Docs
Docs
Product
Blog
Cloud
Services
Community
Contact us
Getting started
Components
Wazuh agent
Wazuh server
Elastic Stack
Architecture
Use cases
Log data analysis
File integrity monitoring
Rootkits detection
Active response
Configuration assessment
System inventory
Vulnerability detection
Cloud security monitoring
Containers security monitoring
Regulatory compliance
Installation guide
Requirements
Wazuh server
All-in-one deployment
Unattended installation
Step-by-step installation
Distributed deployment
Unattended installation
Elasticsearch & Kibana unattended installation
Wazuh server unattended installation
Step-by-step installation
Elasticsearch cluster
Wazuh cluster
Kibana
Wazuh agent
AIX
HP-UX
Linux
macOS
Solaris
Windows
Deployment variables
Deployment variables for AIX
Deployment variables for Linux
Deployment variables for Linux using apt repository
Deployment variables for Linux using dnf repository
Deployment variables for Linux using yum repository
Deployment variables for Linux using zypper repository
Deployment variables for macOS
Deployment variables for Windows
Packages list
More installation alternatives
Wazuh with Elastic Stack basic license
All-in-one deployment
Unattended installation
Step-by-step installation
Distributed deployment
Unattended installation
Step-by-step installation
Wazuh with Splunk
Wazuh installation from sources
Installing Wazuh server from sources
Installing Wazuh agent from sources
Upgrade guide
Upgrading the Wazuh manager
Upgrade Elasticsearch, Filebeat and Kibana
Upgrading Open Distro for Elasticsearch
Upgrading Elastic Stack basic license
Upgrading the Wazuh agent
Upgrading from a legacy version
Upgrading the Wazuh server
Upgrading the Wazuh server from 2.x to 3.x
Restore the Wazuh alerts from Wazuh 2.x
Upgrading the Wazuh server from 1.x to 2.x
Upgrading Elastic Stack
Upgrading Elastic Stack from 6.8 to 7.x
Upgrading Elastic Stack from 6.x to 6.8
Upgrading Elastic Stack from 2.x to 5.x
Upgrading the Wazuh agent
Upgrading the Wazuh agent from 2.x to 3.x
Upgrading the Wazuh agent from 1.x to 2.x
Compatibility matrix
User manual
Overview
Wazuh server administration
Remote service
Defining an alert level threshold
Integration with external APIs
Configuring syslog output
Configuring database output
Generating automatic reports
Configuring email alerts
SMTP server with authentication
Certificates deployment
Registering Wazuh agents
Registering the Wazuh agents using the command line (CLI)
Registering the Wazuh agents using the Wazuh API
Registration service with password authorization
Registration service with host verification
Registering Wazuh agents - additional information
Registering Wazuh agents - Troubleshooting
Agent management
Agent life cycle
Listing agents
Listing agents using the CLI
Listing agents using the Wazuh API
Listing agents using the Wazuh app
Removing agents
Remove agents using the CLI
Remove agents using the Wazuh API
Checking connection with Manager
Grouping agents
Remote upgrading
Upgrading agent
Agent upgrade module
Adding a custom repository
Custom WPK packages creation
WPK
Generate WPK packages manually
Installing a custom WPK package
WPK List
Deploying a Wazuh cluster
Basics
Agents connections
Cluster management
Capabilities
Log data collection
How it works
How to collect Windows logs
Configuration
FAQ
File integrity monitoring
How it works
Configuration
Auditing who-data
Auditing who-data in Linux
Auditing who-data in Windows
Manual configuration of the Local Audit Policies in Windows
Anomaly and malware detection
How it works
Configuration
FAQ
Security Configuration Assessment
What is SCA
How SCA works
How to configure SCA
Creating custom SCA policies
