Reference

This API reference is organized by resources:

Also, it is provided an Request List with all available requests.

Request List

Agents
Decoders
Manager
Rootcheck
Rules
Syscheck

Agents

Add

Add agent

Add a new agent.

Request:

POST

/agents

Parameters:

Param Type Description
name String Agent name.
ip String

If you do not include this param, the API will get the IP automatically. If you are behind a proxy, you must set the option config.BehindProxyServer to yes at config.js.

Allowed values:

  • IP
  • IP/NET
  • ANY
force Number Remove old agent with same IP if disconnected since <force> seconds.

Example Request:

curl -u foo:bar -k -X POST -d '{"name":"NewHost","ip":"10.0.0.9"}' -H 'Content-Type:application/json' "https://127.0.0.1:55000/agents?pretty"

Example Response:

{
   "error": 0,
   "data": "005"
}

Add agent (quick method)

Adds a new agent with name :agent_name. This agent will use ANY as IP.

Request:

PUT

/agents/:agent_name

Parameters:

Param Type Description
agent_name String Agent name.

Example Request:

curl -u foo:bar -k -X PUT "https://127.0.0.1:55000/agents/myNewAgent?pretty"

Example Response:

{
   "error": 0,
   "data": "006"
}

Insert agent

Insert an agent with an existing id and key.

Request:

POST

/agents/insert

Parameters:

Param Type Description
name String Agent name.
ip String

If you do not include this param, the API will get the IP automatically. If you are behind a proxy, you must set the option config.BehindProxyServer to yes at config.js.

Allowed values:

  • IP
  • IP/NET
  • ANY
id String Agent ID.
key String Agent key. Minimum length: 64 characters. Allowed values: ^[a-zA-Z0-9]+$
force Number Remove old agent with same IP if disconnected since <force> seconds.

Example Request:

curl -u foo:bar -k -X POST -d '{"name":"NewHost_2","ip":"10.0.10.10","id":"123","key":"1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64"}' -H 'Content-Type:application/json' "https://127.0.0.1:55000/agents/insert?pretty"

Example Response:

{
   "error": 0,
   "data": "123"
}

Delete

Delete a list of agents

Removes a list of agents. You must restart OSSEC after removing an agent.

Request:

DELETE

/agents

Parameters:

Param Type Description
ids String[] Array of agent ID’s.

Example Request:

curl -u foo:bar -k -X DELETE -H "Content-Type:application/json" -d '{"ids":["001","002"]}' "https://127.0.0.1:55000/agents?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "msg": "All selected agents were removed"
   }
}

Delete an agent

Removes an agent. You must restart OSSEC after removing an agent.

Request:

DELETE

/agents/:agent_id

Parameters:

Param Type Description
agent_id Number Agent ID.

Example Request:

curl -u foo:bar -k -X DELETE "https://127.0.0.1:55000/agents/002?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "msg": "Some agents were not removed",
      "ids": [
         "002"
      ]
   }
}

Info

Get OS summary

Returns a summary of OS.

Request:

GET

/agents/summary/os

Parameters:

Param Type Description
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/agents/summary/os?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 3,
      "items": [
         "debian",
         "ubuntu",
         "windows"
      ]
   }
}

Get agents summary

Returns a summary of the available agents.

Request:

GET

/agents/summary

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/agents/summary?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "Active": 3,
      "Never connected": 3,
      "Total": 6,
      "Disconnected": 0
   }
}

Get all agents

Returns a list with the available agents.

Request:

GET

/agents

Parameters:

Param Type Description
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.
status string

Filters by agent status.

Allowed values:

  • active
  • never connected
  • disconnected
os.platform String Filters by OS platform
os.version String Filters by OS version

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/agents?pretty&offset=0&limit=5&sort=-ip,name"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 6,
      "items": [
         {
            "status": "Active",
            "ip": "any",
            "os": {
               "platform": "windows",
               "version": "10.0.14393",
               "name": "Microsoft Windows Server 2016 Datacenter"
            },
            "id": "004",
            "name": "win_server"
         },
         {
            "status": "Active",
            "ip": "any",
            "os": {
               "platform": "ubuntu",
               "version": "16.04.2 LTS",
               "name": "Ubuntu"
            },
            "id": "003",
            "name": "u16"
         },
         {
            "status": "Never connected",
            "ip": "any",
            "id": "006",
            "name": "myNewAgent"
         },
         {
            "status": "Never connected",
            "ip": "10.0.10.10",
            "id": "123",
            "name": "NewHost_2"
         },
         {
            "status": "Never connected",
            "ip": "10.0.0.9",
            "id": "005",
            "name": "NewHost"
         }
      ]
   }
}

Get an agent

Returns the information of an agent.

