This is the documentation for Wazuh 3.9. Check out the
docs for the latest version of Wazuh
!
Docs
Docs
Product
Blog
Cloud
Services
Community
Contact us
Getting started
Components
Architecture
Use cases
Installation guide
Installing Wazuh server
Amazon Linux
Amazon Linux from packages
Amazon Linux from sources
CentOS
CentOS from packages
CentOS from sources
Debian
Debian from packages
Debian from sources
Fedora
Fedora from packages
Fedora from sources
OpenSUSE
OpenSUSE from packages
OpenSUSE from sources
Oracle Linux
Oracle Linux from packages
Oracle Linux from sources
Red Hat Enterprise Linux
Red Hat Enterprise Linux from packages
Red Hat Enterprise Linux from sources
SUSE
SUSE from packages
SUSE from sources
Ubuntu
Ubuntu from packages
Ubuntu from sources
Installing Elastic Stack
Install Elastic Stack with RPM packages
Install Elastic Stack with Debian packages
Protect your data in the Elastic Stack
X-Pack
Search Guard
NGINX SSL and authentication for Kibana
Transform your data with Logstash
Elasticsearch tuning
Insert a Wazuh API entry automatically
Configure Elasticsearch cluster
Installing Wazuh agent
AIX
AIX from package
HP-UX
HP-UX from package
Linux
Amazon Linux
Amazon Linux from package
Amazon Linux from sources
CentOS 5
CentOS 5 from package
CentOS 6 or greater
CentOS 6 or greater from package
CentOS 6 or greater from sources
Debian
Debian from package
Debian from sources
Fedora
Fedora from package
Fedora from sources
OpenSUSE
OpenSUSE from package
OpenSUSE from sources
Oracle Linux 5
Oracle Linux 5 from package
Oracle Linux 6 or greater
Oracle Linux 6 or greater from package
Oracle Linux 6 or greater from sources
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 5 from package
Red Hat Enterprise Linux 6 or greater
Red Hat Enterprise Linux 6 or greater from package
Red Hat Enterprise Linux 6 or greater from sources
SUSE 11
SUSE 11 from package
SUSE 11 from sources
SUSE 12
SUSE 12 from package
SUSE 12 from sources
Ubuntu
Ubuntu from package
Ubuntu from sources
macOS
macOS from package
macOS from sources
Solaris
Solaris 10
Solaris 10 from package
Solaris 10 from sources
Solaris 11
Solaris 11 from package
Solaris 11 from sources
Windows
Windows from package
Windows from sources
Deployment variables
Deployment variables for AIX
Deployment variables for Linux
Deployment variables for Linux using apt repository
Deployment variables for Linux using dnf repository
Deployment variables for Linux using yum repository
Deployment variables for Linux using zypper repository
Deployment variables for macOS
Deployment variables for Windows
Installing Splunk
Install Splunk in single-instance mode
Installing & Configuring Splunk Cluster
Install Wazuh app for Splunk
Install and configure Splunk Forwarder
Setting up reverse proxy configuration for Splunk
Customize agents status indexation
Virtual Machine
Packages List
Compatibility matrix
Securing the Wazuh API
Upgrade guide
Upgrading Wazuh
Upgrading from a legacy version
Upgrading Wazuh server
Upgrading Elastic Stack server
Upgrading Wazuh agents
Upgrade from the same minor or major version
Upgrade from different major version
Upgrade from the same major version (3.x)
Restore Wazuh alerts from Wazuh 2.x
Upgrading Elastic Stack
Upgrading Elastic Stack from 7.x to 7.y
Upgrading Elastic Stack from 6.8 to 7.x
Upgrading Elastic Stack from 6.x to 6.8
User manual
Overview
Wazuh server administration
Remote service
Defining an alert level threshold
Integration with external APIs
Configuring syslog output
Configuring database output
Generating automatic reports
Configuring email alerts
SMTP server with authentication
Configuring a cluster
Registering agents
The registration process
Registering agents using the command line (CLI)
Using the CLI in Linux hosts
Using the CLI in Windows hosts
Using the CLI in MacOS X hosts
Using the CLI in Unix hosts
Using the simple registration service
Linux and Unix agents
Windows agents
MacOS X agents
Using the registration service with password authorization
Linux and Unix agents
Windows agents
MacOS X agents
Registration service with host verification
Manager verification using SSL
Linux and Unix agents
Windows agents
MacOS X agents
Agent verification using SSL
Linux and Unix agents
Windows agents
MacOS X agents
Using the Wazuh API
Linux and UNIX hosts
Windows hosts
MacOS X hosts
Agent management
Agent life cycle
Listing agents
Listing agents using the CLI
Listing agents using the Wazuh API
Listing agents using the Wazuh app
Removing agents
Remove agents using the CLI
Remove agents using the Wazuh API
Checking connection with Manager
Grouping agents
Remote upgrading
Upgrading agent
Adding a custom repository
Custom WPK packages creation
Manual custom WPK packages creation
Automated custom WPK packages creation
Installing a custom WPK package
WPK List
Capabilities
Log data collection
How it works
How to collect Windows logs
Configuration
FAQ
File integrity monitoring
How it works
Configuration
FAQ
Auditing who-data
Auditing who-data in Linux
Auditing who-data in Windows
Manual configuration of the Local Audit Policies in Windows
