Reference

This API reference is organized by resources:

Below is the Request List that shows all of the available requests.

Request List

Active Response
Agents
Cache
Ciscat
Cluster
Decoders
Experimental
Manager
Rootcheck
Rules
Syscheck
Syscollector

Active Response

Command

Run an AR command in the agent

Runs an Active Response command on a specified agent

Request:

PUT

/active-response/:agent_id

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

command

String

Command.

Custom

Boolean

Custom.

Arguments

Arguments

Command arguments.

Example Request:

curl -u foo:bar -X PUT -d '{"command":"restart-ossec0", "arguments": ["-", "null", "(from_the_server)", "(no_rule_id)"]}' -H 'Content-Type:application/json' "http://localhost:55000/active-response/001?pretty"

Example Response:

{
    "data": "Command sent.",
    "error": 0
}

Agents

Add

Add agent

Add a new agent.

Request:

POST

/agents

Parameters:

Param

Type

Description

name

String

Agent name.

ip

String

If this is not included, the API will get the IP automatically. If you are behind a proxy, you must set the option config.BehindProxyServer to yes at config.js.

Allowed values:

  • IP

  • IP/NET

  • ANY

force

Number

Remove the old agent with the same IP if disconnected since <force> seconds.

Example Request:

curl -u foo:bar -X POST -d '{"name":"NewHost","ip":"10.0.0.9"}' -H 'Content-Type:application/json' "http://localhost:55000/agents?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "id": "007",
      "key": "MDA3IE5ld0hvc3QgMTAuMC4wLjkgN2Y4OWM2NzVkNWE1NjAwNzA2OTY1ODQwM2NjYzZiNThkMzQ5M2E3OTRkOTMyMDU1MzAzZTE3ZDBkN2I0MmM5Yw=="
   }
}

Add agent (quick method)

Adds a new agent with name :agent_name. This agent will use ANY as IP.

Request:

PUT

/agents/:agent_name

Parameters:

Param

Type

Description

agent_name

String

Agent name.

Example Request:

curl -u foo:bar -X PUT "http://localhost:55000/agents/myNewAgent?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "id": "008",
      "key": "MDA4IG15TmV3QWdlbnQgYW55IGMwNWQzMTdmZWFkNTllM2I5MzJhZThjZDI2OWVlYWMzNTMzY2VmZDQ0NGY4MDk2MTBlYTVlZWI1YjU1OGQzMjY="
   }
}

Insert agent

Insert an agent with an existing id and key.

Request:

POST

/agents/insert

Parameters:

Param

Type

Description

name

String

Agent name.

ip

String

If this is not included, the API will get the IP automatically. If you are behind a proxy, you must set the option config.BehindProxyServer to yes at config.js.

Allowed values:

  • IP

  • IP/NET

  • ANY

id

String

Agent ID.

key

String

Agent key. Minimum length: 64 characters. Allowed values: ^[a-zA-Z0-9]+$

force

Number

Remove the old agent the with same IP if disconnected since <force> seconds.

Example Request:

curl -u foo:bar -X POST -d '{"name":"NewHost_2","ip":"10.0.10.10","id":"123","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64"}' -H 'Content-Type:application/json' "http://localhost:55000/agents/insert?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "id": "123",
      "key": "MTIzIE5ld0hvc3RfMiAxMC4wLjEwLjEwIDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YWJjZGVmZ2hpNjQ="
   }
}

Config

Get active configuration

Returns the active configuration in JSON format.

Request:

GET

/agents/:agent_id/config/:component/:configuration

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

component

String

Selected component.

configuration

String

Configuration to read.

Component/Configuration options:

Component

Configuration

Type

agent

client

agent

buffer

agent

labels

agent

internal

agent

agentless

agentless

manager

analysis

global

manager

active_response

manager

alerts

manager

command

manager

internal

manager

auth

auth

manager

com

active-response

agent/manager

internal

agent/manager

cluster

manager

csyslog

csyslog

manager

integrator

integration

manager

logcollector

localfile

agent/manager

socket

agent/manager

internal

agent/manager

mail

global

manager

alerts

manager

internal

manager

monitor

internal

manager

request

remote

manager

internal

manager

syscheck

syscheck

agent/manager

rootcheck

agent/manager

internal

agent/manager

wmodules

wmodules

agent/manager

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/001/config/logcollector/localfile?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "localfile": [
         {
            "alias": "df -P",
            "logformat": "command",
            "frequency": 360,
            "command": "df -P",
            "target": [
               "agent"
            ]
         },
         {
            "alias": "netstat listening ports",
            "logformat": "full_command",
            "frequency": 360,
            "command": "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d",
            "target": [
               "agent"
            ]
         },
         {
            "alias": "last -n 20",
            "logformat": "full_command",
            "frequency": 360,
            "command": "last -n 20",
            "target": [
               "agent"
            ]
         },
         {
            "logformat": "syslog",
            "target": [
               "agent"
            ],
            "file": "/var/ossec/logs/active-responses.log"
         },
         {
            "logformat": "syslog",
            "target": [
               "agent"
            ],
            "file": "/var/log/auth.log"
         },
         {
            "logformat": "syslog",
            "target": [
               "agent"
            ],
            "file": "/var/log/syslog"
         },
         {
            "logformat": "syslog",
            "target": [
               "agent"
            ],
            "file": "/var/log/dpkg.log"
         },
         {
            "logformat": "syslog",
            "target": [
               "agent"
            ],
            "file": "/var/log/kern.log"
         }
      ]
   }
}

Delete

Delete a list of groups

Removes a list of groups.

Request:

DELETE

/agents/groups

Parameters:

Param

Type

Description

ids

String[]

Array of group ID's.

Example Request:

curl -u foo:bar -X DELETE -H "Content-Type:application/json" -d '{"ids":["webserver","database"]}' "http://localhost:55000/agents/groups?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "msg": "All selected groups were removed",
      "ids": [
         "webserver",
         "database"
      ],
      "affected_agents": [
         "002",
         "005",
         "003"
      ]
   }
}

Delete agents

Removes agents, using a list of them or a criterion based on the status or time of the last connection. The Wazuh API must be restarted after removing an agent.

Request:

DELETE

/agents

Parameters:

Param

Type

Description

ids

String[]

Array of agent ID's.

purge

Boolean

Delete an agent from the key store.

status

String

Filters by agent status. Use commas to enter multiple statuses.

Allowed values:

  • active

  • pending

  • neverconnected

  • disconnected

older_than

String

Filters out disconnected agents for longer than specified. Time in seconds, '[n_days]d', '[n_hours]h', '[n_minutes]m' or '[n_seconds]s'. For never connected agents, uses the register date.

Example Request:

curl -u foo:bar -X DELETE -H "Content-Type:application/json" -d '{"ids":["003","005"]}' "http://localhost:55000/agents?pretty&older_than=10s&purge"

Example Response:

{
   "error": 0,
   "data": {
      "msg": "All selected agents were removed",
      "older_than": "10s",
      "affected_agents": [
         "003",
         "005"
      ],
      "total_affected_agents": 2
   }
}

Delete an agent

Removes an agent.

Request:

DELETE

/agents/:agent_id

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

purge

String

Delete an agent from the key store.

Example Request:

curl -u foo:bar -X DELETE "http://localhost:55000/agents/008?pretty&purge"

Example Response:

{
   "error": 0,
   "data": {
      "msg": "All selected agents were removed",
      "affected_agents": [
         "008"
      ]
   }
}

Group

Get sync status of agent

Returns the sync status in JSON format

Request:

GET

/agents/:agent_id/group/is_sync

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/001/group/is_sync?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "synced": false
   }
}

Groups

Add agent group

Adds an agent to the specified group.

Request:

PUT

/agents/:agent_id/group/:group_id

Parameters:

Param

Type

Description

agent_id

Number

Agent unique ID.

group_id

String

Group ID.

force_single_group

Boolean

Wheter to append new group to current agent's group or replace it.

Example Request:

curl -u foo:bar -X PUT "http://localhost:55000/agents/004/group/dmz?pretty"

Example Response:

{
   "error": 0,
   "data": "Agent '004' already belongs to group 'dmz'."
}

Create a group

Creates a new group.

Request:

PUT

/agents/groups/:group_id

Parameters:

Param

Type

Description

group_id

String

Group ID.

Example Request:

curl -u foo:bar -X PUT "http://localhost:55000/agents/groups/pciserver?pretty"

Example Response:

{
   "error": 0,
   "data": "Group 'pciserver' created."
}

Get a file in group

Returns the specified file belonging to the group parsed to JSON.

Request:

GET

/agents/groups/:group_id/files/:filename

Parameters:

Param

Type

Description

group_id

String

Group ID.

file_name

String

Filename

type

String

Type of file.

Allowed values:

  • conf

  • rootkit_files

  • rootkit_trojans

  • rcl

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/groups/webserver/files/cis_debian_linux_rcl.txt?pretty"

Example Response:

{
    "data": {
        "controls": [
            {
                "...": "..."
            },
            {
                "condition": "all required",
                "name": "CIS - Testing against the CIS Debian Linux Benchmark v1",
                "reference": "CIS_Debian_Benchmark_v1.0pdf",
                "checks": [
                    "f:/etc/debian_version;"
                ]
            }
        ]
    },
    "error": 0
}

Get agents in a group

Returns the list of agents in a group.

Request:

GET

/agents/groups/:group_id

Parameters:

Param

Type

Description

group_id

String

Group ID.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

select

String

Select which fields to return (separated by comma).

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

status

String

Filters by agent status.

Allowed values:

  • active

  • pending

  • neverconnected

  • disconnected

q

String

Query to filter results by.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/groups/dmz?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 2,
      "items": [
         {
            "status": "Active",
            "configSum": "ab73af41699f13fdd81903b5f23d8d00",
            "group": [
               "default",
               "dmz"
            ],
            "name": "agent1",
            "mergedSum": "f1a9e24e02ba4cc5ea80a9d3feb3bb9a",
            "ip": "192.168.185.7",
            "dateAdd": "2018-10-11 09:38:47",
            "node_name": "node02",
            "manager": "manager",
            "version": "Wazuh v3.7.2",
            "lastKeepAlive": "2018-10-11 13:58:08",
            "os": {
               "major": "16",
               "name": "Ubuntu",
               "uname": "Linux |ubuntu |4.4.0-135-generic |#161-Ubuntu SMP Mon Aug 27 10:45:01 UTC 2018 |x86_64",
               "platform": "ubuntu",
               "version": "16.04.5 LTS",
               "codename": "Xenial Xerus",
               "arch": "x86_64",
               "minor": "04"
            },
            "id": "001"
         },
         {
            "status": "Never connected",
            "group": [
               "dmz"
            ],
            "name": "main_database",
            "ip": "10.0.0.15",
            "node_name": "unknown",
            "dateAdd": "2018-10-11 13:58:11",
            "id": "004"
         }
      ]
   }
}

Get agents without group

Returns a list with the available agents without group.

