_IP=vpce-<AWS_ENDPOINT_ID>.vpce-svc-<AWS_SERVICE_ID>.<REGION>.vpce.amazonaws.com \
WAZUH_PASSWORD="<PASSWORD>>" \
yum install wazuh-agent
```
In this example, make sure to replace <PASSWORD> with your actual password.

SMTP configuration

Wazuh can be configured to send email alerts to one or more email addresses when certain rules are triggered or for daily event reports.

This configuration requires an SMTP and you can use your own SMTP or the Wazuh Cloud SMTP.

Note

If your SMTP requires authentication, you need to open a ticket through the Help section of your Wazuh Cloud Console to configure it.

The Wazuh Cloud SMTP is limited to 100 emails per hour, regardless of the email_maxperhour setting. To enable the Wazuh Cloud SMTP, configure the following settings:

<global>
  . . .
  <smtp_server>wazuh-smtp</smtp_server>
  <email_from>no-reply@wazuh.com</email_from>
  ...
</global>

The Wazuh Cloud SMTP is now successfully configured.

Custom DNS

By default, Wazuh Cloud environments are accessed through a subdomain of cloud.wazuh.com.

You can configure your environment to use your own custom domain. To do this, go to the Wazuh Cloud Console under the environment details page. You need to provide the following:

Certificate: SSL/TLS certificate for your domain
- Must use SHA2
- Must use RSA with key size of at least 2048 bits
- TLS Web Server Authentication is required if using EKU
- Must contain domain name in CN or SAN field(s)
- Must be PEM encoded
Private Key: Associated with the provided certificate
- Must not be encrypted or require a passphrase
- Must be PEM encoded
Certificate Chain: Used to sign your certificate
- Must contain all intermediate certificates in the certificate chain
- Must be signed by a trusted certificate authority
- Must be PEM encoded

After providing the above and applying the configuration, create a CNAME DNS record using the value provided by the Wazuh Cloud Console.

Note

Your Wazuh Cloud environment is still accessible through the default URL, even if you have configured a custom domain.

Technical FAQ

How can I send data to my environment?
Is it possible to change the URL to access the environment?
What happens if the tier limit is reached?
What happens if indexed data capacity setting is reached?
Can I index the archive data again?
What if I need to change the size of my tier?
What if I need to upgrade or downgrade a setting?
What happens if active agents setting is reached?
What happens if average/peak EPS setting is reached?
How do I get SSH access to my environment?
How can I update my environment?
Can I send syslog data directly to the environment?
Can I send data directly to the Wazuh indexer of my environment?
Can I integrate with my Single Sign-On (SSO) method (LDAP, Okta, Active Directories)?
Do I have access to Wazuh API?
Do I have access to Wazuh indexer API?
How can I forward my logs to another solution or SOC?
Is my environment shared with other customers?
What are the available regions?
What status can my environment have?

How can I send data to my environment?

All the communications are performed through Wazuh agents once they are registered to the environment.

Is it possible to change the URL to access the environment?

It is possible to get a new URL by opening a support ticket through the Help section on the Wazuh Cloud Console, but the previous URL is also kept.

What happens if the tier limit is reached?

See What happens if *indexed data capacity* setting is reached?

What happens if indexed data capacity setting is reached?

When the selected indexed data capacity is reached, the oldest events will be automatically removed from your index regardless of the index data time. This data is available in archive data for you to access. See the Archive data section to learn more about data logging and storage.

Can I index the archive data again?

It is possible to download the data from the archive data and re-index it into your local environments. However, it isn't possible to re-index it in your cloud environment.

What if I need to change the size of my tier?

See What if I need to upgrade or downgrade a setting?

What if I need to upgrade or downgrade a setting?

You can upgrade or downgrade a setting by contacting the Wazuh team through the Help section of your Wazuh Cloud Console. See also Adjusting environment settings.

What happens if active agents setting is reached?

If the maximum number of active agents is reached, the environment may start to malfunction, causing instability with agent connections. While the system can tolerate temporarily exceeding the limit of active agents, appropriate measures will be taken if the situation persists.

What happens if average/peak EPS setting is reached?

If the data ingestion is exceeded, events start to queue. If the queue becomes full, Wazuh discards the incoming events, which might lead to event loss. The cloud service automatically manages the queuing mechanism, ensuring optimal resource usage.

How do I get SSH access to my environment?

SSH access is not allowed for security reasons. Environments are managed from the Wazuh Cloud Console and Wazuh dashboard. See the Limitations section for more information.

How can I update my environment?

Wazuh takes care of the updates, so your environment gets the latest version of Wazuh with no downtime.

Can I send syslog data directly to the environment?

No, all the communications are performed through Wazuh agents once they are registered into the environment. However, you have alternative options. For more information on how to forward syslog events to your environment, see the Forward syslog events section.

Can I send data directly to the Wazuh indexer of my environment?

No, all the communications are performed through Wazuh agents.

Can I integrate with my Single Sign-On (SSO) method (LDAP, Okta, Active Directories)?

Yes, you can access the Wazuh WUI of your environment through your SSO tool. To perform this action, you need to contact the Wazuh Support team through the Help section of your Wazuh Cloud Console.

Do I have access to Wazuh API?

You have access to the Dev tools through your Wazuh dashboard, where you can use the server API. The Wazuh server API is not exposed, but you can contact the Wazuh team through the Help section of your Wazuh Cloud Console to allow Wazuh server API access from a specific IP address. See the Limitations section for more information.

Do I have access to Wazuh indexer API?

The Wazuh indexer API is not accessible by default. If you want to access it, contact the Wazuh team through the Help section of your Wazuh Cloud Console to authorize the connection from a specific IP address. After authorization is granted, you have access to the GET methods of the Wazuh indexer API. See the Limitations section for more information.

How can I forward my logs to another solution or SOC?

You can download your data from archive data. Then, you can push it to other solutions or Security Operations Center (SOC).

Is my environment shared with other customers?

No, your environment is isolated from other customers. That means your account is the only one with access to your environment.

What are the available regions?

Available regions:

Asia Pacific

Tokyo: ap-northeast-1
Mumbai: ap-south-1
Singapore: ap-southeast-1
Sydney: ap-southeast-2

Europe

Frankfurt: eu-central-1
London: eu-west-2

North America

Canada: ca-central-1
North Virginia: us-east-1
Ohio: us-east-2

When selecting a region to host your environment, if you are not sure which one is the best option for you, select one that is the closest to your location since this typically reduces latency for indexing and search requests.

What status can my environment have?

Status	Description
Creating	Your environment is being created.
Ready	Your environment was created successfully and is ready to use.
Failed	The creation of your environment failed.
Maintenance	Your environment is under maintenance. It will be available when finished.
Suspending	Your environment is being suspended due to lack of payment.
Suspended	Your environment is suspended.
Resuming	Your environment is resuming after suspension. It will be available soon.
Terminated	Your environment was deleted.

AI Analyst

The Wazuh AI Analyst service provides Wazuh Cloud users with insights into their security posture and offers recommendations on how to remediate threats detected within their Wazuh Cloud subscription.

This service is an automated AI-powered security analysis solution that integrates Wazuh Cloud with AI models. It leverages machine learning capabilities to process security data and deliver actionable insights to help improve organizational security.

The service provides organizations with:

Automated security analysis without manual intervention.
Insights aggregated from multiple security data sources.
Structured recommendations to improve security posture.
Regular assessments of security posture through scheduled analyses.

The service periodically sends emails and reports. You can download these reports from the Wazuh Cloud Console.

AI Analyst email

Users receive periodic emails with key performance indicators and a summary of their security posture. Each email includes:

A histogram showing the number of protected endpoints.
The volume of alerts received by the Wazuh server.
The number of active vulnerabilities.
A summary of the current security posture.
The AI Analyst report attached as a PDF.

AI Analyst report

The report includes AI-generated insights based on data from the user's Wazuh Cloud subscription. It contains the following sections:

Overall assessment
Alert analysis
Vulnerability analysis
Endpoint analysis

Overall assessment

A summary generated by the AI, providing an overall evaluation of the organization's security posture during the reporting period.

Alert analysis

Wazuh analyzes log data collected across the monitored infrastructure. Each log is evaluated against predefined security rules, each tagged with a criticality level. This section presents alert data analysis by MITRE technique and alert level, along with a summary of recommended actions.

Vulnerability analysis

Software vulnerabilities are weaknesses in code that attackers can exploit to gain unauthorized access or alter application behavior. Vulnerable software applications are commonly targeted by attackers to compromise endpoints and gain a persistent presence on targeted networks.

Endpoint analysis

Highlights the ten most active endpoints based on alert volume. This helps identify areas with elevated security activity.

Generating the report

Follow the steps below to generate the AI analyst report for your environment:

Log in to the Wazuh Cloud Console.
Go to the Environments page and select your specific environment.
Navigate to the AI Reports tab.
Click on the available report to view and download the report as a PDF file.

Data privacy and security FAQ

Is data from Wazuh Cloud subscriptions shared with third parties?

No, data from Wazuh Cloud subscriptions is not shared with third parties. Data is processed by AWS Bedrock and Anthropic's Claude model solely within the AI pipeline. It is not shared beyond that scope. Both providers follow strict data protection policies that prevent sharing of customer data with external parties.

Is data used to train AI models?

No, your data is not used to train AI models. Customer data is not used for model training or improvement, as stated in Anthropic's terms of service under AWS Bedrock. Data is only used to generate your security analysis reports and is not retained or used for any other purposes.

Can data leak to third parties?

The service implements multiple layers of security to prevent data leaks:

Encrypted data transmission.
Enterprise-grade security controls in AWS Bedrock.
Isolated processing environments for Claude.
No permanent data storage during processing.
Restricted access to authorized Wazuh service components only.

How should I use the recommendations in the AI Analyst report?

Treat AI-generated recommendations as advisory. Users are responsible for:

Reviewing and validating all AI-generated recommendations.
Acting based on internal security policies and risk assessments.
Consulting with security professionals when necessary.

The service is subject to the limitations and disclaimers outlined in AWS service terms (Section 50) and Anthropic's commercial terms of service

Service operations FAQ

How often are reports generated?

Reports are generated based on your Wazuh Cloud subscription and configuration settings.

Can I customize the analysis parameters?

Not currently. The service uses predefined parameters optimized for comprehensive security assessment.

What happens if the AI service is unavailable?

Report generation is paused during outages and resumes automatically when the service is restored.

How long are reports retained?

Reports remain available in the Wazuh Console per your subscription's data retention policy. Emails are sent to designated technical contacts and may be retained indefinitely.

What data is included in the analysis?

The analysis includes:

Security alerts and MITRE ATT&CK mappings
Vulnerability scan results
High-priority rule triggers
Endpoint activity patterns
Operating system and package vulnerability data

Can I opt out of the AI Analyst service?

Yes. You can disable the service through your Wazuh Cloud subscription settings. Contact your administrator or Wazuh Support for assistance.

Account and billing

This section describes the actions you can perform in your account using the Wazuh Cloud Console.

Edit user settings

You can edit your account preferences, such as email address and password from the Wazuh Cloud Console. You can also enable multi-factor authentication to increase security and see login method alternatives.

Configure your user profile

You can configure your name, last name, company name, country, phone number, and website.

Log in to the Wazuh Cloud Console and click the upper-right user icon to open the menu.

Go to User settings.

Fill in or edit the fields. Company and Country are required in order to continue.

Click Save to complete the action.

Update your email address

Each Wazuh Cloud account has a primary email associated with it. If needed, you can change this primary email address.

Log in to the Wazuh Cloud Console and click the upper-right user icon to open the menu.

Go to User settings.

Click Email address.

Enter a new email address and your current password, then click Save to confirm the action.

An email is sent to the new address with a link to confirm the change.

Change your Wazuh Cloud Console password

When you signed up for a Wazuh Cloud account with your email address, you selected a password that you use to log in to the console. If needed, you can change this password.

If you know your current password:

Log in to the Wazuh Cloud Console and click the upper-right user icon to open the menu.

Go to User settings.

In Change password, enter the current password and provide the new password that you want to use.

Click Save to confirm the action.

If you don’t know your current password:

Click on Forgot my password on the login page of the Wazuh Cloud Console.

Enter the primary email address for your account and click Reset password.

An email is sent to your address with a link to reset the password.

Enable multi-factor authentication

To add an extra layer of security to your Wazuh Cloud account, you can set up a Virtual MFA Device like Google authenticator.

To enable multi-factor authentication:

Log in to the Wazuh Cloud Console and click the upper-right user icon to open the menu.

Go to User settings.

Under Multi-factor authentication, click Add MFA and follow the steps described in the Set up virtual MFA device pane.

Click Enable MFA to complete the process.

If your device is lost or stolen, contact support through the Help section of the Wazuh Cloud Console.

Manage your billing details

To continue using your environment beyond the trial period, you need to add credit card details to your Wazuh Cloud account. Your credit card information is sent securely to our billing provider and stored with them.

Note

A trial environment is converted to a paid environment when the trial expires. If you do not add your credit card information before the expiration date, your environment is deleted, and all data is permanently erased. Make sure to add your credit card before the end of the trial period.

Add your billing details

To add the billing details:

Log in to the Wazuh Cloud Console.

Go to the Account section and select Billing.

Select Add billing information in the Payment method section.

Fill in the form with your billing details.

Click Save to confirm the payment method.

You can stop upcoming charges by canceling your environments.

Note

Cancellation cannot be undone, all data will be permanently deleted.

Remove your billing details

You can only remove billing details when there are no active paid environments. This means either:

There are no environments.

The only active environment is in a trial period.

All the environments have been canceled.

In order to remove your billing information:

Log in to the Wazuh Cloud Console.

Go to the Account section, select Billing, and select Payment method.

Select Delete in the Payment method. This button will be disabled if there is an active paid environment.

Confirm Delete in the pop up.

See your billing cycle and history

Information about your current billing cycle, outstanding payments, and billing receipts is available from the Wazuh Cloud Console. The billing cycle is the period between the last billing date and the current billing date, while your billing history shows an overview of all invoices issued for your account.

To see your current billing cycle information:

Log in to the Wazuh Cloud Console.

Go to the Account section and select Summary under Billing.

You can see the details about the upcoming billing for your active environments under the current billing cycle.

To see your billing history:

Log in to the Wazuh Cloud Console.

Go to the Account section, select Billing and select Invoices.

Click the invoice to download a PDF with your billing history details.

Update billing and operational contacts

You can specify billing and operational contacts in addition to the primary email address of your account.

Note

Billing and operational contacts are only for notification purposes, they cannot be used to log in to the Wazuh Cloud Console. To access the Wazuh Cloud Console, you must use the primary email address for your account.

To update billing and operational contacts:

Log in to the Wazuh Cloud Console.

Go to the Account section and select Contacts.

Add or remove contacts from the desired category.

Multiple email addresses can be specified for each category. They become effective immediately and no further confirmation from the email addresses is required.

Stop charges for an environment

You can always cancel an environment you no longer need. When performing this action, the environment is removed at the end of the billing cycle, with no new or additional charges incurred.

To stop being charged for an environment:

Log in to the Wazuh Cloud Console.

Go to the Environments page and select the environment you want to cancel.

Click Cancel environment and confirm the cancellation.

Warning

Cancellation cannot be undone, and all data is permanently deleted with this action.

Billing FAQ

When is my credit card charged?

Is my credit card information safe?

Where can I see the next payment for an environment?

What happens to my payments if I want to upgrade or downgrade a setting?

How do I view previous receipts and billing history?

How can I configure who receives receipts and billing notifications?

What are the available payment methods on Wazuh Cloud?

Can I get a refund?

What is included in my Wazuh Cloud environment?

How can I request more information?

When is my credit card charged?

Each environment is charged monthly, according to the environment's beginning date.

Is my credit card information safe?

Your credit card information is sent securely to our billing provider, Stripe, and stored there.

Where can I see the next payment for an environment?

Go to the See your billing cycle and history section to learn how to view the billing details of your environments.

What happens to my payments if I want to upgrade or downgrade a setting?

If you choose to upgrade a setting, you need to make an immediate prorated payment. The upgrade becomes effective immediately, albeit leading to an increased price for your environment. Conversely, when downgrading a setting, the change takes effect in the subsequent billing cycle, with your price adjusted accordingly. See Adjusting environment settings for further details.

How do I view previous receipts and billing history?

Go to the See your billing cycle and history section to learn how to download an overview of all invoices issued for your account.

How can I configure who receives receipts and billing notifications?

Go to Update billing and operational contacts section to learn how to configure who receives receipts and billing notifications.

What are the available payment methods on Wazuh Cloud?

Credit or debit card payments are supported. To learn more about Wazuh supported cards, see the certified payment processor list of card brands in the Stripe documentation.

Can I get a refund?

Charges are nonrefundable, but if you want to cease using an environment, you can cancel your environment anytime. No new charges are incurred beyond the current billing period. For any special considerations regarding a refund, contact us through the Help section of the Wazuh Cloud Console.

What is included in my Wazuh Cloud environment?

A full set-up of Wazuh, according to your setting, and a standard or premium support service.

How can I request more information?

You can contact the Wazuh team anytime through the Help section on your Wazuh Cloud Console.

Archive data

Wazuh provides two types of storage for your data:

Indexed data
Archive data

When Wazuh ingests and indexes events from agents, the data becomes searchable and analyzable in the Wazuh dashboard. This information is stored in indexed data, which is limited by your indexed data retention and indexed data capacity (formerly known as tier) settings. Simultaneously, the data is sent to archive data with a maximum delay of 30 minutes after initial processing by Wazuh. Archive data is stored in an AWS S3 bucket, allowing you to store logs for extended periods and meet compliance requirements. Additionally, you can reindex the data to other environments for further investigations.

Environment example for data storage

This example environment is configured with the following settings:

Indexed data retention: 3 months
Indexed data capacity (formerly known as tier): 100 GB
Archive data: 1 year

Assuming that Wazuh ingests 5GB of data daily, with 20% of events generating alerts, it indexes 1GB per day. In this scenario, the indexed data can retain alerts for up to 100 days (1GB per day - 100GB), but it will be rotated to maintain only 3 months of data as specified in the indexed data retention setting. However, all information from the past year is still accessible in the archive data according to the archive data setting.

This configuration ensures that recent alerts are readily available in the indexed data, while older data is securely stored in the archive data for compliance and historical purposes.

For more information about the archive data feature in the Wazuh Cloud service, please refer to the following sections:

Configuration

Your environment is configured by default to send Wazuh output files to archive data.

There are two Wazuh output files in JSON format:

/var/ossec/logs/archives/archives.json: If you set logall_json to yes, Wazuh stores all events in this file and sends it to archive data, regardless of whether they triggered an alert.
/var/ossec/logs/alerts/alerts.json: This file contains only events that tripped a rule with high enough priority, according to a configurable threshold. This is always sent to archive data.

Both files are delivered to archive data as soon as they are rotated and compressed. This process usually takes between 10 and 30 minutes from the moment the event is received.

The oldest files in the archive data are rotated based on the archive data setting.

Note

Files with a .log extension are never sent to archive data.

Filename format

The files are stored in a directory structure that indicates the date and time the file was delivered to the archive data.

The main path follows this format:

wazuh-cloud-cold-<REGION>/<CLOUD_ID>/<CATEGORY>[/<SUBCATEGORY>]/<YEAR>/<MONTH>/<DAY>

Each file has the following name:

<CLOUD_ID>_<CATEGORY>[_<SUBCATEGORY>]_<YYYYMMDDTHHmm>_<UniqueString>.<FORMAT>

The files include the following fields:

field	Description
`<REGION>`	The region where the environment is located.
`<CLOUD_ID>`	Cloud ID of the environment.
`<CATEGORY>`	This field must be output.
`<SUBCATEGORY>`	This field is only used by the output category and contains alerts or archives files.
`<YEAR>`	The year when the file was delivered.
`<MONTH>`	The month when the file was delivered.
`<DAY>`	The day when the file was delivered.
`<YYYYMMDDTHHmm>`	Digits of the year, month, day, hour, and minute when the file was delivered. Hours are in 24-hour format and in UTC. A log file delivered at a specific time can contain records written at any point before that time.
`<UniqueString>`	The 16-character UniqueString component of the file name prevents overwriting files. It has no meaning and log processing software should ignore it.
`<FORMAT>`	It is the encoding of the file. This field is json.gz for output files, which is a JSON text file in compressed gzip format, and tar.gz for configuration files.

Access

To access your archive data, you need an AWS token that grants permission on the AWS S3 bucket of your environment. This token can be generated using the Wazuh Cloud API.

Note

See the Wazuh Cloud CLI section to learn how to list and download your archive data automatically.

Getting your API key and the AWS token

Obtain your Wazuh Cloud API key by following the steps outlined in the API Authentication section.

Use the POST /storage/token API endpoint with your key to get a temporary AWS token. For example, the following request generates an AWS token valid for 3600 seconds that grants access to the environment archive data with ID 012345678ab.

curl -XPOST https://api.cloud.wazuh.com/v2/storage/token -H "x-api-key: <YOUR_API_KEY>" -H "Content-Type: application/json" --data '
{
   "environment_cloud_id": "012345678ab",
   "token_expiration": "3600"
}'

{
   "environment_cloud_id": "012345678ab",
   "aws": {
      "s3_path": "wazuh-cloud-cold-us-east-1/012345678ab",
      "region": "us-east-1",
      "credentials": {
         "access_key_id": "mUdT2dBjlHd...Gh7Ni1yZKR5If",
         "secret_access_key": "qEzCk63a224...5aB+e4fC1BR0G",
         "session_token": "MRg3t7HIuoA...4o4BXSAcPfUD8",
         "expires_in": 3600
      }
   }
}

Generating the AWS wazuh_cloud_storage profile

Add the token to the AWS credentials file ~/.aws/credentials.

[wazuh_cloud_storage]
aws_access_key_id = mUdT2dBjlHd...Gh7Ni1yZKR5If
aws_secret_access_key = qEzCk63a224...5aB+e4fC1BR0G
aws_session_token = MRg3t7HIuoA...4o4BXSAcPfUD8

Listing archive data

This command lists the archive data files of the environment 012345678ab.

# aws --profile wazuh_cloud_storage --region us-east-1 s3 ls --recursive s3://wazuh-cloud-cold-us-east-1/012345678ab/

2024-04-19 17:50:06        493 012345678ab/output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz
2024-04-19 18:00:05      77759 012345678ab/output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2100_kdBY42OvE9QJuiia.json.gz

Examples

Downloading archive data – Multiple files

This command downloads the archive data files of the environment 012345678ab into the /home/test/ directory.

# aws --profile wazuh_cloud_storage --region us-east-1 s3 cp --recursive s3://wazuh-cloud-cold-us-east-1/012345678ab/ /home/test/

download: s3://wazuh-cloud-cold-us-east-1/012345678ab/output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz to output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz
download: s3://wazuh-cloud-cold-us-east-1/012345678ab/output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2100_kdBY42OvE9QJuiia.json.gz to output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2100_kdBY42OvE9QJuiia.json.gz

Downloading archive data – Single file

This command downloads the 012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz file of the environment 012345678ab into the directory /home/test.

# aws --profile wazuh_cloud_storage --region us-east-1 s3 cp --recursive s3://wazuh-cloud-cold-us-east-1/012345678ab/012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz /home/test/

download: s3://wazuh-cloud-cold-us-east-1/012345678ab/output/alerts/2024/04/19/012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz to ./012345678ab_output_alerts_20240419T2050_VqaWCpX9oPfDkRpD.json.gz

Wazuh Cloud API

Wazuh Cloud provides a Wazuh Cloud API that allows you to perform some operations with your cloud environments, such as downloading archive data.

This section provides information on the following:

Authentication

Wazuh Cloud supports only API key-based authentication.

To obtain a Wazuh Cloud API key:

Log in to the Wazuh Cloud Console.

Go to the Account section and select API Keys.

Click Generate API Key.

Provide a name and click Generate API key.

Copy the generated API key and store it in a safe place.

Note

The API key has no expiration date, so it can be used indefinitely. You might also have multiple API keys for different purposes, and you can revoke them when you no longer need them.

To revoke an API key:

Log in to the Wazuh Cloud Console.

Go to the Account section and select API Keys.

Click the trash icon under the Revoke column for any API key you want to delete.

Click Revoke Api key to confirm the action.

The deleted API is removed from the list of API keys.

Reference

CLI

The Wazuh Cloud Command Line Interface (wcloud-cli) is a tool that allows you to interact with Wazuh Cloud using commands in your command-line shell.

Requirements

To use wcloud-cli, you need to install the following components:

Python 3.x
boto3 Python package
requests Python package

Installation

Use the following command to download the CLI tool.

# curl -so ~/wcloud-cli https://packages.wazuh.com/resources/cloud/wcloud-cli && chmod 500  ~/wcloud-cli

Run it with the version argument to confirm that the installation was successful.
```
# ./wcloud-cli version
```
```
Wazuh Cloud CLI - "version": "1.0.1"
```

Configuration

You can configure the settings that the Wazuh Cloud CLI (wcloud-cli) uses to interact with Wazuh Cloud.

By default, the Wazuh Cloud CLI reads the credential information from a local file named credentials, located in the .wazuh-cloud folder of your home directory. The location of your home directory varies based on the operating system, but you can find it using the environment variables %UserProfile% in Windows, and $HOME or ~ (tilde) in Unix-based systems.

A non-default location can be specified for the config file by setting the WAZUH_CLOUD_CREDENTIALS_FILE environment variable to another local path.

Create the credentials file and add your API key.
```
# touch ~/.wazuh-cloud/credentials
```
```
[default]
wazuh_cloud_api_key_name = Test
wazuh_cloud_api_key_secret = MDAwMDAwMDQ2T047Q4JVY1Sm5dDOqpDtkCQiY89fHjuZT3c90zs2
```
The file is organized in profiles, a collection of credentials. When you specify a profile to run a command, the credentials are used to run that command. You can specify one default profile that is used when no profile is explicitly referenced.

Use the following command to test your credentials. Optionally, you can specify the profile.

# wcloud-cli test-credentials --profile <PROFILE_NAME>

The API key 'Test' in the profile 'default' is valid.

Examples

Getting S3 token for archive data

This command generates an AWS token to access the archive data of the environment with Cloud ID 012345678ab.

# wcloud-cli cold-storage get-aws-s3-token 012345678ab

Environment Cloud ID: '012345678ab'
Region: 'us-east-1'
S3 path: 'wazuh-cloud-cold-us-east-1/012345678ab'

The following AWS credentials will be valid until 2024-04-22 13:55:27:
[wazuh_cloud_storage]
aws_access_key_id = A...M
aws_secret_access_key = L...0
aws_session_token = F...Q==

Listing archive data

This command lists the archive data files of the environment 012345678ab between the specified dates.

# wcloud-cli cold-storage list 012345678ab --start 2021-05-07 --end 2021-05-07

Environment '012345678ab' files from 2021-05-07 to 2021-05-07:
012345678ab/output/alerts/2021/05/07/012345678ab_output_alerts_20210507T1040_mXSoDTf5Pgyr8b8D.json.gz

Downloading archive data

This command downloads in the /home/test directory the archive data files of the environment 012345678ab between the specified dates.

# wcloud-cli cold-storage download 012345678ab /home/test --start 2021-05-07 --end 2021-05-07

Environment '012345678ab' files from 2021-05-07 to 2021-05-07:
Downloading object 012345678ab/output/alerts/2021/05/07/012345678ab_output_alerts_20210507T1040_mXSoDTf5Pgyr8b8D.json.gz
Downloaded object 012345678ab/output/alerts/2021/05/07/012345678ab_output_alerts_20210507T1040_mXSoDTf5Pgyr8b8D.json.gz

Glossary

Here is a list of terms related to Wazuh Cloud.

Cloud Console

The Wazuh Cloud Console provides web-based access to manage your Wazuh Cloud environments.

Cloud ID

The Cloud ID is a unique ID for your environment on Wazuh Cloud. It is used for multiple purposes, such as Wazuh WUI access or the agent registration process.

Environment

An environment is a deployment that contains all the Wazuh components ready to use and running on Wazuh Cloud.

Archive data

Formerly known as cold storage, it's the data containing the output generated by Wazuh, such as alerts and archives. It's an AWS S3 bucket to store your logs for a longer time and meet compliance requirements.

Indexed data

Formerly known as hot storage, it's the data available on the Wazuh dashboard corresponding to the information indexed by Wazuh. This information is available as soon as Wazuh ingests and indexes the events sent by the agents, making the data searchable and analyzable.

Indexed data is calculated using the primary shards of wazuh-* indices.

Tier

The concept of a tier, which represents the size limitation, in bytes, of the indexed data (formerly known as hot storage), is no longer used. It has been replaced by the indexed data capacity setting.

Setting

In the context of Wazuh Cloud, a setting refers to each configuration option available for a cloud environment. These settings determine the limitations, functionalities, and pricing of an environment.

Profile

A profile refers to predefined settings that you can choose from when configuring your Wazuh Cloud environment. We have three profiles available: Small, Medium, and Large. These profiles are designed to simplify the process by providing preconfigured settings that cater to different needs and requirements. If none of the predefined profiles meet your specific requirements, you can configure your settings individually.

Region

A region is a geographic area where the data center of the cloud provider that hosts your environment is located. The region you select cannot be changed after you create an environment. If you are not sure what to pick, choose a region that is geographically close to you to reduce latency.

Available regions:

Asia Pacific

Tokyo: ap-northeast-1
Mumbai: ap-south-1
Singapore: ap-southeast-1
Sydney: ap-southeast-2

Europe

Frankfurt: eu-central-1
London: eu-west-2

North America

Canada: ca-central-1
North Virginia: us-east-1
Ohio: us-east-2

Wazuh Cloud API

The Wazuh Cloud API is an application programming interface used to interact with Wazuh Cloud. The Wazuh Cloud API is used, for example, to provide access to an environment's archive data.

Wazuh Cloud CLI

The Wazuh Cloud Command Line Interface is a tool that enables you to interact with Wazuh Cloud using commands in your command-line shell.

Development

This section of the documentation helps developers to understand Wazuh at the development level. It provides the technical resources required to understand the Wazuh architecture, extend its capabilities, and tailor the platform to specific operational requirements.

Contents

Client keys file

The client.keys file stores the data used to authenticate and identify Wazuh agents. A record of the client.keys file is stored on the Wazuh server and the Wazuh agent endpoints. The location depends on the operating system. The table below lists the default paths for each OS:

Operating systems	Location of the `client.keys` file
Windows	`C:\Program Files (x86)\ossec-agent\client.keys`
Linux/Unix	`/var/ossec/etc/client.keys`
macOS	`/Library/Ossec/etc/client.keys`

File format

The Wazuh manager client.keys file contains one entry per agent. The Wazuh agent client.keys file has one line, which must match an entry on the Wazuh manager. If the lines don't match, the Wazuh manager rejects the Wazuh agent.

The client.keys file is formatted as described in the table below:

<ID> <Name> <Address> <Password>

Where:

ID - represents the Wazuh agent identification number with the following considerations:

Allowed characters

Digits only

Allowed size

3 to 8 digits

Padding

0-padded

Unique value

Yes

Reserved values

ID "000"
Name - represents the name of the agent with the following considerations:

Allowed characters

Alphanumeric characters, -, _ and .

Allowed size

Up to 128 bytes

Unique value

Yes
Address - represents the allowed source IP address range in CIDR format. If the IP address is explicitly provided, the Wazuh manager will only enroll the agent if the provided IP address matches the source IP address.

Format

CIDR. Netmask is optional.

Unique value

Yes

Reserved values

None

Aliases

any = 0.0.0.0/0
Password - represents a base64 encoded string that is used for external message encryption.

Allowed characters

Printable characters

Allowed size

Up to 128 bytes

Unique value

No

Void entries

Key entries can be invalidated, causing the associated Wazuh agent to be considered as unenrolled. This can occur in the following cases:

The entire line is deleted.
The line begins with # or whitespace.
The agent name starts with # or !.

Note

The Wazuh manager needs to be stopped before invalidating a key to ensure proper un-enrolling.

Examples

Below is an example of the content of the client.keys file. The last agent 004 meets one of the conditions for a void entry because the agent name !data3 starts with !.

server1 any bb8a28997c6c3964eacb3d32308072f6661f567a41105b2b0b09f1a82331b937
dbserver 10.0.1.2 363a99a6e9c9a8b6bb766d676453538e0cb20162f84b36472d99cfbef4928440
data2 10.1.2.0/24 3d263f5cc513072fe6b63ab221d1facf132918235c97f19efd9446257d16ea4a
!data3 any ed52060a133343dbc74474c19aaad8fb7dddd9a4b5965ebbe9edb2a7

Standard Wazuh message format

This section describes the message format that Wazuh accepts and sends between its components:

Input logs: These are strings ingested by the Wazuh Logcollector module from log files, Windows events, program outputs, etc.
Standard Wazuh events: These are data sent locally between Wazuh components, usually to the Wazuh agent daemon or the Analysis daemon in the Wazuh manager.
Secure messages: These are data delivered remotely between the Agent daemon and the Remote daemon.

Input logs

Input logs are the raw messages that the Wazuh Logcollector module gathers from different sources, such as log files, Windows events, or program outputs. These logs follow the standard Syslog format or a custom format defined by the application or system generating them. In a case where the log is in a custom format, the message header is parsed by a pre-decoder.

Below is an example of a Syslog message:

Sept  9 16:06:16 localhost salute: Hello world.

When logs are in Syslog format, the pre-decoder processes and interprets the message header, extracting essential information like timestamps, hostnames, and severity levels before further analysis. In the case of the message above, the following fields are extracted:

Date: Sep 9 16:06:26
Host name: localhost
Program name: salute
Log: Hello world.

If the message is not in Syslog format, the entire log entry is treated as plain text. The strings contained in the log can then be further processed by decoders, which can be either XML-based decoders or plugin decoders. This is to extract and structure relevant information from the log for analysis.

Standard Wazuh event

Wazuh events are messages exchanged between Wazuh components on the same endpoint. One of such is the sending of events from the Remote daemon to the Analysis daemon. This communication uses the local datagram socket located at /var/ossec/queue/sockets/queue. Examples include:

Log events sent from the Wazuh Logcollector module to the Wazuh agent daemon.
File integrity monitoring events sent from the Wazuh File Integrity Monitoring (FIM) module to the Wazuh Agent daemon.
Configuration assessment events sent from the Wazuh Security Configuration Assessment (SCA) module to the Wazuh Agent daemon.

The format of these events is as follows:

<Queue>:<Location>:<Message>

Where:

Queue - is a 1-byte character and represents the event type. It defines the decoding mode for the Analysis daemon. The most common queue types are:
- 1 - Local file log, including Syslog messages, Windows event logs, outputs from commands, custom logs, and integrations.
- 2 - Remote Syslog messages, received by the Syslog server at the Remote daemon.
- 4 - Secure messages. They are events from the Remote daemon to the Analysis daemon that contain a standard Wazuh message plus the source agent ID.
- 5 - Dbsync events. Internal communication of the rsync library, messages for database synchronization between the Wazuh manager and Wazuh agents.
- 8 - Syscheck events. The Wazuh Analysis daemon parses it using the Syscheck decoder.
- 9 - Rootcheck events. The Wazuh Analysis daemon parses it using the Rootcheck decoder.
- f - Windows events. Events from Windows endpoints collected through the Wazuh agent.
- p - Security Configuration Assessment (SCA) events. SCA events collected by the SCA module from the Wazuh agents.
- d - System inventory events. System inventory events collected by the Syscollector module from the Wazuh agents.
- u - Upgraded forwarder notification. When an agent is updated via WPK, it notifies the Wazuh manager via this special queue so that the manager knows when the Wazuh agent has finished updating.
Location - is the log source, typically the path to the file where the log was collected.
Message - is the content of the log.

Example:

1:/var/log/syslog:Nov  9 16:06:26 localhost salute: Hello world.

Secure message format

Secure messages are messages sent through a network between a Wazuh agent (Agent daemon) and the Wazuh manager (Analysis daemon). These messages are:

Encrypted.
Compressed.
Randomized.
Numerated.

Step by step procedure for the secure message format

This sub-section outlines the step-by-step procedure for securing messages sent from the Wazuh agent to the Wazuh manager over a network. We show the use of block, hash, compressed data, padding, encrypted data, and payload to secure messages.

Block

The block is the result of joining a header and the input event:

<Block> = <Random> <Global counter> ":" <Local counter> ":" <Event>

Where:

Random - 5-byte 0-padded random unsigned integer.

Size

5 digits

Padding

0-padded
Global counter - Most significant part of the message counter.

Size

10 digits

Padding

0-padded
Local counter - Least significant part of the message counter.

Size

4 digits

Padding

0-padded
Event - Is the input message.

Hash

The hash is the 32-byte MD5 digest:

<Hash> = MD5(<Block>)

Compressed data

This object is the result of compressing the hash and the block (appended) through the DEFLATE algorithm, using zlib:

<CData> = Compress(<Hash> <Block>)

Padding

The compressed data is a byte array that must:

Have a size multiple of 8.
Start with one or more !.

So the <Padding> object is a string of 1 to 8 ! symbols, so that the array resulting from appending both <Padding> and <CData> has a size multiple of 8.

<Padding> = 1..8 "!"
Length(<Padding> <CData>) = 0 (mod 8)

Encrypted data

The padded data is encrypted using AES:

<Encrypted> = AES(<Padding> <CData>)

The initialization vector and the encryption key are described in the Encryption system.

Note

The default encryption method is AES, although Blowfish is available as an alternative encryption method.

Payload

The payload is the final message that will be sent to the peer (secure manager or agent). It starts with : if and only if the agent entry allows more than one host (address any or netmask different from 32), the agent ID between two ! symbols:

<Payload> =
    ":" <Encrypted>,                    if <Netmask> = 32
    "!" <Agent ID> "!:" <Encrypted>,    otherwise

Complete encryption formula

Below, we show the encryption formula used in the secure message format, using blowfish and AES encryption.

For agents with restricted address:

Blowfish encryption

":" Blowfish(<!-padding> Gzip(MD5(<Random> <Global> ":" <Local> ":" <Event>) <Random> <Global> ":" <Local> ":" <Event>))

AES encryption

"#AES:" Aes(<!-padding> Gzip(MD5(<Random> <Global> ":" <Local> ":" <Event>) <Random> <Global> ":" <Local> ":" <Event>))

For agents with unrestricted address (address any or netmask different from 32):

Blowfish encryption

"!" <ID> "!:" Blowfish(<!-padding> Gzip(MD5(<Random> <Global> ":" <Local> ":" <Event>) <Random> <Global> ":" <Local> ":" <Event>))

AES encryption

"!" <ID> "!#AES:" Aes(<!-padding> Gzip(MD5(<Random> <Global> ":" <Local> ":" <Event>) <Random> <Global> ":" <Local> ":" <Event>))

This is the encryption flow chart:

Network protocol

The procedure to send a payload via network depends on the connection protocol. Below, we show the network protocols:

UDP protocol

The datagram is the payload itself:
Send(<Payload>)

TCP protocol

Messages are not delimited by the network, so the payload size must be prefixed to the payload:
Send(<Size> <Payload>)
The Size has the following format:

Size

4 bytes

Sign

Unsigned

Endianness

Little-endian

Encryption system

The encryption system uses a constant initialization vector and an encryption key, as shown below:

Initialization vector

8-byte hexadecimal array for Blowfish method:
<IV> = FE DC BA 98 76 54 32 10
8-byte hexadecimal array for AES method:
<IV> = FE DC BA 09 87 65 43 21

Encryption key

The key is built by appending and cutting hexadecimal strings depending on some agent attributes (see Client keys file):
<Key> = MD5(<Pass>) MD5(MD5(<Name>) MD5(<ID>))[0:15]

Note

The second MD5 hash is cut to its first 15 bytes (from 0 to 14th).

Example:

<ID> = 003
<Name> = myagent
<Pass> = 2801fb64625a4ca5523395d8ab7370dbed275a227688542493c6577c3d9fdf2c

MD5(<Pass>) = 7c07f68ea8494b2f8b9fea297119350d
MD5(<Name>) = 370ca80d72402c8a4dbafa5b6888e2c5
MD5(<ID>) = e88a49bccde359f0cabb40db83ba6080
MD5(MD5(<Name>) MD5(<ID>))[0:15] = 78708afa69c1c76
<Key> = 7c07f68ea8494b2f8b9fea297119350d78708afa69c1c76

Makefile options

This section contains instructions to customize the installation of Wazuh by compiling the source code before executing the installation script. It also details the available Makefile configuration options, including descriptions, default values, and allowed values for each setting.

Compiling the source code

When following the official documentation to install the Wazuh server or the Wazuh agent from sources, the user runs the install.sh script. This script automatically compiles the source code before installing it, but some customizations can be made prior to the script execution.

To compile the code with make, the working directory must be where the Makefile resides. In this case, the /src directory of the installation folder:

# cd wazuh/src
# make deps
# make <OPTIONS>

Note

By default, the make deps command will download the necessary pre-compiled dependencies for Wazuh manager nodes. To download the dependencies for the Wazuh agent type nodes, it is necessary to indicate TARGET=agent or TARGET=winagent in case it is a Windows agent. To download the external dependencies without pre-compiled files, the make deps command needs to be executed with the EXTERNAL_SRC_ONLY=yes flag. The external dependencies will be built as part of the Wazuh compilation process.

After compiling the source code, now you can execute the installation script:

# cd ../
# ./install.sh

Warning

Some dependencies must be downloaded before compiling. If make deps is not executed before that, an error message will appear asking the user to do it.

Makefile reference

We show available targets and flags for using the Makefile command.

Available targets

deps	Downloads external dependencies, required for compiling the code. If `TARGET` is not specified, it will download the dependencies of the Wazuh manager nodes (`TARGET=server`). To download the dependencies of the Wazuh agents, it is necessary to use `TARGET=agent` or `TARGET=winagent` in case it is a Windows agent. This requires internet connectivity.
external	Compiles the external dependencies. This is done automatically when using `build`.
build	Compiles the source code. This requires external dependencies and a `TARGET` flag.
utils	Compiles the complementary tools used by Wazuh binaries.
test-rules	Runs test suite for rules and decoders.
clean	Removes all contents, including compiled files, including external dependencies, tests, and configuration.
clean-deps	Removes all external dependencies, including downloaded files.
clean-external	Removes compiled external dependencies, but won't remove downloaded files.
clean-internals	Removes all compiled internal dependencies.
clean-framework	Removes all compiled files used to build the Wazuh framework.
clean-windows	Removes all compiled files used to build the Windows agent.
clean-config	Removes all compiled configuration files.
clean-test	Removes all compiled files used for testing.

There are other targets used to get information about the Makefile, but they won't build, download or compile anything:

help	Shows information about the Makefile.
settings	Shows default values of compilation flags.

Available flags

EXTERNAL_SRC_ONLY	Along with the `make deps` command, this will download external library sources without pre-compiled files.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
TARGET	Defines the type of installation to build. The most common are `server` to compile a manager, and `agent`/`winagent` to compile linux and windows agents respectively.
	Default value	N/A
	Allowed values	server, local, hybrid, agent, winagent
V	Displays full compiler messages.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
DEBUG	Builds with symbols and without optimization.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
DEBUGAD	Enables extra debugging logging in `wazuh-analysisd`.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
INSTALLDIR	Wazuh installation path. Mandatory when compiling the python interpreter from sources using `PYTHON_SOURCE`.
	Default value	N/A
	Allowed values	Any valid absolute path.
ONEWAY	Disables the Wazuh manager ACK towards the agent. It allows connecting agents without a backward connection from the manager.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
CLEANFULL	Makes the alert mailing subject clear in the format: `<location> - <level> - <description>`
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
RESOURCES_URL	Sets the Wazuh resources URL.
	Default value	`https://packages.wazuh.com/deps/$(VERSION)`
	Allowed values	Any valid URL string.
USE_ZEROMQ	Builds with ZeroMQ support.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
USE_PRELUDE	Builds with Prelude support.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
USE_INOTIFY	Builds with Inotify support.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
USE_MSGPACK_OPT	Builds with Msgpack full optimization.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
BIG_ENDIAN	Builds with big endian support.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
USE_SELINUX	Builds with SELinux policies.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
USE_AUDIT	Builds with audit service support.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
DISABLE_JEMALLOC	Disables the integration of the jemalloc library.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
PYTHON_SOURCE	Used along with the `deps` target. Downloads the sources needed to build the python interpreter.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
USE_GEOIP	Builds with GeoIP support.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
OPTIMIZE_CPYTHON	Enable this flag to optimize the python interpreter build, which is performed when using `PYTHON_SOURCE`.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
DATABASE	Builds with database support. Allows support for MySQL or PostgreSQL.
	Default value	N/A
	Allowed values	mysql, pgsql
WAZUH_GROUP	Defines the WAZUH group.
	Default value	wazuh
	Allowed values	Any string.
WAZUH_USER	Defines the WAZUH user.
	Default value	wazuh
	Allowed values	Any string.
DISABLE_SYSC	Disables the compilation of the Syscollector module.
	Default value	N/A
	Allowed values	1, yes, YES, y, Y
IMAGE_TRUST_CHECKS	Configures the action to take when a library is not trusted in Windows. Actions available: Disabled (0), Only generate warning (1), and Shutdown the agent (2).
	Default value	1
	Allowed values	0, 1, 2
CA_NAME	Defines the name of the CA certificate.
	Default value	DigiCert Assured ID Root CA
	Allowed values	Any string.

Wazuh server cluster

Introduction
Architecture overview
Code structure
Troubleshooting

Introduction

We recommend reading: Wazuh server cluster.

In high-demand environments, Wazuh agents are enrolled at scale and at a rapid pace. A single Wazuh server node has limited capacity to process such large volumes of events, making workload distribution necessary. Therefore, horizontal scaling becomes the proper approach to balance the workload for a large number of agents.

The Wazuh server processes security events received from Wazuh agents and generates alerts. To ensure accurate event handling, all information required to receive and manage agent data must remain synchronized across Wazuh server nodes. This information includes:

Agent keys: This allows Wazuh server nodes to accept incoming connections from the Wazuh agents.
Agent shared configuration: This allows the Wazuh server nodes to send the Wazuh agents their configuration.
Agent group assignment: This allows every Wazuh server node to know which configuration to send to the Wazuh agents.
Custom decoders, rules and CDB lists: This allows the Wazuh server nodes to correctly process events from the Wazuh agents.
Agent last keep alive and OS information: This is received once a Wazuh agent connects to a Wazuh server node. This helps to know whether the Wazuh agent is reporting or not.

With this information synchronized, any node in the Wazuh server cluster can process data and generate alerts from connected Wazuh agents. This synchronization enables horizontal scaling, allowing the Wazuh environment to expand seamlessly as new agents are added.

Architecture overview

The following diagram shows a typical Wazuh server cluster architecture:

Wazuh agents are configured to report to a load balancer, which distributes network traffic across all Wazuh server nodes in the cluster. This approach allows new server nodes to be added without modifying the agent configuration, as all agents communicate through a single load balancer IP address.

Note

The Wazuh server cluster doesn't manage the load balancer.

Types of nodes

There are two types of Wazuh server cluster nodes. The node types define the tasks performed by the node within the cluster, and also defines a hierarchy of nodes used to know which information prevails when doing synchronizations.

Master

The master node is responsible for:

Receiving and managing agent registration requests.
Creating shared configuration groups.
Updating custom rules, decoders and CDB lists.
Synchronizing all this information to the workers nodes.

All the outlined responsibilities of the master node listed above is called Integrity. It is synchronized from the master to the workers even if the workers have a more recent modification time or a higher size.

Master nodes can also receive and process events from agents the same way a worker would do.

Worker

A worker node is responsible for:

Redirecting agent registration requests to the master node.
Receiving updates from the master node.
Receiving and processing events from agents.
Sending last keep alive messages from agents and remoted group assignments to the master node.

If any integrity file is modified in a worker node, its content will be replaced with the version on the master node.

Workflow

The image below shows a schema of how a master node and a worker node interact with each other in the synchronization process. Every dotted square represents a synchronization task and they all work in parallel:

Threads

The following tasks can be found in the cluster, depending on the type of node they are running on:

Thread name	Node
Keep alive - Send to master	Worker
Integrity sync
Agent info sync
Keep alive - Check workers	Master
Agent groups send
Local agent-groups
Local integrity
Sendsync
Distributed API	Both

Keep alive thread

Worker nodes in the Wazuh server cluster periodically send keep-alive messages to the master node. The master node records the timestamp of the last keep-alive received and monitors the expected interval for each worker. If a worker node fails to send a keep-alive within the defined time limit, the master marks it as disconnected and closes the connection. Once the worker node detects the disconnection, it automatically attempts to reconnect to the master node.

This mechanism helps maintain cluster stability by automatically removing nodes that are unreachable or experiencing network issues.

Integrity thread

The integrity thread is responsible for synchronizing integrity data between the Wazuh server master node and all worker nodes. The synchronization process is initiated by the worker node and occurs in the following stages:

The worker node requests permission from the master node to start the synchronization process. Permission is granted only after any ongoing synchronization process has completed. This prevents overlap between concurrent synchronization operations. Synchronization processes that take too long are considered locked due to errors. When a process is marked as locked, new integrity synchronization requests can be approved.

By default, the maximum time allowed for a synchronization process is 1000 seconds. This value can be modified with the max_locked_integrity_time variable in the cluster.json file.
The worker node sends the master node a JSON file containing the following information:
- Path
- Modification time
- Blake2b checksum
- Information showing whether the file is a merged file or not. If it is a merged file, it shows the following information:
  - The merge type
  - The filename
The master node compares the received checksums with its own and creates three different file groups:
- Missing: Files that are present in the master node but are missing in the worker node. They must be created in the worker.
- Extra: Files that are present in the worker node but missing in the master. They must be removed from the worker node.
- Shared: Files that are present in both master and worker but have a different checksum. They must be updated on the worker node with the version from the master node.
The master node then creates a ZIP package containing a JSON file with the required integrity information and any files the worker node needs to update. The maximum size of this package is defined by the max_zip_size variable in the cluster.json file. If the package exceeds this limit, the remaining files are synchronized during the next integrity synchronization cycle.
Once the worker node receives the package, it updates the necessary files. If there is no data to synchronize or there has been an error reading data from the worker, the worker is always notified about it. Also, if a timeout error occurs while the worker node is waiting to receive the zip, the master node will cancel the current task and reduce the zip size limit. The limit will gradually increase again if no new timeout errors occur.

Agent info thread

The agent info thread synchronizes the last keep-alive messages and operating system information from worker nodes with the Wazuh server master node. The synchronization process is initiated by the worker node and occurs in the following stages:

The worker node requests permission from the master node before starting synchronization. This prevents multiple synchronization processes from running at the same time.
The worker node queries the local wazuh-db service to retrieve information about agents marked as not synchronized.
The worker node sends the master node a JSON string containing the information retrieved from wazuh-db.
The master node sends the received information to its local wazuh-db service, where it is updated.

Note

If there is an error during the update process of one of the chunks in the database of the master node, the worker node is notified.

Agent groups send thread

The agent groups send thread synchronizes Wazuh agent group assignments (agent-groups) from the master node to all worker nodes in the Wazuh server cluster. Its purpose is to ensure that agent-group information stored on the master node is replicated in the databases of all worker nodes. The communication is initiated by the master node and follows these stages:

When there is new agent-groups information, the master node sends a JSON string with it to each worker node. This is done only once per worker node.
The worker nodes send the received information to their local wazuh-db service, where it is updated.
The worker nodes compare the checksum of their database with the checksum of the master node.
If the checksum has been different for 10 consecutive times, the worker node notifies the master node.
When notified, the master node sends all the agent-groups information to the worker node.
The worker node overwrites its database with the agent-groups information it has received from the master node.

Local agent-groups thread

The local agent-groups thread runs exclusively on the Wazuh server master node. It periodically queries the local wazuh-db service for any new or updated agent-group information since the last execution. The process doesn't repeat until all updated agent-group data has been successfully distributed to every worker node in the cluster.

Local integrity thread

The local integrity thread runs exclusively on the Wazuh server master node. It periodically reads all integrity files and calculates their checksums. Checksum calculation is slow and reduces performance in clusters with many worker nodes, since each worker node requires its own checksum. To optimize performance, this thread calculates the required integrity checksums once and stores them in a global variable that is periodically updated.

Sendsync thread

The sendsync thread is a Wazuh server cluster task executed exclusively on the master node. Although not shown in the workflow diagram, it enables the redirection of messages received from worker nodes to the appropriate master node services.

This mechanism allows agent registration requests to be processed even when agents are configured to connect to a worker node. In such cases, the sendsync thread receives the registration request from the worker node and forwards it to the master node's Authd service.

Distributed API thread

This thread isn't shown in the schema either. It runs in both master and worker nodes since it is independent of the node type. It is used to receive API requests and forward them to the most suitable node to process the request. The operation of this thread will be explained in later sections.

Code structure

The cluster is built on top of asyncio.Protocol. This Python framework helps us to develop asynchronous communication protocols by just defining a few functions:

connection_made: Defines what to do when a client connects to a Wazuh server and when the Wazuh server receives a new connection.
connection_lost: Defines what to do when the connection is closed. It includes an argument containing an exception in case the connection was closed due to an error.
data_received: Defines what to do when data is received from the other peers.

The Wazuh cluster protocol is defined on top of this framework. The following diagram shows all Python classes defined based on asyncio.Protocol:

The higher classes on the diagram (wazuh.core.cluster.common.Handler, wazuh.core.cluster.server.AbstractServerHandler, wazuh.core.cluster.common.WazuhCommon, and wazuh.core.cluster.client.AbstractClient) define abstract concepts of what a client and a server is. Those abstract concepts are used by the lower classes on the diagram (wazuh.core.cluster.local_server.LocalServerHandler, wazuh.core.cluster.master.MasterHandler, wazuh.core.cluster.worker.WorkerHandler and wazuh.core.cluster.local_client.LocalClientHandler) to define specific communication protocols. These specific protocols are described in the Protocols section.

There are abstract server and client classes to handle multiple connections from multiple clients and connections to the server. This way, all the logic to connect to a server or to handle multiple clients can be shared between all types of servers and clients in the cluster. These classes are shown in the diagrams below:

When the wazuh-clusterd process starts in the Wazuh server master node, it creates a Master object. Every time a new Wazuh server worker node connects to the master node, a MasterHandler object is created to handle the connection with that worker node (incoming requests, synchronization processes, etc). This means that there will always be at least a Master object and as many MasterHandler objects to match the number of connected worker nodes. The Master object is responsible for managing all MasterHandler objects created.

When the wazuh-clusterd process starts on the Wazuh server worker node, it creates a Worker object. This object is in charge of initializing worker variables to connect to the master node. A WorkerHandler object is created when connecting to the Wazuh server master node. This object is responsible for sending requests to the master node and managing synchronization processes.

Protocols

Protocol definition

The communication protocol used for all communications (both cluster and API) is defined in wazuh.core.cluster.common.Handler. Each message in the protocol has the following structure:

The protocol message has two parts:

The header: This is usually 22 bytes long. The header has four subparts:
- Counter: It specifies the message ID. This is randomly generated for every new sent request. It is very useful when receiving a response, so it indicates which sent request it is replying to.
- Payload length: It specifies the amount of data contained in the message payload. It is used to know how much data to expect to receive.
- Command: It specifies the protocol message. This string will always be 11 characters long. If the command is not 11 characters long, a padding of - is added until the string reaches the expected length. All available commands in the protocol are shown below.
- Flag message divided: This specifies whether the message has been divided depending on if the initial payload length was more than 5242880 bytes or not. The flag value can be d if the message is a divided one, or nothing if the message is the end of a divided message or a single message.
The payload: This will be 5242880 bytes long at maximum.

Wazuh cluster protocol

This communication protocol is used by all Wazuh server cluster nodes to synchronize information required to receive reports from the Wazuh agents. All communications are made through TCP. These commands are defined in wazuh.core.cluster.master.MasterHandler.process_request and in wazuh.core.cluster.worker.WorkerHandler.process_request.

Message	Received in	Arguments	Description
`hello`	Master	Node name<str> Cluster name<str> Node type<str> Wazuh version<str>	First message sent by a worker node to the master node on first connection.
`syn_i_w_m_p` `syn_a_w_m_p`	Master	None	Ask permission to start synchronization protocol. Message characters define the action to do: I (integrity), A (agent-info). W (worker), M (master), P (permission).
`syn_i_w_m` `syn_a_w_m`	Master	None or String ID<str>	Start synchronization protocol. Message characters define the action to do: I (integrity), A (agent-info). W (worker), M (master).
`syn_i_w_m_e` `syn_w_g_e` `syn_wgc_e`	Master	None or String ID<str>	End synchronization protocol. Message characters define the action to do: I (integrity), G (agent-groups send), C (agent-groups send full). W (worker), M (master), E(end)
`syn_g_m_w` `syn_g_m_w_c`	Worker	Agent-groups data <dict>	Start synchronization protocol. Message characters define the action to do: G (agent-groups recv), C (agent-groups recv full). W (worker), M (master).
`syn_i_w_m_r` `syn_w_g_err` `syn_wgc_err`	Master	Error msg<str>	Notify an error during synchronization. Message characters define the action to do: I (integrity), G (agent-groups send), C (agent-groups send full). W (worker), M (master), R/ERR (error).
`sendsync`	Master	Arguments<Dict>	Receive a message from a worker node destined for the specified daemon on the master node.
`sendsyn_res`	Worker	Request ID<str> String ID<str>	Notify the `sendsync` response is available.
`sendsyn_err`	Both	Local client ID<str> Error message<str>	Notify errors in the `sendsync` communication.
`get_nodes`	Master	Arguments<Dict>	Request sent from `cluster_control -l` from worker nodes.
`get_health`	Master	Arguments<Dict>	Request sent from `cluster_control -i` from worker nodes.
`dapi_clus`	Master	Arguments<Dict>	Receive an API call related to cluster information. This gets node information or healthcheck.
`dapi`	Both	Sender node<str> Arguments<Dict>	Receive a distributed API request. If the API call has been forwarded multiple times, the sender node contains multiple names separated by a `*` character.
`dapi_res`	Both	Request ID<str> String ID<str>	Receive a distributed API response from a previously forwarded request. Responses are sent using send long strings protocol so this request only needs the string ID.
`dapi_err`	Both	Local client ID<str> Error message<str>	Receive an error related to a previously requested distributed API request.
`syn_m_c_ok`	Worker	None	The master node verifies that the worker node integrity is correct.
`syn_m_c`	Worker	None	The master node will send the worker node integrity files to update.
`syn_m_c_e`	Worker	Error msg <str> or Task name <str> Filename <str>	Master node has finished sending integrity files. The files were received in the task name previously created by the worker node in `syn_m_c`. If the master node has issues sending/processing/receiving worker node integrity, an error message will be sent instead of the task name and filename.
`syn_m_a_e`	Worker	Arguments<Dict>	Master node has finished updating agent-info. Number of updated chunks and chunks with errors (if any) will be sent.
`syn_m_a_err`	Worker	Error msg<str>	Notify an error during agent-info synchronization.

Local protocol

This communication protocol is used by the Wazuh server API to forward requests to other Wazuh server cluster nodes. All communications are made using a Unix socket since the communication is local (from the process running the API to the process running the cluster). These commands are defined in wazuh.core.cluster.local_server.LocalServerHandler.process_request, wazuh.core.cluster.local_server.LocalServerHandlerMaster.process_request and wazuh.core.cluster.local_server.LocalServerHandlerWorker.process_request.

Message	Received in	Arguments	Description
`get_config`	Both	None	Returns active cluster configuration. Necessary for active configuration API calls.
`get_nodes`	Both	Arguments<Dict>	Request sent from `cluster_control -l`.
