This is the documentation for Wazuh 3.0. Check out the docs for the latest version of Wazuh!

3.0.0 Release Notes

This section shows the most relevant new features of Wazuh v3.0.0. You will find more detailed information in our changelog file.

For deploying your Wazuh environment see the Installation guide.

New features:

Grouping agents

Group support has been added at the Wazuh manager level: agents can now be assigned to a particular group, and each group can have its own agent configuration, rootcheck policies and hardening checks. The manager performs selective remote pushing, sending only the files each agent needs. Once the new configuration is received, the agent restarts itself to apply the changes.

Groups can be managed from a terminal with a CLI included in the Wazuh manager, as well as through Wazuh API requests.

Centralized configuration is now more flexible and efficient.

More information about this feature can be found at Grouping agents.

Remote agent upgrades

The manager can now upgrade agents remotely; information about each agent's version and OS is available so that outdated agents can be detected. A custom procedure performs the upgrade without relying on external package managers (apt/yum): the manager sends a compressed and signed WPK (Wazuh Signed Package) file containing the binaries and instructions needed to upgrade the agent. Rollback is built into the process: if the agent loses its connection after the upgrade, a rollback is executed to restore agent connectivity.

WPK files are generated by the Wazuh project for every new release; it is also possible to use custom WPK files.

Our dedicated section on Remote upgrading has more information about this procedure.

Wazuh cluster for managers

The Wazuh cluster makes it possible to scale horizontally, adding as many nodes as needed to increase the events-per-second ingestion rate.

The cluster architecture is master/client based, synchronizing internal configuration files (agent keys, group configuration, agent configuration and agent statuses) between all client nodes. Thanks to this, agents can now report to multiple managers (cluster nodes), allowing the Wazuh ecosystem to work in high availability and to support failover.

If you want to read more about this functionality, see its dedicated section at Wazuh cluster.

Automatic decoding for JSON events

The Wazuh manager now includes a native decoder for the JSON format which can read any JSON event and extract its fields dynamically. This way, all JSON fields and values can be used when creating rules.

See the complete JSON decoder section to learn how it works.

In combination with the JSON decoder, we included a new log source type in Logcollector to monitor JSON log files. Custom labels can be added from the endpoint, attaching valuable metadata to the monitored JSON logs.

Here is a simple configuration that adds labels to a monitored JSON log file.

<localfile>
  <location>/var/log/myapp/log.json</location>
  <log_format>json</log_format>
  <label key="@source">myapp</label>
  <label key="agent.type">webserver</label>
</localfile>

Here is a JSON log line from the monitored file.

{
  "event": {
    "type": "write",
    "destination": "sample.txt"
  },
  "agent": {
    "name": "web01"
  }
}

Combining the previous configuration with the JSON log line, we obtain the following result.

{
  "event": {
    "type": "write",
    "destination": "sample.txt"
  },
  "agent": {
    "name": "web01",
    "type": "webserver"
  },
  "@source": "myapp"
}

The localfile section of ossec.conf describes how to configure this feature.
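The following is an added example of the labelling behaviour shown above; it is not Wazuh's own logcollector code. It parses the <localfile> block from this page, decodes the sample log line and attaches the labels, nesting a dotted key such as agent.type under the existing "agent" object while a key without dots ("@source") becomes a top-level field. What happens when a label collides with a field the log line already carries is not stated on this page; the example assumes the event's own value wins and that a label whose path runs through a non-object value is skipped.

```python
"""Apply <label> entries from a <localfile> block to a decoded JSON event.

Added illustration of the JSON labelling feature; not Wazuh source code.
"""
import json
import xml.etree.ElementTree as ET

# Copy of the <localfile> block shown in the release notes.
LOCALFILE_XML = """
<localfile>
  <location>/var/log/myapp/log.json</location>
  <log_format>json</log_format>
  <label key="@source">myapp</label>
  <label key="agent.type">webserver</label>
</localfile>
"""

# Constructed sample line, as the agent would read it from the monitored file.
SAMPLE_LINE = (
    '{"event": {"type": "write", "destination": "sample.txt"}, '
    '"agent": {"name": "web01"}}'
)


def parse_labels(localfile_xml: str) -> dict:
    """Return {key: value} for every <label> element in a <localfile> block."""
    root = ET.fromstring(localfile_xml)
    labels = {}
    for label in root.findall("label"):
        key = label.get("key")
        if not key:  # a <label> without a key attribute has nothing to attach to
            continue
        labels[key] = (label.text or "").strip()
    return labels


def apply_labels(event: dict, labels: dict) -> dict:
    """Merge labels into a decoded JSON event, nesting dotted keys.

    Assumption (not taken from the page): a label never overwrites a field
    the log line already carries, and a label whose path passes through a
    non-object value is skipped rather than clobbering that value.
    """
    out = json.loads(json.dumps(event))  # deep copy so the input is untouched
    for key, value in labels.items():
        parts = key.split(".")
        node = out
        for part in parts[:-1]:
            child = node.get(part)
            if child is None:
                child = node[part] = {}
            elif not isinstance(child, dict):
                node = None  # path blocked by a scalar/list: skip this label
                break
            node = child
        if node is None or parts[-1] in node:
            continue
        node[parts[-1]] = value
    return out


def label_json_line(line: str, localfile_xml: str = LOCALFILE_XML) -> dict:
    """Decode one JSON log line and attach the labels configured for its source."""
    return apply_labels(json.loads(line), parse_labels(localfile_xml))


if __name__ == "__main__":
    print(json.dumps(label_json_line(SAMPLE_LINE), indent=2))
```

Running the block prints the labelled event from the page: "type": "webserver" joins "name": "web01" under "agent", and "@source": "myapp" appears at the top level.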

VirusTotal Integration

An integration with the VirusTotal platform is included in version 3.0. It allows the manager to send the hashes of files collected via Syscheck to the VirusTotal API, reporting back the scan results and generating an alert based on the positives found.

Adding VirusTotal as a threat intelligence source on top of the existing FIM capabilities is a significant improvement in malware detection.

An example alert with a positive result is shown below.

** Alert 1510684984.55826: mail  - virustotal,
2017 Nov 14 18:43:04 PC->virustotal
Rule: 87105 (level 12) -> 'VirusTotal: Alert - /media/user/software/suspicious-file.exe - 7 engines detected this file'
{"virustotal": {"permalink": "https://www.virustotal.com/file/8604adffc091a760deb4f4d599ab07540c300a0ccb5581de437162e940663a1e/analysis/1510680277/", "sha1": "68b92d885317929e5b283395400ec3322bc9db5e", "malicious": 1, "source": {"alert_id": "1510684983.55139", "sha1": "68b92d885317929e5b283395400ec3322bc9db5e", "file": "/media/user/software/suspicious-file.exe", "agent": {"id": "006", "name": "agent_centos"}, "md5": "9519135089d69ad7ae6b00a78480bb2b"}, "positives": 7, "found": 1, "total": 67, "scan_date": "2017-11-14 17:24:37"}, "integration": "virustotal"}
virustotal.permalink: https://www.virustotal.com/file/8604adffc091a760deb4f4d599ab07540c300a0ccb5581de437162e940663a1e/analysis/1510680277/
virustotal.sha1: 68b92d885317929e5b283395400ec3322bc9db5e
virustotal.malicious: 1
virustotal.source.alert_id: 1510684983.55139
virustotal.source.sha1: 68b92d885317929e5b283395400ec3322bc9db5e
virustotal.source.file: /media/user/software/suspicious-file.exe
virustotal.source.agent.id: 006
virustotal.source.agent.name: agent_centos
virustotal.source.md5: 9519135089d69ad7ae6b00a78480bb2b
virustotal.positives: 7
virustotal.found: 1
virustotal.total: 67
virustotal.scan_date: 2017-11-14 17:24:37
integration: virustotal

The complete documentation about this integration is located in the VirusTotal integration section.
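The following added example sketches the exchange behind the alert above; it is not Wazuh's integration script. It takes the file path and hashes from a Syscheck alert, queries a VirusTotal file report, and builds the "virustotal" object with the same fields as the alert on this page. The query is simulated offline with a constructed report modelled on the VirusTotal public API v2 file/report response (response_code, positives, total, permalink, scan_date, sha1, md5). The Syscheck field names (syscheck.path, md5_after, sha1_after), the choice of SHA-1 as the lookup key, and the rule that malicious is 1 whenever positives is greater than 0 are assumptions of this example, as is the handling of a hash VirusTotal has never seen (found: 0, no verdict).

```python
"""Shape of the Syscheck -> VirusTotal -> alert exchange.

Added illustration only; not the Wazuh integration's own code.
"""
import json

# Constructed Syscheck alert, trimmed to the fields the exchange needs.
SYSCHECK_ALERT = {
    "id": "1510684983.55139",
    "agent": {"id": "006", "name": "agent_centos"},
    "syscheck": {
        "path": "/media/user/software/suspicious-file.exe",
        "md5_after": "9519135089d69ad7ae6b00a78480bb2b",
        "sha1_after": "68b92d885317929e5b283395400ec3322bc9db5e",
    },
}

# Constructed VirusTotal v2 file/report replies, keyed by the queried hash.
VT_REPORTS = {
    "68b92d885317929e5b283395400ec3322bc9db5e": {
        "response_code": 1,
        "sha1": "68b92d885317929e5b283395400ec3322bc9db5e",
        "md5": "9519135089d69ad7ae6b00a78480bb2b",
        "positives": 7,
        "total": 67,
        "scan_date": "2017-11-14 17:24:37",
        "permalink": "https://www.virustotal.com/file/8604adffc091a760deb4f4d599ab07540c300a0ccb5581de437162e940663a1e/analysis/1510680277/",
    },
}


def lookup_hash(sha1: str, reports: dict = VT_REPORTS) -> dict:
    """Simulated file/report query; an unknown hash yields response_code 0."""
    return reports.get(sha1, {"response_code": 0})


def build_virustotal_event(alert: dict, reports: dict = VT_REPORTS) -> dict:
    """Return the object an alert would carry under the "virustotal" key."""
    sc = alert["syscheck"]
    sha1 = sc["sha1_after"]  # assumption: SHA-1 is the hash sent to VirusTotal
    source = {
        "alert_id": alert["id"],
        "file": sc["path"],
        "md5": sc["md5_after"],
        "sha1": sha1,
        "agent": alert["agent"],
    }
    report = lookup_hash(sha1, reports)
    if report.get("response_code") != 1:
        # VirusTotal has no record of this file: report the source, no verdict.
        return {"source": source, "found": 0, "malicious": 0}
    positives = int(report.get("positives", 0))
    return {
        "source": source,
        "found": 1,
        "positives": positives,
        "total": int(report.get("total", 0)),
        "malicious": 1 if positives > 0 else 0,  # assumption, see lead-in
        "sha1": report.get("sha1", sha1),
        "scan_date": report.get("scan_date"),
        "permalink": report.get("permalink"),
    }


def describe(vt: dict) -> str:
    """One-line summary in the style of the rule description shown above."""
    path = vt["source"]["file"]
    if not vt["found"]:
        return "VirusTotal: Alert - %s - no report for this file yet" % path
    return "VirusTotal: Alert - %s - %d engines detected this file" % (path, vt["positives"])


if __name__ == "__main__":
    result = build_virustotal_event(SYSCHECK_ALERT)
    print(describe(result))
    print(json.dumps({"virustotal": result, "integration": "virustotal"}, indent=2))
```

The not-found branch matters in practice: a freshly compiled or private binary returns no report, so found: 0 has to be treated as "unknown", not as "clean".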

MSI Windows installer for agents

A new digitally signed MSI Windows installer has been developed to improve the installation process for Windows agents. Among its many advantages, the new installer can be launched in unattended mode from the command line, reducing agent installation, configuration, registration and connection to a single step.

The procedure for using the MSI installer can be found at the following section: Install Wazuh agent on Windows

Wazuh API

The Wazuh API now includes functionality to manage all the features included in this release:

  • Management of remote agent upgrades.
  • Requests for managing groups.
  • Management of the new Wazuh Cluster.

In addition, more new features can be found in the API changelog.

Ruleset

The Ruleset has been improved along with the other components, including the necessary rules for the VirusTotal integration for example.

For more details about the changes included in the Ruleset, see the Ruleset changelog.

Updated external libraries

External libraries used by Wazuh have been updated to improve their integration with our components.

More relevant features

Additional features have been added to Wazuh 3.0.0. The most relevant are the following:

  • Possibility of choosing the cipher suite in Authd settings.
  • When a new shared configuration is added from the manager to an agent, this agent will be restarted automatically.
  • New state ‘pending’ is shown for agents which are waiting for a manager response.
  • Possibility of configuring several managers for each agent, specifying the protocol and port for each one of them.
  • New function to rotate and compress internal logs by size.