The agent_control program allows you to query the manager for information about any agent and also allows you to initiate a syscheck/rootcheck scan on an agent the next time it checks in.
With this tool you can check the status of each available agent, which can be any of the following:
- Active: The agent is correctly connected to the manager.
- Pending: The agent is waiting for a response from the manager.
- Disconnected: The agent is not connected to the manager.
- Never connected: The agent has never connected to the manager.

| Option | Description |
|---|---|
| `-h` | Display the help message. |
| `-l` | List available agents whether they are active or not. |
| `-lc` | List only the currently connected agents. |
| `-ln` | List only the currently disconnected agents. |
| `-i <agent_id>` | Extract information from an agent. |
| `-R <agent_id>` | Restart the Wazuh processes on the agent. |
| `-r` | Run the integrity/rootcheck checking on agents. This must be used in conjunction with options `-a` or `-u`. |
| `-a` | Perform the requested action on all agents. |
| `-u <agent_id>` | Perform the requested action on the specified agent. |

agent_control options for Active Response

| Option | Description |
|---|---|
| `-b <IP>` | Blocks the specified IP address. |
| `-f <ar>` | Used with `-b`, specifies which response to run. |
| `-L` | List available active responses. |
| `-m` | Show the limit of agents that can be added. |
| `-s` | Change the output to CSV format (comma delimited). |
| `-j` | Change the output to JSON format. |
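
The status values and the `-s` CSV output described above can be combined into a simple health check that reports every agent that is not Active. This is an added example, not part of the Wazuh documentation; the column order `id,name,ip,status` and the sample rows are assumptions constructed for illustration, so confirm the layout against your own `agent_control -l -s` output.

```shell
#!/bin/sh
# Added example: report agents whose status is not Active.
# ASSUMPTION: each CSV row is id,name,ip,status (a trailing comma is tolerated).

# stale_agents: read agent CSV on stdin and print "id name status" for every
# agent that is Pending, Disconnected or Never connected.
# Exit status is 1 when at least one such agent is found, 0 otherwise,
# so the function can drive a cron job or monitoring check.
stale_agents() {
    awk -F',' '
        NF >= 4 {
            status = $4
            # Trim surrounding whitespace and any carriage return.
            gsub(/^[ \t]+|[ \t\r]+$/, "", status)
            # "Active" also covers a manager row reported as Active/Local.
            if (status !~ /^Active/) {
                print $1, $2, status
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# sample_csv: constructed sample rows (hypothetical hosts and addresses).
sample_csv() {
cat <<'EOF'
000,manager01 (server),127.0.0.1,Active/Local,
001,web01,10.0.0.11,Active,
002,db01,10.0.0.12,Disconnected,
003,build01,any,Never connected,
004,mail01,10.0.0.14,Pending,
EOF
}

# Demonstration on the constructed sample; on a manager you would run:
#   agent_control -l -s | stale_agents
sample_csv | stale_agents || true
```

A non-zero exit status means at least one agent needs attention, which makes the function usable as a scheduled check on the manager.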