`get_health`	Both	Arguments<Dict>	Request sent from `cluster_control -i`.
`get_hash`	Both	None	Receive a request to obtain custom ruleset files and their hashes.
`send_file`	Both	Filepath <str>, Node name <str>	Request used to test send file protocol. Node name parameter is ignored in worker nodes (it is always sent to the master node).
`dapi`	Both	Arguments<Dict>	Receive a distributed API request from the API. When this request is received in a worker node it is forwarded to the master node and executed locally on the master node.
`dapi_fwd`	Server	Node name <str>, Arguments <Dict>	Forward a distributed API request to the specified node. To forward the request to all nodes, use `fw_all_nodes` as the node name.

Common messages

All cluster communication protocols are built on a shared abstract base. This base layer defines the core messages used to manage connections, exchange keep-alive signals, and perform other essential cluster operations. These message-handling commands are implemented in the following modules: wazuh.core.cluster.common.Handler.process_request, wazuh.core.cluster.server.AbstractServerHandler.process_request and wazuh.core.cluster.client.AbstractClient.process_request.

Message	Received in	Arguments	Description
`new_str`	Both	String length <int>	Used to start the sending long strings process.
`str_upd`	Both	String Id <str>, Data chunk <str>	Used to send a string chunk during the sending long strings process.
`err_str`	Both	String length <int>	Used to notify an error while sending a string so that the reserved space is freed.
`new_file`	Both	Filename <str>	Used to start the sending file process.
`file_upd`	Both	Filename <str>, Data chunk <str>	Used to send a file chunk during the sending file process.
`file_end`	Both	Filename <str>, File checksum <str>	Used to finish the sending file process.
`cancel_task`	Both	Task name <str>, Error msg <str>	Used to cancel the task in progress on the sending node.
`echo`	Both	Message <str>	Used to send keepalives to the peer. Replies with the same received message.
`echo-c`	Server	Message <str>	Used by the client to send keepalives to the server.
`echo-m`	Client	Message <str>	Used by the server to send keepalives to the client.
`hello`	Server	Client name <str>	First message sent by a client to the server on its first connection. The Wazuh protocol modifies this command to add extra arguments.

Cluster performance

Asynchronous tasks

A key factor contributing to the performance of the Wazuh server cluster is the use of asynchronous tasks. Similar to threads in Python, asynchronous tasks run concurrently with the main process and other tasks, but they are significantly more lightweight and faster to create. Their efficiency comes from leveraging the latency of I/O operations. This means that while one task is waiting for data to be transmitted or received through a socket, another can continue executing.

Each of the threads described in the Workflow section are implemented as asynchronous tasks. These tasks are started in wazuh.core.cluster.client.AbstractClientManager.start, wazuh.core.cluster.server.AbstractServer.start, and wazuh.core.cluster.local_server.LocalServer.start and they are all implemented using infinite loops.

In addition to the tasks already described, additional tasks are created whenever an incoming request requires more complex processing. These tasks are instantiated specifically to handle the request and are terminated once the corresponding response has been sent. This architectural approach ensures that the server is not blocked by a single request and can continue serving others efficiently.

One such task, implemented as a class, is responsible for receiving and processing files from a peer. An instance of this class is created at the start of a synchronization process and is destroyed once the process is complete. Internally, it launches an asynchronous task that remains active until all files required for synchronization have been successfully received. This asynchronous task has a callback that checks if there was an error during the synchronization process.

Multiprocessing

Asynchronous tasks are suitable for optimizing workloads and reducing I/O wait times but are unsuitable for CPU-intensive tasks because of Python's execution model. Python allows a single thread to take control of the Python interpreter through the Global Interpreter Lock (GIL). Therefore, asynchronous tasks run concurrently and not in parallel. Following the analogy of the previous section, it is as if there is effectively only one chef who has to do all the tasks. The chef can only do one at a time so if one task requires all his/her attention, the other ones are delayed.

The master node in the Wazuh server cluster executes a heavy workload, especially in large environments. Although the tasks are asynchronous, they have sections that require high CPU usage, such as calculating the hash of the files to be synchronized with the Local integrity thread. To avoid other tasks from waiting for the Python interpreter to complete the CPU-bound parts, multiprocessing is used. Using the same analogy again, multiprocessing would be equivalent to having more chefs working in the same kitchen.

Multiprocessing is implemented in the cluster process of both the Wazuh server master node and the worker nodes, and the concurrent.futures.ProcessPoolExecutor is used for this purpose. Cluster tasks can use any available process in the pool to delegate and run in parallel, the parts of their logic that are CPU intensive. With this, it is possible to take advantage of more CPU cores and increase the overall performance of the cluster process. When combined with asyncio, best results are obtained.

Child processes are created when the parent wazuh-clusterd starts. They stay in the process pool waiting for new jobs to be assigned to them. There are two child processes by default within the master node pool. This value can be changed in the process_pool_size variable in the cluster.json file. The worker nodes, on the other hand, create a single child process and this number is not modifiable. The tasks that use multiprocessing in the cluster are the following.

Master node

Local integrity thread: This calculates the hash of all the files to be synchronized. This requires high CPU usage.
Agent info thread: A section of this task sends all the Wazuh agent information to the wazuh-db. The communication is done in small chunks so as not to saturate the service socket. This turned this task into a somewhat slow process and not a good candidate for asyncio.
Integrity thread: Compressing files, which is done inside this task, is fully synchronous and can block the parent cluster process.

Worker nodes

Integrity thread: This is the only task in the Wazuh server worker nodes that uses multiprocessing. It carries out the following CPU intensive actions:
- Hash calculation: This calculates the hash of all the files to be synchronized every time Integrity check is started.
- Unzip files: This extracts files and can take too long when the zip is large.
- Process master files: This processes and moves all the files that were received from the Wazuh server master node to the appropriate destination.

Below is an example diagram of how the process pool is used in the Wazuh server master node:

Integrity synchronization process

This section explains the integrity synchronization process and how asyncio tasks are created to handle data exchanged with the peer. The diagram below outlines the complete workflow involved in integrity synchronization:

1: The sync_integrity task on the worker wakes up after sleeping during interval seconds (which is defined in the cluster.json file). The first thing it does is checking whether the previous synchronization process is finished or not using the syn_i_w_m_p command. The master replies with a boolean value specifying that the previous synchronization process is finished, and the worker can start a new one.
2: The worker starts the synchronization process using the syn_i_w_m command. When the master receives the command, it creates an asyncio task to process the received integrity from the worker. But since no file has been received yet, the task keeps waiting until the worker sends the file. The master sends the worker the task ID so the worker can notify the master to wake it up once the file has been sent.
3: The worker node starts the sending file process. Which has three steps: new_file, file_upd and file_end.
4: The worker notifies the master that the integrity file has already been sent. At that moment, the master wakes the previously created task up and compares the worker files with its own. In this example the master finds out the worker's integrity is outdated.
5: The master starts a sync integrity process with the worker using the syn_m_c command. The worker creates a task to process the integrity received from the master, but the task is sleeping since it has not been received yet. This is the same process the worker has done with the master but changing directions.
6: The master sends all information to the worker through the sending file process.
7: The master notifies the worker that the integrity information has already been sent using the syn_m_c_e command. The worker wakes the previously created task up to process and update the required files.

To sum up, asynchronous tasks are created only when the received request needs to wait for some data to be available (for example, synchronization tasks waiting for the zip file from the other peer). If the request can be solved instantly, no asynchronous tasks are created for it.

Distributed API requests

Another example that can show how asynchronous tasks are used is Distributed API requests. Before explaining the example, we review the different type of requests that can be done in the distributed API:

local_any: The request can be solved by any Wazuh server node. These requests are usually information that the Wazuh server master node distributes to all nodes such as rules, decoders or CDB lists. These requests will never be forwarded or solved remotely.
local_master: The request can be solved by the Wazuh server master node. These requests are usually information about the global status and management of the cluster such as agent information/status/management, agent groups management, cluster information, etc.
distributed_master: The Wazuh server master node must forward the request to the most suitable node to solve it.

The type association with every endpoint can be found here: API controllers.

Imagine a Wazuh server cluster with two nodes, where there is an agent reporting to the worker node with ID: 020. The following diagram shows the process of running a distributed API request by requesting the GET/sca/020 API endpoint:

1: The user does an API request. The API server receives the connection and calls distribute_function. Since the requested endpoint is distributed_master the worker node realizes it can't solve the request locally and proceeds to forward the request to the master node.
2: The API server doesn't have direct contact with the Wazuh server cluster master node. So the API process forwards the request to a Unix socket, because the cluster has to receive API requests locally. This Unix server is running inside the cluster process, so it can send requests to the master node. In order to identify the API request when the master node sends a response back, the local server adds an ID (local_client1 in this example).
3: When the master node receives the API request, it is added to a queue where all pending requests from all nodes are stored. Since this queue is shared with all other nodes, the master node adds the node ID to the request (node2 in this example).
4: The master node pops the received request out of its queue. It then realizes that agent 020 is reporting in the worker node node2, so it forwards the request to node2. This is because the master node is the one with the most updated information about the agent.
5: The master node creates a new request to get the necessary information from the worker node. This request includes a new ID (request1 in the example) so the master can identify the response when the worker sends it. The original request sent by the worker node remains in the master node awaiting to be solved.
6: The worker node receives the request from the master node and adds it to its request queue. The worker solves the request locally and sends the request response to the master using the long string process. Once the response has been sent, the worker notifies the master using the dapi_res command. The task_id is necessary since the master can receive multiple long strings at the same time and it needs a way to identify each one.
7: Once the master node receives the required information from the worker node, it is able to solve the originally received request from the worker node. The master node notifies the distributed API that the response has already been received.
8: The master node uses the long string process to send the response to the worker node.
9: The worker node receives the response from the master node and starts a new send long string process to forward it to the API process. Once the API receives the response over the Unix socket connection it had with the cluster process, the response is returned to the user.

In summary, asynchronous tasks are created to forward requests from one node to the other, enabling Wazuh server nodes to be available to receive new requests. None of the objects shown in the diagram remain blocked waiting for a response, they just wait to be notified when the response is available. That is achieved using Events.

Why is it necessary to forward the request to the master node if the agent was reporting to the worker node where the request was originally done? The worker nodes do not have a global vision of the cluster state. If an agent switches from one cluster node to another, worker nodes remain unaware of the change because they are not notified about it.

Only the master receives the agent-info data from all worker nodes. It is the only cluster node that knows where an agent is really reporting. This is why all API requests are always forwarded to the master node, except the local_any ones.

Troubleshooting

The Wazuh server cluster has different components working together including; a network protocol, input/output (I/O) and some Wazuh specific logic. All these components log their progress in logs/cluster.log file. To make things easier for developers, each component includes a log tag to help developers see which exact component logged the event. The following is an example of how the log file looks:

2021/03/29 07:05:26 INFO: [Worker worker1] [Integrity check] Starting. Received metadata of 12 files.
2021/03/29 07:05:26 INFO: [Worker worker1] [Integrity check] Finished in 0.016s. Sync required.
2021/03/29 07:05:26 INFO: [Worker worker1] [Integrity sync] Starting.
2021/03/29 07:05:26 INFO: [Worker worker1] [Integrity sync] Files to create in worker: 0 | Files to update in worker: 0 | Files to delete in worker: 1 | Files to receive: 0
2021/03/29 07:05:26 INFO: [Worker worker1] [Integrity sync] Finished in 0.015838s.
2021/03/29 07:05:27 INFO: [Master] [Local integrity] Starting.
2021/03/29 07:05:27 INFO: [Master] [Local integrity] Finished in 0.013s. Calculated metadata of 11 files.
2021/03/29 07:05:27 INFO: [Worker worker1] [Agent-info sync] Starting.
2021/03/29 07:05:27 INFO: [Worker worker1] [Agent-info sync] Finished in 0.001s (0 chunks received).
2021/03/29 07:05:31 INFO: [Master] [D API] Receiving request: check_user_master from worker1 (237771)

When an error occurs in the cluster, it appears in the logs under the ERROR: tag. A good first step when troubleshooting cluster issues is to check the following:

# grep -i error /var/ossec/logs/cluster.log

2019/04/10 15:37:58 wazuh-clusterd: ERROR: [Cluster] [Main] Could not get checksum of file client.keys: [Errno 13] Permission denied: '/var/ossec/etc/client.keys'

If the error log message doesn't provide enough detail to identify the issue, you can enable traceback logging by setting the log level to DEBUG2. To do this, run the following command:

# sed -i "s:wazuh_clusterd.debug=1:wazuh_clusterd.debug=2:g" /var/ossec/etc/internal_options.conf
# systemctl restart wazuh-manager
# grep -i error /var/ossec/logs/cluster.log -A 10

2019/04/10 15:50:37 wazuh-clusterd: ERROR: [Cluster] [Main] Could not get checksum of file client.keys: [Errno 13] Permission denied: '/var/ossec/etc/client.keys'
Traceback (most recent call last):
File "/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-5.0.0-py3.7.egg/wazuh/core/cluster/cluster.py", line 217, in walk_dir
    entry_metadata['blake2b'] = blake2b(os.path.join(common.ossec_path, full_path))
File "/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-5.0.0-py3.7.egg/wazuh/core/utils.py", line 555, in blake2b
    with open(fname, "rb") as f:
PermissionError: [Errno 13] Permission denied: '/var/ossec/etc/client.keys'

Having the traceback usually helps to understand what is happening.

There are two ways of configuring the log level:

Modifying the wazuh_clusterd.debug variable in the internal_options.conf file.
Using the argument -d in the wazuh-clusterd binary.

Wazuh package generation

Package generation involves compiling code, bundling necessary files and dependencies that can be distributed and installed in various operating environments. This guide describes how to generate Wazuh packages for different operating systems and platforms. The Wazuh server, indexer, and dashboard components can be deployed on a virtual machine and converted into an OVA-formatted VM using an automated script. You can also individually compile the Wazuh server, indexer, and dashboard packages into DEB and RPM Linux packages.

You can generate the Wazuh agent package for Linux, macOS, and Windows operating systems. It can also be generated as a Wazuh signed package (WPK) file for Linux, macOS, and Windows operating systems, which allows for remote upgrade of the Wazuh agents.

The Wazuh package generation guide is useful for developers who need to customize the Wazuh components to suit their needs. Wazuh is open source, so the package creation process is publicly available for anyone who requires it. However, most Wazuh users do not need to build packages because the official releases provide everything needed for standard use.

Contents

Virtual machine

In this section, we describe how to create a virtual machine (VM) in Open Virtual Appliance (OVA) format with the Wazuh server, dashboard, and indexer components pre-installed. The wazuh-virtual-machines/ova/generate_ova.sh script automates the creation of the VM. The VM works with any hypervisor, allowing quick setup of a single-node Wazuh deployment.

Requirements

You need a system with a minimum of 4 CPU cores and 8 GB of RAM to build the virtual machine. Ensure that these dependencies are installed on the system:

Creating the Wazuh VM

Follow the steps below to create the Wazuh virtual machine:

Clone the wazuh-virtual-machines repository and navigate to the ova/ directory. Select the version, for example, v5.0.0.

$ git clone https://github.com/wazuh/wazuh-virtual-machines && cd wazuh-virtual-machines/ova/ && git checkout v5.0.0

Execute the generate_ova.sh script to create the VM.

$ ./generate_ova.sh

. . .
Exporting ova
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Successfully exported 1 machine(s).
==> default: Destroying VM and associated drives...
wazuh-4.11.1.ovf
wazuh-4.11.1-disk001.vmdk
Setting up ova for VMware ESXi
Standardizing OVA
Setting OVA to default
wazuh-4.11.1.ovf
wazuh-4.11.1-disk001.vmdk
OVF extracted
mv: '/home/ubuntu/wazuh-virtual-machines/ova/new-ova/wazuh-4.11.1.ovf' and '/home/ubuntu/wazuh-virtual-machines/ova/new-ova/wazuh-4.11.1.ovf' are the same file
Files renamed
OVF Version changed
OVF Size changed
Manifest changed
wazuh-4.11.1.ovf
wazuh-4.11.1-disk-1.vmdk
wazuh-4.11.1.mf
New OVA created
Cleaned temporary directory
Process finished
. . .

The above command builds a VM with Wazuh central components. It uses production packages by default. If you are building a pre-release version, you must select the development package dev instead.

$ ./generate_ova.sh -r dev

The -r or --repository option selects the stage to use for the packages. For example:

prod: Packages released for production environments.
dev: Pre-release packages for testing and development purposes.

The generated virtual machine can be found in the /wazuh-virtual-machines/ova/output directory in .ova format.

Run the following command to check all available options:

$ ./generate_ova.sh -h

Usage: packages/generate_package.sh [OPTIONS]

  -b, --branch <branch>      [Optional] Select Git branch.
  -t, --target <target>      [Required] Target package to build: manager or agent.
  -a, --architecture <arch>  [Optional] Target architecture of the package [amd64/i386/ppc64le/arm64/armhf].
  -j, --jobs <number>        [Optional] Change number of parallel jobs when compiling the manager or agent. By default: 2.
  -r, --revision <rev>       [Optional] Package revision. By default: 0.
  -s, --store <path>         [Optional] Set the destination path of package. By default, an output folder will be created.
  -p, --path <path>          [Optional] Installation path for the package. By default: /var/ossec.
  -d, --debug                [Optional] Build the binaries with debug symbols. By default: no.
  -c, --checksum             [Optional] Generate checksum on the same directory than the package. By default: no.
  -l, --legacy               [Optional only for RPM] Build package for CentOS 5.
  --dont-build-docker        [Optional] Locally built docker image will be used instead of generating a new one.
  --tag                      [Optional] Tag to use with the docker image.
  --sources <path>           [Optional] Absolute path containing wazuh source code. This option will use local source code instead of downloading it from GitHub. By default use the script path.
  --is_stage                 [Optional] Use release name in package.
  --system                   [Optional] Select Package OS [rpm, deb]. By default is 'deb'.
  --src                      [Optional] Generate the source package in the destination directory.
  --future                   [Optional] Build test future package x.30.0 Used for development purposes.
  -h, --help                 Show this help.

Wazuh server

Wazuh provides an automated way of building DEB and RPM Wazuh server packages using Docker. Follow the steps below to create a Debian or RPM Wazuh server package:

Requirements

Ensure that these dependencies are installed on the system:

Docker
Git

Creating the Wazuh server package

Follow the steps below to create the Wazuh server package:

Clone the wazuh repository from GitHub and navigate to the packages/ directory. Select a version, for example, v5.0.0.
```
$ git clone https://github.com/wazuh/wazuh && cd wazuh/packages && git checkout v5.0.0
```
Run the below command to build a DEB or an RPM Wazuh server package:
Note

Use the following architecture equivalences:
- amd64 -> x86_64
- arm64 -> aarch64
- armhf -> armv7hl
# ./generate_package.sh -s /tmp -t manager -a amd64 -r my_rev --system deb
This command generates a Wazuh manager v5.0.0 DEB package with revision my_rev for x86_64 systems.
# ./generate_package.sh -s /tmp -t manager -a amd64 -r my_rev --system rpm
This command generates a Wazuh manager v5.0.0 RPM package with revision my_rev for x86_64 systems.

You can run the generate_package.sh script with the -h flag to explore your desired options:

$ ./generate_package.sh -h

Wazuh indexer

Wazuh provides an automated way of building the Wazuh indexer package. The package generation process is orchestrated by two scripts, which are located in the wazuh-indexer/packaging_scripts directory of the wazuh-indexer repository. The generation process is separated into two stages:

Build stage: In this stage, the Java application is compiled and bundled into a package using the build.sh script.
Assemble stage: In this stage, plugins and configuration files are added to the package from the previous step using the assemble.sh script. The package is then ready for deployment in production.

Note

Official packages are built through a GitHub Actions pipeline, but the process is designed to be flexible and adaptable, and not strictly tied to GitHub Actions. Additionally, act enables local testing and debugging of GitHub Actions workflows. The packages can also be built directly in a local Linux environment.

Prerequisites

Clone the wazuh-indexer repository and navigate to the wazuh-indexer/ directory. Select the version, for example, v5.0.0.
```
$ git clone https://github.com/wazuh/wazuh-indexer && cd wazuh-indexer && git checkout v5.0.0
```

Build stage

Docker environment

Follow the steps below to build the Wazuh indexer package using the provided Docker environment:

Run the ci.sh script to start the provisioned containers for package generation:
```
$ cd docker/ci/ && bash ./ci.sh up
```
Note

The provisioned container can be further managed using: ./ci.sh {up|down|stop}.

Run the following command to build the Wazuh indexer package using the Docker container:

$ docker exec -it wi-build_v5.0.0 bash packaging_scripts/build.sh -a x64 -d rpm

$ docker exec -it wi-build_v5.0.0 bash packaging_scripts/build.sh -a x64 -d deb

$ docker exec -it wi-build_v5.0.0 bash packaging_scripts/build.sh -a x64 -d tar

The generated package is sent to the wazuh-indexer/artifacts/dist directory.

Local package generation

For local package generation, use the build.sh script. Take a look at the build.yml workflow file for an example of usage.

# bash packaging_scripts/build.sh -a x64 -d tar -n $(bash packaging_scripts/baptizer.sh -a x64 -d tar -m)

The generated package is sent to the wazuh-indexer/artifacts/dist folder.

Assembly stage

Docker environment

Follow the steps below to assemble the generated Wazuh indexer package using the provided Docker environment:

Navigate to the wazuh-indexer/artifacts/dist directory to access the created packages from the build stage:
```
$ cd ../../artifacts/dist
```

Run the following commands to assemble the packages using the Docker container provisioned in the build stage with the ci.sh script:

# docker exec -it wi-assemble_5.0.0 bash packaging_scripts/assemble.sh -a x64 -d rpm

# docker exec -it wi-assemble_5.0.0 bash packaging_scripts/assemble.sh -a x64 -d deb

# docker exec -it wi-assemble_5.0.0 bash packaging_scripts/assemble.sh -a x64 -d tar

Local package generation

Follow the steps below to assemble the generated package locally for both RPM and DEB environments.

Note

Set the environment variable TEST=true to assemble a package with a minimal set of plugins. This will speed up the assembly process.

The assemble.sh script will use the output from the build.sh script and use it as a base to bundle together a final package containing the plugins, the production configuration, and the service files.

The script will:

Extract the RPM package using rpm2cpio and cpio tools.

By default, rpm2cpio and cpio tools expect the package to be in wazuh-indexer/artifacts/tmp/rpm. The script creates the required folder structure, copying also the min package and the SPEC file.

Current folder loadout at this stage:
```
/rpm/$ARCH
    /etc
    /usr
    /var
    wazuh-indexer-min-*.rpm
    wazuh-indexer.rpm.spec
```
usr, etc and var folders contain wazuh-indexer files, extracted from wazuh-indexer-min-*.rpm.

wazuh-indexer.rpm.spec is copied from wazuh-indexer/distribution/packages/src/rpm/wazuh-indexer.rpm.spec.

The wazuh-indexer-performance-analyzer.service file is also copied from the same folder. It is a dependency of the SPEC file.
Install the plugins using the opensearch-plugin CLI tool.
Set up configuration files. They are included in min-package. Default files are overwritten.
Bundle an RPM file with rpmbuild and the SPEC file wazuh-indexer.rpm.spec.

rpmbuild is part of the rpm OS package. rpmbuild is invoked from wazuh-indexer/artifacts/tmp/rpm.

It creates the {BUILD,RPMS,SOURCES,SRPMS,SPECS,TMP} folders and applies the rules in the SPEC file.

If successful, rpmbuild will generate the package in the RPMS/ folder.

The script will copy it to wazuh-indexer/artifacts/dist and cleanly remove the tmp\ folder and its contents.

Current folder loadout at this stage:
```
/rpm/$ARCH
    /{BUILD,RPMS,SOURCES,SRPMS,SPECS,TMP}
    /etc
    /usr
    /var
    wazuh-indexer-min-*.rpm
    wazuh-indexer.rpm.spec
```

For DEB packages, the assemble.sh script will perform the following operations:

Extract the DEB package using ar and tar tools.

By default, the ar and tar tools expect the package to be in the wazuh-indexer/artifacts/tmp/deb directory. The script creates the required folder structure, copying also the min package and the Makefile.

Current folder loadout at this stage:
```
artifacts/
|-- dist
|   |-- wazuh-indexer-min_5.0.0_amd64.deb
`-- tmp
    `-- deb
        |-- Makefile
        |-- data.tar.gz
        |-- debmake_install.sh
        |-- etc
        |-- usr
        |-- var
        `-- wazuh-indexer-min_5.0.0_amd64.deb
```
usr, etc and var folders contain wazuh-indexer files, extracted from wazuh-indexer-min-*.deb directory.

Makefile and the debmake_install are copied over from wazuh-indexer/distribution/packages/src/deb directory.

The wazuh-indexer-performance-analyzer.service file is also copied from the same folder. It is a dependency of the SPEC file.
Install the plugins using the opensearch-plugin CLI tool.
Set up configuration files. They are included in min-package. The default files are overwritten.

Bundle a DEB file with debmake and the Makefile.

debmake and other dependencies can be installed using the provision.sh script. The script is invoked by the GitHub Workflow.

Current folder loadout at this stage:

artifacts/
|-- artifact_name.txt
|-- dist
|   |-- wazuh-indexer-min_5.0.0_amd64.deb
|   `-- wazuh-indexer_5.0.0_amd64.deb
`-- tmp
    `-- deb
        |-- Makefile
        |-- data.tar.gz
        |-- debmake_install.sh
        |-- etc
        |-- usr
        |-- var
        |-- wazuh-indexer-min_5.0.0_amd64.deb
        `-- debian/
            | -- control
            | -- copyright
            | -- rules
            | -- preinst
            | -- prerm
            | -- postinst

The assembly process for tarballs consists on:

Extraction of the minimal package
Bundling of plugins
Addition of Wazuh configuration files and tooling
Compression

# bash packaging_scripts/assemble.sh -a x64 -d tar -r 1

Build and assemble scripts reference

The package generation process is guided through bash scripts. Below is a reference showing their inputs, outputs, and code:

scripts:
   - file: build.sh
     description: |
        generates a distribution package by running the appropiate Gradle task
        depending on the parameters.
     inputs:
        architecture: [x64, arm64] # Note: we only build x86_64 packages
        distribution: [tar, deb, rpm]
        name: the name of the package to be generated.
     outputs:
        package: minimal wazuh-indexer package for the required distribution.

   - file: assemble.sh
     description: |
        bundles the wazuh-indexer package generated in by build.sh with plugins,
        configuration files and demo certificates (certificates yet to come).
     inputs:
        architecture: [x64, arm64] # Note: we only build x86_64 packages
        distribution: [tar, deb, rpm]
        revision: revision number. 0 by default.
     outputs:
        package: wazuh-indexer package.

   - file: provision.sh
     description: Provision script for the assembly of DEB packages.

   - file: baptizer.sh
     description: generate the wazuh-indexer package name depending on the parameters.
     inputs:
        architecture: [x64, arm64] # Note: we only build x86_64 packages
        distribution: [tar, deb, rpm]
        revision: revision number. 0 by default.
        is_release: if set, uses release naming convention.
        is_min: if set, the package name will start by `wazuh-indexer-min`. Used on the build stage.
     outputs:
        package: the name of the wazuh-indexer package

Wazuh dashboard

Wazuh provides an automated way of building the Wazuh dashboard package locally and using a Docker image. The build-packages.sh script, located in the dev-tools/build-packages/ folder in the wazuh-dashboard repository, orchestrates the Wazuh dashboard package generation process. This script bundles plugins into a single application and supports tar, rpm, and deb distributions. It accepts the following parameters:

version
revision
distribution
wazuh-dashboard, wazuh-dashboard-plugins, wazuh-security-dashboards-plugin, and wazuh-dashboard-reporting package paths.

Note

Official packages are built through a GitHub Actions pipeline, but the process is designed to be flexible, adaptable, and not strictly tied to GitHub Actions. Additionally, act enables local testing and debugging of GitHub Actions workflows. The packages can also be built directly in a local Linux environment.

Building locally

This section shows how to build the DEB or RPM Wazuh dashboard package locally using NVM and Yarn.

Requirements

Ensure that these dependencies are installed on the system.

Docker: Refer to the Docker installation guide.
NVM (Node Version Manager): Refer to the NVM installation guide.
Yarn v1.22.22 (Node Package Manager): Refer to the Yarn installation guide.
Utilities. Ensure that the following are installed:
- zip
- unzip
- gzip
- brotli
- curl

Generating zip packages

To use the build-packages.sh script, you first need to generate the packages from these repositories:

wazuh-dashboard
wazuh-security-dashboards-plugin
wazuh-dashboard-plugins
wazuh-dashboard-reporting

Follow the steps below to build the packages:

Clone the wazuh-dashboard repository, navigate to the wazuh-dashboard/ directory, and build the application:

$ git clone -b v5.0.0 https://github.com/wazuh/wazuh-dashboard.git && cd wazuh-dashboard/
$ nvm install $(cat .nvmrc)
$ nvm use $(cat .nvmrc)
$ yarn osd bootstrap
$ yarn build-platform --linux --skip-os-packages --release

Clone the wazuh-security-dashboards-plugin repository in the wazuh-dashboard/plugins folder and build the plugin:

Note

Run the following commands while in the wazuh-dashboard/ directory.
```
$ cd plugins/
$ git clone -b v5.0.0 https://github.com/wazuh/wazuh-security-dashboards-plugin.git
$ cd wazuh-security-dashboards-plugin/
$ yarn
$ yarn build
```

Clone the wazuh-dashboard-plugins repository in the wazuh-dashboard/plugins folder, move into the wazuh-dashboard-plugins/ folder, and build the plugins:

Note

The yarn build command requires an entry specifying the OpenSearch Dashboard version. This version can be obtained from the wazuh-dashboard-plugins/package.json file.

$ cd ../
$ git clone -b v5.0.0 https://github.com/wazuh/wazuh-dashboard-plugins.git
$ cd wazuh-dashboard-plugins/
$ nvm install $(cat .nvmrc)
$ nvm use $(cat .nvmrc)
$ cp -r plugins/* ../
$ cd ../main
$ yarn
$ yarn build
$ cd ../wazuh-core/
$ yarn
$ yarn build
$ cd ../wazuh-check-updates/
$ yarn
$ yarn build

Clone the wazuh-dashboard-reporting repository in the wazuh-dashboard/plugins folder and build the plugin:

Note

Run the following commands while in the wazuh-dashboard/ directory.
```
$ cd plugins/
$ git clone -b v5.0.0 https://github.com/wazuh/wazuh-dashboard-reporting.git
$ cd wazuh-dashboard-reporting/
$ yarn
$ yarn build
```

Zip the packages and move them to the packages folder

$ cd ../../../
$ mkdir packages
$ cd packages
$ zip -r -j ./dashboard-package.zip ../wazuh-dashboard/target/opensearch-dashboards-2.*.*-linux-x64.tar.gz
$ zip -r -j ./security-package.zip ../wazuh-dashboard/plugins/wazuh-security-dashboards-plugin/build/security-dashboards-2.*.*.0.zip
$ zip -r -j ./wazuh-package.zip ../wazuh-dashboard/plugins/wazuh-check-updates/build/wazuhCheckUpdates-2.*.*.zip ../wazuh-dashboard/plugins/main/build/wazuh-2.*.*.zip ../wazuh-dashboard/plugins/wazuh-core/build/wazuhCore-2.*.*.zip
$ zip -j ./reporting-package.zip ../wazuh-dashboard/plugins/wazuh-dashboard-reporting/build/reportsDashboards-*.*.*.zip
$ ls

After completing the previous steps, you will have four packages in the packages folder:

dashboard-package.zip
security-package.zip
wazuh-package.zip
reporting-package.zip

Using the script

Run the build-packages.sh script in the dev-tools/build-packages/ folder of the repository. The script requires the following parameters:

-c, --commit-sha: Commit SHA identifier for the build (see Generating the commit SHA below).
-r: Revision of the package.
--deb or --rpm: Distribution of the package.
-a: Path to the wazuh-package.zip.
-s: Path to the security-package.zip.
-b: Path to the dashboard-package.zip.
-rp: Path to the reporting-package.zip.

$ cd ../wazuh-dashboard/dev-tools/build-packages/
$ ./build-packages.sh --commit-sha <COMMIT_SHA> -r <REVISION> --<DISTRIBUTION> -a file:///<PATH_TO_wazuh-package.zip> -s file:///<PATH_TO_security-package.zip> -b file:///<PATH_TO_dashboard-package.zip> -rp file:///<PATH_TO_reporting-package.zip>

Where --<DISTRIBUTION> is either --deb or --rpm.

Replace the placeholders as shown in the example below.

Example:

$ cd ../wazuh-dashboard/dev-tools/build-packages/
$ ./build-packages.sh --commit-sha c68286b87-b917f56ac-970c46953-a68286b87 -r 1 --deb -a file:///packages/wazuh-package.zip -s file:///packages/security-package.zip -b file:///packages/dashboard-package.zip -rp file:///packages/reporting-package.zip

The script generates the package in the output folder of the same directory where it is located. To see the generated package, run the command: ls output/deb.

Generating the commit SHA

Run the following command in each relevant repository to obtain individual SHAs. Ensure you are on the correct branch in each repository.

$ git rev-parse --short HEAD

Repository	SHA Variable
wazuh-dashboard	`<DASHBOARD_COMMIT_SHA>`
wazuh-dashboard-plugins	`<PLUGINS_COMMIT_SHA>`
wazuh-security-dashboards-plugin	`<SECURITY_COMMIT_SHA>`
wazuh-dashboard-reporting	`<REPORTING_COMMIT_SHA>`

Concatenate individual SHAs in the following format. The resulting commit SHA is used for package versioning and build tracking.
```
<DASHBOARD_COMMIT_SHA>-<PLUGINS_COMMIT_SHA>-<SECURITY_COMMIT_SHA>-<REPORTING_COMMIT_SHA>
```
Example:
```
c68286b87-b917f56ac-970c46953-a68286b87
```

Build with Docker image

With this option, you can create an image that has the package in tar.gz format, and then, if desired you can use the created package to generate the deb or rpm file.

Requirements

Ensure that these dependencies are installed on the system.

Docker: Refer to Docker installation guide.
Internet connection to download the Docker images for the first time.
Utilities: Ensure the following are available:
- jq
- curl

Building the Wazuh dashboard package using Docker

Clone the wazuh-dashboard repository, navigate to the wazuh-dashboard/dev-tools/build-packages/ directory, and build the application.
```
$ git clone -b v5.0.0 https://github.com/wazuh/wazuh-dashboard.git
$ cd wazuh-dashboard/dev-tools/build-packages/
```

Build the Docker image with the following parameters:

NODE_VERSION: Node version to use in the .nvmrc file.
WAZUH_DASHBOARDS_BRANCH: Branch of the Wazuh dashboards repository.
WAZUH_DASHBOARDS_PLUGINS: Branch of the Wazuh dashboards Plugins repository.
WAZUH_SECURITY_DASHBOARDS_PLUGIN_BRANCH: Branch of the Wazuh Security Dashboards Plugin repository.
WAZUH_DASHBOARD_REPORTING_BRANCH: Branch of the Wazuh dashboard reporting repository.
OPENSEARCH_DASHBOARDS_VERSION: Version of the OpenSearch Dashboards. You can find the version in the package.json file of the Wazuh dashboards repository.
-t: Tag of the image.

$ docker build \
--build-arg NODE_VERSION=<NODE_VERSION> \
--build-arg WAZUH_DASHBOARDS_BRANCH=<BRANCH_OF_wazuh-dashboard> \
--build-arg WAZUH_DASHBOARDS_PLUGINS=<BRANCH_OF_wazuh-dashboard-plugins> \
--build-arg WAZUH_SECURITY_DASHBOARDS_PLUGIN_BRANCH=<BRANCH_OF_wazuh-security-dashboards-plugin> \
--build-arg WAZUH_DASHBOARD_REPORTING_BRANCH=<BRANCH_OF_wazuh-dashboard-reporting> \
--build-arg OPENSEARCH_DASHBOARDS_VERSION=<OPENSEARCH_DASHBOARDS_VERSION> \
-t <TAG_OF_IMAGE> \
-f wazuh-dashboard.Dockerfile .

Replace the placeholders as shown in the example below.

$ docker build \
--build-arg NODE_VERSION=$(cat ../../.nvmrc) \
--build-arg WAZUH_DASHBOARDS_BRANCH=v5.0.0 \
--build-arg WAZUH_DASHBOARDS_PLUGINS=v5.0.0 \
--build-arg WAZUH_SECURITY_DASHBOARDS_PLUGIN_BRANCH=v5.0.0 \
--build-arg WAZUH_DASHBOARD_REPORTING_BRANCH=v5.0.0 \
--build-arg OPENSEARCH_DASHBOARDS_VERSION=3.3.0 \
-t wzd:v5.0.0 \
-f wazuh-dashboard.Dockerfile .

Run the Docker image:

$ docker run -d --rm --name wazuh-dashboard-package wzd:v5.0.0 tail -f /dev/null

Copy the package to the host and replace <PATH_TO_SAVE_THE_PACKAGE> with the path where you want to save the package:
```
$ docker cp wazuh-dashboard-package:/home/node/packages/. <PATH_TO_SAVE_THE_PACKAGE>
```
Example:
```
$ docker cp wazuh-dashboard-package:/home/node/packages/. /
```
This copies the final package and the packages that were used to generate the final package.
Optional. If you want to generate the .deb or .rpm file, you can use the script launcher.sh in the dev-tools/build-packages/rpm/ or dev-tools/build-packages/deb/ folder of the repository with the following parameters:
- -v: Version of the package.
- -r: Revision of the package.
- -p: Path to the package in tar.gz format generated in the previous step
```
$ ./launcher.sh -v <VERSION> -r <REVISION> -p <PATH_TO_PACKAGE>
```
Replace the placeholders as shown in the example below.

Example:
```
$ ./launcher.sh -v 5.0.0 -r 1 -p file:///wazuh-dashboard-5.0.0-1-linux-x64.tar.gz
```
The package will be generated in the output folder of the rpm or deb folder.

Wazuh agent

In this section, we show how to generate the Wazuh agent package for different environments using dedicated automation scripts. We show package generation for Linux, macOS, Windows, and Wazuh signed packages (WPK).

Follow the steps outlined in each sub-section to build the Wazuh agent package for your preferred environment.

Linux endpoint

Wazuh provides an automated way of building DEB and RPM Linux agent packages using Docker.

Requirements

Ensure that you meet the following requirements to continue:

Docker
Git

Creating the agent package

Follow the steps below to create the Wazuh DEB and RPM agent packages:

Clone the wazuh repository from GitHub and navigate to the packages/ directory. Select the version, v5.0.0.
```
$ git clone https://github.com/wazuh/wazuh && cd wazuh/packages && git checkout v5.0.0
```
Run the command below to build a DEB or an RPM Wazuh agent package:
Note

Use the following architecture equivalences:
- amd64 -> x86_64
- arm64 -> aarch64
- armhf -> armv7hl
# ./generate_package.sh -t agent -a amd64 -p /opt/ossec --system deb
This command generates a Wazuh agent v5.0.0 DEB package with /opt/ossec/ as the installation directory for x86_64 systems.
# ./generate_package.sh -t agent -a amd64 -p /opt/ossec --system rpm
This command generates a Wazuh agent v5.0.0 RPM package with /opt/ossec/ as the installation directory for x86_64 systems.

You can run the generate_package.sh script with the -h flag to explore your desired options:

$ ./generate_package.sh -h

macOS endpoint

Wazuh provides an automated way of building the Wazuh agent package for macOS environments.

Note

To build the Wazuh agent package for macOS, you must perform this operation in a macOS environment.

Requirements

Ensure that you meet the following requirements to continue.

Packages
Brew
git: Install with Homebrew using this command: brew install git.

If Packages and Brew are not already installed on your system, they will be installed when you run the generate_wazuh_packages.sh script below.

Creating the agent package

Follow the steps below to create a macOS package:

Clone the wazuh repository from GitHub and navigate to the macos/ directory. Select the version, v5.0.0.

$ git clone https://github.com/wazuh/wazuh && cd wazuh/packages && git checkout v5.0.0 && cd macos

Install the build dependencies using the command:
```
$ ./generate_wazuh_packages.sh -i
```
Build the macOS package. Find some examples below.
```
# ./generate_wazuh_packages.sh -s /tmp
```
This will build a version v5.0.0 Wazuh agent macOS package and store it in /tmp.
```
# ./generate_wazuh_packages.sh -s /tmp -j 6
```
This will also build a v5.0.0 Wazuh agent macOS package and store it in /tmp but will use 6 jobs to compile the sources.
```
# ./generate_wazuh_packages.sh -s /tmp -j 6 -c
```
In addition to the previous settings, this will generate a .sha512 file containing the checksum of the package.

You can run the generate_package.sh script with the -h flag to explore your desired options:

$ ./generate_package.sh -h

Apple notarization process

With macOS Mojave, Apple introduced the notarization process to improve the security of the final users. With macOS Mojave is recommended to notarize any installer/app, but with the release of macOS Catalina, it is mandatory to notarize any app or installer distributed outside of the App Store. To successfully notarize your package, you must have the following items:

Apple developer ID: This is used to request the certificates to sign the binaries, the .pkg file, and notarize the package. You can request one using the signing your apps for gatekeeper documentation. Besides, you need to enable two-factor authentication (2FA) and enroll in the Apple Developer program.
Apple application certificate and apple installer certificate: These certificates are used to sign the code and the .pkg file. In the create developer ID certificates documentation, you can find more information about how to request them. Once you have downloaded them, you must add them to your login keychain and make sure that codesign and productsign can access the certificates and the private key.
Xcode 10 or greater: To properly sign the binaries, sign the package, and notarize it, you must install and download it.
Temporary password for xcrun altool: To notarize the package, you must use your Apple Developer ID and your password, but, for security reasons, only application specific passwords are allowed. To request one, you can use the sign in to apps with your Apple Account using app-specific passwords documentation.

Once you have set up the environment, you can build and notarize the package as follows:

$ sudo ./generate_wazuh_packages.sh -j 4 -r 1 --notarize \
  --keychain "/Users/<USERNAME>/Library/Keychains/login.keychain-db" \
  --application-certificate <YOUR_DEVELOPER_ID_APPLICATION> \
  --installer-certificate <YOUR_DEVELOPER_ID_INSTALLATION> \
  --developer-id <YOUR_APPLE_ID@email.com> --keychain-password <LOGIN_PASSWORD> \
  --altool-password <TEMPORARY_PASSWORD_FOR_ALTOOL>

The script will automatically sign the code and enable the hardened runtime, build the package and sign it, upload the package for its notarization. Once it is notarized, the script will staple the notarization ticket to the package. The package can then be installed on those hosts without an internet connection.

The result of the notarization will be stored in the wazuh/packages/macos/request_result.txt file.

Common issues

xcrun: error: unable to find utility "altool", not a developer tool or in PATH: This error appears when xcrun is unable to find altool. To solve this, you need to run:
```
$ sudo xcode-select -r
```
If this doesn't solve the issue, you need to specify the path where Xcode is installed or unpacked:
```
$ sudo xcode-select -s </PATH_TO_Xcode.app>
```
errSecInternalComponent when running codesign: Check the status of the login keychain. To solve it, you need to close all the keychains and then run the script again.
error: The specified item could not be found in the keychain: This error may appear if codesign or productsign can't access the Certificates, the private key or both. Check in the Keychain of your Mac hosts if they can be read by codesign and productsign.

Additional information

Windows endpoint

Wazuh simplifies the process of building Windows agent packages by providing an automated tool specifically designed for this purpose.

Requirements

Ensure that you meet the following requirements to continue.

Creating the agent package

Follow the steps below to generate a Windows agent package:

Note

The automated tool must be executed within a Windows system to ensure compatibility and proper functionality.

The process of successfully generating the Windows Microsoft Software Installer (MSI) package consists of two key stages:

Windows agent compilation: This step requires a Unix-based system with both Docker and Git installed. The Unix environment is necessary for compiling the Windows agent before packaging.
Windows MSI package generation: Once the agent is compiled, a Windows-based system is needed to create the MSI package. This system must have the WiX Toolset, .NET Framework 4.8.1, and the Microsoft Windows SDK installed, as these tools are essential for packaging and installer creation.

Compiling the Windows package

Clone the wazuh repository from GitHub and navigate to the windows/ directory. Select the version, v5.0.0.

$ git clone https://github.com/wazuh/wazuh && cd wazuh/packages && git checkout v5.0.0 && cd windows

Execute the generate_compiled_windows_agent.sh script. This script will build a Docker image with all the necessary tools to compile and obtain the Windows agent compiled in a ZIP file.
```
$ ./generate_compiled_windows_agent.sh -o winagent -s <PATH_TO_AGENT.ZIP>
```
Replace <PATH_TO_AGENT.ZIP> with the path to the directory where to store the zip file.

Note

The -s parameter needs an absolute path. This is where the ZIP file containing the compiled Windows agent will be stored.

Generating the MSI package

After obtaining the ZIP file containing the compiled Wazuh agent, you need to transfer it along with the generate_wazuh_msi.ps1 script to the target Windows host. One way to securely transfer these files from a Linux or macOS system is by using SCP (Secure Copy Protocol).

To transfer the files via SCP, use the following command from your Windows machine:

> scp USERNAME@LINUX_HOST_IP:/<PATH_TO_AGENT.ZIP> C:\Users\<PATH_TO_WORKING_DIRECTORY>
> scp USERNAME@LINUX_HOST_IP:/<PATH_TO_SCRIPT> C:\Users\<PATH_TO_WORKING_DIRECTORY>

Replace:

USERNAME with your Linux user account.
LINUX_HOST_IP with the IP address of the Linux system.
<PATH_TO_AGENT.ZIP> with the full path to the agent ZIP file on the Linux system.
<PATH_TO_SCRIPT> with the full path to the PowerShell script on the Linux system.
<PATH_TO_WORKING_DIRECTORY> with the full path to where to store the copied files on the Windows system.

Once the files are transferred, you can extract the ZIP file on the Windows host using PowerShell (version 5 or higher) with the following command:

> Expand-Archive -LiteralPath .\COMPRESSED_AGENT .\

Replace COMPRESSED_AGENT with the path to the zip file containing the compressed agent. Then copy the generate_wazuh_msi.ps1 script into the src/win32 directory.

> cp generate_wazuh_msi.ps1 .\AGENT_UNCOMPRESSED_FOLDER\src\win32

Execute the generate_wazuh_msi.ps1 script:

> cd .\AGENT_UNCOMPRESSED_FOLDER\src\win32
> .\generate_wazuh_msi.ps1

Note

The generate_wazuh_msi.ps1 script requires cv2pdb.exe V3 to function correctly. Ensure that cv2pdb.exe is accessible via the system's PATH. Using an incompatible version may result in errors or unexpected behavior.

This tool can be used to generate the Windows Wazuh agent msi package.

PARAMETERS TO BUILD WAZUH-AGENT MSI (OPTIONALS):
    1. MSI_NAME: MSI package name output.
    2. SIGN: yes or no. By default 'no'.
    3. WIX_TOOLS_PATH: Wix tools path.
    4. SIGN_TOOLS_PATH: sign tools path.
    5. CERTIFICATE_PATH: Path to the .pfx certificate file.
    6. CERTIFICATE_PASSWORD: Password for the .pfx certificate file.

USAGE:

    * WAZUH:
      $ ./generate_wazuh_msi.ps1  -MSI_NAME {{ NAME }} -SIGN {{ yes|no }} -WIX_TOOLS_PATH {{ PATH }} -SIGN_TOOLS_PATH {{ PATH }}
        Build a devel msi:    $ ./generate_wazuh_msi.ps1 -MSI_NAME wazuh-agent_4.11.1-1_windows_0ceb378.msi -SIGN no
        Build a prod msi:     $ ./generate_wazuh_msi.ps1 -MSI_NAME wazuh-agent-4.11.1-1.msi -SIGN yes

> ./generate_wazuh_msi.ps1 -MSI_NAME WAZUH_PACKAGE.msi -SIGN no  -WIX_TOOLS_PATH "C:\Program Files (x86)\WiX Toolset v3.14\bin"

Replace WAZUH_PACKAGE with your desired name for the output MSI package.

Use the command below to use a specific certificate and password.

> ./generate_wazuh_msi.ps1 -MSI_NAME WAZUH_PACKAGE.msi -SIGN yes -WIX_TOOLS_PATH "C:\Program Files (x86)\WiX Toolset v3.14\bin" -CERTIFICATE_PATH .\certificate.pfx -CERTIFICATE_PASSWORD mypassword

If you don't specify the CERTIFICATE_PATH and CERTIFICATE_PASSWORD parameters, the best-matching certificate from the Certificate Store is selected for signing the package. For more details, check the /a option of the sign command in SignTool.

If the WIX_TOOLS and/or SIGN_TOOLS binaries are not added to the environment PATH, specify the path as shown below:

> ./generate_wazuh_msi.ps1 -MSI_NAME mypackage.msi -SIGN yes -WIX_TOOLS_PATH C:\PATH_TO_WIX_TOOL_FILES -SIGN_TOOLS_PATH C:\PATH_TO_SIGN_TOOL_FILES

Wazuh signed package (WPK)

Wazuh signed package (WPK) is a lightweight package format that includes the agent binaries along with a digital signature to ensure its integrity. It is particularly useful for remotely upgrading Wazuh agents directly from the Wazuh manager, eliminating the need for external configuration management tools.

Wazuh provides an automated way of building WPK using Docker, so there is no need for any other dependencies.

To generate a WPK package, you need an X509 certificate and a certificate authority (CA). See Creating a custom WPK to learn more.

Follow the steps below to create a WPK package:

Requirements

Ensure that you meet the following requirements to continue.

Docker
Git

Initial steps

Clone the wazuh repository and navigate to the wpk/ directory. Select the version, v5.0.0.

# git clone https://github.com/wazuh/wazuh && cd wazuh/packages && git checkout v5.0.0 && cd wpk

Execute the generate_wpk_package.sh script:

# ./generate_wpk_package.sh -h

This script will build a Docker image with all the necessary tools to create the WPK and run a container that will build it:

Usage: ./generate_wpk_package.sh [OPTIONS]
It is required to use -k or --aws-wpk-key, --aws-wpk-cert parameters

    -t,   --target-system <target> [Required] Select target wpk to build [linux/windows/macos].
    -b,   --branch <branch>        [Required] Select Git branch.
    -d,   --destination <path>     [Required] Set the destination path of package.
    -pn,  --package-name <name>    [Required] Path to package file (rpm, deb, apk, msi, pkg) to pack in wpk.
    -o,   --output <name>          [Required] Name to the output package.
    -k,   --key-dir <path>         [Optional] Set the WPK key path to sign package.
    --aws-wpk-key                  [Optional] AWS Secrets manager Name/ARN to get WPK private key.
    --aws-wpk-cert                 [Optional] AWS secrets manager Name/ARN to get WPK certificate.
    --aws-wpk-key-region           [Optional] AWS Region where secrets are stored.
    -c,   --checksum               [Optional] Generate checksum on destination folder. By default: no.
    --dont-build-docker            [Optional] Locally built docker image will be used instead of generating a new one. By default: yes.
    --tag <name>                   [Optional] Tag to use with the docker image.
    -h,   --help                   Show this help.

To use this tool, the previously required certificate and the key must be created in a dedicated directory.

Linux

To build a WPK for Linux, you need to first download a package of the desired version.

The following steps demonstrate the build process for Debian amd64, but you can follow similar steps for RPM-based distributions and other supported architectures:

Download the Linux debian package:

# curl -O https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_5.0.0-1_amd64.deb

Run the generate_wpk_package.sh script to build the Linux WPK package:
```
# ./generate_wpk_package.sh -t linux -b v5.0.0 -d /tmp/wpk -k <PATH_TO_KEYS> -o LinuxAgent.wpk -pn Wazuh-agent_5.0.0-1_amd64.deb
```
Replace <PATH_TO_KEYS> with the full path to where the X509 certificate and root CA are stored.

This script builds a Wazuh 5.0.0 Linux WPK package named LinuxAgent.wpk and stores it in /tmp/wpk. This action is done using the previously generated keys that are saved in /tmp/keys.

If you use the -c or --checksum option, a file containing the SHA512 checksum is created in the same output path. This location is configurable, allowing you to indicate where you want to store it.

macOS

To build a WPK for macOS, you need to first download a PKG package of the desired version:

The following steps demonstrate the build process for an intel64 architecture, but you can follow similar steps for arm64:

Download the intel64 package:

# curl -O https://packages.wazuh.com/4.x/macos/wazuh-agent-5.0.0-1.intel64.pkg

Run the generate_wpk_package.sh script to build the macOS WPK package:
```
# ./generate_wpk_package.sh -t macos -b v5.0.0 -d /tmp/wpk -k /PATH/TO/KEYS -o macOSAgent.wpk -pn wazuh-agent-5.0.0-1.intel64.pkg
```
Replace /PATH/TO/KEYS with the full path to where the X509 certificate and root CA are stored.

This script builds a Wazuh 5.0.0 macOS WPK package named macOSAgent.wpk and stores it in /tmp/wpk. This action is done using the previously generated keys that are saved in /tmp/keys.

If the -c or --checksum option is used, a file is created containing the SHA512 checksum in the same output path. This location is configurable, and you can indicate where you want to store it.

Windows

To build a WPK for Windows, you need to first download an MSI package of the desired version:

Download the intel64 package:

# curl -O https://packages.wazuh.com/4.x/windows/wazuh-agent-5.0.0-1.msi

Run the generate_wpk_package.sh script to build the Windows WPK package:
```
# ./generate_wpk_package.sh -t windows -b v5.0.0 -d /tmp/wpk -k /<PATH_TO_KEYS> -o WindowsAgent.wpk -pn /tmp/wazuh-agent-5.0.0-1.msi
```
Replace <PATH_TO_KEYS> with the full path to where the X509 certificate and root CA are stored.

This script builds a Wazuh 5.0.0 Windows WPK package named WindowsAgent.wpk and stores it in /tmp/wpk. This action is done using the previously generated keys that are saved in /tmp/keys.

If the -c or --checksum option is used, a file is created containing the SHA512 checksum in the same output path. This location is configurable, and you can indicate where you want to store it

Using checksums

Run the command below to build a WPK with a checksum:

# ./generate_wpk_package.sh -t linux -b v5.0.0 -d /tmp/wpk -k /<PATH_TO_KEYS> -o LinuxAgent.wpk -pn wazuh-agent_5.0.0-1_amd64.deb -c /tmp/wpk_checksum

Replace <PATH_TO_KEYS> with the full path to where the X509 certificate and root CA are stored.

Wazuh-Logtest

The Wazuh Logtest tool is designed to help users test and validate decoders, rules, and event parsing logic. It allows security engineers and developers to simulate how Wazuh will interpret specific log messages without needing to inject them into a live agent or production environment. This tool is particularly helpful when writing and debugging custom rules and decoders, as well as when troubleshooting false positives and false negatives, ensuring more accurate and reliable alerting.

The Wazuh-Logtest tool is accessible across different components within the Wazuh ecosystem:

Core Logtest engine: This is the underlying engine that powers Wazuh log testing. It is integrated directly into the wazuh-analysisd daemon, which is responsible for log analysis and rule evaluation.
Wazuh Server API: This provides a remote interface to the Core Logtest engine, allowing users to send sample log messages and receive parsing results. This is particularly useful for automating rule testing or integrating with external tools.
Wazuh CLI Logtest tool: This is a command-line utility that provides a user-friendly way to test log messages locally, leveraging the same Core Logtest engine used by the Wazuh server API.

Wazuh server API and Wazuh-Logtest tool connect to the wazuh-analysisd session manager. This session manager works as a sandbox with the rules engine, isolating different users with their own rules and decoders.

The image below illustrates how the user logs test flow through the Wazuh environment.

Sessions

Wazuh-Logtest is based on the use of isolated sessions, identified with a "token". Each session stores its own history of events, rules and decoders loaded. When the log evaluation is requested for the first time, the session manager creates a new session, processing and returning the result along with the alphanumeric token as identification of the new session.

Idle session collector

The idle session collector runs every session_timeout seconds. This parameter is defined in the rule_test section of the ossec.conf file. Every time the collector starts, it searches for sessions that have been idle longer than the time specified in session_timeout to close them.

The following illustration shows how the collector runs on T0, T1, T2 ... At the moment the session generates its last request, between T0 and T1, its timeout is between T1 and T2, then on T2 the collector closes the session.

Session lifetime

Sessions have a default expiration time of 15 minutes. When a session remains idle with no log processing requests during that period, the idle session collector closes the session. Requests with an expired session token are also processed, generate a new session token and notify the user.

RBAC database integrity

The integrity of the role based access control (RBAC) database is checked when the Wazuh server API starts. The result of this check determines whether the database needs an update or not. The integrity check allows the following:

Upgrade to a Wazuh version where this version includes breaking changes in the RBAC database structure or new default resources.
Restore the RBAC database with its default RBAC resources if it was manually deleted. This allows restoring the RBAC database to a fresh install state if needed.

Warning

User-created resources are lost when the database is restored with default resources.

How the database upgrade process works

During the RBAC database integrity check, Wazuh compares its RBAC database version with the installed one. If they don't match, the database upgrade process is triggered.

Here is an abridged list of steps performed during the database upgrade process:

A new RBAC database file is created and the default Wazuh RBAC resources for the installed version are added to it.
Every user created RBAC resource is migrated from the old database to the new one, maintaining its ID, name and other details.
In case a user-created RBAC resource coincides with one of the new default Wazuh RBAC resources, the following actions are carried out:
1. If the user-created user has the same name as a default user, the user-created user is renamed appending '_user' to its name.
2. If the user-created role has the same name as a default role, the first one is renamed appending '_user' to its name.
3. If the user-created rule has the same name or body as a default rule, the relationships of the first one are migrated to the new default rule.
4. If the user-created policy has the same name or body as a default policy, the relationships of the first one are migrated to the new default policy.
Relationships between RBAC user-created resources are added to the new database.
Relationships between RBAC user created resources and default ones are updated:
1. If the default resource does not exist in the new version, the relationships between user created resources and the deleted resources are removed.
2. If the default resource has a different ID in the new version, the relationships between user created resources and the default resource are updated to match the new ID and keep the old functionality.
3. In any other case, the relationships between user created resources and the default resources are kept.
The old RBAC database file is replaced by the new one.

Migration examples

After upgrading from a Wazuh version with RBAC database version 0 to 1, WAZUH_PATH/logs/api.log:

2022/06/17 09:44:04 INFO: Checking RBAC database integrity...
2022/06/17 09:44:04 INFO: /var/ossec/api/configuration/security/rbac.db file was detected
2022/06/17 09:44:04 INFO: RBAC database migration required. Current version is 0 but it should be 1. Upgrading RBAC database to version 1
2022/06/17 09:44:09 INFO: /var/ossec/api/configuration/security/rbac.db database upgraded successfully
2022/06/17 09:44:09 INFO: RBAC database integrity check finished successfully
2022/06/17 09:44:12 INFO: Listening on ['0.0.0.0', '::']:55000..

After upgrading from a Wazuh version with RBAC database version 0 to 1, with the old DB having a user that is a default user in the new version:

WAZUH_PATH/logs/api.log:

2022/06/17 10:00:21 INFO: /var/ossec/api/configuration/security/rbac.db file was detected
2022/06/17 10:00:21 INFO: RBAC database migration required. Current version is 0 but it should be 1. Upgrading RBAC database to version 1
2022/06/17 10:00:25 WARNING: User 100 (example) is part of the new default users. Renaming it to 'example_user'
2022/06/17 10:00:26 INFO: /var/ossec/api/configuration/security/rbac.db database upgraded successfully
2022/06/17 10:00:26 INFO: RBAC database integrity check finished successfully
2022/06/17 10:00:29 INFO: Listening on ['0.0.0.0', '::']:55000..

GET /security/users response:

{
  "data": {
    "affected_items": [
      {
        "id": 1,
        "username": "wazuh",
        "allow_run_as": true,
        "roles": [
          1
        ]
      },
      {
        "id": 2,
        "username": "wazuh-wui",
        "allow_run_as": true,
        "roles": [
          1
        ]
      },
      {
        "id": 3,
        "username": "example",
        "allow_run_as": true,
        "roles": []
      },
      {
        "id": 100,
        "username": "example_user",
        "allow_run_as": false,
        "roles": [
          100
        ]
      }
    ],
    "total_affected_items": 4,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All specified users were returned",
  "error": 0
}

Configuring core dump generation

A core dump or crash dump is a snapshot of the memory of a process taken when a program terminates abnormally, such as due to a crash or unhandled error. The operating system on a monitored endpoint can automatically generate core dumps. These dumps are valuable for diagnosing frozen processes. Alongside environment information, such as the operating system version, they offer insights into the cause of a crash.

Red Hat based OSs

Follow the steps below to enable core dump on RedHat based systems:

Edit the /etc/systemd/system.conf file and add the following lines.
```
DumpCore=yes
DefaultLimitCORE=infinity
```

Edit the /etc/sysctl.d/core.conf file and add the following lines:

kernel.core_pattern = /var/lib/coredumps/core-%e-pid%p-time%t
kernel.core_uses_pid = 1
fs.suid_dumpable = 2

Create the /var/lib/coredumps directory and grant it permissions 773:
```
# mkdir /var/lib/coredumps
# chmod 700 /var/lib/coredumps
```
Reboot the system.
After system reboot, set the core ulimit to unlimited in your terminal:
```
# ulimit -c unlimited
# sysctl -p
```
Restart the Wazuh agent:
```
# /var/ossec/bin/wazuh-control restart
```

Debian based OSs

In Linux version 2.41 and later, a template defines the location and name of the generated core dump files. Earlier versions generate the core dump files next to the location of the file that caused the error.

Using systemd

Systemd allows centralized management and configuration of core dumps across your system. To set up core dump generation with systemd, use the built-in features as follows:

Install the Systemd core dump package:
```
# apt install systemd-coredump
```

Check that the Systemd core dump unit socket is active:

# systemctl status systemd-coredump.socket

systemd-coredump.socket - Process Core Dump Socket
     Loaded: loaded (/lib/systemd/system/systemd-coredump.socket; static)
    Active: active (listening)...

Edit the /etc/systemd/coredump.conf file, and add the following lines to enable core dump collection and set external core dump storage. To disable core dump generation you must set Storage=none.
```
[Coredump]
Storage=external
```
Recommended – Add this configuration to the /etc/systemd/coredump.conf file to set a size limit for core dump files. For example, 2 GB.
```
ProcessSizeMax=2G
```
Restart the systemd-coredump service to apply the changes.
```
# systemctl restart systemd-coredump.socket
```
Check the status of the systemd-coredump service to ensure it is running without errors:
```
# systemctl status systemd-coredump.socket
```
To check the generated core dump files, take a look at the default /var/lib/systemd/coredump/ directory. To find out the filename pattern for these files, run the following command.
```
# cat /proc/sys/kernel/core_pattern
```
```
|/lib/systemd/systemd-coredump %P %u %g %s %t 9223372036854775808 %h %d
```

Manual configuration

Setting up core dump generation without using systemd involves configuring the operating system core dump settings manually. Follow these steps to set up core dump generation manually.

Set the core dump size limit to unlimited to enable core dump generation with complete debugging information. To disable it, set it to zero by running ulimit -c 0. To check the current core dump size limit, run ulimit -c.
```
# ulimit -c unlimited
```
Set the core dump file location and pattern. For example, to set the /var/core/ directory and the filename pattern core.%e.%p, where %e represents the executable name and %p represents the process ID, run the following command.
```
# echo "/var/core/core.%e.%p" > /proc/sys/kernel/core_pattern
```
To discard core dumps, you can run echo "/dev/null" > /proc/sys/kernel/core_pattern.

Note

Consider restarting relevant processes to ensure that the changes take effect.
We recommend preserving these changes across reboots. Add the ulimit and echo commands above to a startup or system initialization script such as /etc/rc.local.

macOS endpoints

On macOS, most applications have core dump generation disabled by default. However, you can enable it using the ulimit command. To enable core dump generation on macOS follow these steps:

Set the core dump size limit to unlimited to enable core dump generation with complete debugging information. To disable it, set it to zero by running ulimit -c 0. To check the current core dump size limit, run ulimit -c.
```
# ulimit -c unlimited
```
Set the core dump generation path and filename pattern. For example, to set the /cores/ directory and the filename pattern core.%P. Where %P is the process ID, run the following command.
```
# sysctl -w kern.corefile=/cores/core.%P
```

Enabling core dump generation might consume significant disk space, so use it judiciously. Moreover, not all processes on macOS support or behave consistently with core dump generation.

Windows endpoints

To collect user-mode crash dumps on Windows, you can use the Windows Error Reporting (WER) feature. You can set it to save crash dump files locally by editing the Windows Registry as follows.

Accessing the Windows Registry

Press Windows + R keys on your keyboard to open the Run dialog box.
Type regedit in the search box and click OK to open the Registry editor.
Backup the Windows Registry or create a system restore point to safeguard your system.

Configuring Windows Error Reporting

Navigate to the LocalDumps registry key or create it, as it might not exist by default.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
```
Right-click on the LocalDumps key and choose New > Key. Name the new key wazuh-agent.exe.
Right-click inside the wazuh-agent.exe key and choose New > Expandable String Value. Name the new value DumpFolder.
Right-click the DumpFolder value and select Modify. Change it to %LOCALAPPDATA%\WazuhCrashDumps.
Right-click inside the wazuh-agent.exe key again and choose New > DWORD (32-bit) Value. Name the new value as DumpType.
Right-click the DumpType value and select Modify. Change it to 2.
Close the regedit tool and restart the Wazuh agent using PowerShell with administrator privileges.
```
> Restart-Service -Name wazuh
```