Request:

GET

/agents/:agent_id

Parameters:

Param Type Description
agent_id Number Agent ID.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/agents/000?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "status": "Active",
      "name": "ip-10-0-0-10",
      "ip": "127.0.0.1",
      "dateAdd": "2017-08-05 14:47:01",
      "version": "Wazuh v2.1.0",
      "lastKeepAlive": "9999-12-31 23:59:59",
      "os": {
         "major": "8",
         "name": "Debian GNU/Linux",
         "platform": "debian",
         "uname": "Linux ip-10-0-0-10 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64",
         "version": "8",
         "codename": "jessie"
      },
      "id": "000"
   }
}

Key

Get agent key

Returns the key of an agent.

Request:

GET

/agents/:agent_id/key

Parameters:

Param Type Description
agent_id Number Agent ID.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/agents/001/key?pretty"

Example Response:

{
   "error": 0,
   "data": "MDAxIFdlYlNlcnZlcjEgMTAuMC4wLjYyIDNlZjEwYTQ2MGZmZDEwNDlhNDhiMmI1NjRjZmFiNGQxNmFiYzIzMzQ2NDM3MWY0ODQwZDQ0ZDJjN2RkNDkwZTE"
}

Restart

Restart a list of agents

Restarts a list of agents.

Request:

POST

/agents/restart

Parameters:

Param Type Description
ids String[] Array of agent ID’s.

Example Request:

curl -u foo:bar -k -X POST -H "Content-Type:application/json" -d '{"ids":["001","002"]}' "https://127.0.0.1:55000/agents/restart?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "msg": "Some agents were not restarted",
      "ids": [
         "001",
         "002"
      ]
   }
}

Restart all agents

Restarts all agents.

Request:

PUT

/agents/restart

Example Request:

curl -u foo:bar -k -X PUT "https://127.0.0.1:55000/agents/restart?pretty"

Example Response:

{
    "data": "Restarting all agents",
    "error": 0
}

Restart an agent

Restarts the agent.

Request:

PUT

/agents/:agent_id/restart

Parameters:

Param Type Description
agent_id Number Agent unique ID.

Example Request:

curl -u foo:bar -k -X PUT "https://127.0.0.1:55000/agents/000/restart?pretty"

Example Response:

{
    "data": "Restarting agent",
    "error": 0
}

Decoders

Info

Get all decoders

Returns all decoders included in ossec.conf.

Request:

GET

/decoders

Parameters:

Param Type Description
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.
file String Filters by filename.
path String Filters by path.
status String

Filters the decoders by status.

Allowed values:

  • enabled
  • disabled
  • all

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/decoders?pretty&offset=0&limit=2&sort=+file,position"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 480,
      "items": [
         {
            "status": "enabled",
            "name": "wazuh",
            "details": {
               "prematch": "^wazuh: "
            },
            "file": "0005-wazuh_decoders.xml",
            "position": 0,
            "path": "/var/ossec/ruleset/decoders"
         },
         {
            "status": "enabled",
            "name": "agent-buffer",
            "details": {
               "regex": "^ '(\\S+)'.",
               "prematch": "^Agent buffer:",
               "parent": "wazuh",
               "order": "status"
            },
            "file": "0005-wazuh_decoders.xml",
            "position": 1,
            "path": "/var/ossec/ruleset/decoders"
         }
      ]
   }
}

Get all decoders files

Returns all decoders files included in ossec.conf.

Request:

GET

/decoders/files

Parameters:

Param Type Description
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.
status String

Filters the decoders by status.

