How it works
The following steps are required to set up monitoring of a specific command's output on agents:
Configure Wazuh agents to accept remote commands from the manager
Agents can run commands pushed from the manager (via the files in the shared directory). Before this feature can be used, it must be explicitly allowed on each agent. This is done by setting logcollector.remote_commands in local_internal_options.conf on each agent.
# Logcollector - Whether or not to accept remote commands from the manager
logcollector.remote_commands=1
Configure a command to monitor
The commands to run and monitor can be configured either in the local ossec.conf of individual agents or, ideally, in the appropriate config section of agent.conf on the manager.
<localfile>
  <log_format>full_command</log_format>
  <command>.....</command>
  <frequency>120</frequency>
</localfile>
Process the output
After configuring the system to monitor the command's output as if it were log data, we can create custom rules, as for log analysis, to process the output and alert when needed.
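The three steps above carried through for one concrete command, as an added example that is not part of the original page: the agent.conf entry collects the list of listening ports, and a custom rule in local_rules.xml alerts only when that list changes between runs. The command, alias, rule id, level and description are my choices; the parent rule 530 is the default ruleset's rule that matches every "ossec: output:" event, and the agent must already have logcollector.remote_commands=1 set as described above.

```xml
<!-- agent.conf on the manager (or the agent's local ossec.conf): run the
     command every 120 seconds and feed its full output to the log collector.
     The alias replaces the raw command string in the generated event, which
     keeps the rule's <match> short and stable. Command and alias are
     assumptions for this example. -->
<agent_config os="Linux">
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sort</command>
    <alias>netstat listening ports</alias>
    <frequency>120</frequency>
  </localfile>
</agent_config>

<!-- local_rules.xml on the manager: rule 530 in the default ruleset matches
     every "ossec: output:" event produced by full_command. This child rule
     fires only when the captured output differs from the previous run
     (check_diff), so a new or removed listening port raises one alert
     instead of an alert on every poll. -->
<group name="ossec,">
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat listening ports'</match>
    <check_diff />
    <description>Listening ports status changed.</description>
    <group>process_monitor,</group>
  </rule>
</group>
```

The first run after a manager restart produces a baseline alert because there is no previous output to compare against; subsequent alerts reflect real changes in the port list.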