Release notes

This section summarizes the most important features of each Wazuh release.

Wazuh version	Release date
5.0.0	TBD
4.14.3	TBD
4.14.2	TBD
4.14.1	12 November 2025
4.14.0	23 October 2025
4.13.1	24 September 2025
4.13.0	18 September 2025
4.12.0	7 May 2025
4.11.2	1 April 2025
4.11.1	12 March 2025
4.11.0	20 February 2025
4.10.3	19 August 2025
4.10.2	22 May 2025
4.10.1	16 January 2025
4.10.0	9 January 2025
4.9.2	4 November 2024
4.9.1	17 October 2024
4.9.0	5 September 2024
4.8.2	20 August 2024
4.8.1	18 July 2024
4.8.0	12 June 2024
4.7.5	30 May 2024
4.7.4	29 April 2024
4.7.3	4 March 2024
4.7.2	10 January 2024
4.7.1	20 December 2023
4.7.0	27 November 2023
4.6.0	31 October 2023
4.5.4	23 October 2023
4.5.3	10 October 2023
4.5.2	6 September 2023
4.5.1	24 August 2023
4.5.0	10 August 2023
4.4.5	10 July 2023
4.4.4	13 June 2023
4.4.3	25 May 2023
4.4.2	18 May 2023
4.4.1	12 April 2023
4.4.0	28 March 2023
4.3.11	24 April 2023
4.3.10	16 November 2022
4.3.9	13 October 2022
4.3.8	19 September 2022
4.3.7	24 August 2022
4.3.6	20 July 2022
4.3.5	29 June 2022
4.3.4	8 June 2022
4.3.3	1 June 2022
4.3.2	30 May 2022
4.3.1	18 May 2022
4.3.0	5 May 2022
4.2.7	30 May 2022
4.2.6	28 March 2022
4.2.5	15 November 2021
4.2.4	20 October 2021
4.2.3	6 October 2021
4.2.2	28 September 2021
4.2.1	3 September 2021
4.2.0	25 August 2021
4.1.5	22 April 2021
4.1.4	25 March 2021
4.1.3	23 March 2021
4.1.2	8 March 2021
4.1.1	25 February 2021
4.1.0	15 February 2021
4.0.4	14 January 2021
4.0.3	30 November 2020
4.0.2	24 November 2020
4.0.1	11 November 2020
4.0.0	23 October 2020
3.13.6	19 September 2022
3.13.5	24 August 2022
3.13.4	30 May 2022
3.13.3	28 April 2021
3.13.2	22 September 2020
3.13.1	15 July 2020
3.13.0	22 June 2020
3.12.3	30 April 2020
3.12.2	9 April 2020
3.12.1	8 April 2020
3.12.0	24 March 2020
3.11.4	25 February 2020
3.11.3	28 January 2020
3.11.2	22 January 2020
3.11.1	10 January 2020
3.11.0	23 December 2019
3.10.2	23 September 2019
3.10.1	19 September 2019
3.10.0	18 September 2019
3.9.5	8 August 2019
3.9.4	7 August 2019
3.9.3	9 July 2019
3.9.2	10 June 2019
3.9.1	21 May 2019
3.9.0	2 May 2019
3.8.2	31 January 2019
3.8.1	24 January 2019
3.8.0	18 January 2019
3.7.2	17 December 2018
3.7.1	5 December 2018
3.7.0	10 November 2018
3.6.1	7 September 2018
3.6.0	29 August 2018
3.5.0	10 August 2018
3.4.0	24 July 2018
3.3.1	18 June 2018
3.3.0	8 June 2018
3.2.4	1 June 2018
3.2.3	28 May 2018
3.2.2	7 May 2018
3.2.1	2 March 2018
3.2.0	8 February 2018
3.1.0	22 December 2017
3.0.0	3 December 2017
2.1.0	17 August 2017

5.x

This section summarizes the most important features of each Wazuh 5.x release.

Wazuh version	Release date
5.0.0	TBD

5.0.0 Release notes - TBD

This section lists the changes in version 5.0.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

Breaking changes

What's new

This release includes new features or enhancements as the following:

#7827 Added default notification channels through the health check.
#7597 Added sample data generators for agent monitoring and server statistics.
#7662 Added "form-data": "^4.0.4" to the resolutions section to enforce the required dependency version.
#7694 Added prompts to views related to Server API connectivity and alerts index pattern issues.
Added a Not applicable status to the SCA CheckResult enum, including color mapping (#B9A888) and sample data support.
#7833 Added alerting sample monitors to the health check.
#7917, #7975, #7990, #7994 Added the Normalization application.
#7924 Added the default wazuh-events* index pattern.
#7839 Adapted alerts sample data to the Wazuh Common Schema.
#7688 Set cluster mode as the default for all Wazuh installations, including single-node deployments, and updated RBAC permissions to cluster:* actions.
#7578, #7929, #7974, #7979 Reworked SCA module visualizations, enabled global details for all agents without pinning, replaced the /sca endpoint with the wazuh-states-sca-* index pattern, and added sample data support.
#7604 Split the FIM registry inventory into two index patterns and updated fields in FIM file and registry sample data.
#7622, #7694, #7756, #7829 Reworked the health check.
#7622 Reworked several view components to use data sources.
#7754 Fixed date and format errors across multiple views.
#7812 Upgraded the brace-expansion dependency to versions 1.1.12 and 2.0.2.
#7812 Upgraded the tar-fs dependency to version 2.1.4.
#7871 Migrated wazuh.yml settings to opensearch_dashboards.yml and advanced settings.
#7871 Changed sample data index names.
#7900 Reworked the Generate report button.
#7842, #7847, #7916, #7938 Changed the dashboard renderer to use saved objects.
#7934 Changed the rule.groups filter to wazuh.integration.decoders.
#7981 Applied the new home page navigation style to all dashboards.
#7688 Removed manager-specific logic in favor of cluster-based management.
#7597 Removed backend monitoring and statistics jobs.
#7597, #7698 Removed monitoring and statistics job settings from the configuration.
#7597 Removed the prompt related to disabled statistics jobs in the Statistics application.
#7612 Removed configuration for modules relying on deprecated daemons: wazuh-agentlessd, wazuh-csyslogd, wazuh-dbd, wazuh-integratord, wazuh-maild, and wazuh-reportd.
#7645 Removed deprecated modules: OpenSCAP, CIS-CAT, and Osquery.
#7622 Removed the /health-check and /blank-screen frontend routes.
#7622 Removed the Miscellaneous section from App Settings.
#7622 Removed deprecated health check and customization settings.
#7871 Removed legacy customization, alerts sample, and UI API editable settings.
#7871 Removed the App Settings application.
#7871 Removed GET /elastic/alerts and /utils/configuration* endpoints.
#7871 Removed tasks related to custom logo sanitization and reports directory migration.
#7901 Removed the Rules, Decoders, CDB List, and Ruleset test applications.
#7899 Removed the legacy reporting application, including server routes, UI, PDF generation logic, and related customization settings.
#7932 Removed several sections from Server Management > Settings and agent configuration.
#7933 Removed the wazuh-alerts* index pattern and replaced it with wazuh-events* as the default. Index pattern selection is now handled per module.
#7933 Removed deprecated ip.ignore and pattern settings.
#7977 Removed references to alerts and archives templates.
#7857, #7868, #7891, #7982 Removed indexer resource files from the source code and dependency installation process.

Resolved issues

This release resolves known issues as the following:

#7923 Fixed a hardcoded version value in the Deploy agent wizard.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.x

This section summarizes the most important features of each Wazuh 4.x release.

Wazuh version	Release date
4.14.3	TBD
4.14.2	TBD
4.14.1	12 November 2025
4.14.0	23 October 2025
4.13.1	24 September 2025
4.13.0	18 September 2025
4.12.0	7 May 2025
4.11.2	1 April 2025
4.11.1	12 March 2025
4.11.0	20 February 2025
4.10.3	19 August 2025
4.10.2	22 May 2025
4.10.1	16 January 2025
4.10.0	9 January 2025
4.9.2	4 November 2024
4.9.1	17 October 2024
4.9.0	5 September 2024
4.8.2	20 August 2024
4.8.1	18 July 2024
4.8.0	12 June 2024
4.7.5	30 May 2024
4.7.4	29 April 2024
4.7.3	4 March 2024
4.7.2	10 January 2024
4.7.1	20 December 2023
4.7.0	27 November 2023
4.6.0	31 October 2023
4.5.4	23 October 2023
4.5.3	10 October 2023
4.5.2	6 September 2023
4.5.1	24 August 2023
4.5.0	10 August 2023
4.4.5	10 July 2023
4.4.4	13 June 2023
4.4.3	25 May 2023
4.4.2	18 May 2023
4.4.1	12 April 2023
4.4.0	28 March 2023
4.3.11	24 April 2023
4.3.10	16 November 2022
4.3.9	13 October 2022
4.3.8	19 September 2022
4.3.7	24 August 2022
4.3.6	20 July 2022
4.3.5	29 June 2022
4.3.4	8 June 2022
4.3.3	1 June 2022
4.3.2	30 May 2022
4.3.1	18 May 2022
4.3.0	5 May 2022
4.2.7	30 May 2022
4.2.6	28 March 2022
4.2.5	15 November 2021
4.2.4	20 October 2021
4.2.3	6 October 2021
4.2.2	28 September 2021
4.2.1	3 September 2021
4.2.0	25 August 2021
4.1.5	22 April 2021
4.1.4	25 March 2021
4.1.3	23 March 2021
4.1.2	8 March 2021
4.1.1	25 February 2021
4.1.0	15 February 2021
4.0.4	14 January 2021
4.0.3	30 November 2020
4.0.2	24 November 2020
4.0.1	11 November 2020
4.0.0	23 October 2020

4.14.3 Release notes - TBD

This section lists the changes in version 4.14.3. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Resolved issues

This release resolves known issues as the following:

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.14.2 Release notes - TBD

This section lists the changes in version 4.14.2. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh agent

#33313 Added detection of the -a never,task Audit rule in FIM whodata for Linux.

Ruleset

#32856 Added SCA policy for Microsoft Windows Server 2025.

Other

#33069 Upgraded the starlette dependency to 0.49.1.

Wazuh dashboard

#7883 Added persistence for page size and sorting in API tables.
#7878 Improved text size consistency and visual hierarchy across the Agent Overview page by implementing standardized typography styling.
#7896 Improved Agent Overview resilience by rendering each available system inventory field.
#7897 Upgraded cookie dependency to 0.7.0.
#7963 Removed the SCA Agent card subtitle.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#33046 Prevented Azure Log Analytics bookmarks from being overwritten across similar configurations.
#33330 Fixed discrepancy in the API certificate files.
#33589 Made analysisd ruleset reload endpoints fully asynchronous to avoid blocking the API event loop.
#33580 Improved analysisd ruleset hot reload performance.
#33602 Avoided using systemctl in restart scripts when systemd is not running as PID 1.

Wazuh agent

#33171 Fixed Windows agent remote upgrade (WPK) when installed in a custom directory.
#33182 Fixed a package issue causing upgrades to fail when the shared directory contained subdirectories.
#33270 Fixed FIM issue preventing whodata from working on systems with /var and /etc mounted on different volumes.
#33322 Optimized user and group inventory performance in Syscollector on Windows Domain Controllers.
#33227 Fixed an agent bug that prevented directories from being received in the remote configuration.
#33343 Silenced agent log message about failing to connect to Active Response when it is disabled.

Ruleset

#33202 Fixed bug in multiple macOS SCA checks.
#33361 Fixed indentation issue in the SCA policy for Windows 10 Enterprise that prevented its execution.

Wazuh dashboard

#7883 Removed sorting for Program name and Order columns in the Related decoders table, and the Groups column in the Related rules table, to prevent API errors.
#7962 Fixed text alignment and column distribution in the System inventory card within the Agent view.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.14.1 Release notes - 12 November 2025

This section lists the changes in version 4.14.1. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#32009 Added IAM role support for VPC flow logs in the AWS wodle.
#32514 Added support for static and temporary AWS credentials in the Amazon Security Lake subscriber.
#32401 Optimized wazuh-db startup by executing agent schema creation in a single transaction.
#32463 Improved vulnerabilities index upgrade with hash-based mapping validation, automatic safe reindex, and backup cleanup.
#32069 Improved C++ logging mechanism to avoid unnecessary heap allocations.
#32521 Improved IndexerConnector error handling and response parsing to provide structured logging of 4xx/5xx errors.
#32525 Reduced default verbosity of wazuh-authd when handling invalid connections.
#32697 Remoted now reads internal options at process startup.

Wazuh agent

#32746 Added support for Homebrew 2.0+ in IT Hygiene for macOS.
#31080 Changed how the fim_check_ignore function works in negative regex cases.
#31375 Changed how null values for hotfixes are handled in the Windows agent.
#32874 Improved service shutdown procedure.

Ruleset

#31449 Reworked SCA policy for Microsoft Windows 10 Enterprise.

Other

#31422 Upgraded the starlette dependency to version 0.47.2.
#32782 Upgraded the embedded Python interpreter to version 3.10.19.
#32900 Updated curl dependency to version 8.12.1.
#32294 Updated LUA to version 5.4.6.
#32294 Updated libarchive to version 3.8.0.

Wazuh dashboard

#7804 Upgraded the axios dependency to version 1.12.2.
#7841 Improved column order in IT Hygiene > Network > Traffic view to follow a logical source-to-destination flow.
#7639 Improved integrity monitoring settings terminology by clarifying file and registry labels, and updating component names for better user understanding.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#32045 Fixed manager vulnerability scan not triggering due to incorrect Syscollector event provider topic name.
#32787 Fixed IndexerConnector abuse control to prevent data loss on failed syncs.
#32107 Fixed user tag handling by adding user as an alias for the dstuser static field.
#32057 Fixed JSON validation issues in Analysisd and SCA components.
#32829 Fixed a bug in Vulnerability Scanner where the database offset was updated even in error cases.

Wazuh agent

#32383 Fixed indefinite waiting in FIM whodata health check.
#31241 Fixed graceful shutdown in FIM.
#32049 Verified the SHA256 of commands on every execution.
#32528 Fixed duplicate <ca_store> configuration block during RPM package upgrades.
#31144 Fixed a bug that prevented overwriting <registry_limit> or <file_limit> options from remote configuration.
#29853 Fixed a bug in Logcollector that prevented following symlinks when resolving wildcarded files.
#31222 Unified detection logs for wildcarded files in Logcollector.
#32027 Fixed a bug in FIM that did not recognize Registry keys unless they were UTF-8.
#32731 Fixed a bug in Logcollector that ignored all files with <age> filter on Windows.
#32812 Reverted IT Hygiene package vendor format on Debian to include name and email again.
#32785 Fixed a bug in IT Hygiene that reported duplicated Edge browser extensions.
#32838 Fixed reload of the <labels> block via remote configuration.
#32836 Fixed Windows installer to deploy SCA policies for Windows 2022 instead of Windows Server 2025.

Ruleset

#31349 Fixed bug in Windows SCA.
#31102 Fixed mistaken alert.
#31886 Fixed SCA checks in Oracle Linux 9.
#32509 Fixed bugs in Windows Server 2016 SCA.
#32523 Fixed bugs in PAM decoder.
#32480 Fixed macOS Sequoia SCA scans that produced errors.
#32802 Fixed Windows Server 2016 SCA policy configuration issue.

Wazuh dashboard

#7689 Fixed navigation issue in the MITRE ATT&CK framework details flyout.
#7710 Fixed event count evolution visualization in the Endpoint Details view to use the server API context filter.
#7783 Fixed sorting by agent count in Top 5 Groups visualization in Endpoints summary.
#7803 Fixed System Inventory displaying incorrect agent data after switching agents in the Endpoint Details view.
#7838 Replaced the Microsoft Graph API module icon with the official Microsoft Graph API logo for better specificity.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.14.0 Release notes - 23 October 2025

This section lists the changes in version 4.14.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

The 4.14.0 release enhances the IT Hygiene capability with an expanded inventory that now includes browser extensions, endpoint services, users, and groups. It also introduces a new Microsoft Graph API dashboard for monitoring activity and audit events from Microsoft cloud services, and adds support for hot reload of Wazuh agent configuration. In addition, this release introduces multiple stability, performance, and security improvements across the platform.

Inventory – Browser Extensions: Added a unified inventory model to track browser extensions across Windows, macOS, and Linux systems. Enables security auditing and compliance monitoring for Chrome, Firefox, Safari, and other browsers.
Inventory – Services: Introduced a normalized inventory of Windows services and Linux systemd units. Provides visibility into service states, startup types, and critical services across endpoints.
Inventory – Users & Groups: Implemented a cross-platform inventory for system users and groups. Supports normalized data structures, relationships, and consistent queries across agents, Wazuh-DB, and the Dashboard.
Wazuh agent configuration hot reload: The Wazuh Agent can now apply remote configuration changes dynamically without breaking its connection to the server. All daemons except agentd are restarted during reload, improving resilience and reducing disruptions across large deployments.
Microsoft Graph API dashboard: A new dashboard has been added to visualize and query Microsoft Graph services, including Microsoft Azure cloud events.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#30848 Added system users and groups to the inventory data.
#31614 Added browser extensions and services to the inventory data.
#31731 Added IPv6 support to the Maltiverse integration.
#30192 Improved databaseFeedManagerTesttool.
#30793 Adapted wazuh-maild to the RFC5322 standard.
#31218 Improved the Active Response endpoint performance.

Wazuh agent

#30235 Added support for Parquet version 2 in the AWS wodle.
#30797 Added hot configuration reload support for Linux agents.
#31163 Added support for Amazon Inspector v2.
#30369 Added system users and groups to the inventory data.
#805 Added browser extensions to the inventory data.
#807 Added services to the inventory data.
#31418 Added missing AWS regions us-gov-west-1 and us-gov-east-1 to the AWS wodle.
#32413 Added Windows kernel version information to IT Hygiene.
#31640 Changed rootkit error messages to warnings due to future deprecation.

RESTful API

#30913 Added Syscollector users and groups endpoints.
#31513 Added Syscollector services and browser_extensions endpoints.

Ruleset

#30745 Added SCA content for Rocky Linux 10.
#31747 Added SCA content for Debian 13.

Other

#31272 Updated packaging dependency to 25.0.
#30536 Updated requests to version 2.32.4.
#30624 Updated urllib3 to version 2.5.0 and protobuf to version 5.29.5.
#30916 Upgraded Python embedded interpreter to 3.10.18.
#31779 Updated OpenSSL to 3.0.15 and cpp-httplib to v0.25.0.
#29586 Updated SQLite dependency to version 3.50.4.

Wazuh dashboard

#7777 Added visualizations field validations when creating wazuh-states index patterns.
#7554 Created Users & Groups inventories. #7587 #7792 #7787
#7586 Added the ability to set the Wazuh data path (wazuh directory) within the directory defined through the path.data setting.
#7641 Added a new Browser Extensions tab in IT Hygiene. #7696 #7729 #7774 #7785
#7516 Added Microsoft Graph API module. #7644 #7661
#7646 Added a new Services tab in IT Hygiene. #7695 #7729 #7773 #7790
#7711 Added a final step in the Deploy new agent section to navigate back to the agent list.
#7712 Updated OS logos.
#7742 Changed the Services tab label to Listeners in IT Hygiene > Networks.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#29663 Fixed internal decoder RC startup.
#29673 Fixed queue stats RC over wazuh-analysisd.
#29672 Fixed race condition in the event queue.
#29699 Fixed regexCompile race condition.
#30653 Fixed malformed alerts in alerts.log when the <group> tag contains newline characters.
#31599 Fixed and improved dpkg version comparison algorithm in Vulnerability Detector.

Wazuh agent

#30831 Fixed errors in Azure Graph event fields.
#30877 Added the missing prov`i`der field to the whodata section in the syscheckd JSON configuration.
#31700 Fixed journald disabled filters when both configuration blocks have no filters.
#30215 Fixed whodata FIM compatibility with the latest audit versions.
#31875 Fixed mismatch between MTU values in the database and indexer for Windows agents.

RESTful API

#31046 Fixed secure headers configuration.
#31315 Fixed display of sensitive information for non-privileged users.

Ruleset

#29976 Fixed multiple Rocky Linux SCA checks generating incorrect results.
#30173 Fixed missing check (2.3.7.6) in Windows Server 2019 v2.0.0.
#30276 Fixed camel casing in ownCloud ruleset header.
#30489 Fixed false positive in check 2.3.3.2 for macOS 13, 14, and 15 SCA.
#30529 Fixed bug in rule 92657.
#30528 Fixed field names in Office 365 rules.
#30515 Fixed action field in Fortigate rules.
#30612 Fixed Auditd EXECVE sibling decoders.
#31227 Fixed issues with Windows OS languages other than English.
#30717 Reworked SCA policy for Debian Linux 12.
#32025 Fixed missing comma in 0393-fortiauth_rules.xml.
#32102 Fixed Windows SCA user account checks.
#32106 Fixed inaccuracies in Ubuntu 24.04 SCA policy.
#32143 Fixed incorrect service name in Ubuntu firewall service check.

Wazuh dashboard

#7811 Fixed missing scan settings in Inventory Data.
#7796 Fixed the Endpoint summary to correctly display outdated agents without filters, resolving previous inconsistencies.
#7596 Fixed missing provider and queue_size fields in whodata configuration.
#7630 Fixed an error that caused PDF report tables to overflow the page width.
#7611 Fixed TypeError when changing API host ID in wazuh.yml configuration.
#7669 Fixed behavior and appearance alignment with OpenSearch (Wazuh Indexer) Dev Tools.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.13.1 Release notes - 24 September 2025

This section lists the changes in version 4.13.1. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh dashboard

#7752 Changed the label from Packages to Unique packages in the KPI for IT Hygiene > Software.

Resolved issues

This release resolves known issues as the following:

Wazuh dashboard

#7753 Fixed RBAC validation for reload button to prevent API failures when users lack cluster:restart permission.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.13.0 Release notes - 18 September 2025

This section lists the changes in version 4.13.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

The 4.13.0 release improves deployment flexibility, enhances centralized data access, and strengthens platform resilience. Key highlights include the introduction of the IT Hygiene dashboard, which provides users with the ability to centrally view and query IT Hygiene data.

Global queries for IT Hygiene data: Wazuh now supports global queries for IT Hygiene data through a newly dedicated IT Hygiene dashboard
Reliability and performance improvements across the platform.
Multiple bug fixes in core components and the UI.
Updates based on recent security scans.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#29232 Improved reports functionality to avoid duplicated daily FIM reports.
#29363 Optimized agent query endpoints.
#29406 Implemented RBAC resource cache with TTL support.
#29514 Improved Wazuh-DB protocol to support large HTTP requests and remove pagination.
#29515 Added HTTP client implementation to wazuh-db.
#29458 Added hot ruleset reload support to Analysisd.
#29916 Enabled CVE re-indexing when documents change in Vulnerability Detector.
#29153 Separated control messages from remoted's connection handling.
#30504 Added sanity checks for hotfix values in Vulnerability Detector.
#30851 Improved exception handling in the run_local SDK function.
#29135 Improved Authd connection management using epoll to handle concurrent agent registration requests more efficiently.
#31114 Added a single writer buffer manager instance for each indexer connector instance.

Wazuh agent

#29391 Added support for Rocky Linux and AlmaLinux in the upgrade module.
#29393 Added handling of CentOS 9 SCA files in package specs.
#29139 Added SCA support for Oracle Linux 10.
#30556 Added Rootcheck rule to detect root-owned files with world-writable permissions.
#29426 Improved agent synchronization to reduce redundant payload transfers.
#28688 Improved Syscollector to report only Python packages managed by dpkg.
#29399 Improved wazuh-db JSON handling performance.
#29930 Enhanced Azure module logging.
#29940 Improved restart behavior on macOS agents after upgrade.
#29443 Standardized service timeouts across components.
#30377 Added MS Graph token validation before performing requests.
#30763 Added support for UTF-8 characters in file paths in FIM.
#30637 Removed internal_key from query filters.

RESTful API

#29524 Added server UUID to the /manager/info endpoint.
#29589 Added /agents/summary endpoint.
#31459 Added ruleset reload endpoints.

Ruleset

#29269 Added SCA content for CentOS Stream 9.
#29653 Added IOCs and new rules to improve the 4.x ruleset.
#29139 Added SCA content for Oracle Linux 10.
#28790 Added rule to minimize Windows event flooding on the manager.

Other

#29610 Updated Python dependencies: setuptools, Jinja2, and PyJWT.
#28646 Upgraded embedded Python interpreter to 3.10.16.
#29735 Upgraded h11 to 0.16.0 and httpcore to 1.0.9.
#28564 Removed unused Azure Python dependencies.

Wazuh dashboard

#7368 Added It Hygiene application. #7461 #7476 #7475 #7513 #7582 #7588 #7692 #7717
#7368 Added hardware and system information to the agent overview.
#7379 Added persistence for selected columns and page size in data grid settings. #7513
#7373 Added the ability to manage the sample data from IT Hygiene and vulnerabilities. #7449 #7475 #7718
#7443 Added back button to Deploy Agent page that redirects to Endpoints Summary.
#7412 Added UUID field to the APIs table.
#7373 Moved /elastic/samplealerts API endpoints to /indexer/samplealerts.
#7430 Changed macOS agent startup command.
#7368 Removed Inventory data view from agent overview.
#7475 Removed vulnerability.pattern setting.
#7368 Removed GET /api/syscollector API endpoint.
#7368 Removed inventory data report and POST /reports/agents/{agentID}/inventory API endpoint.
#7483 Removed the enrollment.password field from the /utils/configuration endpoint response to prevent unauthorized agent registration by users with read-only API roles.
#7657 Changed the manager reset button to reload in Rules, Decoders, and CDB list. #7677
#7484 Reduced the number of API calls to retrieve agent summary information.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#29181 Fixed missing agent version handling in Vulnerability Detector.
#29624 Fixed race condition in agent status synchronization between worker and master.
#30534 Fixed agent-group assignment for missing agents with improved error handling.
#30818 Fixed missing OS info updates in global inventory after first scan.
#31048 Fixed wazuh-db failure during agent restarts by switching the restart query to HTTP.
#30627 Fixed DFM graceful shutdown.
#30718 Fixed inode field as string in FIM JSON messages to ensure schema consistency.
#30837 Fixed duplicate OS vulnerabilities detected after an OS version change.

Wazuh agent

#29312 Fixed incorrect event handling in the Custom logs bucket.
#29317 Fixed Azure blob download race condition.
#28962 Fixed false FIM reports and configuration upload issues.
#29502 Fixed incorrect IPv6 format reported by WindowsHelper.
#29561 Fixed hidden port detection and netstat fallback.
#29905 Replaced select() with sleep() in Logcollector to avoid Docker-related errors.
#30060 Fixed NetNTLMv2 exposure by filtering UNC paths and mapped drives in Windows agent.
#29820 Fixed Windows agent not starting after manual upgrade by deferring service start to post-install.
#30552 Fixed precision loss in the FIM inode field for values greater than 2^53.
#30614 Fixed expanded file list in the logcollector getconfig output.
#31187 Fixed authd.pass ACL permissions to match client.keys security level in the Windows agent installer.

RESTful API

#29166 Fixed version sorting in agent list endpoint.
#28962 Fixed false positive detection during configuration uploading.

Ruleset

#29221 Fixed bugs in Windows 11 Enterprise SCA policy.
#29040 Fixed multiple SCA check errors in RHEL 9/10 and Rocky Linux 8/9.
#28982 Fixed diff logic in rootcheck that caused false negatives.
#28711 Fixed incorrect SCA results for RHEL 8 and CentOS 7.
#30827 Fixed false positives in Ubuntu 24.04 benchmark.

Wazuh dashboard

#7368 Fixed a problem in Vulnerabilities > Dashboard and Inventory when there are no indices matching with the index pattern.
#7425 Fixed double backslash warning on xml editor.
#7422 Fixed the X-axis label in the Vulnerabilities by year of publication visualization.
#7501 Fixed a bug in Rule details flyout, where it didn't map all the compliances.
#7540 Fixed the Windows service name in Deploy new agent.
#7552 Fixed an issue where filter values could change on navigation or pin/unpin actions, causing unexpected search results.
#7544 Fixed an issue in the expanded table row where outdated information could appear when using the refresh button.
#7550 Fixed a bug causing format issues in CSV reports.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.12.0 Release notes - 7 May 2025

This section lists the changes in version 4.12.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

Wazuh 4.12.0 introduces functional improvements that expand the platform’s capabilities and compatibility. This release supports ARM architecture in central components, allowing Wazuh to run on a wider range of hardware. It also enhances threat intelligence by adding CTI references to the CVE data, providing better context for vulnerabilities. Additionally, it introduces eBPF support for the File Integrity Monitoring (FIM) module, enabling more efficient and modern monitoring on Linux endpoints.

ARM architecture support in central components: The Wazuh manager, indexer, and dashboard now support ARM-based systems, offering greater deployment flexibility.
CTI links to CVE information: Vulnerability Detection module now includes CTI references within the CVE details, offering enriched context and threat intelligence to aid in vulnerability assessment.
Improved file integrity monitoring with eBPF support: The file integrity monitoring module now supports eBPF on Linux, improving who-data monitoring and system visibility.
New SCA policy for Distribution Independent Linux endpoints: A new Security Configuration Assessment (SCA) policy is now available for Wazuh Linux agents.

Breaking changes

OpenSearch 2.19.1 and Apache Lucene upgrade: Wazuh 4.12.0 upgrades to OpenSearch 2.19.1 and updates the Apache Lucene version. This change affects compatibility with previous versions. As a result, downgrades are not supported. Once you upgrade the Wazuh indexer to version 4.12.0, you cannot revert to an earlier version.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#26652 Added new compilation flags for the Vulnerability Detection module.
#26083 Added support for central components in ARM architectures.
#28220 Added functionality to navigate to CTI links related to specific CVE detections from states and alerts.
#27614 Updated curl dependency to 8.11.0.
#28298 Upgraded cryptography package to version 44.0.1.
#28047 Converted server logs timestamp to UTC.
#28149 Removed restriction for aws_profile in Security Lake.
#28038 Removed error logs when the response is 409 for certain OpenSearch calls.
#27451 Upgraded packages: python-multipart to 0.0.20, starlette to 0.42.0, and Werkzeug to 3.1.3.
#27990 Removed warning about events in cloudwatchlogs.
#27603 Added package condition field in indexed vulnerabilities.

Wazuh agent

#27956 Added eBPF-based integration to support whodata in FIM.
#28416 Added support for the riskDetections relationship in MS Graph.
#28389 Added time delay option in MS Graph integration to prevent log loss.
#28276 Added page size option to MS Graph integration.
#28388 Implemented Journald rotation detection in Logcollector.

Ruleset

#26732 Added SCA content for Windows Server 2025.
#26736 Added SCA content for Fedora 41.
#26837 Created SCA policy for Distribution Independent Linux.
#23194 Created SCA policy for Ubuntu 24.04 LTS.
#26982 Improved SCA rule for macOS 15.

Wazuh dashboard

#7182 Added setting to limit the number of rows in CSV reports.
#7306 Added vulnerability.scanner.reference field containing the CTI reference of the vulnerability.
#7192 Refined queue usage visualizations in Statistics.
#7390 Removed revision number from About page.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#26720 Fixed inconsistent vulnerability severity categorization by correcting CVSS version prioritization.
#26769 Fixed a potential crash in Wazuh-DB by improving the PID parsing method.
#28185 Fixed concurrent mechanism on column family RocksDB.
#28503 Fixed unused variables in Analysisd.
#29050 Fixed Analysisd startup failure caused by mixing static and dynamic rules with the same ID.
#27834 Fixed crash in Vulnerability Scanner when processing delayed events during agent re-scan.
#26679 Improved signal handling during process stop.
#27750 Improved cleanup logic for the content folder in the VD module.
#27806 Sanitized invalid size values from package data provider events.
#26704 Fixed crash when reading email alerts missing the email_to attribute.
#29179 Fixed offset errors by updating the DB only after processing events.

Wazuh agent

#26647 Fixed a bug that could cause wazuh-modulesd to crash at startup.
#26289 Fixed incorrect UTF-8 character validation in FIM. Thanks to @zbalkan.
#27100 Improved URL validation in Maltiverse integration.
#28005 Fixed issue in Syscollector where package sizes were reported as negative.
#29161 Fixed enrollment failure on Solaris 10 caused by unsupported socket timeout.
#29214 Fixed memory issue in the wazuh-agentd argument parser.
#28928 Fixed WPK package upgrades for DEB when upgrading from version 4.3.11 or earlier.

Wazuh dashboard

#7185 Fixed issue where adding the same filter twice wouldn't display it in the search bar.
#7171 Fixed rendering of rows in CDB list table when they start with quotes.
#7206 Fixed width of long fields in the document detail flyout.
#7267 Fixed logging of UI logs due to an undefined logger property.
#7278 Fixed TOP-5-SO filter management in Endpoints > Summary.
#7304 Fixed CSV export not filtering by time range.
#7336 Fixed agent view not displaying the latest agent state.
#7377 Fixed saved queries not appearing in the search bar.
#7401 Fixed monitoring cronjob infinite retries in case of a request exception.
#7399 Fixed double scroll bar in Discover.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.11.2 Release notes - 1 April 2025

This section lists the changes in version 4.11.2. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#28797 Improved Wazuh DB performance using built-in types.

RESTful API

#28653 Added the authentication_pool_size option to customize the number of authentication processes in the Wazuh server API configuration.

Resolved issues

This release resolves known issues as the following:

Wazuh dashboard

#7370 #7371 Fixed several broken Wazuh documentation links.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.11.1 Release notes - 12 March 2025

This section lists the changes in version 4.11.1. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh agent

#28075 Changed ms-graph page size to 50.
#28045 Removed ca.com domain filter from the Rootcheck malware ruleset.

Wazuh dashboard

#7318 Added missing fields to the default fields list of the alerts index pattern.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#28294 Fixed the OS CPE build for package scans with data from Wazuh-DB.
#28292 Added delete by query logic when indexer is disabled.
#28396 Fixed heap buffer overflow in Analysisd rule parser.
#28429 Fixed unnecessary data copy during curl calls.

Wazuh agent

#28339 Improved agent connectivity.
#28516 Applied the agent.recv_timeout timeout to the agent enrollment process to prevent it from waiting indefinitely for a response.

Wazuh dashboard

#7299 Fixed documentation links related to agent management.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.11.0 Release notes - 20 February 2025

This section lists the changes in version 4.11.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

The 4.11 release introduces significant improvements in vulnerability detection, system inventory accuracy, and virtual machine base OS updates. The focus is on enhancing security insights, ensuring up-to-date system compatibility, and improving detection mechanisms for installed software. Key updates include the enhancement of the vulnerability detection process for CNA (CVE Numbering Authority), updates to AMI and OVA base operating systems, and improvements to Syscollector's software detection capabilities.

Key features include the following:

Vulnerability detection CNA enhancement: The vulnerability scanner now prioritizes CISA-sourced vulnerability data over the NVD, ensuring more accurate and detailed vulnerability assessments. This enhancement reduces false positives and improves alignment with official security sources.
AMI and OVA base OS update: The base OS for AMI and OVA has been updated to Amazon Linux 2023 (AL2023) due to security vulnerabilities in Amazon Linux 2 (AL2) and its approaching end of life.
Syscollector's software detection improvement: Syscollector now provides enhanced detection of installed software. Improvements include better package identification in macOS, expanded detection of pip and npm installations, and integration with Windows WMI to capture system updates more accurately.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#27771 Improved delimiters on XML.
#27893 Improved FIM decoder.
#27835 Improved SCA and Syscheck decoders.
#27914 Improved CISCAT decoder detection messages.
#27692 Added CISA vulnerability content and prioritized it over NVD in the vulnerability scanner.
#28195 Changed ms-graph page size.

Wazuh agent

#26706 Improved Syscollector hotfix coverage on Windows by integrating WMI and WUA APIs.
#26782 Extended Syscollector capabilities to detect installed .pkg packages.
#26236 Updated standard Python and NPM package location in Syscollector to align with common installation paths.

Wazuh dashboard

#7193 Refined the layout of the agent details view.
#7195 Changed the width of the command column, relocate argvs column and change the width of the rest of the columns in the table processes.
#7245 Removed unused node_build field in the package manifest of the wazuh plugin.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#26132 Enabled inventory synchronization in Vulnerability Detector when the Indexer module is disabled.

Wazuh agent

#27739 Fixed error in event processing on AWS Custom Logs Buckets module.

RESTful API

#26255 Added the security:revoke action to the PUT /security/user/revoke endpoint.

Wazuh dashboard

#7251 Fixed documentation URL related to the usage of the authentication password in agent deployment.
#7255 Fixed a problem with duplicated requests to get the list of valid index patterns in the menu.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.10.3 Release notes - 19 August 2025

This section lists the changes in version 4.10.3. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Other

#30829 Updated requests to version 2.32.4 (backport from 4.14.0).
#30829 Updated urllib3 to version 2.5.0 and protobuf to version 5.29.5 (backport from 4.14.0).
#29933 Updated dependencies: setuptools, Jinja2, and PyJWT (backport from 4.14.0).

Resolved issues

This release resolves known issues as the following:

Wazuh dashboard

#7648 Fixed a bug that caused a format issue in CSV reports.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.10.2 Release notes - 22 May 2025

This section lists the changes in version 4.10.2. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#29633 Improved SCA and Syscheck decoders. (Backport from 4.11.0)

Other

#29669 Upgraded python-multipart to 0.0.20, starlette to 0.42.0, Werkzeug to 3.1.3 (backport from 4.12.0), h11 to 0.16.0, and httpcore to 1.0.9.

Wazuh dashboard

#7433 Added a test to verify that table column fields are known, and updated the known fields of the alerts index with new ones.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#29612 Enabled inventory synchronization in Vulnerability Detector when the Indexer module is disabled. (Backport from 4.11.0)
#29613 Fixed OS CPE build for package scans with data from Wazuh-DB. (Backport from 4.11.1)
#29599 Fixed heap buffer overflow in Analysisd rule parser. (Backport from 4.11.1)
#29615 Improved signal handling during process stop. (Backport from 4.12.0)
#29616 Fixed crash when reading email alerts missing the email_to attribute. (Backport from 4.12.0)

Wazuh agent

#29598 Fixed a bug that could cause wazuh-modulesd to crash at startup. (Backport from 4.12.0)
#29600 Fixed WPK package upgrades for DEB when upgrading from version 4.3.11 or earlier. (Backport from 4.12.0)
#29635 Fixed error in event processing on the AWS Custom Logs Buckets module. (Backport from 4.11.0)
#29604 Improved URL validation in the Maltiverse integration. (Backport from 4.12.0)

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.10.1 Release notes - 16 January 2025

This section lists the changes in version 4.10.1. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh dashboard

#7233 Added comma separators to numbers.
#7226 Moved the ability to manage the visibility of fields in Events and Vulnerability Detection > Inventory tables from the Columns button to a new Available fields button, enhancing the performance of the view.
#7226 Changed the color of the Export formatted button in data grid tables to match the color of the rest of the table buttons.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#27502 Handled HTTP 413 response code in the Indexer connector.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.10.0 Release notes - 9 January 2025

This section lists the changes in version 4.10.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

This release delivers key improvements across several areas, including enhanced debugging, expanded integration capabilities, standardised logging, refined compliance checks, and an improved dashboard user experience.

Key features include the following:

Wazuh debug symbols generation: Debug symbols are now generated during builds for macOS, Linux, and Windows, with crash dump generation by default in installers. Adequate documentation is provided for users to disable the crash dump generation process.
Standardized logging for cloud integrations: A logger has been introduced to standardize logs for cloud integration modules, improving log management and consistency.
Microsoft Intune integration: Integration with Microsoft Intune allows Wazuh to retrieve audit logs from managed devices, process them using built-in decoders and rules, and generate actionable security alerts.
Vulnerability evaluation status: A new field has been introduced to indicate whether a vulnerability is under evaluation or disputed, assisting users in tracking vulnerabilities still awaiting analysis in the National Vulnerability Database (NVD).
Wazuh Dashboard UI improvements: Several key sections of the Wazuh dashboard have been redesigned to improve the user experience. Changes include updates to the Overview, Events, and Agent detail pages, along with the addition of an Agents management menu. Additionally, there are redesigns of the deploy new agent page, adjustments to the loading logo size, and fixes to the vulnerability inventory table for improved usability.
Reworked SCA policies: Numerous SCA policies have been reworked, including policies for Rocky Linux 8, Alma Linux 8, Amazon Linux 2023, Windows Server 2019, RedHat 9, Windows Server 2012 R2, Windows Server 2012 (no R2), Debian 10, Ubuntu 18, Amazon Linux 2, SUSE 15, macOS Ventura, and Windows 11 Enterprise..

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#24333 Added self-recovery mechanism for rocksDB databases.
#25189 Improve logging for indexer connector monitoring class.
#23760 Added generation of debug symbols.
#27320 Improved Vulnerability Scanner performance by optimizing the PEP440 version matcher.
#27324 Improved Vulnerability Scanner performance by optimizing version matcher object creation.
#27321 Improved Vulnerability Scanner performance by optimizing global data handling.

Wazuh agent

#23760 Added generation of debug symbols.
#23998 Changed how the AWS module handles non-existent regions.
#2006 Changed macOS packages building tool.
#7498 Enhanced Wazuh macOS agent installation instructions.
#2826 Enhanced Windows agent signing procedure.
#23466 Enhanced security by implementing a mechanism to prevent unauthorized uninstallation of the Wazuh agent on Linux endpoints.
#24498 Enhanced integration with Microsoft Intune MDM to pull audit logs for security alert generation.
#26137 Updated rootcheck old signatures.

RESTful API

#24621 Created new endpoint for agent uninstall process.

Ruleset

#21794 Created SCA policy for Microsoft Windows Server 2012 (non-R2).
#21434 Reworked SCA policy for Microsoft Windows Server 2019.
#24667 Reworked SCA policy for Red Hat Enterprise Linux 9.
#24991 Reworked SCA policy for Microsoft Windows Server 2012 R2.
#24957 Reworked SCA policy for Ubuntu 18.04 LTS and fixed incorrect checks in Ubuntu 22.04 LTS.
#24969 Reworked SCA policy for Amazon Linux 2.
#24975 Reworked SCA policy for SUSE Linux Enterprise 15.
#24992 Reworked SCA policy for Apple macOS 13.0 Ventura.
#25710 Reworked SCA policy for Microsoft Windows 11 Enterprise.

Other

#25374 Updated the embedded Python version up to 3.10.15.
#25324 Upgraded certifi and removed unused packages.
#25893 Upgraded external cryptography library dependency version to 43.0.1.
#26252 Upgraded external starlette and uvicorn dependencies.

Wazuh dashboard

#6964 Added sample data for YARA.
#6963 Updated malware detection group values in data sources.
#6938 Changed the registration ID of the Settings application for compatibility with OpenSearch Dashboards 2.16.0.
#6964 Changed Malware detection dashboard visualizations.
#6945 Removed agent RBAC filters from dashboard queries.
#7001 Removed GET /elastic/statistics API endpoint.
#6968 Added a custom filter and visualization for vulnerability.under_evaluation field. #7044 #7046
#7032 Changed MITRE ATT&CK overview description.
#7041 Changed the agents summary in overview with no results to an agent deployment help message.
#7036 Changed malware feature description.
#7033 Changed the font size of the KPI subtitles and the features descriptions.
#7059 Changed the initial width of the default columns for each selected field.
#7038 Removed VirusTotal application in favor of Malware Detection.
#7058 Add vulnerabilities card to agent details page.
#7112 Added an Agents management menu and moved the sections: Endpoint Groups and Endpoint Summary which changed its name to Summary.
#7119 Added ability to filter from File Integrity Monitoring registry inventory.
#7119 Added new field columns and ability to select the visible fields in the File Integrity Monitoring Files and Registry tables.
#7081 Added filter by value to document details fields.
#7135 Added pinned agent mechanic to inventory data, stats, and configuration for consistent functionality.
#7057 Changed the warning icon in events view to an info icon.
#7034 Changed feature container margins to ensure consistent separation and uniform design.
#7089 Changed inventory, stats and configuration page to use tabs.
#7156 Added ability to edit the wazuh.updates.disabled configuration setting from the UI.
#7149 Changed styles in the register agent view for consistency of styles across views.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#24620 Added support for multiple Certificate Authorities files in the indexer connector.
#24529 Removed hardcoded cipher text size from the RSA decryption method.
#25094 Avoided infinite loop while updating the vulnerability detector content.
#26223 Fixed repeated OS vulnerability reports.
#25479 Fixed inconsistencies between reported context and vulnerability data.
#26073 Fixed concurrency issues in LRU caches.
#26232 Removed all CVEs related to a deleted agent from the indexer.
#26922 Prevented an infinite loop when indexing events in the Vulnerability Detector.
#26842 Fixed segmentation fault in DescriptionsHelper::vulnerabilityDescription.
#24034 Fixed vulnerability scanner re-scan triggers in cluster environment.
#23266 Updated CURL version to 8.10.0.
#27145 Fixed an issue where elements in the delayed list were not purged when changing nodes.
#27145 Added logic to avoid re-scanning disconnected agents.

Wazuh agent

#25452 Fixed macOS agent upgrade timeout.
#24531 Fixed macOS agent startup error by properly redirecting cat command errors in wazuh-control.
#24516 Fixed inconsistent package inventory size information in Syscollector across operating systems.
#24125 Fixed missing Python path locations for macOS in Data Provider.
#25429 Fixed permission error on Windows 11 agents after remote upgrade.
#24387 Fixed increase of the variable containing file size in FIM for Windows.
#25699 Fixed timeout issue when upgrading Windows agent via WPK.
#26748 Allowed unknown syslog identifiers in Logcollector's journald reader.
#26828 Prevented agent termination during package upgrades in containers by removing redundant kill commands.
#26861 Fixed handle leak in FIM's realtime mode on Windows.
#26900 Fixed errors on AIX 7.2 by adapting the blibpath variable.
#26944 Sanitized agent paths to prevent issues with parent folder references.
#26633 Fixed an issue in the DEB package that prevented the agent from restarting after an upgrade.
#26944 Improved file path handling in agent communications to avoid references to parent folders.
#27054 Set RPM package vendor to UNKNOWN_VALUE when the value is missing.
#27059 Updated Solaris package generation to use the correct wazuh-packages reference.

Ruleset

#22597 Fixed logical errors in Windows Server 2022 SCA checks.
#25224 Fixed incorrect regulatory compliance in several Windows rules.
#24733 Fixed incorrect checks in Ubuntu 22.04 LTS.
#25190 Removed a check with high CPU utilization in multiple SCA policies.

Wazuh dashboard

#7001 Fixed issue where read-only users could not access the Statistics application.
#7047 Fixed the filter being displayed cropped on screens of 575px to 767px in the vulnerability detection module.
#7029 Fixed no-agent alert appearing with a selected agent in the agent-welcome view.
#7042 Fixed security policy exception when it contained deprecated actions.
#7048 Fixed export of formatted CSV data with special characters from tables.
#7077 Fixed filter management to prevent hiding when adding multiple filters.
#7120 Fixed loading state of the agents status chart in the home overview.
#7075 Fixed border on cells in events that disappear when clicked.
#7116 Fixed the Mitre ATT&CK exception in the agent view, the redirections of ID, Tactics, Dashboard Icon and Event Icon in the drop-down menu, and the card not displaying information when the flyout was opened.
#7047 Fixed the filter displaying cropped on screens of 575px to 767px in vulnerability detection module.
#7119 Fixed ability to filter from files inventory details flyout of File Integrity Monitoring.
#7122 Removed processes state column in macOS agents.
#7160 Fixed invalid date filter applied on FIM details flyout.
#7156 Fixed the Check updates UI being displayed despite being configured as disabled.
#7151 Fixed filter by value in document details not working in Safari.
#7167 Fixed error message to prevent passing non-string values to the Wazuh logger.
#7177 Fixed the rendering of the data.vulnerability.reference field in the table and flyout.
#7072 Fixed column reordering feature.
#7161 Fixed endpoint group module name and indexer management order.
#440 Fixed incorrect or empty Wazuh API version displayed after upgrade.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.9.2 Release notes - 4 November 2024

This section lists the changes in version 4.9.2. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#26453 Fixed an unhandled exception during IPC event parsing.

Wazuh dashboard

#7128 Fixed vulnerabilities inventory table scroll.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.9.1 Release notes - 17 October 2024

This section lists the changes in version 4.9.1. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#24110 Improved provisioning method for wazuh-keystore to enhance security.

Wazuh agent

#25652 Added support for macOS 15 "Sequoia" in Wazuh Agent.

RESTful API

#26103 Changed the error status code thrown when basic services are down to 500.

Wazuh dashboard

#6977 Added feature to filter by field in the events table rows.
#6981 Changed the text of the query limit tooltip.
#6919 Upgraded the axios dependency to 1.7.4.
#6954 Improved MITRE ATT&CK intelligence flyout details readability.
#6984 Upgraded Event-tab column selector to show picked columns first.
#6960 Changed vulnerabilities.reference to links in Vulnerability Detection > Inventory columns.
#6982 Upgraded the follow-redirects dependency to 1.15.6.
#6956 Changed many loading spinners in some views to loading search progress.
#6999 Removed the XML autoformat function group configuration due to performance issues.
#7023 Removed the PDF report footer year.
#7086 Removed data grid tables from Threat Hunting dashboard, GitHub panel, and Office365 panel.

Packages

#3111 Added offline installation assistant import for the downloaded GPG Wazuh key.
#3098 Changed version to tag reference in source_branch references.
#3118 Changed Filebeat passwords only when installing Wazuh Server or changing passwords.
#3119 Updated SECURITY.md format.
#3121 Added stage parameter in bump_version script.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#24909 Fixed vulnerability detector issue where RPM upgrade wouldn't download new content.
#25667 Fixed uncaught exception at Keystore test tool.
#25705 Replaced eval calls with ast.literal_eval.
#26277 Fixed the cluster being disabled by default when loading configurations.
#25945 Added support for ARM packages for wazuh-manager.

Wazuh agent

#24910 Fixed agent crash on Windows version 4.8.0.
#25209 Fixed data race conditions at FIM's run_check.
#24376 Fixed Windows agent crashes related to syscollector.dll.
#25445 Fixed errors related to the libatomic.a library on AIX 7.X.
#24932 Fixed errors in Windows Agent where EvtFormatMessage returned errors 15027 and 15033.
#25459 Fixed FIM issue where it couldn't fetch group entries longer than 1024 bytes.
#25469 Fixed Wazuh Agent crash at syscollector.
#23528 Fixed a bug in the processed dates in the AWS module related to the AWS Config type.
#24694 Fixed an error in Custom Logs Buckets when parsing a CSV file that exceeds a certain size.
#26108 Fixed macOS syslog and ULS not configured out-of-the-box.

RESTful API

#25764 Fixed requests logging to obtain the hash_auth_context from JWT tokens.
#25216 Enabled API to listen to both IPv4 and IPv6 stacks.

Wazuh dashboard

#6933 Fixed issue causing vulnerability dashboard to fail loading for read-only users.
#6905 Fixed the temporal directory variable in the command to deploy a new Windows agent.
#6906 Fixed an error in the command to deploy a new macOS agent that could cause the registration password to have a wrong value due to a \n inclusion.
#6901 Fixed rendering of an active response as disabled when it is active.
#6908 Fixed an error in Dev Tools when using payload properties as arrays.
#6987 Fixed font size in tables used in the events tab, the Threat hunting dashboard tab, and the Vulnerabilities inventory tab.
#6983 Fixed missing link to Vulnerabilities detection and Office 365 in the agent menu of Endpoints Summary.
#6983 Fixed missing options depending on agent operating system in the agent configuration report.
#6989 Fixed a style issue that affected the Discover plugin.
#6995 Fixed a problem updating the API host registry in the GET /api/check-stored-api.
#7019 Fixed the Open report button on the toast and the Download report icon in the reporting table in Safari.
#7015 Fixed style issue when unpinning an agent in the endpoint summary section.
#7021 Fixed overflow style on a long value filter.
#7056 Fixed buttons enabled for a read-only user in Endpoint groups section.
#7090 Fixed the automatic page refresh in dashboards and prevented duplicate requests.

Packages

#3110 Fixed bug when changing the Filebeat URL in the Installation Assistant.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.9.0 Release notes - 5 September 2024

This section lists the changes in version 4.9.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

This release introduces several significant updates aimed at enhancing functionality, compatibility, and user experience. Key updates include support for journald logs in Logcollector, improved compatibility with OpenSearch 2.13.0, and integration with AWS Security Hub. Additionally, there are improvements to WPK packages and enhancements in the Wazuh-API with Connexion 3.0 and Uvicorn support. The release also addresses numerous bugs, further stabilizing the platform and improving overall performance.

Journald support in Logcollector: Systemd's journald logging is now supported, enabling Logcollector to monitor these logs, which can provide valuable information for users.
Integrate Wazuh with AWS Security Hub: Wazuh now integrates with AWS Security Hub, enabling users to manage security and assess compliance with best practices directly within AWS.
Improve WPKs: The WPK packages' logic has been streamlined, reducing complexity, especially in the backup/rollback process, and ensuring smoother updates.
Refactoring and redesign Endpoints Summary charts: The Endpoints Summary charts have been refactored and redesigned for improved clarity and usability.
New or updated SCA policies: Added support for Oracle Linux 9, Alma Linux 9, and Rocky Linux 9, and updated policies for RedHat 7, CentOS 7, RedHat 8, and CentOS 8.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#17306 Added alert forwarding to Fluentd.
#20285 Changed logging level of wazuh-db recv() messages from error to debug.
#16666 Fixed malformed JSON error in wazuh-analysisd.
#23727 Added missing functionality for vulnerability scanner translations.
#23722 Improved performance for vulnerability scanner translations.
#24536 Enhanced vulnerability scanner logging to be more expressive.
#17306 The manager now supports alert forwarding to Fluentd.
#23513 Added the HAProxy helper to manage load balancer configuration and automatically balance agents.
#23222 Added a validation to avoid killing processes from external services.
#23996 Enabled certificates validation in the requests to the HAProxy helper using the default CA bundle.
#21195 Sanitized the integrations directory code.

Wazuh agent

#19753 Removed the directory /boot from the default FIM settings for AIX.
#21690 Improved debugging logs for Windows registry monitoring configuration. Now the Wrong registry value type warnings include the registry path to help troubleshooting. Thanks to Zafer Balkan (@zbalkan).
#21287 Added Amazon Linux 1 and Amazon Linux 2023 support for the Wazuh installation assistant.
#23137 Added Journald support in Logcollector.
#20727 Fixed Windows Agent 4.8.0 permission errors on Windows 11 after upgrade.
#22440 Fixed Syscollector not checking if there's a scan in progress before starting a new one.
#16487 Fixed alerts are created when syscheck diff DB is full.
#2195 Fixed Wazuh deb uninstallation to remove non-config files.
#23273 Fixed improper Windows agent ACL on non-default installation directory.
#17664 Fixed socket configuration of an agent is displayed.
#18494 Fixed wazuh-modulesd printing child process not found error.
#23848 Fixed issue with an agent starting automatically without reason.
#17415 Fixed GET /syscheck to properly report size for files larger than 2GB.
#23203 Added support for Amazon Security Hub via AWS SQS.
#20624 Refactored and modularized the Azure integration code.
#23790 Improved logging of errors in Azure and AWS modules.
#22583 Dropped support for Python 3.7 in cloud integrations.

RESTful API

#23199 Replaced aiohttp server with uvicorn.
#23199 Changed the PUT /groups/{group_id}/configuration endpoint response error code when uploading an empty file.
#23199 Changed the GET, PUT and DELETE /lists/files/{filename} endpoints response status code when an invalid file is used.
#23199 Changed the PUT /manager/configuration endpoint response status code when uploading a file with invalid content-type.
#23094 Added support in the Wazuh API to parse journald configurations from the ossec.conf file.
#24360 Added user-agent to the CTI service request.
#21653 Merged group files endpoints (GET /groups/{group_id}/files/{filename}) into one that uses the raw parameter to receive plain text data.
#22388 Removed the hardcoded fields returned by the GET /agents/outdated endpoint and added the select parameter to the specification.
#22423 Updated the regex used to validate CDB lists.
#22413 Changed the default value for empty fields in the GET /agents/stats/distinct endpoint response.
#22380 Changed the Wazuh API endpoint responses when receiving the Expect header.
#22745 Enhanced Authorization header values decoding errors to avoid showing the stack trace and fail gracefully.
#22908 Updated the format of the fields that can be N/A in the API specification.
#22954 Updated the Wazuh API specification to conform with the current endpoint requests and responses.
#22416 Removed the cache configuration option from the Wazuh API.

Ruleset

#19754 Clarified the description for rule ID 23502 about solved vulnerabilities.
#17784 Added new SCA policy for Rocky Linux 8.

Other

#20778 Upgraded external OpenSSL library dependency version used by Wazuh from V1 to V3.
#22680 Upgraded external connexion library dependency version to 3.0.5 and its related interdependencies.

Wazuh dashboard

#6145 Added AngularJS dependencies.
#6580 Migrated from AngularJS to ReactJS. #6555 #6618 #6613 #6631 #6594 #6893
#6120 Removed legacy embedded discover component.
#6268 Refactored the Endpoints Summary charts.
#6250 Added agent groups edition to Endpoints Summary. #6274
#6476 Added a filter to select outdated agents and the Upgrade agent action to Endpoints Summary. #6501 #6529 #6648
#6337 Changed the way the configuration is managed in the backend side. #6573
#6337 Moved the content of the API is down and Check connection views to the Server APIs view.
#6545 Added macOS log collection tab.
#6481 Removed the GET /api/timestamp API endpoint.
#6481 Removed the PUT /api/update-hostname/{id} API endpoint.
#6481 Removed the DELETE /hosts/remove-orphan-entries API endpoint.
#6573 Enhanced the validation for enrollment.dns on App Settings application.
#6607 Implemented the option to control configuration editing via API endpoints and UI.
#6572 Added the Journald log collector tab.
#6482 Implemented new data source feature on MITRE ATT&CK module.
#6653 Added HAProxy helper settings to cluster configuration.
#6660 Changed log collector socket configuration response property.
#6558 Added the ability to open the report file and the reporting application from toast message.
#6558 Added Office 365 support for agents.
#6716 Refactored the search bar to handle fixed and user-added filters correctly. #6755
#6714 Replaced the custom EuiSuggestItem component with the native component from OpenSearch UI.
#6800 Added pinned agent data validation when rendering the Inventory data, Stats, and Configuration tabs in Agent preview of Endpoints Summary.
#6534 Improvement of the filter management system by implementing new standard modules. #6772 #6873
#6745 Generate URL with predefined filters.
#6782 Removed unused API endpoints from creation of old visualizations: GET /elastic/visualizations/{tab}/{pattern}.
#6839 Changed permalink field in the Events tab table in VirusTotal to show an external link.
#6890 Changed the internal control from Endpoint Groups to a control via URL.
#6882 Changed the internal control from MITRE ATT&CK > Intelligence > Table to a control via URL.
#6886 Changed the display of rule details flyout to be based on URL.
#6161 Changed the logging system to use the one provided by the platform.
#6161 Removed logs.level setting.
#6161 Removed the usage of wazuhapp-plain.log, wazuhapp.log, wazuh-ui-plain.log, and wazuh-ui.log files.
#6161 Removed the App logs application.
#6161 Removed API endpoint GET /utils/logs/ui.
#6161 Removed API endpoint GET /utils/logs.
#6848 Added wz-link component to handle redirections.
#6902 Removed embedded dom-to-image dependency.
#6902 Added embedded and customized dom-to-image-more dependency.
#6949 Changed the order of columns in Vulnerabilities Detection > Events table.

Packages

#2989 Updated Password Tool to add default user and password to the filebeat.yml when changing passwords
#2991 Allow installation on any OS
#2970 Added support for Rocky Linux 9.4 in Installation assistant
#2944 Update API script file name
#2698 Added new Azure module files
#2945 Added support for Ubuntu 24.04 in Installation assistant
#2922 Changed log message when not yum nor apt-get are found. Added clearer instructions on following steps
#2911 Cert-tool logfile added. Modified common_logger function to write on files without root permission
#2908 Added bash dependency to Wazuh agent RPM for AIX
#2909 Prevent failed checks related to dashboard and indexer
#2900 Installation Assistant language agnostic
#2882 Added rollBack to several exit points
#2753 Adding support for Amazon Linux 1, 2, and 2023
#2790 Added support for AL2023 in WIA
#2300 Added SCA policy for Rocky Linux 8 in SPECS.
#3070 Removed migrated and unsupported code.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

#20505 Fixed compilation issue for local installation.
#24375 Fixed a warning when uninstalling the Wazuh manager if the vulnerability detection feed is missing.
#24393 Ensured vulnerability detection scanner log messages end with a period.

Wazuh agent

#19146 Fixed command monitoring on Windows to support UTF-8 characters.
#21455 Fixed an error in Windows agents preventing whodata policies loading.
#21595 Fixed an unexpected error where the manager received messages with a reported size not corresponding to the bytes received.
#21729 Prevented backup failures during WPK upgrades. A dependency check for the tar package was added.
#22210 Fixed a crash of the agent due to a library incompatibility.
#21728 Fixed an error of the Osquery integration on Windows that prevented loading osquery.conf.
#22588 Fixed a crash in the agent Rootcheck component when using <ignore>.
#20425 Fixed the agent not deleting the wazuh-agent.state file in Windows when stopped.
#24412 Fixed error in packages generation for CentOS 7.
#22392 Fixed Azure auditLogs/signIns status parsing (thanks to @Jmnis for the contribution).
#22621 Fixed how the S3 object keys with special characters are handled in the Custom Logs Buckets integration.

RESTful API

#20507 Improved XML validation to match the Wazuh internal XML validator.
#22428 Fixed bug in GET /groups.
#24946 Fixed the GET /agents/outdated endpoint query.

Ruleset

#22178 Added parsing of the optional node= log heading field to Audit decoders.

Other

#19794 Fixed a buffer overflow hazard in HMAC internal library.

Wazuh dashboard

#6237 Fixed disappearing scripted fields when index pattern fields refreshed.
#6667 Fixed invalid IP address ranges and file hashes in sample alert scripts.
#6558 Fixed error of malformed table row in PDF report generation.
#6730 Fixed the validation of the maximum allowed time interval for cron jobs.
#6747 Fixed styles in small height viewports.
#6770 Fixed behavior in Configuration Assessment when changing API.
#6871 Fixed the maximum width of the clear session button in the ruleset test view.
#6876 Fixed the width of the last modified column of the table in Windows Registry.
#6880 Fixed redirection to FIM > Inventory > Files from FIM > Inventory > Windows Registry when switching to a non-Windows agent.

Packages

#3063 Fixed Kibana server change password.
#3074 Fixed bugs in the offline installation using the installation assistant.
#3082 Fixed bug when inserting Filebeat template.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.8.2 Release notes - 20 August 2024

This section lists the changes in version 4.8.2. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Resolved issues

This release resolves known issues as the following:

Manager

#25225 Added a fix for when remoted fails to read a message.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.8.1 Release notes - 18 July 2024

This section lists the changes in version 4.8.1. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Manager

#24357 Added dedicated RSA keys for keystore encryption.

RESTful API

#24173 Updated the GET /manager/version/check endpoint response to always include the uuid field.

Other

#24108 Upgraded external Jinja2 library dependency version to 3.1.4.
#23925 Upgraded external requests library dependency version to 2.32.2.

Packages

#3005 Added -A|--api option validation to the wazuh-passwords-tool.sh script for changing API user credentials.