Request:

GET

/agents/no_group

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

select

String

Select which fields to return (separated by comma).

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

q

String

Query to filter result. For example q=&quot;status=Active&quot;

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/no_group?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 3,
      "items": [
         {
            "status": "Never connected",
            "dateAdd": "2018-10-11 13:58:11",
            "name": "server002",
            "ip": "10.0.0.20",
            "id": "006",
            "node_name": "unknown"
         },
         {
            "status": "Never connected",
            "dateAdd": "2018-10-11 13:58:22",
            "name": "NewHost",
            "ip": "10.0.0.9",
            "id": "007",
            "node_name": "unknown"
         },
         {
            "status": "Never connected",
            "dateAdd": "2018-10-11 13:58:23",
            "name": "NewHost_2",
            "ip": "10.0.10.10",
            "id": "123",
            "node_name": "unknown"
         }
      ]
   }
}

Get group configuration

Returns the group configuration (agent.conf).

Request:

GET

/agents/groups/:group_id/configuration

Parameters:

Param

Type

Description

group_id

String

Group ID.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/groups/dmz/configuration?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 1,
      "items": [
         {
            "config": {
               "localfile": [
                  {
                     "log_format": "syslog",
                     "location": "/var/log/linux.log"
                  }
               ]
            },
            "filters": {
               "os": "Linux"
            }
         }
      ]
   }
}

Get group files

Returns the files belonging to the group.

Request:

GET

/agents/groups/:group_id/files

Parameters:

Param

Type

Description

group_id

String

Group ID.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

hash

String

Hash algorithm to use to calculate files checksums.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/groups/default/files?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 24,
      "items": [
         {
            "hash": "ab73af41699f13fdd81903b5f23d8d00",
            "filename": "agent.conf"
         },
         {
            "hash": "76d8be9b97d8eae4c239e530ee7e71c8",
            "filename": "ar.conf"
         },
         {
            "hash": "6d9bd718faff778bbeabada6f07f5c2f",
            "filename": "cis_apache2224_rcl.txt"
         },
         {
            "hash": "9beed128b4305943eead1a66a86d27d5",
            "filename": "cis_debian_linux_rcl.txt"
         },
         {
            "hash": "ee520e627150c8751493bc32540b859a",
            "filename": "cis_mysql5-6_community_rcl.txt"
         },
         {
            "hash": "672c92a1f57463e33ff14011b43727de",
            "filename": "cis_mysql5-6_enterprise_rcl.txt"
         },
         {
            "hash": "e03345360941dbff248f63765971f87e",
            "filename": "cis_rhel5_linux_rcl.txt"
         },
         {
            "hash": "d53e584559b759cb6ec3956f23dee46f",
            "filename": "cis_rhel6_linux_rcl.txt"
         },
         {
            "hash": "3b67c8b54d0fa8fdf5afa8d0d43398d8",
            "filename": "cis_rhel7_linux_rcl.txt"
         },
         {
            "hash": "24e83427d2678aada50fa401b921a0cd",
            "filename": "cis_rhel_linux_rcl.txt"
         },
         {
            "hash": "a3978c24aec520c4bcfb7db62bea41b9",
            "filename": "cis_sles11_linux_rcl.txt"
         },
         {
            "hash": "533ec3f8eda8e52edb181e3f6bd44d52",
            "filename": "cis_sles12_linux_rcl.txt"
         },
         {
            "hash": "6d762779c44dda24901673c0e715f5a9",
            "filename": "cis_win2012r2_domainL1_rcl.txt"
         },
         {
            "hash": "18ae1149bf2db6cc942d4fcb0f17a336",
            "filename": "cis_win2012r2_domainL2_rcl.txt"
         },
         {
            "hash": "5f0f6c9c40684b8cdac9bca1fa138ebc",
            "filename": "cis_win2012r2_memberL1_rcl.txt"
         },
         {
            "hash": "10b99529e86bedd78accce983eb402b5",
            "filename": "cis_win2012r2_memberL2_rcl.txt"
         },
         {
            "hash": "f1a9e24e02ba4cc5ea80a9d3feb3bb9a",
            "filename": "merged.mg"
         },
         {
            "hash": "a403c34392032ace267fbb163fc7cfad",
            "filename": "rootkit_files.txt"
         },
         {
            "hash": "b5d427623664d76140acbcb91f42d586",
            "filename": "rootkit_trojans.txt"
         },
         {
            "hash": "6cca8467c592a23fcf62cd5f33608fc3",
            "filename": "system_audit_rcl.txt"
         },
         {
            "hash": "e778eb44e4e8116a1e4c017b9b23eea2",
            "filename": "system_audit_ssh.txt"
         },
         {
            "hash": "0e1f8f16e217a70b9b80047646823587",
            "filename": "win_applications_rcl.txt"
         },
         {
            "hash": "4c2207e003d08db69822754271f9cb60",
            "filename": "win_audit_rcl.txt"
         },
         {
            "hash": "f9c3330533586eb380f294dcbd9918d8",
            "filename": "win_malware_rcl.txt"
         }
      ]
   }
}

Get groups

Returns the list of existing agent groups.

Request:

GET

/agents/groups

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

hash

String

Select algorithm to generate the sum.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/groups?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 3,
      "items": [
         {
            "count": 2,
            "mergedSum": "f1a9e24e02ba4cc5ea80a9d3feb3bb9a",
            "configSum": "ab73af41699f13fdd81903b5f23d8d00",
            "name": "default"
         },
         {
            "count": 2,
            "mergedSum": "2c9d1cc2609a8ff8062c2e2dded3221c",
            "configSum": "53b61b583230d823a57ff68a9b94eaf6",
            "name": "dmz"
         },
         {
            "count": 0,
            "configSum": "ab73af41699f13fdd81903b5f23d8d00",
            "name": "pciserver"
         }
      ]
   }
}

Remove a single group of an agent

Remove the group of the agent but will leave the rest of its group if it belongs to a multigroup.

Request:

DELETE

/agents/:agent_id/group/:group_id

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

group_id

String

Group ID.

Example Request:

curl -u foo:bar -X DELETE "http://localhost:55000/agents/004/group/dmz?pretty"

Example Response:

{
   "error": 0,
   "data": "Group 'dmz' unset for agent '004'."
}

Remove all agent groups.

Removes the group of the agent. The agent will automatically revert to the 'default' group.

Request:

DELETE

/agents/:agent_id/group

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

Example Request:

curl -u foo:bar -X DELETE "http://localhost:55000/agents/004/group?pretty"

Example Response:

{
   "error": 0,
   "data": "Group unset for agent '004'."
}

Remove group

Removes the group. Agents that were assigned to the removed group will automatically revert to the 'default' group.

Request:

DELETE

/agents/groups/:group_id

Parameters:

Param

Type

Description

group_id

String

Group ID.

Example Request:

curl -u foo:bar -X DELETE "http://localhost:55000/agents/groups/dmz?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "msg": "All selected groups were removed",
      "ids": [
         "dmz"
      ],
      "affected_agents": [
         "001"
      ]
   }
}

Info

Get OS summary

Returns a summary of the OS.

Request:

GET

/agents/summary/os

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

q

String

Query to filter result. For example q=&quot;status=Active&quot;

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/summary/os?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 1,
      "items": [
         "ubuntu"
      ]
   }
}

Get agents summary

Returns a summary of the available agents.

Request:

GET

/agents/summary

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/summary?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "Active": 2,
      "Never connected": 5,
      "Total": 7,
      "Disconnected": 0,
      "Pending": 0
   }
}

Get all agents

Returns a list with the available agents.

Request:

GET

/agents

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

select

String

Select which fields to return (separated by comma).

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

status

String

Filters by agent status. Use commas to enter multiple statuses.

Allowed values:

  • active

  • pending

  • neverconnected

  • disconnected

q

String

Query to filter results by. For example q=&quot;status=Active&quot;

older_than

String

Filters out disconnected agents for longer than specified. Time in seconds, '[n_days]d', '[n_hours]h', '[n_minutes]m' or '[n_seconds]s'. For never connected agents, uses the register date.

os.platform

String

Filters by OS platform.

os.version

String

Filters by OS version.

manager

String

Filters by manager hostname to which agents are connected.

version

String

Filters by agents version.

group

String

Filters by group of agents.

node_name

String

Filters by node name.

name

String

Filters by agent name.

ip

String

Filters by agent IP.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents?pretty&offset=0&limit=5&sort=-ip,name"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 7,
      "items": [
         {
            "status": "Active",
            "configSum": "ab73af41699f13fdd81903b5f23d8d00",
            "group": [
               "default"
            ],
            "name": "agent1",
            "mergedSum": "f1a9e24e02ba4cc5ea80a9d3feb3bb9a",
            "ip": "192.168.185.7",
            "manager": "manager",
            "node_name": "node02",
            "dateAdd": "2018-10-11 09:38:47",
            "version": "Wazuh v3.7.2",
            "lastKeepAlive": "2018-10-11 13:58:08",
            "os": {
               "major": "16",
               "name": "Ubuntu",
               "uname": "Linux |ubuntu |4.4.0-135-generic |#161-Ubuntu SMP Mon Aug 27 10:45:01 UTC 2018 |x86_64",
               "platform": "ubuntu",
               "version": "16.04.5 LTS",
               "codename": "Xenial Xerus",
               "arch": "x86_64",
               "minor": "04"
            },
            "id": "001"
         },
         {
            "status": "Active",
            "name": "manager",
            "ip": "127.0.0.1",
            "manager": "manager",
            "node_name": "node01",
            "dateAdd": "2018-10-11 09:37:23",
            "version": "Wazuh v3.7.2",
            "lastKeepAlive": "9999-12-31 23:59:59",
            "os": {
               "major": "18",
               "name": "Ubuntu",
               "uname": "Linux |manager |4.15.0-36-generic |#39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 |x86_64",
               "platform": "ubuntu",
               "version": "18.04.1 LTS",
               "codename": "Bionic Beaver",
               "arch": "x86_64",
               "minor": "04"
            },
            "id": "000"
         },
         {
            "status": "Never connected",
            "dateAdd": "2018-10-11 13:58:23",
            "name": "NewHost_2",
            "ip": "10.0.10.10",
            "id": "123",
            "node_name": "unknown"
         },
         {
            "status": "Never connected",
            "dateAdd": "2018-10-11 13:58:22",
            "name": "NewHost",
            "ip": "10.0.0.9",
            "id": "007",
            "node_name": "unknown"
         },
         {
            "status": "Never connected",
            "dateAdd": "2018-10-11 13:58:10",
            "group": [
               "default"
            ],
            "name": "server001",
            "ip": "10.0.0.62",
            "id": "002",
            "node_name": "unknown"
         }
      ]
   }
}

Get an agent

Returns various information from an agent.

