Wazuh
Platform
Overview
XDR
SIEM
Cloud
Services
Professional support
Consulting services
Training courses
Partners
Become a partner
Find a partner
Blog
Company
Customers
About us
Our team
Newsroom
Search term
Search now!
Getting started
Components
Wazuh indexer
Wazuh server
Wazuh dashboard
Wazuh agent
Architecture
Use cases
Configuration assessment
Malware detection
File integrity monitoring
Threat hunting
Log data analysis
Vulnerability detection
Incident response
Regulatory compliance
IT hygiene
Container security
Posture management
Cloud workload protection
Quickstart
Installation guide
Wazuh indexer
Assisted installation
Step-by-step installation
Wazuh server
Assisted installation
Step-by-step installation
Wazuh dashboard
Assisted installation
Step-by-step installation
Wazuh agent
Linux
Windows
macOS
Solaris
AIX
HP-UX
Packages list
Uninstalling Wazuh
Uninstalling the Wazuh central components
Uninstalling the Wazuh agent
Installation alternatives
Virtual Machine (OVA)
Amazon Machine Images (AMI)
Deployment on Docker
Docker installation
Wazuh Docker deployment
Wazuh Docker utilities
Upgrading Wazuh Docker
Migrating data from Opendistro to the Wazuh indexer
FAQ
Deployment on Kubernetes
Kubernetes configuration
Deployment
Upgrade Wazuh installed in Kubernetes
Clean Up
Offline installation
Installation from sources
Installing the Wazuh manager from sources
Installing the Wazuh agent from sources
Deployment with Ansible
Installation Guide
Install Ansible
Install Wazuh indexer and dashboard
Install Wazuh manager
Install a Wazuh cluster
Install Wazuh Agent
Remote endpoints connection
Roles
Wazuh indexer
Wazuh dashboard
Filebeat
Wazuh Manager
Wazuh Agent
Variables references
Deployment with Puppet
Set up Puppet
Installing Puppet master
Installing Puppet agent
Setting up Puppet certificates
Wazuh Puppet module
Wazuh manager class
Wazuh agent class
User manual
Wazuh server
Alert threshold
Wazuh archives
Integration with third-party APIs
Configuring Syslog output
Configuring database output
Configuring email alerts
SMTP server with authentication
Wazuh server cluster
Basics
Agents connections
Cluster management
Remote service
Certificates deployment
Wazuh indexer
Wazuh indexer indices
Re-indexing
Index life management
Wazuh indexer tuning
Migrating Wazuh indices
Certificates deployment
Wazuh dashboard
Creating custom dashboards
Filtering data using the Wazuh Query Language
Enabling multi-tenancy
Configuring third-party SSL certificates
Configuring SSL certificates directly on the Wazuh dashboard
Configuring SSL certificates on the Wazuh dashboard using NGINX
Setting up custom branding
Wazuh dashboard settings
Certificates deployment
Troubleshooting
Configuration file
Wazuh agent
Agent enrollment
Enrollment methods
Enrollment via agent configuration
Linux/Unix endpoint
Windows endpoint
macOS endpoint
Enrollment via manager API
Requesting the key
Importing the key to the agent
Additional security options
Using password authentication
Manager identity verification
Agent identity verification
Troubleshooting
Agent management
Checking connection with the Wazuh manager
Listing agents
Listing agents using the CLI
Listing agents using the Wazuh API
Listing agents using the Wazuh dashboard
Grouping agents
Removing agents
Remove agents using the CLI
Remove agents using the Wazuh API
Querying the agent configuration
Remote upgrading
Upgrading agent
Agent upgrade module
Adding a custom repository
Custom WPK packages creation
WPK
Generate WPK packages manually
Installing a custom WPK package
WPK List
Agent key request
Agent labels
Anti-flooding mechanism
Agent life cycle
Deployment variables
Linux
Windows
macOS
AIX
Upscaling a Wazuh deployment
Adding a Wazuh indexer node
Adding a Wazuh server node
Ruleset
Decoders
JSON decoder
Dynamic fields
Sibling Decoders
Custom decoders
Rules
Custom rules
Ruleset XML syntax
Decoders Syntax
Rules Syntax
Regular Expression Syntax
Perl-compatible Regular Expressions
Testing decoders and rules
Using CDB lists
Enhancing detection with MITRE ATT&CK framework
Getting started
Update ruleset
Contribute to the ruleset
Rules classification
User administration
Password management
Wazuh RBAC - How to create and map internal users
Single sign-on
Setup single sign-on with administrator role
Okta
Microsoft Entra ID
PingOne
Google
Jumpcloud
OneLogin
Keycloak
Setup single sign-on with read-only role
Okta
Microsoft Entra ID
PingOne
Google
Jumpcloud
OneLogin
Keycloak
LDAP integration
Capabilities
File integrity monitoring
How it works
How to configure the FIM module
Interpreting the FIM module analysis
Basic settings
Creating custom FIM rules
Advanced settings
Use cases
Detecting malware persistence technique
Detecting account manipulation
Monitoring files at specific intervals
Reporting file changes
Monitoring configuration changes
Windows Registry monitoring
Malware detection
File integrity monitoring and threat detection rules
Rootkits behavior detection
CDB lists and threat intelligence
VirusTotal integration
File integrity monitoring and YARA
ClamAV logs collection
Windows Defender logs collection
Custom rules to detect malware IOC
Osquery
Security Configuration Assessment
How SCA works
How to configure SCA
Available SCA policies
Creating custom SCA policies
Use cases
Active response
How to configure active response
Default active response scripts
Custom active response scripts
Use cases
Blocking SSH brute-force attack with active response
Restarting the Wazuh agent with active response
Disabling a Linux user account with active response
Additional information
Log data collection
How it works
Configuration for monitoring log files
Configuring syslog on the Wazuh server
Using multiple socket outputs
Configuring log collection for different operating systems
Log data analysis
Use cases
Vulnerability detection
How it works
Scan types
Configuring and running scans
Scanning unsupported systems
Scanning Windows applications using CPE Helper
Offline Update
Querying the vulnerability database
Command monitoring
How it works
Configuration
Command output analysis
Use cases
Monitoring running processes
Disk space utilization
Check if the output changed
Detect USB Storage
Load average
Container security
Using Wazuh to monitor Docker
Use cases
System inventory
How it works
Configuration
Viewing system inventory data
Generating system inventory reports
Available inventory fields
Compatibility matrix
Using Syscollector information to trigger alerts
Monitoring system calls
How it works
Configuration
Use cases
Monitoring file and directory access
Monitoring commands run as root
Privilege abuse
Agentless monitoring
How it works
Connection
Configuration
Visualization
Use cases
Monitoring security policies
Rootcheck
How it works
Configuration
FAQ
OpenSCAP
How it works
Configuration
FAQ
CIS-CAT integration
Wazuh RESTful API
Getting started
Configuration
Securing the Wazuh API
Role-Based Access Control
How it works
Configuration
Authorization Context
RBAC Reference
Migrating from the Wazuh API 3.X
Filtering data using Wazuh Query Language (WQL)
Use cases
Reference
Reference
Local configuration (ossec.conf)
active-response
agentless
agent-upgrade
alerts
auth
client
client_buffer
cluster
command
database_output
email_alerts
global
github
integration
labels
localfile
logging
ms-graph
office365
remote
reports
rootcheck
sca
rule_test
ruleset
socket
syscheck
syslog_output
task-manager
fluent-forward
gcp-pubsub
gcp-bucket
wodle name="open-scap"
wodle name="command"
wodle name="cis-cat"
wodle name="aws-s3"
wodle name="syscollector"