Resolved issues

This release resolves known issues as the following:

Manager

#24308 Fixed a bug in upgrade_agent CLI where it occasionally hung without showing a response.
#24341 Fixed a bug in upgrade_agent CLI where it occasionally raised an unhandled exception.
#24509 Changed keystore cipher algorithm to remove the reuse of sslmanager.cert and sslmanager.key.

Agent

#23989 Fixed the macOS agent to retrieve correct CPU name.

Dashboard plugin

#6778 Removed the unnecessary delay body parameter on server API requests.
#6777 Fixed home KPI links with custom or index pattern where the title is different from the ID.
#6793 Fixed the colors related to vulnerability severity levels on the Vulnerability Detection dashboard.
#6827 Fixed pinned agent error in vulnerabilities events tab.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.8.0 Release notes - 12 June 2024

This section lists the changes in version 4.8.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

This release introduces a major refactor of the Vulnerability Detector module that increases coverage and improves reliability by using a centralized feed of curated vulnerabilities maintained by Wazuh. It introduces global queries for vulnerability detection information, allowing users to search through vulnerability detection data across all endpoints.

The Wazuh dashboard notifies users whenever there's a newer Wazuh version available and offers a revamped UX navigation experience by completely overhauling the menu layout.

To support the centralized vulnerability feed and update check services, Wazuh has developed a new platform aimed at integrating and distributing Cyber Threat Intelligence (CTI) data.

Package inventory can now collect information from expanded sources, including the Snap package manager.

The release also addresses hundreds of bugs of varying impacts, further stabilizing the platform and improving the overall user experience.

Vulnerability Detector refactor: Vulnerability detection uses a centralized feed maintained by Wazuh and introduces global queries, significantly improving vulnerability detection capabilities and performance.
Update check service UI: Users can now be notified whenever there's a new Wazuh version available.
Wazuh dashboard UX redesign: A significant overhaul aimed at enhancing the user interface and experience, making navigation and operation more intuitive.
Snap packages support & PYPI and Node packages support: Wazuh now includes support for inventorying packages installed through the Snap package manager, improving visibility into software management.

Breaking changes

Manager

The Vulnerability Detection module no longer downloads external vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). Instead, the vulnerability detection capability now uses the new Wazuh CTI platform. wazuh #14153
The Vulnerability Detection module requires setting up communication with the Wazuh indexer. wazuh #14153
The Vulnerability Detector module has been renamed to Vulnerability Detection. The vulnerability-detector configuration option has been renamed to vulnerability-detection. wazuh #19781

Dashboard plugin

The Wazuh dashboard disabled_roles setting has been removed. Now, the Wazuh dashboard is visible to every Wazuh indexer role. wazuh-dashboard-plugins #5841
The Wazuh dashboard customization.logo.sidebar setting has been removed, and the sidebar logo is no longer customizable. wazuh-dashboard-plugins #5841
The extensions.* settings have been removed. Now, all Wazuh modules are visible in the main menu. wazuh-dashboard-plugins #5841
The default Wazuh dashboard home URL has changed from https://<WAZUH_DASHBOARD_URL>/app/wazuh to https://<WAZUH_DASHBOARD_URL>/app/wz-home. You can check the /etc/wazuh-dashboard/opensearch_dashboard.yml configuration file and replace the uiSettings.overrides.defaultRoute: /app/wazuh setting with uiSettings.overrides.defaultRoute: /app/wz-home if needed. An app not found error will appear if this value is incorrect. wazuh-packages #2497

What's new

This release includes new features or enhancements as the following:

Manager

#21201 Refactored vulnerability detection capability.
#18476 Improved wazuh-db detection of deleted database files.
#16893 Added timeout and retry parameters to the VirusTotal integration.
#18988 Extended wazuh-analysisd EPS metrics with events dropped by overload and remaining credits in the previous cycle.
#19819 Replaced Filebeat date index name processor to ensure the indices are identifiable by the index alias for auto-rollover.
#18466 Updated API and framework packages installation commands to use pip instead of direct invocation of setuptools.
#17015 Refactored how cluster status dates are treated in the cluster.
#21602 The log message about file rotation and signature from wazuh-monitord has been updated.
#21670 Implemented a dedicated keystore for indexer configuration to improve management of sensitive information.
#22774 Improved Wazuh-DB performance by adjusting SQLite synchronization policy.
#17750 Upgraded docker-compose V1 to V2 in API Integration test scripts.

Agent

#15740 Added snap package manager support to Syscollector.
#18574 Disabled host's IP query by Logcollector when ip_update_interval=0.
#17932 Added event size validation for the external integrations.
#17623 Refactored and modularized the AWS integration code.
#17623 Added new unit tests for the AWS integration.
#19064 Added multiple tenants support to the MS Graph integration module.
#16200 FIM now buffers the Linux audit events for who-data to prevent side effects in other components.
#19720 The sub-process execution implementation has been improved.
#20649 Added geolocation mapping for the AWS WAF events.
#21530 Added a validation to reject unsupported regions when using the inspector service.
#21561 Added additional information on some AWS integration errors.
#21791 Replaced the usage of fopen with wfopen to avoid processing invalid characters on Windows.
#21637 Fixed installation script to prevent macOS agent to start automatically after installation.

RESTful API

#19952 Added new GET /manager/version/check API endpoint to obtain information about new releases of Wazuh.
#20119 Removed PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints as they were deprecated in version 4.7.0. Use the Wazuh indexer REST API instead.
#20420 Added the auto option to the ssl_protocol setting in the API configuration. This option enables automatic negotiation of the TLS certificate.
#21572 Removed the compilation_date field from GET /cluster/{node_id}/info and GET /manager/info endpoints.
#22387 Deprecated the cache configuration option.
#17048 Removed the custom parameter from the PUT /active-response endpoint.
#22727 Added API configuration option to protect the Wazuh indexer configuration from updates.

Ruleset

#19528 Added rules to detect IcedID attacks.
#17780 Added new SCA policy for Amazon Linux 2023.
#18721 Revised SCA policy for Ubuntu Linux 18.04.
#17515 Revised SCA policy for Ubuntu Linux 22.04.
#18440 Revised SCA policy for Red Hat Enterprise Linux 7.
#17770 Revised SCA policy for Red Hat Enterprise Linux 8.
#17412 Revised SCA policy for Red Hat Enterprise Linux 9.
#17624 Revised SCA policy for CentOS 7.
#18439 Revised SCA policy for CentOS 8.
#18010 Revised SCA policy for Debian 8.
#17922 Revised SCA policy for Debian 10.
#18695 Revised SCA policy for Amazon Linux 2.
#18985 Revised SCA policy for SUSE Linux Enterprise 15.
#19037 Revised SCA policy for macOS 13.0 Ventura.
#19515 Revised SCA policy for Microsoft Windows 10 Enterprise.
#20044 Revised SCA policy for Microsoft Windows 11 Enterprise.
#17518 Updated MITRE DB to v13.1.

Other

#20003 Upgraded embedded Python version to 3.10.13.
#23112 Upgraded external aiohttp library dependency version to 3.9.5.
#22221 Upgraded external cryptography library dependency version to 42.0.4.
#21710 Upgraded external curl library dependency version to 8.5.0.
#20003 Upgraded external grpcio library dependency version to 1.58.0.
#23112 Upgraded external idna library dependency version to 3.7.
#21684 Upgraded external Jinja2 library dependency version to 3.1.3.
#21710 Upgraded external libarchive library dependency version to 3.7.2.
#20003 Upgraded external numpy library dependency version to 1.26.0.
#21710 Upgraded external pcre2 library dependency version to 10.42.
#20493 Upgraded external pyarrow library dependency version to 14.0.1.
#21710 Upgraded external rpm library dependency version to 4.18.2.
#20741 Upgraded external SQLAlchemy library dependency version to 2.0.23.
#21710 Upgraded external sqlite library dependency version to 3.45.0.
#20630 Upgraded external urllib3 library dependency version to 1.26.18.
#21710 Upgraded external zlib library dependency version to 1.3.1.
#21710 Added external lua library dependency version 5.3.6.
#21749 Added external PyJWT library dependency version 2.8.0.
#21749 Removed external python-jose and ecdsa library dependencies.

Dashboard plugin

#5791 Added remember server address check.
#6093 Added a notification about new Wazuh updates and a button to check their availability. #6256 #6328
#6083 Added the ssl_agent_ca configuration to the SSL Settings form.
#5896 Added global vulnerabilities dashboards.
#5840 Added an agent selector to the agent view.
#5840 Moved the Wazuh menu into the side menu. #6226 #6423 #6510 #6591
#5840 Removed the disabled_roles and customization.logo.sidebar settings.
#5840 Removed module visibility configuration and removed the extensions.* settings.
#6035 Updated all dashboard visualization definitions. #6632 #6690
#6067 Reorganized tabs order in all modules.
#6174 Removed the implicit filter of WQL language of the search bar UI.
#6373 Changed the API configuration title to API Connections.
#6366 Removed Compilation date field from the Status view.
#6361 Removed WAZUH_REGISTRATION_SERVER variable from Windows agent deployment command.
#6354 Added a dash character and a tooltip element to Run as in the API configuration table to indicate it's been disabled.
#6364 Added tooltip element to Most active agent in Details in the Endpoint summary view and renamed a label element. #6421
#6379 Changed overview home top KPIs. #6408 #6569
#6341 Removed notice of old Discover deprecation.
#6492 Updated the PDF report year number to 2024.
#6702 Adjusted font style of Endpoints summary KPIs, Index pattern, and API selectors, as well as adjusted the Dev Tools column widths.

Packages

#2332 Added check into the installation assistant to prevent the use of public IP addresses.
#2365 Removed the postProvision.sh script. It's no longer used in OVA generation.
#2364 Added curl error messages in downloads.
#2469 Improved debug output in the installation assistant.
#2557 Added SCA policy for Amazon Linux 2023 in SPECS.
#2558 Wazuh password tool now recognizes UI created users.
#2562 Bumped Wazuh indexer to OpenSearch 2.10.0.
#2563 Bumped Wazuh dashboard to OpenSearch Dashboards 2.10.0.
#2577 Added APT and YUM lock logic to the Wazuh installation assistant.
#2164 Deprecated CentOS 6 and Debian 7 for the Wazuh manager compilation, while still supporting them in the Wazuh agent compilation.
#2588 Added logic to the installation assistant to check for clean Wazuh central components removal.
#2615 Added branding images to the header of Wazuh dashboard.
#2696 Updated Filebeat module version to 0.4 in Wazuh installation assistant.
#2695 Added content database in RPM and DEB packages.
#2669 Upgraded botocore dependency in WPK package Docker containers.
#2738 Added xz utils as requirement.
#2777 Added support for refactored vulnerability detector in the installation assistant.
#2797 The Wazuh installation assistant now uses 127.0.0.1 instead of localhost in the Wazuh dashboard configuration. #2808
#2801 Added check into the installation assistant to ensure sudo package is installed.
#2802 Added the Wazuh keystore functionality to the passwords tool.
#2809 Upgrade scripts to support building Wazuh with OpenSSL 3.0.
#2784 Added rollback and exit in case the Wazuh indexer security admin fails.
#2804 Added the keystore tool for both RPM and DEB manager packages creation. #2802
#2798 Add compression for the Wazuh manager due to inclusion of Vulnerability Detection databases.
#2796 Simplified the Wazuh dashboard help menu entries.
#2792 Improved certificates generation output when using the Wazuh Installation Assistant and the Wazuh Certs Tool.
#2891 Skipped certificate validation for CentOS 5 package generation.
#2890 Updated the file permissions of vulnerability detection-related directories.
#2966 Added Ubuntu 24 support to the Wazuh installation assistant.
#2422 Added the possibility of registering the localhost domain in the installation assistant and in the cert-tool.
#2408 Added new AWS files to Solaris SPECS.
#2553 Added new role to grant ISM API permissions.
#2578 Changed the order of Explore category and Indexer/dashboard management title on dashboard.
#2582 Added the ISM init script to the Wazuh indexer package.
#2584 Added ISM script in installation assistant.
#2586 Moved ISM scripts from package to base.
#2590 Extended indexer-init.sh to accept arguments.
#2592 Updated the initialize cluster script in the offline installation workflow.
#2598 Updated min_doc_count value.
#2606 Improved ISM init script.
#2609 Adapted wazuhapp and Wazuh dashboard to install the Wazuh CheckUpdates and Core plugins.
#2639 Changed check yum lock function.
#2653 Collapsed initially the application categories in the side menu of Wazuh dashboard.
#2687 Added common_checkAptLock function.
#2700 Updated indexer-ism-init.sh.
#2711 Ensured config is present in ossec.conf after upgrade via rpm.
#2712 Added wazuh-filebeat template to Wazuh indexer.
#2713 Removed wazuh-template json.
#2726 Updated indexer-ism-init.sh.
#2733 Updated indexer-ism-init.sh.
#2742 Vulnerability detection refactor.
#2748 Removed flag --download-content.
#2782 Split CentOS and RHEL check.
#2789 Updated Wazuh favicon for Safari.
#2795 Replaced category management description.
#2792 Improved certificates generation output when using the Wazuh Installation Assistant and the Wazuh Certs Tool.
#2807 Silenced sudo package check.
#2821 Removed debug variable in Admin certificate generation.
#2822 Do not decompress .tar.xz file, remove xz dependency.
#2827 Added step for restore ossec.conf file in backup/restore scripts.
#2838 Removed download-content.sh and download.rules files.

Resolved issues

This release resolves known issues as the following:

Manager

#17886 Updated cluster connection cleanup to remove temporary files when the connection between a worker and a master is broken.
#23371 Added a mechanism to prevent cluster errors from an expected wazuh-db exception.
#23216 Fixed a race condition when creating agent database files from a template.

Agent

#16839 Fixed process path retrieval in Syscollector on Windows XP.
#16056 Fixed the OS version detection on Alpine Linux.
#18642 Fixed Solaris 10 name not showing in the dashboard.
#21932 Fixed an error in macOS Ventura compilation from sources.
#23532 Fixed PyPI package gathering on macOS Sonoma.

RESTful API

#20527 Fixed a warning from SQLAlchemy involving detached Roles instances in RBAC.
#23120 Fixed an issue in GET /manager/configuration where only the last of multiple <ignore> items in the configuration file was displayed.

Dashboard plugin

#5840 Fixed a problem with the agent menu header when the side menu is docked.
#6102 Fixed how the query filters apply on the Security Alerts table.
#6177 Fixed exception in agent view when an agent doesn't have policies.
#6177 Fixed exception in Inventory when agents don't have operating system information.
#6177 Fixed pinned agent state in URL.
#6234 Fixed invalid date format in About and Agents views.
#6305 Fixed issue with script to install agents on macOS if using the registration password deployment variable.
#6327 Fixed an issue preventing the use of a hostname as the Server address in Deploy New Agent.
#6342 Fixed wrong Queue Usage values in Server management > Statistics.
#6352 Fixed Statistics view errors when cluster mode is disabled.
#6374 Fixed the help menu, to be consistent and avoid duplication.
#6378 Fixed the axis label visual bug from dashboards.
#6431 Fixed error displaying when clicking Refresh in MITRE ATT&CK if the the Wazuh indexer service is down.
#6484 Fixed minor style issues. #6489 #6587
#6617 Fixed error when clicking Log collection in Configuration of a disconnected agent.
#6333 Fixed a typo in an abbreviation for Fully Qualified Domain Name.
#6553 Fixed "View alerts of this Rule" link.

Packages

#2381 Fixed DNS validation in the installation assistant.
#2401 Fixed debug redirection in the installation assistant.
#2850 Fixed certificates generation output for certificates not created.
#2906 Moved up the hardware check of the installation assistant. Now dependencies don't get installed if it fails.
#2380 Fixed source_branch variable in master branch.
#2535 Fixed mkdir wazuh-install-files error.
#2560 Fixed internalusers-backup directory owner and permissions.
#2585 Fixed bug with -i option.
#2646 Fixed wazuh-indexer.spec duplicated information.
#2723 Fixed Filebeat template URL in Wazuh indexer.
#2796 Fixed duplicated help menu.

Changelogs

The repository changelogs provide more details about the changes.

Product repositories

Auxiliary repositories

4.7.5 Release notes - 30 May 2024

This section lists the changes in version 4.7.5. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#23441 Added a database endpoint to recalculate the hash of agent groups.

Wazuh dashboard

#6687 Added sanitization to custom branding SVG files.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#23447	Fixed an issue in a cluster task where full group synchronization was constantly triggered.
#23216	Fixed race condition when creating agent database files from a template.

Wazuh agent

Reference	Description
#23468	Fixed segmentation fault in the logcollector multiline-regex configuration.
#23543	Fixed crash in FIM module when processing paths with non UTF-8 characters.

Wazuh dashboard

Reference	Description
#6718	Fixed a missing space in the macOS agent installation command when a password is required.

Changelogs

More details about these changes are provided in the changelog of each component:

4.7.4 Release notes - 29 April 2024

This section lists the changes in version 4.7.4. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#22933	Fixed wazuh-db not clearing labels from deleted agents.
#22994	Improved stability by ensuring workers resume normal operations even during master node downtime.

Changelogs

More details about these changes are provided in the changelog of each component:

4.7.3 Release notes - 4 March 2024

This section lists the changes in version 4.7.3. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#21997	Resolved a transitive mutex locking issue in wazuh-db that was impacting performance.
#21977	Wazuh DB internal SQL queries have been optimized by tuning database indexes to improve performance.

Wazuh dashboard

Reference	Description
#6458	Fixed an error when uploading CDB lists.

Changelogs

More details about these changes are provided in the changelog of each component:

4.7.2 Release notes - 10 January 2024

This section lists the changes in version 4.7.2. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#21142 Added minimum time constraint of 1 hour for downloading the Vulnerability Detector feed.

Wazuh agent

#20638 Added request timeouts for the external and cloud integrations. This prevents indefinite waiting for a response.

Ruleset

#17565 Added new SCA policy for Debian 12 systems.

Other

#20798 Upgraded external aiohttp library dependency to version 3.9.1 to address a security vulnerability.

Wazuh dashboard

#6191 Added Hostname and Board Serial information to Agents > Inventory data.
#6208 Added contextual information to the deploy agent steps.

Packages

#2670 Removed installed dependencies that were part of the Wazuh installation assistant. This ensures a clean post-installation state.
#2677 Removed gnupg package as RPM dependency in the Wazuh installation assistant.
#2693 Added Debian12 SCA files.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#21011	`wazuh-remoted` now logs the warning regarding invalid message size from agents in hex format.
#20658	Fixed a bug within the Windows Eventchannel decoder to ensure proper handling of Unicode characters.
#20735	Fixed data validation for decoding Windows Eventchannel XML input strings.

Wazuh agent

Reference	Description
#20656	Implemented validation for the format of the IP address parameter in the `host_deny` active response.
#20594	Fixed a bug in the Windows agent that might lead it to crash when gathering forwarded Windows events.
#20447	Fixed issue with the `profile` prefix in parsing AWS configuration profiles.
#20660	Fixed parsing and validation for the AWS regions argument, expanding the AWS regions list accordingly.

Ruleset

Reference	Description
#20663	Updated AWS Macie rules to show relevant fields in alert details.

Wazuh dashboard

Reference	Description
#6185	Fixed Agents preview page load when there are no registered agents.
#6206, #6213	Changed the endpoint to get Wazuh server auth configuration to `manager/configuration/auth/auth`.
#6224	Fixed error navigating back to agent in some scenarios.

Packages

Reference	Description
#2667	Fixed warning message when generating certificates.

Changelogs

More details about these changes are provided in the changelog of each component:

4.7.1 Release notes - 20 December 2023

This section lists the changes in version 4.7.1. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Agent

#20616 Improved WPK upgrade scripts to ensure safe execution and backup generation.

Other

#20149 Upgraded external certifi library dependency version to 2023.07.22.
#20149 Upgraded external requests library dependency version to 2.31.0.
#18800 Upgraded embedded Python version to 3.9.18.

Packages

#2559 Updated Wazuh assistant help text for offline download option.
#2627 Updated error message for CentOS GPG key import failure.
#2624 Added macOS 14 Sonoma SCA files.

Resolved issues

This release resolves known issues as the following:

Manager

Reference	Description
#20178	Fixed a thread lock bug that slowed down `wazuh-db` performance.
#20386	Fixed a bug in Vulnerability detector that skipped vulnerabilities for Windows 11 21H2.
#5941	The installer now updates the `merged.mg` file permissions on upgrade.
#19993	Fixed an insecure request warning in the Shuffle integration.
#19888	Fixed a bug that corrupted cluster logs when rotated.
#20580	Fixed a bug causing the Canonical feed parser to fail in Vulnerability Detector.

Agent

Reference	Description
#20332	Fixed a bug that prevented the local IP address from appearing in the port inventory from macOS agents.
#20180	Fixed the default Logcollector settings on macOS to collect logs out-of-the-box.
#20169	Fixed a bug in the FIM decoder at `wazuh-analysisd` that ignored Windows Registry events from agents earlier than 4.6.0.
#20250	Fixed multiple bugs in the Syscollector decoder at `wazuh-analysisd` that did not sanitize the input data properly.
#20284	Added the `pyarrow_hotfix` dependency to fix the pyarrow `CVE-2023-47248` vulnerability in the AWS integration.
#20598	Fixed a bug that allowed two simultaneous updates to occur through WPK.

RESTful API

Reference	Description
#18423	Fixed inconsistencies in the behavior of the `q` parameter of some endpoints.
#18495	Fixed a bug in the `q` parameter of the `GET /groups/{group_id}/agents` endpoint.
#19533	Fixed bug in the regular expression used to reject non ASCII characters in some endpoints.

Wazuh dashboard

Reference	Description
#6076	Fixed problem when using non latin characters in the username.
#6104	Fixed UI crash on retrieving log collection configuration for macos agent.
#6105	Fixed incorrect validation of the agent name on the Deploy new agent window.
#6184	Fixed missing columns in the agent table of Groups.

Packages

Reference	Description
#2561	Fixed `network.host` fetching in Password tool. A commented line like `#network.host: "XXX.XXX.XXX.XXX"` is now ignored.
#2493	Fixed issue where Intel64 macos packages failed to install on ARM-based machines.
#2611	Fixed file permissions issue in `merged.mg` files when updating a manager using packages update.

Changelogs

More details about these changes are provided in the changelog of each component:

4.7.0 Release notes - 27 November 2023

This section lists the changes in version 4.7.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This version includes new features or improvements, such as the following:

Manager

#18026 Added native Maltiverse integration. Wazuh now leverages the Maltiverse API to enrich alerts. This enhancement supplements alert details with threat intelligence data following the Elastic Common Schema (ECS) standard. Acknowledgments to David Gil (@dgilm).
#16090 Added an option to customize the Slack integration.
#16008 An unnecessary sanity check related to Syscollector has been removed from wazuh-db.
#18570 Added support for Amazon Linux 2023 in Vulnerability Detector.
#20367 The manager now rejects agents with a higher version by default.

Agent

#17951 Added support for Custom AWS Logs in Buckets via AWS SQS. This enhancement improves visibility and troubleshooting in AWS environments.
#15582 Added geolocation for aws.data.client_ip field. The new GeoIP feature enables tracking of geographical locations of AWS ALB client IP addresses. This addition enhances visibility into network traffic and security monitoring. Acknowledgements to Arran Rhodes @rh0dy.
#15699 Added package inventory support for Alpine Linux in Syscollector.
#16117 Added package inventory support for MacPorts package manager in Syscollector. This enhancement improves compatibility with macOS.
#17982 Added package inventory support for Python PYPI and Node.js in Syscollector.
#15000 Added process information to the open ports inventory in Syscollector. This addition enhances ports inventory capabilities for better management and tracking on Linux systems.
#17966 The shared modules code has been sanitized according to the convention.
#18006 The package inventory internal messages have been modified to honor the schema compliance.
#20360 Added clarification to the agent connection log. The agent must connect to a manager of the same or higher version.

Wazuh dashboard

#5680 Added the Status detail column in the Agents table.
#5738 The agent registration wizard now effectively manages special characters in passwords.
#5636 Changed the Network ports table columns for Linux agents.
#5707 Changed Timelion-type displays in the Management > Statistics section to line-type displays.
#5747 Removed views in JSON and XML formats from the Management settings.

RESTful API

#19726 Added new status_code field to GET /agents response.
#20126 Deprecated the following API endpoints.
- PUT /vulnerability
- GET /vulnerability/{agent_id}
- GET /vulnerability/{agent_id}/last_scan
- GET /vulnerability/{agent_id}/summary/{field}

Packages

#2568 Updated links to wazuh-dashboard-plugins repository.
#2555 Added firewall validation to the installation assistant.

Resolved issues

This release resolves known issues as the following:

Manager

Reference	Description
#16683	Fixed an unexpected cluster error when a worker gets restarted.
#16681	Fixed an issue that let the manager validate wrong XML configurations.
#19869	Fixed default value for `multiarch` field in syscollector packages.
#20081	Fixed WPK rollback rebooting the host in Windows agent.

Agent

Reference	Description
#17006	Fixed detection of `osquery 5.4.0+` running outside the integration.
#16089	Fixed vendor data in package inventory for Brew packages on macOS.
#19811	Improved reliability of the signature verification mechanism.

RESTful API

Reference	Description
#16489	Addressed error handling for `non-utf-8` encoded file readings.
#16914	Resolved an issue in the `WazuhException` class that disrupted the API executor subprocess.
#16918	Corrected an empty value problem in the API specification key.

Other

Reference	Description
#17040	Fixed the signature of the internal function `OSHash_GetIndex()`.

Wazuh dashboard

Reference	Description
#5591	Fixed problem with new or missing columns in the Agents table.
#5676	Fixed the color of the agent name in the groups section in dark mode.
#5597	Fixed the propagation event so that the flyout data, in the decoders, does not change when the button is pressed.
#5631	Fixed the tooltips of the tables in the Security section, and removed unnecessary requests.

Packages

Reference	Description
#2523	Fixed wrong condition when generating the RPM Wazuh indexer package with an existent base file.

Changelogs

More details about these changes are provided in the changelog of each component:

4.6.0 Release notes - 31 October 2023

This section lists the changes in version 4.6.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

Included support for the Microsoft Graph Security API. This addition enables users to integrate and fetch security alerts from multiple Microsoft products. It provides a cohesive security perspective.
Added the Webhook input API endpoint. It paves the way to dynamic integrations and real-time responses. It enhances automation capabilities and responsiveness.
Incorporated Office 365 support for GCC/GCCH. This addition extends monitoring coverage for organizations with a strong reliance on Office 365, particularly in GCC/GCCH environments. It ensures comprehensive compliance and security.
Support for AlmaLinux OS, Debian 12, and Amazon Linux 2022 is now included in Vulnerability Detector. Expanding support to newer OS versions demonstrates the platform adaptability to the evolving Linux ecosystem. It also highlights our commitment to user safety across diverse environments.
Included PCRE2 support in Security Configuration Assessment (SCA). This addition provides users with a more powerful pattern-matching tool. It enhances the software auditing and compliance capabilities

Breaking changes

The integration methods for Splunk, OpenSearch, and Elastic Stack have been changed. Please refer to the Integrations guide to learn more.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#13559 wazuh-authd can now generate X509 certificates.
#13797 Introduced a new CLI to manage features related to the Wazuh API RBAC resources.
#13034 Added support for Amazon Linux 2022 in Vulnerability Detector.
#16343 Added support for Alma Linux in Vulnerability Detector.
#18542 Added support for Debian 12 in Vulnerability Detector.
#14953 Added mechanism in wazuh-db to identify fragmentation and perform vacuum.
#19956 Adjusted the default settings for wazuh-db to perform database auto-vacuum more often.
#18333 Added an option to set whether the manager should ban newer agents.
#15661 Added mechanism to prevent Wazuh agents connections to lower manager versions.
#14659 wazuh-remoted now checks the size of the files to avoid malformed merged.mg.
#14024 Added a limit option for the Rsync dispatch queue size.
#14026 Added a limit option for the Rsync thread pool.
#14549 wazuh-authd now shows a warning when deprecated forcing options are present in the configuration.
#14804 The agent now notifies the manager when Active Response fails to run netsh.
#13906 Use a new broadcast system to send agent group information from the master node of a cluster.
#15220 Changed cluster send_request method so that timeouts are treated as exceptions and not as responses.
#13065 Refactored methods responsible for file synchronization within the cluster.
#16065 Changed schema constraints for sys_hwinfo table.
#15709 The Auth process does not start when the registration password is empty.
#19400 Changed the message type for GetSecurityInfo from error to debug.

Agent

#15226 Added GuardDuty Native support to the AWS integration.
#14768 Added --prefix parameter to Azure Storage integration.
#16493 Added validations for empty and invalid values in AWS integration.
#13573 Added new unit tests for GCloud integration and increased coverage to 99%.
#14104 Added new unit tests for Azure Storage integration and increased coverage to 99%.
#14177 Added new unit tests for Docker Listener integration.
#18116 Added support for Microsoft Graph security API. Thanks to Bryce Shurts (@S-Bryce).
#15852 Added wildcard support in FIM Windows registers.
#15973 Added wildcards support for folders in the localfile configuration on Windows.
#14782 Added new settings ignore and restrict to logcollector.
#12745 Added RSync and DBSync to FIM.
#17124 Added PCRE2 regex for SCA policies.
#14763 Added mechanism to detect policy changes.
#13264 FIM option fim_check_ignore now applies to files and directories.
#16531 Changed AWS integration to take into account the user configuration found in the .aws/config file.
#14537 Changed the calculation of timestamps in AWS and Azure modules by using UTC timezone.
#15009 Changed the AWS integration to only show the Skipping file with another prefix message in debug mode.
#14999 Changed debug level required to display CloudWatch Logs event messages.
#17447 Changed syscollector database default permissions.
#17161 Changed agent IP lookup algorithm.
#14499 Changed InstallDate origin in Windows installed programs.
#14524 Enhanced clarity of certain error messages in the AWS integration for better exception tracing.
#13420 Improved external integrations SQLite queries.
#16325 Improved items iteration for Config and VPCFlow AWS integrations.
#14784 Unit tests have been added to the shared JSON handling library.
#14476 Unit tests have been added to the shared SQLite handling library.
#15032 Improved command to change user and group from version 4.2.x to 4.x.x.
#15647 Changed the internal value of the open_attemps configuration.
#13878 The unused option local_ip for agent configuration has been deleted.
#14684 Removed unused migration functionality from the AWS integration.
#17655 Deleted definitions of repeated classes in the AWS integration.
#15031 Removed duplicate methods in AWSBucket and reuse inherited ones from WazuhIntegration.
#16547 Added support for Office365 MS/Azure Government Community Cloud (GCC) and Government Community Cloud High (GCCH) API. Thanks to Bryce Shurts (@S-Bryce).
#19758 Reduced the default FIM event throughput to 50 EPS.

RESTful API

#17670 Added POST /events API endpoint to ingest logs through the API.
#17865 Added query, select and distinct parameters to multiple endpoints.
#13919 Added a new upgrade and migration mechanism for the RBAC database.
#13654 Added a new API configuration option to rotate log files based on a given size.
#15994 Added relative_dirname parameter to GET, PUT and DELETE methods of the /decoder/files/{filename} and /rule/files/{filename} endpoints.
#18212 Added a new configuration option to disable uploading configurations containing the new allow_higher_version setting.
#13615 Added API integration tests documentation.
#13646 Changed the API's response status code for Wazuh cluster errors from 400 to 500.
#15934 Removed legacy code related to agent databases in /var/agents/db.
#19001 Changed Operational API error messages to include additional information.

Ruleset

#14138 The SSHD decoder has been improved to catch disconnection events.

Wazuh dashboard

#5197 #5274 #5298 #5409 Added rel="noopener noreferrer" in documentation links.
#5203 Added ignore and restrict options to Syslog configuration.
#5376 Added the extensions.github and extensions.office settings to the default configuration file.
#4163 Added new global error treatment (client-side).
#5519 Added new CLI to generate API data from specification file.
#5551 Added specific RBAC permissions to the Security section.
#5443 Added Refresh and Export formatted button to panels in Agents > Inventory data.
#5491 Added Refresh and Export formatted buttons to Management > Cluster > Nodes.
#5201 Changed of regular expression in RBAC.
#5384 Migrated the timeFilter, metaFields, and maxBuckets health checks inside the pattern check.
#5485 Changed the query to search for an agent in Management > Configuration.
#5476 Changed the search bar in management/log to the one used in the rest of the app.
#5457 Changed the design of the wizard to add agents.
#5363 #5442 #5443 #5444 #5445 #5447 #5452 #5491 #5785 Introduced a new, enhanced search bar. It adds new features to all the searchable tables which leverages the Wazuh API. It also addresses some of the issues found in the previous version.
#5451 Removed deprecated request and code in agent's view.
#5453 Removed unnecessary dashboard queries caused by the deploy agent view.
#5500 Removed repeated and unnecessary requests in the Security section.
#5519 Removed scripts to generate API data from live Wazuh manager.
#5532 Removed the pretty parameter from cron job requests.
#5528 Removed unnecessary requests in the Management > Status section.
#5485 Removed obsolete code that caused duplicate requests to the API in Management.
#5592 Removed unused embedded jquery-ui.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#13979	Fixed `wazuh-remoted` not updating total bytes sent in UDP.
#14356	Fixed translation of packages with a missing version in CPE Helper for Vulnerability Detector.
#14174	Fixed undefined behavior issues in Vulnerability Detector unit tests.
#14019	Fixed permission error when producing FIM alerts.
#15164	Fixed memory leaks in `wazuh-authd`.
#14763	Fixed Audit policy change detection in FIM for Windows.
#14408	Fixed `origin_module` variable value when sending API or framework messages to core sockets.
#15715	Fixed an issue where an erroneous tag appeared in the cluster logs.
#15250	Fixed log error displayed when there's a duplicate worker node name within a cluster.
#15487	Resolved an issue in the `agent_upgrade` CLI when used from worker nodes.
#18047	Fixed error in the `agent_upgrade` CLI when displaying upgrade result.
#15277	Fixed error in which the connection with the cluster was broken in local clients for not sending keepalives messages.
#15298	Fixed error in which exceptions were not correctly handled when `dapi_err` command could not be sent to peers.
#16257	Fixed error in worker's Integrity sync task when a group folder was deleted in master.
#16506	Fixed error when trying to update an agent through the API or the CLI while pointing to a WPK file.
#15074	Fixed `wazuh-remoted` high CPU usage in a master node without agents.
#16101	Fixed race condition in `wazuh-analysisd` handling the rule ignore option.
#16000	Fixed missing rules and decoders in Analysisd JSON report.
#14356	Fixed translation of packages with missing version in CPE Helper.
#15826	Fixed log date parsing at predecoding stage.
#14019	Fixed permission error in JSON alert.

Agent

Reference	Description
#13534	Fixed the architecture of the dependency URL for macOS.
#13588	Fixed a path length limitation that prevented FIM from reporting changes on Windows.
#14993	Updated the AWS integration to use the regions specified in the AWS config file when no regions are provided in `ossec.conf`.
#14850	Corrected the error code `#2` for the SIGINT signal within the AWS integration.
#14740	Fixed the `discard_regex` functionality for the AWS GuardDuty integration.
#14500	Fixed error messages in the AWS integration when there is a `ClientError`.
#14493	Fixed error that could lead to duplicate logs when using the same dates in the AWS integration.
#16116	Fixed `check_bucket` method in AWS integration to be able to find logs without a folder in root.
#16360	Added field validation for `last_date.json` in Azure Storage integration.
#15763	Improved handling of invalid regions given to the VPCFlow AWS integration, enhancing exception clarity.
#16070	Fixed error in the GCloud Subscriber unit tests.
#16410	Fixed the marker that AWS custom integrations use.
#16365	Fixed error messages when there are no logs to process in the WAF and Server Access AWS integrations.
#16463	Added region validation before instantiating AWS service class in the AWS integration.
#14161	Fixed `InstallDate` format in Windows installed programs.
#15428	Fixed syscollector default interval time when the configuration is empty.
#16268	Fixed agent starts with an invalid FIM configuration.
#15719	Fixed rootcheck scan trying to read deleted files.
#15739	Fixed compilation and build in Gentoo.
#19375	Fixed a crash when FIM scanned long Windows paths.
#19378	Fixed FIM who-data support for AArch64 platforms.

RESTful API

Reference	Description
#13421	Fixed an unexpected behavior when using the `q` and `select` parameters in some endpoints.
#15203	Resolved an issue in the `GET /manager/configuration` API endpoint when retrieving the vulnerability detector configuration section.
#15152	Fixed `GET /agents/upgrade_result` endpoint internal error with code `1814` in large environments.
#16756	Enhanced the `alphanumeric_symbols` regex to better accommodate specific SCA remediation fields.
#15967	Fixed bug that would not allow retrieving the Wazuh logs if only the JSON format was configured.
#16310	Fixed error in `GET /rules` when variables are used inside `id` or `level` ruleset fields.
#16248	Fixed `PUT /syscheck` and `PUT /rootcheck` endpoints to exclude exception codes properly.
#16347	Adjusted `test_agent_PUT_endpoints.tavern.yaml` to resolve a race condition error.
#16844	Fixed some errors in API integration tests for RBAC white agents.

Wazuh dashboard

Reference	Description
#4828	Fixed trailing hyphen character for OS value in the list of agents.
#4911	Fixed several typos in the code.
#4917	Fixed the display of more than one protocol in the Global configuration section.
#4918	Fixed uncaught error and wrong error message in the PCI DSS Control tab.
#4894	Fixed references to Elasticsearch in Wazuh-stack plugin.
#5135	Fixed the 2 errors that appeared in console in Settings > Configuration section.
#5376	Fixed the GitHub and Office 365 module visibility configuration for each API host that was not kept when changing/upgrading the plugin.
#5376	Fixed the GitHub and Office 365 modules appearing in the main menu when they were not configured.
#5364	Fixed TypeError in FIM Inventory using a new error handler.
#5423	Fixed error when using invalid group configuration.
#5460	Fixed repeated requests in inventory data and configurations of an agent.
#5465	Fixed repeated requests in the group table when adding a group or refreshing the table.
#5521	Fixed an error in the request body suggestions of API Console.
#5734	Fixed some errors related to relative dirname of rule and decoder files.
#5879	Fixed package URLs in the `aarch64` commands.
#5888	Fixed the install macOS agent commands.

Packages

Reference	Description
#2495	Fixed debug redirection in packages installation in the Wazuh installation assistant.
#2490	Fixed dashboard dependencies in RHEL systems.
#2498	Replaced `requestHeadersWhitelist` with `requestHeadersAllowlist`.
#2486	Fixed common WPK container.

Changelogs

More details about these changes are provided in the changelog of each component:

4.5.4 Release notes - 23 October 2023

This section lists the changes in version 4.5.4. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This version includes new features or improvements, such as the following:

Manager

#19729 Added a timeout on requests between components through the cluster.

Resolved issues

This release resolves known issues as the following:

Manager

Reference	Description
#19702	Fixed a bug that might leave some worker's services hanging if the connection to the master was broken.
#19706	Fixed vulnerability scan on Windows agent when the OS version has no release data.

Changelogs

More details about these changes are provided in the changelog of each component:

4.5.3 Release notes - 10 October 2023

This section lists the changes in version 4.5.3. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This version includes new features or improvements, such as the following:

Manager

#18783 Vulnerability Detector now fetches the SUSE feeds in Gzip compressed format.

Agent

#19205 Support for macOS 14 (Sonoma).

RESTful API

#18509 Added support for the $ symbol in query values.
#18346 Added support for the @ symbol in query values.
#18493 Added support for nested queries in the q API parameter.
#18432 Updated force flag message in the agent_upgrade CLI.

Security updates

This release fixes the following vulnerabilities:

Agent

CVE	Reference	Description
CVE-2023-42463	#19069	Fixed a stack overflow hazard in `wazuh-logcollector` that could allow a local privilege escalation. Found by Keith Yeo (@kyeojy).

Resolved issues

This release resolves known issues as the following:

Manager

Reference	Description
#18737	Fixed a bug that might cause `wazuh-analysisd` to crash if it receives a status API query during startup.
#18976	Fixed a bug that might cause `wazuh-maild` to crash when handling large alerts.
#19217	Addressed an issue in Vulnerability Detector when fetching the Suse Linux Enterprise 15 feeds.

Agent

Reference	Description
#18773	Fixed a bug in the memory handle at the agent's data provider helper.
#18903	Fixed a data mismatch in the OS name between the global and agents' databases.
#19286	Fixed wrong Windows agent binaries metadata.
#19397	Fixed error during the Windows agent upgrade.

RESTful API

Reference	Description
#18362	Removed undesired characters when listing rule group names in `GET /rules/groups`.
#18434	Fixed an error when using the query `condition=all` in `GET /sca/{agent_id}/checks/{policy_id}`.
#18733	Fixed an error in the API log mechanism where sometimes the requests would not be printed in the log file.

Wazuh dashboard

Reference	Description
#5925	Fixed the command for agent installation on SUSE to use zypper.

Wazuh Kibana plugin for Kibana 7.10.2

Reference	Description
#5925	Fixed the command for agent installation on SUSE to use zypper.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

Reference	Description
#5925	Fixed the command for agent installation on SUSE to use zypper.

Packages

Reference	Description
#2397	Changed GRUB options in build OVA process.
#2453	Fixed an issue with the Wazuh dashboard port check despite the `-p\|--port` installation assistant option being specified.
#2461	Fixed an issue when passwords changed. Now the `internal_users.yml` file gets updated.
#2492	Fixed missing removal of Wazuh indexer remaining files upon rollback.

Changelogs

More details about these changes are provided in the changelog of each component:

4.5.2 Release notes - 6 September 2023

This section lists the changes in version 4.5.2. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This version includes new features or improvements, such as the following:

Manager

#18085 wazuh-remoted now allows connection overtaking if the older agent doesn't respond for a while.
#18468 wazuh-remoted now prints the connection family when an unknown client gets connected.
#18437 The manager stops restricting the possible package formats in the inventory, to increase compatibility.
#18545 The manager stops blocking updates by WPK to macOS agents on ARM64, allowing custom updates.
#18770 Vulnerability Detector now fetches the Debian feeds in BZ2 compressed format.

Packages

#2337 Provided port number option to wazuh-install.sh script.

Resolved issues

This release resolves known issues as the following:

Manager

Reference	Description
#18472	Fixed a bug in `wazuh-csyslogd` that causes it to consume 100% of CPU while expecting new alerts.

Wazuh dashboard

Reference	Description
#5764	Fixed an error with the commands in Deploy new agent for Oracle Linux 6+ agents.
#5796	Fixed broken documentation links in Management > Configuration.

Wazuh Kibana plugin for Kibana 7.10.2, 7.16.x, and 7.17.x

Reference	Description
#5764	Fixed an error with the commands in Deploy new agent for Oracle Linux 6+ agents.
#5796	Fixed broken documentation links in Management > Configuration.

Changelogs

More details about these changes are provided in the changelog of each component:

4.5.1 Release notes - 24 August 2023

This section lists the changes in version 4.5.1. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

Native support for Mac computers with Apple silicon. This release provides an ARM-ready Wazuh agent for macOS package.

Breaking changes

This release includes some breaking changes, such as the following:

Agent

#17748 Added the discard_regex functionality to Inspector and CloudWatchLogs AWS integrations.
- With this change, execution stops without warning if you don't use the field parameter when mandatory.

What's new

This version includes new features or improvements, such as the following:

Manager

#18142 Vulnerability Detector now fetches the RHEL 5 feed URL from https://feed.wazuh.com by default.
#16846 The Vulnerability Detector CPE helper has been updated.

Agent

#2224 Added native agent support for Apple silicon.
#17673 Added new validations for the AWS integration arguments.
#16607 The agent for Windows now loads its shared libraries after running the verification.

Ruleset

#17794 The SCA policy for Ubuntu Linux 20.04 (CIS v2.0.0) has been remade.
#17812 Removed check 1.1.5 from Windows 10 SCA policy.

Other

#16990 The CURL library has been updated to v7.88.1.

Wazuh dashboard

#5478 Added Apple Silicon architecture button to the register Agent wizard.
#5497 Removed the agent name in the agent info ribbon.
#5539 Changed method to perform redirection on agent table buttons.
#5538 Changed Windows agent service name in the deploy agent wizard.
#5687 Changed the requests to get the agent labels from the managers.

Wazuh Kibana plugin for Kibana 7.10.2, 7.16.x, and 7.17.x

#5478 Added Apple Silicon architecture button to the register Agent wizard.
#5497 Removed the agent name in the agent info ribbon.
#5539 Changed method to perform redirection on agent table buttons.
#5538 Changed Windows agent service name in the deploy agent wizard.
#5687 Changed the requests to get the agent labels from the managers.

Resolved issues

This release resolves known issues as the following:

Manager

Reference	Description
#17866	Fixed a race condition in some RBAC unit tests by clearing the SQLAlchemy mappers.
#17490	Fixed a bug in wazuh-analysisd that could exceed the maximum number of fields when loading a rule.
#17126	Fixed a race condition in wazuh-analysisd FTS list.
#17143	Fixed a crash in Analysisd when parsing an invalid decoder.
#17701	Fixed a segmentation fault in wazuh-modulesd due to duplicate Vulnerability Detector configuration.
#16978	Fixed Vulnerability Detector configuration for unsupported SUSE systems.

Agent

Reference	Description
#17524	Fixed `InvalidRange` error in Azure Storage integration when trying to get data from an empty blob.
#17586	Fixed a memory corruption hazard in the FIM Windows Registry scan.
#17179	Fixed an error in Syscollector reading the CPU frequency on Apple M1.
#16659	Fixed agent WPK upgrade for Windows that might leave the previous version in the Registry.
#17176	Fixed agent WPK upgrade for Windows to get the correct path of the Windows folder.

RESTful API

Reference	Description
#17632	Fixed `PUT /agents/upgrade_custom` endpoint to validate that the file extension is `.wpk`.
#17660	Fixed errors in API endpoints to get `labels` and `reports` active configuration from managers.

Ruleset

Reference	Description
#17941	Fixed CredSSP encryption enforcement at Windows Benchmarks for SCA.
#17940	Fixed an inverse logic in MS Windows Server 2022 Benchmark for SCA.
#17779	Fixed a false positive in Windows Eventchannel rule due to substring false positive.
#17813	Fixed missing whitespaces in SCA policies for Windows.
#17798	Fixed the description of a Fortigate rule.

Wazuh dashboard

Reference	Description
#5471	Fixed the rendering of tables that contain IPs and agent overview.
#5490	Fixed the agents active coverage stat as `NaN` in Details panel of Agents section.
#5687	Fixed a broken documentation link to agent labels.
#5714	Fixed the PDF report filters applied to tables.
#5766	Fixed outdated year in the PDF report footer.

Wazuh Kibana plugin for Kibana 7.10.2, 7.16.x, and 7.17.x

Reference	Description
#5471	Fixed the rendering of tables that contain IPs and agent overview.
#5490	Fixed the agents active coverage stat as `NaN` in Details panel of Agents section.
#5687	Fixed a broken documentation link to agent labels.
#5714	Fixed the PDF report filters applied to tables.
#5766	Fixed outdated year in the PDF report footer.

Changelogs

More details about these changes are provided in the changelog of each component:

4.5.0 Release notes - 10 August 2023

This section lists the changes in version 4.5.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This version includes new features or improvements, such as the following:

Manager

#17954 Vulnerability Detector now fetches the NVD feed from https://feed.wazuh.com, based on the NVD API 2.0.
- The <update_from_year> option has been deprecated.

RESTful API

#17703 Modified the API integration tests to include Nginx LB logs in case of test failures.

Resolved issues

This release resolves known issues as the following:

Manager

Reference	Description
#17656	Fixed an error in the installation commands of the API and Framework modules when upgrading from sources.
#18123	Fixed embedded Python interpreter to remove old Wazuh packages from it.

RESTful API

Reference	Description
#17703	Fixed an error in the Nginx LB entrypoint of the API integration tests.

Changelogs

More details about these changes are provided in the changelog of each component:

4.4.5 Release notes - 10 July 2023

This section lists the changes in version 4.4.5. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Resolved issues

This release resolves known issues as the following:

Installer

Reference	Description
#2256	Fixed an error in the DEB packages that prevented the agent and manager from being installed on Debian 12.
#2257	Fixed a service requirement in the RPM packages that prevented the agent and manager from being installed on Oracle Linux 9.

Changelogs

More details about these changes are provided in the changelog of each component:

4.4.4 Release notes - 13 June 2023

This section lists the changes in version 4.4.4. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Agent

#17506 The Windows agent package signing certificate has been updated.

Ruleset

#17211 Updated all current rule descriptions from "Ossec" to "Wazuh".

Wazuh dashboard

#5416 Changed the title and added a warning in step 3 of the Deploy new agent section.

Wazuh Kibana plugin for Kibana 7.10.2

#5416 Changed the title and added a warning in step 3 of the Deploy new agent section.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

#5416 Changed the title and added a warning in step 3 of the Deploy new agent section.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#17178	The vulnerability scanner stops producing false positives for some Windows 11 vulnerabilities due to a change in the feed's CPE.
#16908	Prevented the VirusTotal integration from querying the API when the source alert misses the MD5.

Changelogs

More details about these changes are provided in the changelog of each component:

4.4.3 Release notes - 25 May 2023

This section lists the changes in version 4.4.3. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Agent

#16521 Added support for Apple Silicon processors to the macOS agent.
#2211 Prevented the installer from checking the old users ossecm and ossecr on upgrade.
#17195 Changed the deployment variables capture on macOS.

Ruleset

#17202 Unified the SCA policy names.

Resolved issues

This release resolves known issues as the following:

Agent

Reference	Description
#2217	Removed the temporary file "ossec.confre" after upgrade on macOS.
#2208	Prevented the installer from corrupting the agent configuration on macOS when deployment variables were defined on upgrade.
#2218	Fixed the installation on macOS by removing calls to launchctl.

Wazuh dashboard

Reference	Description
#5481 #5484	Fixed command to install the macOS agent on the agent wizard.
#5470	Fixed command to start the macOS agent on the agent wizard.

Wazuh Kibana plugin for Kibana 7.10.2

Reference	Description
#5481 #5484	Fixed command to install the macOS agent on the agent wizard.
#5470	Fixed command to start the macOS agent on the agent wizard.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

Reference	Description
#5481 #5484	Fixed command to install the macOS agent on the agent wizard.
#5470	Fixed command to start the macOS agent on the agent wizard.

Wazuh Splunk app

Reference	Description
#1407	Fixed macOS agent install and restart command.

Changelogs

More details about these changes are provided in the changelog of each component:

4.4.2 Release notes - 18 May 2023

This section lists the changes in version 4.4.2. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#15957 Remove an unused variable in wazuh-authd to fix a String not null terminated Coverity finding.

Agent

#16515 Added a new module to integrate with Amazon Security Lake as a subscriber.
#16847 Added support for localfile blocks deployment.
#16743 Changed netstat command on macOS agents.

Ruleset

#15566 Added macOS 13.0 Ventura SCA policy.
#15567 Added new ruleset for macOS 13 Ventura and older versions.
#16549 Added a new base ruleset for log sources collected from Amazon Security Lake.

Other

#16692 Added pyarrow and numpy Python dependencies.
#16692 Added importlib-metadata and zipp Python dependencies.
#17053 Updated Flask Python dependency to 2.2.5.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#16394	Fixed a bug causing agent groups tasks status in the cluster not to be stored.
#16478	Fixed memory leaks in Vulnerability Detector after disk failures.
#16530	Fixed a pre-decoder problem with the + symbol in the macOS ULS timestamp.

Agent

Reference	Description
#16517	Fixed an issue with MAC address reporting on Windows systems.
#16857	Fixed Windows unit tests hanging during execution.

RESTful API

Reference	Description
#16381	Fixed agent insertion when no key is specified using `POST /agents/insert` endpoint.

Wazuh dashboard

Reference	Description
#5428 #5432	Fixed a problem in the backend service to get the plugin configuration.

Wazuh Kibana plugin for Kibana 7.10.2

Reference	Description
#5428	Fixed a problem in the backend service to get the plugin configuration.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

Reference	Description
#5428	Fixed a problem in the backend service to get the plugin configuration.

Changelogs

More details about these changes are provided in the changelog of each component:

4.4.1 Release notes - 12 April 2023

This section lists the changes in version 4.4.1. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#15883 Improved WazuhDB performance by avoiding synchronizing existing agent keys and removing deprecated agent databases from var/db/agents.

RESTful API

#16541 Changed API limits protection to allow uploading new configuration files if limit is not modified.

Ruleset

#16017 Added Debian Linux 11 SCA policy.
#16016 SCA policy for Red Hat Enterprise Linux 9 rework.

Other

#16472 Updated embedded Python interpreter to 3.9.16.
#16492 Updated setuptools to 65.5.1.

Packages

#2150 The Wazuh dashboard is now based on OpenSearch dashboards 2.6.0.
#2150 The Wazuh indexer is now based on OpenSearch 2.6.0.
#2147 Added Debian 11 SCA files to specs.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#16546	Reverted the addition of some mapping fields in the Wazuh template, causing a bug with expanded search.

Wazuh dashboard

Reference	Description
#5196	Fixed the search in the agent inventory data tables.
#5334	Fixed the Top 5 users table overflow in the FIM dashboard.
#5337	Fixed a visual error in the About section.
#5329	Fixed the Anomaly and malware detection link.
#5341	Fixed an issue that did not allow closing the time picker when pressing the button multiple times in Agents and Management/Statistics.

Wazuh Kibana plugin for Kibana 7.10.2

Reference	Description
#5196	Fixed the search in the agent inventory data tables.
#5329	Fixed the Anomaly and malware detection link.
#5341	Fixed an issue that did not allow closing the time picker when pressing the button multiple times in Agents and Management/Statistics.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

Reference	Description
#5196	Fixed the search in the agent inventory data tables.
#5329	Fixed the Anomaly and malware detection link.
#5341	Fixed an issue that did not allow closing the time picker when pressing the button multiple times in Agents and Management/Statistics.

Changelogs

More details about these changes are provided in the changelog of each component:

4.4.0 Release notes - 28 March 2023

This section lists the changes in version 4.4.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

This new version of Wazuh brings new features and adds support for some Linux distributions and integrations. For more details, the highlights of Wazuh 4.4.0 are listed below:

IPv6 support for the enrollment process and the agent-manager connection
Vulnerability detection support for SUSE agents
Wazuh indexer and dashboard are now based on OpenSearch 2.4.1 version
Rework of Ubuntu Linux 20.04 and 22.04 SCA policies
Support for Azure Integration in Linux agents

Below you can find more information about each of these highlights.

Wazuh 4.4.0 brings IPv6 support when connecting and enrolling an agent to a manager. The IPv6 protocol can handle packets more effectively, enhance performance, and boost security. This new feature allows agents to register and connect through an IPv6 address.

SUSE agents now natively support vulnerabilities detection. Wazuh added full support for SUSE Linux Enterprise Server and Desktop operating systems versions 11, 12, and 15. The vulnerability Detector now scans the programs identified by syscollector, looking to report vulnerabilities described in the SUSE OVAL and the NVD databases.

Wazuh indexer and dashboard bump to OpenSearch 2.4.1. The Wazuh indexer and the Wazuh dashboard are based on OpenSearch, an open source search and analytics project derived from Elasticsearch and Kibana. We generated and tested the wazuh-indexer Debian and RPM packages with OpenSearch 2.4.1 and the wazuh-dashboard Debian and RPM packages with OpenSearch dashboards 2.4.1. This way, we avoid earlier version vulnerabilities and incorporate new functionalities.

To solve some errors in the previous Ubuntu Linux 20.04 SCA Policy, we reworked the Ubuntu Linux 20.04 and 22.04 SCA policies. As part of this task, we used the CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0 to update Ubuntu Linux 22.04 SCA Policy.

Wazuh added support for Azure Integration in Linux agents. Now this integration can run for both agents and managers. We modified the packages generation process to support Azure in those agents that are installed using the WPK packages. Each new WPK package contains all the updated binaries and source code, and the installer updates all files and binaries to support Azure integration.

Finally, it’s essential to remark that we maintain support for all installation alternatives. Indeed we maintain and extend this support by adding more recent versions.

Note

Starting with Wazuh v4.5.0, the central components will only support the Amazon Linux, RHEL, CentOS, and Ubuntu operating systems whose versions are officially supported by their vendors. Wazuh agents will maintain their current support status.

Breaking changes

This release includes some breaking changes, such as the following:

Wazuh manager

#10865 The agent key polling module has been ported to wazuh-authd.

RESTful API

#14119 Added new setting upload_wazuh_configuration to the Wazuh API configuration. The old parameter remote_commands is now part of this setting.
#14230 Deprecated GET /manager/stats/analysisd, GET /manager/stats/remoted, GET /cluster/{node_id}stats/analysisd, and GET /cluster/{node_id}stats/remoted API endpoints. Use new endpoints GET /manager/daemons/stats and /cluster/{node_id}/daemons/stats, respectively.
#16231 Removed RBAC group assignments' related permissions from DELETE /groups to improve performance and changed response structure.

Ruleset

Wazuh ruleset has been updated, and you can check the changes in the following list. If you have a custom set of decoders and rules, please check the changes done.

What's new

This version includes new features or improvements, such as the following:

Wazuh manager

#9995 Added new unit tests for cluster Python module and increased coverage to 99%.
#11190 Added file size limitation on cluster integrity sync.
#13424 Added unittests for CLIs script files.
#9962 Added support for SUSE in Vulnerability Detector.
#13263 Added support for Ubuntu Jammy in Vulnerability Detector.
#13608 Added a software limit to restrict the number of EPS a manager can process.
#11753 Added a new wazuh-clusterd task for agent-groups info synchronization.
#14950 Added unit tests for functions in charge of getting ruleset sync status.
#14950 Added auto-vacuum mechanism in wazuh-db.
#10843 Delta events in Syscollector when data gets changed may now produce alerts.
#10822 wazuh-logtest now shows warnings about ruleset issues.
#12206 Modulesd memory is now managed by jemalloc to help reduce memory fragmentation.
#12117 Updated the Vulnerability Detector configuration reporting to include MSU and skip JSON Red Hat feed.
#12352 Improved the shared configuration file handling performance.
#11753 The agent group data is now natively handled by Wazuh DB.
#10710 Improved security at cluster zip filenames creation.
#12390 The core/common.py module is refactored.
#12497 The format_data_into_dictionary method of WazuhDBQuerySyscheck class is refactored.
#11124 The maximum zip size that can be created while synchronizing cluster Integrity is limited.
#13065 The functions in charge of synchronizing files in the cluster are refactored.
#13079 Changed MD5 hash function to BLAKE2 for cluster file comparison.
#12926 Renamed wazuh-logtest and wazuh-clusterd scripts to follow the same scheme as the other scripts (spaces symbolized with _ instead of -).
#13741 Added the update field in the CPE Helper for Vulnerability Detector.
#11702 The agents with the same ID are prevented from connecting to the manager simultaneously.
#13713 wazuh-analysisd, wazuh-remoted, and wazuh-db metrics have been extended.
#11753 wazuh-clusterd number of messages are minimized and optimized from workers to master related to agent-info tasks.
#14244 The performance of the agent_groups CLI is improved when listing agents belonging to a group.
#14475 Changed wazuh-clusterd binary behavior to kill any existing cluster processes when executed.
#14791 Changed wazuh-clusterd tasks to wait asynchronously for responses coming from wazuh-db.
#11190 Use zlib for zip compression in cluster synchronization.
#12241 Added mechanism to dynamically adjust zip size limit in Integrity sync.
#12409 Removed the unused internal option wazuh_db.sock_queue_size.
#10940 Removed all the unused exceptions from the exceptions.py file.
#10740 Removed unused execute method from core/utils.py.
#13119 Removed unused set_user_name function in framework.
#12370 Unused internal calls to wazuh-db have been deprecated.
#14542 Debian Stretch support in Vulnerability Detector has been deprecated.
#15853 The status field in SCA is deprecated.
#16066 Agent group guessing now writes the new group directly on the master node based on the configuration hash.
#16098 Added cascading deletion of membership table entries when deleting a group.
#16499 Changed agent_groups CLI output so affected agents are not printed when deleting a group.

Wazuh agent

#11756 Added support of CPU frequency data provided by Syscollector on Raspberry Pi.
#11450 Added support for IPv6 address collection in the agent.
#11833 Added the process startup time data provided by Syscollector on macOS.
#11571 Added support for package retrieval in Syscollector for openSUSE Tumbleweed and Fedora 34.
#11640 Added the process startup time data provided by Syscollector on macOS.
#11796 Added support for package data provided by Syscollector on Solaris.
#10843 Added support for delta events in Syscollector when data gets changed.
#12035 Added support for pre-installed Windows packages in Syscollector.
#11268 Added support for IPv6 on agent-manager connection and enrollment.
#12582 Added support for CIS-CAT Pro v3 and v4 to the CIS-CAT integration module.
#10870 Added support for using the Azure integration module in Linux agents.
#11852 Added new error messages when using invalid credentials with the Azure integration.
#12515 Added reparse option to CloudWatchLogs and Google Cloud Storage integrations.
#14726 Wazuh Agent can now be built and run on Alpine Linux.
#15054 Added native Shuffle integration.
#11587 Improved the free RAM data provided by Syscollector.
#12752 The Windows installer (MSI) now provides signed DLL files.
#12748 Changed the group ownership of the Modulesd process to root.
#12750 Some parts of Agentd and Execd were refactored.
#10478 Handled new exceptions in the external integration modules.
#11828 Optimized the number of calls to DB maintenance tasks performed by the AWS integration.
#12404 Improved the reparse setting performance by removing unnecessary queries from external integrations.
#12478 Updated and expanded Azure module logging functionality to use the ossec.log file.
#12647 Improved the error management of the Google Cloud integration.
#12769 The logging tag in GCloud integration is deprecated. It now uses wazuh_modules debug value to set the verbosity level.
#12849 The last_dates.json file of the Azure module was deprecated in favor of a new ORM and database.
#12929 Improved the error handling in AWS integration's decompress_file method.
#11190 The compress/decompress Cluster's methods are now improved. Now we use zlib for zip compression in cluster synchronization.
#11354 The exception handling on Wazuh Agent for Windows was changed to DWARF2.
#14696 The root CA certificate for WPK upgrade has been updated.
#14822 Agents on macOS now report the OS name as "macOS" instead of "Mac OS X".
#14816 The Systemd service stopping policy has been updated.
#14793 Changed how the AWS module handles ThrottlingException adding default values for connection retries in case no config file is set.
#15404 The agent for Windows now verifies its libraries to prevent side loading.
#14543 Azure and AWS credentials are deprecated in the configuration authentication option.

