Reference

This API reference is organized by resource. The Request List below shows all of the available requests.

Request List

- Agents
  - DELETE /agents (Delete agents)
  - DELETE /agents/:agent_id (Delete an agent)
  - DELETE /agents/:agent_id/group (Unset the agent group)
  - DELETE /agents/groups (Delete a list of groups)
  - DELETE /agents/groups/:group_id (Remove group)
  - GET /agents (Get all agents)
  - GET /agents/:agent_id (Get an agent)
  - GET /agents/:agent_id/key (Get agent key)
  - GET /agents/:agent_id/upgrade_result (Get upgrade result from agent)
  - GET /agents/groups (Get groups)
  - GET /agents/groups/:group_id (Get agents in a group)
  - GET /agents/groups/:group_id/configuration (Get group configuration)
  - GET /agents/groups/:group_id/files (Get group files)
  - GET /agents/groups/:group_id/files/:filename (Get a file in group)
  - GET /agents/name/:agent_name (Get an agent by its name)
  - GET /agents/no_group (Get agents without group)
  - GET /agents/outdated (Get outdated agents)
  - GET /agents/stats/distinct (Get distinct fields in agents)
  - GET /agents/summary (Get agents summary)
  - GET /agents/summary/os (Get OS summary)
  - POST /agents (Add agent)
  - POST /agents/insert (Insert agent)
  - POST /agents/restart (Restart a list of agents)
  - PUT /agents/:agent_id/group/:group_id (Set agent group)
  - PUT /agents/:agent_id/restart (Restart an agent)
  - PUT /agents/:agent_id/upgrade (Upgrade agent using online repository)
  - PUT /agents/:agent_id/upgrade_custom (Upgrade agent using custom file)
  - PUT /agents/:agent_name (Add agent (quick method))
  - PUT /agents/groups/:group_id (Create a group)
  - PUT /agents/restart (Restart all agents)
- Cache
  - DELETE /cache (Clear group cache)
  - DELETE /cache (Delete cache index)
  - GET /cache (Get cache index)
  - GET /cache/config (Return cache configuration)
- Cluster
  - GET /cluster/config (Get the cluster configuration)
  - GET /cluster/healthcheck (Show cluster health)
  - GET /cluster/node (Get local node info)
  - GET /cluster/nodes (Get nodes info)
  - GET /cluster/nodes/:node_name (Get node info)
  - GET /cluster/status (Get info about cluster status)
- Decoders
  - GET /decoders (Get all decoders)
  - GET /decoders/:decoder_name (Get decoders by name)
  - GET /decoders/files (Get all decoders files)
  - GET /decoders/parents (Get all parent decoders)
- Experimental
  - GET /experimental/syscollector/hardware (Get hardware info of all agents)
  - GET /experimental/syscollector/netaddr (Get network address info of all agents)
  - GET /experimental/syscollector/netiface (Get network interface info of all agents)
  - GET /experimental/syscollector/netproto (Get network protocol info of all agents)
  - GET /experimental/syscollector/os (Get OS info of all agents)
  - GET /experimental/syscollector/packages (Get packages info of all agents)
  - GET /experimental/syscollector/ports (Get ports info of all agents)
  - GET /experimental/syscollector/processes (Get processes info of all agents)
- Manager
  - GET /manager/configuration (Get manager configuration)
  - GET /manager/info (Get manager information)
  - GET /manager/logs (Get ossec.log)
  - GET /manager/logs/summary (Get summary of ossec.log)
  - GET /manager/stats (Get manager stats)
  - GET /manager/stats/hourly (Get manager stats by hour)
  - GET /manager/stats/weekly (Get manager stats by week)
  - GET /manager/status (Get manager status)
- Rootcheck
  - DELETE /rootcheck (Clear rootcheck database)
  - DELETE /rootcheck/:agent_id (Clear rootcheck database of an agent)
  - GET /rootcheck/:agent_id (Get rootcheck database)
  - GET /rootcheck/:agent_id/cis (Get rootcheck CIS requirements)
  - GET /rootcheck/:agent_id/last_scan (Get last rootcheck scan)
  - GET /rootcheck/:agent_id/pci (Get rootcheck PCI requirements)
  - PUT /rootcheck (Run rootcheck scan in all agents)
  - PUT /rootcheck/:agent_id (Run rootcheck scan in an agent)
- Rules
  - GET /rules (Get all rules)
  - GET /rules/:rule_id (Get rules by id)
  - GET /rules/files (Get files of rules)
  - GET /rules/gdpr (Get rule GDPR requirements)
  - GET /rules/groups (Get rule groups)
  - GET /rules/pci (Get rule PCI requirements)
- Syscheck
  - DELETE /syscheck (Clear syscheck database)
  - DELETE /syscheck/:agent_id (Clear syscheck database of an agent)
  - GET /syscheck/:agent_id (Get syscheck files)
  - GET /syscheck/:agent_id/last_scan (Get last syscheck scan)
  - PUT /syscheck (Run syscheck scan in all agents)
  - PUT /syscheck/:agent_id (Run syscheck scan in an agent)
- Syscollector
  - GET /syscollector/:agent_id/hardware (Get hardware info)
  - GET /syscollector/:agent_id/netaddr (Get network address info of an agent)
  - GET /syscollector/:agent_id/netiface (Get network interface info of an agent)
  - GET /syscollector/:agent_id/netproto (Get network protocol info of an agent)
  - GET /syscollector/:agent_id/os (Get OS info)
  - GET /syscollector/:agent_id/packages (Get packages info)
  - GET /syscollector/:agent_id/ports (Get ports info of an agent)
  - GET /syscollector/:agent_id/processes (Get processes info)
Agents

Add

Add agent

Adds a new agent.

Request:
POST /agents

Parameters:

| Param | Type | Description |
|---|---|---|
| | String | Agent name. |
| | String | If this is not included, the API will get the IP automatically. If you are behind a proxy, you must set the option config.BehindProxyServer to yes at config.js. Allowed values: |
| | Number | Remove the old agent with the same IP if disconnected since <force> seconds. |
Example Request:
curl -u foo:bar -X POST -d '{"name":"NewHost","ip":"10.0.0.9"}' -H 'Content-Type:application/json' "http://localhost:55000/agents?pretty"
Example Response:
{
"error": 0,
"data": {
"id": "007",
"key": "MDA3IE5ld0hvc3QgMTAuMC4wLjkgYzc2YmZiOTEyYzI0MmMyYzFmMjY2ZTZiMzMyMDM4OTlkMzQ5M2E3OTRkOTMyMDU1MzAzZTE3ZDBkN2I0MmM5Yw=="
}
}
Add agent (quick method)

Adds a new agent with name :agent_name. This agent will use ANY as IP.

Request:
PUT /agents/:agent_name

Parameters:

| Param | Type | Description |
|---|---|---|
| | String | Agent name. |
Example Request:
curl -u foo:bar -X PUT "http://localhost:55000/agents/myNewAgent?pretty"
Example Response:
{
"error": 0,
"data": {
"id": "008",
"key": "MDA4IG15TmV3QWdlbnQgYW55IGYwNjI0M2Q4YzIyZjI0N2FmNzZjZDFlNjBjZjBjMmE3NTMzY2VmZDQ0NGY4MDk2MTBlYTVlZWI1YjU1OGQzMjY="
}
}
Insert agent

Inserts an agent with an existing id and key.

Request:
POST /agents/insert

Parameters:

| Param | Type | Description |
|---|---|---|
| | String | Agent name. |
| | String | If this is not included, the API will get the IP automatically. If you are behind a proxy, you must set the option config.BehindProxyServer to yes at config.js. Allowed values: |
| | String | Agent ID. |
| | String | Agent key. Minimum length: 64 characters. Allowed values: ^[a-zA-Z0-9]+$ |
| | Number | Remove the old agent with the same IP if disconnected since <force> seconds. |
Example Request:
curl -u foo:bar -X POST -d '{"name":"NewHost_2","ip":"10.0.10.10","id":"123","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64"}' -H 'Content-Type:application/json' "http://localhost:55000/agents/insert?pretty"
Example Response:
{
"error": 0,
"data": {
"id": "123",
"key": "1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64"
}
}
Delete

Delete a list of groups

Removes a list of groups.

Request:
DELETE /agents/groups

Parameters:

| Param | Type | Description |
|---|---|---|
| | String[] | Array of group IDs. |
Example Request:
curl -u foo:bar -X DELETE -H "Content-Type:application/json" -d '{"ids":["webserver","database"]}' "http://localhost:55000/agents/groups?pretty"
Example Response:
{
"error": 0,
"data": {
"msg": "All selected groups were removed",
"ids": [
"webserver",
"database"
],
"affected_agents": [
"002",
"005",
"003"
]
}
}
Delete agents

Removes agents, either from a list of IDs or by a criterion based on status or on the time of the last connection. The Wazuh API must be restarted after removing an agent.

Request:
DELETE /agents

Parameters:

| Param | Type | Description |
|---|---|---|
| | String[] | Array of agent IDs. |
| | Boolean | Delete the agent from the key store. |
| | String | Filters by agent status. Use commas to enter multiple statuses. Allowed values: |
| | String | Filters out agents disconnected for longer than the specified time. Time in seconds, ‘[n_days]d’, ‘[n_hours]h’, ‘[n_minutes]m’ or ‘[n_seconds]s’. For never-connected agents, the register date is used. |
Example Request:
curl -u foo:bar -X DELETE -H "Content-Type:application/json" -d '{"ids":["003","005"]}' "http://localhost:55000/agents?pretty&older_than=10s"
Example Response:
{
"error": 0,
"data": {
"msg": "All selected agents were removed",
"older_than": "10s",
"affected_agents": [
"003",
"005"
],
"total_affected_agents": 2
}
}
Delete an agent

Removes an agent.

Request:
DELETE /agents/:agent_id

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | Agent ID. |
| | String | Delete the agent from the key store. |
Example Request:
curl -u foo:bar -X DELETE "http://localhost:55000/agents/008?pretty"
Example Response:
{
"error": 0,
"data": {
"msg": "All selected agents were removed",
"affected_agents": [
"008"
]
}
}
Groups

Create a group

Creates a new group.

Request:
PUT /agents/groups/:group_id

Parameters:

| Param | Type | Description |
|---|---|---|
| | String | Group ID. |
Example Request:
curl -u foo:bar -X PUT "http://localhost:55000/agents/groups/pciserver?pretty"
Example Response:
{
"error": 0,
"data": "Group 'pciserver' created."
}
Get a file in group

Returns the specified file belonging to the group, parsed to JSON.

Request:
GET /agents/groups/:group_id/files/:filename

Parameters:

| Param | Type | Description |
|---|---|---|
| | String | Group ID. |
| | String | Filename. |
| | String | Type of file. Allowed values: |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/groups/webserver/files/cis_debian_linux_rcl.txt?pretty"
Example Response:
{
"data": {
"controls": [
{
"...": "..."
},
{
"condition": "all required",
"name": "CIS - Testing against the CIS Debian Linux Benchmark v1",
"reference": "CIS_Debian_Benchmark_v1.0pdf",
"checks": [
"f:/etc/debian_version;"
]
}
]
},
"error": 0
}
Get agents in a group

Returns the list of agents in a group.

Request:
GET /agents/groups/:group_id

Parameters:

| Param | Type | Description |
|---|---|---|
| | String | Group ID. |
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | List of selected fields. |
| | String | Filters by agent status. Allowed values: |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/groups/dmz?pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 2,
"items": [
{
"status": "Active",
"configSum": "ab73af41699f13fdd81903b5f23d8d00",
"group": "dmz",
"name": "ubuntu",
"mergedSum": "a83a96777380449bd8c10719f88f0048",
"ip": "192.168.185.7",
"node_name": "node01",
"dateAdd": "2018-08-02 16:52:04",
"version": "Wazuh v3.5.0",
"key": "ac7b7eddf95d65374cb82003024096effa8d90789d447805c375427cb62c75a2",
"manager_host": "wazuh",
"lastKeepAlive": "2018-08-03 00:26:32",
"os": {
"major": "16",
"name": "Ubuntu",
"uname": "Linux |ubuntu |4.4.0-131-generic |#157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 |x86_64",
"platform": "ubuntu",
"version": "16.04.5 LTS",
"codename": "Xenial Xerus",
"arch": "x86_64",
"minor": "04"
},
"id": "001"
},
{
"status": "Never connected",
"group": "dmz",
"name": "main_database",
"ip": "10.0.0.15",
"node_name": "unknown",
"dateAdd": "2018-08-03 00:24:46",
"key": "af1bdfe73ef104254bc654837c4c3f9b882fbbb208a22abe7c3a3e1f42681c8d",
"id": "004"
}
]
}
}
Get agents without group

Returns a list of the available agents that belong to no group.

Request:
GET /agents/no_group

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | List of selected fields. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/no_group?pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 3,
"items": [
{
"status": "Never connected",
"dateAdd": "2018-08-03 00:25:01",
"name": "server002",
"key": "e4df6380401202714d757ca8b37e76c15c13e58256ee6c380022080da7d21f31",
"ip": "10.0.0.20",
"id": "006",
"node_name": "unknown"
},
{
"status": "Never connected",
"dateAdd": "2018-08-03 00:26:34",
"name": "NewHost",
"key": "c76bfb912c242c2c1f266e6b33203899d3493a794d932055303e17d0d7b42c9c",
"ip": "10.0.0.9",
"id": "007",
"node_name": "unknown"
},
{
"status": "Never connected",
"dateAdd": "2018-08-03 00:26:34",
"name": "NewHost_2",
"key": "1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64",
"ip": "10.0.10.10",
"id": "123",
"node_name": "unknown"
}
]
}
}
Get group configuration

Returns the group configuration (agent.conf).

Request:
GET /agents/groups/:group_id/configuration

Parameters:

| Param | Type | Description |
|---|---|---|
| | String | Group ID. |
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/groups/dmz/configuration?pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 1,
"items": [
{
"config": {
"localfile": [
{
"log_format": "syslog",
"location": "/var/log/linux.log"
}
]
},
"filters": {
"os": "Linux"
}
}
]
}
}
Get group files

Returns the files belonging to the group.

Request:
GET /agents/groups/:group_id/files

Parameters:

| Param | Type | Description |
|---|---|---|
| | String | Group ID. |
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/groups/default/files?pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 24,
"items": [
{
"hash": "ab73af41699f13fdd81903b5f23d8d00",
"filename": "agent.conf"
},
{
"hash": "76d8be9b97d8eae4c239e530ee7e71c8",
"filename": "ar.conf"
},
{
"hash": "6d9bd718faff778bbeabada6f07f5c2f",
"filename": "cis_apache2224_rcl.txt"
},
{
"hash": "9beed128b4305943eead1a66a86d27d5",
"filename": "cis_debian_linux_rcl.txt"
},
{
"hash": "ee520e627150c8751493bc32540b859a",
"filename": "cis_mysql5-6_community_rcl.txt"
},
{
"hash": "672c92a1f57463e33ff14011b43727de",
"filename": "cis_mysql5-6_enterprise_rcl.txt"
},
{
"hash": "e03345360941dbff248f63765971f87e",
"filename": "cis_rhel5_linux_rcl.txt"
},
{
"hash": "d53e584559b759cb6ec3956f23dee46f",
"filename": "cis_rhel6_linux_rcl.txt"
},
{
"hash": "3b67c8b54d0fa8fdf5afa8d0d43398d8",
"filename": "cis_rhel7_linux_rcl.txt"
},
{
"hash": "24e83427d2678aada50fa401b921a0cd",
"filename": "cis_rhel_linux_rcl.txt"
},
{
"hash": "a3978c24aec520c4bcfb7db62bea41b9",
"filename": "cis_sles11_linux_rcl.txt"
},
{
"hash": "533ec3f8eda8e52edb181e3f6bd44d52",
"filename": "cis_sles12_linux_rcl.txt"
},
{
"hash": "6d762779c44dda24901673c0e715f5a9",
"filename": "cis_win2012r2_domainL1_rcl.txt"
},
{
"hash": "18ae1149bf2db6cc942d4fcb0f17a336",
"filename": "cis_win2012r2_domainL2_rcl.txt"
},
{
"hash": "5f0f6c9c40684b8cdac9bca1fa138ebc",
"filename": "cis_win2012r2_memberL1_rcl.txt"
},
{
"hash": "10b99529e86bedd78accce983eb402b5",
"filename": "cis_win2012r2_memberL2_rcl.txt"
},
{
"hash": "f1a9e24e02ba4cc5ea80a9d3feb3bb9a",
"filename": "merged.mg"
},
{
"hash": "a403c34392032ace267fbb163fc7cfad",
"filename": "rootkit_files.txt"
},
{
"hash": "b5d427623664d76140acbcb91f42d586",
"filename": "rootkit_trojans.txt"
},
{
"hash": "6cca8467c592a23fcf62cd5f33608fc3",
"filename": "system_audit_rcl.txt"
},
{
"hash": "e778eb44e4e8116a1e4c017b9b23eea2",
"filename": "system_audit_ssh.txt"
},
{
"hash": "0e1f8f16e217a70b9b80047646823587",
"filename": "win_applications_rcl.txt"
},
{
"hash": "4c2207e003d08db69822754271f9cb60",
"filename": "win_audit_rcl.txt"
},
{
"hash": "f9c3330533586eb380f294dcbd9918d8",
"filename": "win_malware_rcl.txt"
}
]
}
}
Get groups

Returns the list of existing agent groups.

Request:
GET /agents/groups

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | Selects the algorithm used to generate the sum. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/groups?pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 3,
"items": [
{
"count": 1,
"mergedSum": "f1a9e24e02ba4cc5ea80a9d3feb3bb9a",
"configSum": "ab73af41699f13fdd81903b5f23d8d00",
"name": "default"
},
{
"count": 2,
"mergedSum": "bab45db2c0f1440dc60721c468b53265",
"configSum": "3710695280e1f52b18797c882a28df89",
"name": "dmz"
},
{
"count": 0,
"mergedSum": "f1a9e24e02ba4cc5ea80a9d3feb3bb9a",
"configSum": "ab73af41699f13fdd81903b5f23d8d00",
"name": "pciserver"
}
]
}
}
Remove group

Removes the group. Agents that were assigned to the removed group automatically revert to the ‘default’ group.

Request:
DELETE /agents/groups/:group_id

Parameters:

| Param | Type | Description |
|---|---|---|
| | String | Group ID. |
Example Request:
curl -u foo:bar -X DELETE "http://localhost:55000/agents/groups/dmz?pretty"
Example Response:
{
"error": 0,
"data": {
"msg": "All selected groups were removed",
"ids": [
"dmz"
],
"affected_agents": [
"001",
"004"
]
}
}
Set agent group

Assigns an agent to the specified group.

Request:
PUT /agents/:agent_id/group/:group_id

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | Agent unique ID. |
| | String | Group ID. |
Example Request:
curl -u foo:bar -X PUT "http://localhost:55000/agents/004/group/webserver?pretty"
Example Response:
{
"error": 0,
"data": "Group 'webserver' set to agent '004'."
}
Unset the agent group

Unsets the group of the agent. The agent automatically reverts to the ‘default’ group.

Request:
DELETE /agents/:agent_id/group

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | Agent ID. |
Example Request:
curl -u foo:bar -X DELETE "http://localhost:55000/agents/004/group?pretty"
Example Response:
{
"error": 0,
"data": "Group unset for agent '004'."
}
Info

Get OS summary

Returns a summary of the agents' operating systems.

Request:
GET /agents/summary/os

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/summary/os?pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 1,
"items": [
"ubuntu"
]
}
}
Get agents summary

Returns a summary of the available agents.

Request:
GET /agents/summary
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/summary?pretty"
Example Response:
{
"error": 0,
"data": {
"Active": 2,
"Never connected": 5,
"Total": 7,
"Disconnected": 0
}
}
Get all agents

Returns a list of the available agents.

Request:
GET /agents

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | List of selected fields. |
| | String | Filters by agent status. Use commas to enter multiple statuses. Allowed values: |
| | String | Filters out agents disconnected for longer than the specified time. Time in seconds, ‘[n_days]d’, ‘[n_hours]h’, ‘[n_minutes]m’ or ‘[n_seconds]s’. For never-connected agents, the register date is used. |
| | String | Filters by OS platform. |
| | String | Filters by OS version. |
| | String | Filters by the manager hostname to which agents are connected. |
| | String | Filters by agent version. |
| | String | Filters by agent group. |
| | String | Filters by node name. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents?pretty&offset=0&limit=5&sort=-ip,name"
Example Response:
{
"error": 0,
"data": {
"totalItems": 7,
"items": [
{
"status": "Active",
"configSum": "ab73af41699f13fdd81903b5f23d8d00",
"group": "default",
"name": "ubuntu",
"mergedSum": "a83a96777380449bd8c10719f88f0048",
"ip": "192.168.185.7",
"node_name": "node01",
"dateAdd": "2018-08-02 16:52:04",
"version": "Wazuh v3.5.0",
"key": "ac7b7eddf95d65374cb82003024096effa8d90789d447805c375427cb62c75a2",
"manager_host": "wazuh",
"lastKeepAlive": "2018-08-03 00:26:32",
"os": {
"major": "16",
"name": "Ubuntu",
"uname": "Linux |ubuntu |4.4.0-131-generic |#157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 |x86_64",
"platform": "ubuntu",
"version": "16.04.5 LTS",
"codename": "Xenial Xerus",
"arch": "x86_64",
"minor": "04"
},
"id": "001"
},
{
"status": "Active",
"name": "wazuh",
"ip": "127.0.0.1",
"node_name": "node01",
"dateAdd": "2018-08-02 16:48:58",
"version": "Wazuh v3.5.0",
"manager_host": "wazuh",
"lastKeepAlive": "9999-12-31 23:59:59",
"os": {
"major": "18",
"name": "Ubuntu",
"uname": "Linux |wazuh |4.15.0-29-generic |#31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 |x86_64",
"platform": "ubuntu",
"version": "18.04 LTS",
"codename": "Bionic Beaver",
"arch": "x86_64",
"minor": "04"
},
"id": "000"
},
{
"status": "Never connected",
"dateAdd": "2018-08-03 00:26:34",
"name": "NewHost_2",
"key": "1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64",
"ip": "10.0.10.10",
"id": "123",
"node_name": "unknown"
},
{
"status": "Never connected",
"dateAdd": "2018-08-03 00:26:34",
"name": "NewHost",
"key": "c76bfb912c242c2c1f266e6b33203899d3493a794d932055303e17d0d7b42c9c",
"ip": "10.0.0.9",
"id": "007",
"node_name": "unknown"
},
{
"status": "Never connected",
"group": "default",
"name": "server001",
"ip": "10.0.0.62",
"node_name": "unknown",
"dateAdd": "2018-08-03 00:24:35",
"key": "3cb62630ddc77dccbda46542e8c469728a030e7696384195d61968bd7d107bb7",
"id": "002"
}
]
}
}
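The status, older_than and sort parameters described for DELETE /agents and GET /agents above, applied offline to the agents from the GET /agents example response. This is an added example and not Wazuh's own implementation; the reading of older_than (lastKeepAlive for disconnected agents, dateAdd for never-connected ones, active agents never matching) is an assumption drawn from the parameter description, and `now` is a constructed reference time.

```python
import re
from datetime import datetime, timedelta

# Agents copied from this page's GET /agents example response, reduced to the
# fields the filters below use. The manager itself (id 000) reports the sentinel
# lastKeepAlive "9999-12-31 23:59:59".
SAMPLE_AGENTS = [
    {"id": "001", "name": "ubuntu", "ip": "192.168.185.7", "status": "Active",
     "dateAdd": "2018-08-02 16:52:04", "lastKeepAlive": "2018-08-03 00:26:32"},
    {"id": "000", "name": "wazuh", "ip": "127.0.0.1", "status": "Active",
     "dateAdd": "2018-08-02 16:48:58", "lastKeepAlive": "9999-12-31 23:59:59"},
    {"id": "123", "name": "NewHost_2", "ip": "10.0.10.10", "status": "Never connected",
     "dateAdd": "2018-08-03 00:26:34"},
    {"id": "007", "name": "NewHost", "ip": "10.0.0.9", "status": "Never connected",
     "dateAdd": "2018-08-03 00:26:34"},
    {"id": "002", "name": "server001", "ip": "10.0.0.62", "status": "Never connected",
     "dateAdd": "2018-08-03 00:24:35"},
]

# older_than accepts a bare number of seconds or [n]d, [n]h, [n]m, [n]s.
_OLDER_THAN = re.compile(r"^(\d+)([dhms]?)$")
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
_TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_older_than(value: str) -> timedelta:
    """Turn an older_than value such as "10s", "3h" or "90" into a timedelta."""
    m = _OLDER_THAN.match(value.strip())
    if not m:
        raise ValueError(f"invalid older_than value: {value!r}")
    count, unit = m.groups()
    return timedelta(seconds=int(count) * _UNIT_SECONDS[unit])


def select_agents(agents, ids=None, status=None, older_than=None, now=None):
    """Apply the ids, status and older_than criteria of DELETE /agents (status and
    older_than also filter GET /agents) to a list of agent records.

    Assumed interpretation of the page's wording: older_than is measured from
    lastKeepAlive for disconnected agents and from dateAdd (the register date)
    for never-connected ones; active agents never match older_than.
    `now` may be a datetime or a "YYYY-mm-dd HH:MM:SS" string; default is the clock.
    """
    wanted_status = {s.strip().lower() for s in status.split(",")} if status else None
    threshold = parse_older_than(older_than) if older_than else None
    if isinstance(now, str):
        now = datetime.strptime(now, _TS_FORMAT)
    elif now is None:
        now = datetime.now()
    selected = []
    for agent in agents:
        if ids is not None and agent["id"] not in ids:
            continue
        st = agent["status"].lower()
        if wanted_status is not None and st not in wanted_status:
            continue
        if threshold is not None:
            if st == "never connected":
                reference = agent["dateAdd"]
            elif st == "disconnected":
                reference = agent["lastKeepAlive"]
            else:
                continue  # an active agent is not "disconnected for longer than"
            if now - datetime.strptime(reference, _TS_FORMAT) <= threshold:
                continue
        selected.append(agent)
    return selected


def sort_agents(agents, sort_spec):
    """Implement the sort parameter: comma-separated fields, each optionally
    prefixed with + (ascending) or - (descending). Values are compared as
    strings, which is why the page's sort=-ip,name example lists 10.0.0.9 before
    10.0.0.62. A stable sort is applied from the last key to the first."""
    result = list(agents)
    fields = [f.strip() for f in sort_spec.split(",") if f.strip()]
    for field in reversed(fields):
        descending = field.startswith("-")
        key = field.lstrip("+-")
        result.sort(key=lambda a: str(a.get(key, "")), reverse=descending)
    return result


def agent_ids(agents):
    """Convenience: the ids of a list of agent records, in order."""
    return [a["id"] for a in agents]


if __name__ == "__main__":
    now = "2018-08-03 00:26:45"  # constructed: 11 s after the last registration
    print("older_than=10s:", agent_ids(select_agents(SAMPLE_AGENTS, older_than="10s", now=now)))
    print("sort=-ip,name:", agent_ids(sort_agents(SAMPLE_AGENTS, "-ip,name")))
```

With the reference time above, the never-connected agents 123, 007 and 002 match older_than=10s while the two active agents do not, and sort=-ip,name reproduces the order of the page's example response.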
Get an agent

Returns various information about an agent.

Request:
GET /agents/:agent_id

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | Agent ID. |
| | String | List of selected fields. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/000?pretty"
Example Response:
{
"error": 0,
"data": {
"status": "Active",
"name": "wazuh",
"ip": "127.0.0.1",
"dateAdd": "2018-08-02 16:48:58",
"version": "Wazuh v3.5.0",
"manager_host": "wazuh",
"lastKeepAlive": "9999-12-31 23:59:59",
"os": {
"major": "18",
"name": "Ubuntu",
"platform": "ubuntu",
"uname": "Linux |wazuh |4.15.0-29-generic |#31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 |x86_64",
"version": "18.04 LTS",
"codename": "Bionic Beaver",
"arch": "x86_64",
"minor": "04"
},
"id": "000"
}
}
Get an agent by its name

Returns various information about the agent named :agent_name.

Request:
GET /agents/name/:agent_name

Parameters:

| Param | Type | Description |
|---|---|---|
| | String | Agent name. |
| | String | List of selected fields. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/name/NewHost?pretty"
Example Response:
{
"error": 0,
"data": {
"status": "Never connected",
"ip": "10.0.0.9",
"dateAdd": "2018-08-03 00:26:34",
"id": "007",
"name": "NewHost"
}
}
Key

Get agent key

Returns the key of an agent.

Request:
GET /agents/:agent_id/key

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | Agent ID. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/004/key?pretty"
Example Response:
{
"error": 0,
"data": "MDA0IG1haW5fZGF0YWJhc2UgMTAuMC4wLjE1IGFmMWJkZmU3M2VmMTA0MjU0YmM2NTQ4MzdjNGMzZjliODgyZmJiYjIwOGEyMmFiZTdjM2EzZTFmNDI2ODFjOGQ="
}
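The base64 key returned by Add agent, Add agent (quick method) and Get agent key above, decoded and checked against the key constraints listed for Insert agent. This is an added example, not Wazuh's own code; the decoded layout "<id> <name> <ip> <key>" is an assumption confirmed against every key shown on this page, not a rule the page states, and the field names in the insert payload follow the page's example request.

```python
import base64
import re

# Constraints from the "Insert agent" parameter table on this page: the agent key
# must be at least 64 characters and match ^[a-zA-Z0-9]+$.
KEY_MIN_LEN = 64
KEY_RE = re.compile(r"^[a-zA-Z0-9]+$")

# Values copied from this page's example responses: POST /agents (agent 007),
# PUT /agents/myNewAgent (agent 008) and GET /agents/004/key (agent 004).
KEY_BLOB_007 = "MDA3IE5ld0hvc3QgMTAuMC4wLjkgYzc2YmZiOTEyYzI0MmMyYzFmMjY2ZTZiMzMyMDM4OTlkMzQ5M2E3OTRkOTMyMDU1MzAzZTE3ZDBkN2I0MmM5Yw=="
KEY_BLOB_008 = "MDA4IG15TmV3QWdlbnQgYW55IGYwNjI0M2Q4YzIyZjI0N2FmNzZjZDFlNjBjZjBjMmE3NTMzY2VmZDQ0NGY4MDk2MTBlYTVlZWI1YjU1OGQzMjY="
KEY_BLOB_004 = "MDA0IG1haW5fZGF0YWJhc2UgMTAuMC4wLjE1IGFmMWJkZmU3M2VmMTA0MjU0YmM2NTQ4MzdjNGMzZjliODgyZmJiYjIwOGEyMmFiZTdjM2EzZTFmNDI2ODFjOGQ="


def decode_agent_key(blob: str) -> dict:
    """Decode the base64 agent key returned by POST /agents, PUT /agents/:agent_name
    and GET /agents/:agent_id/key into its fields.

    Assumption (checked against every example on this page, not stated by it as
    a rule): the decoded text is "<id> <name> <ip> <key>" separated by single
    spaces, where <ip> is "any" for agents added with the quick method.
    """
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"not a base64 agent key: {exc}") from exc
    parts = text.split(" ")
    if len(parts) != 4:
        raise ValueError(f"expected 4 space-separated fields, got {len(parts)}")
    agent_id, name, ip, key = parts
    return {"id": agent_id, "name": name, "ip": ip, "key": key}


def encode_agent_key(agent_id: str, name: str, ip: str, key: str) -> str:
    """Inverse of decode_agent_key: build the base64 blob from its four fields."""
    text = f"{agent_id} {name} {ip} {key}"
    return base64.b64encode(text.encode("ascii")).decode("ascii")


def key_problems(key: str) -> list:
    """Return the reasons POST /agents/insert would reject this key (empty if none)."""
    problems = []
    if len(key) < KEY_MIN_LEN:
        problems.append(f"key length {len(key)} is below the minimum of {KEY_MIN_LEN}")
    if not KEY_RE.match(key):
        problems.append("key contains characters outside [a-zA-Z0-9]")
    return problems


def insert_payload(blob: str) -> dict:
    """Build the JSON body for POST /agents/insert from an exported key blob, using
    the field names (name, ip, id, key) shown in this page's example request, and
    refuse keys that violate the documented constraints."""
    fields = decode_agent_key(blob)
    problems = key_problems(fields["key"])
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": fields["name"], "ip": fields["ip"], "id": fields["id"], "key": fields["key"]}


if __name__ == "__main__":
    for label, blob in (("007", KEY_BLOB_007), ("008", KEY_BLOB_008), ("004", KEY_BLOB_004)):
        print(label, decode_agent_key(blob))
    print(insert_payload(KEY_BLOB_007))
```

Decoding the key for agent 007 yields the same 64-character key that GET /agents lists for NewHost, which is how a registration exported from one manager can be re-created with POST /agents/insert on another.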
Restart

Restart a list of agents

Restarts a list of agents.

Request:
POST /agents/restart

Parameters:

| Param | Type | Description |
|---|---|---|
| | String[] | Array of agent IDs. |
Example Request:
curl -u foo:bar -X POST -H "Content-Type:application/json" -d '{"ids":["002","004"]}' "http://localhost:55000/agents/restart?pretty"
Example Response:
{
"data": "All selected agents were restarted",
"error": 0
}
Restart all agents

Restarts all agents.

Request:
PUT /agents/restart
Example Request:
curl -u foo:bar -X PUT "http://localhost:55000/agents/restart?pretty"
Example Response:
{
"data": "Restarting all agents",
"error": 0
}
Restart an agent

Restarts the specified agent.

Request:
PUT /agents/:agent_id/restart

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | Agent unique ID. |
Example Request:
curl -u foo:bar -X PUT "http://localhost:55000/agents/007/restart?pretty"
Example Response:
{
"data": "Restarting agent",
"error": 0
}
Stats

Get distinct fields in agents

Returns all the distinct combinations of values that agents have for the selected fields, together with the number of agents that have each combination.

Request:
GET /agents/stats/distinct

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | List of fields affecting the operation. |
| | String | List of selected fields. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/stats/distinct?pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 4,
"items": [
{
"count": 1,
"version": "Wazuh v3.5.0",
"group": null,
"manager_host": "wazuh",
"os": {
"major": "18",
"name": "Ubuntu",
"uname": "Linux |wazuh |4.15.0-29-generic |#31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 |x86_64",
"platform": "ubuntu",
"version": "18.04 LTS",
"build": null,
"codename": "Bionic Beaver",
"arch": "x86_64",
"minor": "04"
},
"node_name": "node01"
},
{
"count": 1,
"version": "Wazuh v3.5.0",
"group": "default",
"manager_host": "wazuh",
"os": {
"major": "16",
"name": "Ubuntu",
"uname": "Linux |ubuntu |4.4.0-131-generic |#157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 |x86_64",
"platform": "ubuntu",
"version": "16.04.5 LTS",
"build": null,
"codename": "Xenial Xerus",
"arch": "x86_64",
"minor": "04"
},
"node_name": "node01"
},
{
"count": 2,
"version": null,
"group": "default",
"manager_host": null,
"os": {
"major": null,
"name": null,
"uname": null,
"platform": null,
"version": null,
"build": null,
"codename": null,
"arch": null,
"minor": null
},
"node_name": "unknown"
},
{
"count": 3,
"version": null,
"group": null,
"manager_host": null,
"os": {
"major": null,
"name": null,
"uname": null,
"platform": null,
"version": null,
"build": null,
"codename": null,
"arch": null,
"minor": null
},
"node_name": "unknown"
}
]
}
}
Upgrade

Get outdated agents

Returns the list of outdated agents.

Request:
GET /agents/outdated

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/outdated?pretty"
Example Response:
{
"data": {
"totalItems": 2,
"items": [
{
"version": "Wazuh v3.0.0",
"id": "003",
"name": "main_database"
},
{
"version": "Wazuh v3.0.0",
"id": "004",
"name": "dmz002"
}
]
},
"error": 0
}
Get upgrade result from agent

Returns the upgrade result from an agent.

Request:
GET /agents/:agent_id/upgrade_result

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | Agent ID. |
| | Number | Seconds to wait for the agent to respond. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/agents/003/upgrade_result?pretty"
Example Response:
{
"data": "Agent upgraded successfully",
"error": 0
}
Upgrade agent using custom file

Upgrades the agent using a custom file.

Request:
PUT /agents/:agent_id/upgrade_custom

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | Agent unique ID. |
| | String | WPK file path. |
| | String | Installation script. |
Example Request:
curl -u foo:bar -X PUT "http://localhost:55000/agents/002/upgrade_custom?pretty"
Example Response:
{
"data": "Installation started",
"error": 0
}
Upgrade agent using online repository

Upgrades the agent using a WPK file from the online repository.

Request:
PUT /agents/:agent_id/upgrade

Parameters:

| Param | Type | Description |
|---|---|---|
| | Number | Agent unique ID. |
| | String | WPK repository. |
| | String | Wazuh version. |
| | Boolean | Use plain HTTP to fetch the WPK file; if false, HTTPS is used. Defaults to false. |
| | Number | Force upgrade. Allowed values: |
Example Request:
curl -u foo:bar -X PUT "http://localhost:55000/agents/002/upgrade?pretty"
Example Response:
{
"data": "Upgrade procedure started",
"error": 0
}
Cache

Delete

Clear group cache

Clears the cache of the specified group.

Request:
DELETE /cache

Parameters:

| Param | Type | Description |
|---|---|---|
| | String | Cache group. |
Example Request:
curl -u foo:bar -X DELETE "http://localhost:55000/cache/mygroup?pretty"
Example Response:
{
"error": 0,
"data": {
"all": [
"/agents?pretty&offset=0&limit=5&sort=-ip,name",
"/agents/000?pretty",
"/agents/name/NewHost?pretty",
"/agents/stats/distinct?pretty"
],
"groups": {
"agents": [
"/agents?pretty&offset=0&limit=5&sort=-ip,name",
"/agents/000?pretty",
"/agents/name/NewHost?pretty"
],
"manager": [
"/agents/stats/distinct?pretty"
]
}
}
}
Delete cache index

Clears the entire cache.

Request:
DELETE /cache
Example Request:
curl -u foo:bar -X DELETE "http://localhost:55000/cache?pretty"
Example Response:
{
"error": 0,
"data": {
"all": [],
"groups": {}
}
}
Info

Get cache index

Returns the current cache index.

Request:
GET /cache
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/cache?pretty"
Example Response:
{
"error": 0,
"data": {
"all": [],
"groups": {}
}
}
Return cache configuration

Returns the cache configuration.

Request:
GET /cache/config
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/cache/config?pretty"
Example Response:
{
"error": 0,
"data": {
"debug": false,
"defaultDuration": 750,
"enabled": true,
"appendKey": [],
"jsonp": false,
"redisClient": false
}
}
Cluster

Configuration

Get the cluster configuration

Returns the cluster configuration.

Request:
GET /cluster/config
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/cluster/config?pretty"
Example Response:
{
"error": 0,
"data": {
"disabled": "no",
"hidden": "no",
"name": "wazuh",
"node_name": "node01",
"bind_addr": "0.0.0.0",
"node_type": "master",
"key": "b36430de0e4f51627cd8c468f1a3c681",
"nodes": [
"192.168.185.3"
],
"port": 1516
}
}
Info

Get info about cluster status

Returns whether the cluster is enabled and whether it is running.

Request:
GET /cluster/status
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/cluster/status?pretty"
Example Response:
{
"error": 0,
"data": {
"running": "yes",
"enabled": "yes"
}
}
Show cluster health

Shows the cluster health.

Request:
GET /cluster/healthcheck

Parameters:

| Param | Type | Description |
|---|---|---|
| | String | Filter information by node name. * |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/cluster/healthcheck?pretty"
Example Response:
{
"error": 0,
"data": {
"nodes": {
"node02": {
"info": {
"ip": "192.168.185.4",
"version": "3.5.0",
"type": "worker",
"name": "node02",
"n_active_agents": 0
},
"status": {
"last_sync_agentinfo": {
"date_start_master": "n/a",
"date_end_master": "n/a",
"total_agentinfo": 0
},
"sync_integrity_free": true,
"last_sync_agentgroups": {
"date_end_master": "2018-08-02 23:46:16.58",
"total_agentgroups": 0,
"date_start_master": "2018-08-02 23:46:16.58"
},
"last_sync_integrity": {
"total_files": {
"shared": 1,
"missing": 0,
"extra_valid": 0,
"extra": 0
},
"date_end_master": "2018-08-03 00:26:20.77",
"date_start_master": "2018-08-03 00:26:19.63"
},
"sync_agentinfo_free": true,
"sync_extravalid_free": true
}
},
"node01": {
"info": {
"ip": "192.168.185.3",
"version": "3.5.0",
"type": "master",
"name": "node01",
"n_active_agents": 2
}
}
},
"n_connected_nodes": 2
}
}
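An added example, not part of the Wazuh documentation, that turns the healthcheck response above into a list of findings: a missing or duplicated master, a worker whose version differs from the master's, a worker still mid-synchronisation, or files reported missing in its last integrity sync. The sample responses are constructed from the output shown above; the optional `expected_nodes` inventory is an assumption.

```python
import json

# Constructed sample: the /cluster/healthcheck response shown above (not a
# live capture), with the fields that this check reads.
SAMPLE_HEALTHCHECK = json.loads("""
{
  "error": 0,
  "data": {
    "nodes": {
      "node02": {
        "info": {"ip": "192.168.185.4", "version": "3.5.0", "type": "worker",
                 "name": "node02", "n_active_agents": 0},
        "status": {
          "sync_integrity_free": true,
          "sync_agentinfo_free": true,
          "sync_extravalid_free": true,
          "last_sync_integrity": {
            "total_files": {"shared": 1, "missing": 0, "extra_valid": 0, "extra": 0},
            "date_start_master": "2018-08-03 00:26:19.63",
            "date_end_master": "2018-08-03 00:26:20.77"
          }
        }
      },
      "node01": {
        "info": {"ip": "192.168.185.3", "version": "3.5.0", "type": "master",
                 "name": "node01", "n_active_agents": 2}
      }
    },
    "n_connected_nodes": 2
  }
}
""")

# Second constructed sample: the same cluster after node02 fell behind, with an
# older version and two files still reported missing after its last integrity sync.
SAMPLE_DEGRADED = json.loads(json.dumps(SAMPLE_HEALTHCHECK))
SAMPLE_DEGRADED["data"]["nodes"]["node02"]["info"]["version"] = "3.4.0"
SAMPLE_DEGRADED["data"]["nodes"]["node02"]["status"]["last_sync_integrity"]["total_files"]["missing"] = 2

SYNC_FLAGS = ("sync_integrity_free", "sync_agentinfo_free", "sync_extravalid_free")


def check_cluster_health(response, expected_nodes=None):
    """Return a list of (node_name, finding) pairs; an empty list means healthy.

    expected_nodes (optional, assumed to come from your own inventory) lets the
    check notice a node that has silently dropped out of the cluster."""
    if response.get("error", 1) != 0:
        return [("*", "API error %s" % response.get("error"))]
    nodes = response["data"]["nodes"]
    findings = []
    masters = [n for n, v in nodes.items() if v["info"]["type"] == "master"]
    if len(masters) != 1:
        findings.append(("*", "expected exactly one master node, found %s" % masters))
    master_version = nodes[masters[0]]["info"]["version"] if len(masters) == 1 else None
    for missing in sorted(set(expected_nodes or ()) - set(nodes)):
        findings.append((missing, "node not connected"))
    for name, node in nodes.items():
        info = node["info"]
        if master_version and info["version"] != master_version:
            findings.append((name, "version %s != master %s" % (info["version"], master_version)))
        if info["type"] != "worker":
            continue  # only workers carry a status block in the response
        status = node.get("status", {})
        for flag in SYNC_FLAGS:
            if status.get(flag) is False:
                findings.append((name, "%s is false (synchronisation still in progress)" % flag))
        files = status.get("last_sync_integrity", {}).get("total_files", {})
        for key in ("missing", "extra"):
            if files.get(key, 0) > 0:
                findings.append((name, "%d %s file(s) reported in last integrity sync" % (files[key], key)))
    return findings


if __name__ == "__main__":
    for node, finding in check_cluster_health(SAMPLE_DEGRADED, expected_nodes=["node01", "node02", "node03"]):
        print("%s: %s" % (node, finding))
```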
Nodes¶
Get local node info¶
Returns the local node info
Request:
GET
/cluster/node
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/cluster/node?pretty"
Example Response:
{
"error": 0,
"data": {
"node": "node01",
"cluster": "wazuh",
"type": "master"
}
}
Get node info¶
Returns the node info
Request:
GET
/cluster/nodes/:node_name
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/cluster/nodes/node01?pretty"
Example Response:
{
"error": 0,
"data": {
"ip": "192.168.185.3",
"version": "3.5.0",
"type": "master",
"name": "node01"
}
}
Get nodes info¶
Returns the nodes info
Request:
GET
/cluster/nodes
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | List of selected fields. |
| | String | Filters by node type. * |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/cluster/nodes?pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 2,
"items": [
{
"ip": "192.168.185.4",
"version": "3.5.0",
"type": "worker",
"name": "node02"
},
{
"ip": "192.168.185.3",
"version": "3.5.0",
"type": "master",
"name": "node01"
}
]
}
}
Decoders¶
Info¶
Get all decoders¶
Returns all decoders included in ossec.conf.
Request:
GET
/decoders
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | Filters by filename. |
| | String | Filters by path. |
| | String | Filters the decoders by status. Allowed values: |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/decoders?pretty&offset=0&limit=2&sort=+file,position"
Example Response:
{
"error": 0,
"data": {
"totalItems": 555,
"items": [
{
"status": "enabled",
"name": "wazuh",
"details": {
"prematch": "^wazuh: "
},
"file": "0005-wazuh_decoders.xml",
"position": 0,
"path": "/var/ossec/ruleset/decoders"
},
{
"status": "enabled",
"name": "agent-buffer",
"details": {
"regex": "^ '(\\S+)'.",
"prematch": "^Agent buffer:",
"parent": "wazuh",
"order": "level"
},
"file": "0005-wazuh_decoders.xml",
"position": 1,
"path": "/var/ossec/ruleset/decoders"
}
]
}
}
Get all decoder files¶
Returns all decoder files included in ossec.conf.
Request:
GET
/decoders/files
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | Filters the decoders by status. Allowed values: |
| | String | Filters by filename. |
| | String | Filters by path. |
| | String | Downloads the file. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/decoders/files?pretty&offset=0&limit=10&sort=-path"
Example Response:
{
"error": 0,
"data": {
"totalItems": 93,
"items": [
{
"status": "enabled",
"path": "/var/ossec/ruleset/decoders",
"file": "0275-sendmail_decoders.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/decoders",
"file": "0410-docker_decoders.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/decoders",
"file": "0440-proxmox-ve_decoders.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/decoders",
"file": "0065-cisco-ios_decoders.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/decoders",
"file": "0325-suhosin_decoders.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/decoders",
"file": "0340-trend-osce_decoders.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/decoders",
"file": "0195-oscap_decoders.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/decoders",
"file": "0115-grandstream_decoders.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/decoders",
"file": "0380-windows_decoders.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/decoders",
"file": "0005-wazuh_decoders.xml"
}
]
}
}
Get all parent decoders¶
Returns all parent decoders included in ossec.conf
Request:
GET
/decoders/parents
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/decoders/parents?pretty&offset=0&limit=2&sort=-file"
Example Response:
{
"error": 0,
"data": {
"totalItems": 150,
"items": [
{
"status": "enabled",
"name": "local_decoder_example",
"details": {
"program_name": "local_decoder_example"
},
"file": "local_decoder.xml",
"position": 0,
"path": "/var/ossec/etc/decoders"
},
{
"status": "enabled",
"name": "pf",
"details": {
"program_name": "filterlog"
},
"file": "0455-pfsense_decoders.xml",
"position": 0,
"path": "/var/ossec/ruleset/decoders"
}
]
}
}
Get decoders by name¶
Returns the decoders with the specified name.
Request:
GET
/decoders/:decoder_name
Parameters:
| Param | Type | Description |
|---|---|---|
| | String | Decoder name. |
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/decoders/apache-errorlog?pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 3,
"items": [
{
"status": "enabled",
"name": "apache-errorlog",
"details": {
"program_name": "^apache2|^httpd"
},
"file": "0025-apache_decoders.xml",
"position": 0,
"path": "/var/ossec/ruleset/decoders"
},
{
"status": "enabled",
"name": "apache-errorlog",
"details": {
"prematch": "^[warn] |^[notice] |^[error] "
},
"file": "0025-apache_decoders.xml",
"position": 1,
"path": "/var/ossec/ruleset/decoders"
},
{
"status": "enabled",
"name": "apache-errorlog",
"details": {
"prematch": "^[\\w+ \\w+ \\d+ \\d+:\\d+:\\d+.\\d+ \\d+] [\\S+:warn] |^[\\w+ \\w+ \\d+ \\d+:\\d+:\\d+.\\d+ \\d+] [\\S+:notice] |^[\\w+ \\w+ \\d+ \\d+:\\d+:\\d+.\\d+ \\d+] [\\S*:error] |^[\\w+ \\w+ \\d+ \\d+:\\d+:\\d+.\\d+ \\d+] [\\S+:info] "
},
"file": "0025-apache_decoders.xml",
"position": 2,
"path": "/var/ossec/ruleset/decoders"
}
]
}
}
Experimental¶
Hardware¶
Get hardware info of all agents¶
Returns the hardware info of all agents.
Request:
GET
/experimental/syscollector/hardware
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | Agent ID. |
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | List of selected fields. |
| | String | Filters by ram_free. |
| | String | Filters by ram_total. |
| | String | Filters by cpu_cores. |
| | String | Filters by cpu_mhz. |
| | String | Filters by cpu_name. |
| | String | Filters by board_serial. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/experimental/syscollector/hardware?pretty&sort=-ram_free"
Example Response:
{
"error": 0,
"data": {
"totalItems": 2,
"items": [
{
"board_serial": "0",
"agent_id": "000",
"ram": {
"usage": 56,
"total": 6053772,
"free": 2677484
},
"cpu": {
"cores": 2,
"mhz": 1991.998,
"name": "Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz"
},
"scan": {
"id": 208137997,
"time": "2018/08/02 23:45:54"
}
},
{
"board_serial": "0",
"agent_id": "001",
"ram": {
"usage": 71,
"total": 1015976,
"free": 297140
},
"cpu": {
"cores": 1,
"mhz": 1991.998,
"name": "Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz"
},
"scan": {
"id": 2056454263,
"time": "2018/08/02 17:25:53"
}
}
]
}
}
Netaddr¶
Get network address info of all agents¶
Returns the network address info of all agents.
Request:
GET
/experimental/syscollector/netaddr
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | List of selected fields. |
| | String | Filters by id. |
| | String | Filters by proto. |
| | String | Filters by address. |
| | String | Filters by broadcast. |
| | String | Filters by netmask. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/experimental/syscollector/netaddr?pretty&limit=2&sort=proto"
Example Response:
{
"error": 0,
"data": {
"totalItems": 8,
"items": [
{
"scan_id": 483670720,
"agent_id": "000",
"proto": "ipv6",
"address": "fe80::a00:27ff:fed6:8e4f",
"netmask": "ffff:ffff:ffff:ffff::",
"id": 17
},
{
"scan_id": 483670720,
"agent_id": "000",
"proto": "ipv6",
"address": "fe80::a00:27ff:fea9:6759",
"netmask": "ffff:ffff:ffff:ffff::",
"id": 18
}
]
}
}
Netiface¶
Get network interface info of all agents¶
Returns the network interface info of all agents.
Request:
GET
/experimental/syscollector/netiface
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | List of selected fields. |
| | String | Filters by id. |
| | String | Filters by name. |
| | String | Filters by adapter. |
| | String | Filters by type. |
| | String | Filters by state. |
| | String | Filters by mtu. |
| | String | Filters by tx_packets. |
| | String | Filters by rx_packets. |
| | String | Filters by tx_bytes. |
| | String | Filters by rx_bytes. |
| | String | Filters by tx_errors. |
| | String | Filters by rx_errors. |
| | String | Filters by tx_dropped. |
| | String | Filters by rx_dropped. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/experimental/syscollector/netiface?pretty&limit=2&sort=rx_bytes"
Example Response:
{
"error": 0,
"data": {
"totalItems": 4,
"items": [
{
"name": "enp0s3",
"tx": {
"packets": 144,
"errors": 0,
"bytes": 16993,
"dropped": 0
},
"scan": {
"id": 483670720,
"time": "2018/08/02 23:45:54"
},
"rx": {
"packets": 352,
"errors": 0,
"bytes": 346608,
"dropped": 0
},
"mac": "08:00:27:D6:8E:4F",
"mtu": 1500,
"state": "up",
"agent_id": "000",
"type": "ethernet",
"id": 17
},
{
"name": "enp0s8",
"tx": {
"packets": 1580,
"errors": 0,
"bytes": 229506,
"dropped": 0
},
"scan": {
"id": 483670720,
"time": "2018/08/02 23:45:54"
},
"rx": {
"packets": 6032,
"errors": 0,
"bytes": 1600051,
"dropped": 0
},
"mac": "08:00:27:A9:67:59",
"mtu": 1500,
"state": "up",
"agent_id": "000",
"type": "ethernet",
"id": 18
}
]
}
}
Netproto¶
Get network protocol info of all agents¶
Returns the network protocol info of all agents.
Request:
GET
/experimental/syscollector/netproto
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | List of selected fields. |
| | String | Filters by id. |
| | String | Filters by iface. |
| | String | Filters by type. |
| | String | Filters by gateway. |
| | String | Filters by dhcp. |
Example Request:
curl -u foo:bar -X GET "https://localhost:55000/experimental/syscollector/netproto?pretty&limit=2&sort=type"
Example Response:
{
"error": 0,
"data": {
"totalItems": 8,
"items": [
{
"scan_id": 483670720,
"iface": "enp0s3",
"agent_id": "000",
"dhcp": "enabled",
"type": "ipv6",
"id": 17
},
{
"scan_id": 483670720,
"iface": "enp0s8",
"agent_id": "000",
"dhcp": "enabled",
"type": "ipv6",
"id": 18
}
]
}
}
OS¶
Get os info of all agents¶
Returns the OS info of all agents.
Request:
GET
/experimental/syscollector/os
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | Agent ID. |
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | List of selected fields. |
| | String | Filters by os_name. |
| | String | Filters by architecture. |
| | String | Filters by os_version. |
| | String | Filters by version. |
| | String | Filters by release. |
Example Request:
curl -u foo:bar -X GET "https://localhost:55000/experimental/syscollector/os?pretty&sort=-os_name"
Example Response:
{
"error": 0,
"data": {
"totalItems": 2,
"items": [
{
"sysname": "Linux",
"scan": {
"id": 433934775,
"time": "2018/08/02 23:45:54"
},
"hostname": "wazuh",
"version": "#31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018",
"agent_id": "000",
"release": "4.15.0-29-generic",
"os": {
"major": "18",
"name": "Ubuntu",
"platform": "ubuntu",
"version": "18.04 LTS (Bionic Beaver)",
"codename": "Bionic Beaver",
"minor": "04"
},
"architecture": "x86_64"
},
{
"sysname": "Linux",
"scan": {
"id": 2004741248,
"time": "2018/08/02 17:25:53"
},
"hostname": "ubuntu",
"version": "#157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018",
"agent_id": "001",
"release": "4.4.0-131-generic",
"os": {
"major": "16",
"name": "Ubuntu",
"platform": "ubuntu",
"version": "16.04.5 LTS (Xenial Xerus)",
"codename": "Xenial Xerus",
"minor": "04"
},
"architecture": "x86_64"
}
]
}
}
Packages¶
Get packages info of all agents¶
Returns the packages info of all agents.
Request:
GET
/experimental/syscollector/packages
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | Agent ID. |
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | Filters by vendor. |
| | String | Filters by name. |
| | String | Filters by architecture. |
| | String | Filters by format. |
| | String | List of selected fields. |
Example Request:
curl -u foo:bar -X GET "https://localhost:55000/experimental/syscollector/packages?pretty&sort=-name&limit=2&offset=4"
Example Response:
{
"error": 0,
"data": {
"totalItems": 1107,
"items": [
{
"vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
"name": "apache2",
"scan": {
"id": 1222412658,
"time": "2018/08/02 23:45:54"
},
"section": "httpd",
"format": "deb",
"architecture": "amd64",
"priority": "optional",
"version": "2.4.29-1ubuntu4.2",
"agent_id": "000",
"size": 520,
"description": "Apache HTTP Server"
},
{
"vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
"name": "amd64-microcode",
"scan": {
"id": 1222412658,
"time": "2018/08/02 23:45:54"
},
"section": "non-free/admin",
"format": "deb",
"architecture": "amd64",
"priority": "standard",
"version": "3.20180524.1~ubuntu0.18.04.1",
"agent_id": "000",
"size": 74,
"description": "Processor microcode firmware for AMD CPUs"
}
]
}
}
Ports¶
Get ports info of all agents¶
Returns the ports info of all agents.
Request:
GET
/experimental/syscollector/ports
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | List of selected fields. |
| | Number | Filters by pid. |
| | String | Filters by protocol. |
| | String | Filters by local_ip. |
| | Number | Filters by local_port. |
| | String | Filters by remote_ip. |
| | Number | Filters by tx_queue. |
| | String | Filters by state. |
Example Request:
curl -u foo:bar -X GET "https://localhost:55000/experimental/syscollector/ports?pretty&limit=2&sort=protocol"
Example Response:
{
"error": 0,
"data": {
"totalItems": 16,
"items": [
{
"remote": {
"ip": "::",
"port": 0
},
"scan": {
"id": 1219576791,
"time": "2018/08/02 23:45:56"
},
"inode": 164751,
"state": "listening",
"tx_queue": 0,
"agent_id": "000",
"protocol": "tcp6",
"rx_queue": 0,
"local": {
"ip": "::ffff:127.0.0.1",
"port": 9600
}
},
{
"remote": {
"ip": "::",
"port": 0
},
"scan": {
"id": 1219576791,
"time": "2018/08/02 23:45:56"
},
"inode": 164667,
"state": "listening",
"tx_queue": 0,
"agent_id": "000",
"protocol": "tcp6",
"rx_queue": 0,
"local": {
"ip": "::ffff:127.0.0.1",
"port": 9200
}
}
]
}
}
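An added example, not from the Wazuh documentation, that walks a totalItems/items collection with offset and limit (the pagination contract shared by every list endpoint on this page) and applies it to the ports inventory above to flag listening sockets bound to a non-loopback address whose port is not on an allow list. `fake_api_get` and the sample items are constructed stand-ins for the authenticated API call.

```python
import ipaddress

# Constructed sample data in the shape of /experimental/syscollector/ports
# items: the two listeners shown above plus two invented entries (an SSH
# listener on agent 000 and an unexpected listener on agent 001).
_SAMPLE_PORTS = [
    {"agent_id": "000", "protocol": "tcp6", "state": "listening", "inode": 164751,
     "local": {"ip": "::ffff:127.0.0.1", "port": 9600}, "remote": {"ip": "::", "port": 0}},
    {"agent_id": "000", "protocol": "tcp6", "state": "listening", "inode": 164667,
     "local": {"ip": "::ffff:127.0.0.1", "port": 9200}, "remote": {"ip": "::", "port": 0}},
    {"agent_id": "000", "protocol": "tcp", "state": "listening", "inode": 18001,
     "local": {"ip": "0.0.0.0", "port": 22}, "remote": {"ip": "0.0.0.0", "port": 0}},
    {"agent_id": "001", "protocol": "tcp", "state": "listening", "inode": 27310,
     "local": {"ip": "0.0.0.0", "port": 4444}, "remote": {"ip": "0.0.0.0", "port": 0}},
]


def fake_api_get(path, params):
    """Constructed stand-in for an authenticated GET against the API. It applies
    top-level equality filters such as state=listening and honours offset/limit,
    returning the usual {"error", "data": {"totalItems", "items"}} envelope."""
    filters = {k: v for k, v in params.items() if k not in ("offset", "limit")}
    matching = [i for i in _SAMPLE_PORTS if all(i.get(k) == v for k, v in filters.items())]
    offset, limit = int(params.get("offset", 0)), int(params.get("limit", 500))
    return {"error": 0, "data": {"totalItems": len(matching),
                                 "items": matching[offset:offset + limit]}}


def iter_collection(get, path, page_size=500, **filters):
    """Yield every item of a totalItems/items collection, walking it with
    offset and limit so that a large inventory is not truncated by the
    server-side page size."""
    offset = 0
    while True:
        resp = get(path, dict(filters, offset=offset, limit=page_size))
        if resp.get("error", 1) != 0:
            raise RuntimeError("API error %s for %s" % (resp.get("error"), path))
        data = resp["data"]
        items = data["items"]
        yield from items
        offset += len(items)
        if not items or offset >= data["totalItems"]:
            break


def _is_loopback(ip):
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # treat ::ffff:127.0.0.1 as 127.0.0.1
    return addr.is_loopback


def exposed_listeners(get, allowed_ports):
    """Return sorted (agent_id, protocol, ip, port) tuples for listening sockets
    bound to a non-loopback address whose port is not on the allow list."""
    found = set()
    # page_size=2 is deliberately tiny so the sample exercises more than one page
    for item in iter_collection(get, "/experimental/syscollector/ports",
                                page_size=2, state="listening"):
        ip, port = item["local"]["ip"], item["local"]["port"]
        if _is_loopback(ip) or port in allowed_ports:
            continue
        found.add((item["agent_id"], item["protocol"], ip, port))
    return sorted(found)


if __name__ == "__main__":
    for row in exposed_listeners(fake_api_get, allowed_ports={22}):
        print("unexpected listener: agent %s %s %s:%d" % row)
```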
Processes¶
Get processes info of all agents¶
Returns the processes info of all agents.
Request:
GET
/experimental/syscollector/processes
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | List of selected fields. |
| | Number | Filters by process pid. |
| | String | Filters by process egroup. |
| | String | Filters by process euser. |
| | String | Filters by process fgroup. |
| | Number | Filters by process nlwp. |
| | Number | Filters by process pgrp. |
| | Number | Filters by process priority. |
| | String | Filters by process rgroup. |
| | String | Filters by process ruser. |
| | String | Filters by process sgroup. |
| | String | Filters by process suser. |
Example Request:
curl -u foo:bar -X GET "https://localhost:55000/experimental/syscollector/processes?pretty&limit=2&sort=priority"
Example Response:
{
"error": 0,
"data": {
"totalItems": 206,
"items": [
{
"euser": "root",
"tty": 0,
"rgroup": "root",
"sgroup": "root",
"scan": {
"id": 2147483647,
"time": "2018/08/02 23:45:56"
},
"resident": 0,
"share": 0,
"start_time": 3,
"pid": "29",
"session": 0,
"stime": 0,
"vm_size": 0,
"size": 0,
"agent_id": "000",
"ppid": 2,
"egroup": "root",
"name": "khugepaged",
"pgrp": 0,
"tgid": 29,
"utime": 0,
"priority": 39,
"fgroup": "root",
"state": "S",
"ruser": "root",
"suser": "root",
"nlwp": 1,
"processor": 1,
"nice": 19
},
{
"euser": "logstash",
"tty": 0,
"rgroup": "logstash",
"sgroup": "logstash",
"scan": {
"id": 2147483647,
"time": "2018/08/02 23:45:56"
},
"resident": 152574,
"share": 5026,
"start_time": 1178,
"pid": "975",
"tgid": 975,
"session": 975,
"stime": 733,
"vm_size": 3631444,
"size": 907861,
"agent_id": "000",
"ppid": 1,
"egroup": "logstash",
"name": "java",
"pgrp": 975,
"argvs": "-Xms1g,-Xmx1g,-XX:+UseParNewGC,-XX:+UseConcMarkSweepGC,-XX:CMSInitiatingOccupancyFraction=75,-XX:+UseCMSInitiatingOccupancyOnly,-Djava.awt.headless=true,-Dfile.encoding=UTF-8,-Djruby.compile.invokedynamic=true,-Djruby.jit.threshold=0,-XX:+HeapDumpOnOutOfMemoryError,-Djava.security.egd=file:/dev/urandom,-cp,/usr/share/logstash/logstash-core/lib/jars/commons-compiler-3.0.8.jar:/usr/share/logstash/logstash-core/lib/jars/google-java-format-1.1.jar:/usr/share/logstash/logstash-core/lib/jars/guava-19.0.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-annotations-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-core-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-databind-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/jackson-dataformat-cbor-2.9.5.jar:/usr/share/logstash/logstash-core/lib/jars/janino-3.0.8.jar:/usr/share/logstash/logstash-core/lib/jars/jruby-complete-9.1.13.0.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-api-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/log4j-slf4j-impl-2.9.1.jar:/usr/share/logstash/logstash-core/lib/jars/logstash-core.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.commands-3.6.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.contenttype-3.4.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.expressions-3.4.300.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.filesystem-1.3.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.jobs-3.5.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.resources-3.7.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.core.runtime-3.7.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.app-1.3.100.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.common-3.6.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.preferences-3.4.1.ja
r:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.equinox.registry-3.5.101.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.jdt.core-3.10.0.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.osgi-3.7.1.jar:/usr/share/logstash/logstash-core/lib/jars/org.eclipse.text-3.5.101.jar:/usr/share/logstash/logstash-core/lib/jars/slf4j-api-1.7.25.jar,org.logstash.Logstash,--path.settings,/etc/logstash",
"utime": 13764,
"cmd": "/usr/bin/java",
"priority": 39,
"fgroup": "logstash",
"state": "S",
"ruser": "logstash",
"suser": "logstash",
"nlwp": 31,
"processor": 0,
"nice": 19
}
]
}
}
Manager¶
Configuration¶
Get manager configuration¶
Returns ossec.conf in JSON format.
Request:
GET
/manager/configuration
Parameters:
| Param | Type | Description |
|---|---|---|
| | String | Indicates the ossec.conf section: global, rules, syscheck, rootcheck, remote, alerts, command, active-response, localfile. |
| | String | Indicates a section child, e.g., fields for the rules section are: include, decoder_dir, etc. |
Example Request:
curl -u foo:bar -X GET "https://localhost:55000/manager/configuration?section=global&pretty"
Example Response:
{
"error": 0,
"data": {
"email_notification": "no",
"alerts_log": "yes",
"jsonout_output": "yes",
"smtp_server": "smtp.example.wazuh.com",
"queue_size": "131072",
"email_to": "recipient@example.wazuh.com",
"logall": "no",
"email_maxperhour": "12",
"white_list": [
"127.0.0.1",
"^localhost.localdomain$",
"127.0.0.53"
],
"email_from": "ossecm@example.wazuh.com",
"logall_json": "no"
}
}
Info¶
Get manager information¶
Returns basic information about manager.
Request:
GET
/manager/info
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/manager/info?pretty"
Example Response:
{
"error": 0,
"data": {
"compilation_date": "Thu Aug 2 16:48:56 UTC 2018",
"version": "v3.5.0",
"openssl_support": "yes",
"max_agents": "14000",
"ruleset_version": "3500",
"path": "/var/ossec",
"tz_name": "UTC",
"type": "manager",
"tz_offset": "+0000"
}
}
Get manager status¶
Returns the status of the manager processes.
Request:
GET
/manager/status
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/manager/status?pretty"
Example Response:
{
"error": 0,
"data": {
"wazuh-modulesd": "running",
"ossec-authd": "stopped",
"wazuh-clusterd": "running",
"ossec-monitord": "running",
"ossec-logcollector": "running",
"ossec-execd": "running",
"ossec-remoted": "running",
"ossec-syscheckd": "running",
"ossec-analysisd": "running",
"ossec-maild": "stopped"
}
}
Logs¶
Get ossec.log¶
Returns the three last months of ossec.log.
Request:
GET
/manager/logs
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | Filters by type of log. Allowed values: |
| | String | Filters by category of log. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/manager/logs?offset=0&limit=5&pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 29,
"items": [
{
"timestamp": "2018-08-03 00:26:35",
"tag": "wazuh-modulesd:database",
"description": "Couldn't get database status for agent '3'.",
"level": "error"
},
{
"timestamp": "2018-08-03 00:26:35",
"tag": "wazuh-modulesd:database",
"description": "Couldn't get database status for agent '5'.",
"level": "error"
},
{
"timestamp": "2018-08-03 00:26:34",
"tag": "ossec-remoted",
"description": "(1409): Authentication file changed. Updating.",
"level": "info"
},
{
"timestamp": "2018-08-03 00:26:34",
"tag": "ossec-remoted",
"description": "(1410): Reading authentication keys file.",
"level": "info"
},
{
"timestamp": "2018-08-03 00:25:54",
"tag": "wazuh-db",
"description": "at wdb_process_insert(): sqlite3_step(): UNIQUE constraint failed: sys_processes.scan_id, sys_processes.pid",
"level": "error"
}
]
}
}
Get summary of ossec.log¶
Returns a summary of the last three months of the ossec.log file.
Request:
GET
/manager/logs/summary
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/manager/logs/summary?pretty"
Example Response:
{
"error": 0,
"data": {
"ossec-remoted": {
"info": 8,
"all": 8,
"critical": 0,
"error": 0,
"debug": 0,
"warning": 0
},
"ossec-analysisd": {
"info": 0,
"all": 1,
"critical": 0,
"error": 1,
"debug": 0,
"warning": 0
},
"wazuh-db": {
"info": 0,
"all": 2,
"critical": 0,
"error": 2,
"debug": 0,
"warning": 0
},
"ossec-monitord": {
"info": 16,
"all": 16,
"critical": 0,
"error": 0,
"debug": 0,
"warning": 0
},
"wazuh-modulesd:database": {
"info": 0,
"all": 2,
"critical": 0,
"error": 2,
"debug": 0,
"warning": 0
}
}
}
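An added example, not part of the Wazuh documentation, that turns the /manager/status and /manager/logs responses above into findings: it lists required daemons that are not running, and it rebuilds the per-tag counts that /manager/logs/summary returns from raw log items, but for a time window you choose rather than the fixed three months. The sample inputs are constructed copies of the responses above; the set of required daemons is an assumption.

```python
# Constructed samples: the /manager/status data and the five /manager/logs
# items shown above (not live output).
SAMPLE_STATUS = {"error": 0, "data": {
    "wazuh-modulesd": "running", "ossec-authd": "stopped", "wazuh-clusterd": "running",
    "ossec-monitord": "running", "ossec-logcollector": "running", "ossec-execd": "running",
    "ossec-remoted": "running", "ossec-syscheckd": "running", "ossec-analysisd": "running",
    "ossec-maild": "stopped"}}

SAMPLE_LOG_ITEMS = [
    {"timestamp": "2018-08-03 00:26:35", "tag": "wazuh-modulesd:database",
     "description": "Couldn't get database status for agent '3'.", "level": "error"},
    {"timestamp": "2018-08-03 00:26:35", "tag": "wazuh-modulesd:database",
     "description": "Couldn't get database status for agent '5'.", "level": "error"},
    {"timestamp": "2018-08-03 00:26:34", "tag": "ossec-remoted",
     "description": "(1409): Authentication file changed. Updating.", "level": "info"},
    {"timestamp": "2018-08-03 00:26:34", "tag": "ossec-remoted",
     "description": "(1410): Reading authentication keys file.", "level": "info"},
    {"timestamp": "2018-08-03 00:25:54", "tag": "wazuh-db",
     "description": "at wdb_process_insert(): sqlite3_step(): UNIQUE constraint failed: "
                    "sys_processes.scan_id, sys_processes.pid", "level": "error"},
]

# The level names used by /manager/logs/summary.
LEVELS = ("critical", "error", "warning", "info", "debug")

# Assumed set of daemons that must be running for events to be received and
# analysed; ossec-authd, ossec-maild and wazuh-clusterd are treated as optional
# (two of them are stopped in the sample status above).
REQUIRED_DAEMONS = ("ossec-analysisd", "ossec-remoted", "ossec-execd", "ossec-logcollector",
                    "ossec-syscheckd", "ossec-monitord", "wazuh-modulesd")


def stopped_required_daemons(status_response, required=REQUIRED_DAEMONS):
    """Names of required daemons whose reported state is not 'running'
    (a daemon absent from the response counts as not running)."""
    daemons = status_response["data"]
    return [d for d in required if daemons.get(d) != "running"]


def summarize_logs(items, since=None):
    """Aggregate /manager/logs items per tag into the shape /manager/logs/summary
    returns, optionally counting only entries at or after `since`. Timestamps
    are 'YYYY-MM-DD HH:MM:SS', so plain string comparison orders them."""
    summary = {}
    for item in items:
        if since is not None and item["timestamp"] < since:
            continue
        counts = summary.setdefault(item["tag"], dict({lvl: 0 for lvl in LEVELS}, all=0))
        counts["all"] += 1
        counts[item["level"]] = counts.get(item["level"], 0) + 1
    return summary


def noisy_tags(summary, threshold=1):
    """(tag, error+critical count) pairs reaching the threshold, worst first."""
    scored = [(tag, c.get("error", 0) + c.get("critical", 0)) for tag, c in summary.items()]
    return sorted(((t, n) for t, n in scored if n >= threshold), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for daemon in stopped_required_daemons(SAMPLE_STATUS):
        print("required daemon not running:", daemon)
    for tag, count in noisy_tags(summarize_logs(SAMPLE_LOG_ITEMS, since="2018-08-03 00:00:00")):
        print("%s: %d error/critical entries since midnight" % (tag, count))
```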
Stats¶
Get manager stats¶
Returns Wazuh statistical information for the current or specified date.
Request:
GET
/manager/stats
Parameters:
| Param | Type | Description |
|---|---|---|
| | String | Selects the date for getting the statistical information. Format: YYYYMMDD |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/manager/stats?pretty"
Example Response:
{
"data": [
{
"hour": 5,
"firewall": 0,
"alerts": [
{
"level": 3,
"sigid": 5715,
"times": 4
},
{
"level": 2,
"sigid": 1002,
"times": 2
},
{
"...": "..."
}
],
"totalAlerts": 107,
"syscheck": 1257,
"events": 1483
},
{
"...": "..."
}
],
"error": 0
}
Get manager stats by hour¶
Returns Wazuh statistical information per hour. Each number in the averages field represents the average of alerts per hour.
Request:
GET
/manager/stats/hourly
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/manager/stats/hourly?pretty"
Example Response:
{
"data": {
"averages": [
100,
357,
242,
500,
422,
"...",
123
],
"interactions": 0
},
"error": 0
}
Get manager stats by week¶
Returns Wazuh statistical information per week. Each number in the hours field represents the average alerts per hour for that specific day.
Request:
GET
/manager/stats/weekly
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/manager/stats/weekly?pretty"
Example Response:
{
"data": {
"Wed": {
"hours": [
223,
"...",
456
],
"interactions": 0
},
"Sun": {
"hours": [
332,
"...",
313
],
"interactions": 0
},
"Thu": {
"hours": [
888,
"...",
123
],
"interactions": 0
},
"Tue": {
"hours": [
536,
"...",
345
],
"interactions": 0
},
"Mon": {
"hours": [
444,
"...",
556
],
"interactions": 0
},
"Fri": {
"hours": [
131,
"...",
432
],
"interactions": 0
},
"Sat": {
"hours": [
134,
"...",
995
],
"interactions": 0
}
},
"error": 0
}
Rootcheck¶
Clear¶
Clear rootcheck database¶
Clears the rootcheck database for all agents.
Request:
DELETE
/rootcheck
Example Request:
curl -u foo:bar -X DELETE "http://localhost:55000/rootcheck?pretty"
Example Response:
{
"data": "Rootcheck database deleted",
"error": 0
}
Clear rootcheck database of an agent¶
Clears the rootcheck database for a specific agent.
Request:
DELETE
/rootcheck/:agent_id
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | Agent ID. |
Example Request:
curl -u foo:bar -X DELETE "http://localhost:55000/rootcheck/000?pretty"
Example Response:
{
"data": "Rootcheck database deleted",
"error": 0
}
Info¶
Get last rootcheck scan¶
Returns the timestamp of the last rootcheck scan.
Request:
GET
/rootcheck/:agent_id/last_scan
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | Agent ID. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/rootcheck/000/last_scan?pretty"
Example Response:
{
"error": 0,
"data": {
"start": "2018-08-02 23:45:59",
"end": "2018-08-02 23:46:31"
}
}
Get rootcheck CIS requirements¶
Returns the CIS requirements of all rootchecks of the specified agent.
Request:
GET
/rootcheck/:agent_id/cis
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/rootcheck/000/cis?offset=0&limit=10&pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 3,
"items": [
"1.4 Debian Linux",
"2.3 Debian Linux",
"4.13 Debian Linux"
]
}
}
Get rootcheck database¶
Returns the rootcheck database of an agent.
Request:
GET
/rootcheck/:agent_id
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | Agent ID. |
| | String | Filters by PCI requirement. |
| | String | Filters by CIS. |
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
| | String | Filters by status. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/rootcheck/000?offset=0&limit=2&pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 14,
"items": [
{
"status": "outstanding",
"oldDay": "2018-08-02 16:50:41",
"cis": "1.4 Debian Linux",
"readDay": "2018-08-02 23:46:02",
"event": "System Audit: CIS - Debian Linux - 1.4 - Robust partition scheme - /opt is not on its own partition {CIS: 1.4 Debian Linux}. File: /opt. Reference: https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf ."
},
{
"status": "outstanding",
"oldDay": "2018-08-02 16:50:41",
"cis": "1.4 Debian Linux",
"readDay": "2018-08-02 23:46:02",
"event": "System Audit: CIS - Debian Linux - 1.4 - Robust partition scheme - /tmp is not on its own partition {CIS: 1.4 Debian Linux}. File: /etc/fstab. Reference: https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf ."
}
]
}
}
Get rootcheck pci requirements¶
Returns the PCI requirements of all rootchecks of the agent.
Request:
GET
/rootcheck/:agent_id/pci
Parameters:
| Param | Type | Description |
|---|---|---|
| | Number | First element to return in the collection. |
| | Number | Maximum number of elements to return. |
| | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
| | String | Looks for elements with the specified string. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/rootcheck/000/pci?offset=0&limit=10&pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 3,
"items": [
"2.2.2",
"2.2.4",
"4.1"
]
}
}
Run¶
Run rootcheck scan in all agents¶
Runs syscheck and rootcheck on all agents (Wazuh launches both processes simultaneously).
Request:
PUT
/rootcheck
Example Request:
curl -u foo:bar -X PUT "http://localhost:55000/rootcheck?pretty"
Example Response:
{
"data": "Restarting Syscheck/Rootcheck on all agents",
"error": 0
}
Run rootcheck scan in an agent¶
Runs syscheck and rootcheck on the specified agent (Wazuh launches both processes simultaneously).
Request:
PUT
/rootcheck/:agent_id
Parameters:
Param | Type | Description |
---|---|---|
agent_id | Number | Agent ID. |
Example Request:
curl -u foo:bar -X PUT "http://localhost:55000/rootcheck/000?pretty"
Example Response:
{
"error": 0,
"data": "Restarting Syscheck/Rootcheck locally"
}
Rules¶
Info¶
Get all rules¶
Returns all rules.
Request:
GET
/rules
Parameters:
Param | Type | Description |
---|---|---|
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
search | String | Looks for elements with the specified string. |
status | String | Filters the rules by status. Allowed values: |
group | String | Filters the rules by group. |
level | Range | Filters the rules by level. Either a single level (level=2) or a range (level=2-5). |
path | String | Filters the rules by path. |
file | String | Filters the rules by file name. |
pci | String | Filters the rules by PCI requirement. |
gdpr | String | Filters the rules by GDPR requirement. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/rules?offset=0&limit=2&pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 1644,
"items": [
{
"status": "enabled",
"pci": [],
"description": "Generic template for all syslog rules.",
"file": "0010-rules_config.xml",
"level": 0,
"path": "/var/ossec/ruleset/rules",
"details": {
"category": "syslog",
"noalert": "1"
},
"groups": [
"syslog"
],
"id": 1,
"gdpr": []
},
{
"status": "enabled",
"pci": [],
"description": "Generic template for all firewall rules.",
"file": "0010-rules_config.xml",
"level": 0,
"path": "/var/ossec/ruleset/rules",
"details": {
"category": "firewall",
"noalert": "1"
},
"groups": [
"firewall"
],
"id": 2,
"gdpr": []
}
]
}
}
Get files of rules¶
Returns the files of all rules.
Request:
GET
/rules/files
Parameters:
Param | Type | Description |
---|---|---|
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
search | String | Looks for elements with the specified string. |
status | String | Filters files by status. Allowed values: |
path | String | Filters the rule files by path. |
file | String | Filters the rule files by file name. |
download | String | Downloads the specified rule file. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/rules/files?offset=0&limit=10&pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 107,
"items": [
{
"status": "enabled",
"path": "/var/ossec/ruleset/rules",
"file": "0010-rules_config.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/rules",
"file": "0015-ossec_rules.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/rules",
"file": "0016-wazuh_rules.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/rules",
"file": "0020-syslog_rules.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/rules",
"file": "0025-sendmail_rules.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/rules",
"file": "0030-postfix_rules.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/rules",
"file": "0035-spamd_rules.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/rules",
"file": "0040-imapd_rules.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/rules",
"file": "0045-mailscanner_rules.xml"
},
{
"status": "enabled",
"path": "/var/ossec/ruleset/rules",
"file": "0050-ms-exchange_rules.xml"
}
]
}
}
Get rule gdpr requirements¶
Returns the GDPR requirements of all rules.
Request:
GET
/rules/gdpr
Parameters:
Param | Type | Description |
---|---|---|
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
search | String | Looks for elements with the specified string. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/rules/gdpr?offset=0&limit=10&pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 4,
"items": [
"II_5.1.f",
"IV_30.1.g",
"IV_32.2",
"IV_35.7.d"
]
}
}
Get rule groups¶
Returns the groups of all rules.
Request:
GET
/rules/groups
Parameters:
Param | Type | Description |
---|---|---|
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
search | String | Looks for elements with the specified string. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/rules/groups?offset=0&limit=10&pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 292,
"items": [
"access_control",
"access_denied",
"accesslog",
"account_changed",
"active_response",
"adduser",
"agent",
"agent_flooding",
"agent_restarting",
"agentless"
]
}
}
Get rule pci requirements¶
Returns the PCI requirements of all rules.
Request:
GET
/rules/pci
Parameters:
Param | Type | Description |
---|---|---|
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
search | String | Looks for elements with the specified string. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/rules/pci?offset=0&limit=10&pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 38,
"items": [
"1.1.1",
"1.3.4",
"1.4",
"10.1",
"10.2.1",
"10.2.2",
"10.2.4",
"10.2.5",
"10.2.6",
"10.2.7"
]
}
}
Get rules by id¶
Returns the rule with the specified ID.
Request:
GET
/rules/:rule_id
Parameters:
Param | Type | Description |
---|---|---|
rule_id | Number | Rule ID. |
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
search | String | Looks for elements with the specified string. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/rules/1002?pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 1,
"items": [
{
"status": "enabled",
"pci": [],
"description": "Unknown problem somewhere in the system.",
"file": "0020-syslog_rules.xml",
"level": 2,
"path": "/var/ossec/ruleset/rules",
"details": {
"match": "$BAD_WORDS"
},
"groups": [
"gpg13_4.3",
"syslog",
"errors"
],
"id": 1002,
"gdpr": []
}
]
}
}
Syscheck¶
Clear¶
Clear syscheck database¶
Clears the syscheck database for all agents.
Request:
DELETE
/syscheck
Example Request:
curl -u foo:bar -X DELETE "http://localhost:55000/syscheck?pretty"
Example Response:
{
"data": "Syscheck database deleted",
"error": 0
}
Clear syscheck database of an agent¶
Clears the syscheck database for the specified agent.
Request:
DELETE
/syscheck/:agent_id
Parameters:
Param | Type | Description |
---|---|---|
agent_id | Number | Agent ID. |
Example Request:
curl -u foo:bar -X DELETE "http://localhost:55000/syscheck/000?pretty"
Example Response:
{
"data": "Syscheck database deleted",
"error": 0
}
Info¶
Get last syscheck scan¶
Returns the start and end timestamps of the last syscheck scan of the agent.
Request:
GET
/syscheck/:agent_id/last_scan
Parameters:
Param | Type | Description |
---|---|---|
agent_id | Number | Agent ID. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/syscheck/000/last_scan?pretty"
Example Response:
{
"error": 0,
"data": {
"start": "2018-08-02 23:45:55",
"end": "2018-08-02 23:45:59"
}
}
Get syscheck files¶
Returns the syscheck files of an agent.
Request:
GET
/syscheck/:agent_id
Parameters:
Param | Type | Description |
---|---|---|
agent_id | Number | Agent ID. |
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
search | String | Looks for elements with the specified string. |
event | String | Filters files by event. Allowed values: |
file | String | Filters files by file name. |
filetype | String | Selects the type of file. Allowed values: |
summary | String | Returns a summary grouped by file name. Allowed values: |
md5 | String | Returns the files with the specified MD5 hash. |
sha1 | String | Returns the files with the specified SHA1 hash. |
hash | String | Returns the files with the specified hash (MD5 or SHA1). |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/syscheck/000?offset=0&limit=2&pretty"
Example Response:
{
"error": 0,
"data": {
"totalItems": 3494,
"items": [
{
"sha1": "4d6b55312cbfedc71a7f52158de7d2eb59443bde",
"group": "root",
"uid": 0,
"scanDate": "2018-08-02 16:50:19",
"gid": 0,
"user": "root",
"file": "/boot/System.map-4.15.0-29-generic",
"modificationDate": "2018-07-17 08:57:50",
"octalMode": "100600",
"permissions": "-rw-------",
"md5": "b8f99e91ffa3c53c05b7e03cdbdf408d",
"inode": 535047,
"event": "modified",
"size": 4040379
},
{
"sha1": "7a604af2743cee6a5b19b0f7e0728c824f69efd5",
"group": "root",
"uid": 0,
"scanDate": "2018-08-02 16:50:19",
"gid": 0,
"user": "root",
"file": "/boot/initrd.img-4.15.0-23-generic",
"modificationDate": "2018-07-10 01:08:40",
"octalMode": "100644",
"permissions": "-rw-r--r--",
"md5": "66b71b3d5881277a3620972a702e631f",
"inode": 524297,
"event": "modified",
"size": 54209624
}
]
}
}
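The `md5`, `sha1` and `hash` parameters make this endpoint a cheap indicator-of-compromise lookup, and the `octalMode` field in each item is the full `st_mode` in octal, so setuid or world-writable files can be picked out client-side. The following added example (not Wazuh's own code) does both; `get` is any callable `(path, params) -> parsed JSON body`, `fake_get` and `SAMPLE_ITEMS` are a constructed offline stand-in whose first entry mirrors the response above, and the other two digests are the well-known MD5/SHA1 values of the empty string and of the "quick brown fox" sentence rather than hashes of any real file.

```python
"""Check IoC hashes against an agent's syscheck database and flag risky file modes.

Added example, not Wazuh's own code. It relies on the md5/sha1 query parameters
and the item fields (file, md5, sha1, octalMode, event) shown on this page; `get`
is any callable (path, params) -> parsed JSON body. SAMPLE_ITEMS is constructed.
"""
import re
import stat

_PARAM_BY_LENGTH = {32: "md5", 40: "sha1"}


def hash_query(ioc):
    """Map an IoC to the right query parameter, or refuse it.

    The API only knows MD5 and SHA1; rejecting anything else (SHA-256, a typo,
    an empty string) is better than sending a filter that silently matches nothing.
    """
    value = ioc.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in _PARAM_BY_LENGTH:
        raise ValueError(f"not an md5 or sha1 hex digest: {ioc!r}")
    return {_PARAM_BY_LENGTH[len(value)]: value}


def find_iocs(get, agent_id, iocs):
    """Return {digest: [paths]} for every IoC present in the agent's syscheck DB."""
    hits = {}
    for ioc in iocs:
        query = hash_query(ioc)
        body = get(f"/syscheck/{agent_id}", query)
        if body.get("error", 1) != 0:
            raise RuntimeError(f"API error {body.get('error')}: {body.get('message')}")
        paths = sorted(item["file"] for item in body["data"]["items"])
        if paths:
            hits[next(iter(query.values()))] = paths
    return hits


def risky_modes(items):
    """Flag files whose octalMode carries setuid, setgid or world-write bits.

    octalMode is the whole st_mode in octal ("100600"), so stat's masks apply directly.
    """
    flagged = []
    for item in items:
        mode = int(item["octalMode"], 8)
        reasons = [name for bit, name in ((stat.S_ISUID, "setuid"),
                                          (stat.S_ISGID, "setgid"),
                                          (stat.S_IWOTH, "world-writable")) if mode & bit]
        if reasons:
            flagged.append((item["file"], item["event"], reasons))
    return flagged


SAMPLE_ITEMS = [  # constructed: first row from the response above, the rest made up
    {"file": "/boot/System.map-4.15.0-29-generic", "event": "modified", "octalMode": "100600",
     "md5": "b8f99e91ffa3c53c05b7e03cdbdf408d", "sha1": "4d6b55312cbfedc71a7f52158de7d2eb59443bde"},
    {"file": "/usr/local/bin/helper", "event": "added", "octalMode": "104755",
     "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    {"file": "/tmp/drop", "event": "added", "octalMode": "100666",
     "md5": "9e107d9d372bb6826bd81d3542a419d6", "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"},
]


def fake_get(path, params):
    """Offline stand-in: filters SAMPLE_ITEMS by the single md5= or sha1= parameter."""
    assert path.startswith("/syscheck/"), path
    (field, value), = params.items()
    items = [i for i in SAMPLE_ITEMS if i[field] == value]
    return {"error": 0, "data": {"totalItems": len(items), "items": items}}


if __name__ == "__main__":
    print(find_iocs(fake_get, "000", ["D41D8CD98F00B204E9800998ECF8427E", "0" * 40]))
    print(risky_modes(SAMPLE_ITEMS))
```

Hashes are normalised to lower case before they are sent, so an upper-case IoC from a report still matches the lower-case digests the agent stores.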
Run¶
Run syscheck scan in all agents¶
Runs syscheck and rootcheck on all agents (Wazuh launches both processes simultaneously).
Request:
PUT
/syscheck
Example Request:
curl -u foo:bar -X PUT "http://localhost:55000/syscheck?pretty"
Example Response:
{
"data": "Restarting Syscheck/Rootcheck on all agents",
"error": 0
}
Run syscheck scan in an agent¶
Runs syscheck and rootcheck on an agent (Wazuh launches both processes simultaneously).
Request:
PUT
/syscheck/:agent_id
Parameters:
Param | Type | Description |
---|---|---|
agent_id | Number | Agent ID. |
Example Request:
curl -u foo:bar -X PUT "http://localhost:55000/syscheck/000?pretty"
Example Response:
{
"error": 0,
"data": "Restarting Syscheck/Rootcheck locally"
}
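`PUT /rootcheck/:agent_id` and `PUT /syscheck/:agent_id` (Run sections above) only start the combined run; the reply says "Restarting", not "finished", so a script that wants fresh results has to poll `GET /syscheck/:agent_id/last_scan` until its `end` moves. The following added example (not Wazuh's own code) chains the two calls. It assumes that `last_scan` keeps reporting the previous `end` until the new run completes, so an `end` later than the pre-run value is the completion signal; `request` is any callable `(method, path) -> parsed JSON body`, `ScriptedApi` is a constructed stand-in replaying one run offline, and the timeout and interval are arbitrary defaults.

```python
"""Kick off a syscheck/rootcheck run on one agent and wait for the scan to finish.

Added example, not Wazuh's own code. It chains PUT /syscheck/:agent_id with
GET /syscheck/:agent_id/last_scan as documented on this page. Assumption: while a
run is in progress last_scan shows a new 'start' with the old 'end'. ScriptedApi
is a constructed offline stand-in for the manager.
"""
import time
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # timestamp layout used by last_scan on this page


def _ts(value):
    return datetime.strptime(value, TS_FORMAT) if value else None


def last_scan(request, agent_id):
    """Return (start, end) of the agent's last scan as datetimes (None if absent)."""
    body = request("GET", f"/syscheck/{agent_id}/last_scan")
    if body.get("error", 1) != 0:
        raise RuntimeError(f"API error {body.get('error')}: {body.get('message')}")
    return _ts(body["data"].get("start")), _ts(body["data"].get("end"))


def run_and_wait(request, agent_id, timeout=600, interval=5, sleep=time.sleep):
    """Start a scan and block until last_scan shows an end later than the one before.

    'end advanced' rather than 'start advanced' is the completion signal: a run in
    progress already has a fresh start but still carries the previous end.
    """
    _, previous_end = last_scan(request, agent_id)
    body = request("PUT", f"/syscheck/{agent_id}")
    if body.get("error", 1) != 0:
        raise RuntimeError(f"could not start scan: {body.get('message')}")
    deadline = time.monotonic() + timeout
    while True:
        start, end = last_scan(request, agent_id)
        if start and end and end >= start and (previous_end is None or end > previous_end):
            return start, end
        if time.monotonic() >= deadline:
            raise TimeoutError(f"agent {agent_id}: scan still running after {timeout}s")
        sleep(interval)


class ScriptedApi:
    """Constructed stand-in: replays the responses a manager would give during one run."""

    def __init__(self):
        self.calls = []
        self._scans = iter([
            ("2018-08-02 23:45:55", "2018-08-02 23:45:59"),  # before the PUT
            ("2018-08-02 23:50:00", "2018-08-02 23:45:59"),  # started, not finished
            ("2018-08-02 23:50:00", "2018-08-02 23:50:31"),  # done
        ])

    def __call__(self, method, path):
        self.calls.append((method, path))
        if method == "PUT":
            return {"error": 0, "data": "Restarting Syscheck/Rootcheck locally"}
        start, end = next(self._scans)
        return {"error": 0, "data": {"start": start, "end": end}}


if __name__ == "__main__":
    api = ScriptedApi()
    print(run_and_wait(api, "000", interval=0, sleep=lambda _: None))
```

Injecting `sleep` keeps the polling loop testable without waiting; in production leave the default so the manager is not hammered every few milliseconds.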
Syscollector¶
Hardware¶
Get hardware info¶
Returns the agent's hardware info.
Request:
GET
/syscollector/:agent_id/hardware
Parameters:
Param | Type | Description |
---|---|---|
agent_id | Number | Agent ID. |
select | String | List of selected fields. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/hardware?pretty"
Example Response:
{
"error": 0,
"data": {
"board_serial": "0",
"ram": {
"usage": 56,
"total": 6053772,
"free": 2677484
},
"cpu": {
"cores": 2,
"mhz": 1991.998,
"name": "Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz"
},
"scan": {
"id": 208137997,
"time": "2018/08/02 23:45:54"
}
}
}
Netaddr¶
Get network address info of an agent¶
Returns the agent's network address info.
Request:
GET
/syscollector/:agent_id/netaddr
Parameters:
Param | Type | Description |
---|---|---|
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
select | String | List of selected fields. |
id | String | Filters by id. |
proto | String | Filters by proto. |
address | String | Filters by address. |
broadcast | String | Filters by broadcast. |
netmask | String | Filters by netmask. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/netaddr?pretty&limit=2&sort=proto"
Example Response:
{
"error": 0,
"data": {
"totalItems": 4,
"items": [
{
"id": 17,
"scan_id": 483670720,
"address": "fe80::a00:27ff:fed6:8e4f",
"netmask": "ffff:ffff:ffff:ffff::",
"proto": "ipv6"
},
{
"id": 18,
"scan_id": 483670720,
"address": "fe80::a00:27ff:fea9:6759",
"netmask": "ffff:ffff:ffff:ffff::",
"proto": "ipv6"
}
]
}
}
Netiface¶
Get network interface info of an agent¶
Returns the agent's network interface info.
Request:
GET
/syscollector/:agent_id/netiface
Parameters:
Param | Type | Description |
---|---|---|
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
select | String | List of selected fields. |
id | String | Filters by id. |
name | String | Filters by name. |
adapter | String | Filters by adapter. |
type | String | Filters by type. |
state | String | Filters by state. |
mtu | String | Filters by mtu. |
tx_packets | String | Filters by tx_packets. |
rx_packets | String | Filters by rx_packets. |
tx_bytes | String | Filters by tx_bytes. |
rx_bytes | String | Filters by rx_bytes. |
tx_errors | String | Filters by tx_errors. |
rx_errors | String | Filters by rx_errors. |
tx_dropped | String | Filters by tx_dropped. |
rx_dropped | String | Filters by rx_dropped. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/netiface?pretty&limit=2&sort=state"
Example Response:
{
"error": 0,
"data": {
"totalItems": 2,
"items": [
{
"name": "enp0s3",
"tx": {
"packets": 144,
"errors": 0,
"bytes": 16993,
"dropped": 0
},
"scan": {
"id": 483670720,
"time": "2018/08/02 23:45:54"
},
"rx": {
"packets": 352,
"errors": 0,
"bytes": 346608,
"dropped": 0
},
"mac": "08:00:27:D6:8E:4F",
"mtu": 1500,
"state": "up",
"type": "ethernet",
"id": 17
},
{
"name": "enp0s8",
"tx": {
"packets": 1580,
"errors": 0,
"bytes": 229506,
"dropped": 0
},
"scan": {
"id": 483670720,
"time": "2018/08/02 23:45:54"
},
"rx": {
"packets": 6032,
"errors": 0,
"bytes": 1600051,
"dropped": 0
},
"mac": "08:00:27:A9:67:59",
"mtu": 1500,
"state": "up",
"type": "ethernet",
"id": 18
}
]
}
}
Netproto¶
Get network protocol info of an agent¶
Returns the agent's network protocol info.
Request:
GET
/syscollector/:agent_id/netproto
Parameters:
Param | Type | Description |
---|---|---|
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
select | String | List of selected fields. |
id | String | Filters by id. |
iface | String | Filters by iface. |
type | String | Filters by type. |
gateway | String | Filters by gateway. |
dhcp | String | Filters by dhcp. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/netproto?pretty&limit=2&sort=type"
Example Response:
{
"error": 0,
"data": {
"totalItems": 4,
"items": [
{
"dhcp": "enabled",
"scan_id": 483670720,
"iface": "enp0s3",
"type": "ipv6",
"id": 17
},
{
"dhcp": "enabled",
"scan_id": 483670720,
"iface": "enp0s8",
"type": "ipv6",
"id": 18
}
]
}
}
OS¶
Get os info¶
Returns the agent's OS info.
Request:
GET
/syscollector/:agent_id/os
Parameters:
Param | Type | Description |
---|---|---|
agent_id | Number | Agent ID. |
select | String | List of selected fields. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/os?pretty"
Example Response:
{
"error": 0,
"data": {
"sysname": "Linux",
"version": "#31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018",
"architecture": "x86_64",
"scan": {
"id": 433934775,
"time": "2018/08/02 23:45:54"
},
"release": "4.15.0-29-generic",
"hostname": "wazuh",
"os": {
"major": "18",
"name": "Ubuntu",
"platform": "ubuntu",
"version": "18.04 LTS (Bionic Beaver)",
"codename": "Bionic Beaver",
"minor": "04"
}
}
}
Packages¶
Get packages info¶
Returns the agent's packages info.
Request:
GET
/syscollector/:agent_id/packages
Parameters:
Param | Type | Description |
---|---|---|
agent_id | Number | Agent ID. |
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
search | String | Looks for elements with the specified string. |
select | String | List of selected fields. |
vendor | String | Filters by vendor. |
name | String | Filters by name. |
architecture | String | Filters by architecture. |
format | String | Filters by format. |
version | String | Filters by version. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/packages?pretty&limit=2&offset=10&sort=-name"
Example Response:
{
"error": 0,
"data": {
"totalItems": 644,
"items": [
{
"vendor": "Martin Pitt <martin.pitt@ubuntu.com>",
"name": "apport",
"scan": {
"id": 1222412658,
"time": "2018/08/02 23:45:54"
},
"section": "utils",
"format": "deb",
"priority": "optional",
"version": "2.20.9-0ubuntu7",
"architecture": "all",
"size": 764,
"description": "automatically generate crash reports for debugging"
},
{
"vendor": "Ubuntu Developers <ubuntu-motu@lists.ubuntu.com>",
"name": "apport-symptoms",
"scan": {
"id": 1222412658,
"time": "2018/08/02 23:45:54"
},
"section": "utils",
"format": "deb",
"priority": "optional",
"version": "0.20",
"architecture": "all",
"size": 75,
"description": "symptom scripts for apport"
}
]
}
}
Ports¶
Get ports info of an agent¶
Returns the agent's ports info.
Request:
GET
/syscollector/:agent_id/ports
Parameters:
Param | Type | Description |
---|---|---|
agent_id | Number | Agent ID. |
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
select | String | List of selected fields. |
pid | Number | Filters by pid. |
protocol | String | Filters by protocol. |
local_ip | String | Filters by local_ip. |
local_port | Number | Filters by local_port. |
remote_ip | String | Filters by remote_ip. |
tx_queue | Number | Filters by tx_queue. |
state | String | Filters by state. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/ports?pretty&sort=-protocol&limit=2"
Example Response:
{
"error": 0,
"data": {
"totalItems": 14,
"items": [
{
"remote": {
"ip": "0.0.0.0",
"port": 0
},
"scan": {
"id": 1219576791,
"time": "2018/08/02 23:45:56"
},
"inode": 33140,
"state": "listening",
"tx_queue": 0,
"protocol": "tcp",
"rx_queue": 0,
"local": {
"ip": "0.0.0.0",
"port": 5601
}
},
{
"remote": {
"ip": "0.0.0.0",
"port": 0
},
"scan": {
"id": 1219576791,
"time": "2018/08/02 23:45:56"
},
"inode": 168808,
"state": "listening",
"tx_queue": 0,
"protocol": "tcp",
"rx_queue": 0,
"local": {
"ip": "0.0.0.0",
"port": 1516
}
}
]
}
}
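The ports inventory is the raw material for a simple exposure check: anything in state `listening` on a wildcard or non-loopback address that is not on the host's allowlist deserves a look. The following added example (not part of Wazuh) performs that diff. It assumes the item shape shown above (`protocol`, `state`, `local.ip`, `local.port`) and the `state` query filter from the parameter table; `SAMPLE_PORTS`, `ALLOW` and `fake_get` are constructed for offline use, with the 5601 and 1516 listeners copied from the response above and the rest made up.

```python
"""Find listening services that are not on a host's allowlist, from syscollector ports data.

Added example, not part of Wazuh. It assumes the ports item shape shown on this page
(protocol, state, local.ip, local.port) and the state= query filter. SAMPLE_PORTS,
ALLOW and fake_get are constructed so the code runs offline.
"""
import ipaddress

WILDCARDS = {"0.0.0.0", "::"}


def is_exposed(item):
    """True for a listening socket bound to a wildcard or non-loopback address."""
    if item.get("state") != "listening":
        return False
    ip = item["local"]["ip"]
    return ip in WILDCARDS or not ipaddress.ip_address(ip).is_loopback


def unexpected_listeners(items, allow):
    """Return sorted (protocol, ip, port) tuples that listen externally but are not in allow.

    allow holds (protocol, port) pairs, e.g. {("tcp", 1516)}.
    """
    found = {(i["protocol"], i["local"]["ip"], i["local"]["port"])
             for i in items
             if is_exposed(i) and (i["protocol"], i["local"]["port"]) not in allow}
    return sorted(found)


def audit_agent(get, agent_id, allow):
    """Ask the API for the agent's listening sockets and diff them against allow."""
    body = get(f"/syscollector/{agent_id}/ports", {"state": "listening", "limit": 500})
    if body.get("error", 1) != 0:
        raise RuntimeError(f"API error {body.get('error')}: {body.get('message')}")
    return unexpected_listeners(body["data"]["items"], allow)


SAMPLE_PORTS = [  # constructed inventory for agent 000
    {"protocol": "tcp", "state": "listening", "local": {"ip": "0.0.0.0", "port": 5601}},
    {"protocol": "tcp", "state": "listening", "local": {"ip": "0.0.0.0", "port": 1516}},
    {"protocol": "tcp", "state": "listening", "local": {"ip": "127.0.0.1", "port": 55000}},
    {"protocol": "tcp", "state": "listening", "local": {"ip": "0.0.0.0", "port": 4444}},
    {"protocol": "tcp", "state": "established", "local": {"ip": "10.0.2.15", "port": 51822}},
]

ALLOW = {("tcp", 5601), ("tcp", 1516)}  # constructed allowlist for this host role


def fake_get(path, params):
    """Offline stand-in that honours the state= filter."""
    assert path.endswith("/ports"), path
    items = [p for p in SAMPLE_PORTS if p["state"] == params.get("state", p["state"])]
    return {"error": 0, "data": {"totalItems": len(items), "items": items}}


if __name__ == "__main__":
    print(audit_agent(fake_get, "000", ALLOW))
```

Loopback-only services such as the API on 127.0.0.1:55000 in the sample are deliberately skipped; bind the API that way when the manager sits on an untrusted network and reach it through a tunnel.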
Processes¶
Get processes info¶
Returns the agent's processes info.
Request:
GET
/syscollector/:agent_id/processes
Parameters:
Param | Type | Description |
---|---|---|
agent_id | Number | Agent ID. |
offset | Number | First element to return in the collection. |
limit | Number | Maximum number of elements to return. |
sort | String | Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. |
select | String | List of selected fields. |
pid | Number | Filters by process pid. |
egroup | String | Filters by process egroup. |
euser | String | Filters by process euser. |
fgroup | String | Filters by process fgroup. |
nlwp | Number | Filters by process nlwp. |
pgrp | Number | Filters by process pgrp. |
priority | Number | Filters by process priority. |
rgroup | String | Filters by process rgroup. |
ruser | String | Filters by process ruser. |
sgroup | String | Filters by process sgroup. |
suser | String | Filters by process suser. |
Example Request:
curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/processes?pretty&limit=2&offset=10&sort=-name"
Example Response:
{
"error": 0,
"data": {
"totalItems": 111,
"items": [
{
"euser": "root",
"tty": 34816,
"rgroup": "root",
"sgroup": "root",
"scan": {
"id": 2147483647,
"time": "2018/08/02 23:45:56"
},
"resident": 1294,
"share": 835,
"start_time": 2172,
"pid": "1780",
"session": 1780,
"stime": 16,
"vm_size": 21540,
"size": 5385,
"ppid": 1447,
"egroup": "root",
"name": "bash",
"pgrp": 1780,
"tgid": 1780,
"utime": 27,
"cmd": "-bash",
"priority": 20,
"fgroup": "root",
"state": "S",
"ruser": "root",
"suser": "root",
"nlwp": 1,
"processor": 0,
"nice": 0
},
{
"euser": "root",
"tty": 0,
"rgroup": "root",
"sgroup": "root",
"scan": {
"id": 2147483647,
"time": "2018/08/02 23:45:56"
},
"resident": 0,
"share": 0,
"start_time": 105,
"pid": "121",
"session": 0,
"stime": 0,
"vm_size": 0,
"size": 0,
"nlwp": 1,
"egroup": "root",
"name": "charger_manager",
"pgrp": 0,
"tgid": 121,
"utime": 0,
"priority": 0,
"fgroup": "root",
"state": "I",
"ruser": "root",
"suser": "root",
"ppid": 2,
"processor": 1
}
]
}
}