Request:

GET

/agents/:agent_id

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

select

String

List of selected fields.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/000?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "status": "Active",
      "name": "manager",
      "ip": "127.0.0.1",
      "manager": "manager",
      "node_name": "node01",
      "dateAdd": "2018-10-11 09:37:23",
      "version": "Wazuh v3.7.2",
      "lastKeepAlive": "9999-12-31 23:59:59",
      "os": {
         "major": "18",
         "name": "Ubuntu",
         "uname": "Linux |manager |4.15.0-36-generic |#39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 |x86_64",
         "platform": "ubuntu",
         "version": "18.04.1 LTS",
         "codename": "Bionic Beaver",
         "arch": "x86_64",
         "minor": "04"
      },
      "id": "000"
   }
}

Get an agent by its name

Returns various information from an agent called :agent_name.

Request:

GET

/agents/name/:agent_name

Parameters:

Param

Type

Description

agent_name

String

Agent name.

select

String

List of selected fields.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/name/NewHost?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "status": "Never connected",
      "name": "NewHost",
      "ip": "10.0.0.9",
      "node_name": "unknown",
      "dateAdd": "2018-10-11 13:58:22",
      "id": "007"
   }
}

Key

Get agent key

Returns the key of an agent.

Request:

GET

/agents/:agent_id/key

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/004/key?pretty"

Example Response:

{
   "error": 0,
   "data": "MDA0IG1haW5fZGF0YWJhc2UgMTAuMC4wLjE1IDcwYjJiZTVlMTI1ZTZiYTYxNmJhNjRkN2E0NDRkZWFjODgyZmJiYjIwOGEyMmFiZTdjM2EzZTFmNDI2ODFjOGQ="
}

Restart

Restart a list of agents

Restarts a list of agents.

Request:

POST

/agents/restart

Parameters:

Param

Type

Description

ids

String[]

Array of agent ID's.

Example Request:

curl -u foo:bar -X POST -H "Content-Type:application/json" -d '{"ids":["002","004"]}' "http://localhost:55000/agents/restart?pretty"

Example Response:

{
    "data": {
        "msg": "All selected agents were restarted",
        "affected_agents": [
            "002",
            "004"
        ]
    },
    "error": 0
}

Restart all agents

Restarts all agents.

Request:

PUT

/agents/restart

Example Request:

curl -u foo:bar -X PUT "http://localhost:55000/agents/restart?pretty"

Example Response:

{
    "data": "Restarting all agents",
    "error": 0
}

Restart an agent

Restarts the specified agent.

Request:

PUT

/agents/:agent_id/restart

Parameters:

Param

Type

Description

agent_id

Number

Agent unique ID.

Example Request:

curl -u foo:bar -X PUT "http://localhost:55000/agents/007/restart?pretty"

Example Response:

{
    "data": {
        "msg": "All selected agents were restarted",
        "affected_agents": [
            "007"
        ]
    },
    "error": 0
}

Stats

Get distinct fields in agents

Returns all the different combinations that agents have for the selected fields. It also indicates the total number of agents that have each combination.

Request:

GET

/agents/stats/distinct

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

fields

String

List of fields affecting the operation.

select

String

List of selected fields.

q

String

Query to filter result. For example q=&quot;status=Active&quot;

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/stats/distinct?pretty&fields=os.platform"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 7,
      "items": [
         {
            "count": 2,
            "os": {
               "platform": "ubuntu"
            }
         },
         {
            "count": 5
         }
      ]
   }
}

Upgrade

Get outdated agents

Returns the list of outdated agents.

Request:

GET

/agents/outdated

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

q

String

Query to filter result. For example q=&quot;status=Active&quot;

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/outdated?pretty"

Example Response:

{
    "data": {
        "totalItems": 2,
        "items": [
            {
                "version": "Wazuh v3.0.0",
                "id": "003",
                "name": "main_database"
            },
            {
                "version": "Wazuh v3.0.0",
                "id": "004",
                "name": "dmz002"
            }
        ]
    },
    "error": 0
}

Get upgrade result from agent

Returns the upgrade result from an agent.

Request:

GET

/agents/:agent_id/upgrade_result

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

timeout

Number

Seconds to wait for the agent to respond.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/agents/003/upgrade_result?pretty"

Example Response:

{
    "data": "Agent upgraded successfully",
    "error": 0
}

Upgrade agent using custom file

Upgrade the agent using a custom file.

Request:

PUT

/agents/:agent_id/upgrade_custom

Parameters:

Param

Type

Description

agent_id

Number

Agent unique ID.

file_path

String

Path to the WPK file. The file must be on a folder on the Wazuh's installation directory (by default, /var/ossec).

installer

String

Installation script.

Example Request:

curl -u foo:bar -X PUT "http://localhost:55000/agents/002/upgrade_custom?pretty"

Example Response:

{
    "data": "Installation started",
    "error": 0
}

Upgrade agent using online repository

Upgrade the agent using a WPK file from online repository.

Request:

PUT

/agents/:agent_id/upgrade

Parameters:

Param

Type

Description

agent_id

Number

Agent unique ID.

wpk_repo

String

WPK repository.

version

String

Wazuh version.

use_http

Boolean

Use protocol http. If it's false use https. By default the value is set to false.

force

number

Force upgrade.

Allowed values:

  • 0

  • 1

Example Request:

curl -u foo:bar -X PUT "http://localhost:55000/agents/002/upgrade?pretty"

Example Response:

{
    "data": "Upgrade procedure started",
    "error": 0
}

Cache

Delete

Clear group cache

Clears cache of the specified group.

Request:

DELETE

/cache

Parameters:

Param

Type

Description

group

String

cache group.

Example Request:

curl -u foo:bar -X DELETE "http://localhost:55000/cache/mygroup?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "all": [
         "/agents/000?pretty",
         "/agents/name/NewHost?pretty",
         "/agents/stats/distinct?pretty&fields=os.platform"
      ],
      "groups": {
         "agents": [
            "/agents/000?pretty",
            "/agents/name/NewHost?pretty",
            "/agents/stats/distinct?pretty&fields=os.platform"
         ]
      }
   }
}

Delete cache index

Clears entire cache.

Request:

DELETE

/cache

Example Request:

curl -u foo:bar -X DELETE "http://localhost:55000/cache?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "all": [],
      "groups": {}
   }
}

Info

Get cache index

Returns current cache index.

Request:

GET

/cache

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cache?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "all": [],
      "groups": {}
   }
}

Return cache configuration

Returns cache configuration.

Request:

GET

/cache/config

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cache/config?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "debug": false,
      "defaultDuration": 750,
      "enabled": true,
      "appendKey": [],
      "jsonp": false,
      "redisClient": false
   }
}

Ciscat

Results

Get CIS-CAT results from an agent

Returns the agent's ciscat results info

Request:

GET

/ciscat/:agent_id/results

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

benchmark

String

Filters by benchmark.

profile

String

Filters by evaluated profile.

pass

Number

Filters by passed checks.

fail

Number

Filters by failed checks.

error

Number

Filters by encountered errors.

notchecked

Number

Filters by not checked.

unknown

Number

Filters by unknown results.

score

Number

Filters by final score.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/ciscat/000/results?pretty&sort=-score"

Example Response:

{
    "data": {
        "totalItems": 2,
        "items": [
            {
                "profile": "xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server",
                "score": 57,
                "error": 0,
                "scan": {
                    "id": 1406741147,
                    "time": "2018-09-06T07:50:15.632-07:00"
                },
                "fail": 79,
                "benchmark": "CIS Ubuntu Linux 16.04 LTS Benchmark",
                "pass": 104,
                "notchecked": 36,
                "unknown": 1
            },
            {
                "profile": "xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Workstation",
                "score": 64,
                "error": 0,
                "scan": {
                    "id": 1406741147,
                    "time": "2018-09-06T07:50:52.630-07:00"
                },
                "fail": 53,
                "benchmark": "CIS Ubuntu Linux 16.04 LTS Benchmark",
                "pass": 96,
                "notchecked": 71,
                "unknown": 0
            }
        ]
    },
    "error": 0
}

Cluster

Configuration

Get node node_id's configuration

Returns ossec.conf in JSON format.

Request:

GET

/cluster/:node_id/configuration

Parameters:

Param

Type

Description

section

String

Indicates the ossec.conf section: global, rules, syscheck, rootcheck, remote, alerts, command, active-response, localfile.

field

String

Indicates a section child, e.g, fields for rule section are: include, decoder_dir, etc.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/node02/configuration?section=global&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "email_notification": "no",
      "alerts_log": "yes",
      "jsonout_output": "yes",
      "smtp_server": "smtp.example.wazuh.com",
      "queue_size": "131072",
      "email_to": "recipient@example.wazuh.com",
      "logall": "no",
      "email_maxperhour": "12",
      "white_list": [
         "127.0.0.1",
         "^localhost.localdomain$",
         "127.0.0.53"
      ],
      "email_from": "ossecm@example.wazuh.com",
      "logall_json": "no"
   }
}

Get the cluster configuration

Returns the cluster configuration

Request:

GET

/cluster/config

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/config?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "disabled": "no",
      "hidden": "no",
      "name": "wazuh",
      "node_name": "node01",
      "bind_addr": "0.0.0.0",
      "node_type": "master",
      "key": "1b4e9e17d9dffffec33e248b53878012",
      "nodes": [
         "192.168.185.3"
      ],
      "port": 1516
   }
}

Info

Get info about cluster status

Returns whether the cluster is enabled or disabled

Request:

GET

/cluster/status

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/status?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "running": "yes",
      "enabled": "yes"
   }
}

Get node node_id's status

Returns the status of the manager processes.

Request:

GET

/cluster/:node_id/status

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/node02/status?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "wazuh-modulesd": "running",
      "ossec-authd": "stopped",
      "ossec-syscheckd": "running",
      "ossec-monitord": "running",
      "ossec-logcollector": "running",
      "ossec-execd": "running",
      "ossec-remoted": "running",
      "wazuh-clusterd": "running",
      "ossec-analysisd": "running",
      "ossec-maild": "stopped"
   }
}

Get node_id's information

Returns basic information about manager.

