4.6.0 Release notes - 31 October 2023

This section lists the changes in version 4.6.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.


  • Included support for the Microsoft Graph Security API. This addition enables users to integrate and fetch security alerts from multiple Microsoft products. It provides a cohesive security perspective.

  • Added the Webhook input API endpoint. It paves the way to dynamic integrations and real-time responses. It enhances automation capabilities and responsiveness.

  • Incorporated Office 365 support for GCC/GCCH. This addition extends monitoring coverage for organizations with a strong reliance on Office 365, particularly in GCC/GCCH environments. It ensures comprehensive compliance and security.

  • Support for AlmaLinux OS, Debian 12, and Amazon Linux 2022 is now included in Vulnerability Detector. Expanding support to newer OS versions demonstrates the platform's adaptability to the evolving Linux ecosystem. It also highlights our commitment to user safety across diverse environments.

  • Included PCRE2 support in Security Configuration Assessment (SCA). This addition provides users with a more powerful pattern-matching tool. It enhances the software auditing and compliance capabilities.

Breaking changes

  • The integration methods for Splunk, OpenSearch, and Elastic Stack have been changed. Please refer to the Integrations guide to learn more.

What's new

This release includes the following new features and enhancements:

Wazuh manager

  • #13559 wazuh-authd can now generate X509 certificates.

  • #13797 Introduced a new CLI to manage features related to the Wazuh API RBAC resources.

  • #13034 Added support for Amazon Linux 2022 in Vulnerability Detector.

  • #16343 Added support for Alma Linux in Vulnerability Detector.

  • #18542 Added support for Debian 12 in Vulnerability Detector.

  • #14953 Added a mechanism in wazuh-db to identify fragmentation and perform vacuum.

  • #19956 Adjusted the default settings for wazuh-db to perform database auto-vacuum more often.

  • #18333 Added an option to set whether the manager should ban newer agents.

  • #15661 Added a mechanism to prevent Wazuh agent connections to lower manager versions.

  • #14659 wazuh-remoted now checks the size of the files to avoid malformed merged.mg.

  • #14024 Added a limit option for the Rsync dispatch queue size.

  • #14026 Added a limit option for the Rsync thread pool.

  • #14549 wazuh-authd now shows a warning when deprecated forcing options are present in the configuration.

  • #14804 The agent now notifies the manager when Active Response fails to run netsh.

  • #13906 The master node of a cluster now uses a new broadcast system to send agent group information.

  • #15220 Changed cluster send_request method so that timeouts are treated as exceptions and not as responses.

  • #13065 Refactored methods responsible for file synchronization within the cluster.

  • #16065 Changed schema constraints for sys_hwinfo table.

  • #15709 The Auth process does not start when the registration password is empty.

  • #19400 Changed the message type for GetSecurityInfo from error to debug.


  • #15226 Added GuardDuty Native support to the AWS integration.

  • #14768 Added --prefix parameter to Azure Storage integration.

  • #16493 Added validations for empty and invalid values in AWS integration.

  • #13573 Added new unit tests for GCloud integration and increased coverage to 99%.

  • #14104 Added new unit tests for Azure Storage integration and increased coverage to 99%.

  • #14177 Added new unit tests for Docker Listener integration.

  • #18116 Added support for Microsoft Graph security API. Thanks to Bryce Shurts (@S-Bryce).

  • #15852 Added wildcard support in FIM for the Windows registry.

  • #15973 Added wildcard support for folders in the localfile configuration on Windows.

  • #14782 Added new settings ignore and restrict to logcollector.

  • #12745 Added RSync and DBSync to FIM.

  • #17124 Added PCRE2 regex for SCA policies.

  • #14763 Added a mechanism to detect policy changes.

  • #13264 FIM option fim_check_ignore now applies to files and directories.

  • #16531 Changed AWS integration to take into account the user configuration found in the .aws/config file.

  • #14537 Changed the calculation of timestamps in AWS and Azure modules by using UTC timezone.

  • #15009 Changed the AWS integration to only show the Skipping file with another prefix message in debug mode.

  • #14999 Changed debug level required to display CloudWatch Logs event messages.

  • #17447 Changed syscollector database default permissions.

  • #17161 Changed agent IP lookup algorithm.

  • #14499 Changed InstallDate origin in Windows installed programs.

  • #14524 Enhanced clarity of certain error messages in the AWS integration for better exception tracing.

