Wazuh Docs
      Warning: This is the documentation for Wazuh 3.9. Check out the docs for the latest version of Wazuh!

      Development

      This section contains technical documentation for developers.

      Contents

      • Client keys file
        • Location
        • File format
      • Standard OSSEC message format
        • Input logs
        • Standard OSSEC event
        • Secure message format
      • Makefile options
        • Compiling the source code
        • Makefile reference
      © 2021 · Wazuh Inc.