Use case: Getting an alert when a check changes its result value
Monitoring security policies
Rootcheck
How it works
Configuration
FAQ
OpenSCAP
How it works
Configuration
FAQ
CIS-CAT integration
Monitoring system calls
How it works
Configuration
Command monitoring
How it works
Configuration
FAQ
Active response
How it works
Configuration
FAQ
Agentless monitoring
How it works
Configuration
FAQ
Anti-flooding mechanism
Agent labels
System inventory
Vulnerability detection
How it works
Compatibility matrix
Running a vulnerability scan
Offline Update
Scan vulnerabilities on unsupported systems
CPE Helper
VirusTotal integration
About VirusTotal
How it works
Osquery
Agent key polling
Fluentd forwarder
Wazuh-Logtest
How it works
Configuration
FAQ
Ruleset
Getting started
Update ruleset
JSON decoder
Custom rules and decoders
Dynamic fields
Ruleset XML syntax
Decoders Syntax
Rules Syntax
Regular Expression Syntax
Perl-compatible Regular Expressions
Sibling Decoders
Testing decoders and rules
Using CDB lists
Enhancing with MITRE
Contribute to the ruleset
Rules classification
RESTful API
Getting started
Configuration
Securing the Wazuh API
Migrating from the Wazuh API 3.X
Role-Based Access Control
How it works
Configuration
Authorization Context
RBAC Reference
Filtering data using queries
Examples
Reference
Wazuh Kibana plugin
Setting up the Wazuh Kibana plugin
Wazuh Kibana plugin features
App overview
Ruleset
Settings
Dev tools
Reporting
Index pattern selector
Download as CSV
Query configuration
Troubleshooting
Reference
Configuration file
Elasticsearch indices
Configure the name of Elasticsearch indices
Create a custom dashboard
Reference
Local configuration (ossec.conf)
active-response
agentless
agent-upgrade
alerts
auth
client
client_buffer
cluster
command
database_output
email_alerts
global
integration
labels
localfile
logging
remote
reports
rootcheck
sca
rule_test
ruleset
socket
syscheck
syslog_output
task-manager
fluent-forward
gcp-pubsub
wodle name=”open-scap”
wodle name=”command”
wodle name=”cis-cat”
wodle name=”aws-s3”
wodle name=”syscollector”
vulnerability-detector
wodle name=”osquery”
wodle name=”docker-listener”
wodle name=”azure-logs”
wodle name=”agent-key-polling”
Verifying configuration
Centralized configuration (agent.conf)
Internal configuration
Daemons
ossec-agentd
ossec-agentlessd
ossec-analysisd
ossec-authd
ossec-csyslogd
ossec-dbd
ossec-execd
ossec-logcollector
ossec-maild
ossec-monitord
ossec-remoted
ossec-reportd
ossec-syscheckd
wazuh-clusterd
wazuh-modulesd
wazuh-db
Tables available for wazuh-db
ossec-integratord
Tools
agent-auth
agent_control
manage_agents
ossec-control
ossec-logtest
wazuh-logtest
ossec-makelists
rootcheck_control
syscheck_control
syscheck_update
clear_stats
ossec-regex
update_ruleset
util.sh
verify-agent-conf
agent_groups
agent_upgrade
cluster_control
fim_migrate
Unattended Installation
Statistics files
ossec-agentd.state
ossec-remoted.state
ossec-analysisd.state
Elasticsearch tuning
Uninstalling the Wazuh components
Uninstalling Wazuh with Open Distro for Elasticsearch
Uninstalling Wazuh with Elastic Stack
Development
Client keys file
Standard OSSEC message format
Makefile options
Wazuh Cluster
Wazuh packages generation guide
AIX
Debian
HPUX
Wazuh Kibana plugin
macOS
RPM
Solaris
Splunk App
Virtual machine
Windows
WPK
Wazuh-Logtest
Containers
Docker
Docker installation
Wazuh Docker deployment
Wazuh Docker utilities
Upgrade Guide (3.x to 4.0)
FAQ
Deploying with Kubernetes
Kubernetes configuration
Upgrade Wazuh installed in Kubernetes
Clean Up
Deployment on local environment
Deployment
Deploying with Puppet
Set up Puppet
Installing Puppet master
Installing Puppet agent
PuppetDB installation (Optional)
Setting up Puppet certificates