RESTful API

#10620 Added new API integration tests for a Wazuh environment without a cluster configuration.
#11731 Added wazuh-modulesd tags to GET /manager/logs and GET /cluster/{node_id}/logs endpoints.
#12438 Added Python decorator to soft deprecate API endpoints adding deprecation headers to their responses.
#12486 Added new exception to inform that /proc directory is not found or permissions to see its status are not granted.
#12362 Added new field and filter to GET /agents response to retrieve agent groups configuration synchronization status.
#12498 Added agent groups configuration synchronization status to GET /agents/summary/status endpoint.
#11171 Added JSON log handling.
#12029 Added integration tests for IPv6 agent's registration.
#12887 Enable ordering count in /groups endpoints by Agents.
#12092 Added a hash to API logs to identify users logged in with authorization context.
#14295 Added logic to API logger to renew its streams if needed on every request.
#14401 Added GET /manager/daemons/stats and GET /cluster/{node_id}/daemons/stats API endpoints.
#14464 Added GET /agents/{agent_id}/daemons/stats API endpoint.
#14471 Added the possibility to get the configuration of the wazuh-db component in active configuration endpoints.
#15084 Added distinct and select parameters to GET /sca/{agent_id} and GET /sca/{agent_id}/checks/{policy_id} endpoints.
#15290 Added new endpoint to run vulnerability detector on-demand scans (PUT /vulnerability).
#11341 Improved GET /cluster/healthcheck endpoint and cluster_control -i more CLI call in loaded cluster environments.
#12551 Changed API version and upgrade_version filters to work with different version formats.
#9413 Renamed GET /agents/{agent_id}/group/is_sync endpoint to GET /agents/group/is_sync and added new agents_list parameter.
#10397 Added POST /security/user/authenticate endpoint and marked GET /security/user/authenticate endpoint as deprecated.
#12526 Adapted framework code to agent-group changes to use the new wazuh-db commands.
#13791 Updated default timeout for GET /mitre/software to avoid timing out in slow environments after the MITRE DB update to v11.2.
#14119 Changed API settings related to remote commands. The remote_commands section will be held within upload_wazuh_configuration.
#14233 Improved API unauthorized responses to be more accurate.
#14259 Updated framework functions that communicate with the request socket to use remote instead.
#14766 Improved parameter validation for API endpoints that require component and configuration parameters.
#15017 Improved GET /sca/{agent_id}/checks/{policy_id} API endpoint performance.
#15334 Improved exception handling when connecting to Wazuh sockets.
#15671 Modified _group_names and _group_names_or_all regexes to avoid invalid group names.
#15747 Changed GET /sca/{agent_id}/checks/{policy_id} endpoint filters and response to remove the status field.
#12595 Removed never_connected agent status limitation when assigning agents to groups.
#12053 Removed null remediations from failed API responses.
#12365 GET /agents/{agent_id}/group/is_sync endpoint is deprecated.

Ruleset

#13594 Added support for new sysmon events.
#13595 Added new detection rules using Sysmon ID 1 events.
#13596 Added new detection rules using Sysmon ID 3 events.
#13630 Added new detection rules using Sysmon ID 7 events.
#13637 Added new detection rules using Sysmon ID 8 events.
#13639 Added new detection rules using Sysmon ID 10 events.
#13631 Added new detection rules using Sysmon ID 11 events.
#13636 Added new detection rules using Sysmon ID 13 events.
#13673 Added new detection rules using Sysmon ID 20 events.
#13638 Added new PowerShell ScriptBlock detection rules.
#15157 Added HPUX 11i SCA policies using bastille and without bastille.
#15072 Updated ruleset according to new API log changes when the user is logged in with authorization context.
#13579 Updated 0580-win-security_rules.xml rules.
#13622 Updated Wazuh MITRE ATT&CK database to version 11.3.
#13633 Updated detection rules in 0840-win_event_channel.xml.
#15070 SCA policy for Ubuntu Linux 20.04 rework.
#15051 Updated Ubuntu Linux 22.04 SCA Policy with CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.

Other

#12733 Added unit tests to the component in Analysisd that extracts the IP address from events.
#12518 Added python-json-logger dependency.
#10773 The Ruleset test suite is prevented from restarting the manager.
#14839 The pthread's rwlock was replaced with a FIFO-queueing read-write lock.
#15809 Updated Python dependency certifi to 2022.12.7.
#15896 Updated Python dependency future to 0.18.3.
#16317 Updated Werkzeug to 2.2.3.
#16317 Updated Flask to 2.0.0.
#16317 Updated itsdangerous to 2.0.0.
#16317 Updated Jinja2 to 3.0.0.
#16317 Updated MarkupSafe to 2.1.2.

Wazuh dashboard

#4323 Added the option to sort by the agents count in the group table.
#3874 #5143 #5177 Added agent synchronization status in the agent module.
#4739 The input name was added so that when the user adds a value, the variable WAZUH_AGENT_NAME with its value appears in the installation command.
#4512 Redesign the SCA table from the agent's dashboard.
#4501 The plugin setting description displayed in the UI, and the configuration file are enhanced.
#4503 #4785 Added validation to the plugin settings in the form of Settings/Configuration and the endpoint to update the plugin configuration.
#4505 #4798 #4805 Added new plugin settings to customize the header and footer on the PDF reports.
#4507 Added a new plugin setting to enable or disable the customization.
#4504 Added the ability to upload an image for the customization.logo.* settings in Settings/Configuration.
#4867 Added macOS version to wizard deploy agent.
#4833 Added PowerPC architecture in Red Hat 7, in the section Deploy new agent.
#4831 Added a centralized service to handle the requests.
#4873 Added data-test-subj create policy.
#4933 Added extra steps message and a new command for Windows XP and Windows server 2008, added Alpine agent with all its steps.
#4933 Deploy new agent section: Added link for additional steps to Alpine OS.
#4970 Added file saving conditions in File Editor.
#5021 #5028 Added character validation to avoid invalid agent names in the section Deploy new agent.
#5063 Added default selected options in Deploy Agent page.
#5166 Added the server address and Wazuh protocol definition in the Deploy new agent section.
#4103 Changed the HTTP verb from GET to POST in the requests to login to the Wazuh API.
#4376 #5071 5131 Improved alerts summary performance.
#4363 #5076 Improved Agents Overview performance.
#4529 #4964 Improved the message displayed when a version mismatches between the Wazuh API and the Wazuh APP.
#4363 Independently load each dashboard from the Agents Overview page.
#3874 The endpoint /agents/summary/status response was adapted.
#4458 Updated and added operating systems, versions, architectures commands of Install and enroll the agent and commands of Start the agent in the deploy new agent section.
#4776 #4954 Added cluster's IP and protocol as suggestions in the agent deployment wizard.
#4851 Show the OS name and OS version in the agent installation wizard.
#4501 Changed the endpoint that updates the plugin configuration to support multiple settings.
#4985 Updated the winston dependency to 3.5.1.
#4985 Updated the pdfmake dependency to 0.2.6.
#4992 The button to export the app logs is now disabled when there are no results instead of showing an error toast.
#5031 Unify the SCA check result label name.
#5062 Updated mocha dependency to 10.1.0.
#5062 Updated pdfmake dependency to 0.2.7.
#4491 Removed custom styles from Kibana 7.9.0.
#4985 Removed the angular-chart.js dependency.
#5062 #5089 Remove the pug-loader dependency.

Wazuh Kibana plugin for Kibana 7.10.2

#4323 Added the option to sort by the agents count in the group table.
#3874 #5143 #5177 Added agent synchronization status in the agent module.
#4739 Added the ability to set the name of the agent using the deployment wizard.
#4739 The input name was added so that when the user adds a value, the variable WAZUH_AGENT_NAME with its value appears in the installation command.
#4512 Redesign the SCA table from the agent's dashboard.
#4501 The plugin setting description displayed in the UI, and the configuration file are enhanced.
#4503 #4785 Added validation to the plugin settings in the form of Settings/Configuration and the endpoint to update the plugin configuration.
#4505 #4798 #4805 Added new plugin settings to customize the header and footer on the PDF reports.
#4507 Added a new plugin setting to enable or disable the customization.
#4504 Added the ability to upload an image for the customization.logo.* settings in Settings/Configuration.
#4867 Added macOS version to wizard deploy agent.
#4833 Added PowerPC architecture in Red Hat 7, in the section Deploy new agent.
#4831 Added a centralized service to handle the requests.
#4873 Added data-test-subj create policy.
#4933 Added extra steps message and a new command for Windows XP and Windows Server 2008, added Alpine agent with all its steps.
#4933 Deploy new agent section: Added link for additional steps to Alpine os.
#4970 Added file saving conditions in File Editor.
#5021 #5028 Added character validation to avoid invalid agent names in the section Deploy new agent.
#5063 Added default selected options in Deploy Agent page.
#5166 Added the server address and Wazuh protocol definition in the Deploy new agent section.
#4103 Changed the HTTP verb from GET to POST in the requests to login to the Wazuh API.
#4376 #5071 #5131 Improved alerts summary performance.
#4363 #5076 Improved Agents Overview performance.
#4529 #4964 Improved the message displayed when a version mismatches between the Wazuh API and the Wazuh APP.
#4363 Independently load each dashboard from the Agents Overview page.
#3874 The endpoint /agents/summary/status response was adapted.
#4458 Updated and added operating systems, versions, architectures commands of Install and enroll the agent and commands of Start the agent in the deploy new agent section.
#4776 #4954 Added cluster's IP and protocol as suggestions in the agent deployment wizard.
#4851 Show the OS name and OS version in the agent installation wizard.
#4501 Changed the endpoint that updates the plugin configuration to support multiple settings.
#4985 Updated the winston dependency to 3.5.1.
#4992 The button to export the app logs is now disabled when there are no results, instead of showing an error toast.
#5062 Updated mocha dependency to 10.1.0.
#5031 Unify the SCA check result label name.
#5014 Removed the angular-chart.js dependency.
#5062 Removed the pug-loader dependency.
#5102 Removed unused file related to agent menu.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

#4323 Added the option to sort by the agents count in the group table.
#3874 #5143 #5177 Added agent synchronization status in the agent module.
#4739 The input name was added so that when the user adds a value, the variable WAZUH_AGENT_NAME with its value appears in the installation command.
#4512 Redesign the SCA table from the agent's dashboard.
#4501 The plugin setting description displayed in the UI, and the configuration file are enhanced.
#4503 #4785 Added validation to the plugin settings in the form of Settings/Configuration and the endpoint to update the plugin configuration.
#4505 #4798 #4805 Added new plugin settings to customize the header and footer on the PDF reports.
#4507 Added a new plugin setting to enable or disable the customization.
#4504 Added the ability to upload an image for the customization.logo.* settings in Settings/Configuration.
#4867 Added macOS version to wizard deploy agent.
#4833 Added PowerPC architecture in Red Hat 7, in the section Deploy new agent.
#4831 Added a centralized service to handle the requests.
#4873 Added data-test-subj create policy.
#4933 Added extra steps message and a new command for Windows XP and Windows server 2008, added Alpine agent with all its steps.
#4933 Deploy new agent section: Added link for additional steps to Alpine os.
#4970 Added file saving conditions in File Editor.
#5021 #5028 Added character validation to avoid invalid agent names in the section Deploy new agent.
#5063 Added default selected options in Deploy Agent page.
#5166 Added the server address and Wazuh protocol definition in the Deploy new agent section.
#4103 Changed the HTTP verb from GET to POST in the requests to login to the Wazuh API.
#4376 #5071 #5131 Improved alerts summary performance.
#4363 #5076 Improved Agents Overview performance.
#4529 #4964 Improved the message displayed when a version mismatches between the Wazuh API and the Wazuh APP.
#4363 Independently load each dashboard from the Agents Overview page.
#3874 The endpoint /agents/summary/status response was adapted.
#4458 Updated and added operating systems, versions, architectures commands of Install and enroll the agent and commands of Start the agent in the deploy new agent section.
#4776 #4954 Added cluster's IP and protocol as suggestions in the agent deployment wizard.
#4851 Show the OS name and OS version in the agent installation wizard.
#4501 Changed the endpoint that updates the plugin configuration to support multiple settings.
#4972 The button to export the app logs is now disabled when there are no results instead of showing an error toast.
#4985 Updated the winston dependency to 3.5.1.
#4985 Updated the pdfmake dependency to 0.2.6.
#4992 The button to export the app logs is now disabled when there are no results instead of showing an error toast.
#5062 Updated mocha dependency to 10.1.0.
#5062 Updated pdfmake dependency to 0.2.7.
#5031 Unify the SCA check result label name.
#4985 Removed the angular-chart.js dependency.
#5062 Removed the pug-loader dependency.
#5103 Removed unused file related to agent menu.

Wazuh Splunk app

#1355 Added agent's synchronization statistics.
#1355 Updated the response handlers for the /agents/summary/status endpoint.

Packages

#1980 The Wazuh dashboard is now based on OpenSearch dashboards 2.4.1.
#1979 The Wazuh indexer is now based on OpenSearch 2.4.1.
#1715 Added the Alpine package build.
#1770 The wazuh-certs-tool.sh now supports multiple IP addresses for each node.
#1167 Added the Azure wodle files to the Solaris 11 and RPM agent SPEC files.
#1379 Added the new wodles/gcloud files and folders to the Solaris 11 SPEC file.
#1453 Added orm.py to the Solaris 11 SPEC file.
#1299 Applied the changes required for the new agent-group mechanism.
#1569 Removed unnecessary plugins from the default Wazuh dashboard.
#1602 Simplified the Splunk packages builder.
#1687 Installed open-vm-tools in the OVA.
#1699 Added a custom path option for the Wazuh indexer packages.
#1751 Updated the Wazuh dashboard loading screen.
#1823 The indexer-security-init.sh now accepts DNS names as network hosts.
#1154 The Wazuh passwords tool is now able to obtain the IP address of an interface from the configuration file.
#1839 The Wazuh installation assistant now uses apt-get instead of apt.
#1831 The base creation is now integrated within the build_packages.sh script.
#1838 Changed the internal directory in the base container.
#1473 Changed method from GET to POST in the API login requests.
#1882 Added changes to distribute the libstdc++ and libgcc_s to wazuh-packages.
#1890 Updated permissions in the Wazuh indexer and Wazuh dashboard.
#1876 Removed the deprecated apt-key utility from the Wazuh installation assistant.
#1904 Parameterized the Wazuh dashboard script.
#1929 Added the Wazuh dashboard light loading screen logo in dark mode.
#1930 Added the Distribution version matrix section in the wazuh-packages README.md file.
#1961 Added ossec.conf file generation and improved SPECs on the Alpine packages.
#1343 Signed the Windows dynamic link library files.

Resolved issues

This release resolves known issues, such as the following:

Wazuh manager

Reference	Description
#10873	Fixed `wazuh-dbd` halt procedure.
#12098	Fixed compilation warnings in the manager.
#12516	Fixed a bug in the manager that did not send shared folders correctly to agents belonging to multiple groups.
#12834	Fixed the Active Response decoders to support back the top entries for source IP in reports.
#13338	Fixed the feed update interval option of Vulnerability Detector for the JSON Red Hat feed.
#12127	Fixed several code flaws in the Python framework.
#10635	Fixed code flaw regarding the use of XML package.
#10636	Fixed code flaw regarding permissions at group directories.
#10544	Fixed code flaw regarding temporary directory names.
#11951	Fixed code flaw regarding `try`, `except` and `pass` code block in `wazuh-clusterd`.
#10782	Fixed framework datetime transformations to UTC.
#11866	Fixed a cluster error when Master-Worker tasks were not properly stopped after an exception occurred in one or both parts.
#12831	Fixed cluster logger issue printing `NoneType: None` in error logs.
#13419	Fixed unhandled cluster error when reading a malformed configuration.
#13368	Fixed framework unit test failures when run by the root user.
#13405	Fixed a memory leak in `analysisd` when parsing a disabled Active Response.
#13892	`wazuh-db` is prevented from deleting queue/diff when cleaning databases.
#14981	Fixed multiple data race conditions in Remoted reported by ThreadSanitizer.
#15151	Fixed `aarch64` OS collection in Remoted to allow WPK upgrades.
#15165	Fixed a race condition in Remoted that was blocking agent connections.
#13531	Fixed Virustotal integration to support non UTF-8 characters.
#14922	Fixed a bug masking as Timeout any error that might occur while waiting to receive files in the cluster.
#15876	Fixed a read buffer overflow in `wazuh-authd` when parsing requests.
#16012	Applied workaround for `bpo-46309` used in a cluster to `wazuh-db` communication.
#16233	Let the database module synchronize the agent group data before assignments.
#16321	Fixed memory leaks in wazuh-analysisd when parsing and matching rules.

Wazuh agent

Reference	Description
#7687	Fixed collection of maximum user data length.
#10772	Fixed missing fields in Syscollector on Windows 10.
#11227	Fixed the process startup time data provided by Syscollector on Linux.
#11837	Fixed network data reporting by Syscollector related to tunnel or VPN interfaces.
#12066	V9FS file system is skipped at Rootcheck to prevent false positives on WSL.
#9067	Fixed double file handle closing in Logcollector on Windows.
#11949	Fixed a bug in Syscollector that may prevent the agent from stopping when the manager connection is lost.
#12148	Fixed internal exception handling issues on Solaris 10.
#12300	Fixed duplicate error message IDs in the log.
#12691	Fixed compilation warnings in the agent.
#12147	Fixed the `skip_on_error` parameter of the AWS integration module, which was set to `True` by default.
#12381	Fixed AWS DB maintenance with Load Balancer Buckets.
#12650	Fixed AWS integration's `test_config_format_created_date` unit test.
#12630	Fixed `created_date` field for LB and Umbrella integrations.
#13185	Fixed AWS integration database maintenance error management.
#13674	The default delay at GitHub integration has been increased to 30 seconds.
#14706	Logcollector has been fixed to allow locations containing colons (:).
#13835	Fixed system architecture reporting in Syscollector on Apple Silicon devices.
#14190	The C++ standard library and the GCC runtime library are now included with Wazuh.
#13877	Fixed missing inventory cleaning message in Syscollector.
#15322	Fixed WPK upgrade issue on Windows agents due to process locking.
#13044	Fixed FIM injection vulnerability when using `prefilter_cmd` option.
#14525	Fixed the parse of ALB logs splitting `client_port`, `target_port` and `target_port_list` in separated `ip` and `port` for each key.
#15335	Fixed a bug that prevents processing Macie logs with problematic ipGeolocation values.
#15584	Fixed GCP integration module error messages.
#15575	Fixed an error that prevented the agent on Windows from stopping correctly.
#16140	Fixed Azure integration credentials link.

RESTful API

Reference	Description
#12302	Fixed copy functions used for the backup files and upload endpoints to prevent incorrect metadata.
#11010	Fixed a bug regarding ids not being sorted with cluster disabled in Active Response and Agent endpoints.
#10736	Fixed a bug where `null` values from `wazuh-db` were returned in API responses.
#12063	Connections through `WazuhQueue` will be closed gracefully in all situations.
#12450	Fixed exception handling when trying to get the active configuration of a valid but not configured component.
#12700	Fixed `api.yaml` path suggested as remediation at `exception.py`.
#12768	Fixed `/tmp` access error in containers of API integration tests environment.
#13096	The API will return an exception when the user asks for agent inventory information, and there is no database for it (never connected agents).
#13171 #13386	Improved regex used for the `q` parameter on API requests with special characters and brackets.
#12592	Removed `board_serial` from syscollector integration tests expected responses.
#12557	Removed cmd field from expected responses of syscollector integration tests.
#12611	Reduced the maximum number of groups per agent to 128 and adjusted group name validation.
#14204	Reduced amount of memory required to read CDB lists using the API.
#14237	Fixed a bug where the cluster health check endpoint and CLI would add an extra active agent to the master node.
#15311	Fixed bug that prevents updating the configuration when using various `<ossec_conf>` blocks from the API.
#15194	Fixed vulnerability API integration tests' healthcheck.

Ruleset

Reference	Description
#11613	Fixed `OpenWRT` decoder fixed to parse UFW logs.
#14807	Bug fix in `wazuh-api-fields` decoder.
#13567	Fixed deprecated MITRE tags in rules.
#15241	SCA checks IDs are not unique.
#14513	Fixed regex in check 5.1.1 of Ubuntu 20.04 SCA.
#15251	Removed wrong Fedora Linux SCA default policies.
#15156	SUSE Linux Enterprise 15 SCA Policy duplicated check ids 7521 and 7522.

Other

Reference	Description
#14165	Fixed Makefile to detect CPU architecture on Gentoo Linux.

Wazuh dashboard

Reference	Description
#4425	Fixed nested fields filtering in dashboards tables and KPIs.
#4428	Fixed nested field rendering in security alerts table details.
#4539	Fixed a bug where the Wazuh logo was used instead of the custom one.
#4516	Fixed rendering problems of the `Agent Overview` section in low resolutions.
#4595	Fixed issue when logging out from Wazuh when SAML is enabled.
#4710 #4728 #4971	Fixed server errors with code 500 when the Wazuh API is not reachable / up.
#4653 #5010	Fixed pagination to SCA table.
#4849	Fixed `WAZUH_PROTOCOL` param suggestion.
#4876 #4880	Raspbian OS, Ubuntu, Amazon Linux, and Amazon Linux 2 commands now change when a different architecture is selected in the wizard deploy agent.
#4929	Disabled unmapped fields filter in Security Events alerts table.
#4933	Deploy new agent section: Fixed how macOS versions and architectures were displayed, fixed how agents were displayed, and fixed how Ubuntu versions were displayed.
#4943	Fixed agent deployment instructions for HP-UX and Solaris.
#4638 #5046	Fixed a bug that caused the flyouts to close when clicking inside them.
#4981	Fixed the manager option in the agent deployment section.
#4999 #5031	Fixed Inventory checks table filters by stats.
#4962	Fixed commands in the deploy new agent section(most of the commands are missing `-1`).
#4968	Fixed agent installation command for macOS in the deploy new agent section.
#4942	Fixed agent graph in OpenSearch dashboard.
#4984	Fixed commands in the deploy new agent section(most of the commands are missing `-1`).
#4975	Fixed default last scan date parser to be able to catch dates returned by Wazuh API when no vulnerabilities scan has been made.
#5035	A solaris command has been fixed.
#5045	Fixed commands: AIX, openSUSE, Alpine, SUSE 11, Fedora, HP-UX, Oracle Linux 5, Amazon Linux 2, CentOS 5. Changed the word `or higher` in buttons to `+`.Fixed validations for HP-UX, Solaris and Alpine.
#5069	Fixed error in Github module PDF report.
#5098	Fixed password input in deploy new agent section.
#5094	Fixed error when clicking on the selectors of agents in the group agents management.
#5092	Fixed menu content panel is displayed in the wrong place.
#5101	Fixed greyed and disabled menu section names.
#5107	Fixed misspelling in the NIST module.
#5150	Fixed Statistic cronjob bulk document insert.
#5137	Fixed the style of the buttons showing more event information in the event view table.
#5144	Fixed Inventory module for Solaris agents.
#5167	Fixed the module information button in Office365 and Github Panel tab to open the nav drawer.
#5200	Fixed a UI crash due to `external_references` field could be missing in some vulnerability data.
#5273	Fixed the Wazuh main menu is not displayed when the navigation menu is locked.
#5286	The event view is now working correctly after fixing a problem that occurred when Lucene language was selected in the search bar.
#5285 #5295	Fixed the incorrect use of the connection secure property by Deploy Agent.
#5291	Head rendering in the agent view has been corrected.

Wazuh Kibana plugin for Kibana 7.10.2

Reference	Description
#4425	Fixed nested fields filtering in dashboards tables and KPIs.
#4428	Fixed nested field rendering in security alerts table details.
#4539	Fixed a bug where the Wazuh logo was used instead of the custom one.
#4516	Fixed rendering problems of the `Agent Overview` section in low resolutions.
#4595	Fixed issue when logging out from Wazuh when SAML is enabled.
#4710 #4728 #4971	Fixed server errors with code 500 when the Wazuh API is not reachable / up.
#4653 #5010	Fixed pagination to SCA table.
#4849	Fixed `WAZUH_PROTOCOL` param suggestion.
#4876 #4880	Raspbian OS, Ubuntu, Amazon Linux, and Amazon Linux 2 commands now change when a different architecture is selected in the wizard deploy agent.
#4929	Disabled unmapped fields filter in Security Events alerts table.
#4981	Fixed the manager option in the agent deployment section.
#4999 #5031	Fixed Inventory checks table filters by stats.
#4962	Fixed commands in the deploy new agent section(most of the commands are missing `-1`).
#4968	Fixed agent installation command for macOS in the deploy new agent section.
#4933	Deploy new agent section: Fixed how macOS versions and architectures were displayed, fixed how agents were displayed, and fixed how Ubuntu versions were displayed.
#4943	Fixed agent deployment instructions for HP-UX and Solaris.
#4999	Fixed Inventory checks table filters by stats.
#4975	Fixed default last scan date parser to be able to catch dates returned by Wazuh API when no vulnerabilities scan has been made.
#5035	A Solaris command has been fixed.
#5045	Fixed commands: AIX, openSUSE, Alpine, SUSE 11, Fedora, HP-UX,Oracle Linux 5, Amazon Linux 2, CentOS 5. Changed the word `or higher` in buttons to `+`.Fixed validations for HP-UX, Solaris and Alpine.
#5069	Fixed error in Github module PDF report.
#5098	Fixed password input in deploy new agent section.
#5094	Fixed error when clicking on the selectors of agents in the group agents management.
#5107	Fixed misspelling in the NIST module.
#5150	Fixed Statistic cronjob bulk document insert.
#5137	Fixed the style of the buttons showing more event information in the event view table.
#5144	Fixed Inventory module for Solaris agents.
#5200	Fixed a UI crash due to `external_references` field could be missing in some vulnerability data.
#5285 #5295	Fixed the incorrect use of the connection secure property by Deploy Agent.
#5291	Head rendering in the agent view has been corrected.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

Reference	Description
#4425	Fixed nested fields filtering in dashboards tables and KPIs.
#4428 #4925	Fixed nested field rendering in security alerts table details.
#4539	Fixed a bug where the Wazuh logo was used instead of the custom one.
#4516	Fixed rendering problems of the `Agent Overview` section in low resolutions.
#4595	Fixed issue when logging out from Wazuh when SAML is enabled.
#4710 #4728 #4971	Fixed server errors with code 500 when the Wazuh API is not reachable / up.
#4653 #5010	Fixed pagination to SCA table.
#4849	Fixed `WAZUH_PROTOCOL` param suggestion.
#4876 #4880	Raspbian OS, Ubuntu, Amazon Linux, and Amazon Linux 2 commands now change when a different architecture is selected in the wizard deploy agent.
#4929	Disabled unmapped fields filter in Security Events alerts table.
#4832 #4838	Fixed the agents wizard OS styles and their versions.
#4981	Fixed the manager option in the agent deployment section.
#4999 #5031	Fixed Inventory checks table filters by stats #4999 #5031
#4962	Fixed commands in the deploy new agent section(most of the commands are missing `-1`).
#4968	Fixed agent installation command for macOS in the deploy new agent section.
#4933	Deploy new agent section: Fixed how macOS versions and architectures were displayed, fixed how agents were displayed, and fixed how Ubuntu versions were displayed.
#4943	Fixed agent deployment instructions for HP-UX and Solaris.
#4999	Fixed Inventory checks table filters by stats.
#4983	Fixed agent installation command for macOS in the deploy new agent section.
#4975	Fixed default last scan date parser to be able to catch dates returned by Wazuh API when no vulnerabilities scan has been made.
#5035	A Solaris command has been fixed.
#5045	Fixed commands: AIX, openSUSE, Alpine, SUSE 11, Fedora, HP-UX, Oracle Linux 5, Amazon Linux 2, CentOS 5. Changed the word `or higher` in buttons to `+`.Fixed validations for HP-UX, Solaris and Alpine.
#5069	Fixed error in Github module PDF report.
#5098	Fixed password input in deploy new agent section.
#5094	Fixed error when clicking on the selectors of agents in the group agents management.
#5107	Fixed misspelling in the NIST module.
#5150	Fixed Statistic cronjob bulk document insert.
#5137	Fixed the style of the buttons showing more event information in the event view table.
#5144	Fixed Inventory module for Solaris agents.
#5200	Fixed a UI crash due to `external_references` field could be missing in some vulnerability data.
#5285 #5295	Fixed the incorrect use of the connection secure property by Deploy Agent.
#5291	Head rendering in the agent view has been corrected.

Packages

Reference	Description
#1091	Updated `g++` to fix an undefined behavior on openSUSE Tumbleweed.
#976	Added the missing `tar` dependency in the Wazuh installation assistant.
#1196	Fixed the RPM wazuh-agent package build.
#1431	Fixed a compilation error on CentOS 5 and CentOS 7, as well as the building of the Docker images for CentOS 5 on the i386 architecture.
#1611	Fixed the Solaris 11 generation branch.
#1653	Fixed the log cleaning command in the OVA generation.
#1661	Fixed the `invoke.rc` call.
#1674	Fixed RHEL9 `init.d` file installation.
#1675	Fixed RHEL9 `sysv-init` error.
#1650	Fixed the package building for Arch Linux.
#1688	Updated the `generate_ova.sh` script.
#2019	Removed error logs from the OVA.
#1905	Fixed service enablement in SUSE packages.
#1877	Fixed package conflicts between the `wazuh-manager` and `azure-cli` on CentOS 8.
#1779	Fixed the Wazuh installation assistant all-in-one deployment on Fedora 36.
#1812	Fixed the RHEL and CentOS SCA template generation.
#1826	Fixed the `wazuh-certs-tool.sh` behavior when the given command does not match the content of the `config.yml` file.
#1824	Added `daemon-reload` at the end of the rollback function.
#1836	Fixed the Wazuh offline installation messages.
#1898	Removed Wazuh dashboard and Wazuh indexer init.d service for RHEL9.
#1925	Removed a black square icon from the Wazuh dashboard.
#1963	An issue that didn't allow the Wazuh installation assistant to create certificates for more than 9 nodes is now fixed.
#1987	Removed the `init.d` service for Wazuh dashboard RPM.
#1983	requestHeadersWhitelist is deprecated and has been replaced by requestHeadersAllowlist.
#1986	The Wazuh installation assistant now shows a message indicating that the Wazuh indexer was removed.
#2018	Disabled the expanded header by default in the Wazuh dashboard.
#1932	Added flag mechanism to configure the protection for untrusted libraries verification.
#1727	Added a fix to avoid GLIBC crash.

Changelogs

More details about these changes are provided in the changelog of each component:

4.3.11 Release notes - 24 April 2023

This section lists the changes in version 4.3.11. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#16752	Fixed a dead code bug that might cause wazuh-db to crash.

Changelogs

More details about these changes are provided in the changelog of each component:

4.3.10 Release notes - 16 November 2022

This section lists the changes in version 4.3.10. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#15219	The Arch Linux feed URL in Vulnerability Detector is updated.
#15197	A bug in Vulnerability Detector related to the internal database access is fixed.
#15303	A crash hazard in Analysisd when parsing an invalid `<if_sid>` value in the ruleset is now fixed.

Wazuh agent

Reference	Description
#15259	The agent upgrade configuration has been restricted to local settings.
#15262	An unwanted Windows agent configuration modification on upgrade is fixed.

Wazuh dashboard

Reference	Description
#4815	An issue with logging out from Wazuh when SAML is enabled is now fixed.

Wazuh Kibana plugin for Kibana 7.10.2

Reference	Description
#4815	An issue with logging out from Wazuh when SAML is enabled is now fixed.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

Reference	Description
#4815	An issue with logging out from Wazuh when SAML is enabled is now fixed.

Packages

Reference	Description
#1901	Improved the `config.yml` template to prevent indentation issues.
#1910	Fixed the clean function in the WPK generation.

Changelogs

More details about these changes are provided in the changelog of each component:

4.3.9 Release notes - 13 October 2022

This section lists the changes in version 4.3.9. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh agent

#14497 An obsolete Windows Audit SCA policy file is removed.

Wazuh Kibana plugin

Support for Kibana 7.17.6.

Wazuh Splunk app

Support for Splunk 8.2.7.1 and 8.2.8.

Other

#15067 The external protobuf Python dependency is updated to 3.19.6.

Resolved issues

This release resolves known issues as the following:

Wazuh agent

Reference	Description
#15007	The remote policy detection in SCA is fixed.
#15023	Fixed the agent upgrade module settings parser. Now a default CA file is set.

Changelogs

More details about these changes are provided in the changelog of each component:

4.3.8 Release notes - 19 September 2022

This section lists the changes in version 4.3.8. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh agent

#14842 Updated the WPK upgrade root CA certificate.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#14752	A wrong field assignation in Audit decoders is now fixed.
#14825	A performance problem when synchronizing files through the cluster is fixed. The multigroup folder in worker nodes is no longer cleaned upon node restart.
#14772	A problem when using an invalid syntax with the `if_sid` label is fixed. Now the rule is ignored if the listed `if_sid` rules are not separated by spaces or commas.

Wazuh agent

Reference	Description
#14801	A path traversal flaw in Active Response affecting agents from v3.6.1 to v4.3.7 is fixed. Thanks to Roshan Guragain for reporting this vulnerability.

Packages

Reference	Description
#1798	Improved error management and IP values extraction function in the `wazuh-certs-tool.sh`.
#1806	An error while changing the password in the Wazuh dashboard configuration using `wazuh-install.sh` is now fixed.

Changelogs

More details about these changes are provided in the changelog of each component:

4.3.7 Release notes - 24 August 2022

This section lists the changes in version 4.3.7. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#14540 A cluster command to obtain custom ruleset files and their hash is added.

Wazuh agent

#13958 The logs of the Office365 integration module are improved.

RESTful API

#14551 The endpoint GET /cluster/ruleset/synchronization to check the status of the synchronization of the ruleset in a cluster is added.
#14208 The performance of framework functions for MITRE API endpoints is improved.

Ruleset

#13806 An SCA Policy for CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 is added.
#13879 The SCA Policy for CIS Microsoft Windows 10 Enterprise is updated with the benchmark v1.12.0 for the release 21H2.
#13843 An SCA policy for Red Hat Enterprise Linux 9 (RHEL9) is added.
#13899 An SCA policy for CIS Microsoft Windows Server 2022 Benchmark 1.0.0 is added.

Wazuh dashboard

#4350 The deprecated manager_host field in Wazuh API responses about agent information is no longer used.

Wazuh Kibana plugin for Kibana 7.10.2

#4350 The deprecated manager_host field in Wazuh API responses about agent information is no longer used.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

#4350 The deprecated manager_host field in Wazuh API responses about agent information is no longer used.

Wazuh Splunk app

Wazuh Splunk app is now compatible with Wazuh 4.3.7.

Packages

#1737 passwords-tool tests are added with the files passwords-tool.yml and tests-stack.sh.
#1742 A port status check is added to the Wazuh installation assistant to avoid the installation ending up in failure if one of the Wazuh default ports is being used.
#1754 Skipping the OS check of the wazuh-install.sh script when downloading files is added.
#1629 The -tmp option is added to the the wazuh-certs-tool script in order to specify the tmp directory.
#1685 The RHEL 9 SCA files are added to the specs.
#1734 All Zypper references are removed from the unattended and test directories.
#1753 TLS versions lower than v1.2 are disabled to avoid using weak cipher suites.
#1641 Removed the revision variables from the Wazuh installation assistant.
#1750 The OVA generation scripts are modified to adapt them to the newest changes in wazuh-passwords-tool.sh.
#1769 The path when copying Fedora SCA files is fixed with the new versions.

RPM revision 2

v4.3.7-2 A bug related to the installation of the SCA policy in RHEL8 is fixed. This error caused the RHEL 9 SCA policy to be installed in RHEL 8 machines instead of the correct one.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#13956	A bug in Analysisd that may make it crash when decoding regexes with more than 14 subpatterns is fixed.
#14366	The risk of a crash when Vulnerability Detector parses OVAL feeds is fixed.
#14436	A busy-looping in `wazuh-maild` when monitoring `alerts.json` is fixed.
#14417	A segmentation fault in `wazuh-maild` when parsing alerts exceeding the nesting limit is fixed.

Wazuh agent

Reference	Description
#14368	A code defect in the GitHub integration module reported by Coverity is fixed.
#14518	An undefined behavior in the agent unit tests is fixed.

Ruleset

Reference	Description
#14513	A bug found in the regular expression used for check 5.1.1 (ID 19137) of the Ubuntu 20 SCA policy file that caused false positives is fixed.
#14483	An error when a Wazuh agent runs an AWS Amazon Linux SCA policy is fixed.
#13950	Amazon Linux 2 SCA policy is modified to resolve rules and conditions on control 1.5.2.
#14481	Missing SCA files are added to the Wazuh manager installation.
#14678	OS detection in Ubuntu 20.04 LTS SCA policy is now fixed.

Wazuh dashboard

Reference	Description
#4378	Link to web documentation and some grammatical errors in the file `wazuh.yml` are fixed. Also, the in-file documentation is improved.
#4399	The `config-equivalences` file is moved to the `common` folder to make it available for the entire application.
#4350	An error during the generation of a group's report, if the request to the Wazuh API fails, is fixed.
#4350	A problem with the group's report, when the group has no agents, is fixed.
#4352	A path in the logo customization section is fixed.
#4362	A TypeError in a resource that fails in Chrome and Firefox browsers is fixed.
#4358	An error creating PDF reports when using Kibana with X-Pack without authentication context is fixed.
#4359	Module settings not persisting between updates is fixed.
#4367	A search bar error on the SCA Inventory table is fixed.
#4373	A routing loop when reinstalling the Wazuh indexer is fixed.

Wazuh Kibana plugin for Kibana 7.10.2

Reference	Description
#4378	Link to web documentation and some grammatical errors in the file `wazuh.yml` are fixed. Also, the in-file documentation is improved.
#4399	The `config-equivalences` file is moved to the `common` folder to make it available for the entire application.
#4350	An error during the generation of a group's report, if the request to the Wazuh API fails, is fixed.
#4350	A problem with the group's report, when the group has no agents, is fixed.
#4352	A path in the logo customization section is fixed.
#4362	A TypeError in a resource that fails in Chrome and Firefox browsers is fixed.
#4358	An error creating PDF reports when using Kibana with X-Pack without authentication context is fixed.
#4359	The persistence of the plugin registry file between updates is fixed.
#4367	A search bar error on the SCA Inventory table is fixed.
#4373	A routing loop when reinstalling the Wazuh indexer is fixed.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

Reference	Description
#4378	Link to web documentation and some grammatical errors in the file `wazuh.yml` are fixed. Also, the in-file documentation is improved.
#4399	The `config-equivalences` file is moved to the `common` folder to make it available for the entire application.
#4350	An error during the generation of a group's report, if the request to the Wazuh API fails, is fixed.
#4350	A problem with the group's report, when the group has no agents, is fixed.
#4352	A path in the logo customization section is fixed.
#4362	A TypeError in a resource that fails in Chrome and Firefox browsers is fixed.
#4358	An error creating PDF reports when using Kibana with X-Pack without authentication context is fixed.
#4359	Module settings not persisting between updates is fixed.
#4367	A search bar error on the SCA Inventory table is fixed.
#4373	A routing loop when reinstalling the Wazuh indexer is fixed.

Wazuh Splunk app

Reference	Description
#1359	The API console suggestions were not working in version 4.3.6 and are now fixed.

Packages

Reference	Description
#1762	The Wazuh GPG key is now removed when uninstalling all the Wazuh components using the installation assistant.
#1765	Handling of errors that might happen when downloading Filebeat files is added.
#1766	A check of the indentation of the `config.yml` file is added.
#1731	An error when installing every component of a distributed installation in the same host using the 127.0.0.1 IP address is fixed.
#1619	The code of the Wazuh installation assistant has been improved.

Changelogs

More details about these changes are provided in the changelog of each component:

4.3.6 Release notes - 20 July 2022

This section lists the changes in version 4.3.6. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#14085 Support for Ubuntu 22 (Jammy) is added in Vulnerability Detector.
#14117 Support for Red Hat 9 is added in Vulnerability Detector.
#14111 The shared configuration file handling performance is improved in wazuh-remoted.

Wazuh agent

#13837 The macOS codename list is updated in Syscollector.
#14093 The GitHub and Office365 integrations log messages are improved.

Ruleset

#13893 Ubuntu Linux 22.04 SCA policy is added.
#13905 Apple macOS 12.0 Monterey SCA policy is added.

Wazuh Splunk app

#1351 The documentation links are updated to match their respective title on the Wazuh documentation page.
#1354 The use of all tags to filter Wazuh Server logs is re-allowed.

Packages

#1706 The text of the password tool help option is improved.
#1696 The passwords.wazuh file is renamed to wazuh-passwords.txt.
#1697 Wazuh dashboard users wazuh_admin and wazuh_user and roles wazuh_ui_user and wazuh_ui_admin are removed from the installation templates.
#1718 The periodic Filebeat metrics are disabled.
#1683 New Darwin 21 SCA file for macOS 12 added.
#1684 New Ubuntu 22 SCA file added.

Other

#14121 The Filebeat logging metrics are disabled.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#14098	The potential memory leaks in Vulnerability Detector when parsing OVAL with no criteria are fixed.
#13957	A bug in Vulnerability Detector that skipped Windows 8.1 and Windows 8 agents is fixed.
#14061	A bug in wazuh-db that stored duplicate Syscollector package data is fixed.

Wazuh agent

Reference	Description
#13941	The agent shutdown when syncing Syscollector data is fixed.
#14207	A bug in the agent installer that incorrectly detected the Wazuh username is fixed.
#14100	The macOS vendor data retrieval in Syscollector is fixed.
#14106	A bug in the Syscollector data sync when the agent gets disconnected is fixed.
#13980	A crash in the Windows agent caused by the Syscollector SMBIOS parser for Windows agents is fixed.

RESTful API

Reference	Description
#14152	The return of an exception when the user asks for agent inventory information where there is no database for it is fixed, such as `never_connected` agents.

Wazuh dashboard

Reference	Description
#4326	An error distinguishing conjunction operators (AND, OR) in the search bar component is fixed.
#4301	Some link titles are changed to match their documentation section title.
#4301	Missing documentation references to the Agent's overview, Agent's Integrity monitoring, and Agent's Inventory data sections, when the agent has never connected are fixed.
#4301	The links to the web documentation are changed and now point to the plugin short version instead of current.
#4301	Missing documentation link in the Docker Listener module is fixed.
#4301	Some links to web documentation that didn't work are fixed.
#4307	Now, errors on the action buttons of Rules/Decoders/CDB Lists' tables are displayed.
#4330	Changed reports inputs and usernames.

Wazuh Kibana plugin for Kibana 7.10.2

Reference	Description
#4326	An error distinguishing conjunction operators (AND, OR) in the search bar component is fixed.
#4301	Some link titles are changed to match their documentation section title.
#4301	Missing documentation references to the Agent's overview, Agent's Integrity monitoring, and Agent's Inventory data sections, when the agent has never connected are fixed.
#4301	The links to the web documentation are changed and now point to the plugin short version instead of current.
#4301	Missing documentation link in the Docker Listener module is fixed.
#4301	Some links to web documentation that didn't work are fixed.
#4307	Now, errors on the action buttons of Rules/Decoders/CDB Lists' tables are displayed.
#4330	Changed reports inputs and usernames.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

Reference	Description
#4326	An error distinguishing conjunction operators (AND, OR) in the search bar component is fixed.
#4301	Some link titles are changed to match their documentation section title.
#4301	Missing documentation references to the Agent's overview, Agent's Integrity monitoring, and Agent's Inventory data sections, when the agent has never connected are fixed.
#4301	The links to the web documentation are changed and now point to the plugin short version instead of current.
#4301	Missing documentation link to the Docker Listener module is fixed.
#4301	Some links to web documentation that didn't work are fixed.
#4307	Now, errors on the action buttons of Rules/Decoders/CDB Lists' tables are displayed.
#4330	Changed reports inputs and usernames.

Wazuh Splunk app

Reference	Description
#1351	Some links to web documentation that didn't work are fixed.
#1296	An error on the DevTools where the payload was not being sent, that caused the request to fail is fixed.

Packages

Reference	Description
#1713	An error when upgrading using symlinks is fixed.
#1721	An error with the installation assistant API in single Wazuh manager nodes is fixed.
#1726	A problem with Filebeat found in systems using GLIBC is fixed.

Changelogs

More details about these changes are provided in the changelog of each component:

4.3.5 Release notes - 29 June 2022

This section lists the changes in version 4.3.5. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

Wazuh manager

#13915 The Vulnerability Detector log is improved for the case when the agent OS data is unavailable.

Wazuh agent

#13749 Package data support is extended in Syscollector for modern RPM agents.
#13898 Verbosity of the GitHub module logs is improved.

Ruleset

#13567 Deprecated MITRE tags in rules are removed.

Wazuh dashboard

#4244 When a user goes to test a new rule in Tools / Ruleset Test, there were API messages that were not displayed. Now, this issue is fixed and the messages are displayed on the screen.
#4261 An authorization prompt is added in MITRE > Intelligence.
#4239 The reference from Manager is changed to the Wazuh server in the Deploy new agent guide.
#4267 The filtered tags are removed because they were not supported by the API endpoint.
#4254 The styles in visualizations are changed.

Wazuh Kibana plugin for Kibana 7.10.2

#4244 When a user goes to test a new rule in Tools / Ruleset Test, there were API messages that were not displayed. Now, this issue is fixed and the messages are displayed on the screen.
#4261 An authorization prompt is added in MITRE > Intelligence.
#4239 The reference from Manager is changed to the Wazuh server in the Deploy new agent guide.
#4267 The filtered tags are removed because they were not supported by the API endpoint.
#4254 The styles in visualizations are changed.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

#4244 When a user goes to test a new rule in Tools / Ruleset Test, there were API messages that were not displayed. Now, this issue is fixed and the messages are displayed on the screen.
#4261 An authorization prompt is added in MITRE > Intelligence.
#4239 The reference from Manager is changed to the Wazuh server in the Deploy new agent guide.
#4267 The filtered tags are removed because they were not supported by the API endpoint.
#4254 The styles in visualizations are changed.

Wazuh Splunk app

#1292 The status Pending to the Agents sections is added.
#1276 A disabled state to the Apply changes button on the Agents group editor is added when no changes on the group are made.

Packages

#1635 Removed dependencies from the wazuh-indexer package.
#1663 Improved how the password tool changes the API passwords.

Other

#13811 The test_agent_PUT_endpoints.tavern.yaml API integration test failure in numbered branches is fixed.
#13790 The external click and clickclick Python dependencies are upgraded to 8.1.3 and 20.10.2 respectively.

Resolved issues

This release resolves known issues as the following:

Wazuh manager

Reference	Description
#13662	The upgrade module response message has been fixed not to include null values.
#13863	A string truncation warning log in wazuh-authd when enabling password authentication is fixed.
#13587	A memory leak in wazuh-analysisd when overwriting a rule multiple times is fixed.
#13907	The wazuh-agentd and client-auth are prevented from performing enrollment if the agent fails to validate the manager certificate.
#13694	The manager compilation when enabling GeoIP support is fixed.
#13883	A crash in wazuh-modulesd when getting stopped while downloading a Vulnerability Detector feed is fixed.

Wazuh agent

Reference	Description
#13606	Agent auto-restart on shared configuration changes when running on containerized environments is fixed.
#13880	An issue when attempting to run the DockerListener integration using Python 3.6 and having the Docker service stopped is fixed.

RESTful API

Reference	Description
#13867	The `tag` parameter of `GET /manager/logs` and `GET /cluster/{node_id}/logs` endpoints is updated to accept any string.

Ruleset

Reference	Description
#13597	Fixed Eventchannel testing and improved reporting capabilities of the runtest tool.
#13781	The Amazon Linux 2 SCA policy is modified to resolve a typo on control 1.1.22 and `EMPTY_LINE` conditions.
#13950	The Amazon Linux 2 SCA policy is modified to resolve the rule and condition on control 1.5.2.

Wazuh dashboard

Reference	Description
#4233	Type error when changing screen size in agents section is fixed.
#4235	A logged error that appeared when the `statistics` tasks tried to create an index with the same name, causing the second task to fail on the creation of the index because it already exists, is removed.
#4237	A UI crash due to a query with syntax errors in `Modules/Security events` is fixed.
#4240	An error when generating a module report after changing the selected agent is fixed.
#4266	An unhandled error when a Wazuh API request failed in the dev tools is fixed.
#4264	An error related to `API not available` when saving the manager configuration and restarting the manager from `Management/Configuration/Edit configuration` on manager mode is fixed.
#4253	A UI problem that required scrolling to see the logs in Management/Logs and Settings/Logs is fixed.

Wazuh Kibana plugin for Kibana 7.10.2

Reference	Description
#4233	Type error when changing screen size in agents section is fixed.
#4235	A logged error that appeared when the `statistics` tasks tried to create an index with the same name, causing the second task to fail on the creation of the index because it already exists, is removed.
#4237	A UI crash due to a query with syntax errors in `Modules/Security events` is fixed.
#4240	An error when generating a module report after changing the selected agent is fixed.
#4266	An unhandled error when a Wazuh API request failed in the dev tools is fixed.
#4264	An error related to `API not available` when saving the manager configuration and restarting the manager from `Management/Configuration/Edit configuration` on manager mode is fixed.
#4253	A UI problem that required scrolling to see the logs in Management/Logs and Settings/Logs is fixed.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

Reference	Description
#4233	Type error when changing screen size in agents section is fixed.
#4235	A logged error that appeared when the `statistics` tasks tried to create an index with the same name, causing the second task to fail on the creation of the index because it already exists, is removed.
#4237	A UI crash due to a query with syntax errors in `Modules/Security events` is fixed.
#4240	An error when generating a module report after changing the selected agent is fixed.
#4266	An unhandled error when a Wazuh API request failed in the dev tools is fixed.
#4264	An error related to `API not available` when saving the manager configuration and restarting the manager from `Management/Configuration/Edit configuration` on manager mode is fixed.
#4253	A UI problem that required scrolling to see the logs in Management/Logs and Settings/Logs is fixed.

Wazuh Splunk app

Reference	Description
#1290	Outdated documentation links have been updated.
#1343	The Alerts view from the MITRE section has been hardened in case of errors during the requests to the API (for example timeouts).

Packages

Reference	Description
#1673	The error with the installation of the file init.d to enable Wazuh service in RHEL 9 systems is fixed.
#1675	The error with the installation of the file sysv-init to enable Wazuh service in RHEL 9 systems is fixed.

Changelogs

More details about these changes are provided in the changelog of each component:

4.3.4 Release notes - 8 June 2022

This section lists the changes in version 4.3.4. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements.

Wazuh manager

#13437 Integratord now tries to read alerts indefinitely, instead of performing 3 attempts.
#13626 A timeout for remote queries made by the Office 365, GitHub, and Agent Update modules is added.

Wazuh dashboard

#4166 #4188 The pending agent status is added to some sections where it was missing.
#4166 The visualization of Status panel in Agents is replaced.
#4166 The visualization of policy in Modules/Security configuration assessment/Inventory is replaced.
#4166 #4199 Consistency is improved in the colors and labels used for the agent status.
#4169 How the full and partial scan dates are displayed in the Details panel of Vulnerabilities/Inventory is replaced.

Wazuh Kibana plugin for Kibana 7.10.2

#4166 #4188 The pending agent status is added to some sections where it was missing.
#4166 The visualization of Status panel in Agents is replaced.
#4166 The visualization of policy in Modules/Security configuration assessment/Inventory is replaced.
#4166 #4199 Consistency is improved in the colors and labels used for the agent status.
#4169 How the full and partial scan dates are displayed in the Details panel of Vulnerabilities/Inventory is replaced.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

#4166 #4188 The pending agent status is added to some sections where it was missing.
#4166 The visualization of Status panel in Agents is replaced.
#4166 The visualization of policy in Modules/Security configuration assessment/Inventory is replaced.
#4166 Consistency is improved in the colors and labels used for the agent status.
#4169 How the full and partial scan dates are displayed in the Details panel of Vulnerabilities/Inventory is replaced.

Wazuh Splunk app

#1327 Splunk search-handler event management is improved to avoid forwarder toast error misinterpretation.

Packages

#1595 Splunk packages builder is simplified.
#1606 The Wazuh logo on the login page is updated.
#1628 Support for Ubuntu 22 is added.
#1548 The installation assistant now changes the Wazuh API default passwords.

Resolved issues

This release resolves known issues.

Wazuh manager

Reference	Description
#13621	A bug in `agent_groups` CLI when removing agent groups is fixed.
#13459	Linux compilation errors with GCC 12 are fixed.
#13604	A crash in wazuh-analysisd when overwriting a rule with a configured active response is fixed.
#13666	A crash in wazuh-db when it cannot open a database file is fixed.
#13566	The vulnerability feed parsing mechanism now truncates excessively long values (This problem was detected during Ubuntu Bionic feed update).
#13679	A crash in wazuh-maild when parsing an alert with no full log and containing arrays of non-strings is fixed.

RESTful API

Reference	Description
#13550	The default timeouts for `GET /mitre/software` and `GET /mitre/techniques` are updated to avoid timing out in slow environments.

Ruleset

Reference	Description
#13560	The prematch criteria of `sshd-disconnect` decoder is fixed.

Wazuh dashboard

Reference	Description
#4166	When the platform visualizations didn't use some definitions related to the UI on Kibana 7.10.2 is now fixed.
#4167	A toast message with a successful process appeared when removing an agent of a group in `Management/Groups` and the agent appears in the agent list after refreshing the table is fixed.
#4176	The import of an empty rule or decoder file is fixed.
#4180	The overwriting of rule and decoder imports is now fixed.

Wazuh Kibana plugin for Kibana 7.10.2

Reference	Description
#4166	When the platform visualizations didn't use some definitions related to the UI on Kibana 7.10.2 is now fixed.
#4167	A toast message with a successful process appeared when removing an agent of a group in `Management/Groups` and the agent appears in the agent list after refreshing the table is fixed.
#4176	The import of an empty rule or decoder file is fixed.
#4180	The overwriting of rule and decoder imports is now fixed.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

Reference	Description
#4166	When the platform visualizations didn't use some definitions related to the UI on Kibana 7.10.2 is now fixed.
#4167	A toast message with a successful process appeared when removing an agent of a group in `Management/Groups` and the agent appears in the agent list after refreshing the table is fixed.
#4176	The import of an empty rule or decoder file is fixed.
#4180	The overwriting of rule and decoder imports is now fixed.
#4157	Wazuh now maintains the filters when clicking on the `Visualize` button of a document field from `<Module>/Events` and redirects to the `lens` plugin.
#4198	Missing background in the status graph tooltip in agents is fixed.
#4219	The problem allowing to remove the filters from the module is fixed.

Wazuh Splunk app

Reference	Description
#1329	Unhandled expired session when requesting Splunk DB documents is fixed.

Packages

Reference	Description
#1613	Suse init script installation in agent is fixed.

Changelogs

More details about these changes are provided in the changelog of each component:

4.3.3 Release notes - 1 June 2022

This section lists the changes in version 4.3.3. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements.

Wazuh Kibana plugin

Wazuh Kibana plugin is now compatible with Wazuh 4.3.3.

Wazuh Splunk app

Wazuh Splunk app is now compatible with Wazuh 4.3.3.

Resolved issues

This release resolves known issues.

Manager

Reference	Description
#13651	Avoid creating duplicated `<client>` configuration blocks during deployment.

Agent

Reference	Description
#13642	Prevent Agentd from resetting its configuration on `<client>` block re-definition.

Wazuh dashboard

Reference	Description
#4151	The Wazuh dashboard troubleshooting URL is now fixed.

Wazuh Kibana plugin for Kibana 7.10.2

Reference	Description
#4150	The Wazuh Kibana plugin troubleshooting URL is now fixed.

Wazuh Kibana plugin for Kibana 7.16.x and 7.17.x

Reference	Description
#4146	A bug that prevented removing implicit filters in modules is now fixed.
#4150	The Wazuh Kibana plugin troubleshooting URL is now fixed.

Changelogs

More details about these changes are provided in the changelog of each component:

4.3.2 Release notes - 30 May 2022

This section lists the changes in version 4.3.2. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

Wazuh Splunk app

Wazuh Splunk app is now compatible with Wazuh 4.3.2.

Resolved issues

This release resolves a known issue.

Manager

Reference	Description
#13617	A crash in Vulnerability Detector when scanning agents running on Windows is now fixed.

Changelogs

More details about these changes are provided in the changelog of each component:

4.3.1 Release notes - 18 May 2022

This section lists the changes in version 4.3.1. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements.

Wazuh dashboard

#4142 Added a warning about the PowerShell version requirement in the Windows agent installation wizard.

Wazuh Splunk app

#1322 Added a warning about the PowerShell version requirement in the Windows agent installation wizard.
#1323 The compatibility checks of the app have been changed to simplify the release flow.

Resolved issues

This release resolves known issues.

Manager

Reference	Description
#13439	A crash when overwritten rules are triggered is fixed.
#13439	A memory leak when loading overwritten rules is fixed.
#13439	The use of relationship labels in overwritten rules is now fixed.
#13430	The regex used to transform into datetime in the logtest framework function is fixed.

RESTful API

Reference	Description
#13178	The API response when using sort in Agent upgrade related endpoints is now fixed.

Ruleset

Reference	Description
#13409	Fixed rule 92656, added field condition `win.eventdata.logonType` equals 10 to avoid false positives.

Wazuh dashboard

Reference	Description
#4141	Enhanced the output of the Ruleset Test tool. An error that caused falsy values to be displayed as undefined is now fixed.

Wazuh Splunk app

Reference	Description
#1320	Fixed the render condition of a toast message related to the forwarder when there is no data of agents and the agent deployment guide is displayed in the Agents section.
#1318	The access to Management/Configuration due to missing permissions when the manager cluster is disabled is now fixed.

Changelogs

More details about these changes are provided in the changelog of each component:

4.3.0 Release notes - 5 May 2022

This section lists the changes in version 4.3.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

Wazuh 4.3.0 includes many new additions, such as a remarkable enhancement with the new Wazuh indexer and Wazuh dashboard that improve the user experience and facilitate the management of the whole platform.

Version 4.3.0 enhances the performance of the Wazuh solution and adds new integrations such as the following:

Vulnerability Detector support for Amazon Linux and Arch Linux
New agent integrations with logs from Office 365 and GitHub
Improved RESTful API availability thanks to the API now using multiple processes
Now the Wazuh manager cluster uses multiple processes for improved performance
Wazuh now supports Logcollector with native macOS logs (Unified Logging System)
AWS S3 Server Access logs, Google Cloud Storage buckets, and access logs are now supported too

Below you will find more information about each of these new features.

With Wazuh 4.3.0, two new installers called the Wazuh indexer, and the Wazuh dashboard are available to users to facilitate installation, upgrades, and configuration. The Wazuh indexer is a customized OpenSearch distribution with configurations and tools needed to run out of the box for Wazuh. The Wazuh dashboard is a customized OpenSearch dashboards distribution with the Wazuh plugin embedded, plus new configurations and customizations.

The new Wazuh dashboard is a flexible and intuitive web interface for mining, analyzing, and visualizing data. It provides out-of-the-box dashboards, allowing users to navigate the interface that now presents a renewed design with a new palette of colors. The versioning equivalent to the Wazuh manager will allow upgrades without the risk of incompatibilities.

An installation assistant wazuh-install.sh is available to users, allowing any type of installation, whether an all-in-one, single node, or multi-node. This is possible by simply defining a configuration file, with everything connected and secured, including random passwords and generated certificates. In addition, Debian and RPM packages for ppc64le architectures are made available to users.

Now, the agent is able to collect the installed packages inventory on Amazon Linux and Arch Linux, giving support to Vulnerability Detector for reporting vulnerability exposures. In addition, the Vulnerability Detector now manages a vulnerability inventory and produces alerts during the first agents scan and when a new vulnerability is either found or solved.

New integrations to collect auditing logs from Office 365 and GitHub are added to the agent in this new version. A side panel component that displays information about the active module of the Office 365 setup is introduced, and the Wazuh dashboard now includes events from Office 365. Moreover, Wazuh now supports Logcollector with native macOS logs (Unified Logging System), AWS S3 Server Access logs, and Google Cloud Storage buckets and access logs.

The RESTful API availability has been enhanced thanks to the API now using multiple processes. The performance of several API endpoints is also improved, which is especially palpable in large environments. Additionally, the agent batch is upgraded with an increased limit of agents per request and a new set of filters.

Wazuh v4.3.0 brings significant changes to the cluster, which now uses multiple processes to improve the performance. The results in the table below show a significant improvement for the cluster in this new version. The cluster tasks are performed 423% faster than in the previous version, approximately five times faster, while the RAM consumption decreased to a third. This performance is especially appreciable during the setup phase, where the cluster load is at its highest.

We want to mention another Wazuh 4.3.0 significant new feature. It is related to a new Intelligence tab added to the MITRE ATT&CK module. This tab provides further information about MITRE resources such as groups, mitigations, tactics, and techniques using the new Wazuh API endpoints. Additionally, the Framework tab is adapted to the new Wazuh API endpoints.

Finally, it is important to remark that we maintain support for all installation alternatives. Indeed we maintain and extend this support by adding more recent versions.

What's new

This release includes new features or enhancements.

