The wazuh-modulesd program manages the Wazuh modules described below.

Database wodle

The Wazuh core uses list-based databases to store information related to agent keys, and FIM/Rootcheck event data. This information is highly optimized to be handled by the core.

In order to provide well-structured data that can be accessed by the user or the Wazuh API, new SQLite-based databases have been introduced in the Wazuh manager. The Database Synchronization Module is a user-transparent component that collects the following information from the core:

  • Agent information: name, address, encryption key, last connection time, operating system, version and shared configuration hash.

  • FIM data: creation, modification and deletion of regular files and Windows registry entries.

  • Rootcheck detected defects: issue message, first detection date and last alert time.

  • Static core settings: maximum permitted agents or SSL being enabled for Authd.

CIS-CAT wodle

The CIS-CAT wodle allows you to run CIS policy scans visualizing the results of assessments in the Wazuh App. See the CIS-CAT integration for more information on this functionality.

Command wodle

The Command module allows running external commands asynchronously, one in each thread.

Syscollector wodle

The Syscollector module performs periodic scans in the system to obtain information related to the installed hardware, operating system information, network information, installed packages, active ports, and running processes.

AWS S3 wodle

The AWS S3 wodle allows you to gather and parse logs from multiple AWS services, such as Guard Duty, Macie, VPC Flow, etc. See the AWS S3 section for more information on this functionality.

Vulnerability detector wodle

The Vulnerability Detector module detects applications that are known to be vulnerable (affected by a CVE).

Osquery wodle

The Osquery wodle provides the user an operating system instrumentation tool that makes low-level operating system analytics and monitoring both efficient and intuitive using SQL-based queries. For more information, read through the documentation for osquery integration.

Key polling wodle

The key polling wodle allows you to fetch a client key from an external source, for example, a database. This provides a mechanism to auto-register agents when they are not registered on a manager instance but reporting to it.

SCA module

The SCA module allows users to check the system configuration against policy files to determine vulnerabilities and misconfigurations.

wazuh-modulesd options


Basic debug mode.


Verbose debug mode.


Run in the foreground.


Display the help message.


Test configuration.