Wazuh Puppet module
Wazuh agent class
Wazuh manager class
Deploying with Ansible
Installation Guide
Install Ansible
Install Wazuh Manager
Install Elastic Stack Server
Install Wazuh Agent
Remote Hosts Connection
Roles
Wazuh Manager
Filebeat
Elasticsearch
Kibana
Wazuh Agent
Variables references
Virtual Machine (OVA)
Compliance
Using Wazuh for PCI DSS
Log analysis
Policy monitoring
Rootkit detection
File integrity monitoring
Active response
Elastic Stack
Using Wazuh for GDPR
GDPR II, Principles <gdpr_II>
GDPR III, Rights of the data subject <gdpr_III>
GDPR IV, Controller and processor <gdpr_IV>
Monitoring with Wazuh
Using Wazuh to monitor AWS
Monitoring AWS instances
Monitoring AWS based services
Prerequisites
Configuring an S3 Bucket
Configuring AWS credentials
Installing dependencies
Considerations for configuration
Supported services
AWS CloudTrail
Amazon VPC
AWS Config
Amazon ALB
Amazon CLB
Amazon NLB
AWS Key Management Service
Amazon Macie
AWS Trusted Advisor
Amazon GuardDuty
Amazon WAF
Amazon Inspector
AWS CloudWatch Logs
Cisco Umbrella
Troubleshooting
Using Wazuh to monitor Microsoft Azure
Monitoring Instances
Monitoring Activity
Monitoring Services
Using Wazuh to monitor Docker
Monitoring Docker server
Monitoring containers activity
Using Wazuh to monitor GCP services
Prerequisites
Installing dependencies
Configuring GCP credentials
Configuring Google Cloud Pub/Sub
Considerations for configuration
Configuration
Supported services
Migrating from OSSEC
Migrating OSSEC server
Migrating OSSEC agent
Learning Wazuh
Prepare your Wazuh Lab Environment
Build the Wazuh Lab VPC
Launch the EC2 instances
Establish access to your EC2 instances
Install Wazuh server Components
Install the Elastic Stack
Configure X-Pack Security
Install the Linux Wazuh agents
Install the Windows Wazuh agent
Detect an SSH brute-force attack
Detect an RDP brute force attack
Expose hiding processes
Detect filesystem changes
Change the rules
Survive a log flood
Detect and react to a Shellshock attack
Keep watch for malicious command execution
Catch suspicious network traffic
Track down vulnerable applications
Release notes
4.1.1 Release notes
4.1.0 Release notes
4.0.4 Release notes
4.0.3 Release notes
4.0.2 Release notes
4.0.1 Release notes
4.0.0 Release notes
3.13.2 Release notes
3.13.1 Release notes
3.13.0 Release notes
3.12.3 Release notes
3.12.2 Release notes
3.12.1 Release notes
3.12.0 Release notes
3.11.4 Release notes
3.11.3 Release notes
3.11.2 Release notes
3.11.1 Release notes
3.11.0 Release notes
3.10.2 Release notes
3.10.1 Release notes
3.10.0 Release notes
3.9.5 Release notes
3.9.4 Release notes
3.9.3 Release notes
3.9.2 Release notes
3.9.1 Release notes
3.9.0 Release notes
3.8.2 Release notes
3.8.1 Release notes
3.8.0 Release notes
3.7.2 Release notes
3.7.1 Release notes
3.7.0 Release notes
3.6.1 Release notes
3.6.0 Release notes
3.5.0 Release notes
3.4.0 Release notes
3.3.1 Release notes
3.3.0 Release notes
3.2.4 Release notes
3.2.3 Release notes
3.2.2 Release notes
3.2.1 Release notes
3.2.0 Release notes
3.1.0 Release notes
3.0.0 Release notes
2.1 Release notes
Edit on GitHub
Documentation
Development
Development
¶
This section contains technical documentation for developers.
Contents
Client keys file
Location
File format
Standard OSSEC message format
Input logs
Standard OSSEC event
Secure message format
Makefile options
Compiling the source code
Makefile reference
Wazuh Cluster
Introduction
Architecture Overview
Code structure
Troubleshooting
Wazuh packages generation guide
AIX
Debian
HPUX
Wazuh Kibana plugin
macOS
RPM
Solaris
Splunk App
Virtual machine
Windows
WPK
Wazuh-Logtest
Sessions
Uninstalling Wazuh with Elastic Stack
Client keys file