Manager

#8178 Wazuh adds support for Arch Linux OS in Vulnerability Detector.
#8749 A log message in the cluster.log file is added to notify that wazuh-clusterd has been stopped.
#9077 Wazuh improves API and cluster processes behavior by adding the PID of the wazuh-clusterd processes and the API when these processes are started in foreground mode.
#10492 Time calculation is added when extra information is requested to the cluster_control binary.
#9209 Wazuh adds a context variable to indicate the origin module in socket communication messages.
#9733 A unit tests for framework/core files is added to increase coverage.
#9204 A verbose mode is added in the wazuh-logtest tool.
#8830 Wazuh adds Vulnerability Detector support for Amazon Linux.
#10693 The new option <force> to set the behavior is introduced when Authd finds conflicts on agent enrollment requests.
#9099 Wazuh adds sanitizers to the unit tests execution.
#8237 Vulnerability Detector introduces vulnerability inventory.
The manager will only deliver alerts when new vulnerabilities are detected in agents or when they stop applying.
#11031 A mechanism to ensure the worker synchronization permissions are reset after a fixed period of time is added.
#11799 A new mechanism is now added to create and handle PID files for each child process of the API and cluster.
#8083 The internal handling of agent keys is changed in Remoted to speed up key reloading.
#7885 The option <server> of the Syslog output now supports hostname resolution.
#7763 The product's UNIX user and group are renamed to "wazuh".
#7865 The MITRE database is redesigned to provide full and searchable data.
#7358 The static fields related to FIM are ported to dynamic fields in Analysisd.
#8351 All randomly generated IDs used for cluster tasks are changed. Now, uuid4 is used to ensure IDs are not repeated.
#8873 The sendsync error log is Improved to provide more details of the used parameters.
#9708 The walk_dir function is changed to be iterative instead of recursive.
#10183 The Integrity sync behavior is refactored so that new synchronizations do not start until extra-valid files are processed.
#10101 Cluster synchronization is changed so that the content of the etc/shared folder is synchronized.
#8351 All XML file loads are changed. Now, defusedxml library is used to avoid possible XML-based attacks.
#8535 Configuration validation from execq socket is changed to com socket.
#8392 The utils unittest is updated to improve process_array function coverage.
#8885 The request_slice calculation is changed to improve efficiency when accessing wazuh-db data.
#9273 The retrieval of information from wazuh-db is improved to reach the optimum size in a single iteration.
#9234 The way framework uses context cached functions and adds a note on context_cached docstring is optimized.
#9332 The framework regexes is improved to be more specific and less vulnerable.
#9423 The framework exceptions are unified for non-active agents.
#9433 The RBAC policies are changed to case insensitive.
#9548 Framework stats module is refactored into SDK and core components to comply with Wazuh framework code standards.
#10309 The size of the agents' chunks sent to the upgrade socket is changed to make the upgrade endpoints faster.
#9408 The rootcheck and syscheck SDK code are refactored to make it clearer.
#9738 The Azure-logs module is adapted to use Microsoft Graph API instead of Active Directory Graph API.
#8060 Analysisd now reconnects to Active Response if Remoted or Execd gets restarted.
#10335 Agent key polling now supports cluster environments.
#10357 The support of Vulnerability Detector is extended for Debian 11 (Bullseye).
#10326 The remoted performance with an agent TCP connection sending queue is improved.
#9093 Agent DB synchronization has been boosted by caching the last data checksum in Wazuh DB.
#8892 Logtest now scans new ruleset files when loading a new session.
#8237 CVE alerts by Vulnerability Detector now include the time of detection, severity, and score.
#10849 The manager startup is fixed when <database_output> is enabled.
Improved cluster performance using multiprocessing:
- #10767 The cluster local_integrity task is changed to run in a separate process to improve overall performance.
- #10807 Now, the cluster communication with the database for agent information synchronization runs in a separate parallel process.
- #10920 Now, the cluster processing of the extra-valid files in the master node is carried out in a separate parallel process.
- #11328 The cluster's file compression task in the master node is carried out in a separate parallel process.
- #11364 Now, the processing of Integrity files in worker nodes is carried out in a separate parallel process.
- #11386 Use cluster and API single processing when the wazuh user doesn't have permissions to access /dev/shm.
#12446 Support for Windows 11 is added in Vulnerability Detector.
#12491 The Ubuntu OVAL feed URL to security-metadata.canonical.com is changed.
#12652 Now, Analysisd warns about missing rule dependencies instead of rejecting the ruleset.
#8399 The data reporting for Rootcheck scans in the agent_control tool has been deprecated.
#8846 The old framework functions used to calculate agent status are now removed.

Agent

#8016 An option is added to allow the agent to refresh the connection to the manager.
#8532 A new module to collect audit logs from GitHub is introduced.
#8461 FIM now expands wildcarded paths in the configuration on Windows agents.
#8754 FIM reloads wildcarded paths on full scans.
#8306 Wazuh adds a new path_suffix option to the AWS module configuration.
#8331 A new discard_regex option is added to the AWS module configuration.
#8482 Wazuh adds support for the S3 Server Access bucket type in the AWS module.
#9119 Wazuh adds support for Google Cloud Storage buckets using a new GCP module called gcp-bucket.
#9119 Wazuh adds support for Google Cloud Storage access logs to the gcp-bucket module.
#9420 Wazuh adds support for VPC endpoints in the AWS module.
#9279 Wazuh adds support for GCS access logs in the GCP module.
#10198 An AIM role session duration parameter to the AWS module is added.
#8826 Wazuh adds support for variables in SCA policies.
#7721 FIM now fills an audit rule file to support who-data, although Audit is in immutable mode.
#8957 An integration to collect audit logs from Office 365 is introduced.
#10168 A new field DisplayVersion to Syscollector to help Vulnerability Detector match vulnerabilities for Windows is added.
#10148 Wazuh adds support for macOS agent upgrade via WPK.
#8632 Wazuh adds Logcollector support for macOS logs (Unified Logging System).
#8381 The agent now reports the version of the running AIX operating system to the manager.
#8604 The reliability of the user ID parsing in FIM who-data mode on Linux is improved.
#10230 AWS service_endpoint parameter description to suit FIPS endpoints too is reworded.
#5047 The support of Logcollector for MySQL 4.7 logs is extended.
#9887 Agents running on FreeBSD and OpenBSD now report their IP addresses.
#8202 The verbosity of FIM debugging logs is reduced.
#9992 The agent's IP resolution frequency has been limited to prevent high CPU load.
#10236 Syscollector is optimized to use less memory.
#10337 Wazuh adds support of ZscalerOS system information in the agent.
#10259 Syscollector is extended to collect missing Microsoft product hotfixes.
#10396 The osquery integration is updated to find the new osqueryd location as of version 5.0.
#9123 The internal FIM data handling has been simplified to find files by their path instead of their inode.
#9764 The WPK installer rollback on Windows is reimplemented.
#10208 Active responses for Windows agents now support native fields from Eventchannel.
#10651 Error logs by Logcollector when a file is missing have been changed to info logs.
#8724 The agent MSI installer for Windows now detects the platform version to install the default configuration.
#3659 Agent logs for inability to resolve the manager hostname now have info level.
#11276 An ID number to connection enrollment logs is added.
#10838 Standardized the use of the only_logs_after parameter in the external integration modules.
#10900 The oscap module files are removed as it was already deprecated in version 4.0.0.
#12150 DockerListener integration shebang is updated to python3 for Wazuh agents.
#12779 The ico and jpg files have been updated with the new Wazuh logo for the Windows installer.

RESTful API

#7988 A new PUT /agents/reconnect endpoint is added to force agents reconnection to the manager.
#6761 The select parameter is added to the GET /security/users, GET /security/roles, GET /security/rules and GET /security/policies endpoints.
#8100 The type and status filters are added to GET /vulnerability/{agent_id} endpoint.
#7490 An option is added to configure SSL ciphers.
#8919 An option is added to configure the maximum response time of the API.
#8945 A new DELETE /rootcheck/{agent_id} endpoint is added.
#9028 A new GET /vulnerability/{agent_id}/last_scan endpoint is added to check the latest vulnerability scan of an agent.
#9028 A new cvss and severity fields and filters are added to GET /vulnerability/{agent_id} endpoint.
#9100 An option is added to configure the maximum allowed API upload size.
#9142 A new unit and integration tests for API models are added.
#9077 A message with the PID of wazuh-apid process when launched in foreground mode is added.
#9144 Wazuh adds external id, source, and url to the MITRE endpoints responses.
#9297 Custom healthchecks for legacy agents are added in API integration tests, improving maintainability.
#9914 A new unit test for the API python module is added to increase coverage.
#10238 A docker logs separately in API integration tests environment are added to get cleaner reports.
#10437 A new disconnection_time field is added to GET /agents response.
#10457 New filters are added to agents' upgrade endpoints.
#8288 New MITRE API endpoints and framework functions are added to access all the MITRE information.
#10947 Show agent-info permissions flag is added when using cluster_control and in the GET /cluster/healthcheck API endpoint.
#11931 Save agents' ossec.log if an API integration test fails.
#12085 POST /security/user/authenticate/run_as endpoint is added to API bruteforce blocking system.
#12638 A new API endpoint is added to obtain summaries of agent vulnerabilities' inventory items.
#12727 The new fields external_references, condition, title, published, and updated are added to GET /vulnerability/{agent_id} API endpoint.
#13262 The possibility to include strings in brackets in values of the q parameter is added.
#7490 The SSL protocol configuration parameter is renamed.
#8827 The API spec examples and JSON body examples are reviewed and updated.
The performance of several API endpoints is improved. This is especially appreciable in environments with a big number of agents:
- #8937 The endpoint parameter PUT /agents/group is improved.
- #8938 The endpoint parameter PUT /agents/restart is improved.
- #8950 The endpoint parameter DELETE /agents is improved.
- #8959 The endpoint parameter PUT /rootcheck is improved.
- #8966 The endpoint parameter PUT /syscheck is improved.
- #9046 The endpoint parameter DELETE /groups is improved and API response is changed to be more consistent.
#8945 The endpoint parameter DELETE /rootcheck is changed to DELETE /experimental/rootcheck.
#9012 The time it takes for wazuh-apid process is reduced to check its configuration when using the -t parameter.
#9019 The malfunction in the sort parameter of syscollector endpoints is fixed.
#9113 The API integration tests stability when failing in entrypoint is improved.
#9228 The SCA API integration tests dynamic to validate responses coming from any agent version are fixed.
#9227 All the date fields in the API responses to use ISO8601 are refactored and standardized.
#9263 The Server header from API HTTP responses is removed.
#9371 The JWT implementation by replacing HS256 signing algorithm with RS256 is improved.
#10009 The limit of agents to upgrade using the API upgrade endpoints is removed.
#10158 The Windows agent's FIM responses are changed to return permissions as JSON.
#10389 The API endpoints are adapted to changes in wazuh-authd daemon force parameter.
#10512 The use_only_authd API configuration option and related functionality are deprecated. wazuh-authd will always be required for creating and removing agents.
#10745 The API validators and related unit tests are improved.
#10905 The specific module healthchecks in API integration tests environment is improved.
#10916 The thread pool executors for process pool executors to improve API availability is changed.
#11410 The HTTPS options to use files instead of relative paths are changed.
#8599 The select parameter from GET /agents/stats/distinct endpoint is removed.
#8099 The GET /mitre endpoint is removed.
#11410 The option to set the log path in the configuration is deprecated.

Ruleset

#11306 Carbanak detection rules are added.
#11309 Cisco FTD rules and decoders are added.
#11284 Decoders for AWS EKS service are added.
#11394 F5 BIG IP ruleset is added.
#11191 GCP VPC storage, firewall, and flow rules are added.
#11323 GitLab 12.0 ruleset are added.
#11289 Microsoft Exchange Server rules and decoders are added.
#11390 Microsoft Windows persistence by using registry keys detection is added.
#11274 Oracle Database 12c rules and decoders are added.
#8476 Rules for Carbanak step 1.A - User Execution: Malicious files are added.
#11212 Rules for Carbanak step 2.A - Local discoveries are added.
#9075 Rules for Carbanak step 2.B - Screen capture is added.
#9097 Rules for Carbanak step 5.B - Lateral movement via SSH are added.
#11342 Rules for Carbanak step 9.A - User monitoring is added.
#11373 Rules for Cloudflare WAF are added.
#11013 Ruleset for ESET Remote console is added.
#8532 Ruleset for GitHub audit logs are added.
#11137 Ruleset for Palo Alto v8.X - v10.X are added.
#11431 SCA policy for Amazon Linux 1 is added.
#11480 SCA policy for Amazon Linux 2 is added.
#7035 SCA policy for apple macOS 10.14 Mojave is added.
#7036 SCA policy for apple macOS 10.15 Catalina is added.
#11454 SCA policy for macOS Big Sur is added.
#11250 SCA policy for Microsoft IIS 10 is added.
#11249 SCA policy for Microsoft SQL 2016 is added.
#11247 SCA policy for Mongo Database 3.6 is added.
#11248 SCA policy for NGINX is added.
#11245 SCA policy for Oracle Database 19c is added.
#11154 SCA policy for PostgreSQL 13 is added.
#11223 SCA policy for SUSE Linux Enterprise Server 15
#11432 SCA policy for Ubuntu 14 is added.
#11452 SCA policy for Ubuntu 16 is added.
#11453 SCA policy for Ubuntu 18 is added.
#11430 SCA policy for Ubuntu 20 is added.
#11286 SCA policy for Solaris 11.4 is added.
#11122 Sophos UTM Firewall ruleset is added.
#11357 Wazuh-api ruleset is added.
#11016 Audit rules are updated.
#11177 AWS s3 ruleset is updated.
#11344 Exim 4 decoder and rules to latest format is updated.
#8738 MITRE DB with the latest MITRE JSON specification is updated.
#11255 Multiple rules to remove alert_by_email option are updated.
#11795 NextCloud ruleset is updated.
#11232 ProFTPD decoder is updated.
#11242 RedHat Enterprise Linux 8 SCA up to version 1.0.1 is updated.
#11100 Rules and decoders for FortiNet products are updated.
#11429 SCA policy for CentOS 7 is updated.
#8751 SCA policy for CentOS 8 is updated.
#11263 SonicWall decoder values are fixed.
#11388 SSHD ruleset is updated.
#8552 From file 0580-win-security_rules.xml, rules with id 60198 and 60199 are moved to file 0585-win-application_rules.xml, with rule ids 61071 and 61072 respectively.

Wazuh Kibana plugin

#3557 GitHub and Office365 modules are added.
#3541 A new Panel module tab for GitHub and Office365 modules is added.
#3639 Wazuh adds the ability to filter the results for the Network Ports table in the Inventory data section.
#3324 A new endpoint service is added to collect the frontend logs into a file.
#3327 #3321 #3367 #3373 #3374 #3390 #3410 #3408 #3429 #3427 #3417 #3462 #3451 #3442 #3480 #3472 #3434 #3392 #3404 #3432 #3415 #3469 #3448 #3465 #3464 #3478 The frontend handle errors strategy is improved: UI, Toasts, console log, and log in file.
#3368 #3344 #3726 Intelligence tab is added to the MITRE ATT&CK module.
#3424 Sample data for office365 events are added.
#3475 A separate component to check for sample data is created.
#3506 A new hook for getting value suggestions is added.
#3531 Dynamic simple filters and simple GitHub filters fields are added.
#3524 Configuration viewer for Module Office 365 is added to the Configuration section of the Management menu.
#3518 A side panel component that displays information about the active module of the Office 365 setup is introduced.
#3533 Specifics and custom filters for Office 365 search bar are added.
#3544 Pagination and filter are added to drilldown tables at the Office pannel.
#3568 Simple filters change between panel and drilldown panel.
#3525 New fields are added to the Inventory table and Flyout Details.
#3691 Columns selector are added in agents table.
#3742 A new workflow is added for creating wazuh packages.
#3783 template and fields checks in the health check run correctly according to the app configuration.
#3804 A toast message lets you know when there is an error creating a new group.
#3846 A step to start the agent is added to the deploy new Windows agent guide.
#3893 3 new panels are added to Vulnerabilities/Inventory.
#3893 A new field of Vulnerabilities is added to the details flyout.
#3924 Missing fields used in visualizations are added to the known fields related to alerts.
#3946 A troubleshooting link is added to the "index pattern was refreshed" toast.
#4041 More number options are added to the tables widget in Modules -> "Mitre".
#3121 Ossec to wazuh is changed in all sample-data files.
#3279 Empty fields are modified in FIM tables and syscheck.value_name in discovery now shows an empty tag for visual clarity.
#3346 The MITRE tactics and techniques resources are adapted to use the API endpoints.
#3517 The filterManager subscription is moved to the hook useFilterManager.
#3529 Filter is changed from "is" to "is one of" in the custom search bar.
#3494 Refactor modules-defaults.js to define what buttons and components are rendered in each module tab.
#3663 #3806 The deprecated and new references for the authd configuration are updated.
#3549 Time subscription is added to the Discover component.
#3446 Testing logs using the Ruletest Test don't display the rule information if not matching a rule.
#3649 The format permissions are changed in the FIM inventory.
#3686 #3728 The request to agents that do not return data is now changed to avoid unnecessary heavy load requests.
#3788 Rebranding. Replaced the brand logos, set module icons with brand colors
#3795 User used for sample data management is changed.
#3792 The agent install codeblock copy button and PowerShell terminal warning is changed.
#3811 The naming related to the plugin platform from a specific one to a generic one using the term plugin platform is replaced.
#3893 Dashboard tab of Vulnerabilities module is removed, three new panels to Vulnerabilities/Inventory are added, and details Flyout fields are enhanced.
#3908 Now, all available fields are shown in the Discover Details Flyout table. Furthermore, the open row icon width is fixed in the first column when the table has a few columns.
#3924 Missing fields used in visualizations to the known fields related to alerts are added.
#3946 Troubleshooting link to "index pattern was refreshed" toast is added.
#3196 The table in Vulnerabilities/Inventory is refactored.
#3949 Google Groups app icons are changed.
#3857 Sorting for Agents or Configuration checksum column in the table of Management/Groups is removed due to this is not supported by the API.

Wazuh Splunk app

Support for Wazuh 4.3.0
#1166 Alias field is added to API to facilitate distinguishing between different managers.
#1126 Ensure backwards compatibility.
#1148 A Security Section is added to manage security related configurations.
#1171 Crud Policies are added to the security section.
#1168 Crud Roles are added to the security section.
#1169 Crud Role Mapping is added to the security section.
#1173 Crud Users is added to the security section.
#1147 Created a permissions validation service.
#1164 Implemented the access control on the App's views.
#1155 Implemented a service to fetch Wazuh's users and their roles.
#1156 Implemented a server to fetch Splunk's users and their roles.
#1149 A run_as checkbox is added to the API configuration.
#1174 The ability to use the Authorization Context login method is added.
#1228 Extensions now can only be changed by Splunk Admins.
#1186 Wazuh rebranding.
#1172 Deprecated authd options are updated.
#1236 Refactored branding color styles to improve maintainability.
#1243 Wazuh API's name is changed to its alias in the quick settings selector.

Other

#10247 External SQLite library dependency is upgraded to version 3.36.
#10247 External BerkeleyDB library dependency is upgraded to version 18.1.40.
#10247 External OpenSSL library dependency is upgraded to version 1.1.1l.
#10927 External Google Test library dependency is upgraded to version 1.11.
#11436 External Aiohttp library dependency is upgraded to version 3.8.1.
#11436 External Werkzeug library dependency is upgraded to version 2.0.2.
#11436 Embedded Python is upgraded to version 3.9.9.

Packages

#1518 Changed default attributes in Wazuh dashboard package. (A wazuh-dashboard new package with -2 revision was released)
#1496 Hide passwords in log file.
#1500 The dashboard IP messages are fixed.
#1499 Improved APT locked message and retry time.
#1497 Unhandled promise for the dashboard is fixed.
#1494 Update ova motd message 4.3.
#1471 Remove service disable from RPM and Debian packages.
#1471 Disabled multitenancy by default in the dashboard and changed the app default route.
#1434 Set as a warning the unhandled promises in the Wazuh dashboard.
#1395 Remove IP message from OVA.
#1390 Remove demo certificates from indexer and dashboard packages.
#1307 Add centos8 vault repository due to EOL.
#1302 The user deletion warning RPM manager is fixed.
#1292 The issue where Solaris 11 was not executed in clean installations is fixed.
#1280 The error where Wazuh could continue running after uninstalling is fixed.
#1274 The AIX partition size is fixed.
#1147 The Solaris 11 upgrade from previous packages is fixed.
#1126 Add new GCloud integration files to Solaris 11.
#689 Update SPECS.
#888 An error in CentOS 5 building is fixed.
#944 Add new SCA files to Solaris 11.
#915 Improved support for ppc64le on CentOS and Debian.
#1005 The error with wazuh user in Debian packages is fixed.
#1023 Add ossec user and group during compilation.
#1261 Merge Wazuh Dashboard v3 #.
#1256 The certs permissions in RPM is fixed.
#1208 Kibana app now supports pluginPlatform.version property in the app manifest.
#1162 The certificates creation using parameters 4.3 is fixed.
#1193 The Archlinux package generation parameters 4.3 are fixed.
#1132 Add new 2.17.1 log4j mitigation version 4.3.
#1123 The client keys Ownership for 3.7.x and previous versions is fixed.
#1106 A new log4j remediation 4.3 is added.
#1112 The Linux wpk generation 4.3 is fixed.
#1096 Add log4j mitigation 4.3.
#1086 Increase admin.pem cert expiration date 4.3.
#1078 Remove wazuh user from unattended/OVA/AMI 4.3.
#1074 The groupdel ossec error during upgrade to 4.3.0 is fixed.
#1067 The curl kibana.yml 4.3 is fixed.
#1060 Remove restore-permissions.sh from Debian Packages.
#1048 Bump unattended 4.3.0.
#1012 Removed cd usages in unattended installer and fixed uninstaller 4.3.
#1023 Add ossec user and group during compilation.
#1020 Removed warning and added text in wazuh-passwords-tool.sh final message 4.3.

Resolved issues

This release resolves known issues.

Manager

Reference	Description
#8223	A memory defect is fixed in Remoted when closing connection handles.
#7625	A timing problem is fixed in the manager that might prevent Analysisd from sending Active responses to agents.
#8210	A bug in Analysisd that did not apply field lookup in rules that overwrite other ones is fixed.
#8902	The manager is now prevented from leaving dangling agent database files.
#8254	The remediation message for error code 6004 is updated.
#8157	A bug when deleting non-existing users or roles in the security SDK is now fixed.
#8418	A bug with `agent.conf` file permissions when creating an agent group is now fixed.
#8422	Wrong exceptions with wdb pagination mechanism are fixed.
#8747	An error when loading some rules with the `\` character is fixed.
#9216	The `WazuhDBQuery` class is changed to properly close socket connections and prevent file descriptor leaks.
#10320	An error in the API configuration when using the `agent_upgrade` script is fixed.
#10341	The `JSONDecodeError` in Distributed API class methods is handled.
#9738	An issue with duplicated logs in Azure-logs module is fixed and several improvements are applied to it.
#10680	The query parameter validation is fixed to allow usage of special chars in Azure module.
#8394	A bug running `wazuh-clusterd` process when it was already running is fixed.
#8732	Cluster is now allowed to send and receive messages with a size higher than request_chunk.
#9077	A bug that caused `wazuh-clusterd` process to not delete its PID files when running in foreground mode and it is stopped is fixed.
#10376	Race condition due to lack of atomicity in the cluster synchronization mechanism is fixed.
#10492	A bug when displaying the dates of the cluster tasks that have not finished yet is fixed. Now, `n/a` is displayed in these cases.
#9196	Missing field `value_type` in FIM alerts is fixed.
#9292	A typo in the SSH Integrity Check script for Agentless is fixed.
#10421	Multiple race conditions in Remoted are fixed.
#10390	The manager agent database is fixed to prevent dangling entries from removed agents.
#9765	The alerts generated by FIM when a lookup operation on a SID fails are fixed.
#10866	A bug that caused cluster agent-groups files to be synchronized multiple times unnecessarily is fixed.
#10922	An issue in Wazuh DB that compiled the SQL statements multiple times unnecessarily is fixed.
#10948	A crash in Analysisd when setting Active Response with agent_id = 0 is fixed.
#11161	An uninitialized Blowfish encryption structure warning is fixed.
#11262	A memory overrun hazard in Vulnerability Detector is fixed.
#11282	A bug when using a limit parameter higher than the total number of objects in the wazuh-db queries is fixed.
#11440	A false positive for MySQL in Vulnerability Detector is prevented.
#11448	The segmentation fault when the wrong configuration is set is fixed.
#11440	A false positive in Vulnerability Detector is fixed when scanning OVAl for Ubuntu Xenial and Bionic.
#11835	An argument injection hazard is fixed in the Pagerduty integration script. Thank you Jose Maria Zaragoza (@JoseMariaZ) for reporting this issue.
#11863	Memory leaks in the feed parser at Vulnerability Detector are fixed. Architecture data member from the RHEL 5 feed. RHSA items containing no CVEs. Unused RHSA data member when parsing Debian feeds.
#12368	Now, Authd ignores the pipe signal if Wazuh DB gets closed.
#12415	A buffer handling bug is fixed in Remoted that left the syslog TCP server stuck.
#12644	A memory leak in Vulnerability Detector is fixed when discarding kernel packages.
#12655	A memory leak at wazuh-logtest-legacy is fixed when matching a level-0 rule.
#12489	Now, the cluster is disabled by default when the "disabled" tag is not included.
#13067	A bug in the Vulnerability Detector CPE helper that may lead to producing false positives about Firefox ESR is fixed.

Agent

Reference	Description
#8784	A bug in FIM that did not allow monitoring new directories in real-time mode if the limit was reached at some point is fixed.
#8941	A bug in FIM that threw an error when a query to the internal database returned no data is fixed.
#8362	An error where the IP address was being returned along with the port for Amazon NLB service is fixed.
#8372	AWS module is fixed to properly handle the exception raised when processing a folder without logs.
#8433	A bug with the AWS module when pagination is needed in the bucket is fixed.
#8672	An error with the ipGeoLocation field in AWS Macie logs id fixed.
#10333	An incorrect debug message in the GCloud integration module is changed.
#7848	Data race conditions are fixed in FIM.
#10011	A wrong command line display in the Syscollector process report on Windows is fixed.
#10249	An issue that causes shutdown when agentd or analysisd is stopped is fixed.
#10405	Wrong keepalive message from the agent when file merged.mg is missing is fixed.
#10381	Missing logs from the Windows agent when it's getting stopped are fixed.
#10524	Missing packages reporting in Syscollector for macOS due to empty architecture data is fixed.
#7506	FIM on Linux to parse audit rules with multiple keys for who-data is fixed.
#10639	Windows 11 version collection in the agent is fixed.
#10602	Missing Eventchannel location in Logcollector configuration reporting is fixed.
#10794	CloudWatch Logs integration is updated to avoid crashing when AWS raises Throttling errors.
#10718	AWS modules' log file filtering is fixed when there are logs with and without a prefix mixed in a bucket.
#10884	A bug on the installation script that made upgrades not to update the code of the external integration modules id fixed.
#10921	An issue with the AWS integration module trying to parse manually created folders as if they were files is fixed.
#11086	Some installation errors in OS with no subversion are fixed.
#11115	A typo in an error log about enrollment SSL certificate is fixed.
#11121	A unit tests for Windows agent when built on MinGW 10 is fixed.
#10942	Windows agent compilation warnings are fixed.
#11207	The OS version reported by the agent on OpenSUSE Tumbleweed is fixed.
#11329	The Syscollector is prevented from truncating the open port inode numbers on Linux.
#11365	An agent auto-restart on configuration changes, when started via `wazuh-control` on a Systemd based Linux OS is fixed.
#10952	A bug in the AWS module resulting in unnecessary API calls when trying to obtain the different Account IDs for the bucket is fixed.
#11278	Azure integration's configuration parsing to allow omitting optional parameters is fixed.
#11296	Azure Storage credentials validation bug is fixed.
#11455	The read of the hostname in the installation process for openSUSE is fixed.
#11425	The graceful shutdown when the agent loses connection is fixed.
#11736	The error "Unable to set server IP address" is fixed on the Windows agent.
#11608	The reparse option is fixed in the AWS VPCFlow and Config integrations.
#12324	The way the AWS Config integration parses the dates used to search in the database for previous records was fixed.
#12676	Now, Logcollector audit format parses logs with a custom name_format.
#12704	An issue with the Agent bootstrap is fixed, it might lead to a startup timeout when it cannot resolve a manager hostname.
#13088	A bug in the agent's leaky bucket throughput regulator that could leave it stuck if the time is advanced on Windows is fixed.

RESTful API

Reference	Description
#8196	An inconsistency in RBAC resources for `group:create`, `decoders:update`, and `rules:update` actions are fixed.
#8378	The handling of an API error message occurring when Wazuh is started with a wrong `ossec.conf` is fixed. Now, the execution continues and raises a warning.
#8548	A bug with the `sort` parameter that caused a wrong response when sorting by several fields is fixed.
#8597	The description of `force_time` parameter in the API spec reference is fixed.
#8537	API incorrect path in remediation message when a maximum number of requests per minute is reached is fixed.
#9071	Agents' healthcheck error in the API integration test environment is fixed.
#9077	A bug with `wazuh-apid` process handling of PID files when running in foreground mode is fixed.
#9192	A bug with RBAC `group_id` matching is fixed.
#9147	Temporal development keys and values from `GET /cluster/healthcheck` response are removed.
#9227	Several errors when filtering by dates are fixed.
#9262	The limit in some endpoints like `PUT /agents/group/{group_id}/restart` and added a pagination method is fixed.
#9320	A bug with the `search` parameter resulting in invalid results is fixed.
#9368	Wrong values of `external_id` field in MITRE resources are fixed.
#9399	The way how the API integration testing environment checks that wazuh-apid daemon is running before starting the tests is fixed.
#9777	A healthcheck is added to verify that `logcollector` stats are ready before starting the API integration test.
#10159	The API integration test healthcheck used in the `vulnerability` test cases is fixed.
#10179	An error with `PUT /agents/node/{node_id}/restart` endpoint when no agents are present in selected node is fixed.
#10322	An RBAC experimental API integration test expecting a 1760 code in implicit requests is fixed.
#10289	A cluster race condition that caused the API integration test to randomly fail is fixed.
#10619	The `PUT /agents/node/{node_id}/restart` endpoint to exclude exception codes properly is fixed.
#10666	The `PUT /agents/group/{group_id}/restart` endpoint to exclude exception codes properly is fixed.
#10656	The agent endpoints q parameter to allow more operators when filtering by groups is fixed.
#10830	The API integration tests related to rule, decoder, and task endpoints are fixed.
#11411	Exceptions handling when starting the Wazuh API service is improved.
#11598	The race condition while creating RBAC database is fixed.
#12102	The API integration tests failures caused by race conditions are fixed.

Ruleset

Reference	Description
#11117	Bad characters are fixed on rules 60908 and 60884 - win-application rules.
#11369	Microsoft logs rules are fixed.
#11405	PHP rules for MITRE and groups are fixed.
#11214	Rules id for Microsoft Windows PowerShell is fixed.

Wazuh Kibana plugin

Reference	Description
#3384	The creation of log files is fixed.
#3484	The double fetching alerts count when pinning/unpinning the agent in MITRE ATT&CK/Framework is fixed.
#3490	A refactor of the query Config is changed from Angular to React.
#3412	The flyout closing when dragging and releasing mouse event outside the Rule-test and Decoder-test flyout is fixed.
#3430	Now Wazuh notifies you when you are registering an agent without permission.
#3438	Not used `redirectRule` query param when clicking the row table on CDB Lists/Decoders is removed.
#3439	The code overflows over the line numbers in the API Console editor is fixed.
#3440	The issue that avoids opening the main menu when changing the selected API or index pattern is fixed.
#3443	An error message in conf management is fixed.
#3445	An issue related to the size API selector when the name is too long is fixed.
#3456	An error when editing a rule or decoder is fixed.
#3458	An issue about the index pattern selector doesn't display the ignored index patterns is fixed.
#3553	An error in /Management/Configuration when the cluster is disabled is fixed.
#3565	An issue related to pinned filters removed when accessing the `Panel` tab of a module is fixed.
#3645	Multi-select component searcher handler is fixed.
#3609	The order logs properly in Management/Logs are fixed.
#3661	The Wazuh API requests to `GET //` are fixed.
#3675	Missing MITRE tactics are fixed.
#3488	The CDB list views not working with IPv6 is fixed.
#3466	The bad requests using the Console tool to `PUT /active-response` API endpoint are fixed.
#3605	An issue related to the group agent management table does not update on error is fixed.
#3651	An issue about not showing packages details in agent inventory for a FreeBSD agent SO is fixed.
#3652	Wazuh token deleted twice is fixed.
#3687	The handler of an error on dev-tools is fixed.
#3685	The compatibility with wazuh 4.3 - kibana 7.13.4 is fixed.
#3689	The registry values without agent pinned in FIM>Events are fixed.
#3688	The breadcrumbs style compatibility for Kibana 7.14.2 is fixed.
#3682	The security alerts table when filters change is fixed.
#3692	An error that shows we're using X-Pack when we have Basic is fixed.
#3700	The blank screen in Kibana 7.10.2 is fixed.
#3704	Related decoders file link errors when users click on it are fixed.
#3708	Flyouts in Kibana 7.14.2 are fixed.
#3707	The bug of index patterns in health-check due to a bad copy of a PR is fixed.
#3733	Styles and behavior of button filter in the flyout of `Inventory` section for `Integrity monitoring` and `Vulnerabilities` modules are fixed.
#3733	The height of the `Evolution` card in the `Agents` section when has no data for the selected time range is fixed.
#3722	The clearing of the query filter that doesn't update the data in Office 365 and GitHub Panel tab is updated.
#3710	Wrong daemons in the filter list are fixed.
#3724	A bug when creating a filename with spaces that throws a bad error is fixed.
#3731	A bug in security User flyout nonexistent unsubmitted changes warning is fixed.
#3732	The redirect to a new tab when clicking on a link is fixed.
#3737	Missing settings in `Management/Configuration/Global configuration/Global/Main settings` is fixed.
#3738	The `Maximum call stack size exceeded` error exporting key-value pairs of a CDB List is fixed.
#3741	The regex lookahead and lookbehind for safari are fixed.
#3744	Vulnerabilities Inventory flyout details filters are fixed.
#3604	Removed API selector toggle from Settings menu since it performed no useful function.
#3748	Dashboard PDF report error when switching pinned agent state is fixed.
#3753	The rendering of the command to deploy a new Windows agent not working in some Kibana versions now works correctly.
#3772	Action buttons no longer overlay with the request text in Tools/API Console.
#3774	A bug in Rule ID value in reporting tables related to top results is now fixed.
#3787	An issue with github/office365 multi-select filters suggested values is now fixed.
#3790	We fixed an issue related to updating the aggregation data of the Panel section when changing the time filter
#3804	We removed the button to remove an agent for a group in the agents' table when it is the default group.
#3776	Adding a single agent to a group is fixed.
#3777	The implicit filters from the search bar can be removable.
#3778	Office365/Github module the side panel tab are fixed.
#3780	No wrap text in MITRE ATT&CK intelligence table is fixed.
#3781	The visualization tooltip position is fixed.
#3787	github/office365 multi-select filters suggested values is fixed.
#3796	The styles on the evolution card are fixed.
#3831	Internal user no longer needs permission to make x-pack detection request.
#3845	Agents details card style is fixed.
#3854	Agents evolutions card is fixed.
#3866	Routing redirection in events documents discovers links are fixed.
#3868	Health-check is fixed.
#3901	The table of Vulnerabilities/Inventory doesn't reload when changing the selected agent is fixed.
#3901	The issue with the table in Modules/Vulnerabilities/Inventory that doesn't refresh when changing the selected agent is fixed.
#3937	An asynchronism issue when multiple fields are missing in the Events view rows details is solved.
#3942	A rendering problem in the map visualizations is fixed.
#3877	Parse error when using # character not at the beginning of the line.
#3944	The rule.mitre.id cell enhancement that doesn't support values with sub techniques is solved.
#3947	An error when changing the selected time in some flyouts is fixed.
#3957	An issue related to the user can log out when the Kibana server has a basepath configurated is solved.
#3991	A fatal cron-job error when Wazuh API is down is fixed.

Wazuh Splunk app

Reference	Description
#1137	Long agent names no longer overflow in the overview page.
#1138	An issue that occurred when saving rules or decoders files is now fixed.
#1141	An issue with unnecessary table requests when resizing the browser window is fixed.
#1215	Agent counters are now centered correctly.
#1216	Users can no longer add new agents without the right "create" permissions.
#1217	The navigation bar for Security options no longer overlaps with the background header.
#1223	An error when the agents view is re-initialized is now fixed.
#1230	This issue is fixed and you can now see actions after adding the first API.
#1232	The Agent status chart data is shown correctly.
#1237	The Agent status graph is fixed to show the correct amount of agents.
#1258	The sorting on the Groups table columns is fixed.
#1260	Non-sortable columns are fixed on the Security section tables.
#1271	Group report disabled configuration parameter error is fixed.
#1266	Import CDB list file is fixed.
#1282	Header menu height style issue is fixed.
#1283	An error is fixed on the search string used on the Alerts Summary table in the Overview > Vulnerability section, causing the table to show no data.

Others

Reference	Description
#9168	Error detection in the CURL helper library is fixed.
#10899	External Berkeley DB library support for GCC 11 is fixed.
#11086	An installation error due to missing OS minor version on CentOS Stream is fixed.
#11455	An installation error due to a missing command hostname on OpenSUSE Tumbleweed is fixed.

Changelogs

More details about these changes are provided in the changelog of each component:

4.2.7 Release notes - 30 May 2022

This section lists the changes in version 4.2.7. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements.

Wazuh Kibana plugin

Wazuh Kibana plugin is now compatible with Wazuh 4.2.7.

Wazuh Splunk app

Wazuh Splunk app is now compatible with Wazuh 4.2.7.

Resolved issues

This release resolves known issues.

Manager

Reference	Description
#13617	A crash in Vulnerability Detector when scanning agents running on Windows is now fixed (backport from 4.3.2).

Changelogs

More details about these changes are provided in the changelog of each component:

4.2.6 Release notes - 28 March 2022

This section lists the changes in version 4.2.6. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements.

Wazuh Kibana plugin

Wazuh Kibana plugin is now compatible with Wazuh 4.2.6.

Wazuh Splunk app

Wazuh Splunk app is now compatible with Wazuh 4.2.6.

Resolved issues

This release resolves known issues.

Manager

Reference	Description
#11974	This release resolves an integer overflow hazard in `wazuh-remoted` that caused it to drop incoming data after receiving 2^31 messages.

Changelogs

More details about these changes are provided in the changelog of each component:

4.2.5 Release notes - 15 November 2021

This section lists the changes in version 4.2.5. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements.

Manager

#10809 Active response requests for agents between versions 4.2.0 and 4.2.4 are now sanitized to prevent unauthorized code execution.

Wazuh Kibana plugin

Wazuh Kibana plugin is now compatible with Wazuh 4.2.5.
Support for Kibana 7.13.4.
Support for Kibana 7.14.2.

Wazuh Splunk app

Wazuh Splunk app is now compatible with Wazuh 4.2.5.

Resolved issues

This release resolves known issues.

Agent

Reference	Description
#10809	A bug in the Active Response tools that might allow unauthorized code execution has been mitigated.

Wazuh Kibana plugin

Reference	Description
#3653	A compatibility issue between Wazuh 4.2 and the kibana 7.13.4 is now fixed. In addition, this fix is compatible with Kibana 7.10.
#3654	This fix resolves an error that produced the interactive screen of a new agent to break when selecting the Windows OS option. This fix is compatible with Kibana 7.10.
#3668	A style compatibility issue of the breadcrumb navigation inside Kibana 7.14.2 is now fixed.
#3670	This fix resolves the Wazuh API token not being deprecated after logout with Kibana 7.13 and 7.14.
#3672	A Group Configuration and Management Configuration error is now fixed when the user tries to go back after saving.
#3674	With this fix, the panels and their titles are correctly displayed in the Welcome Overview and the Management Directory. In addition, it resolves that all the Wazuh menus are consistent without titles in gray.
#3676	An issue with double flyout appearing when clicking a policy is now fixed.
#3678	Kibana settings conflict in health check is now fixed.
#3681	Compatibility to get the valid index patterns and refresh fields for Kibana 7.10.2-7.13.4 is now fixed.

Changelogs

More details about these changes are provided in the changelog of each component:

4.2.4 Release notes - 20 October 2021

This section lists the changes in version 4.2.4. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements.

Wazuh Kibana plugin

Wazuh Kibana plugin is now compatible with Wazuh 4.2.4.

Wazuh Splunk app

Wazuh Splunk app is now compatible with Wazuh 4.2.4.

Resolved issues

This release resolves known issues.

Manager

Reference	Description
#9158	This fix prevents files belonging to deleted agents from remaining in the manager.
#10432	Fixed inaccurate agent group file cleanup in the database sync module. Now, the module syncs up the agent database from `client.keys` before cleaning up the groups folder.
#10479	This fix prevents the manager from corrupting the agent data integrity when the disk gets full.
#10559	A resource leak in Vulnerability Detector when scanning Windows agents is now fixed.

Wazuh Kibana plugin

Reference	Description
#3638	An issue that caused the user's auth token not to be deprecated correctly after logging out of the API is now fixed.

Changelogs

More details about these changes are provided in the changelog of each component:

4.2.3 Release notes - 6 October 2021

This section lists the changes in version 4.2.3. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements.

Wazuh Kibana plugin

Wazuh Kibana plugin is now compatible with Wazuh 4.2.3.

Wazuh Splunk app

Wazuh Splunk app is now compatible with Wazuh 4.2.3.

Resolved issues

This release resolves known issues.

Manager

Reference	Description
#10388	An issue in Remoted that might lead it to crash when retrieving an agent's group is now fixed.

Changelogs

More details about these changes are provided in the changelog of each component:

4.2.2 Release notes - 28 September 2021

This section lists the changes in version 4.2.2. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

This release includes highlighted features and enhancements.

Manager

#9779 Authd now refuses enrollment attempts if the agent already holds a valid key. With this added feature, Authd can only generate new keys if the agent key does not exist on the manager side. Based on this, the manager has the capability to decide if a new key should be generated or not. Since the introduction of Enrollment in version 4.0.0, Wazuh provides the user with an automated mechanism to enroll agents with minimal configuration. This registration method might cause agents to self-register under certain circumstances, even if they were already registered. This improvement prevents this issue from happening and avoids re-registering agents that already have valid keys.

Agent

#9927 The Google Cloud Pub/Sub integration module is updated to increase processed events per second. The rework of this integration module allows multithreading, increases performance significantly, and adds a new num_threads option to the module configuration. The new multithreading feature allows pulling messages with multiple subscribers simultaneously, improving the performance drastically. In addition, this new Google Cloud integration includes some improvements in the pulling and acknowledging mechanism, and the socket connection as well.

Wazuh Kibana plugin

#3175 Wazuh improves the API selector and Index pattern selector of the Wazuh Kibana plugin, moving both from the main menu to the upper right corner of the header bar for quick access. This new UX improvement allows users to have better management of these two features. As for visualization, the API selector is displayed when there is more than one to select. The Index pattern selector is displayed under the same conditions and only contains index patterns that have Wazuh alerts.
#3503 Wazuh adds a new functionality that allows users to change the logotype settings of the Wazuh Kibana plugin. From the Logo Customization section of the Configuration page, users can customize the logos of the app easily and to their liking. Setting options include customization of Logo App, Logo Sidebar, Logo Health Check, and Logo Reports.

Wazuh Splunk app

#1107 Wazuh adds Quick Settings to improve the view and selection of the Wazuh API, Index, and Source type of the Wazuh Splunk app. Now users can change the configuration of these elements easily from this new menu in the app.

What's new

This release includes new features or enhancements.

Manager

#9133 The agent's inventory data on the manager is correctly cleaned up when Syscollector is disabled.
#9779 Authd now correctly refuses enrollment attempts if the agent already holds a valid key.

Agent

#9907 Syscollector scan performance is optimized.
#9927 The Google Cloud Pub/Sub integration module rework increases the number of processed events per second allowing multithreading and enhancing performance. Also, a new num_threads option is added to the module configuration.
#9964 google-cloud-pubsub dependency is now upgraded to the latest stable version (2.7.1).
#9443 The WPK installer rollback is reimplemented on Linux.
#10217 Updated AWS WAF implementation to change httpRequest.headers field format.

RESTful API

#10219 Made SSL ciphers configurable and renamed SSL protocol option.

Wazuh Kibana plugin

#3170 Wazuh support links are added to the Kibana help menu. You now get quick access to the Wazuh Documentation, Slack channel, Projects on GitHub, and Google Group.
#3184 You now can access group details directly by using the group query parameter in the URL.
#3222 #3292 A new configuration is added to disable Wazuh App access from X-Pack/ODFE role.
#3221 New confirmation message is now displayed when closing a form.
#3503 Wazuh introduces a new Logo Customization section that allows you to change and customize app logotypes.
#3592 The link to the Wazuh Upgrade guide is now included in the message shown when the Wazuh API version and the Wazuh App version mismatch.
#3160 To improve user experience, module titles are now removed from the dashboards.
#3174 The default wazuh.monitoring.creation app setting is changed from d to w.
#3174 The default wazuh.monitoring.shards app setting is changed from 2 to 1.
#3189 SHA1 field is removed from the Windows Registry details pane.
#3250 Removed tooltip from header breadcrumb to improve readability.
#3197 Refactoring of the Health check component improves user experience.
#3210 When deploying a new agent, the Install and enroll the agent command now specifies the version in the package downloaded name.
#3243 In the vulnerabilities Inventory, the restriction that only allowed current active agents’ information to be shown is removed. Now, it displays the vulnerabilities table regardless of whether the agent is connected or not.
#3175 To improve user experience of the Wazuh Kibana API, the Index pattern selector and API selector are moved to the header bar.
#3258 Health check actions' notifications are refactored and the process can now be run in debug mode.
#3349 Changed the way kibana-vis hides the visualization while loading. This improvement prevents errors caused by having a 0 height visualization.

Wazuh Splunk app

#1083 Added MITRE ATT&CK framework integration.
#1076 Added MITRE ATT&CK dashboard integration.
#1109 Wazuh now gives you enhanced insight into the CVE that are affecting an agent. The newly added Inventory dashboard in the Vulnerabilities module allows you to visualize information such as name, version, and package architecture, as well as the CVE ID that affects the package.
#1104 New Source type selector is now added to customize queries used by dashboards.
#1107 The Wazuh Splunk app now includes a Quick settings menu to improve user experience. This enhancement allows you to quickly view and select the Wazuh API, Index, and Source type.
#1118 jQuery version is upgraded from 2.1.0 to 3.5.0.
Wazuh supports Splunk 8.1.4.
Wazuh supports Splunk 8.2.2.

Resolved issues

This release resolves known issues.

Manager

Reference	Description
#9647	A false positive in Vulnerability Detector is no longer generated when packages have multiple conditions in the OVAL feed.
#9042	This fix prevents pending agents from keeping their state indefinitely in the manager.
#9088	An issue in Remoted is fixed. Now, it checks the group an agent belongs to when it receives the keep-alive message and avoids agents in connected state with no group assignation.
#9278	An issue in Analysisd that caused the value of the rule option `noalert` to be ignored is now fixed.
#9378	Fixed Authd's startup to set up the PID file before loading keys.
#9295	An issue in Authd that delayed the agent timestamp update when removing agents is now fixed.
#9705	An error in Wazuh DB that held wrong agent timestamp data is now resolved.
#9942	An issue in Remoted that kept deleted shared files in the multi-groups' merged.mg file is now fixed.
#9987	An issue in Analysisd that overwrote its queue socket when launched in test mode is now resolved.
#10016	This fix prevents false positives when evaluating DU patches in the Windows Vulnerability Detector.
#10214	Memory leak is fixed when generating the Windows report in Vulnerability Detector.
#10194	A file descriptor leak is fixed in Analysisd when delivering an AR request to an agent.

Agent

Reference	Description
#9710	This fix prevents the manager from hashing the shared configuration too often.
#9310	Memory leak is fixed in Logcollector when re-subscribing to Windows EventChannel.
#9967	Memory leak is fixed in the agent when enrolling for the first time with no previous key.
#9934	CloudWatchLogs log stream limit, when there are more than 50 log streams, is now removed.
#9897	Fixed a problem on the Windows installer and now, with this fix, the agent can be successfully uninstalled or upgraded.
#9775	AWS WAF log parsing error is fixed and log parsing now works correctly when there are multiple dictionaries in one line.
#10024	An issue is fixed in the AWS CloudWatch Logs module that caused already processed logs to be collected and reprocessed.
#8256	This fix avoids duplicate alerts from case-insensitive 32-bit registry values in FIM configuration for Windows agents.
#10250	Error with Wazuh path in Azure module is now fixed.
#10210	An issue is fixed in the sources and WPK installer that made the upgrade unable to detect the previous installation on CentOS 7.

RESTful API

Reference	Description
#9984	An issue with distributed API calls when the cluster is disabled is now fixed.

Wazuh Kibana plugin

Reference	Description
#3159	Cluster visualization screen flickering is fixed.
#3161	Links now work correctly when using `server.basePath` Kibana setting.
#3173	In the Vulnerabilities module, a filter error is resolved and PDF reports are generated with complete Summary information.
#3234	Fixed typo error in the Configuration tab of the Settings page.
#3217	In the agent summary of the Agents data overview page, fields no longer overlap under certain circumstances and are correctly displayed.
#3257	An issue when using the Ruleset Test is now fixed. Now, all requests are made in the session unless you click Clear session.
#3237	Visualize button issue is resolved and the button is displayed when expanding a field in the Events tab sidebar.
#3244	Some modules were missing from the Agents data overview page. This issue is fixed and they are now successfully displayed.
#3260	With this fix, App log messages are improved and WUI error logs removed.
#3272	Some errors on PDF reports are fixed.
#3289	When deploying a new agent, selecting macOS as the operating system in a Safari browser no longer generates a TypeError.
#3297	An issue in the Security configuration assessment module is fixed. SCA checks are displayed correctly.
#3241	An issue with an error message when adding sample data fails is fixed.
#3303	An error in reports is fixed and now the Alerts Summary of modules is generated completely.
#3315	Fixed dark mode visualization background in PDF reports.
#3309	Kibana integrations are now adapted to Kibana 7.11 and 7.12.
#3306	An issue is fixed in the Agents overview window and is now rendered correctly.
#3326	Fixed an issue with miscalculation of table width in PDF reports. With this fix, tables are displayed correctly.
#3323	`visData` table property is normalized for 7.12 backward compatibility and Alerts Summary table is shown in PDF reports.
#3358	Export-to-CSV buttons in dashboard tables are now fixed.
#3345	Fixed Elastic UI breaking changes errors in 7.12.
#3347	Wazuh main menu and breadcrumb render issues are now fixed.
#3397	This fix prevents some errors from causing a massive increase in logs size.
#3593	Fixed an issue in the Vulnerabilities pane that did not show alerts if the vulnerability had a field missing.
#3240	This fix correctly hides the navbar Wazuh label.
#3355	Labels of some visualizations no longer overlap, improving readability.

Wazuh Splunk app

Reference	Description
#1070	Error when trying to pin filters is fixed.
#1074	Issue in tables without server side pagination is fixed. This allows to load unlimited items but only 1 page at a time preserving client and server resources.
#1077	An issue with the gear icon mispositioned in FIM tables is now fixed.
#1078	Added cache control. With this fix, a message is displayed if the version of the Wazuh app in your browser does not correspond with the app version installed on Splunk.
#1084	Fixed error where tables unset their loading state before finishing API calls.
#1083	An issue about search bar queries with spaces is fixed.
#1083	Fixed pinned fields ending with curly brackets.
#1099	Splunk Cloud compatibility issues are now fixed.
#1103	Agents node names are now correctly displayed for agent overview.
#1103	Reports no longer have missing columns for some tables and are now displayed correctly.
#1112	Issue with expanding row feature in File Integrity Monitoring of agents is now fixed.

Changelogs

More details about these changes are provided in the changelog of each component:

4.2.1 Release notes - 3 September 2021

This section lists the changes in version 4.2.1. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Wazuh core

Resolved issues

Installer

Reference	Description
#9973	An issue in the upgrade to 4.2.0 that disabled Eventchannel support on Windows agents is now fixed.

Modules

Reference	Description
#9975	An issue with Python-based integration modules causing the integrations to stop working in Wazuh v4.2.0 agents is now fixed.

Wazuh Kibana plugin

What's new

Wazuh Kibana plugin is now compatible with Wazuh 4.2.1.

Wazuh Splunk app

What's new

Wazuh Splunk app is now compatible with Wazuh 4.2.1.

Changelogs

More details about these changes are provided in the changelog of each component:

4.2.0 Release notes - 25 August 2021

This section lists the changes in version 4.2.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

Core

#3368, #5652, #7109 Logcollector improvements:

Logcollector is now enhanced with several new features. Wazuh adds Logcollector support for bookmarks, which allows you to continue reading a log file from the last read line where the agent stopped, improving efficiency and productivity. The multi-line log support through regex lets you collect multi-line logs with a variable number of lines. The agent also generates a statistics file report during Logcollector lifetime. This means that, in addition to the alternative of accessing metrics via API queries, you now have the option to access this information from a file stored in an agent, according to a configurable time.
#7731 Visibility improvements on agent CVE inventory report:

Wazuh now generates CVE inventory reports that give you insight into vulnerabilities that affect an agent. With this added feature, this information is now queried through the RESTful API and displayed on the user interface for analysis. This visibility improvement allows you to assess vulnerabilities affecting your monitored agents and take quick corrective action if needed.
#7541 Agent port support for TCP and UDP:

Remoted now supports listening to TCP and UDP ports simultaneously. This new support of both protocols provides several enhanced features related to manager active check, agent connection and logging, active response, API requests, JSON formatting, and more. This new supportability also provides enhancements related to centralized configuration since now agents can be configured remotely by using the agent.conf file.
#6912 Wazuh unified standard improvements:

The names of daemons and tools for the Wazuh product are now renamed and unified to achieve consistency and uniformity, according to the new Wazuh standards.
#7105, #7018, #7268, #8224, #7795 Stability enhancements on Wazuh features:

Wazuh new fixes provide stability to several features of the solution, including Analysisd, File Integrity Monitoring, Remoted, and Vulnerability Detector. These changes improve user experience throughout the product.

API

#7588 Endpoint for allow_run_as parameter configuration:

The allow_run_as parameter is now removed from endpoints to create and update API users. Now, Wazuh adds a new endpoint to modify the user’s allow_run_as flag, allowing you to enable or disable the parameter after creating a user.
#7647 CVE data endpoint integration:

Wazuh adds a new endpoint to get CVE data on affected agents. With this new endpoint, you can query the vulnerability data of any agent and get enhanced insight into the CVE, giving you easy access to data such as package name, package version, package architecture, and the CVE ID that affects said package.
#7200 Endpoint for Logcollector statistics:

Wazuh adds a new endpoint to get statistics from different components such as Logcollector, allowing you to retrieve information from both managers and agents. With this enhancement, Wazuh components that generate statistics files bring this information using their own socket interface and fetch the data from a remote component.
#6366 Improved DELETE /agents endpoint:

The DELETE/agents query now integrates new parameters that allow you to customize selection, and to easily remove agents that belong to a group. With this improvement, the older_than field is also removed from the response.

Wazuh Kibana plugin

#1434 New Ruleset Test tool:

Wazuh improves the user experience by adding a new Ruleset Test feature under the Tools section of the Wazuh Kibana plugin menu. This feature is also included as a tool in the action bar of both the Edit Rules and Edit Decoders sections, allowing you to keep the Ruleset Test window open while you navigate through the page to edit or create a ruleset file.

The new Ruleset Test tool also integrates an input box for reading sample logs and an output box that allows you to visualize the test results. With this enhancement, you can now test sample logs directly on the Wazuh user interface and see how the ruleset reacts to specific log messages.

#1434 Tools menu improvements:

The Dev Tools feature is renamed as API Console and it is now found, together with the new Ruleset Test feature, inside the new Tools section under the Wazuh Kibana plugin menu.

#3056 New Agent Stats section:

Wazuh adds a new Stats section that improves the visibility you have over agents’ statistics. You can access this feature by clicking Stats in the action ribbon on the Agent data overview page. This improvement allows you to visualize information fetched by the new API endpoint /agents/{agent_id}/stats/logcollector in the Wazuh user interface.

#3069 Agent new vulnerability inventory:

Wazuh now gives you enhanced insight into the CVE that are affecting an agent. The newly added Inventory tab in the Vulnerabilities module allows you to visualize information such as package name, package version, package architecture, and the CVE ID that affects the package, and more. You can also access the vulnerability data flyout to expand on the specifics of each vulnerability entry detailed in the Inventory.

Breaking changes

#7317 With its Active Response capability, Wazuh now sends information to the active response executables via stdin instead of in-line arguments. Any custom active response script developed for previous versions of Wazuh needs to be adapted to accept the event information. Previous default scripts present in the active-response/bin directories are now replaced as part of the agent upgrade process. The Wazuh manager continues to send in-line arguments to Wazuh agents up to version 4.1.5. This improvement also includes new rules to match the new active response logs.

Wazuh core

What's new

This release includes new features or enhancements.

Cluster

#8175 Improvements in cluster node integrity calculation make the process more efficient. Now, it calculates the MD5 of only the files that were modified since the last integrity check.
#8182 The synchronization workflow of agent information between cluster nodes is optimized and now the synchronization is performed in a single task for each worker.
#8002 Cluster logs are now changed to show more useful and essential information, improving clarity and readability.

Core

#3368 Wazuh adds support for bookmarks in Logcollector. This allows you to follow the log file from the last read line where the agent stopped.
#5652 Wazuh collects multi-line logs with a variable number of lines in Logcollector. This improved support is especially useful when dealing with logs, such as Java Stack Trace, since the number of lines in the log no longer needs to be held constant for every event type.
#6830 A new option is added that lets you limit the maximum number of files read per second for File Integrity Monitoring (FIM) scan. You now have more FIM control by allowing you to set the limit of the amount of data analyzed during a scheduled scan.
#7109 Wazuh adds statistics file to Logcollector. In addition to the alternative of accessing metrics via API queries, you now have the option to access this information from a file stored in an agent, according to a configurable time. This data is generated and updated every logcollector.state_interval seconds and can be accessed at any moment.
#7239 Wazuh provides enhanced state information by adding statistical data queries to the agent.
#7307 Quoting in commands to group arguments in the command wodle and SCA checks are allowed. Before this enhancement, the system parsed quoted substrings into the same argument but double-quotes were kept. Now, scapes and double-quotes are allowed in command lines so that you can handle arguments in command calls.
#7408 Agent IP address detection capabilities are improved and agents running on Solaris now send their IP address to the manager.
#7444 A new ip_update_interval option is added to set how often the agent refreshes its IP address.
#7661 New support is added for testing location information in Wazuh logtest.
#7731 Vulnerability Detection capabilities are now improved by adding new Vulnerability Detector reports to the Wazuh database so you can know which CVE affect an agent.
#8755 Newly added option allows you to enable or disable listening to Authd TSL port.
#6912 Wazuh daemons are now renamed to follow the Wazuh unified standard.
#6903 Wazuh CLIs and related tools are now renamed to follow Wazuh unified standard.
#6920 Wazuh internal directories are now renamed to follow Wazuh unified standard.
#6759 Wazuh improvement prevents a condition in FIM from possibly causing a memory error.
#6828 FIM now switches from who-data to real-time mode when Audit is in immutable mode.
#7317 Active Response protocol changed to receive messages in JSON format that include the full alert.
#7264 References in logs are now changed to include Wazuh product name.
#7541 Remoted now supports both TCP and UDP protocols simultaneously.
#7595 Unit tests for the os_net library are now improved in functionality and consistency.
#6999 FIM now removes the Audit rules when their corresponding symbolic links change their target.
#7797 Compilation from sources now downloads the prebuilt external dependencies. This improvement helps to consume fewer resources and eliminates overhead.
#7807 The old implementation of logtest is restored and renamed as wazuh-logtest-legacy, improving functionality.
#7974 Wazuh adds performance improvements to Analysisd when running on multi-core hosts.
#8021 Agents now notify the manager that they are stopping. This allows the manager to log an alert and immediately set their state to "disconnected".
#7327 Wazuh building process is now independent of the installation directory. With this improvement, the embedded Python interpreter is now provided in a preinstalled, portable package, and the Wazuh resources are now accessed via a relative path to the installation directory.
#8201 In the Security configuration assessment module, the error log message shown when the agent cannot connect to the SCA queue is now changed to a warning message to redefine its severity.
#8921 The agent now validates the Audit connection configuration when enabling who-data for FIM on Linux.
#7175 The /etc/ossec-init.conf file no longer exists.
#7398 Unused files are removed from the repository, including TAP tests.
#7379 Syscollector now synchronizes its database with the manager, avoiding full data delivery on each scan.

API

#7200 Wazuh adds a new endpoint to get agent statistics from different components.
#7588 Wazuh adds a new endpoint to modify the user’s allow_run_as flag, allowing you to enable or disable the parameter.
#7647 Wazuh adds a new endpoint to get CVE data on affected agents. You can now query the vulnerability data of any agent.
#7803 A new API configuration validator is now added to improve validation checking processes.
#8115 Wazuh adds the capability that allows you to disable the max_request_per_minute API configuration option by setting its value to 0.
#6904 Ruleset versions for GET /cluster/{node_id}/info and GET /manager/info are deprecated and removed.
#6909 POST /groups endpoint is now changed to specify the group name in a JSON body instead of a query parameter.
#7312 PUT /active-response endpoint function is now changed to create messages with new JSON format.
#6366 The DELETE/agents query now integrates new parameters that allow you to easily remove agents that belong to a group. With this improvement, the older_than field is also removed from the response.
#7909 Login security controller is improved to avoid errors in Restful API reference links.
#8123 The PUT /agents/group/{group_id}/restart response format is now improved when there are no agents assigned to the group.
#8149 Agent keys used when adding agents through the Wazuh API are now obscured in the API log.
#8457 All agent-restart function of endpoints is now improved by removing the active-response check.
#8615 The performance of API request processing time is optimized by applying cache to token RBAC permissions extraction. Now, this process is invalidated if any resource related to the token is modified.
#8841 Wazuh default value set for the limit API parameter is 500, but now you can specify the maximum value to 100000.
#7588 The allow_run_as parameter is now removed from endpoints to create and update API users.
#7006 The behind_proxy_server option is now removed from configuration.

Framework

#8682 This enhancement improves the agent insertion algorithm when Authd is not available.
#6904 update_ruleset script is now deprecated and removed.

Ruleset

#7100 Wazuh now provides decoder support for UFW (Uncomplicated Firewall) and its log format. This improvement ensures the correct processing of Ubuntu default firewall logs.
#6867 The ruleset is updated and normalized to follow the Wazuh unified standard.
#7316 CIS policy "Ensure XD/NX support is enabled" is restored for SCA.

External dependencies

#8886 Boto3, botocore, requests, s3transfer, and urllib3 Python dependencies are now upgraded to their latest stable versions.
#9389 Python is now updated to the latest stable version 3.9.6.
GCP dependencies and pip are now upgraded to their latest stable versions.
python-jose is upgraded to version 3.1.0.
Wazuh now adds tabulate dependency.

Resolved issues

This release resolves known issues.

Cluster

Reference	Description
#6736	Memory usage is now optimized and improved when creating cluster messages.
#8142	Error when unpacking incomplete headers in cluster messages is now fixed. Now cluster communication works correctly and the process is completed successfully.
#8499	When iterating a file listed that is already deleted, the error message is now changed and shown as a debug message.
#8901	An issue with cluster timeout exceptions is now fixed.
#8872	An issue with KeyError that occurred when an error command is received in any cluster node is now fixed.