vulnerability-detector
wazuh-db
wodle name="osquery"
wodle name="docker-listener"
wodle name="azure-logs"
wodle name="agent-key-polling"
Verifying configuration
Centralized configuration (agent.conf)
Internal configuration
Daemons
wazuh-agentd
wazuh-agentlessd
wazuh-analysisd
wazuh-authd
wazuh-csyslogd
wazuh-dbd
wazuh-execd
wazuh-logcollector
wazuh-maild
wazuh-monitord
wazuh-remoted
wazuh-reportd
wazuh-syscheckd
wazuh-clusterd
wazuh-modulesd
wazuh-db
Tables available for wazuh-db
wazuh-integratord
Tools
agent-auth
agent_control
manage_agents
wazuh-control
wazuh-logtest
clear_stats
wazuh-regex
rbac_control
update_ruleset
verify-agent-conf
agent_groups
agent_upgrade
cluster_control
fim_migrate
Unattended Installation
Statistics files
wazuh-agentd.state
wazuh-remoted.state
wazuh-analysisd.state
wazuh-logcollector.state
Cloud security
Using Wazuh to monitor AWS
Monitoring AWS instances
Monitoring AWS based services
Prerequisites
Configuring an S3 Bucket
Configuring AWS credentials
Installing dependencies
Considerations for configuration
Supported services
AWS CloudTrail
Amazon Virtual Private Cloud (VPC)
AWS Config
AWS Key Management Service (KMS)
Amazon Macie
AWS Trusted Advisor
Amazon GuardDuty
Amazon Web Application Firewall (WAF)
Amazon S3 Server Access
Amazon Inspector Classic
Amazon CloudWatch Logs
Amazon ECR Image scanning
Cisco Umbrella
Elastic Load Balancers
Amazon Application Load Balancer (ALB)
Amazon Classic Load Balancer (CLB)
Amazon Network Load Balancer (NLB)
Amazon Security Lake
Custom Logs Buckets
Troubleshooting
Using Wazuh to monitor Microsoft Azure
Monitoring instances
Monitoring activity and services
Prerequisites
Installing dependencies
Configuring Azure credentials
Considerations for configuration
Monitoring Azure platform and services
Using Azure Log Analytics
Using Azure Storage
Monitoring Microsoft Entra ID
Using Microsoft Graph
Cloud Security Posture Management
Monitoring GitHub
Monitoring GitHub audit logs
Monitoring Google Cloud
Monitoring Google Cloud instances
Monitoring Google Cloud services
Prerequisites
Installing dependencies
Creating Google Cloud credentials
Gcloud Python script
Visualizing Google Cloud events on the Wazuh dashboard
Configuring the supported services
Monitoring Google Cloud Pub/Sub
Use cases
Monitoring Google Cloud Storage buckets
Cloud Security Posture Management
Using Wazuh to monitor Microsoft Graph
Monitoring Microsoft Graph Activity
Monitoring Office 365
Monitoring Office 365 audit logs
Regulatory compliance
Using Wazuh for PCI DSS compliance
Log data analysis
Configuration assessment
Malware detection
File integrity monitoring
Vulnerability detection
Active response
System inventory
Visualization and dashboard
Using Wazuh for GDPR compliance
GDPR II, Principles <gdpr_II>
GDPR III, Rights of the data subject <gdpr_III>
GDPR IV, Controller and processor <gdpr_IV>
Using Wazuh for HIPAA compliance
Visualization and dashboard
Log data analysis
Configuration assessment
Malware detection
File integrity monitoring
Vulnerability detection
Active response
Using Wazuh for NIST 800-53 compliance
Visualization and dashboard
Log data analysis
Security configuration assessment
Malware detection
File integrity monitoring
System inventory
Vulnerability detection
Active response
Threat intelligence
Using Wazuh for TSC compliance
Common criteria 2.1
Common criteria 3.1
Common criteria 5.1
Common criteria 6.1
Common criteria 7.1
Common criteria 8.1
The additional criteria
Availability - A1.1
Processing integrity - PI1.4
Proof of Concept guide
Blocking a known malicious actor
File integrity monitoring
Detecting a brute-force attack
Monitoring Docker events
Monitoring AWS infrastructure
Detecting unauthorized processes
Network IDS integration
Detecting an SQL injection attack
