The agent_control program allows you to query the manager for information about any agent and also allows you to initiate a syscheck/rootcheck scan on an agent the next time it checks in.

With this tool you can check the status of each available agent, which can be any of the following:

  • Active: The agent is correctly connected to the manager.
  • Pending: The agent is waiting for a response from the manager.
  • Disconnected: The agent is not connected to the manager.
  • Never connected: The agent has never connected to the manager.

agent_control options

-h Display the help message
-l List available agents whether they are active or not.
-lc List only the currently connected agents.
-ln List only the currently disconnected agents.
-i <agent_id> Extract information from an agent
-R <agent_id> Restart the Wazuh processes on the agent

Run the integrity/rootcheck checking on agents.

This must be used in conjunction with options -a or -u.

-a Utilizes all agents
-u <agent_id> Perform the requested action on the specified agent.

agent_control options for Active Response

-b <IP> Blocks the specified IP address.
-f <ar> Used with -b, specifies which response to run.
-L List available active responses.
-m Show the limit of agents that can be added.
-s Change the output to CSV format (comma delimited).
-j Change the output to JSON format.