Core

Reference	Description
#6934	In FIM, setting `scan_time` to `12am` or `12pm` now works correctly.
#6802	In FIM, reaching the file limit no longer creates wrong alerts for events triggered in a monitored folder. Now, a new SQLite query fetches the information of all the files in a specific order.
#7105	The issue in Analysisd that reserved the static decoder field name `command` but was not evaluated is resolved. From now on, it is always treated as a dynamic decoder field.
#7073	The evaluation of fields in the `description` tag of roles now works correctly.
#6789	In FIM, errors that caused symbolic links not to work correctly are now fixed.
#7018	Path validation in FIM configuration is now fixed. Now, the process to validate and format a path from configuration is performed correctly.
#7018	The issue with `ignore` option in FIM where relative paths are not resolved is now fixed.
#7268	The issue in FIM that wrongly detected that the file limit was reached is now fixed and `nodes_count` database variable is checked correctly.
#7265	Alerts are now successfully generated in FIM when a domain user deletes a file.
#7359	Windows agent compilation with GCC 10 is now performed successfully.
#7332	Errors in FIM when expanding environment variables are now fixed.
#7476	Rule descriptions are now included in archives when the input event matches a rule, regardless of whether an alert was triggered or not.
#7495	The regex parser is fixed and it now accepts empty strings.
#7414	In FIM, an issue with `delete` events with real-time is now fixed. Now, deleted files in agents running on Solaris generate alerts and are correctly reported.
#7633	In Remoted, the priority header is no longer included incorrectly in Syslog when using TCP.
#7782	A stack overflow issue in the XML parsing is now fixed by limiting the levels of recursion to 1024.
#7795	Vulnerability Detector now correctly skips scanning all the agents in the master node that are connected to another worker.
#7858	Wazuh database synchronization module now correctly cleans dangling agent group files.
#7919	In Analysisd, a regex parser issue with memory leaks is now fixed.
#7905	A typo is fixed in the initial value for the hotfix scan ID in the agents' DB schema.
#8003	A segmentation fault issue is fixed in Vulnerability Detector when parsing an unsupported package version format.
#7990	In FIM, false positives were triggered due to file `inode` collisions in the engine DB. This issue is now fixed and FIM works properly when the `inode` of multiple files is changed.
#6932	An issue with error handling when wildcarded RHEL feeds are not found is now fixed.
#7862	The `equals` comparator is fixed for OVAL feeds in Vulnerability Detector. Now, equal versions in the OVAL scan are successfully compared.
#8098 #8143	In FIM, an issue that caused a Windows agent to crash when synchronizing a Windows Registry value that starts with a colon `:` is now resolved. `winagent` no longer crashes during the synchronization of registries.
#8151	A starving hazard issue in the Wazuh DB is fixed and there are no longer risks of incoming requests being stalled during database commitment.
#8224	An issue with race condition in Remoted that, under certain circumstances, crashes when closing RID files is now fixed. Remoted now locks the KeyStore in writing mode when closing RIDs.
#8789	This fix resolves a descriptor leak issue in the agent when it failed to connect to Authd.
#8828	An issue related to a potential error caused by a delay in the creation of Analysisd PID file when starting the manager is now fixed.
#8551	An invalid memory access hazard issue is fixed In Vulnerability Detector.
#8571	When the agent reports a file with an empty ACE list, it no longer causes an error at the manager in the FIM decoder.
#8620	This fix prevents the agent on macOS from getting corrupted after an operating system upgrade.
#8357	An error is fixed in the manager that prevented its configuration to be checked after a change by the API when Active response is disabled.
#8630	When removing an agent, the manager now correctly removes remote counters and agent group files.
#8905	This fix in the agent on Windows resolves the issue that might cause the FIM DB to be corrupted when disabling the disk sync.
#9364	Logcollector on Windows no longer crashes when handling the position of the file.
#9285	In Remoted, a buffer underflow hazard when handling input messages is now fixed.
#9547	In the agent, an issue that tried to verify the WPK CA certificate even when verification was disabled is now fixed.

API

Reference	Description
#7587	API messages for agent upgrade results are fixed and improved.
#7709	An issue with wrong user strings in API logs is fixed when receiving responses with status codes 308 or 404.
#7867	Newly added variable fixes API errors when `cluster` is `disabled` and `node_type` is `worker`.
#7798	API integration test mapping script is now updated, fixing redundant paths and duplicated tests.
#8014	API integration test case `test_rbac_white_all` no longer fails and a new test case for the enable/disable `run_as` endpoint is added for improved consistency.
#8148	An issue related to thread race condition when adding or deleting agents without `authd` is now fixed.
#8496	CORS (cross-origin resource sharing) is now fixed in API configuration, allowing lists to be added to `expose_headers` and `allow_headers`.
#8887	An issue related to api.log is fixed to avoid unhandled exceptions on API timeouts.

Ruleset

Reference	Description
#7837	`usb-storage-attached` regex pattern is now improved to support blank spaces.
#7645	SCA checks for RHEL 7 and CentOS 7 are now fixed.
#8111	Match criteria for AWS WAF rules are now fixed and improved.

Wazuh Kibana plugin

What's new

This release includes new features or enhancements.

#1434 A new Ruleset Test tool is added under the Tools menu and in the action bar of the Edit Rules and Edit Decoders sections. You can now test sample logs directly on the Wazuh user interface and see how the ruleset reacts to specific log messages.
#1434 Dev Tools feature is now moved under the new Tools menu and it is renamed as API Console.
#3056 Wazuh adds a new Stats section on the Agent data overview page that allows you to see the agent information retrieved by /agents/{agent_id}/stats/logcollector API endpoint.
#3069 A new vulnerability inventory is now added to the Vulnerability module, allowing you to see data on the CVE that affect your monitored agents.
#2925 In the Security events module, the Rows per page option of the Explore agent section is now configurable.
#3051 New reminder message and restart button are now displayed in the Rules, Decoders, and CDB lists sections of the management menu for you to restart the cluster or management after importing a file.
#3061 The API Console feature of the Tools menu now includes a logtest PUT sample for you to have as a reference.
#3109 A new button is added for you to recheck the API connection during a health check.
#3111 Wazuh adds a new wazuh-statistics template and new mapping for the indices.
#3126 When you deploy a new agent, a new link to the Wazuh documentation is added under the Start the agent step of the process for you to check if the connection to the manager is successful after adding a new agent.
#3238 When you deploy a new agent, a warning message is shown under the Install and enroll the agent step of the process to warn you about running the command on a host with an agent already installed. This action causes the agent package to be upgraded without enrolling the agent.
#2892 In the Integrity monitoring module, the Top 5 users result table is now changed to improve user experience.
#3080 The editing process of the allow_run_as user property is now adapted to the new PUT /security/users/{user_id}/run_as endpoint.
#3046 Some ossec references are now renamed to follow Wazuh unified standard.

Resolved issues

This release resolves known issues.

Wazuh Kibana plugin

Reference	Description
#3088	Only authorized agents are shown in the Agents stats and Visualizations dashboard.
#3095	Pending status option for agents is now included on the Agents overview page.
#3097	Index pattern setting is now applied when choosing from existing patterns.
#3108	An issue with space character missing on the deployment command when UDP is configured is now fixed.
#3110	When a node is selected in the Analysis Engine section of the Statistics page, you can now correctly see the statistics of the selected node.
#3114	When selecting a MITRE technique in the MITRE ATTACK module, the changed date filter of the flyout window no longer modifies the main date filter as well.
#3118	An issue with the name of the TCP sessions visualization is now fixed and the average metric is now changed to total TCP sessions.
#3120	Only authorized agents are correctly shown on the Events and Security alerts tables.
#3122	In the Agents module, Last keep alive data is now displayed correctly within the panel.
#3128	Wazuh Kibana plugin no longer redirects to the Settings page instead of the Overview page after a health check.
#3144	An issue with the Wazuh logo path in the Kibana menu when `server.basePath` setting is used is now fixed.
#3152	An issue related to a deprecated endpoint for creating agent groups is now fixed.
#3163	This fix resolves the issue caused when checking process for TCP protocol in Deploy a new agent window.
#3181	An issue with RBAC with agent group permissions is fixed. Now, when authorized agents are specified by their group instead of their IDs, you can successfully access the Security configuration assessment module, the Integrity monitoring module, and the Configuration window on the Agents page.
#3232	The index pattern is now successfully created when performing the health check, preventing an API-conflict error during this process.
#3569	Windows updates section is no longer displayed incorrectly when generating PDF reports for Linux agent inventories.
#3574	Error logging is now improved and some unnecessary error messages are removed.

Wazuh Splunk app

What's new

This release includes new features or enhancements.

#1024 In Discover view, the search query is changed to show the alert’s evolution.
#1066 In the Agents window of the Groups page, a new link is added to the result table to access Agent view.
#1052 Wazuh is now compatible with Python3. Python2 is now deprecated and removed.
#1058 The create group POST request is adapted to the latest Wazuh API changes.

Resolved issues

This release resolves known issues.

Splunk

Reference	Description
#944	Wazuh tools are now renamed to follow Wazuh unified standard. `ossec-control` is now `wazuh-control` and `ossec-regex` is now renamed as `wazuh-regex`.
#945	Wazuh daemons are now renamed to follow Wazuh unified standard.
#1020	An issue related to token cache duration is now fixed.
#1042	An issue with dynamic column's width for agents PDF report is now fixed.
#1045	The issue related to the app not loading when it is not connected to the API is now fixed and information is displayed correctly.
#1046	A styling issue with success toast message for saving agent configuration is now fixed.
#1059	A minor styling issue is now fixed and Export button on the Export Results window now works correctly when you hover over it.
#1063	A new error handler message is now added to the Alerts window of the Configuration page.
#1069	The error message that appears when adding an API and the connection fails is now fixed and the message content text is shown correctly.
#1021	An issue with the error toast message in search handler is fixed when the connection with forwarder fails.

Changelogs

More details about these changes are provided in the changelog of each component:

4.1.5 Release notes - 22 April 2021

This section lists the changes in version 4.1.5. More details about these changes are provided in the changelog of each component:

Wazuh core

Resolved issues

Reference	Description
4cbd1e8	Issue is fixed in Vulnerability Detector that made `modulesd` crash while updating the NVD feed due to a missing CPE entry.

Wazuh Kibana plugin

What's new

Wazuh Kibana plugin is now compatible with Wazuh 4.1.5.

Wazuh Splunk app

What's new

Wazuh Splunk app is now compatible with Wazuh 4.1.5.

4.1.4 Release notes - 25 March 2021

This section lists the changes in version 4.1.4. More details about these changes are provided in the changelog of each component:

Wazuh core

Resolved issues

This release resolves known issues.

Cluster

Reference	Description
#8017	Issue with the Wazuh manager worker nodes reconnection after restarting the Wazuh master node is fixed. Workers now successfully reconnect to the master node after it is restarted.

Wazuh Kibana plugin

What's new

This release includes new features or enhancements.

Wazuh Kibana plugin is now compatible with Wazuh 4.1.4.

4.1.3 Release notes - 23 March 2021

This section lists the changes in version 4.1.3. More details about these changes are provided in the changelog of each component:

Wazuh core

What's new

This release includes new features or enhancements.

External dependencies:

#7943 Python is upgraded from 3.8.6 to 3.9.2. This upgrading includes several Python dependencies to be compatible with the latest stable version.

Resolved issues

This release resolves known issues.

Core

Reference	Description
#7870	In File Integrity Monitoring, the issue with files' modification time on Windows is fixed. That prevents the agent from producing this error: `ERROR: (6716): Could not open handle for 'c:\test\untitled spreadsheet.xlsx'. Error code: 32`
#7873	Issue in Wazuh DB that truncated the output of the agents' status query towards the cluster is fixed.

API

Reference	Description
#7906	Validation for absolute and relative paths is modified to avoid inconsistencies. These changes in the `validator.py` module improve security verifications of paths.

Wazuh Kibana plugin

What's new

This release includes new features or enhancements.

#2985 In the Settings module, you can now create and configure a new index pattern after changing the default one. This improves user experience when retrieving data from indices for queries and visualizations.
#3039 In the Agents module, the node name information is now detailed in the agents' list and in the agent information section. With this enhancement, you can better visualize the cluster node to which each agent is reporting.
#3041 A new loading view is displayed when the user is logging some tabs. This improves user experience since permission prompts are no longer shown while updating a tab.
#3047 All date labels are changed to Kibana formatting time zone for consistency.
#3048 Custom messages are now added for each possible run_as setup. This improves the warning messages whenever run_as is not allowed.
#3049 When selecting a default API, the toast message is cleaner and shows the API host ID.

Resolved issues

This release resolves known issues.

Reference	Description
#3028	In Role mapping, the issue that caused unnecessary operators to be added when editing the role mapping is now fixed and no longer affects usability.
#3057	Issue with rule filter not applied when selecting a Rule ID in another module is now fixed. Now, the selected Rule ID is correctly applied throughout all modules.
#3062	Issue with changing master node configuration is now fixed. Now, the Wazuh API connection checking is completed successfully and no longer triggers an error when changing the configuration of the master node.
#3063	Issue with Wazuh crashing after reloading due to caching bundles is now fixed. Improved validations now prevent this issue from reoccurring.
#3066	Wrong variable declaration for macOS agents is now fixed.
#3084	Improved error handling when an invalid rule is configured. The file saving algorithm now prevents files with incorrect configurations from being saved.
#3086	Some errors in the Events table are now fixed. Action buttons of the `rule.mitre.tactic` column are repositioned correctly and Event links work after you add, remove, or move a column.

4.1.2 Release notes - 8 March 2021

This section lists the changes in version 4.1.2. More details about these changes are provided in the changelog of each component:

Wazuh core

Changed

Core

The default value of the agents_disconnection_time is set to 10 minutes, preventing false-positives alerts of disconnected agents.
In Remoted, the warning log of messages sent to disconnected agents is now changed to level-1 debug log.

API

API logs showing request parameters and body are now generated with API log level info instead of log level debug.

External dependencies

aiohttp is upgraded from 3.6.2 to 3.7.4.

Fixed

Issue with unit tests that randomly caused false failures is fixed.
Analysisd configuration now applies the json_null_fields setting successfully.
In Remoted, the ipv6 option checking ignores invalid values correctly.
Issue with rids_closing_time option checking in Remoted is now fixed.

Wazuh Kibana plugin

Changed

Some empty state messages have been improved.
The example host configuration in Add new API section now includes the setting run_as.

Fixed

SCA policy detail no longer shows name and check results of another policy.
Alerts are now correctly displayed in the alerts table when switching pinned agents.
In Role mapping, issue with data loading and Create Role mapping button is now fixed.
Pagination in SCA checks table when expanding a row now works correctly.
Issue with agent table showing suggestions with manager information is now fixed.
Loading of inventory is now disabled when a request fails.
Single nodes can be restarted using optional node-name parameter in cluster restart requests.
Pinned agents successfully trigger new filtered queries.
Issue with overlay of Wazuh menu when Kibana menu is opened or docked is now fixed.

4.1.1 Release notes - 25 February 2021

This section lists the changes in version 4.1.1. More details about these changes are provided in the changelog of each component:

Wazuh core

Added

External dependencies

Added cython (0.29.21) library to Python dependencies.
Added xmltodict (0.12.0) library to Python dependencies.

Changed

External dependencies

Upgraded Python version from 3.8.2 to 3.8.6.
Upgraded Cryptography python library from 3.2.1 to 3.3.2.
Upgraded cffi python library from 1.14.0 to 1.14.4.

API

Added raw parameter to GET /manager/configuration and GET cluster/{node_id}/configuration endpoints to load ossec.conf in XML format.

Fixed

API

An error with the RBAC permissions in the GET /groups endpoint.
A bug with Windows registries when parsing backslashes.
An error with the RBAC permissions when assigning multiple agent:group resources to a policy.
An error with search parameters when using special characters.

AWS Module

A bug that caused an error when attempting to use an IAM Role with CloudWatchLogs service.

Framework

A race condition bug when using RBAC expand_group function.
The migration process to overwrite default RBAC policies.

Core

A bug in the Windows agent that did not respect the buffer EPS limit.
A bug in Integratord that might lose alerts from Analysisd due to a race condition.
Silenced the error message when the Syslog forwarder reads an alert with no rule object.
A memory leak in Vulnerability Detector when updating NVD feeds.
Prevented FIM from raising false positives about group name changes due to a thread unsafe function.

Removed

API

Deprecated /manager/files and /cluster/{node_id}/files endpoints.

Wazuh Kibana plugin

Added

New prompt to show unsupported module for the selected agent.
Added an X-Frame-Options header to the backend responses.

Changed

Added toast with refresh button when new fields are loaded in dashboard.
Migrated the Wazuh API endpoints for manager and cluster files and their corresponding RBAC.
Enhanced generic statusCode error message to be more user friendly.

Fixed

A login error when AWS Elasticsearch and ODFE are used.
An error message that was displayed when changing a group configuration even when the user had the right permissions.
Disabled switch visual edit button when JSON content is empty in Role Mapping.
Disappearing menu and blank content when an unsupported agent (OS) is selected.
Forcing a non-numeric filter value in a number type field applying a filter in the search bar of dashboards and events.
Wrong number of alerts that were shown in Security Events.
Search using uncommon characters in Management groups of agents.
The SCA policy stats that did not refresh.
AWS index fields loading even when no AWS alerts were found.
Date fields format in FIM and SCA modules.
Recurrent error message in Manage agents when the user has no permissions.
An issue that prevented from editing empty rules and decoders files that already existed in the Wazuh manager.
Support for alerts index pattern with different IDs and names.
The unpin button in the selection modal of agents in the menu.
Close Wazuh API session when logging out from UI.
Missing && in macOS agent deployment command.
Prompt permissions on Mitre > Framework and Integrity monitoring > Inventory.

4.1.0 Release notes - 15 February 2021

This section lists the changes in version 4.1.0. More details about these changes are provided in the changelog of each component:

Highlights

Added support for regular expressions negation and PCRE2 format in rules and decoders.
New ruleset test module managed by the analysis daemon allowing testing sessions of rules and decoders.
New upgrade module that provides simultaneous agent upgrades in a single node or cluster architecture.
The Vulnerability Detector now supports macOS agents. These agents must be updated to 4.1 to scan vulnerabilities.
Support for AWS load balancers logs: Application Load Balancer, Classic Load Balancer, and Network Load Balancer.
Removed the limit on the number of agents a manager can support.
New endpoints to query and manage Rootcheck data.
Support for Open Distro for Elasticsearch 1.12.0.
Support for Elastic Stack basic license 7.10.0 and 7.10.2.

Wazuh core

Added

Core

Negation logic for rules.
Support for PCRE2 regular expressions in rules and decoders.
New ruleset test module managed by the analysis daemon allowing testing sessions of rules and decoders.
New upgrade module that provides simultaneous agent upgrades in a single node or cluster architecture. WPK upgrade functionality has been moved to this module.
New task module that collects and manages all the upgrade tasks executed in the agents or managers.
Let the time interval to detect that an agent got disconnected configurable. Deprecate parameter DISCON_TIME.
Vulnerability Detector support for macOS.
Capability to perform FIM on values in the Windows Registry.

API

New endpoints to query and manage rootcheck data.
New endpoint to check task status.
New endpoints to run the logtest tool and delete a logtest session.
debug2 mode for API log and improved debug mode.

AWS module

Support for AWS load balancers logs: Application Load Balancer, Classic Load Balancer, and Network Load Balancer.

Framework

New framework modules to use the logtest tool.
Improved q parameter on rules, decoders, and cdb-lists modules to allow multiple nested fields.

Changed

Core

Removed limit on the number of agents that a manager can support.
Migration of rootcheck results to Wazuh DB to remove the files with the results of each agent.
New mechanism to close RIDS files when agents are disconnected.
Moved CA configuration section to verify WPK signatures from the active-response section to the agent-upgrade section.
The ossec-logtest tool is deprecated and replaced by wazuh-logtest, which uses a new testing service integrated in Analysisd.
Modified the error message to debug when multiple daemons attempt to remove an agent simultaneously.
Replaced the error message with a warning when the agent fails to reach a module.

API

The status parameter behavior in the DELETE /agents endpoint to enhance security.
Allow agent upgrade endpoints to accept a list of agents, maximum 100 agents per request.
Improved input validation regexes for names and array_names.

Framework

Refactored framework to work with the new upgrade module.
Refactored agent upgrade CLI to work with the new upgrade module. It distributes petitions in a clustered environment.
Rule and decoder details structure to support PCRE2.
Refactored framework to adapt agent status changes in wazuh.db.
Improved the performance of AWS Config integration by removing alert fields with variables such as Instance ID in its name.

Fixed

Core

An error in analysisd when getting the ossec group ID.
Prevented FIM from reporting configuration error when patterns in settings match no files.
The array parsing when building JSON alerts.
Added Firefox ESR to the CPE helper to distinguish it from Firefox when looking for vulnerabilities.
The evaluation of packages from external sources with the official vendor feeds in Vulnerability Detector.
The handling of duplicated tags in the Vulnerability Detector configuration.
The validation of hotfixes gathered by Syscollector.
The reading of the Linux OS version when /etc/os-release does not provide it.
A false positive when comparing the minor target of CentOS packages in Vulnerability Detector.
A zombie process leaks in modulesd when using commands without a timeout.
A race condition in Remoted that might create agent-group files with wrong permissions.
A warning log in Wazuh DB when upgrading the global database.
A bug in FIM on Windows that caused false positives due to changes in the host timezone or the daylight saving time when monitoring files in a FAT32 filesystem.

API

An error with /groups/{group_id}/config endpoints (GET and PUT) when using complex localfile configurations.

Framework

A cluster_control bug that caused an error message when running wazuh-clusterd in foreground.

Wazuh Kibana plugin

Added

Check the Kibana max buckets config by default in health-check and increase them.
A warning in the role mapping section if the run_as setting is disabled.
A label to indicate that the wui_ rules only apply to the wazuh-wui API user.

Changed

Adapted the Wazuh Kibana plugin to the new Kibana platform.
Wazuh config directory moved from /usr/share/kibana/optimize to /usr/share/kibana/data Kibana directory.
Support on FIM Inventory Windows Registry for the new scheme with registry_key and registry_value from syscheck.
Uncheck agents after an action in agents groups management.
Unsave rule files when editing or creating a rule with invalid content.
Replaced Wazuh API user with wazuh-wui in the default configuration.
Add agent id to the reports name in Agent Inventory and Modules.
Allow access to the Agents section with agent:group resource permission.
Added vulnerabilities module for macOS agents.

Fixed

Server error Invalid token specified: Cannot read property 'replace' of undefined.
Show empty rules and decoders files.
Wrong hover texts in CDB list actions.
Access to forbidden agents information when exporting agents list.
The complex search using the Wazuh API query filter in search bars.
Validation to check if userPermissions are not ready yet.
Agents table OS field sorting: Changed agents table field os_name to os.name,os.version to make it sortable.
Different parsed datetime between agent detail and agents overview table.
An error with the agents status pie chart tooltip that did not display the number of agents on the first hover.
Menu crash when Solaris agents are selected.
Report's creation dates set to 1970-01-01T00:00:00.000Z in some OS.
Missing commands for Ubuntu/Debian and CentOS on the Deploy new agent section.
Different hours displayed on Alerts List section in some dashboards.
Permissions to access agents when policy agent:read is set.
SCA permissions for agents views and dashboards.
Settings of statistics indices creation that did not work properly.

Wazuh ruleset

Added

The ruleset update tool is now able to bypass the version check with the force option.
New AWS Config-History rules to make it more granular by including every item status supported.
Several hundred new SCA policies for various operating systems.

Changed

FIM rules have been adapted to the improvements for Windows Registry monitoring.

Fixed

Updated MITRE techniques in web rules.
Sonicwall predecoder to accept whitespaces at the beginning.

4.0.4 Release notes - 14 January 2021

This section lists the changes in version 4.0.4. More details about these changes are provided in the changelog of each component:

Wazuh core

Added

API

Missing secure headers for API responses to fulfill the OWASP recommendations.
New option to disable uploading configurations containing remote commands.
New option to choose the SSL ciphers. Default value TLSv1.2.

Changed

API

Restore and update API configuration endpoints have been deprecated.
JWT token expiration time set to 15 minutes.

Fixed

API

Fixed a path traversal flaw (CVE-2021-26814) affecting 4.0.0 to 4.0.3 at /manager/files and /cluster/{node_id}/files endpoints. This vulnerability allowed authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service could exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service script. Thanks to Davide Meacci for reporting this vulnerability.

Framework

Bug with client.keys file handling when adding agents without authd.

Core

The purge of the Redhat vulnerabilities database before updating it.

Wazuh Kibana plugin

Added

Support for Wazuh v4.0.4.

4.0.3 Release notes - 30 November 2020

This section lists the changes in version 4.0.3. More details about these changes are provided in the changelog of each component:

Wazuh core

Fixed

API

API timeouts with GET /agents call in loaded cluster environments.
Timeout issue related with GET /manager/configuration/validation and GET /cluster/configuration/validation in big environments.
Timeout and performance issue related with GET /overview agents request in loaded cluster environments.

Wazuh Kibana plugin

Added

Support for Wazuh v4.0.3.

4.0.2 Release notes - 24 November 2020

This section lists the changes in version 4.0.2. More details about these changes are provided in the changelog of each component:

Wazuh core

Added

Core

Version detection in the agent for macOS Big Sur.

Changed

API

GET /agents/summary/os, GET /agents/summary/status and GET /overview/agents will no longer consider 000 as an agent.
Increased to 64 the maximum number of characters that can be used in security users, roles, rules, and policies names.

Fixed

API

Error with POST /security/roles/{role_id}/rules when removing role-rule relationships with admin resources.
Timeout error with GET /manager/configuration/validation when using it in a slow environment.

Framework

Error with some distributed requests when the cluster configuration is empty.
Special characters in default policies.

Core

Bug in Remoted that limited the maximum agent number to MAX_AGENTS-3 instead of MAX_AGENTS-2.
Error in the network library when handling disconnected sockets.
Error in FIM when handling temporary files and registry keys exceeding the path size limit.
Bug in FIM that stopped monitoring folders pointed by a symbolic link.
Race condition in FIM that could cause Syscheckd to stop unexpectedly.

Wazuh Kibana plugin

Added

Support for Wazuh v4.0.2.

Changed

An alert summary table is now included in PDF reports of all modules.
Authentication with run_as is now available for other users besides wazuh-wui.
A notification is now displayed when no agents have been registered.
API security entities between 0 and 99 are now reserved.

Fixed

Manager restart in rule editor with Wazuh cluster enabled.
Restored the tables in the agents reports.
Corrected the subtraction of managers (agent 000) in agent count considering the RBAC permissions of the current user.
Changes done via a worker API were overwritten.
Default user field in Security Role mapping is now provided depending on whether ODFE or X-Pack is installed.
Bug that replaced index-pattern title with its ID during the updating process.

4.0.1 Release notes - 11 November 2020

This section lists the changes in version 4.0.1. More details about these changes are provided in the changelog of each component:

Wazuh core

Changed

Framework

Updated Python cryptography library to version 3.2.1.

Fixed

API

Added missing agent:group resource to the RBAC catalog. This prevented the Wazuh Kibana plugin from obtaining the correct information from the RBAC catalog.
Changed limit parameter behavior in GET sca/{agent_id}/checks/{policy_id} endpoint and fixed some information loss when paginating wdb.
Fixed an error with GET /security/users/me when logged in with run_as. This endpoint must return the permissions and information of the user who makes the request. However, when the user was authenticated through auth_context, this endpoint did not return the permissions granted by this method.

Framework

Fixed zip files compression and handling in cluster integrity synchronization.

Core

Fixed version matching when assigning a feed in the Vulnerability Detector.
Improved permissions on Windows agent. Users with limited privileges will now be unable to read the contents of the Wazuh agent folder.
Fixed a bug that may lead the agent to crash when reading an invalid Logcollector configuration.

Wazuh Kibana plugin

Added

Support for Wazuh v4.0.1.

Fixed

Fixed icons that did not align correctly in Modules > Events.
Fixed statistics visualizations that did not show data.
Fixed error on loading CSS files.
Fixed search filter in the search bar in Module/SCA that was not working.

Wazuh ruleset

Fixed

Removed duplicated Windows rules for EventChannel. These extra rules were preventing certain events from triggering alerts.

4.0.0 Release notes - 23 October 2020

This section lists the changes in version 4.0.0. More details about these changes are provided in the changelog of each component:

Highlights

The agent enrollment is now performed on the main daemon initialization. There is no need to request a key using an external CLI anymore. Agents are now able to request a key to the manager on their own if no key was defined on startup or if the manager has rejected the connection (Agents in 3.x version are still 100% compatible with 4.x version).
Wazuh API RBAC: Configure users, roles, and policies to manage access permissions. Wazuh WUI now permits granular control over access to resources depending on user roles, this will allow enterprises to manage user accounts that fulfill different functions in the security of the environment.
Wazuh API is now embedded in the Wazuh manager.
Wazuh manager and agents will use TCP as the default communication protocol.
The Windows agent MSI installer is now signed using DigiCert instead of GlobalSign. DigiCert is known for being present on more Windows versions including the oldest ones.
FIM implements now a set of settings to control the module temporal files disk usage. This means that now we can choose the amount of disk space used by the report change utility. The diff option reports changes in the monitored files, to do so, it creates a compressed copy of the file and checks if it changes. This method may use a lot of disk space. Wazuh 4.0 introduces new capabilities to limit the space used.

Breaking changes

The agent-auth tool starts the deprecation cycle (to be deprecated in v5.0.0). The agent registration on demand will still be available using CLI.
The API is now embedded in the Wazuh manager, no wazuh-api package will be installed anymore.
Wazuh manager and agents are no longer using UDP as the default communication protocol. TCP is enabled by default.
OpenSCAP policies removed from RPM and DEB packages. Folder present policies in the agent installation will be removed.

Wazuh core

Added

Wazuh API

Embedded Wazuh API with Wazuh Manager, there is no need to install Wazuh API.
Migrated Wazuh API server from NodeJS to Python.
Added asynchronous aiohttp server for the Wazuh API.
The new Wazuh API is approximately 5 times faster on average.
Added OpenAPI based Wazuh API specification.
Improved Wazuh API reference documentation based on OpenAPI spec using redoc.
Added a new yaml Wazuh API configuration file.
Added new endpoints to manage API configuration and deprecated configure_api.sh.
Added RBAC support to Wazuh API.
Added new endpoints for Wazuh API security management.
Added SQLAlchemy ORM based database for RBAC.
Added a new JWT authentication method.
Wazuh API up and running by default in all nodes for a clustered environment.
Added new and improved error handling.
Added tavern and docker based Wazuh API integration tests.
Added new and unified Wazuh API response structure.
Added new endpoints for Wazuh API users management.
Added a new endpoint to restart agents that belong to a node.
Added and improved q filter in several endpoints.
Tested and improved Wazuh API security.
Added DDOS blocking system.
Added brute force attack blocking system.
Added content-type validation.
Added and updated framework unit tests to increase coverage.
Added improved support for monitoring paths from environment variables.
Added auto-enrollment capability. Agents are now able to request a key from the manager if the current key is missing or wrong.

Vulnerability Detector

Redhat vulnerabilities are now fetched from OVAL benchmarks.
Debian vulnerable packages are now fetched from the Security Tracker.
The Debian Security Tracker feed can be loaded from a custom location.
Allow compressed feeds for offline updates.
The manager now updates the MSU feed automatically.
CVEs with no affected version defined in all the feeds are now reported.
CVEs vulnerable for the vendor and missing in the NVD are now reported.

Changed

Changed multiple Wazuh API endpoints.
Refactored framework module in SDK and core.
FIM Windows events handling refactored.
Changed framework to access global.db using wazuh-db.
Changed agent-info synchronization task in Wazuh cluster.

Fixed

Fixed an error with the last scan time in syscheck endpoints.
Added support for monitoring directories that contain commas.
Fixed a bug where configuring a directory to be monitored as realtime and whodata resulted in realtime prevailing.
Fixed using an incorrect mutex while deleting inotify watches.
Fixed a bug that could cause multiple FIM threads to request the same temporary file.
Fixed a bug where deleting a file permanently in Windows would not trigger an alert.
Fixed a typo in the file monitoring options log entry.
Fixed an error where monitoring a drive in Windows under scheduled or realtime mode would generate alerts from the recycle bin.
When monitoring a drive in Windows in the format U:, it will monitor U:\ instead of the agent's working directory.
Fixed a bug where monitoring a drive in Windows with recursion_level set to 0 would trigger alerts from files inside its subdirectories.
Fixed an Azure wodle dependency error. The package azure-storage-blob>12.0.0 does not include a component used.

Vulnerability Detector

Vulnerabilities of Windows Server 2019 which do not affect to Windows 10 were not being reported.
Vulnerabilities patched by a Microsoft update with no supersedence were not being reported.
Vulnerabilities patched by more than one Microsoft update were not being evaluated against all the patches.
Duplicated alerts in Windows 10.
Syscollector now discards hotfixes that are not fully installed.
Syscollector now collects hotfixes that were not being parsed.

Removed

Removed Wazuh API cache endpoints.
Removed Wazuh API rootcheck endpoints.
Deprecated Debian Jessie and Wheezy for Vulnerability Detector (EOL).

Wazuh Kibana plugin

Added

Support for Wazuh v4.0.0.
Support for Kibana v7.9.1 and v7.9.2.
Support for Open Distro 1.10.1.
Added a RBAC security layer integrated with Open Distro and X-Pack.
Added remoted and analysisd statistics.
Expand supported deployment variables.
Added new configuration view settings for GCP integration.
Added logic to change the metafields configuration of Kibana.

Changed

Migrated the default index-pattern to wazuh-alerts-*.
Removed the known-fields functionality.
Security Events dashboard redesigned.
Redesigned the app settings configuration with categories.
Moved the wazuh-registry file to Kibana optimize folder.

Fixed

Format options in wazuh-alerts index-pattern are not overwritten now.
Prevent blank page in detail agent view.
Navigable agents name in Events.
Index pattern is not being refreshed.
Reporting fails when agent is pinned and compliance controls are visited.
Reload rule detail does not work properly with the related rules.
Fix search bar filter in Manage agent of group.

Wazuh ruleset

Changed compliance rules groups and removed alert_by_email option by default.
Let the Ruleset update tool pick up the current version branch by default.

Wazuh packages

Added

Added Open Distro for Elasticsearch packages to Wazuh's software repository.

Changed

Wazuh services are no longer enabled nor started in a fresh install.
Wazuh services will be restarted on upgrade if they were running before upgrading them.
Wazuh API and Wazuh Manager services are unified in a single wazuh-manager service.
Wazuh plugin for Kibana package has been renamed.
Wazuh VM now uses Wazuh and Open Distro for Elasticsearch.

Fixed

Unit files for systemd are now installed on /usr/lib/systemd/system.
Improved the upgrade of unit files.
ossec-init.conf file now shows the build date for any system.
Fixed an error setting SCA file permissions on .deb packages.

Removed

The Wazuh API package has been removed. Now, the Wazuh API is embedded into the Wazuh Manager installation.
Removed OpenSCAP files and integration.

Wazuh documentation

Added

Added instructions to install Wazuh along with Open Distro for Elasticsearch.
Added scripts, created by the Wazuh team, that allow the user to install Wazuh and Elastic Stack automatically.
Added tabs in the installation guide to ease the navigation through the different options available.
Added a 'More installation alternatives' section that provides instructions on how to install Wazuh along with commercial options like Elastic Stack basic license or Splunk. This section also includes instructions on how to install Wazuh from sources.

Changed

Reorganized the installation guide to help the user through the installation process of Wazuh and Elastic Stack in a single section.
Split the installation guide in all-in-one installation and distributed deployment.
Reorganized the upgrade guide.

3.x

This section summarizes the most important features of each Wazuh 3.x release.

Wazuh version	Release date
3.13.6	19 September 2022
3.13.5	24 August 2022
3.13.4	30 May 2022
3.13.3	28 April 2021
3.13.2	22 September 2020
3.13.1	15 July 2020
3.13.0	22 June 2020
3.12.3	30 April 2020
3.12.2	9 April 2020
3.12.1	8 April 2020
3.12.0	24 March 2020
3.11.4	25 February 2020
3.11.3	28 January 2020
3.11.2	22 January 2020
3.11.1	10 January 2020
3.11.0	23 December 2019
3.10.2	23 September 2019
3.10.1	19 September 2019
3.10.0	18 September 2019
3.9.5	8 August 2019
3.9.4	7 August 2019
3.9.3	9 July 2019
3.9.2	10 June 2019
3.9.1	21 May 2019
3.9.0	2 May 2019
3.8.2	31 January 2019
3.8.1	24 January 2019
3.8.0	18 January 2019
3.7.2	17 December 2018
3.7.1	5 December 2018
3.7.0	10 November 2018
3.6.1	7 September 2018
3.6.0	29 August 2018
3.5.0	10 August 2018
3.4.0	24 July 2018
3.3.1	18 June 2018
3.3.0	8 June 2018
3.2.4	1 June 2018
3.2.3	28 May 2018
3.2.2	7 May 2018
3.2.1	2 March 2018
3.2.0	8 February 2018
3.1.0	22 December 2017
3.0.0	3 December 2017

3.13.6 Release notes - 19 September 2022

This section lists the changes in version 3.13.6. More details about these changes are provided in each component changelog:

Wazuh core

#14823 A path traversal flaw in Active Response affecting agents from v3.6.1 is fixed.

Wazuh Kibana app

Support for Wazuh v3.13.6.

Wazuh Splunk

Support for Wazuh v3.13.6.

3.13.5 Release notes - 24 August 2022

This section lists the changes in version 3.13.5. More details about these changes are provided in each component changelog:

Wazuh Kibana app

#4336 Sanitize the report's inputs and usernames.

Wazuh Splunk

Support for Wazuh v3.13.5.

3.13.4 Release notes - 30 May 2022

This section lists the changes in version 3.13.4. More details about these changes are provided in each component changelog:

Wazuh core

A crash in Vulnerability Detector when scanning agents running on Windows is now fixed (backport from 4.3.2).

Wazuh Kibana app

Support for Wazuh v3.13.4.

Wazuh Splunk

Support for Wazuh v3.13.4.

3.13.3 Release notes - 28 April 2021

This section lists the changes in version 3.13.3. More details about these changes are provided in each component changelog:

Wazuh core

Issue is fixed in Vulnerability Detector that made modulesd crash while updating the NVD feed due to a missing CPE entry.

Wazuh Kibana app

Support for Wazuh v3.13.3.

Wazuh Splunk

Support for Wazuh v3.13.3.

3.13.2 Release notes - 22 September 2020

This section lists the changes in version 3.13.2. More details about these changes are provided in each component changelog:

Wazuh core

Updated the default NVD feed URL from 1.0 to 1.1 in Vulnerability Detector.

Wazuh Kibana app

Support for Wazuh v3.13.2.

Wazuh Splunk

Support for Wazuh v3.13.2.

3.13.1 Release notes - 15 July 2020

This section lists the changes in version 3.13.1. More details about these changes are provided in each component changelog:

Wazuh core

Added the settings <max_retries> and <retry_interval> to adjust the amount of connection retries and the agent failover interval.
Fixed Modulesd crash caused by Vulnerability Detector when OS inventory is disabled for the agent.

Wazuh Kibana app

Support for Wazuh v3.13.1.

Wazuh API

New validator added to the endpoint /sca/:agent_id/checks/:policy_id that allows using filter the SCA checks by reason, status, and command.

Wazuh Splunk

Support for Wazuh v3.13.1.
Support for Splunk v8.0.4.
Updated references of the field vulnerability.reference to vulnerability.references.
Fixed wazuh-monitoring indices on Splunk 8.0+ version.

3.13.0 Release notes - 22 June 2020

This section lists the changes in version 3.13.0. More details about these changes are provided in each component changelog:

Wazuh core

Added

Included the NVD as a feed for Linux agents in vulnerability detector.
Improved the vulnerability detector engine to correlate alerts between different feeds.
Added vulnerability detector module unit testing for Unix source code.
Added a timeout to the updates of the vulnerability detector's feeds to prevent hangings.
Added option for the JSON decoder to choose the treatment of array structures.
Added mode value (real-time, Who-data, or scheduled) as a dynamic field in FIM alerts.
Added a field to configure the maximum files to be monitored by the FIM module.
New module to pull and process logs from Google Cloud Pub/Sub service.
Added support for mapping rules with MITRE ATT&CK framework.
Added as a dependency Microsoft's Software Update Catalog used by vulnerability detector.
Added support for aarch64 and armhf architectures.

Changed

Decreased event fetching delay from 10 miliseconds to 5 miliseconds in FIM modes real-time and whodata (rt_delay).
Who-data includes new fields: process CWD, parent process id, and CWD of parent process.
FIM now allows to rename/delete files while calculating their hash.
Extended the statics fields comparison in the ruleset options.
The state field has been removed from vulnerability alerts.
The NVD is now the primary feed for the vulnerability detector in Linux.
Removed OpenSCAP policies installation and configuration block.
Changed same/different_systemname for same/different_system_name in Analysisd static filters.
Updated the internal Python interpreter from v3.7.2 to v3.8.2.

Other fixes and improvements

Fixed a bug that occasionally, kept the memory reserved when deleting monitored directories in FIM.
Fixed and issue regarding inotify watchers allocation when modifying directories in FIM real-time.
Fixed an error that caused the alerts deletion with a wrong path in Who-data mode.
Fixed an issue that did not generate alerts in Who-data mode when a subdirectory was added to the monitored directory in Windows.
Avoided the truncation of the full log field of the alert when the path is too long.
When there is a failure setting policies in Windows, FIM will automatically change from Who-data to real-time mode.
Fixed an error that prevented from restarting Windows agents from the manager.
Fixed an error that did not allow the usage of the tag URL by configuring the NVD in a vulnerability detector module.
Fixed TOCTOU condition in Clusterd when merging agent-info files.
Fixed race condition in Analysisd when handling accumulated events.
Avoided to count links when generating alerts for ignored directories in Rootcheck.
Fixed typo in the path used for logging when disabling an account.
Fixed an error when receiving different Syslog events in the same TCP packet.
Fixed a bug in vulnerability detector on Modulesd when comparing Windows software versions.
Fixed a bug that caused an agent's disconnection time not to be displayed correctly.
Optimized the function to obtain the default gateway.
Fixed host verification when signing a certificate for the manager.
Fixed possible duplicated ID on client.keys adding new agent through the API with a specific ID.
Avoid duplicate descriptors using wildcards in localfile configuration.
Guaranteed that all processes are killed when service stops.
Fixed mismatch in integration scripts when the debug flag is set to active.

Wazuh Kibana App

Added

Support for Wazuh v3.13.0.
Support for Kibana v7.7.1
Support for Open Distro 1.8
Added new navigation experience with a global menu.
Added a breadcrumb in Kibana top nav.
Added a new Agents Summary Screen.
Added a new feature to add sample data to dashboards.
Added MITRE integration.
Added Google Cloud Platform integration.
Added TSC integration.
Added a new integrity monitoring state view for agent.
Added a new integrity monitoring files detail view.
Added a new component to explore compliance requirements.

Changed

Code migration to React.js.
Global review of styles.
Unified Overview and Agent dashboards into new Modules.
Changed vulnerabilities' dashboard visualizations.

Fixed

Fixed Open Distro tenants to be functional.
Improved navigation performance.
Avoid creating the wazuh-monitoring index pattern if it is disabled.
SCA checks without compliance field could not be expanded.

Wazuh API

Added

Added new API requests:
- GET/mitre
- GET/rules/mitre
- GET/rules/tsc
Added new filters in request GET/rules:
- mitre: Filters the rules by mitre requirement.
- tsc: Filters the rules by tsc requirement.

Changed

Increased the maximum allowed size of the files to be uploaded from 1MB to 10MB. This change applies to:
- POST /manager/files
- POST /cluster/:node_id/files
- POST /agents/groups/:group_id/configuration
- POST /agents/groups/:group_id/files/:file_name

Wazuh ruleset

Added

Added rules and decoders for macOS sshd logs.
Added TSC/SOC compliance mapping.
Added rules and decoders for PaloAlto logs.
Added rules and decoder to monitor the FIM database status.
Added rules for WAF.

Changed

Changed description of vulnerability detector rules.
Changed squid decoders.

Fixed

Fixed the provider name so that Windows Eventlog's logs match with the Wazuh rules.
Fixed static filters related to the system_name field.
Removed trailing whitespaces in the group name section of the ruleset.
Removed invalid zeroes from rules id.

Wazuh Splunk

Support for Wazuh v3.13.0

3.12.3 Release notes - 30 April 2020

This section lists the changes in version 3.12.3. More details about these changes are provided in each component changelog:

Wazuh core

Disabled WAL in databases handled by Wazuh DB to save disk space.

Fixed a bug in Remoted that could prevent agents from connecting in UDP mode.

Fixed a bug in the shared library that caused that daemons could not find the ossec group.

Prevented Syscollector from falling into an infinite loop when failed to collect the Windows hotfixes.

Fixed a memory leak in the system scan by Rootcheck on Windows.

Fixed a bug in Logcollector that caused that the out_format option did not apply for the targeted agent.

Fixed a bug that caused FIM could not handle large inode numbers correctly.

Fixed a bug that made ossec-dbd crash due to a bad mutex initialization.

Wazuh Kibana App

Support for Wazuh v3.12.3

Wazuh Splunk

Support for Wazuh v3.12.3

3.12.2 Release notes - 9 April 2020

This section lists the changes in version 3.12.2. More details about these changes are provided in each component changelog:

Wazuh core

Fixed a bug in Vulnerability Detector that made wazuh-modulesd crash when parsing the version of a package from a RHEL feed.

Wazuh Kibana App

Support Wazuh 3.12.2.

Wazuh Splunk

Support for Wazuh v3.12.2

3.12.1 Release notes - 8 April 2020

This section lists the changes in version 3.12.1. More details about these changes are provided in each component changelog:

Wazuh core

Updated MSU catalog on 31/03/2020.
Fixed XML validation with paths ending in \.
Fixed compatibility with the Vulnerability Detector feeds for Ubuntu from Canonical, that are available in a compressed format.
Added missing field database to the FIM on-demand configuration report.
Fixed a bug in Logcollector that made it forward a log to an external socket infinite times.
Fixed a buffer overflow when receiving large messages from Syslog over TCP connections.
Fixed a malfunction in the Integrator module when analyzing events without a certain field.
Removed support for Ubuntu 12.04 (Precise) in Vulneratiliby Detector as its feed is no longer available.

Wazuh Kibana App

Support Wazuh 3.12.1
Added new FIM settings on configuration on demand.
Updated agent's variable names in deployment guides.
Pagination is now displayed as tables.

Wazuh ruleset

Fixed the Dropbear brute force rule entrypoint.

Wazuh Splunk

Support for Wazuh v3.12.1.
Added new FIM settings on configuration on demand.

3.12.0 Release notes - 24 March 2020

This section lists the changes in version 3.12.0. More details about these changes are provided in each component changelog:

Wazuh core

File integrity monitoring

Added synchronization capabilities for FIM.
Added SQL database for the FIM module. Its storage can be switched between disk and memory.
Added FIM module unit testing for Unix source code.
Added FIM module unit testing for Windows source code.
Moved the FIM logic engine to the agent.

Logcollector

Avoided reopening the current socket when Logcollector fails to send an event.
Prevent Logcollector from starving when has to reload files.
Made Logcollector continuously attempt to reconnect with the agent daemon.

AWS

Added support for monitoring Cisco Umbrella S3 buckets.
Added support for monitoring AWS S3 buckets in GovCloud regions.

Other fixes and improvements

Added multi-target support for unit testing
Added a status validation when starting Wazuh.
Added automatic reconnection with the Eventchannel service when it is restarted.
Made Windows agents send the keep-alive independently.
Source IP address checking by default in the registration process is no longer enforced.
Fixed a small memory leak in clustered.
Fixed a crash in the fluent forwarder when SSL is not enabled.
Replaced non-reentrant functions to avoid race condition hazards.
Fixed the registration of more than one agent as any when forcing to use the source IP address.
Fixed Windows upgrades in custom directories.
Fixed the format of the alert payload passed to the Slack integration.

Wazuh Kibana App

Support for Wazuh v3.12.0
Added a new setting to hide manager alerts from dashboards.
Added a new setting to be able to change API from the top menu.
Added a new setting to enable/disable the known fields health check.
Added suport for PCI 11.2.1 and 11.2.3 rules.
Restructuration of the optimize/wazuh directory.
Improved performance of Dasboards reports generation.
Discover time range selector is now displayed on the Cluster section.
Added the win_auth_failure rule group to Authentication failure metrics.
Negative values in Syscheck attributes now have their correct value in reports.

Wazuh API

Enabled HTTPS by default in installation script.
Added distinct parameter to syscheck endpoints.
Added condition field to SCA endpoints.
Fixed a bug that made requests not being distributed to the selected node_id.

Wazuh ruleset

Extended the rules to detect shellshock attacks.
Updated Roundcube decoder to support versions greater than 1.4.
Added rules and decoders for Junos.
Fixed GPG requirement in Windows rules.
Improved Cisco decoders and fixed Owlh rule's IDs conflict.
Fixed checkpoint decoders to read events with a different format.

3.11.4 Release notes - 25 February 2020

This section lists the changes in version 3.11.4. More details about these changes are provided in each component changelog:

wazuh/wazuh

Wazuh core

Agent

Fixed a bug on Agentd that prevented agents from resolving host names after initialization.

3.11.3 Release notes - 28 January 2020

This section lists the changes in version 3.11.3. More details about these changes are provided in each component changelog:

wazuh/wazuh

Wazuh core

Agent

Fixed a bug in Rootcheck on Windows that caused false positives about file size mismatch.

3.11.2 Release notes - 22 January 2020

This section lists the changes in version 3.11.2. More details about these changes are provided in each component changelog:

Wazuh core

Security Configuration Assessment

Fixed handler leaks on SCA module for Windows agents.

Vulnerability Detector

The module needed around 1 GB memory during the NVD feed fetch. The memory usage now remains on a few hundred MBs.

Rootcheck

Fixed bug on Rootcheck scan that led to 100% CPU usage spikes. The <readall> option was wrongly applied, even when disabled.
Fixed handler leaks on Rootcheck module for Windows agents.

Other fixes and improvements

Fixed a memory leak in Clusterd: the RAM usage was steadily climbing through the days until the memory was exhausted.
Ruleset update lead to incorrect VERSION file permissions.
The Slack integration now correctly handles alerts with no description.

Wazuh UI for Kibana

Increased list filesize limit for the CDB-list.
The XML validator now correctly handles the -- string within comments.

3.11.1 Release notes - 10 January 2020

This section lists the changes in version 3.11.1. More details about these changes are provided in each component changelog:

wazuh/wazuh

Wazuh core

Fixed a bug in the manager that made Analysisd max out the CPU usage when decoding logs from Windows Eventchannel.

3.11.0 Release notes - 23 December 2019

This section shows the most relevant improvements and fixes in version 3.11.0. More details about these changes are provided in each component changelog:

Wazuh core

Vulnerability detector

Windows support. Thanks to a combination of NVD feed and the Microsoft Security guide, the module is able to detect system vulnerabilities and software vulnerabilities.
Added support for Debian 10 and RHEL 8.
Vulnerability detector alerts include PCI-DSS mapping.

Inventory

Added extraction for Windows Security Updates (hotfixes).
Processes and ports are now supported in macOS.

Log collection

Allowed JSON escaping for logs in the output format.
Added the host's primary IP address in the output format.
Wildcards don't detect directories as log files any more.

Analysis engine

Frequency based rules aggregate the counter for the same event source by default. Introduced a new setting to toggle this behavior: global_frequency.
Fields protocol, system_name, data and extra_data can now be used for event matching in rules creation.
The ossec-makelist binary has been deprecated. The Analysisd daemon will compile the CDB lists on the startup.

Other fixes and improvements

The Wazuh agent now waits until the network service is ready before start.
The agent key request service now displays a warning message when registering to an unverified manager.
Improved <address> field validation at agent start up.
Windows EventChannel alerts now include the full message with the coded field translation.

Wazuh API

The query parameter (q) now can be used for filtering rules, decoders and logs.
New endpoint I: PUT /agents/group/{group_id}/restart for restarting all agents assigned to a group.
New endpoint II: GET /syscollector/:agent_id/hotfixes for listing the system hotfixes (Windows).
Improved error descriptions for the PUT /agents/:agent_id/upgrade_custom API call.

Wazuh Ruleset

New decoders and rules for McAfee ePolicy Orchestrator.
Added rules to collect events related to the Windows firewall.
OSQuery logs related to internal messages appear in alerts.

Wazuh WUI for Kibana

Support for Kibana: v6.8.6, v7.5.1.
Support for OpenDistro: v1.3.0.
The API credentials configuration has been migrated from the .wazuh index to the wazuh.yml configuration file. Now the hosts API configuration is managed from this configuration file instead from the WUI.
Reporting module events are now logged in the Wazuh WUI logs.
The index pattern selector is now hidden in case that only one index exists.
Fixed CSV export for files in a agents group.

Wazuh WUI for Splunk

CDB lists names are now correctly displayed.
Fixed a bug in Syscheck section when generating the PDF configuration summary.

Other additions and improvements

The new log collection option <reconnect_time> is included in the Log collection configuration section.
Rules/Decoders/CDB-lists files can be uploaded using a Drag & Drop feature.
Extended the "Add new agent" guide.
Opening an empty file is now correctly handled and doesn't lead to an unexpected error.

3.10.2 Release notes - 23 September 2019

This section lists the changes in version 3.10.2. More details about these changes are provided in each component changelog:

Wazuh core

Fixed error in log collection module when reloading localfiles with strftime wildcards.

3.10.1 Release notes - 19 September 2019

This section lists the changes in version 3.10.1. More details about these changes are provided in each component changelog:

wazuh/wazuh

Wazuh core

Fix error in Remoted when reloading agent keys (locked mutex disposal).
Fix invalid read error in Remoted counters.

Wazuh API

Fixed error after removing a high volume of agents from a group using the Wazuh API.

3.10.0 Release notes - 18 September 2019

This section shows the most relevant improvements and fixes in version 3.10.0. More details about these changes are provided in each component changelog:

Wazuh core

Security Configuration Assessment

Improved internal logic engine and policy syntax changes. Available SCA policies have been also adapted to this refactor.
A numerical comparator has been included as part of the rules syntax.
Compliance mapping information is now part of the alert groups.
Policies present at the default folder are now automatically loaded.
The Manager will request the last assessment results when the DB is empty between scans.

For further information, check our SCA documentation.

HIPAA/NIST support

HIPAA and NIST 800 53 groups were added to the compliance groups parser.
New corresponding fields in the Wazuh Elastic Stack template.

Thanks to this additions, the app includes new HIPAA and NIST 800 53 compliance dashboards.

File integrity monitoring

FIM now identifies equivalent paths adding them only once.
It has been fixed an error in Windows who-data when handling the directories list.
Who-data Linux alerts with hexadecimal fields are now correctly handled.

AWS module

Fixed the exception handling when using an invalid bucket.
Fixed an error when getting profiles in custom AWS buckets.
Fixed the error message when an AWS bucket is empty.

IPv6 Compatibility

Increased the IP address internal representation size to support IPv6.
IPv6 loopback address has been added to localhosts list in the DB output module.

Other fixes and improvements

The log collection module now extends the duplicate file detection with inode comparison, useful for symbolic and hard links.
Agentless queries now accept ] and > characters as terminal prompt characters.
The mail module now supports alerts with the full_log field when using alerts.json as alerts source.
On overwriting rules, list field is now correctly copied from the original to the overwriting rule.
Fixed an error in the hardware inventory collector for PowerPC architectures.

Wazuh API

A new API request has been created to get the full summary of agents:

GET /summary/agents

{
"error": 0,
"data": {

    ...
    "agent_status": {
        "Total": 6,
        "Active": 6,
        "Disconnected": 0,
        "Never connected": 0,
        "Pending": 0
    },
    "agent_version": {
        "items": [
            {
            "version": "Wazuh v3.10.0",
            "count": 1
            },
            {
            "version": "Wazuh v3.9.5",
            "count": 5
            }
        ],
        "totalItems": 6
    },
    "last_registered_agent": {
        "os": {
            "arch": "x86_64",
            "codename": "Bionic Beaver",
            "major": "18",
            "minor": "04",
            "name": "Ubuntu",
            "platform": "ubuntu",
            "uname": "Linux |ee7d4f51c0ae |4.18.0-16-generic |#17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 |x86_64",
            "version": "18.04.2 LTS"
        },
    ...
    }
}

Support for HIPAA, NIST 800 53 and GPG13 compliance: adding new API requests and filters.
Improvements in stored passwords security: encryption changed from MD5 to BCrypt.
Fixed API installation in Docker CentOS 7 containers.

Wazuh Ruleset

981 rules have been mapped to support HIPAA and NIST 800 53 compliance. In addition, the SCA policies have been fully reviewed, adapted to the module refactor and added support for new platforms.

It has been added rules and decoders for other technologies:

Rules for the VIPRE antivirus.
Support for Cisco-ASA devices with new rules and decoders.
Added Windows Software Restriction Policy rules.
Added Perdition(imap/pop3 proxy) rules.
Added support for NAXSI web application firewall.

Wazuh Kibana App

HIPAA and NIST 800 53 new dashboards for the recently added regulatory compliance mapping.
Added support for custom Kibana spaces.
Wazuh Kibana app now works as a native plugin and can be safely hidden/displayed depending on the selected space.
New alerts summary in Overview > FIM panel.
Alerts search bar fixed for Kibana v7.3.0, now queries are applied as expected.
Hide attributes field from non-Windows agents in the FIM table.
Fixed broken view in Management > Configuration > Amazon S3 > Buckets.
Restored Remove column feature in Discover tabs.
The app installation date is now correctly updated.

Wazuh Splunk App

HIPAA and NIST 800 53 new dashboards for the recently added regulatory compliance mapping.
New design and several UI/UX changes.
Wazuh Splunk app has been adapted for Microsoft Edge Browser.
Debug level added for app logs.
Modules are being shown only when supported by the agent OS.
API sensitive information is now hidden on every transition.
Non-active Agent data is now being shown correctly.

Other additions and improvements for both Apps

Export all the information of a Wazuh group and its related agents in a PDF document.
Export the configuration of a certain agent as a PDF document.
Added an interactive and user-friendly guide for agents registering, ending in a copy & paste snippet.

3.9.5 Release notes - 8 August 2019

This section shows the most relevant improvements and fixes in version 3.9.5. More details about these changes are provided in each component changelog:

Wazuh manager

Fixed a bug in the Framework that prevented Cluster and API from handling the file client.keys if it's mounted as a volume on Docker.
Fixed a bug in Analysisd that printed the millisecond part of the alerts' timestamp without zero-padding. That prevented Elasticsearch 7 from indexing those alerts.

Wazuh Kibana app

Fixed a bug present in Kibana v7.3.0, affecting Firefox browser, which creates an endless loop if two or more query filters are added.

3.9.4 Release notes - 7 August 2019

This section shows the most relevant improvements and fixes in version 3.9.4. More details about these changes are provided in each component changelog:

Wazuh agent

Fixed a bug in FIM that made it apply a wrong configuration. This occurred when defining different options for nested directories.
Fixed a bug in Logcollector that made it apply a wrong configuration. This happened when defining multiple stanzas for the same file with different options.
Fixed a bug in the agent that could make it truncate its IP address within the control message.
Fixed a bug in the Windows agent that produced a resource leak when monitoring directories in who-data mode.

Wazuh manager

Fixed a bug in Analysisd that could potentially make it crash while handling JSON objects due to a race condition.
Fixed a bug in Wazuh DB that could make it crash when closing database files due to a double free.
Fixed a bug in Remoted that made it send data to an agent that has just disconnected in TCP mode.
Prevent SCA from producing inconsistencies in the database on the manager side when policy IDs are duplicated.
Fixed a race condition hazard between Clusterd and Remoted while synchronizing agent-related files.
Wazuh DB did not remove a database file until was committed. Now, the database will be closed immediately.

Wazuh Apps

Allowed filtering by clicking a column in rules/decoders tables.
Allowed open file in rules table clicking on the file column.
Improved Kibana app performance.
Removed path filter from custom rules and decoders.
Now path column in rules and decoders is shown.
Removed SCA overview dashboard.
Disabled last custom column removal.
Agents messages across sections have been unified.
Fixed check stored APIs.
Improved wz-table performance.
Fixed inconsistent data between visualizations and tables in Overview Security Events.
Timezone applied in cluster status.
Fixed Overview Security Events report when wazuh.monitoring is disabled.
Now duplicated visualization toast errors are handled.
Fixed not properly updated breadcrumb in ruleset section.
Implicit filters can't be destroyed now.
Fixed windows agent dashboard that didn't show failure logon access.
Scrollbars in file viewers have been fixed on Firefox.
Fixed agent search filters lost when refreshing.
Number of agents is now properly updated.
Alerts of level 12 are now displayed on the Security Events table.

3.9.3 Release notes - 9 July 2019

This section shows the most relevant improvements and fixes in version 3.9.3. More details about these changes are provided in each component changelog:

Wazuh core

Log collector will not report Windows Eventchannel events bookmarked by default.
Agent-info that are not generated in utf-8 format will be discarded.
Fix memory leak in Modules Daemon when your on-demand configuration was requested.
Fixed a bug that crashed Analysisd and Logtest when trying rules having <different_geoip> and no <not_same_field> stanza.
Fixed the parser of the Canonical's OVAL feed due to a syntax change.
Rules with <list lookup="address_match_key" /> produced a false match if the CDB list file is missing.
Remote configuration was missing the <ignore> stanzas for Syscheck and Rootcheck when defined as sregex.

Wazuh apps

Added support for Kibana v7.2.0.
Added support for Kibana v6.8.1.
Fixed height for the menu directive with Dynamic height.
Fixed timepicker in cluster monitoring.
Fixed time offset for reporting table.
Fixed API call for fetching GDPR requirements in agents.
Fixed filters which were not applying when refreshing agents search bar.
Fixed wrong fields in never connected agents.
Fixed the error message when the App detects an unexpected Wazuh version.
Fixed invalid date message in some web browsers.
Fixed missing ignored and ignored_sregex fields in the configuration ondemand.

Wazuh ruleset

Changed NGINX decoder to make the field "server" optional. (Credits to @iasdeoupxe).
Remove unwanted tailing single quote in Audit decoder. (Credits to @branchnetconsulting).
Avoid conflicts between the "uid" and "auid" fields in the Audit decoder. (Credits to @tokibi).
Exclude the full log field from rules for AWS, Suricata, VirusTotal, OwnCloud, Vuls, CIS-CAT, Vulnerability Detector, MySQL, Osquery and Azure.

3.9.2 Release notes - 10 June 2019

This section shows the most relevant improvements and fixes in version 3.9.2. More details about these changes are provided in each component changelog:

Wazuh core

Fixed configuration request for whitelists when the block was empty.
Fixed error deleting temporary files during cluster synchronization.
Changes wrong permissions on agent groups files when they are synchronized by the cluster.
Memory errors fixed in CIS-CAT module.
Fixed error checking agent version in remote upgrades.
Fixed race condition in analysis daemon when decoding SCA events. Using reentrant functions in order to maintain context between successive calls.
Fixed a file descriptor leak in modulesd. This bug appeared when the timeout was exceeded when executing a command.
Fixed invalid content handling RedHat feed, causes unexpected exit in Wazuh modules daemon.
Prevent the agent from stopping if it fails to resolve the manager hostname on startup.

Wazuh apps

Fixed visualization in agent overview dashboard.
Fix adding API data in an invalid format.
Adapt request executed in DevTool to the API standards.
Get same metrics security events dashboard that in the agents overview.
Fixed SCA policy checks table.
Added missing dependency for Discover.

Wazuh ruleset

Fixed Windows rule about audit log.
Fixed invalid check of the Solaris 11 SCA policy.