Request:

GET

/cluster/:node_id/info

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/node02/info?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "compilation_date": "Thu Oct 11 09:37:45 UTC 2018",
      "openssl_support": "yes",
      "ruleset_version": "3700",
      "tz_name": "UTC",
      "tz_offset": "+0000",
      "version": "v3.7.2",
      "path": "/var/ossec",
      "max_agents": "14000",
      "type": "manager"
   }
}

Show cluster health

Show cluster health

Request:

GET

/cluster/healthcheck

Parameters:

Param

Type

Description

node

String

Filter information by node name.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/healthcheck?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "nodes": {
         "node02": {
            "info": {
               "ip": "192.168.185.4",
               "version": "3.7.2",
               "type": "worker",
               "name": "node02",
               "n_active_agents": 1
            },
            "status": {
               "last_sync_agentinfo": {
                  "date_start_master": "2018-10-11 13:58:20.74",
                  "date_end_master": "2018-10-11 13:58:20.74",
                  "total_agentinfo": 1
               },
               "sync_integrity_free": true,
               "last_sync_agentgroups": {
                  "date_end_master": "n/a",
                  "total_agentgroups": 0,
                  "date_start_master": "n/a"
               },
               "last_sync_integrity": {
                  "total_files": {
                     "shared": 2,
                     "missing": 4,
                     "extra_valid": 0,
                     "extra": 0
                  },
                  "date_end_master": "2018-10-11 13:58:21.75",
                  "date_start_master": "2018-10-11 13:58:20.63"
               },
               "last_keep_alive": "2018-10-11 13:58:13.431503",
               "sync_agentinfo_free": true,
               "sync_extravalid_free": true
            }
         },
         "node01": {
            "info": {
               "ip": "192.168.185.3",
               "version": "3.7.2",
               "type": "master",
               "name": "node01",
               "n_active_agents": 1
            }
         }
      },
      "n_connected_nodes": 2
   }
}

Logs

Get ossec.log from a specific node in cluster.

Returns the three last months of ossec.log.

Request:

GET

/cluster/:node_id/logs

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

type_log

String

Filters by type of log.

Allowed values:

  • all

  • error

  • warning

  • info

category

String

Filters by category of log.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/node02/logs?offset=0&limit=5&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 1809,
      "items": [
         {
            "timestamp": "2018-10-11 13:58:30",
            "tag": "ossec-remoted",
            "description": "(1409): Authentication file changed. Updating.",
            "level": "info"
         },
         {
            "timestamp": "2018-10-11 13:58:30",
            "tag": "ossec-remoted",
            "description": "(1410): Reading authentication keys file.",
            "level": "info"
         },
         {
            "timestamp": "2018-10-11 13:41:57",
            "tag": "wazuh-modulesd:syscollector",
            "description": "Evaluation finished.",
            "level": "info"
         },
         {
            "timestamp": "2018-10-11 13:41:49",
            "tag": "wazuh-modulesd:syscollector",
            "description": "Starting evaluation.",
            "level": "info"
         },
         {
            "timestamp": "2018-10-11 13:31:30",
            "tag": "ossec-remoted",
            "description": "(1409): Authentication file changed. Updating.",
            "level": "info"
         }
      ]
   }
}

Get summary of ossec.log from a specific node in cluster.

Returns a summary of the last three months of the <code>ossec.log</code> file.

Request:

GET

/cluster/:node_id/logs/summary

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/node02/logs/summary?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "wazuh-modulesd": {
         "info": 2,
         "all": 616,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 614
      },
      "wazuh-modulesd:oscap": {
         "info": 2,
         "all": 2,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "wazuh-db": {
         "info": 3,
         "all": 3,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "wazuh-modulesd:ciscat": {
         "info": 2,
         "all": 2,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "wazuh-modulesd:syscollector": {
         "info": 15,
         "all": 15,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-rootcheck": {
         "info": 6,
         "all": 6,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-monitord": {
         "info": 3,
         "all": 3,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-logcollector": {
         "info": 19,
         "all": 19,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-execd": {
         "info": 4,
         "all": 4,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-remoted": {
         "info": 115,
         "all": 564,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 449
      },
      "ossec-syscheckd": {
         "info": 55,
         "all": 55,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "wazuh-modulesd:osquery": {
         "info": 2,
         "all": 2,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "wazuh-modulesd:download": {
         "info": 2,
         "all": 2,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-analysisd": {
         "info": 449,
         "all": 449,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "wazuh-modulesd:database": {
         "info": 2,
         "all": 67,
         "critical": 0,
         "error": 65,
         "debug": 0,
         "warning": 0
      }
   }
}

Nodes

Get local node info

Returns the local node info

Request:

GET

/cluster/node

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/node?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "node": "node01",
      "cluster": "wazuh",
      "type": "master"
   }
}

Get node info

Returns the node info

Request:

GET

/cluster/nodes/:node_name

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/nodes/node01?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "ip": "192.168.185.3",
      "version": "3.7.2",
      "type": "master",
      "name": "node01"
   }
}

Get nodes info

Returns the nodes info

Request:

GET

/cluster/nodes

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

type

String

Filters by node type.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/nodes?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 2,
      "items": [
         {
            "ip": "192.168.185.4",
            "version": "3.7.2",
            "type": "worker",
            "name": "node02"
         },
         {
            "ip": "192.168.185.3",
            "version": "3.7.2",
            "type": "master",
            "name": "node01"
         }
      ]
   }
}

Stats

Get node node_id's stats

Returns Wazuh statistical information for the current or specified date.

Request:

GET

/cluster/:node_id/stats

Parameters:

Param

Type

Description

date

String

Selects the date for getting the statistical information. Format: YYYYMMDD

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/node02/stats?pretty"

Example Response:

{
    "data": [
        {
            "hour": 5,
            "firewall": 0,
            "alerts": [
                {
                    "level": 3,
                    "sigid": 5715,
                    "times": 4
                },
                {
                    "level": 2,
                    "sigid": 1002,
                    "times": 2
                },
                {
                    "...": "..."
                }
            ],
            "totalAlerts": 107,
            "syscheck": 1257,
            "events": 1483
        },
        {
            "...": "..."
        }
    ],
    "error": 0
}

Get node node_id's stats by hour

Returns Wazuh statistical information per hour. Each number in the averages field represents the average of alerts per hour.

Request:

GET

/cluster/:node_id/stats/hourly

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/node02/stats/hourly?pretty"

Example Response:

{
    "data": {
        "averages": [
            100,
            357,
            242,
            500,
            422,
            "...",
            123
        ],
        "interactions": 0
    },
    "error": 0
}

Get node node_id's stats by week

Returns Wazuh statistical information per week. Each number in the hours field represents the average alerts per hour for that specific day.

Request:

GET

/cluster/:node_id/stats/weekly

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/cluster/node02/stats/weekly?pretty"

Example Response:

{
    "data": {
        "Wed": {
            "hours": [
                223,
                "...",
                456
            ],
            "interactions": 0
        },
        "Sun": {
            "hours": [
                332,
                "...",
                313
            ],
            "interactions": 0
        },
        "Thu": {
            "hours": [
                888,
                "...",
                123
            ],
            "interactions": 0
        },
        "Tue": {
            "hours": [
                536,
                "...",
                345
            ],
            "interactions": 0
        },
        "Mon": {
            "hours": [
                444,
                "...",
                556
            ],
            "interactions": 0
        },
        "Fri": {
            "hours": [
                131,
                "...",
                432
            ],
            "interactions": 0
        },
        "Sat": {
            "hours": [
                134,
                "...",
                995
            ],
            "interactions": 0
        }
    },
    "error": 0
}

Decoders

Info

Get all decoders

Returns all decoders included in ossec.conf.

Request:

GET

/decoders

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

file

String

Filters by filename.

path

String

Filters by path.

status

String

Filters the decoders by status.

Allowed values:

  • enabled

  • disabled

  • all

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/decoders?pretty&offset=0&limit=2&sort=+file,position"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 571,
      "items": [
         {
            "status": "enabled",
            "name": "wazuh",
            "details": {
               "prematch": "^wazuh: "
            },
            "file": "0005-wazuh_decoders.xml",
            "position": 0,
            "path": "/var/ossec/ruleset/decoders"
         },
         {
            "status": "enabled",
            "name": "agent-buffer",
            "details": {
               "regex": "^ '(\\S+)'.",
               "prematch": "^Agent buffer:",
               "parent": "wazuh",
               "order": "level"
            },
            "file": "0005-wazuh_decoders.xml",
            "position": 1,
            "path": "/var/ossec/ruleset/decoders"
         }
      ]
   }
}

Get all decoders files

Returns all decoders files included in ossec.conf.

Request:

GET

/decoders/files

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

status

String

Filters the decoders by status.

Allowed values:

  • enabled

  • disabled

  • all

file

String

Filters by filename.

path

String

Filters by path.

download

String

Downloads the file

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/decoders/files?pretty&offset=0&limit=10&sort=-path"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 96,
      "items": [
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0025-apache_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0385-wordpress_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0345-unbound_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0260-rsa-auth-manager_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0460-kaspersky_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0160-netscaler_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0350-unix_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0200-ossec_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0355-vm-pop3_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0050-checkpoint_decoders.xml"
         }
      ]
   }
}

Get all parent decoders

Returns all parent decoders included in ossec.conf

Request:

GET

/decoders/parents

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/decoders/parents?pretty&offset=0&limit=2&sort=-file"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 153,
      "items": [
         {
            "status": "enabled",
            "name": "local_decoder_example",
            "details": {
               "program_name": "local_decoder_example"
            },
            "file": "local_decoder.xml",
            "position": 0,
            "path": "/var/ossec/etc/decoders"
         },
         {
            "status": "enabled",
            "name": "azure-storage",
            "details": {
               "regex": "^azure_storage_tag: (\\S+)",
               "order": "tag",
               "prematch": "^azure_tag: azure-storage. "
            },
            "file": "0465-azure_decoders.xml",
            "position": 0,
            "path": "/var/ossec/ruleset/decoders"
         }
      ]
   }
}

Get decoders by name

Returns the decoders with the specified name.

Request:

GET

/decoders/:decoder_name

Parameters:

Param

Type

Description

decoder_name

String

Decoder name.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/decoders/apache-errorlog?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 3,
      "items": [
         {
            "status": "enabled",
            "name": "apache-errorlog",
            "details": {
               "program_name": "^apache2|^httpd"
            },
            "file": "0025-apache_decoders.xml",
            "position": 0,
            "path": "/var/ossec/ruleset/decoders"
         },
         {
            "status": "enabled",
            "name": "apache-errorlog",
            "details": {
               "prematch": "^[warn] |^[notice] |^[error] "
            },
            "file": "0025-apache_decoders.xml",
            "position": 1,
            "path": "/var/ossec/ruleset/decoders"
         },
         {
            "status": "enabled",
            "name": "apache-errorlog",
            "details": {
               "prematch": "^[\\w+ \\w+ \\d+ \\d+:\\d+:\\d+.\\d+ \\d+] [\\S+:warn] |^[\\w+ \\w+ \\d+ \\d+:\\d+:\\d+.\\d+ \\d+] [\\S+:notice] |^[\\w+ \\w+ \\d+ \\d+:\\d+:\\d+.\\d+ \\d+] [\\S*:error] |^[\\w+ \\w+ \\d+ \\d+:\\d+:\\d+.\\d+ \\d+] [\\S+:info] "
            },
            "file": "0025-apache_decoders.xml",
            "position": 2,
            "path": "/var/ossec/ruleset/decoders"
         }
      ]
   }
}

Experimental

Clear

Clear syscheck database

Clears the syscheck database for all agents.