Anomaly and malware detection
How it works
Configuration
FAQ
Security Configuration Assessment
Security Configuration Assessment
How it works
Use case: Getting an alert when a check changes its result value
Monitoring security policies
Rootcheck
How it works
Configuration
FAQ
OpenSCAP
How it works
Configuration
FAQ
CIS-CAT integration
Monitoring system calls
How it works
Configuration
Command monitoring
How it works
Configuration
FAQ
Active response
How it works
Configuration
FAQ
Agentless monitoring
How it works
Configuration
FAQ
Anti-flooding mechanism
Agent labels
System inventory
Vulnerability detection
VirusTotal integration
About VirusTotal
How it works
Osquery
Agent key polling
Fluentd forwarder
Ruleset
Getting started
Update ruleset
JSON decoder
Custom rules and decoders
Dynamic fields
Ruleset XML syntax
Decoders Syntax
Rules Syntax
Regular Expression Syntax
Testing decoders and rules
Using CDB lists
Contribute to the ruleset
Rules classification
RESTful API
Getting started
Filtering data using queries
Configuration
Reference
Examples
Kibana app
Setting up the app
App features
App overview
Ruleset
Settings
Dev tools
Reporting
Index pattern selector
Download as CSV
Query configuration
Troubleshooting
Reference
Configuration file
Elasticsearch indices
Configure the name of Elasticsearch indices
Create a custom dashboard
Reference
Local configuration (ossec.conf)
active-response
agentless
alerts
auth
client
client_buffer
cluster
command
database_output
email_alerts
global
integration
labels
localfile
logging
remote
reports
rootcheck
sca
ruleset
socket
syscheck
syslog_output
fluent-forward
wodle name=”open-scap”
wodle name=”command”
wodle name=”cis-cat”
wodle name=”aws-s3”
wodle name=”syscollector”
wodle name=”vulnerability-detector”
wodle name=”osquery”
wodle name=”docker-listener”
wodle name=”azure-logs”
wodle name=”agent-key-polling”
Verifying configuration
Centralized configuration (agent.conf)
Internal configuration
Daemons
ossec-agentd
ossec-agentlessd
ossec-analysisd
ossec-authd
ossec-csyslogd
ossec-dbd
ossec-execd
ossec-logcollector
ossec-maild
ossec-monitord
ossec-remoted
ossec-reportd
ossec-syscheckd
wazuh-clusterd
wazuh-modulesd
wazuh-db
Tables available for wazuh-db
ossec-integratord
Tools
agent-auth
agent_control
manage_agents
ossec-control
ossec-logtest
ossec-makelists
rootcheck_control
syscheck_control
syscheck_update
clear_stats
ossec-regex
update_ruleset
util.sh
verify-agent-conf
agent_groups
agent_upgrade
cluster_control
fim_migrate
Unattended Installation
Statistics files
ossec-agentd.state
ossec-remoted.state
ossec-analysisd.state
Development
Client keys file
Standard OSSEC message format
Makefile options
Containers
Docker
Docker installation
Wazuh Docker deployment
Wazuh Docker utilities
FAQ
Deploying with Kubernetes
Kubernetes configuration
Upgrade Wazuh installed in Kubernetes
Clean Up
Deployment
Deploying with Puppet
Set up Puppet
Installing Puppet master
Installing Puppet agent
PuppetDB installation (Optional)
Setting up Puppet certificates
Wazuh Puppet module
Scan paths configuration
Wazuh agent class
Wazuh server class
Deploying with Ansible
Installation Guide
Install Ansible
Install Wazuh Manager
Install Elastic Stack Server
Install Wazuh Agent
Remote Hosts Connection
Roles
Wazuh Manager
Filebeat
Elasticsearch
Kibana
Wazuh Agent
Variables references
Compliance
Using Wazuh for PCI DSS
Log analysis
Policy monitoring
Rootkit detection
File integrity monitoring
Active response
Elastic Stack
Using Wazuh for GDPR
GDPR II, Principles <gdpr_II>
GDPR III, Rights of the data subject <gdpr_III>
GDPR IV, Controller and processor <gdpr_IV>
Monitoring with Wazuh
Using Wazuh to monitor AWS
Monitoring AWS instances
Monitoring AWS services
AWS S3 Bucket
AWS CloudTrail
AWS Config
Amazon VPC
Amazon GuardDuty
Amazon Macie
AWS Key Management Service
Amazon Inspector
AWS Trusted Advisor
Module configurations
Installing dependencies
Configuring AWS credentials
Considerations for configuration
Troubleshooting
Using Wazuh to Monitor Microsoft Azure
Monitoring Instances
Monitoring Activity
Monitoring Services
Using Wazuh to Monitor Docker
Monitoring Docker server
Monitoring containers activity
Migrating from OSSEC
Migrating OSSEC server
Migrating OSSEC agent
Release notes
3.9.5 Release notes
3.9.4 Release notes
3.9.3 Release notes
3.9.2 Release notes
3.9.1 Release notes
3.9.0 Release notes
3.8.2 Release notes
3.8.1 Release notes
3.8.0 Release notes
3.7.2 Release notes
3.7.1 Release notes
3.7.0 Release notes
3.6.1 Release notes
3.6.0 Release notes
3.5.0 Release notes
3.4.0 Release notes
3.3.1 Release notes
3.3.0 Release notes
3.2.4 Release notes
3.2.3 Release notes
3.2.2 Release notes
3.2.1 Release notes
3.2.0 Release notes
3.1.0 Release notes
3.0.0 Release notes
2.1 Release notes
Edit on GitHub
Documentation
Development
Development
¶
This section contains technical documentation for developers.
Contents
Client keys file
Location
File format
Standard OSSEC message format
Input logs
Standard OSSEC event
Secure message format
Makefile options
Compiling the source code
Makefile reference
ossec-analysisd.state
Client keys file
