This section shows the most relevant new features of Wazuh v2.1. You will find more detailed information in our changelog file.
The Anti-flooding mechanism is designed to prevent large bursts of events on an agent from negatively impacting the network or the manager. It uses a leaky bucket queue that collects all generated events and sends them to the manager at a rate below a specified events per second threshold.
Learn more about this new mechanism at Anti-flooding mechanism.
This feature allows agent-specific attributes to be included in each alert. These labels provide a simple way of adding valuable metadata to alert records and can include data points like who is in charge of a particular agent or the agent’s installation date and .
For more details about this new feature see our Labels section.
The Authd program has been improved in this version such that the Wazuh API and the
manage_agents tools can now register an agent while
ossec-authd is running.
ossec-authd now runs in the background and can be enabled using the command
ossec-control enable auth. See the auth section of
ossec.conf for configuration options and sample configuration.
Finally, the new
force_time options in Authd (
-F<time> from the
ossec-authd command line) allow for the automatic deletion of agents that match the name or IP address of a new agent you are attempting to register.
As JSON is one of the most popular logging formats, we have made it possible in this new version to have internal logs written in JSON format, plain text or both. This can be configured in the logging section of
In addition, we have simplified the management of internal logs such that they are rotated and compressed daily. We have further made it possible to control the use of disk space by configuring a the length of time for between the rotated logs before they are automatically deleted.
These parameters are configured in the
monitord section of Internal configuration.
External libraries used by Wazuh have been updated to improve their integration with our components.
/agents now returns information about the OS and a specified list of agents can now be restarted or deleted.