  • #13420 Improved external integrations SQLite queries.

  • #16325 Improved items iteration for Config and VPCFlow AWS integrations.

  • #14784 Unit tests have been added to the shared JSON handling library.

  • #14476 Unit tests have been added to the shared SQLite handling library.

  • #15032 Improved command to change user and group from version 4.2.x to 4.x.x.

  • #15647 Changed the internal value of the open_attemps configuration.

  • #13878 The unused option local_ip for agent configuration has been deleted.

  • #14684 Removed unused migration functionality from the AWS integration.

  • #17655 Deleted definitions of repeated classes in the AWS integration.

  • #15031 Removed duplicate methods in AWSBucket and reused the ones inherited from WazuhIntegration.

  • #16547 Added support for Office365 MS/Azure Government Community Cloud (GCC) and Government Community Cloud High (GCCH) API. Thanks to Bryce Shurts (@S-Bryce).

  • #19758 Reduced the default FIM event throughput to 50 EPS.


  • #17670 Added POST /events API endpoint to ingest logs through the API.

  • #17865 Added query, select and distinct parameters to multiple endpoints.

  • #13919 Added a new upgrade and migration mechanism for the RBAC database.

  • #13654 Added a new API configuration option to rotate log files based on a given size.

  • #15994 Added relative_dirname parameter to GET, PUT and DELETE methods of the /decoder/files/{filename} and /rule/files/{filename} endpoints.

  • #18212 Added a new configuration option to disable uploading configurations containing the new allow_higher_version setting.

  • #13615 Added API integration tests documentation.

  • #13646 Changed the API's response status code for Wazuh cluster errors from 400 to 500.

  • #15934 Removed legacy code related to agent databases in /var/agents/db.

  • #19001 Changed Operational API error messages to include additional information.


  • #14138 The SSHD decoder has been improved to catch disconnection events.

Wazuh dashboard

  • #5197 #5274 #5298 #5409 Added rel="noopener noreferrer" in documentation links.

  • #5203 Added ignore and restrict options to Syslog configuration.

  • #5376 Added the extensions.github and extensions.office settings to the default configuration file.

  • #4163 Added new global error treatment (client-side).

  • #5519 Added new CLI to generate API data from specification file.

  • #5551 Added specific RBAC permissions to the Security section.

  • #5443 Added Refresh and Export formatted button to panels in Agents > Inventory data.

  • #5491 Added Refresh and Export formatted buttons to Management > Cluster > Nodes.

  • #5201 Changed the regular expression in RBAC.

  • #5384 Migrated the timeFilter, metaFields, and maxBuckets health checks inside the pattern check.

  • #5485 Changed the query to search for an agent in Management > Configuration.

  • #5476 Changed the search bar in management/log to the one used in the rest of the app.

  • #5457 Changed the design of the wizard to add agents.

  • #5363 #5442 #5443 #5444 #5445 #5447 #5452 #5491 #5785 Introduced a new, enhanced search bar. It adds new features to all the searchable tables that leverage the Wazuh API. It also addresses some of the issues found in the previous version.

  • #5451 Removed deprecated request and code in agent's view.

  • #5453 Removed unnecessary dashboard queries caused by the deploy agent view.

  • #5500 Removed repeated and unnecessary requests in the Security section.

  • #5519 Removed scripts to generate API data from live Wazuh manager.

  • #5532 Removed the pretty parameter from cron job requests.

  • #5528 Removed unnecessary requests in the Management > Status section.

  • #5485 Removed obsolete code that caused duplicate requests to the API in Management.

  • #5592 Removed unused embedded jquery-ui.

Resolved issues

This release resolves the following known issues:

Wazuh manager

  • Fixed wazuh-remoted not updating total bytes sent in UDP.

  • Fixed translation of packages with a missing version in CPE Helper for Vulnerability Detector.

  • Fixed undefined behavior issues in Vulnerability Detector unit tests.

  • Fixed permission error when producing FIM alerts.

  • Fixed memory leaks in wazuh-authd.

  • Fixed Audit policy change detection in FIM for Windows.

  • Fixed origin_module variable value when sending API or framework messages to core sockets.

  • Fixed an issue where an erroneous tag appeared in the cluster logs.

  • Fixed log error displayed when there's a duplicate worker node name within a cluster.

  • Resolved an issue in the agent_upgrade CLI when used from worker nodes.

  • Fixed error in the agent_upgrade CLI when displaying upgrade result.

