Development
This section contains technical documentation for developers.
Contents
Client keys file
    Location
    File format
Standard OSSEC message format
    Input logs
    Standard OSSEC event
    Secure message format
Makefile options
    Compiling the source code
    Makefile reference
Wazuh cluster
    Introduction
    Architecture overview
    Code structure
    Troubleshooting
Wazuh packages generation guide
    AIX
    Debian
    HPUX
    Wazuh Kibana plugin
    macOS
    RPM
    Solaris
    Splunk App
    Virtual machine
    Windows
    WPK
Wazuh-Logtest
    Sessions
SELinux Wazuh context
    Create Wazuh context
    Create custom SELinux module
    Troubleshooting