This is the documentation for Wazuh 3.7. Check out the docs for the latest version of Wazuh!

3.5.0 Release Notes

This section shows the most relevant improvements and fixes in version 3.5.0. More details about these changes are provided in each component changelog.

Wazuh core

  • A new integration with osquery is shown, this will provide new scheduled results for the manager:

    • The osquery daemon will be launched in background.
    • Filter events by osquery by adding a new option in <location> rules.
    • Enrich osquery configuration with pack files aggregation and agent labels.
    • Support folders in shared configuration.
  • Parallelized remoted daemon:

    • Up to 16 parallel threads to decrypt messages from agents.
    • Frequency of agent keys reloading limited.
    • Message input buffer in Analysisd to prevent control messages starvation in Remoted.
  • Vulnerability Detector has been enhanced, adding support for other operating systems and improving the configuration of OVAL updates.

    • Added feed tag for updating each operating system OVAL, allowing to set a different configuration for each of them.
    • Packages already scanned won’t be checked unless no Syscollector scans are detected in a period longer than 24 hours.
    • Added arch check for Red Hat’s OVAL.
    • Force the vulnerability detection in unsupported OS with the <allow> attribute.
  • Fixed alerts format in Vulnerability Detector. When showing Vulnerability Detector alerts from a Red Hat agent, an RHSA patch was shown instead of a CVE. This patch consists in various CVEs compressed. The RHSA patches are unpackaged and alerts manifest that the system is vulnerable to each of the CVEs contained in that RHSA.

  • Added new support for AES encryption for manager and agent.

  • Enhanced active response process. Added a new feature which allows the user to customize the parameters sent to the agent’s active response script.

  • Added synchronization for remoted counters (rids), being reloaded if the inode of the file has changed.

  • Windows deletes pending active-responses when an output signal is received.

  • Rootcheck searchs for 32-bit and 64-bit keys. As Windows agent only runs in 32-bit mode, by default Rootcheck was searching only for 32-bit keys.

  • Get Linux packages, DEB and RPM, for Syscollector.

  • Added a new module for downloading shared files for agent groups dynamically.

  • Get running processes, opened ports, network interfaces, Linux (DEB/RPM) and Windows inventories natively for Syscollector.

    • Added field to the hardware inventory about the RAM usage, without using wmic.
    • Storage of multiple addresses/netmasks/broadcasts per interface in the DB.
    • CentOS 5 compatibility to run the network scan.

Wazuh API

  • Added information about the user who made the request in the API logs.
  • New option for downloading the wpk using HTTP in agent_upgrade.
  • Rotation of log files at midnight.
  • Added new API requests for syscollector.
  • Ignore uppercase and lowercase sorting an array.

Wazuh ruleset

  • Added rules for the new osquery integration.
  • Improved CIS-CAT rules.
  • Ingoring syscollector events rule added.

Wazuh app for Kibana

  • As part of the Elastic Stack v6.3.x compatibility process, now we have support for Kuery as query language for the app search bars.
  • Added new tab on Configuration to show the current Wazuh app configuration file values.
  • Added new tab on Configuration to show the latest Wazuh app logs.
  • Added XML/JSON viewer to Management → Configuration.
  • Improved reports, now with a better design and document structure.
  • Human-readability improvements for visualizations, tables and CSV files.
  • Now it’s possible to remove all the API entries from Settings.
  • More design improvements for the Welcome tab on some app sections.
  • More bug fixes, code refactoring and performance improvements.

In addition to this, the documentation now has a dedicated section for the Wazuh app, where you can learn more about its capabilities, how to configure it and install the X-Pack Security plugin.