Request:

DELETE

/experimental/syscheck

Example Request:

curl -u foo:bar -X DELETE "http://localhost:55000/experimental/syscheck?pretty"

Example Response:

{
    "data": "Syscheck database deleted",
    "error": 0
}

Hardware

Get hardware info of all agents

Returns the agent's hardware info

Request:

GET

/experimental/syscollector/hardware

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

ram_free

String

Filters by ram_free.

ram_total

String

Filters by ram_total.

cpu_cores

String

Filters by cpu_cores.

cpu_mhz

String

Filters by cpu_mhz.

cpu_name

String

Filters by cpu_name.

board_serial

String

Filters by board_serial.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/experimental/syscollector/hardware?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 4,
      "items": [
         {
            "cpu": {
               "cores": 2,
               "mhz": 1992.002,
               "name": "Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz"
            },
            "ram": {
               "usage": 31,
               "total": 4039540,
               "free": 2823368
            },
            "scan": {
               "id": 290336726,
               "time": "2018/10/11 13:41:49"
            },
            "agent_id": "000",
            "board_serial": "0"
         },
         {
            "cpu": {
               "cores": 1,
               "mhz": 1992.002,
               "name": "Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz"
            },
            "ram": {
               "usage": 78,
               "total": 1015964,
               "free": 232516
            },
            "scan": {
               "id": 991251367,
               "time": "2018/10/11 06:28:28"
            },
            "agent_id": "001",
            "board_serial": "0"
         },
         {
            "cpu": {
               "cores": 2,
               "mhz": 1992.002,
               "name": "Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz"
            },
            "ram": {
               "usage": 30,
               "total": 4039540,
               "free": 2830096
            },
            "scan": {
               "id": 6482164,
               "time": "2018/10/11 13:58:02"
            },
            "agent_id": "000",
            "board_serial": "0"
         }
      ]
   }
}

Netaddr

Get network address info of all agents

Returns the agent's network address info

Request:

GET

/experimental/syscollector/netaddr

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

proto

String

Filters by proto.

address

String

Filters by address.

broadcast

String

Filters by broadcast.

netmask

String

Filters by netmask.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/experimental/syscollector/netaddr?pretty&limit=2&sort=proto"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 16,
      "items": [
         {
            "scan_id": 180208171,
            "address": "fe80::a00:27ff:fe08:79e2",
            "netmask": "ffff:ffff:ffff:ffff::",
            "agent_id": "000",
            "proto": "ipv6"
         },
         {
            "scan_id": 180208171,
            "address": "fe80::a00:27ff:fe9c:3a87",
            "netmask": "ffff:ffff:ffff:ffff::",
            "agent_id": "000",
            "proto": "ipv6"
         }
      ]
   }
}

Netiface

Get network interface info of all agents

Returns the agent's network interface info

Request:

GET

/experimental/syscollector/netiface

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

name

String

Filters by name.

adapter

String

Filters by adapter.

type

String

Filters by type.

state

String

Filters by state.

mtu

String

Filters by mtu.

tx_packets

String

Filters by tx_packets.

rx_packets

String

Filters by rx_packets.

tx_bytes

String

Filters by tx_bytes.

rx_bytes

String

Filters by rx_bytes.

tx_errors

String

Filters by tx_errors.

rx_errors

String

Filters by rx_errors.

tx_dropped

String

Filters by tx_dropped.

rx_dropped

String

Filters by rx_dropped.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/experimental/syscollector/netiface?pretty&limit=2"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 8,
      "items": [
         {
            "name": "enp0s3",
            "tx": {
               "bytes": 203153,
               "errors": 0,
               "packets": 2066,
               "dropped": 0
            },
            "scan": {
               "id": 180208171,
               "time": "2018/10/11 13:41:49"
            },
            "rx": {
               "bytes": 4785004,
               "errors": 0,
               "packets": 3906,
               "dropped": 0
            },
            "state": "up",
            "mtu": 1500,
            "mac": "08:00:27:08:79:E2",
            "agent_id": "000",
            "type": "ethernet"
         },
         {
            "name": "enp0s8",
            "tx": {
               "bytes": 3932457,
               "errors": 0,
               "packets": 19252,
               "dropped": 0
            },
            "scan": {
               "id": 180208171,
               "time": "2018/10/11 13:41:49"
            },
            "rx": {
               "bytes": 17143171,
               "errors": 0,
               "packets": 55513,
               "dropped": 0
            },
            "state": "up",
            "mtu": 1500,
            "mac": "08:00:27:9C:3A:87",
            "agent_id": "000",
            "type": "ethernet"
         }
      ]
   }
}

Netproto

Get network protocol info of all agents

Returns the agent's network protocol info

Request:

GET

/experimental/syscollector/netproto

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

select

String

List of selected fields.

search

String

Looks for elements with the specified string.

iface

String

Filters by iface.

type

String

Filters by type.

gateway

String

Filters by gateway.

dhcp

String

Filters by dhcp.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/experimental/syscollector/netproto?pretty&limit=2&sort=type"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 16,
      "items": [
         {
            "dhcp": "enabled",
            "scan_id": 180208171,
            "iface": "enp0s3",
            "type": "ipv6",
            "agent_id": "000"
         },
         {
            "dhcp": "enabled",
            "scan_id": 180208171,
            "iface": "enp0s8",
            "type": "ipv6",
            "agent_id": "000"
         }
      ]
   }
}

OS

Get os info of all agents

Returns the agent's os info

Request:

GET

/experimental/syscollector/os

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

os_name

String

Filters by os_name.

architecture

String

Filters by architecture.

os_version

String

Filters by os_version.

version

String

Filters by version.

release

String

Filters by release.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/experimental/syscollector/os?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 4,
      "items": [
         {
            "sysname": "Linux",
            "scan": {
               "id": 1546263850,
               "time": "2018/10/11 13:41:49"
            },
            "hostname": "manager",
            "version": "#39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018",
            "agent_id": "000",
            "release": "4.15.0-36-generic",
            "os": {
               "major": "18",
               "name": "Ubuntu",
               "platform": "ubuntu",
               "version": "18.04.1 LTS (Bionic Beaver)",
               "codename": "Bionic Beaver",
               "minor": "04"
            },
            "architecture": "x86_64"
         },
         {
            "sysname": "Linux",
            "scan": {
               "id": 1321691712,
               "time": "2018/10/11 06:28:28"
            },
            "hostname": "ubuntu",
            "version": "#161-Ubuntu SMP Mon Aug 27 10:45:01 UTC 2018",
            "agent_id": "001",
            "release": "4.4.0-135-generic",
            "os": {
               "major": "16",
               "name": "Ubuntu",
               "platform": "ubuntu",
               "version": "16.04.5 LTS (Xenial Xerus)",
               "codename": "Xenial Xerus",
               "minor": "04"
            },
            "architecture": "x86_64"
         },
         {
            "sysname": "Linux",
            "scan": {
               "id": 1365560089,
               "time": "2018/10/11 13:58:02"
            },
            "hostname": "manager",
            "version": "#39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018",
            "agent_id": "000",
            "release": "4.15.0-36-generic",
            "os": {
               "major": "18",
               "name": "Ubuntu",
               "platform": "ubuntu",
               "version": "18.04.1 LTS (Bionic Beaver)",
               "codename": "Bionic Beaver",
               "minor": "04"
            },
            "architecture": "x86_64"
         }
      ]
   }
}

Packages

Get packages info of all agents

Returns the agent's packages info

Request:

GET

/experimental/syscollector/packages

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

vendor

String

Filters by vendor.

name

String

Filters by name.

architecture

String

Filters by architecture.

format

String

Filters by format.

select

String

List of selected fields.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/experimental/syscollector/packages?pretty&sort=-name&limit=2"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 2211,
      "items": [
         {
            "description": "Access control list utilities",
            "vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
            "name": "acl",
            "format": "deb",
            "section": "utils",
            "scan": {
               "id": 734249799,
               "time": "2018/10/11 13:41:49"
            },
            "priority": "optional",
            "version": "2.2.52-3build1",
            "architecture": "amd64",
            "multiarch": "foreign",
            "size": 200,
            "agent_id": "000"
         },
         {
            "description": "Access control list utilities",
            "vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
            "name": "acl",
            "format": "deb",
            "section": "utils",
            "scan": {
               "id": 1016339758,
               "time": "2018/10/11 13:58:02"
            },
            "priority": "optional",
            "version": "2.2.52-3build1",
            "architecture": "amd64",
            "multiarch": "foreign",
            "size": 200,
            "agent_id": "000"
         }
      ]
   }
}

Ports

Get ports info of all agents

Returns the agent's ports info

Request:

GET

/experimental/syscollector/ports

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

pid

Number

Filters by pid.

protocol

String

Filters by protocol.

local_ip

String

Filters by local_ip.

local_port

Number

Filters by local_port.

remote_ip

String

Filters by remote_ip.

tx_queue

Number

Filters by tx_queue.

state

String

Filters by state.

process

String

Filters by process.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/experimental/syscollector/ports?pretty&limit=2&sort=protocol"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 38,
      "items": [
         {
            "remote": {
               "ip": "::",
               "port": 0
            },
            "scan": {
               "id": 1669880808,
               "time": "2018/10/11 13:41:56"
            },
            "local": {
               "ip": "::",
               "port": 22
            },
            "state": "listening",
            "tx_queue": 0,
            "agent_id": "000",
            "protocol": "tcp6",
            "rx_queue": 0,
            "inode": 19254
         },
         {
            "remote": {
               "ip": "::",
               "port": 0
            },
            "scan": {
               "id": 1669880808,
               "time": "2018/10/11 13:41:56"
            },
            "local": {
               "ip": "::",
               "port": 55000
            },
            "state": "listening",
            "tx_queue": 0,
            "agent_id": "000",
            "protocol": "tcp6",
            "rx_queue": 0,
            "inode": 468831
         }
      ]
   }
}

Processes

Get processes info of all agents

Returns the agent's processes info

Request:

GET

/experimental/syscollector/processes

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

pid

Number

Filters by process pid.

state

String

Filters by process state.

ppid

Number

Filters by process parent pid.

egroup

String

Filters by process egroup.

euser

String

Filters by process euser.

fgroup

String

Filters by process fgroup.

name

String

Filters by process name.

nlwp

Number

Filters by process nlwp.

pgrp

Number

Filters by process pgrp.

priority

Number

Filters by process priority.

rgroup

String

Filters by process rgroup.

ruser

String

Filters by process ruser.

sgroup

String

Filters by process sgroup.

suser

String

Filters by process suser.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/experimental/syscollector/processes?pretty&limit=2&sort=priority"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 448,
      "items": [
         {
            "tty": 0,
            "rgroup": "root",
            "sgroup": "root",
            "scan": {
               "id": 1000352755,
               "time": "2018/10/11 13:41:56"
            },
            "resident": 0,
            "pid": "28",
            "session": 0,
            "size": 0,
            "egroup": "root",
            "tgid": 28,
            "priority": 25,
            "fgroup": "root",
            "state": "S",
            "ppid": 2,
            "nice": 5,
            "euser": "root",
            "share": 0,
            "start_time": 2,
            "agent_id": "000",
            "vm_size": 0,
            "utime": 0,
            "nlwp": 1,
            "name": "ksmd",
            "pgrp": 0,
            "ruser": "root",
            "suser": "root",
            "processor": 1,
            "stime": 0
         },
         {
            "tty": 0,
            "rgroup": "root",
            "sgroup": "root",
            "scan": {
               "id": 422134722,
               "time": "2018/10/11 13:58:09"
            },
            "resident": 0,
            "pid": "28",
            "session": 0,
            "size": 0,
            "egroup": "root",
            "tgid": 28,
            "priority": 25,
            "fgroup": "root",
            "state": "S",
            "ppid": 2,
            "nice": 5,
            "euser": "root",
            "share": 0,
            "start_time": 2,
            "agent_id": "000",
            "vm_size": 0,
            "utime": 0,
            "nlwp": 1,
            "name": "ksmd",
            "pgrp": 0,
            "ruser": "root",
            "suser": "root",
            "processor": 1,
            "stime": 0
         }
      ]
   }
}

Results

Get CIS-CAT results

Returns the agent's ciscat results info

Request:

GET

/experimental/ciscat/results

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

benchmark

String

Filters by benchmark.

profile

String

Filters by evaluated profile.

pass

Number

Filters by passed checks.

fail

Number

Filters by failed checks.

error

Number

Filters by encountered errors.

notchecked

Number

Filters by not checked.

unknown

Number

Filters by unknown results.

score

Number

Filters by final score.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/experimental/ciscat/results?pretty&sort=-score"

Example Response:

{
    "data": {
        "totalItems": 2,
        "items": [
            {
                "profile": "xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Workstation",
                "score": 64,
                "agent_id": "001",
                "error": 0,
                "scan": {
                    "id": 1260865673,
                    "time": "2018-09-06T07:59:25.682-07:00"
                },
                "fail": 53,
                "benchmark": "CIS Ubuntu Linux 16.04 LTS Benchmark",
                "pass": 96,
                "notchecked": 71,
                "unknown": 0
            },
            {
                "profile": "xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server",
                "score": 57,
                "agent_id": "001",
                "error": 0,
                "scan": {
                    "id": 1260865673,
                    "time": "2018-09-06T07:58:39.342-07:00"
                },
                "fail": 79,
                "benchmark": "CIS Ubuntu Linux 16.04 LTS Benchmark",
                "pass": 104,
                "notchecked": 36,
                "unknown": 1
            }
        ]
    },
    "error": 0
}

Manager

Configuration

Get manager configuration

Returns ossec.conf in JSON format.

Request:

GET

/manager/configuration

Parameters:

Param

Type

Description

section

String

Indicates the ossec.conf section: global, rules, syscheck, rootcheck, remote, alerts, command, active-response, localfile.

field

String

Indicates a section child, e.g, fields for rule section are: include, decoder_dir, etc.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/manager/configuration?section=global&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "email_notification": "no",
      "alerts_log": "yes",
      "jsonout_output": "yes",
      "smtp_server": "smtp.example.wazuh.com",
      "queue_size": "131072",
      "email_to": "recipient@example.wazuh.com",
      "logall": "no",
      "email_maxperhour": "12",
      "white_list": [
         "127.0.0.1",
         "^localhost.localdomain$",
         "127.0.0.53"
      ],
      "email_from": "ossecm@example.wazuh.com",
      "logall_json": "no"
   }
}

Info

Get manager information

Returns basic information about manager.

Request:

GET

/manager/info

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/manager/info?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "compilation_date": "Thu Oct 11 09:37:22 UTC 2018",
      "version": "v3.7.2",
      "openssl_support": "yes",
      "max_agents": "14000",
      "ruleset_version": "3700",
      "path": "/var/ossec",
      "tz_name": "UTC",
      "type": "manager",
      "tz_offset": "+0000"
   }
}

Get manager status

Returns the status of the manager processes.

Request:

GET

/manager/status

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/manager/status?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "wazuh-modulesd": "running",
      "ossec-authd": "stopped",
      "wazuh-clusterd": "running",
      "ossec-monitord": "running",
      "ossec-logcollector": "running",
      "ossec-execd": "running",
      "ossec-remoted": "running",
      "ossec-syscheckd": "running",
      "ossec-analysisd": "running",
      "ossec-maild": "stopped"
   }
}

Logs

Get ossec.log

Returns the three last months of ossec.log.

Request:

GET

/manager/logs

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

type_log

String

Filters by type of log.

Allowed values:

  • all

  • error

  • warning

  • info

category

String

Filters by category of log.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/manager/logs?offset=0&limit=5&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 2000,
      "items": [
         {
            "timestamp": "2018-10-11 13:58:31",
            "tag": "ossec-remoted",
            "description": "(1409): Authentication file changed. Updating.",
            "level": "info"
         },
         {
            "timestamp": "2018-10-11 13:58:31",
            "tag": "ossec-remoted",
            "description": "(1410): Reading authentication keys file.",
            "level": "info"
         },
         {
            "timestamp": "2018-10-11 13:58:31",
            "tag": "ossec-rootcheck",
            "description": "Ending rootcheck scan.",
            "level": "info"
         },
         {
            "timestamp": "2018-10-11 13:58:26",
            "tag": "wazuh-modulesd:database",
            "description": "Couldn't get database status for agent '3'.",
            "level": "error"
         },
         {
            "timestamp": "2018-10-11 13:58:26",
            "tag": "wazuh-modulesd:database",
            "description": "Couldn't get database status for agent '5'.",
            "level": "error"
         }
      ]
   }
}

Get summary of ossec.log

Returns a summary of the last three months of the <code>ossec.log</code> file.

Request:

GET

/manager/logs/summary

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/manager/logs/summary?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "wazuh-modulesd": {
         "info": 18,
         "all": 614,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 596
      },
      "wazuh-modulesd:oscap": {
         "info": 18,
         "all": 18,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "wazuh-db": {
         "info": 35,
         "all": 35,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-authd": {
         "info": 8,
         "all": 17,
         "critical": 0,
         "error": 0,
         "debug": 9,
         "warning": 0
      },
      "wazuh-modulesd:ciscat": {
         "info": 18,
         "all": 18,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "wazuh-modulesd:syscollector": {
         "info": 75,
         "all": 75,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-rootcheck": {
         "info": 82,
         "all": 82,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-monitord": {
         "info": 35,
         "all": 35,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-logcollector": {
         "info": 179,
         "all": 179,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-execd": {
         "info": 52,
         "all": 52,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-remoted": {
         "info": 237,
         "all": 251,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 14
      },
      "ossec-syscheckd": {
         "info": 531,
         "all": 531,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "wazuh-modulesd:osquery": {
         "info": 18,
         "all": 18,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "wazuh-modulesd:download": {
         "info": 18,
         "all": 18,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "ossec-analysisd": {
         "info": 4049,
         "all": 4049,
         "critical": 0,
         "error": 0,
         "debug": 0,
         "warning": 0
      },
      "wazuh-modulesd:database": {
         "info": 18,
         "all": 94,
         "critical": 0,
         "error": 76,
         "debug": 0,
         "warning": 0
      }
   }
}

Stats

Get analysisd stats

Returns a summary of the current analysisd stats.

Request:

GET

/manager/stats/analysisd

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/manager/stats/analysisd?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "archives_queue_size": 16384,
      "events_dropped": 0,
      "alerts_queue_size": 16384,
      "rule_matching_queue_usage": 0,
      "events_processed": 5,
      "event_queue_usage": 0,
      "events_edps": 1,
      "hostinfo_events_decoded": 0,
      "syscollector_events_decoded": 0,
      "rootcheck_edps": 0,
      "firewall_queue_usage": 0,
      "alerts_queue_usage": 0,
      "firewall_queue_size": 16384,
      "alerts_written": 0,
      "firewall_written": 0,
      "syscheck_queue_size": 16384,
      "events_received": 5,
      "rootcheck_queue_usage": 0,
      "rootcheck_events_decoded": 0,
      "rootcheck_queue_size": 16384,
      "syscheck_edps": 0,
      "fts_written": 0,
      "syscheck_queue_usage": 0,
      "other_events_edps": 1,
      "statistical_queue_usage": 0,
      "hostinfo_edps": 0,
      "hostinfo_queue_usage": 0,
      "syscheck_events_decoded": 0,
      "syscollector_queue_usage": 0,
      "archives_queue_usage": 0,
      "statistical_queue_size": 16384,
      "total_events_decoded": 5,
      "hostinfo_queue_size": 16384,
      "syscollector_queue_size": 16384,
      "rule_matching_queue_size": 16384,
      "other_events_decoded": 5,
      "event_queue_size": 16384,
      "syscollector_edps": 0
   }
}

Get manager stats

Returns Wazuh statistical information for the current or specified date.

Request:

GET

/manager/stats

Parameters:

Param

Type

Description

date

String

Selects the date for getting the statistical information. Format: YYYYMMDD

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/manager/stats?pretty"

Example Response:

{
    "data": [
        {
            "hour": 5,
            "firewall": 0,
            "alerts": [
                {
                    "level": 3,
                    "sigid": 5715,
                    "times": 4
                },
                {
                    "level": 2,
                    "sigid": 1002,
                    "times": 2
                },
                {
                    "...": "..."
                }
            ],
            "totalAlerts": 107,
            "syscheck": 1257,
            "events": 1483
        },
        {
            "...": "..."
        }
    ],
    "error": 0
}

Get manager stats by hour

Returns Wazuh statistical information per hour. Each number in the averages field represents the average of alerts per hour.

Request:

GET

/manager/stats/hourly

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/manager/stats/hourly?pretty"

Example Response:

{
    "data": {
        "averages": [
            100,
            357,
            242,
            500,
            422,
            "...",
            123
        ],
        "interactions": 0
    },
    "error": 0
}

Get manager stats by week

Returns Wazuh statistical information per week. Each number in the hours field represents the average alerts per hour for that specific day.

Request:

GET

/manager/stats/weekly

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/manager/stats/weekly?pretty"

Example Response:

{
    "data": {
        "Wed": {
            "hours": [
                223,
                "...",
                456
            ],
            "interactions": 0
        },
        "Sun": {
            "hours": [
                332,
                "...",
                313
            ],
            "interactions": 0
        },
        "Thu": {
            "hours": [
                888,
                "...",
                123
            ],
            "interactions": 0
        },
        "Tue": {
            "hours": [
                536,
                "...",
                345
            ],
            "interactions": 0
        },
        "Mon": {
            "hours": [
                444,
                "...",
                556
            ],
            "interactions": 0
        },
        "Fri": {
            "hours": [
                131,
                "...",
                432
            ],
            "interactions": 0
        },
        "Sat": {
            "hours": [
                134,
                "...",
                995
            ],
            "interactions": 0
        }
    },
    "error": 0
}

Get remoted stats

Returns a summary of the current remoted stats.

Request:

GET

/manager/stats/remoted

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/manager/stats/remoted?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "discarded_count": 0,
      "msg_sent": 0,
      "queue_size": 0,
      "ctrl_msg_count": 0,
      "evt_count": 0,
      "tcp_sessions": 0,
      "total_queue_size": 131072
   }
}

Rootcheck

Clear

Clear rootcheck database

Clears the rootcheck database for all agents.

Request:

DELETE

/rootcheck

Example Request:

curl -u foo:bar -X DELETE "http://localhost:55000/rootcheck?pretty"

Example Response:

{
    "data": "Rootcheck database deleted",
    "error": 0
}

Clear rootcheck database of an agent

Clears the rootcheck database for a specific agent.

Request:

DELETE

/rootcheck/:agent_id

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

Example Request:

curl -u foo:bar -X DELETE "http://localhost:55000/rootcheck/000?pretty"

Example Response:

{
    "data": "Rootcheck database deleted",
    "error": 0
}

Info

Get last rootcheck scan

Returns the timestamp of the last rootcheck scan.

Request:

GET

/rootcheck/:agent_id/last_scan

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/rootcheck/000/last_scan?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "start": "2018-10-11 13:58:03",
      "end": "2018-10-11 13:58:31"
   }
}

Get rootcheck CIS requirements

Returns the CIS requirements of all rootchecks of the specified agent.

Request:

GET

/rootcheck/:agent_id/cis

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/rootcheck/000/cis?offset=0&limit=10&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 2,
      "items": [
         "2.3 Debian Linux",
         "1.4 Debian Linux"
      ]
   }
}

Get rootcheck database

Returns the rootcheck database of an agent.

Request:

GET

/rootcheck/:agent_id

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

pci

String

Filters by pci requirement.

cis

String

Filters by CIS.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

status

String

Filters by status.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/rootcheck/000?offset=0&limit=2&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 26,
      "items": [
         {
            "status": "outstanding",
            "oldDay": "2018-10-11 09:37:44",
            "event": "File '/etc/systemd/system/wazuh-manager.service' is owned by root and has written permissions to anyone.",
            "readDay": "2018-10-11 13:58:08"
         },
         {
            "status": "outstanding",
            "oldDay": "2018-10-11 09:37:45",
            "event": "File '/usr/local/lib/python2.7/dist-packages/pip-10.0.1-py2.7.egg/EGG-INFO/PKG-INFO' is owned by root and has written permissions to anyone.",
            "readDay": "2018-10-11 13:58:08"
         }
      ]
   }
}

Get rootcheck pci requirements

Returns the PCI requirements of all rootchecks of the agent.

Request:

GET

/rootcheck/:agent_id/pci

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/rootcheck/000/pci?offset=0&limit=10&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 2,
      "items": [
         "4.1",
         "2.2.4"
      ]
   }
}

Run

Run rootcheck scan in all agents

Runs syscheck and rootcheck on all agents (Wazuh launches both processes simultaneously).

Request:

PUT

/rootcheck

Example Request:

curl -u foo:bar -X PUT "http://localhost:55000/rootcheck?pretty"

Example Response:

{
    "data": "Restarting Syscheck/Rootcheck on all agents",
    "error": 0
}

Run rootcheck scan in an agent

Runs syscheck and rootcheck on a specified agent (Wazuh launches both processes simultaneously)

Request:

PUT

/rootcheck/:agent_id

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

Example Request:

curl -u foo:bar -X PUT "http://localhost:55000/rootcheck/000?pretty"

Example Response:

{
   "error": 0,
   "data": "Restarting Syscheck/Rootcheck locally"
}

Rules

Info

Get all rules

Returns all rules.

Request:

GET

/rules

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

status

String

Filters the rules by status.

Allowed values:

  • enabled

  • disabled

  • all

group

String

Filters the rules by group.

level

Range

Filters the rules by level. level=2 or level=2-5.

path

String

Filters the rules by path.

file

String

Filters the rules by file name.

pci

String

Filters the rules by pci requirement.

gdpr

String

Filters the rules by gdpr.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/rules?offset=0&limit=2&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 1681,
      "items": [
         {
            "status": "enabled",
            "pci": [],
            "description": "Generic template for all syslog rules.",
            "file": "0010-rules_config.xml",
            "level": 0,
            "path": "/var/ossec/ruleset/rules",
            "details": {
               "category": "syslog",
               "noalert": "1"
            },
            "groups": [
               "syslog"
            ],
            "id": 1,
            "gdpr": []
         },
         {
            "status": "enabled",
            "pci": [],
            "description": "Generic template for all firewall rules.",
            "file": "0010-rules_config.xml",
            "level": 0,
            "path": "/var/ossec/ruleset/rules",
            "details": {
               "category": "firewall",
               "noalert": "1"
            },
            "groups": [
               "firewall"
            ],
            "id": 2,
            "gdpr": []
         }
      ]
   }
}

Get files of rules

Returns the files of all rules.

Request:

GET

/rules/files

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

status

String

Filters files by status.

Allowed values:

  • enabled

  • disabled

  • all

path

String

Filters the rules by path.

file

String

Filters the rules by filefile.

download

String

Downloads the file

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/rules/files?offset=0&limit=10&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 110,
      "items": [
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0010-rules_config.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0015-ossec_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0016-wazuh_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0020-syslog_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0025-sendmail_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0030-postfix_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0035-spamd_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0040-imapd_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0045-mailscanner_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0050-ms-exchange_rules.xml"
         }
      ]
   }
}

Get rule gdpr requirements

Returns the GDPR requirements of all rules.

Request:

GET

/rules/gdpr

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/rules/gdpr?offset=0&limit=10&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 4,
      "items": [
         "II_5.1.f",
         "IV_30.1.g",
         "IV_32.2",
         "IV_35.7.d"
      ]
   }
}

Get rule groups

Returns the groups of all rules.

Request:

GET

/rules/groups

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/rules/groups?offset=0&limit=10&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 303,
      "items": [
         "access_control",
         "access_denied",
         "accesslog",
         "account_changed",
         "active_response",
         "adduser",
         "agent",
         "agent_flooding",
         "agent_restarting",
         "agentless"
      ]
   }
}

Get rule pci requirements

Returns the PCI requirements of all rules.

Request:

GET

/rules/pci

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/rules/pci?offset=0&limit=10&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 38,
      "items": [
         "1.1.1",
         "1.3.4",
         "1.4",
         "10.1",
         "10.2.1",
         "10.2.2",
         "10.2.4",
         "10.2.5",
         "10.2.6",
         "10.2.7"
      ]
   }
}

Get rules by id

Returns the rules with the specified id.

Request:

GET

/rules/:rule_id

Parameters:

Param

Type

Description

id

Number

rule.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/rules/1002?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 1,
      "items": [
         {
            "status": "enabled",
            "pci": [],
            "description": "Unknown problem somewhere in the system.",
            "file": "0020-syslog_rules.xml",
            "level": 2,
            "path": "/var/ossec/ruleset/rules",
            "details": {
               "match": "$BAD_WORDS"
            },
            "groups": [
               "gpg13_4.3",
               "syslog",
               "errors"
            ],
            "id": 1002,
            "gdpr": []
         }
      ]
   }
}

Syscheck

Clear

Clear syscheck database of an agent

Clears the syscheck database for the specified agent.

Request:

DELETE

/syscheck/:agent_id

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

Example Request:

curl -u foo:bar -X DELETE "http://localhost:55000/syscheck/000?pretty"

Example Response:

{
    "data": "Syscheck database deleted",
    "error": 0
}

Info

Get last syscheck scan

Return the timestamp of the last syscheck scan.

Request:

GET

/syscheck/:agent_id/last_scan

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/syscheck/000/last_scan?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "start": "2018-10-11 13:58:03",
      "end": "2018-10-11 13:58:10"
   }
}

Get syscheck files

Returns the syscheck files of an agent.

Request:

GET

/syscheck/:agent_id

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

file

String

Filters file by filename.

type

String

Selects type of file.

Allowed values:

  • file

  • registry

summary

String

Returns a summary grouping by filename.

Allowed values:

  • yes

  • no

select

String

List of selected fields.

md5

String

Returns the files with the specified md5 hash.

sha1

String

Returns the files with the specified sha1 hash.

sha256

String

Returns the files with the specified sha256 hash.

hash

String

Returns the files with the specified hash (md5, sha1 or sha256).

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/syscheck/000?offset=0&limit=2&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 3081,
      "items": [
         {
            "sha1": "a455c6f041e39513a68542a986e7c2cd317b4c8c",
            "uid": "0",
            "type": "file",
            "gname": "root",
            "perm": "100644",
            "uname": "root",
            "gid": "0",
            "file": "/etc/group-",
            "mtime": "2018-10-04 13:57:52",
            "date": "2018-10-11 13:58:03",
            "sha256": "bc926b88b941093c163e94f4f04c90b44d1ed758dacc897510ff65f39c748e20",
            "inode": 537242,
            "md5": "64c1512d021be5fff1df63d33de8839b",
            "size": 842
         },
         {
            "sha1": "7ec9bb595034a09cf8f1b54343500781e2a1649a",
            "uid": "0",
            "type": "file",
            "gname": "root",
            "perm": "100644",
            "uname": "root",
            "gid": "0",
            "file": "/etc/locale.alias",
            "mtime": "2018-04-16 20:14:20",
            "date": "2018-10-11 13:58:03",
            "sha256": "d00a79e710fba98d48022903f7770b30c7474b1b980b830769c17af7bf6be95e",
            "inode": 525034,
            "md5": "d7a66c8ca60c85abc6f2db2b43209105",
            "size": 2995
         }
      ]
   }
}

Run

Run syscheck scan in all agents

Runs syscheck and rootcheck on all agents (Wazuh launches both processes simultaneously).