  • Fixed an error in which local clients lost the connection with the cluster because they did not send keepalive messages.

  • Fixed error in which exceptions were not correctly handled when dapi_err command could not be sent to peers.

  • Fixed error in worker's Integrity sync task when a group folder was deleted in master.

  • Fixed error when trying to update an agent through the API or the CLI while pointing to a WPK file.

  • Fixed wazuh-remoted high CPU usage in a master node without agents.

  • Fixed race condition in wazuh-analysisd handling the rule ignore option.

  • Fixed missing rules and decoders in Analysisd JSON report.

  • Fixed translation of packages with missing version in CPE Helper.

  • Fixed log date parsing at predecoding stage.

  • Fixed permission error in JSON alert.


  • Fixed the architecture of the dependency URL for macOS.

  • Fixed a path length limitation that prevented FIM from reporting changes on Windows.

  • Updated the AWS integration to use the regions specified in the AWS config file when no regions are provided in ossec.conf.

  • Corrected the error code #2 for the SIGINT signal within the AWS integration.

  • Fixed the discard_regex functionality for the AWS GuardDuty integration.

  • Fixed error messages in the AWS integration when there is a ClientError.

  • Fixed error that could lead to duplicate logs when using the same dates in the AWS integration.

  • Fixed check_bucket method in AWS integration to be able to find logs without a folder in root.

  • Added field validation for last_date.json in Azure Storage integration.

  • Improved handling of invalid regions given to the VPCFlow AWS integration, enhancing exception clarity.

  • Fixed error in the GCloud Subscriber unit tests.

  • Fixed the marker that AWS custom integrations use.

  • Fixed error messages when there are no logs to process in the WAF and Server Access AWS integrations.

  • Added region validation before instantiating AWS service class in the AWS integration.

  • Fixed InstallDate format in Windows installed programs.

  • Fixed syscollector default interval time when the configuration is empty.

  • Fixed an issue where the agent starts with an invalid FIM configuration.

  • Fixed rootcheck scan trying to read deleted files.

  • Fixed compilation and build in Gentoo.

  • Fixed a crash when FIM scanned long Windows paths.

  • Fixed FIM who-data support for AArch64 platforms.


  • Fixed an unexpected behavior when using the q and select parameters in some endpoints.

  • Resolved an issue in the GET /manager/configuration API endpoint when retrieving the vulnerability detector configuration section.

  • Fixed GET /agents/upgrade_result endpoint internal error with code 1814 in large environments.

  • Enhanced the alphanumeric_symbols regex to better accommodate specific SCA remediation fields.

  • Fixed a bug that prevented retrieving the Wazuh logs if only the JSON format was configured.

  • Fixed error in GET /rules when variables are used inside id or level ruleset fields.

  • Fixed PUT /syscheck and PUT /rootcheck endpoints to exclude exception codes properly.

  • Adjusted test_agent_PUT_endpoints.tavern.yaml to resolve a race condition error.

  • Fixed some errors in API integration tests for RBAC white agents.

Wazuh dashboard

  • Fixed trailing hyphen character for OS value in the list of agents.

  • Fixed several typos in the code.

  • Fixed the display of more than one protocol in the Global configuration section.

  • Fixed uncaught error and wrong error message in the PCI DSS Control tab.

  • Fixed references to Elasticsearch in Wazuh-stack plugin.

  • Fixed the two errors that appeared in the console in the Settings > Configuration section.

  • Fixed the GitHub and Office 365 module visibility configuration for each API host that was not kept when changing/upgrading the plugin.

  • Fixed the GitHub and Office 365 modules appearing in the main menu when they were not configured.

  • Fixed TypeError in FIM Inventory using a new error handler.

  • Fixed error when using invalid group configuration.

  • Fixed repeated requests in inventory data and configurations of an agent.

  • Fixed repeated requests in the group table when adding a group or refreshing the table.

  • Fixed an error in the request body suggestions of API Console.

  • Fixed some errors related to relative dirname of rule and decoder files.

  • Fixed package URLs in the aarch64 commands.

  • Fixed the install macOS agent commands.


  • Fixed debug redirection in packages installation in the Wazuh installation assistant.

  • Fixed dashboard dependencies in RHEL systems.

  • Replaced requestHeadersWhitelist with requestHeadersAllowlist.

  • Fixed common WPK container.


More details about these changes are provided in the changelog of each component: