FAQ

  1. How can I collect logs via syslog using agentless?

  2. If I add an agentless device will it show as an agent?

  3. Is it possible to monitor the output of a command on a remote device?

  4. Can I monitor directories on a remote system?

  5. How can I remove the Agentless monitoring configuration?

How can I collect logs via syslog using agentless?

The agentless capability lets you monitor devices or systems that have no agent installed by running commands on them over SSH. Wazuh includes several built-in commands that detect any output, detect differences between outputs, and verify the integrity of files on the agentless device.

To collect logs, configure your device to forward them using syslog and configure Wazuh to receive them using remote syslog.

If I add an agentless device will it show as an agent?

Agentless devices do not appear as individual agents. Their logs are registered with the manager's agent name and ID 000. Agentless devices don't affect the total agent count.

You can filter agentless logs by searching for location:agentless, and each specific host can be identified by the agentless.host field.

Is it possible to monitor the output of a command on a remote device?

Yes, using the ssh_generic_diff option.

Can I monitor directories on a remote system?

Yes, using either the ssh_integrity_check_bsd or ssh_integrity_check_linux options.
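The two answers above and the remote syslog listener from the first answer, shown as manager-side ossec.conf blocks. This is an added example, not taken from the original page: the host names, addresses, frequencies, commands and directories are constructed placeholders.

```xml
<ossec_config>

  <!-- Q1: receive syslog forwarded by the device.
       allowed-ips restricts which senders the manager accepts;
       192.0.2.0/24 is a placeholder documentation range. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>

  <!-- Q3: run commands over SSH and alert when their output changes.
       periodic_diff compares each run with the previous one.
       frequency is in seconds; host and commands are placeholders. -->
  <agentless>
    <type>ssh_generic_diff</type>
    <frequency>3600</frequency>
    <host>monitor@192.0.2.10</host>
    <state>periodic_diff</state>
    <arguments>ls -la /etc; cat /etc/passwd</arguments>
  </agentless>

  <!-- Q4: integrity-check directories on a remote Linux host.
       Use ssh_integrity_check_bsd for BSD systems.
       arguments is a space-separated list of directories. -->
  <agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>36000</frequency>
    <host>monitor@192.0.2.11</host>
    <state>periodic</state>
    <arguments>/bin /etc /sbin</arguments>
  </agentless>

</ossec_config>
```

Alerts from both agentless blocks arrive under location:agentless, with the placeholder hosts distinguishable by the agentless.host field.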

How can I remove the Agentless monitoring configuration?

To remove your agentless configuration and passwords you have to perform the following steps:

  1. Remove the agentless configuration from your ossec.conf file.

  2. Remove the file .passlist located at /var/ossec/agentless/.passlist.

  3. Restart your Wazuh manager to apply the changes.