Ruleset XML syntax
This section describes in detail the syntax of the rules and decoders and how each part of it works.
Decoders Syntax
Rules Syntax
Regular Expression Syntax
Perl-compatible Regular Expressions