Request:

PUT

/syscheck

Example Request:

curl -u foo:bar -X PUT "http://localhost:55000/syscheck?pretty"

Example Response:

{
    "data": "Restarting Syscheck/Rootcheck on all agents",
    "error": 0
}

Run syscheck scan in an agent

Runs syscheck and rootcheck on an agent (Wazuh launches both processes simultaneously).

Request:

PUT

/syscheck/:agent_id

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

Example Request:

curl -u foo:bar -X PUT "http://localhost:55000/syscheck/000?pretty"

Example Response:

{
   "error": 0,
   "data": "Restarting Syscheck/Rootcheck locally"
}

Syscollector

Hardware

Get hardware info

Returns the agent's hardware info

Request:

GET

/syscollector/:agent_id/hardware

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

select

String

List of selected fields.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/hardware?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "ram": {
         "usage": 30,
         "total": 4039540,
         "free": 2830096
      },
      "scan": {
         "id": 6482164,
         "time": "2018/10/11 13:58:02"
      },
      "cpu": {
         "cores": 2,
         "mhz": 1992.002,
         "name": "Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz"
      },
      "board_serial": "0"
   }
}

Netaddr

Get network address info of an agent

Returns the agent's network address info

Request:

GET

/syscollector/:agent_id/netaddr

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

proto

String

Filters by proto.

address

String

Filters by address.

broadcast

String

Filters by broadcast.

netmask

String

Filters by netmask.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/netaddr?pretty&limit=2&sort=proto"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 4,
      "items": [
         {
            "scan_id": 1704830323,
            "address": "fe80::a00:27ff:fe55:be81",
            "netmask": "ffff:ffff:ffff:ffff::",
            "proto": "ipv6"
         },
         {
            "scan_id": 1704830323,
            "address": "fe80::a00:27ff:fe3f:7ce",
            "netmask": "ffff:ffff:ffff:ffff::",
            "proto": "ipv6"
         }
      ]
   }
}

Netiface

Get network interface info of an agent

Returns the agent's network interface info

Request:

GET

/syscollector/:agent_id/netiface

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

name

String

Filters by name.

adapter

String

Filters by adapter.

type

String

Filters by type.

state

String

Filters by state.

mtu

String

Filters by mtu.

tx_packets

String

Filters by tx_packets.

rx_packets

String

Filters by rx_packets.

tx_bytes

String

Filters by tx_bytes.

rx_bytes

String

Filters by rx_bytes.

tx_errors

String

Filters by tx_errors.

rx_errors

String

Filters by rx_errors.

tx_dropped

String

Filters by tx_dropped.

rx_dropped

String

Filters by rx_dropped.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/netiface?pretty&limit=2&sort=state"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 2,
      "items": [
         {
            "name": "enp0s3",
            "tx": {
               "bytes": 310335,
               "errors": 0,
               "packets": 3060,
               "dropped": 0
            },
            "scan": {
               "id": 1704830323,
               "time": "2018/10/11 13:58:02"
            },
            "rx": {
               "bytes": 6688620,
               "errors": 0,
               "packets": 5625,
               "dropped": 0
            },
            "mac": "08:00:27:55:BE:81",
            "mtu": 1500,
            "state": "up",
            "type": "ethernet"
         },
         {
            "name": "enp0s8",
            "tx": {
               "bytes": 11711492,
               "errors": 0,
               "packets": 100663,
               "dropped": 0
            },
            "scan": {
               "id": 1704830323,
               "time": "2018/10/11 13:58:02"
            },
            "rx": {
               "bytes": 7492113,
               "errors": 0,
               "packets": 66040,
               "dropped": 0
            },
            "mac": "08:00:27:3F:07:CE",
            "mtu": 1500,
            "state": "up",
            "type": "ethernet"
         }
      ]
   }
}

Netproto

Get network protocol info of an agent

Returns the agent's network protocol info

Request:

GET

/syscollector/:agent_id/netproto

Parameters:

Param

Type

Description

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

iface

String

Filters by iface.

type

String

Filters by type.

gateway

String

Filters by gateway.

dhcp

String

Filters by dhcp.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/netproto?pretty&limit=2&sort=type"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 4,
      "items": [
         {
            "dhcp": "enabled",
            "scan_id": 1704830323,
            "iface": "enp0s3",
            "type": "ipv6"
         },
         {
            "dhcp": "enabled",
            "scan_id": 1704830323,
            "iface": "enp0s8",
            "type": "ipv6"
         }
      ]
   }
}

OS

Get os info

Returns the agent's OS info

Request:

GET

/syscollector/:agent_id/os

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

select

String

List of selected fields.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/os?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "sysname": "Linux",
      "scan": {
         "id": 1365560089,
         "time": "2018/10/11 13:58:02"
      },
      "hostname": "manager",
      "version": "#39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018",
      "architecture": "x86_64",
      "release": "4.15.0-36-generic",
      "os": {
         "major": "18",
         "name": "Ubuntu",
         "platform": "ubuntu",
         "version": "18.04.1 LTS (Bionic Beaver)",
         "codename": "Bionic Beaver",
         "minor": "04"
      }
   }
}

Packages

Get packages info

Returns the agent's packages info

Request:

GET

/syscollector/:agent_id/packages

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

vendor

String

Filters by vendor.

name

String

Filters by name.

architecture

String

Filters by architecture.

format

String

Filters by format.

version

String

Filters by version.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/packages?pretty&limit=2&offset=10&sort=-name"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 585,
      "items": [
         {
            "description": "Delayed job execution and batch processing",
            "vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
            "name": "at",
            "format": "deb",
            "section": "admin",
            "scan": {
               "id": 1016339758,
               "time": "2018/10/11 13:58:02"
            },
            "priority": "standard",
            "version": "3.1.20-3.1ubuntu2",
            "architecture": "amd64",
            "multiarch": "foreign",
            "size": 151
         },
         {
            "description": "Debian base system miscellaneous files",
            "vendor": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
            "name": "base-files",
            "format": "deb",
            "section": "admin",
            "scan": {
               "id": 1016339758,
               "time": "2018/10/11 13:58:02"
            },
            "priority": "required",
            "version": "10.1ubuntu2.2",
            "architecture": "amd64",
            "multiarch": "foreign",
            "size": 375
         }
      ]
   }
}

Ports

Get ports info of an agent

Returns the agent's ports info

Request:

GET

/syscollector/:agent_id/ports

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

pid

Number

Filters by pid.

protocol

String

Filters by protocol.

local_ip

String

Filters by local_ip.

local_port

Number

Filters by local_port.

remote_ip

String

Filters by remote_ip.

tx_queue

Number

Filters by tx_queue.

state

String

Filters by state.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/ports?pretty&sort=-protocol&limit=2"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 15,
      "items": [
         {
            "remote": {
               "ip": "0.0.0.0",
               "port": 0
            },
            "scan": {
               "id": 1923359643,
               "time": "2018/10/11 13:58:09"
            },
            "local": {
               "ip": "127.0.0.53",
               "port": 53
            },
            "state": "listening",
            "tx_queue": 0,
            "protocol": "tcp",
            "rx_queue": 0,
            "inode": 16255
         },
         {
            "remote": {
               "ip": "0.0.0.0",
               "port": 0
            },
            "scan": {
               "id": 1923359643,
               "time": "2018/10/11 13:58:09"
            },
            "local": {
               "ip": "0.0.0.0",
               "port": 22
            },
            "state": "listening",
            "tx_queue": 0,
            "protocol": "tcp",
            "rx_queue": 0,
            "inode": 19405
         }
      ]
   }
}

Processes

Get processes info

Returns the agent's processes info

Request:

GET

/syscollector/:agent_id/processes

Parameters:

Param

Type

Description

agent_id

Number

Agent ID.

offset

Number

First element to return in the collection.

limit

Number

Maximum number of elements to return.

sort

String

Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order.

search

String

Looks for elements with the specified string.

select

String

List of selected fields.

pid

Number

Filters by process pid.

state

String

Filters by process state.

ppid

Number

Filters by process parent pid.

egroup

String

Filters by process egroup.

euser

String

Filters by process euser.

fgroup

String

Filters by process fgroup.

name

String

Filters by process name.

nlwp

Number

Filters by process nlwp.

pgrp

Number

Filters by process pgrp.

priority

Number

Filters by process priority.

rgroup

String

Filters by process rgroup.

ruser

String

Filters by process ruser.

sgroup

String

Filters by process sgroup.

suser

String

Filters by process suser.

Example Request:

curl -u foo:bar -X GET "http://localhost:55000/syscollector/000/processes?pretty&limit=2&offset=10&sort=-name"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 118,
      "items": [
         {
            "tty": 0,
            "rgroup": "root",
            "sgroup": "root",
            "scan": {
               "id": 422134722,
               "time": "2018/10/11 13:58:09"
            },
            "resident": 0,
            "pid": "13",
            "session": 0,
            "size": 0,
            "egroup": "root",
            "tgid": 13,
            "priority": 20,
            "fgroup": "root",
            "state": "S",
            "ppid": 2,
            "nice": 0,
            "euser": "root",
            "share": 0,
            "start_time": 0,
            "stime": 0,
            "vm_size": 0,
            "utime": 0,
            "nlwp": 1,
            "name": "cpuhp/1",
            "pgrp": 0,
            "ruser": "root",
            "suser": "root",
            "processor": 1
         },
         {
            "tty": 0,
            "rgroup": "root",
            "sgroup": "root",
            "scan": {
               "id": 422134722,
               "time": "2018/10/11 13:58:09"
            },
            "resident": 794,
            "pid": "928",
            "session": 928,
            "size": 7507,
            "egroup": "root",
            "pgrp": 928,
            "argvs": "-f",
            "priority": 20,
            "fgroup": "root",
            "state": "S",
            "ppid": 1,
            "nice": 0,
            "euser": "root",
            "share": 723,
            "start_time": 1112,
            "stime": 0,
            "vm_size": 30028,
            "utime": 1,
            "nlwp": 1,
            "name": "cron",
            "cmd": "/usr/sbin/cron",
            "tgid": 928,
            "ruser": "root",
            "suser": "root",
            "processor": 0
         }
      ]
   }
}