This is the documentation for Wazuh 3.9.

wodle name="osquery"

XML section name

<wodle name="osquery">
</wodle>

Configuration options of the osquery wodle.

Warning

Osquery is not installed by default. It is open-source software that you have to obtain separately in order to use this module.

Options

Option        Allowed values
disabled      yes, no
run_daemon    yes, no
bin_path      Any valid path
log_path      Any valid path
config_path   Any valid path
add_labels    yes, no
pack          Any available pack

disabled

Disable the osquery wodle.

Default value: no
Allowed values: yes, no

run_daemon

Makes the module run osqueryd as a subprocess, or lets the module only monitor the results log without running Osquery itself.

Default value: yes
Allowed values: yes, no

bin_path

Full path to the folder that contains the osqueryd executable.

Default value on Linux: Empty
Default value on Windows: C:\ProgramData\osquery\osqueryd
Allowed values: Any valid path

log_path

Full path to the results log written by Osquery.

Default value on Linux: /var/log/osquery/osqueryd.results.log
Default value on Windows: C:\ProgramData\osquery\log\osqueryd.results.log
Allowed values: Any valid path

config_path

Path to the Osquery configuration file. This path can be relative to the folder where the Wazuh agent is running.

Default value on Linux: /etc/osquery/osquery.conf
Default value on Windows: C:\ProgramData\osquery\osquery.conf
Allowed values: Any valid path

add_labels

Add the agent labels defined as decorators.

Default value: yes
Allowed values: yes, no

pack

Add a query pack to the configuration. This option can be defined multiple times, once per pack.

Default value: Empty
Allowed values: Path to pack configuration file

Attributes:

name: Name for this pack
Allowed values: Any

Example of configuration

<wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>/usr/bin</bin_path>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>no</add_labels>
    <pack name="custom_pack">/path/to/custom_pack.conf</pack>
</wodle>
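The following is an added example, not code from the Wazuh project: a small Python checker that reads a `<wodle name="osquery">` block, validates every option against the allowed values listed above, applies the documented Linux defaults for anything left out, and collects the packs (which may appear more than once) as (name, path) pairs. It also shows how a relative `config_path` would be joined to the agent's working folder; the agent folder passed in is an assumption supplied by the caller, and the checker only validates the XML, it does not confirm that the files exist on disk.

```python
"""Validate and resolve a Wazuh 3.9 osquery wodle configuration block.

Added example (not Wazuh's own code). It checks the options against the
allowed values documented for the wodle and fills in the Linux defaults.
"""
import os
import xml.etree.ElementTree as ET

# Documented Linux defaults for the osquery wodle options.
LINUX_DEFAULTS = {
    "disabled": "no",
    "run_daemon": "yes",
    "bin_path": "",
    "log_path": "/var/log/osquery/osqueryd.results.log",
    "config_path": "/etc/osquery/osquery.conf",
    "add_labels": "yes",
}
YES_NO_OPTIONS = {"disabled", "run_daemon", "add_labels"}
PATH_OPTIONS = {"bin_path", "log_path", "config_path"}


def _text(elem):
    """Element text with surrounding whitespace removed ('' when empty)."""
    return (elem.text or "").strip()


def parse_osquery_wodle(xml_text, defaults=LINUX_DEFAULTS):
    """Return (config, errors) for the osquery wodle found in xml_text.

    config maps each option to its effective value (defaults applied) and
    holds the packs under "packs" as (name, path) tuples. errors lists every
    violation of the documented allowed values; an empty list means valid.
    """
    root = ET.fromstring(xml_text)
    if root.tag == "wodle" and root.get("name") == "osquery":
        wodle = root
    else:
        wodle = root.find("wodle[@name='osquery']")
    if wodle is None:
        return None, ['no <wodle name="osquery"> section found']

    config = dict(defaults)   # copy so the module-level defaults stay intact
    config["packs"] = []
    errors = []
    for child in wodle:
        value = _text(child)
        if child.tag in YES_NO_OPTIONS:
            if value not in ("yes", "no"):
                errors.append(f"<{child.tag}> must be yes or no, got {value!r}")
            else:
                config[child.tag] = value
        elif child.tag in PATH_OPTIONS:
            if not value:
                errors.append(f"<{child.tag}> must contain a path")
            else:
                config[child.tag] = value
        elif child.tag == "pack":
            # The name attribute is required; the element text is the pack file.
            name = child.get("name")
            if not name:
                errors.append("<pack> is missing its name attribute")
            elif not value:
                errors.append(f"<pack name={name!r}> must contain a path")
            else:
                config["packs"].append((name, value))
        else:
            errors.append(f"unknown option <{child.tag}>")
    return config, errors


def resolve_config_path(config_path, agent_dir):
    """Join a relative config_path to the agent's working folder.

    agent_dir is an assumption supplied by the caller; absolute paths are
    returned unchanged.
    """
    if os.path.isabs(config_path):
        return config_path
    return os.path.normpath(os.path.join(agent_dir, config_path))


# Constructed sample: the documented example block inside an ossec_config root.
SAMPLE_CONFIG = """
<ossec_config>
  <wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>/usr/bin</bin_path>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>no</add_labels>
    <pack name="custom_pack">/path/to/custom_pack.conf</pack>
  </wodle>
</ossec_config>
"""

if __name__ == "__main__":
    cfg, errs = parse_osquery_wodle(SAMPLE_CONFIG)
    for key, val in cfg.items():
        print(f"{key}: {val}")
    print("errors:", errs or "none")
```

Running the script prints the effective configuration for the documented example with no errors; feeding it a block with `<run_daemon>maybe</run_daemon>` or a `<pack>` without a `name` attribute reports each violation separately, which is the check worth running before deploying a new agent configuration.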