Detecting suspicious binaries
Detecting and removing malware using VirusTotal integration
Vulnerability detection
Detecting malware using YARA integration
Detecting hidden processes
Monitoring execution of malicious commands
Detecting a Shellshock attack
Upgrade guide
Wazuh central components
Wazuh agent
Linux
Windows
macOS
Solaris
AIX
HP-UX
Compatibility matrix
Wazuh-DB backup restoration
Integrations guide
Elastic Stack integration
OpenSearch integration
Splunk integration
Migration guide
Migrating to the Wazuh indexer
Migrating to the Wazuh dashboard
Migrating from OSSEC
Migrating OSSEC server
Migrating OSSEC agent
Wazuh files backup
Creating a backup
Wazuh central components
Wazuh agent
Restoring Wazuh from backup
Wazuh central components
Wazuh agent
Wazuh Cloud service
Getting started
Sign up for a trial
Access Wazuh WUI
Enroll agents
Cloud service FAQ
Your environment
Authentication and authorization
Settings
Limits
Cancellation
Monitor usage
Forward syslog events
Agents without Internet access
SMTP configuration
Technical FAQ
Account and billing
Edit user settings
Manage your billing details
See your billing cycle and history
Update billing and operational contacts
Stop charges for an environment
Billing FAQ
Archive data
Configuration
Filename format
Access
Wazuh Cloud API
Authentication
Reference
CLI
Glossary
Development
Client keys file
Standard OSSEC message format
Makefile options
Wazuh cluster
Wazuh packages generation guide
AIX
Debian
HPUX
macOS
RPM
Solaris
Virtual machine
Windows
WPK
Wazuh-Logtest
SELinux Wazuh context
RBAC database integrity
Release notes
4.x
4.7.3 Release notes
4.7.2 Release notes
4.7.1 Release notes
4.7.0 Release notes
4.6.0 Release notes
4.5.4 Release notes
4.5.3 Release notes
4.5.2 Release notes
4.5.1 Release notes
4.5.0 Release notes
4.4.5 Release notes
4.4.4 Release notes
4.4.3 Release notes
4.4.2 Release notes
4.4.1 Release notes
4.4.0 Release notes
4.3.11 Release notes
4.3.10 Release notes
4.3.9 Release notes
4.3.8 Release notes
4.3.7 Release notes
4.3.6 Release notes
4.3.5 Release notes
4.3.4 Release notes
4.3.3 Release notes
4.3.2 Release notes
4.3.1 Release notes
4.3.0 Release notes
4.2.7 Release notes
4.2.6 Release notes
4.2.5 Release notes
4.2.4 Release notes
4.2.3 Release notes
4.2.2 Release notes
4.2.1 Release notes
4.2.0 Release notes
4.1.5 Release notes
4.1.4 Release notes
4.1.3 Release notes
4.1.2 Release notes
4.1.1 Release notes
4.1.0 Release notes
4.0.4 Release notes
4.0.3 Release notes
4.0.2 Release notes
4.0.1 Release notes
4.0.0 Release notes
3.x
3.13.6 Release notes
3.13.5 Release notes
3.13.4 Release notes
3.13.3 Release notes
3.13.2 Release notes
3.13.1 Release notes
3.13.0 Release notes
3.12.3 Release notes
3.12.2 Release notes
3.12.1 Release notes
3.12.0 Release notes
3.11.4 Release notes
3.11.3 Release notes
3.11.2 Release notes
3.11.1 Release notes
3.11.0 Release notes
3.10.2 Release notes
3.10.1 Release notes
3.10.0 Release notes
3.9.5 Release notes
3.9.4 Release notes
3.9.3 Release notes
3.9.2 Release notes
3.9.1 Release notes
3.9.0 Release notes
3.8.2 Release notes
3.8.1 Release notes
3.8.0 Release notes
3.7.2 Release notes
3.7.1 Release notes
3.7.0 Release notes
3.6.1 Release notes
3.6.0 Release notes
3.5.0 Release notes
3.4.0 Release notes
3.3.1 Release notes
3.3.0 Release notes
3.2.4 Release notes
3.2.3 Release notes
3.2.2 Release notes
3.2.1 Release notes
3.2.0 Release notes
3.1.0 Release notes
3.0.0 Release notes
2.x
2.1.0 Release notes
Installation guide
Uninstalling Wazuh
Uninstalling Wazuh
This section describes how to uninstall the Wazuh central components and agent.
Uninstalling the Wazuh central components
Uninstalling the Wazuh agent
Packages list
Uninstalling the Wazuh central components
Edit on GitHub
Close