How it works

The following steps are required to set up monitoring of a specific command's output on agents:

Configure Wazuh agents to accept remote commands from the manager

Agents have the ability to run commands pushed from the manager (via the files in the shared directory). Before this feature can be used, however, the agents must be explicitly configured to accept remote commands, because enabling it means that whoever controls the manager's shared configuration can run arbitrary commands on every agent in the group. This can be done by setting the logcollector.remote_commands option in the local_internal_options.conf file on each agent as shown below; this file is local to the agent and is not distributed from the manager, so the decision stays with the agent's administrator. Restart the agent after changing it.

# Logcollector - Whether or not to accept remote commands from the manager
logcollector.remote_commands=1

Configure a command to monitor

The commands to run and monitor can be configured locally in the ossec.conf file of individual agents; however, the ideal location for this configuration is the appropriate group section of the agent.conf file on the manager, so that the same command is monitored consistently across all agents in that group.

Example:

<localfile>
     <log_format>full_command</log_format>
     <command>.....</command>
     <frequency>120</frequency>
</localfile>

Process the output

After configuring the system to monitor the command's output as if it were log data, custom rules can be created, just as for log analysis, to process the output and trigger an alert when the alert criteria are met. Each run of a full_command is delivered as a single event whose header identifies the command (or its alias), so rules can match on that header and, with check_diff, alert only when the output changes between runs.
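The three steps above, put together into one complete configuration as an added example (this is not configuration taken from the original page; the agent group "default", the alias "netstat listening ports" and rule id 100100 are assumed values chosen for illustration):

```xml
<!-- Step 1, on each agent: /var/ossec/etc/local_internal_options.conf
     logcollector.remote_commands=1
     (not XML; shown here only to keep the whole procedure in one place) -->

<!-- Step 2, on the manager: /var/ossec/etc/shared/default/agent.conf (group "default" is assumed) -->
<agent_config os="Linux">
  <localfile>
    <!-- full_command delivers the complete output as one event, so the rule below can diff the whole list -->
    <log_format>full_command</log_format>
    <!-- sort makes the output stable between runs, so only real changes produce a diff -->
    <command>netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort</command>
    <!-- the alias replaces the raw command in the event header:
         ossec: output: 'netstat listening ports': ... -->
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>
</agent_config>

<!-- Step 3, on the manager: /var/ossec/etc/rules/local_rules.xml
     rule id 100100 is an assumed value inside the custom range 100000-120000 -->
<group name="local,ossec,">
  <rule id="100100" level="7">
    <!-- 530 is the built-in parent rule matching "^ossec: output: " -->
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat listening ports'</match>
    <!-- fire only when the output differs from the previous run of this command -->
    <check_diff />
    <description>Listening ports changed (port opened or closed).</description>
  </rule>
</group>
```

After restarting the agent (for step 1) and the manager (for step 3), the first run stores a baseline and produces no alert; a later run whose sorted port list differs raises a level 7 alert carrying the new output. If an agent still has logcollector.remote_commands set to 0, the localfile block is ignored on that agent and no events arrive, so check the agent's ossec.log before assuming the rule is at fault.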

Note

Read the Scheduling remote commands for Wazuh agents document for more information and remote command use cases.