    Attention This documentation does not apply to the most recent version of Wazuh. Check out the docs for the latest version.

    Command monitoring

    There are times when you may want to monitor things that are not in the logs. To address this, Wazuh incorporates the ability to monitor the output of specific commands and treat the output as though it were log file content.

    Contents

    • How it works
      • Configure Wazuh agents to accept remote commands from the manager
      • Configure a command to monitor
      • Process the output
    • Configuration
      • Basic usage
      • Monitor running Windows processes
      • Disk space utilization
      • Check if the output changed
      • Load average
      • Detect USB Storage
    • FAQ
      • Can I monitor commands on Linux and Windows?
      • What are the command monitoring capabilities?
      • Can I check if an application is running on an agent?
    © 2022 · Wazuh Inc.