3.9.1 Release notes - 21 May 2019

This section shows the most relevant improvements and fixes in version 3.9.1. More details about these changes are provided in each component changelog:

Wazuh core

Log collector: Improved wildcards support for Windows platforms. Now, it is possible to set multiple wildcards per path as is shown below:

<localfile>
    <location>C:\Users\user\Desktop\*test*</location>
    <log_format>syslog</log_format>
    <exclude>C:\Users\user\Desktop\*test*.json</log_format>
</localfile>

Fixed crash when an active response command was received and the module was disable
Fixed crash when collecting large files on Windows.
Fixed Wazuh manager automatic restart via API on Docker containers.
Fixed corruption error in cluster agent info files synchronization.
Reverted five seconds reading timeout in FIM scans.

Wazuh apps

Added support for Elastic Stack v7.1.0
Added support for Elastic Stack v6.8.0
Improve dynamic height for configuration editor in Splunk app.
Fixed infinite API log fetching, fix a handled but not shown error messages from rule editor in Splunk app.

Wazuh ruleset

macOS SCA policies based on CIS benchmarks have been corrected.
Windows rules for EventLog and Security Essentials have been fixed as well as the field filters are now more restrictive to avoid false positives.
Fixed typo in Windows NT registries within Windows SCA policies.

Elastic Stack 7

Wazuh is now compatible with Elastic Stack 7, which includes, between others, new out of the box Security features.

Additionally, since this Wazuh release, Logstash is no longer required, Filebeat will send the events directly to Elasticsearch server.

Elastic Stack 6.x is still supported by Wazuh.

3.9.0 Release notes - 2 May 2019

This section shows the most relevant improvements and fixes in version 3.9.0. More details about these changes are provided in each component changelog:

Wazuh core

Automated deployment

Agent installers support now variables which allow deploy an agent in a simple step.

Here we can see an example for CentOS/RHEL:

$ WAZUH_MANAGER_IP="10.0.0.2" yum install wazuh-agent

The above example will install, configure and register the agent, making simple the deployment process.

Security Configuration Assessment (SCA)

Security Configuration Assessment (SCA) is a new module created to improve hardening and policy monitoring capabilities in Wazuh. Policy files are now in YAML format, making easier modifications and reading. Policies have been extended, useful compliance information has been added to each policy (rationale, remediation, CSC, etc.). Scan results are sent and stored in Manager side, being accessible using both the Wazuh API and the Wazuh app.

SCA includes a new database integrity algorithm (which will be included on other modules as FIM and Inventory in the coming releases). The agent will send only those checks which status have changed from previous scans, saving network traffic and decreasing manager load.

Here is an example that runs a scan the 15th of every month:

<sca>
    <enabled>yes</enabled>
    <scan_day>15</scan_day>
    <policies>
        <policy>cis_debian_linux_rcl.yml</policy>
    </policies>
</sca>

Inventory module

Get network and open ports for Windows XP and Windows Server 2003 systems.
Events information can be decoded into dynamic fields, so we can define rules based on Inventory events. Decoders now accept syscollector as value for <decoded_as> tags.
Get the real MAC address of each interface in /sys/class/net/address instead of getting it from interfaces with AF_PACKET sockets, avoiding this way problems with bonded interfaces that share the same MAC address at software level.

FIM: Who-data

Who-data now supports a pre-start health check to make sure Audit socket is ready.
Who-data now supports symbolic links hot changes.
Added support for Fedora 29 systems that use Audit 3.0.

AWS Organizations in CloudTrail

With this enhancement, it is possible getting logs for created organizations by adding <aws_organization_id>ORGANIZATION</aws_organization_id> in the module configuration.

Here is an example of how to configure this new AWS capability:

<wodle name="aws-s3">
    <disabled>no</disabled>
    <bucket type="cloudtrail">
        <name>cloudtrail</name>
        <aws_organization_id>wazuh</aws_organization_id>
        <aws_profile>default</aws_profile>
    </bucket>
    <remove_from_bucket>no</remove_from_bucket>
    <interval>20m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>no</skip_on_error>
</wodle>

Wazuh cluster

The Wazuh manager no longer has any external dependencies on Python. The manager now includes its own embedded Python 3 interpreter. Making easier to configure integrations as AWS, VirusTotal, Azure or Slack.
Cluster synchronization speed is now 100x faster, thanks to asyncio library (Asynchronous I/O) which increases multi-threading performance and network communication.

Added -t and -c options for the Wazuh cluster daemon. Those options allow the user to test an isolated configuration file or to test the existing one configuration file.

Other fixes and improvements

Fixed an error in the OSquery configuration validation. The osqueryd daemon started no matter the string it received, whether it was yes, no or anything else.
Wazuh manager starts regardless of the contents of local_decoder.xml.
Prevent Integrator, Syslog Client and Mail forwarded from getting stuck while reading alerts.json.
Vulnerability detector module now checks that the severity of the alerts has been unified and it also checks if the database is empty before starting a new scan.
Labels starting with _ are now reserved for internal use only.
Windows installer now load the corresponding configuration file based on the system version.
Increase 80x remoted daemon performance for TCP connections.

Wazuh API

Manager configuration file is now editable.
Creation, edition and removal of rules, decoders and CDB Lists is now supported.
Multiple nodes restart.
SCA endpoints for policies, scan and checks.

GET /sca/001

{
    "error": 0,
    "data": {
        "totalItems": 3,
        "items": [
            {
                "pass": 2,
                "references": "https://www.ssh.com/ssh/",
                "invalid": 0,
                "description": "Guidance for establishing a secure configuration for SSH service vulnerabilities.",
                "end_scan": "2019-04-30 05:29:50",
                "score": 22,
                "fail": 7,
                "hash_file": "4c7d05c9501ea38910e20ae22b1670b4f778669bd488482b4a19d179da9556ea",
                "start_scan": "2019-04-30 05:29:50",
                "total_checks": 9,
                "name": "System audit for SSH hardening",
                "policy_id": "system_audit_ssh"
            },
            ...
        ]
    }
}

Dive into your SCA scan results using the API.

GET /sca/001/checks/system_audit_ssh

{
    "error": 0,
    "data": {
        "totalItems": 76,
        "items": [
            {
                "description": "The option MaxAuthTries should be set to 4.",
                "file": "/etc/ssh/sshd_config",
                "remediation": "Change the MaxAuthTries option value in the sshd_config file.",
                "policy_id": "system_audit_ssh",
                "rationale": "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4.",
                "id": 1508,
                "title": "SSH Hardening - 9: Wrong Maximum number of authentication attempts",
                "result": "failed",
                "compliance": [
                {
                    "key": "pci_dss",
                    "value": "2.2.4"
                }
                ],
                "rules": [
                {
                    "type": "file",
                    "rule": "f:$sshd_file -> !r:^\s*MaxAuthTries\s+4\s*$;"
                }
                ]
            },
            ...
        ]
    }
}

Wazuh app

Wazuh manager configuration editor

Edit the content of the configuration file for one or more nodes using the interface editor.

Ruleset editor

Thanks to the recently added Wazuh API endpoints, the app comes with multiple improvements for the ruleset section, including rules, decoders and CDB list management.

Expand visualizations

For those cases you want to see a visualization bigger than it is, you can click the expand icon.

Other additions and improvements

Added new dashboards for SCA and Docker modules.
Added support for more than one Wazuh monitoring pattern.
Added a cron job for fetching missing fields of all valid index patterns, also merging dynamic fields every time an index pattern is refreshed by the app.
Added a new way to read manager logs.
Added resizable columns by dragging in tables.

Wazuh ruleset

Added new options <same_field> and <not_same_field> to correlate dynamic fields in rules.

<rule id="100002" level="7" frequency="3" timeframe="300">
    <if_matched_sid>100001</if_matched_sid>
    <same_field>netinfo.iface.name</same_field>
    <same_field>netinfo.iface.mac</same_field>
    <not_same_field>netinfo.iface.rx_bytes</not_same_field>
    <options>no_full_log</options>
    <description>Testing options for correlating repeated fields</description>
</rule>

Improved rules for Docker to prevent the activation of certain rules that should not be activated.
Modified the structure and the names for Windows EventChannel fields in all the related rules.
Fixed the brute-force attack rules for Windows EventChannel by adding the new <same_field> option and changing some rules.

Added Sysmon rules for Windows EventChannel.

<rule id="61619" level="0">
    <if_sid>61618</if_sid>
    <field name="win.eventdata.parentImage">\\services.exe</field>
    <description>Sysmon - Legitimate Parent Image - svchost.exe</description>
</rule>


<rule id="61620" level="12">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image">lsm.exe</field>
    <description>Sysmon - Suspicious Process - lsm.exe</description>
    <group>pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,</group>
</rule>

Added a new rule to catch logon success from a Windows workstation.

<rule id="60118" level="3">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.workstationName">\.+</field>
    <field name="win.eventdata.logonType">^2$</field>
    <description>Windows Workstation Logon Success</description>
    <options>no_full_log</options>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
</rule>

3.8.2 Release notes - 31 January 2019

This section shows the most relevant fixes in version 3.8.2. A complete list of changes is provided in the change log.

Wazuh manager

Fixed a bug crashing Analysisd when accumulating logs. This bug affected decoders that use the option <accumulate>, like the decoder for OpenLDAP logs, provided out of the box.
Some fields of alerts related to Windows Eventchannel logs included unwanted backslashes (\) and trailing whitespaces. This was due to a log cleaning issue in the manager.

Wazuh agent

Prevent Modulesd from crashing when the configuration contained a <wodle name="command"> stanza without an explicit <tag> option.

3.8.1 Release notes - 24 January 2019

This section shows the most relevant improvements and fixes in version 3.8.1. More details about these changes are provided in each component changelog:

Wazuh core

Fixed memory leak in Logcollector when reading Windows eventchannel.
Fixed version comparisons on Red Hat systems in vulnerability detector module.

Wazuh API

Fixed an issue with the log rotation module which may makes the Wazuh API unavailable on Debian systems.
Fixed improper error handling. Prevented internal paths to be printed in error output.

3.8.0 Release notes - 18 January 2019

This section shows the most relevant improvements and fixes in version 3.8.0. More details about these changes are provided in each component changelog:

Wazuh core

Support for new AWS services

AWS Config
AWS Trusted Advisor
AWS KMS
AWS Inspector
Add support for IAM roles authentication in EC2 instances.

Adding new kind of buckets to your integration is as simple as adding an entry like this to your AWS configuration:

<bucket type="config">
  <name>wazuh-aws-wodle</name>
  <path>config</path>
</bucket>

The alerts that Wazuh sends to Elasticsearch are now including all these AWS additions, so you can track all your AWS services / buckets using Kibana.

Windows events are collected in native JSON

The inventory features for Windows are now using native queries directly to the Windows API, this adds value for this feature, enriches the inventory for Windows and guarantees that you can check your Windows agent accurately.
Windows events are now being fetched in JSON format, which provides a useful format for third-party software and makes Wazuh be more optimized while analyzing Windows events. This improves Windows alerts result and analyzing performance. From this version, Windows agents apply a new rule set

FIM for Windows agents now has the ability to detect changes in attributes and file permissions.

Agents keys polling module

When Remoted reads an invalid key, now it can retrieve it from an external database server and store it to the client.keys file.

Details:

Integrated agent key request to external data sources.
Look for missing or old agent keys when Remoted detects an authorization failure.
Request agent keys by calling a defined executable or connecting to a local socket.

FIM who-data changes

Added a health check for who-data monitoring features. It checks if the Audit events socket is working before starting the who-data engine in order to avoid start listening to it when it's blocked or disabled.
Checks if a rule already exists before trying to insert it to avoid flooding in the audit.log file.
Who-data module is now able to re-connect to an Audit socket even if the instance is using enforcing with SELinux. Before this enhancement, Wazuh could not re-connect the socket after restart Wazuh if enforcing was being used along Audit.

CDB lists auto build

Now the CDB lists are built at installation time, so there is no need to execute ossec-makelists as before for the default lists. Custom lists (added after installation) still need to be compiled manually.

Other Wazuh core fixes and improvements

When upgrading, databases used for FIM purposes are now auto-upgraded by Wazuh (no need for scripts).
Vulnerability detector has been improved for RedHat systems.
This version also fixes some known issues when using Wazuh on ARM, HP-UX or AIX systems.
Logcollector component has been refactored, multiple known issues have been fixed, its performance has been also improved.
Improved IP address validation in the option <white_list> (Credits to @pillarsdotnet).
Improved rule option <info> validation (Credits to @pillarsdotnet).
Fixed error description in the osquery configuration parser (Credits to @pillarsdotnet).
The FTS comment option <ftscomment> was not being read (Credits to @pillarsdotnet).

Wazuh API

New API calls for group management

Edit group configuration file (agent.conf) uploading XML file with new configuration. This addition brings the user the ability to manage groups remotely, from now and onward it's no longer needed to SSH into the manager instance to modify groups or to add/remove agents in groups.

# curl -u foo:bar -X POST -H 'Content-type: application/xml' -d @/tmp/agent.conf.xml \
    "http://localhost:55000/agents/groups/default/files/agent.conf?pretty"

{
  "error": 0,
  "data": "Agent configuration was updated successfully"
}

Add or remove agents of a group in bulk.
Added a new parameter named format for fetching the agent.conf content in JSON/XML format depending on the parameter value.

Wazuh API also has these fixes for this version

Now the Wazuh API service gets the group ID and user ID properly when using Docker containers.
Added missing information when requesting certain files from a group.
Rule variables from the Wazuh ruleset are now replaced by its real value when fetching rules.

Wazuh app

Group management from the app is now available

Manage your groups from the app, this feature includes:

Edit group configuration (agent.conf), just open the XML editor we've added, edit the group configuration and send it to the Wazuh API.

Adding and removing agents in groups. An intuitive view has been added to drag-drop agents in your groups then a button is clicked and your groups are updated.

New search bar for the agents' list

The search bar has been modified to provide an better user experience.
It suggests filters, allows multiple filters at the same time, combines string searches with filters, same as before but now in one place.

New tables for an agent FIM monitored files

The app detects the agent OS in order to show the right FIM data. For instance, if it's a Windows agent, the app shows Windows registry entries.

As most of the app tables, these tables include a search bar and sortable columns.

Modify the Wazuh monitoring index pattern name

This was added before for Wazuh alerts indices, now you can do the same for monitoring indices editing the app configuration file (config.yml).

# Default index pattern to use for Wazuh monitoring
wazuh.monitoring.pattern: wazuh-monitoring-3.x-*

Edit the app configuration file (config.yml) from the app

Those settings are shown at Settings > Configuration as before but now they include a pencil icon which allows you to edit certain settings.
Note: Some settings need that Kibana is restarted before being applied.

Other app improvements

The Dev Tools utility has been improved, small bugs fixed, resizable columns by dragging.
Template check from the app health check now accepts multipattern templates.
All known fields for all the index patterns are now refreshed on the app health check too.
Added "Registered date" and "Last keep alive" in agents table allowing you to sort by these fields.
Now the app looks for the request target if the destination is unreachable. Now you'll know if it was Elasticsearch or the Wazuh API.

Wazuh ruleset

New rules/decoders for Windows

Our ruleset this time comes with some new rules/decoders for Windows:

Added new rules to support the new Windows eventchannel decoder.
Extend Auditd decoder to support more fields.

And we've added a new rule to alert when an agent is removed.

3.7.2 Release notes - 17 December 2018

This section shows the most relevant fixes in version 3.7.2. More details about these changes are provided in the component changelog:

wazuh/wazuh

Logcollector and Analysis daemon fixes

The Logcollector module received two improvements in Wazuh 3.7.2:

Fixed bugs related to the management of special characters such as the new line delimiter (\n), or binary data. From now on, Logcollector will discard log lines containing binary characters.
Fixed errors when Logcollector tries to open or analyze files that disappeared, or when querying if a file reached its end.

In addition to this, the Analysis daemon has been fixed to avoid errors when Windows agents in version 3.7.0 report files whose owner username contains whitespace characters.

3.7.1 Release notes - 5 December 2018

This section shows the most relevant improvements and fixes in version 3.7.1. More details about these changes are provided in each component changelog:

Improved who data capabilities for FIM

This version comes with a new option for the FIM configuration. Now is possible to add extra Audit keys using <audit_key> tag. It allows the who data engine to capture Audit events related to the key.

Other minor improvements

Wazuh 3.7.1 includes some other improvements:

Restored the support for Amazon Linux on the Vulnerability detector.
Improved performance of the Remote service.
Added IPv6 support for the host-deny.sh script from Active Response.
Included more tracing information to the logs generated on debugging mode.
The FIM engine now gives more descriptive messages when a file is not reachable.

New features for Kibana plugin

The main highlights for the Wazuh app for Kibana include a new auto-complete feature for the Dev tools tab, so now the user can start typing an API request to see a list of suggestions.

In addition to this, some refinements and bugfixes were added for better stability and overall performance.

New features for Splunk plugin

The main highlights for the Wazuh app for Splunk include support for extensions, new tabs for VirusTotal and CIS-CAT alerts, the Export as CSV button for several tables and the ability to execute PUT, POST and DELETE requests on the Dev tools tab, along with GET requests.

In addition to this, code refactoring, visual/ UI adjustments, and bugfixes were added for better stability and overall performance.

3.7.0 Release notes - 10 November 2018

This section shows the most relevant improvements and fixes in version 3.7.0. More details about these changes are provided in each component changelog:

Adding agents to multiple groups

One of the major enhancements of this new version consists of adding agents to more than one group simultaneously.

With this improvement, now the agents can be set up using multiple configuration files, and this makes possible to share specific configuration blocks between agents, making this process more powerful to configure the environment. The new feature allows consulting all the agent's group information with the agent_groups tool and on the app using the Wazuh API.

In this example, an agent is added to two new groups.

# curl -u foo:bar -X PUT "http://localhost:55000/agents/001/group/webserver?pretty"

{
  "error": 0,
  "data": "Group 'webserver' added to agent '001'."
}

# curl -u foo:bar -X PUT "http://localhost:55000/agents/001/group/apache?pretty"

{
  "error": 0,
  "data": "Group 'apache' added to agent '001'."
}

And on the API, it's possible to check all the groups the agent is added:

# curl -u foo:bar -X GET "http://localhost:55000/agents/001?pretty"

{
  "error": 0,
  "data": {
    "status": "Active",
    "configSum": "f993610d3e6d7bfd7c008b4fb6deb8a5",
    "group": [
      "default",
      "webserver",
      "apache"
    ],
    "name": "ag-windows-12",
    ...
  }
}

The agent will receive the configuration of all the groups where it has been added.

Learn more about this feature in the multiple groups' documentation.

New module to monitor Microsoft Azure

The new azure-logs module for Wazuh has the ability to obtain and read Azure logs through several service APIs. This helps to monitor all the activity happening in the infrastructure, just by setting up the module to monitor the virtual machines that form the infrastructure, sending events to the Wazuh manager for analysis.

There are several ways to monitor the Azure instances:

Installing the Wazuh agent on the instances.

Monitoring the instances activity through Azure APIs. This includes data about all resource operations (creation, update, and deletion), Azure notifications about the instances, suspicious file executions, health checks, autoscaling events, and so on.

Monitoring the Azure Active Directory service. Monitoring management actions such as creation, update or deletion of users. It's possible to receive alerts on the Wazuh manager when some of these events occur on the Azure infrastructure.

To learn more about this new module and how to configure it, check out the section Monitoring Microsoft Azure with Wazuh.

New module to monitor Docker

The new docker module for Wazuh makes easier to monitor and collect the activity from Docker containers such as creation, running, starting, stopping or pausing events.

In addition to this, and as always, the Wazuh agent can be used to monitor more services and events from the Docker servers, like File integrity or Log data collection.

In this example, the Docker command docker pause apache will stop the container apache and will trigger an alert, as seen on the screenshot below from the Wazuh app for Kibana:

To learn more about this new module and how to configure it, check out the section Using Wazuh to monitor Docker.

Query remote configuration

It's now possible to query for the agent configuration in real time.

These on-demand queries allow searching for the currently applied configuration on the manager and each agent in every moment. As seen on the screenshot below with some basic agent information, this query lets to check the current settings about every enabled module.

Improved performance of FIM and Analysis engines

The Analysis and Integrity Monitoring engines have been enhanced with multithreaded processing. It takes advantage of all manager host's resources by processing events in parallel, getting more performance at lower cost.

The registries generated by the File Integrity Monitoring system are now stored on a new SQLite database. Besides, the required storage resources have been reduced, making it faster and more efficient.

Breaking changes

The old File Integrity Monitoring plain text databases are no longer in use. After the upgrading process, it's necessary to execute the migration script in order to preserve the previous FIM entries.

Distributed API requests in cluster mode

The cluster capabilities were improved to allow distributed API requests. Now the nodes communicate between them to collect information, such as agents status or logs, providing data related to the global architecture, instead of a single instance.

In addition to this, the last keep alive checks on the cluster nodes have been improved, disconnecting them if they don't have internet connection during a certain amount of time.

Advanced API filtering using queries

In this version, the Wazuh API includes a new filtering system. The q parameter allows requesting information using advanced queries with logical operators and separators. Find a more detailed explanation of this feature in the API queries section.

New features for Kibana plugin

The Wazuh app for Kibana includes new features and interface redesigns to make use of the new features included in this version:

Get the current manager/agent configuration on the redesigned tabs.

Added support for multiple groups feature.

The Amazon AWS tab has been redesigned to include better visualizations and the module configuration.

The new Osquery extension shows scans results from this Wazuh module.

Added a new selector to check the cluster nodes’ status and logs on the Management > Status/Logs tabs.

Several bugfixes, performance improvements, and compatibility with the latest Elastic Stack version.

Breaking changes

Wazuh 3.7.0 introduces an update to the Elasticsearch template. This will cause a breaking change in existing installations, although new installations won't be affected by this error.

To learn more about how to fix this, check out the Kibana app's troubleshooting guide.

New features for Splunk plugin

The Wazuh app for Splunk also receives lots of new features and improvements on this new version. The Configuration tab is also improved as on the Kibana plugin to get the current manager/agent configuration, multiple groups support, and also:

A documentation article to set up a reverse proxy configuration for Nginx and the Splunk plugin is now available.

Added Dev tools, Amazon AWS, Osquery, Inventory data and Monitoring tabs to the app.

Added app logs to monitor to check and troubleshoot problems while using the app.

Added a new selector to check the cluster nodes’ status and logs on the Management > Status/Logs tabs.

Several bugfixes, performance improvements, and compatibility with the latest Splunk version.

3.6.1 Release notes - 7 September 2018

This section shows the most relevant improvements and fixes in version 3.6.1. More details about these changes are provided in each component changelog.

Wazuh core

This release is a patch version that fixes some issues encountered in v3.6.0. Some of them are listed below:

The agent.name field has been put back to the alerts in JSON format. On the other hand, we've fixed a problem in the location description of the plain-text alerts.
Vulnerability Detector has been improved to support Debian Sid (the unstable version).
We have also optimized the memory management on agents for AIX and HP-UX systems.
The daemon start and stop list has been reordered in the agent service.
We have corrected the actual recursion level limit in FIM real-time mode.
We have improved the AWS integration parser and its capabilities.
Some other fixes have been applied on this version.

Wazuh API

In this version, the API makes it possible to send Active Response requests, including custom commands that are not declared in the configuration.

For instance:

curl -u foo:bar -X PUT -d '{"command":"restart-ossec0", "arguments": ["-", "null", "(from_the_server)", "(no_rule_id)"]}' -H 'Content-Type:application/json' "http://localhost:55000/active-response/001?pretty"

{
  "error": 0,
  "message": "Command sent."
}

3.6.0 Release notes - 29 August 2018

This section shows the most relevant improvements and fixes in version 3.6.0. More details about these changes are provided in each component changelog.

Wazuh core

This section shows the main features introduced in this new version for the Wazuh core.

Logcollector

Logcollector has been enhanced with two new features:

Now it works in multithread mode. This will improve the throughput and prevent delays among outputs.
Wildcard reloading is now supported: files that match a wild-carded location will be monitored, no need to restart the agent.

File integrity monitoring

The policy monitoring (rootcheck) and file integrity monitoring (syscheck) engines now run independently, so they both can perform a scan at the same time.

Two new features have been added to file integrity monitoring:

Tags for monitored items. This will make alert matching and classification easier.
A new option to limit the recursion level (scanning folder depth) has been introduced.

Wazuh modules

Introducing a re-work of the AWS S3 integration, now supporting CloudTrail, GuardDuty, Macie, IAM, and VPC Flow log data.
The download of OVAL files for Vulnerability Detector has been fixed since Red Hat has changed its protocol to send this files.
Custom command execution (wodle command) supports MD5/SHA1/SHA256 validation of the target binary for execution authorization.

Log analysis and management

The manager will provide remote message statistics, including counting of messages received or dropped, and number of active TCP sessions.
The size limit for logs has been extended from 6 KiB to 64 KiB.
The analysis engine now interprets the hostname field of the input logs as the name of the agent, instead of name+IP. This allows CDB list lookup of agent name.

Wazuh app for Kibana

Support for Kibana v6.4.0.
Added new options to config.yml to change shards and replicas settings for wazuh-monitoring indices.
Improved building package procedure.
The welcome tabs in Overview and Agents have been updated with a new name and description for the existing sections.
Adapted for Internet Explorer 11.

Wazuh app for Splunk

The Splunk app has been redesigned from the ground based on Material Design.

SplunkJS framework (RequireJS + BackboneJS + JQuery) has been wrapped into AngularJS.
Brand new menus, tabs, filters and settings.
Dynamic visualizations, granting improved performance.
Dynamic filter queries.

You can follow our installation guide to test it out: https://documentation.wazuh.com/current/installation-guide/installing-splunk/index.html

3.5.0 Release notes - 10 August 2018

This section shows the most relevant improvements and fixes in version 3.5.0. More details about these changes are provided in each component changelog.

Wazuh core

A new integration with osquery is shown, this will provide new scheduled results for the manager:
- The osquery daemon will be launched in background.
- Filter events by osquery by adding a new option in <location> rules.
- Enrich osquery configuration with pack files aggregation and agent labels.
- Support folders in shared configuration.
Parallelized remoted daemon:
- Up to 16 parallel threads to decrypt messages from agents.
- Frequency of agent keys reloading limited.
- Message input buffer in Analysisd to prevent control messages starvation in Remoted.
Vulnerability Detector has been enhanced, adding support for other operating systems and improving the configuration of OVAL updates.
- Added feed tag for updating each operating system OVAL, allowing to set a different configuration for each of them.
- Packages already scanned won't be checked unless no Syscollector scans are detected in a period longer than 24 hours.
- Added arch check for Red Hat's OVAL.
- Force the vulnerability detection in unsupported OS with the <allow> attribute.
Fixed alerts format in Vulnerability Detector. When showing Vulnerability Detector alerts from a Red Hat agent, an RHSA patch was shown instead of a CVE. This patch consists in various CVEs compressed. The RHSA patches are unpackaged and alerts manifest that the system is vulnerable to each of the CVEs contained in that RHSA.
Added new support for AES encryption for manager and agent.
Enhanced active response process. Added a new feature which allows the user to customize the parameters sent to the agent's active response script.
Added synchronization for remoted counters (rids), being reloaded if the inode of the file has changed.
Windows deletes pending active-responses when an output signal is received.
Rootcheck searchs for 32-bit and 64-bit keys. As Windows agent only runs in 32-bit mode, by default Rootcheck was searching only for 32-bit keys.
Get Linux packages, DEB and RPM, for Syscollector.
Added a new module for downloading shared files for agent groups dynamically.
Get running processes, opened ports, network interfaces, Linux (DEB/RPM) and Windows inventories natively for Syscollector.
- Added field to the hardware inventory about the RAM usage, without using wmic.
- Storage of multiple addresses/netmasks/broadcasts per interface in the DB.
- CentOS 5 compatibility to run the network scan.

Wazuh API

Added information about the user who made the request in the API logs.
New option for downloading the wpk using HTTP in agent_upgrade.
Rotation of log files at midnight.
Added new API requests for syscollector.
Ignore uppercase and lowercase sorting an array.

Wazuh ruleset

Added rules for the new osquery integration.
Improved CIS-CAT rules.
Ignoring syscollector events rule added.

Wazuh app for Kibana

As part of the Elastic Stack v6.3.x compatibility process, now we have support for Kuery as query language for the app search bars.
Added new tab on Configuration to show the current Wazuh app configuration file values.
Added new tab on Configuration to show the latest Wazuh app logs.
Added XML/JSON viewer to Management → Configuration.
Improved reports, now with a better design and document structure.
Human-readability improvements for visualizations, tables and CSV files.
Now it’s possible to remove all the API entries from Settings.
More design improvements for the Welcome tab on some app sections.
More bug fixes, code refactoring and performance improvements.

In addition to this, the documentation now has a dedicated section for the Wazuh app, where you can learn more about its capabilities, how to configure it and install the X-Pack Security plugin.

3.4.0 Release notes - 24 July 2018

This section shows the most relevant improvements and fixes in version 3.4.0. More details about these changes are provided in each component changelog.

Wazuh core

The main feature introduced in this version is the ability to monitor the information relative to the user who makes changes to any file monitored with FIM. This information (who-data) contains the user who makes the changes and also the process used. This new functionality is available in Syscheck on Linux and Windows. See the Auditing who-data section for further information.

Many others improvements and fixes have been included in Syscheck in this new version:

The level of recursiveness when scanning directories can be defined in the internal_options.conf file. By default, it's set to 256.
Added support for SHA256 checksum (by Arshad Khan @arshad01).
Enhanced visualization of Syscheck alerts and insertion of all the available fields in the Syscheck messages from the Wazuh configuration files.
The value xxx (not enabled) was replaced for n/a if the hash couldn't be calculated.
Fixed registry_ignore problem on syscheck for Windows when arch="both" was used.
Allow more than 256 directories in real-time for Windows agent using recursive watchers.

There are other changes which are worth highlighting:

Added a new option to customize the output format per-target in Logcollector.
Added support for unified WPK. Now the WPK files are compatible between versions for the same OS.
The CA verification was fixed to allow with more than one 'ca_store' definition.

Wazuh API

Added new API request: GET/agents/stats/distinct. This new request returns all the different combinations that agents have for the selected fields.
Added experimental_feature option to enable new features in development.

Wazuh ruleset

In older versions, the frequency attribute in rules was the number of hits + 2. In this version this value has been modified to match exactly the number of hits. By this way this value is more easy to understand.

Wazuh app for Kibana

Tables redesign.
Improved reporting capabilities.
Improved Discover performance.
UI redesign, including simpler Welcome screen.
New healthcheck design.
Dev tools one liners.
New inventory tab.
Minor bugfixes.

Wazuh app for Splunk

Support for Splunk v7.1.2.
Dashboard tabs redesign.
Minor bugfixes.

3.3.1 Release notes - 18 June 2018

This section shows the most relevant improvements and fixes in version 3.3.1. More details about these changes are provided in each component changelog.

Wazuh core

Most of the fixes introduced in this new version are focused on the user experience when dealing with the Wazuh management. Improving log messages and configuration issues among other things. There are a few changes which are worth highlighting:

Fixed a bug that prevented the remote upgrades for Ubuntu agents.
An alert has been added to be aware when the process of unmerging the centralized configuration fails.
Prevent interference between the Windows Defender antivirus and the Wazuh agent when managing temporary bookmark files.
It is now possible to set up empty blocks of configuration for some modules. For example, the vulnerability detector module can be enabled by typing <wodle name="vulnerability-detector"/>, applying it the default configuration for that module.

Wazuh API

The request to delete agents includes two new fields with the affected agents by the deletion request, as well as the failed IDs.
Fixed error when trying to upgrade Never connected agents by the API.

3.3.0 Release notes - 8 June 2018

This section shows the most relevant improvements and fixes in version 3.3.0. More details about these changes are provided in each component changelog.

Wazuh core

Logcollector now supports socket connection for log output mirroring. This feature allows to send the same event to the Wazuh manager and to a 3rd party log processor like Fluent Bit. You can find more information here.

The analysis engine includes new options for the plugin decoders to set the input offset with respect to the prematch expression or the parent decoder. See an example about this on this section. In addition, plugin decoders and multi-regex decoders can be used together.

We have also introduced an event formatter in the log collector to build custom events, this allows to add some data into the event.

As of this version, the timestamp of the alerts in JSON format will include milliseconds.

The implementation of the Agentless daemon has been improved for enhanced security.

Some other fixes and improvements have been introduced in the Framework and the Cluster.

Wazuh API

The API now has filters by group on the GET /agents call and by status on the GET /agents/groups/:group_id and GET /agents/groups/:group_id calls.

Now the limit parameter has been modified to retrieve all items using limit=0.

In addition to this, several bugfixes and performance improvements for the API have been added.

Wazuh app for Kibana

New design for the Overview and Agents tabs, following a breadcrumbs-based navigability to change between different sections.
New Reporting option, for generating logs about the current state of the visualizations on the Overview and Agents tabs.
New filters for agent version and cluster node on the Agents Preview tab.
Added a warning when your system doesn't have more than 3GB of RAM.
Several bugfixes and performance improvements.

Wazuh app for Splunk

Added monitoring for collecting periodical agent status data.
Now the .wazuh index will be the default one if no one is selected.
Several bugfixes and performance improvements.

3.2.4 Release notes - 1 June 2018

This section shows the most relevant improvements and fixes in version 3.2.4. More details about these changes are provided in each component changelog.

Wazuh minor fixes

Most of the bug fixes in this release are fairly minor, but a few fixes deserve special mention:

<queue_size> setting was not properly parsed by maild causing the termination of the process.

Python 3 incompatibilities in the framework that may affect the correct behavior of the cluster.

Wazuh app for Splunk

This release includes:

New GDPR tab.

Multi-API support.

Multi-index support.

Several performance improvements and bug fixes.

Wazuh app for Kibana

Relevant changes in the Wazuh app are:

New reporting feature: Generate reports from Overview and Agents tab.

New check included to warn about systems with low RAM (less than 3GB).

Several performance improvements and bug fixes.

3.2.3 Release notes - 28 May 2018

This section shows the most relevant improvements and fixes in version 3.2.3. More details about these changes are provided in each component changelog.

Wazuh cluster

This version fixes several performance issues (like CPU usage) and synchronization errors. The communications and synchronization algorithm have been redesigned in order to improve the cluster performance and reliability.

Now, the client nodes initialize the communication and only the master node is included in the client configuration.

The number of daemons has been reduced to one: wazuh-clusterd.

You can check our documentation for Wazuh cluster in the following Cluster basics.

Core improvements

These are the most relevant changes in the Wazuh core:

Vulnerability-detector continues to expand its scope, now adding support for Amazon Linux. A bug when comparing epoch versions has also been fixed.
The agent limit has been increased to 14000 by default, improving the manager availability in large environments.
More internal bugs reported by the community have been fixed for this version.

Wazuh app for Splunk

New section describing the installation process for the Wazuh app for Splunk.

Wazuh app for Kibana

The Dev tools tab has been added in this version. You can use it to interact with the managers by API requests.

Similar to PCI DSS, a new tab for GDPR is included in order to visualize the related alerts.

Other relevant changes in the Wazuh app are:

New button for downloading lists on a CSV format. Currently available for the Ruleset, Logs and Groups sections on the Manager tab and also the Agents tab.
New option on the configuration file for enabling or disabling the wazuh-monitoring indices creation/visualization.
Design improvements for the Ruleset tab.
Performance improvements on visualization filters.
And many bugfixes for the overall app.

3.2.2 Release notes - 7 May 2018

From the Wazuh team, we continue working hard improving the existing features as well as fixing bugs. This section shows the most relevant improvements and fixes in version 3.2.2. Find more details in each component changelog.

Manager-agent communication

It has been created an input buffer in the manager side, this queue will act as a congestion control by processing all the events incoming from agents.

Between other features of this queue, it dispatches events as fast as possible avoiding any delay in the communication process, and it warns when gets full stopping to ingest more events.

In addition, the capacity of the buffer is configurable in the remote section of the Local configuration.

Wazuh modules

Vulnerability-detector module has an improvement within the version comparator algorithm to avoid false positive alerts. It also has been fixed the behavior when the software inventory of an agent is missing.

Wazuh app: Kibana

The Wazuh app received lots of new improvements for this release. In addition to several bugfixes and performance improvements, these are the major highlights for this Wazuh app version:

New dynamic visualization loading system. Now the app loads visualizations on demand, and never store them on the .kibana index.
A new design for the Ruleset tab, providing the information about the rules and decoders in a cleaner, more organized way.
A new system for role detection over index patterns when using the X-Pack plugin for the Elastic Stack.
Refinements and adjustments to the user interface.

Other relevant changes

In addition to the previous points, another more changes included are:

The Slack integration has been updated since some used parameters were deprecated by Slack. This integration allows Wazuh to send notifications to Slack when desired alerts are triggered.
It has been fixed the agent group file deletion when using the Auth daemon. As well as the client of the daemon for old versions of Windows.
Fixed the filter of the output syslog daemon when filtering by rule group.

3.2.1 Release notes - 2 March 2018

This release is a bug fix release. This section shows the most relevant improvements and fixes of Wazuh v3.2.1. You will find more detailed information in the changelog file.

Wazuh modules
Cluster
Agents management
OpenSSL library

Wazuh modules

The Wazuh modules include several fixes in this release to improve their performance and reliability. The most relevant changes are described in this section.

To avoid the agent flooding, a maximum of events sent per second has been established for every module. This limit is configurable by the wazuh_modules.max_eps parameter of the internal configuration.

For the vulnerability-detector module the following bugs have been fixed: a problem when detecting agents with supported operating systems, and another ones related to duplicated alerts and RAM consumption. Furthermore, this module is no longer included in the agents, reducing package size and preventing errors.

In addition, a bug that made it impossible to set the centralized configuration of the agents software collector has been solved.

For the CIS-CAT wodle it has been improved the JAVA binary selection, updated its rules, and added support for relative/full/network paths in its configuration.

Finally, some memory leaks and other bugs reported by Coverity have been solved.

Cluster

Several bugs have been fixed in the Wazuh cluster, among them, dealing with too long file paths.

The cluster-control tool was improved to retrieve more information about type of nodes, as well as adding the possibility to enable a debug mode for it.

Agents management

Related to the agents management, the Operating System name detection in macOS and old Linux distributions has been fixed, retrieving the needed information correctly.

In addition, agent labels are also inserted in JSON archives even when the event does not match any rule.

The API call GET/agents/purgeable/: timeframe has been restructured to add a new field called totalItems. This field contains the number of agents that can be removed.

OpenSSL library

OpenSSL library has been updated from 1.0.2k to 1.1.0g . This version fixes two security vulnerabilities:

CVE-2017-3736 : It can allow an attacker to recover the encryption keys used to protect communications.
CVE-2017-3735 : It can allow a malicious user to do a one-byte overread.

3.2.0 Release notes - 8 February 2018

This section shows the most relevant new features of Wazuh v3.2.0. You will find more detailed information in our changelog file.

New features:

Vulnerability detection
Module for AWS Cloudtrail integration
CIS-CAT integration now supports Windows OS
Cluster: Ruleset synchronization and performance improvements

Vulnerability detection

A native vulnerability detector has been implemented, making use of agents new feature to report inventory data (e.g. applications installed, network configuration, hardware information). The manager is now capable of building a vulnerability database, making use of public OVAL repositories (published and maintained by different vendors). This database is used to do correlation with agents reported applications inventory data, identifying packages with a CVE.

In version 3.1.0, detecting vulnerabilities was already possible using Wazuh agents integration with Vuls (a third party open source project), but this integration required the installation of additional software on the monitored hosts (adding extra complexity, and making it difficult to manage in a centralized way). Now, in this version, Vuls is not required anymore as this capability is now natively supported using the new agent and manager features.

The new architecture design keeps agents footprint small, not impacting monitored hosts performance or consuming unnecessary resources. Agents just read and report applications installed (RPM, Deb or MSI packages), while the manager is the one that uses the vulnerability database to identify CVEs.

See below an example of results when an application vulnerability is identified:

** Alert 1518102634.685428: - vulnerability-detector,
2018 Feb 08 16:10:34 (PC) ->vulnerability-detector
Rule: 23504 (level 7) -> 'CVE-2017-7226 on Ubuntu 16.04 LTS (xenial) - medium.'
vulnerability.cve: CVE-2017-7226
vulnerability.title: CVE-2017-7226 on Ubuntu 16.04 LTS (xenial) - medium.
vulnerability.severity: Medium
vulnerability.published: 2017-03-22
vulnerability.updated: 2017-03-22
vulnerability.reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7226
vulnerability.rationale: The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.
vulnerability.state: Unfixed
vulnerability.affected_package: binutils
vulnerability.version: 2.26.1-1ubuntu1~16.04.6

You can read more about this new module in the Vulnerability detection section.

Module for AWS Cloudtrail integration

This module provides the ability to read your AWS CloudTrail logs directly from an AWS S3 bucket. Amazon CloudTrail support is now a built-in Wazuh feature, giving you the ability to search, analyze, and generate alerts for AWS CloudTrail events.

Below is an example of the JSON alert generated by this module:

** Alert 1518488581.32874246: - amazon,authentication_success,pci_dss_10.2.5,
2018 Feb 13 02:23:01 manager->Wazuh-AWS
Rule: 80253 (level 3) -> 'Amazon: signin.amazonaws.com - ConsoleLogin - User Login Success.'
aws.eventVersion: 1.05
aws.eventID: 2fb29f0f-4d7f-4384-8170-xxxx
aws.eventTime: 2018-02-13T02:12:26Z
aws.log_file: 1661xxx_CloudTrail_us-east-1_20180xxx_S4Wouyxxx.json.gz
aws.additionalEventData.MFAUsed: No
aws.additionalEventData.LoginTo: https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true
aws.additionalEventData.MobileVersion: No
aws.eventType: AwsConsoleSignIn
aws.responseElements.ConsoleLogin: Success
aws.awsRegion: us-east-1
aws.eventName: ConsoleLogin
aws.userIdentity.userName: wazuh
aws.userIdentity.type: IAMUser
aws.userIdentity.arn: arn:aws:iam::166157441623:user/wazuh
aws.userIdentity.principalId: AIDAJxxx
aws.userIdentity.accountId: 1661xx4xxx
aws.eventSource: signin.amazonaws.com
aws.userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
aws.sourceIPAddress: 67.161.xx.xx
aws.recipientAccountId: 166157441623
integration: aws

You can read more about this new module in the AWS CloudTrail section.

CIS-CAT integration now supports Windows OS

In our previous release, the module for integration with CIS-CAT scanner only supported Linux systems. Now, it also supports Windows systems.

CIS-CAT alerts have been also enriched and reports are parsed natively now, improving its efficiency considerably. See below an example of an alert:

** Alert 1518508994.718592: - ciscat,
2018 Feb 13 00:03:14 (Windows7) 192.168.1.201->wodle_cis-cat
Rule: 87409 (level 7) -> ’CIS-CAT: (L2) Ensure ‘Prevent Codec Download’ is set to ‘Enabled’ (failed)'
type: scan_result
scan_id: 589117374
cis.rule_id: 19.7.43.2.1
cis.rule_title: (L2) Ensure ‘Prevent Codec Download’ is set to ‘Enabled’
cis.group: Administrative Templates (User)
cis.description: This setting controls whether Windows Media Player is allowed to download additional codecs for decoding media files it does not already understand. The recommended state for this setting is: Enabled.
cis.rationale: This has some potential for risk if a malicious data file is opened in Media Player that requires an additional codec to be installed. If a special codec is required for a necessary job function, then that codec should be tested and supplied by the IT department in the organization.
cis.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: User Configuration\Policies\Administrative Templates\Windows Components\Windows Media Player\Playback\Prevent Codec Download  Impact: The Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available.
cis.result: fail

Cluster: Ruleset synchronization and performance improvements

Several bugs have been fixed in the cluster. Also, its general performance has been improved.

The cluster is now able to synchronize decoders, rules and CDB lists. It also makes use of ossec-logtest tool to test that new rules, decoders or CDB lists are correctly formatted, before sending those to the rest of the cluster nodes.

The full list of files synchronized across cluster nodes is:

/etc/client.keys

/etc/shared

/etc/decoders*

/etc/rules*

/etc/lists*

/queue/agent-groups

/queue/agent-info

(*) Nodes are restarted when these files are updated.

3.1.0 Release notes - 22 December 2017

This section shows the most relevant new features of Wazuh v3.1.0. You will find more detailed information in our changelog file.

New features:

VULS integration
CIS-CAT Wazuh module to scan CIS policies
New "Command" Wazuh module
New rotation capabilities for alerts
Wazuh API
Ruleset
More relevant features

VULS integration

Vuls (VULnerability Scanner) is a tool that was created for analyzing the vulnerability of Linux systems. This tool looks for known vulnerabilities referenced in databases such as the National Vulnerability Database (NVD).

This integration is achieved through the use of the new Command wodle. This module allows you to run a command at a specified interval or to ignore the output of the command. The Vuls script is designed run Vuls on the agent and send results directly back to the manager and triggering alerts when a vulnerability is identified.

Below is an example of results where a vulnerability is identified:

** Alert 1513880084.806869: - vuls,
2017 Dec 21 18:14:44 ip-172-31-42-67->Wazuh-VULS
Rule: 22405 (level 10) -> 'High vulnerability CVE-2017-16649 detected in scanning launched on 2017-12-21 18:14:36 with 100% reliability (OvalMatch). Score: 7.200000 (National Vulnerability Database). Affected packages: linux-aws (Not fixable)'
{"KernelVersion": "4.4.0-1044-aws", "Source": "National Vulnerability Database", "LastModified": "2017-11-28 14:05:55", "AffectedPackagesInfo": {"linux-aws": {"Repository": "", "NewVersion": "", "Version": "4.4.0-1044.53", "NewRelease": "", "Release": "", "Fixable": "No", "Arch": ""}}, "integration": "vuls", "ScannedCVE": "CVE-2017-16649", "AffectedPackages": "linux-aws (Not fixable)", "DetectionMethod": "OvalMatch", "Score": 7.2, "Link": "https://nvd.nist.gov/vuln/detail/CVE-2017-16649", "OSversion": "ubuntu 16.04", "Assurance": "100%", "ScanDate": "2017-12-21 18:14:36"}
KernelVersion: 4.4.0-1044-aws
Source: National Vulnerability Database
LastModified: 2017-11-28 14:05:55
AffectedPackagesInfo.linux-aws.Repository: Update
AffectedPackagesInfo.linux-aws.NewVersion:
AffectedPackagesInfo.linux-aws.Version: 4.4.0-1044.53
AffectedPackagesInfo.linux-aws.NewRelease:
AffectedPackagesInfo.linux-aws.Release:
AffectedPackagesInfo.linux-aws.Fixable: No
AffectedPackagesInfo.linux-aws.Arch:
integration: vuls
ScannedCVE: CVE-2017-16649
AffectedPackages: linux-aws (Not fixable)
DetectionMethod: OvalMatch
Score: 7.200000
Link: https://nvd.nist.gov/vuln/detail/CVE-2017-16649
OSversion: ubuntu 16.04
Assurance: 100%
ScanDate: 2017-12-21 18:14:36

CIS-CAT Wazuh module to scan CIS policies

The new CIS-CAT module was developed for evaluating CIS benchmarks in Wazuh agents. This module assesses an agent's compliance with CIS policies to ensure the application of the best practices in in the security of your IT systems.

With the CIS-CAT wodle assessments can be scheduled to run periodically, sending reports to the manager and displaying results for each check. A report overview is also displayed as in the example below:

** Alert 1513886205.7639319: - ciscat,
2017 Dec 21 11:56:45 ubuntu->wodle_cis-cat
Rule: 87411 (level 5) -> 'CIS-CAT Report overview: Score less than 80 % (53 %)'
{"type":"scan_info","scan_id":1222716123,"cis-data":{"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","hostname":"ubuntu","timestamp":"2017-12-21T11:55:50.143-08:00","score":53}}
type: scan_info
scan_id: 1222716123
cis-data.benchmark: CIS Ubuntu Linux 16.04 LTS Benchmark
cis-data.hostname: ubuntu
cis-data.timestamp: 2017-12-21T11:55:50.143-08:00
cis-data.score: 53

Currently, this module is focused only on Linux systems, however, this will also be available for Windows systems in future versions.

You will find further information about this new module in the CIS-CAT integration section.

New "Command" Wazuh module

The new Command wodle has been included in this version to allow commands to be run asynchronously. This module allows commands to be run at specified intervals and includes an option to ignore the output.

The complete configuration guide for this command can be found at Command wodle configuration.

New rotation capabilities for alerts

In large environments, the alerts file may take up a large amount of disk space. To address this, Wazuh 3.1 includes support for rotating the following files by time or size:

alerts (plain-text and JSON),
archives (plain-text and JSON), and
firewall events (plain-text).

Until this release, alert files were rotated once a day. With this release, you now have the ability to set a more frequent rotation interval (maximum one day) and specify a maximum file size that will trigger the rotation procedure. Rotated files are compresses and signed and stored in the same way they were previously.

In the <global> section of the Local configuration you will find information on how to configure this feature.

Wazuh API

The Wazuh API has been enhanced with new requests, such as:

a request for getting agent information by agent name,
a request for purging never connected or disconnected agents after a defined time-frame, and
a request for getting purgeable agents.

In addition, more new features can be found in the API changelog.

Ruleset

The Ruleset has been improved to include the necessary rules for the CIS-CAT and VULS integrations.

More information on changes to the Ruleset can be found on the Ruleset changelog.

More relevant features

Additional features have been added to Wazuh 3.1.0 in order to improve its performance, including, but not limited to:

a new field in JSON alerts including timestamp from predecoded logs,
the ability to refuse shared configuration in agents locally using the agent.remote_conf option as explained in the Internal configuration section,
When ossec is used to disable a component, the relevant daemon is now immediately stopped,
The Syscheck reporting_changes feature formerly suppressed inclusion of file change details in alerts if the changes were detected during the first Syscheck scan after an agent restarted. Now, file changes will be included every time textual file change data is available, and
fixes to reported bugs.

3.0.0 Release notes - 3 December 2017

This section shows the most relevant new features of Wazuh v3.0.0. You will find more detailed information in our changelog file.

For deploying your Wazuh environment see the Installation guide.

New features:

Grouping agents
Remote agent upgrades
Wazuh cluster for managers
Automatic decoding for JSON events
VirusTotal integration
MSI Windows installer for agents
Wazuh API
Ruleset
Updated external libraries
More relevant features

Grouping agents

Support for the grouping of agents has now been included at the Wazuh manager level, which makes centralized configuration more flexible and efficient.

Version 3.0.0 allows agents to be assigned to a specific group which may have different agent configuration, rootcheck policies and hardening checks than other groups. The manager will then send only the necessary files to each agent based on this assignment. Once the new configuration is received, the agent will restart itself to apply the changes.

This groups management feature is available via terminal using a CLI included in the Wazuh manager, as well using Wazuh API requests.

More information about this feature is found at Grouping agents.

Remote agent upgrades

The manager can now upgrade agents remotely. The agent version and OS it is running on are registered with the manager. The manager uses this information to know which agents need to be upgraded and which upgrade package to send.

A custom procedure has been created to perform these upgrades without relying on external package managers (apt/yum). The manager will instead send a compressed and signed WPK (Wazuh Signed Package) that contains the necessary binaries and instructions to upgrade the agent.

The ability to roll back the upgrade is built into the process. If the agent loses connection with the manager after the upgrade, the agent will automatically be rolled back to recover the agent connectivity.

WPK files will be generated by Wazuh for every new release. You may also use your own custom WPK files.

In our dedicated section for Remote upgrading, you can find more information about this procedure.

Wazuh cluster for managers

The Wazuh cluster provides new capability to scale Wazuh horizontally by adding as many manager nodes as needed to process events from the reporting agents.

The cluster architecture is master/client based, synchronizing internal configuration files (agent keys, groups configuration, agents configuration and agent statuses) between all clients nodes. This allows agents to report to multiple managers (cluster nodes) which increases availability and fault tolerance.

More information on this new functionality can be found in the dedicated section at Cluster basics.

Automatic decoding for JSON events

The Wazuh manager now includes a native decoder for the JSON format which can read any JSON event and extract its fields dynamically. This new decoder enables Wazuh to use all JSON fields/values for creating rules.

See the JSON decoder section for further information.

Along with this, we introduced a new log format in Logcollector to be able to monitor JSON log files. Custom labels can be included from the endpoint which will add valuable metadata to the monitored JSON logs.

See below for sample configuration:

<localfile>
  <location>/var/log/myapp/log.json</location>
  <log_format>json</log_format>
  <label key="@source">myapp</label>
  <label key="agent.type">webserver</label>
</localfile>

Below is a sample JSON log from the monitored file.

{
  "event": {
    "type": "write",
    "destination": "sample.txt"
  },
  "agent": {
    "name": "web01"
  }
}

The following will be the result when the above configuration is applied to the JSON log:

{
  "event": {
    "type": "write",
    "destination": "sample.txt"
  },
  "agent": {
    "name": "web01",
    "type": "webserver"
  },
  "@source": "myapp"
}

Information on how to configure this feature can be found in the localfile section of ossec.conf.

VirusTotal Integration

This new version includes an integration with the VirusTotal platform.

This allows the Manager to send the hashes of collected files (via Syscheck) to the VirusTotal API, reporting back the scan results and generating an alert when there is a positive result.

The integration with VirusTotal as a threat intelligence source, along with the existing FIM capabilities is a significant improvement in Wazuh's malware detection.

Below is an example of an alert triggered from a positive result:

** Alert 1510684984.55826: mail  - virustotal,
2017 Nov 14 18:43:04 PC->virustotal
Rule: 87105 (level 12) -> 'VirusTotal: Alert - /media/user/software/suspicious-file.exe - 7 engines detected this file'
{"virustotal": {"permalink": "https://www.virustotal.com/file/8604adffc091a760deb4f4d599ab07540c300a0ccb5581de437162e940663a1e/analysis/1510680277/", "sha1": "68b92d885317929e5b283395400ec3322bc9db5e", "malicious": 1, "source": {"alert_id": "1510684983.55139", "sha1": "68b92d885317929e5b283395400ec3322bc9db5e", "file": "/media/user/software/suspicious-file.exe", "agent": {"id": "006", "name": "agent_centos"}, "md5": "9519135089d69ad7ae6b00a78480bb2b"}, "positives": 7, "found": 1, "total": 67, "scan_date": "2017-11-14 17:24:37"}, "integration": "virustotal"}
virustotal.permalink: https://www.virustotal.com/file/8604adffc091a760deb4f4d599ab07540c300a0ccb5581de437162e940663a1e/analysis/1510680277/
virustotal.sha1: 68b92d885317929e5b283395400ec3322bc9db5e
virustotal.malicious: 1
virustotal.source.alert_id: 1510684983.55139
virustotal.source.sha1: 68b92d885317929e5b283395400ec3322bc9db5e
virustotal.source.file: /media/user/software/suspicious-file.exe
virustotal.source.agent.id: 006
virustotal.source.agent.name: agent_centos
virustotal.source.md5: 9519135089d69ad7ae6b00a78480bb2b
virustotal.positives: 7
virustotal.found: 1
virustotal.total: 67
virustotal.scan_date: 2017-11-14 17:24:37
integration: virustotal

The complete documentation of this integration is located at VirusTotal integration section.

MSI Windows installer for agents

A new digitally signed MSI Windows installer has been developed in order to improve the installation process for Windows agents.

This installer can be launched in unattended mode from the command line and combines the agent installation, configuration, registration and connection into a single step.

The procedure for using the MSI installer can be found at: Install Wazuh agent on Windows

Wazuh API

The Wazuh API now includes functionality to manage all the features included in this release, such as:

the management of remote agent upgrades,
the requests for managing groups, and
the management of the new Wazuh Cluster.

In addition, more new features can be found in the API changelog.

Ruleset

The Ruleset has also been improved and now includes the necessary rules for the VirusTotal integration.

For details on changes in the Ruleset, please visit the Ruleset changelog.

Updated external libraries

External libraries used by Wazuh have been updated to improve their integration with our components.

More relevant features

Additional features have been added to Wazuh 3.0.0 in order to improve its performance, including, but not limited to:

the ability to choose the Cipher suite in Authd settings,
the Automatic restarting of an agent when a new shared configuration is added from the manager,
the 'pending' state that is now shown for agents that are waiting for a manager response,
the ability to configure several managers for each agent, specifying its own protocol and port for each, and
the new functionality to rotate and compress internal logs by size.

2.x

This section summarizes the most important features of each Wazuh 2.x release.

Wazuh version	Release date
2.1.0	17 August 2017

2.1 Release notes - 17 August 2017

This section shows the most relevant new features of Wazuh v2.1. You will find more detailed information in our changelog file.

New features:

Anti-flooding mechanism
Labels for agent alerts
Improved Authd performance
New features for internal logs
Updated external libraries
Wazuh API
Ruleset

Anti-flooding mechanism

The Anti-flooding mechanism is designed to prevent large bursts of events on an agent from negatively impacting the network or the manager. It uses a leaky bucket queue that collects all generated events and sends them to the manager at a rate below a specified events per second threshold.

Learn more about this new mechanism at Anti-flooding mechanism.

Labels for agent alerts

This feature allows agent-specific attributes to be included in each alert. These labels provide a simple way of adding valuable metadata to alert records and can include data points like who is in charge of a particular agent or the agent's installation date and .

For more details about this new feature see our Labels section.

Improved Authd performance

The Authd program has been improved in this version such that the Wazuh API and the manage_agents tools can now register an agent while ossec-authd is running.

Additionally, ossec-authd now runs in the background and can be enabled using the command ossec-control enable auth. See the auth section of ossec.conf for configuration options and sample configuration.

Finally, the new force_insert and force_time options in Authd (-F<time> from the ossec-authd command line) allow for the automatic deletion of agents that match the name or IP address of a new agent you are attempting to register.

New features for internal logs

As JSON is one of the most popular logging formats, we have made it possible in this new version to have internal logs written in JSON format, plain text or both. This can be configured in the logging section of ossec.conf.

In addition, we have simplified the management of internal logs such that they are rotated and compressed daily. We have further made it possible to control the use of disk space by configuring a the length of time for between the rotated logs before they are automatically deleted.

These parameters are configured in the monitord section of Internal configuration.

Updated external libraries

External libraries used by Wazuh have been updated to improve their integration with our components.

Wazuh API

The request /agents now returns information about the OS and a specified list of agents can now be restarted or deleted.

Ruleset

The previous Windows decoders extracted a wrong user (the subject user) but this has been corrected in this version and new fields have also been added.

Expressions	Actions
^	To specify the beginning of the text
$	To specify the end of the text
\|	To create a logical or between multiple patterns

Options	Purpose
`-a\|--change-all`	Changes all the Wazuh indexer and Wazuh server API user passwords and prints them on screen. Changing API passwords requires `-au\|--admin-user <ADMIN_USER>` and `-ap\|--admin-password <ADMIN_PASSWORD>`.
`-A\|--api`	Change the Wazuh server API password given the current password. Requires `-u\|--user <USER>`, `-p\|--password <PASSWORD>`, `-au\|--admin-user <ADMIN_USER>`, and `-ap\|--admin-password <ADMIN_PASSWORD>`.
`-au\|--admin-user <ADMIN_USER>`	Admin user for the Wazuh server API. Required for changing the Wazuh server API passwords. Requires `-A\|--api`.
`-ap\|--admin-password <ADMIN_PASSWORD>`	Password for the Wazuh server API admin user. Required for changing the Wazuh server API passwords. Requires `-A\|--api`.
`-u\|--user <USER>`	Indicates the name of the user whose password will be changed. If no password is specified, it will generate a random one.
`-p\|--password <PASSWORD>`	Indicates the new password. Must be used with option `-u\|--user <USER>`.
`-c\|--cert <ROUTE_ADMIN_CERTIFICATE>`	Indicates route to the admin certificate.
`-k\|--certkey <ROUTE_ADMIN_CERTIFICATE_KEY>`	Indicates route to the admin certificate key.
`-v\|--verbose`	Shows the complete script execution output.
`-f\|--file <PASSWORD_FILE.yml>`	Changes the passwords for the ones given in the file. Wazuh indexer users must have this format: # Description indexer_username: <USER> indexer_password: <PASSWORD> Wazuh server API users must have this format: # Description api_username: <USER> api_password: <PASSWORD>
`-gf\|--generate-file <passwords.wazuh>`	Generate password file with random passwords for standard users.
`-h\|--help`	Shows help.

Attribute	Default value	Allowed values	Description
`check_all`	yes	yes, no	Records the values of all attributes below.
`check_sum`	yes	yes, no	Records the MD5, SHA-1 and SHA-256 hashes of the files. Same as using `check_md5sum="yes"`, `check_sha1sum="yes"`, and `check_sha256sum="yes"` at the same time.
`check_sha1sum`	yes	yes, no	Records the SHA-1 hash of the files.
`check_md5sum`	yes	yes, no	Records the MD5 hash of the files.
`check_sha256sum`	yes	yes, no	Records the SHA-256 hash of the files.
`check_size`	yes	yes, no	Records the size of the files.
`check_owner`	yes	yes, no	Records the owner of the files in Linux.
`check_group`	yes	yes, no	Records the group owner of the files/directories. On Windows, `gid` is always 0 and the group name is blank.
`check_perm`	yes	yes, no	Records the permission of the files/directories. On Windows, a list of denied and allowed permissions is recorded for each user or group. It works on Linux and Windows with NTFS partitions.
`check_attrs`	yes	yes, no	Records the attributes of files in Windows.
`check_mtime`	yes	yes, no	Records the modification time of a file.
`check_inode`	yes	yes, no	Records the file inode on Linux.
`check_device`	yes	yes, no	Records the device on Linux.

Audit field	Alert field	Fields description
User	audit.user.id audit.user.name	Contains information about who started the process that modified the monitored file.
Login user	audit.login_user.id audit.login_user.name	Contains information about the user who started the session. They correspond respectively to the login UID and login name. Upon login, this ID is assigned to a user and is inherited by every process, even when the user's identity changes.
Effective user	audit.effective_user.id audit.effective_user.name	Contains the effective ID and name of the user who started the process that modified the monitored file. When a user executes a command using sudo, the effective user ID changes to `0`, and the effective username becomes root.
Group	audit.group.id audit.group.name	Contains the group ID and group name of the user who started the process that modified the monitored file.
Process ID	audit.process.id	Contains the ID of the process used to modify the monitored file.
Process name	audit.process.name	Contains the name of the process used to modify the monitored file.
Process ppid	audit.process.ppid	Contains the parent process ID of the process used to modify the monitored file.

Audit field	Alert field	Fields description
User	audit.user.id audit.user.name	Contain the ID and name of the user who started the process that modified the monitored file.
Process id	audit.process.id	Contain the ID of the process used to modify the monitored file.
Process name	audit.process.name	Contain the name of the process used to modify the monitored file.

Endpoint	Description
Ubuntu 22.04	This is the attacker endpoint that performs a brute-force attack. You must install an SSH client on this endpoint.
RHEL 9.0	We perform an SSH brute-force attack against this victim endpoint. You must install an SSH server on this endpoint.

Default value	n/a
Allowed values	Any category used is allowed.

-h	Display the help message.
-d	Run in debug mode. Use twice to increase verbosity.
-f	Run in the foreground.
-r	Run as root. Use only for debugging purposes.
-V	Print version.