Allowed values:

  • enabled
  • disabled
  • all
file String Filters by filename.
path String Filters by path.
download String Downloads the file

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/decoders/files?pretty&offset=0&limit=10&sort=-path"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 85,
      "items": [
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0060-cisco-estreamer_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0150-mysql_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0215-portsentry_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0325-suhosin_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0190-openvpn_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0405-mongodb_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0090-dragon-nids_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0085-dovecot_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0335-telnet_decoders.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/decoders",
            "file": "0165-netscreen_decoders.xml"
         }
      ]
   }
}

Get all parent decoders

Returns all parent decoders included in ossec.conf

Request:

GET

/decoders/parents

Parameters:

Param Type Description
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/decoders/parents?pretty&offset=0&limit=2&sort=-file"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 121,
      "items": [
         {
            "status": "enabled",
            "name": "local_decoder_example",
            "details": {
               "program_name": "local_decoder_example"
            },
            "file": "local_decoder.xml",
            "position": 0,
            "path": "/var/ossec/etc/decoders"
         },
         {
            "status": "enabled",
            "name": "jenkins",
            "details": {
               "prematch": "^\\w+ \\d+, \\d+ \\d+:\\d+:\\d+ \\w\\w \\S+ \\w+\\s"
            },
            "file": "0415-jenkins_decoders.xml",
            "position": 0,
            "path": "/var/ossec/ruleset/decoders"
         }
      ]
   }
}

Get decoders by name

Returns the decoders with the specified name.

Request:

GET

/decoders/:decoder_name

Parameters:

Param Type Description
decoder_name String Decoder name.
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/decoders/apache-errorlog?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 3,
      "items": [
         {
            "status": "enabled",
            "name": "apache-errorlog",
            "details": {
               "program_name": "^apache2|^httpd"
            },
            "file": "0025-apache_decoders.xml",
            "position": 0,
            "path": "/var/ossec/ruleset/decoders"
         },
         {
            "status": "enabled",
            "name": "apache-errorlog",
            "details": {
               "prematch": "^[warn] |^[notice] |^[error] "
            },
            "file": "0025-apache_decoders.xml",
            "position": 1,
            "path": "/var/ossec/ruleset/decoders"
         },
         {
            "status": "enabled",
            "name": "apache-errorlog",
            "details": {
               "prematch": "^[\\w+ \\w+ \\d+ \\d+:\\d+:\\d+.\\d+ \\d+] [\\S+:warn] |^[\\w+ \\w+ \\d+ \\d+:\\d+:\\d+.\\d+ \\d+] [\\S+:notice] |^[\\w+ \\w+ \\d+ \\d+:\\d+:\\d+.\\d+ \\d+] [\\S*:error] |^[\\w+ \\w+ \\d+ \\d+:\\d+:\\d+.\\d+ \\d+] [\\S+:info] "
            },
            "file": "0025-apache_decoders.xml",
            "position": 2,
            "path": "/var/ossec/ruleset/decoders"
         }
      ]
   }
}

Manager

Configuration

Get manager configuration

Returns ossec.conf in JSON format.

Request:

GET

/manager/configuration

Parameters:

Param Type Description
section String Indicates the ossec.conf section: global, rules, syscheck, rootcheck, remote, alerts, command, active-response, localfile.
field String Indicates a section child, e.g, fields for rule section are: include, decoder_dir, etc.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/manager/configuration?section=global&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "email_notification": "no",
      "alerts_log": "yes",
      "jsonout_output": "yes",
      "smtp_server": "smtp.example.wazuh.com",
      "email_to": "recipient@example.wazuh.com",
      "logall": "no",
      "email_maxperhour": "12",
      "white_list": [
         "127.0.0.1",
         "^localhost.localdomain$",
         "10.0.0.2"
      ],
      "email_from": "ossecm@example.wazuh.com",
      "logall_json": "no"
   }
}

Info

Get manager information

Returns basic information about Manager.

Request:

GET

/manager/info

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/manager/info?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "installation_date": "Sat Aug  5 14:46:32 UTC 2017",
      "version": "v2.1.0",
      "openssl_support": "yes",
      "max_agents": "8000",
      "ruleset_version": "v2.1.0",
      "path": "/var/ossec",
      "tz_name": "UTC",
      "type": "server",
      "tz_offset": "+0000"
   }
}

Get manager status

Returns the Manager processes that are running.

Request:

GET

/manager/status

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/manager/status?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "wazuh-modulesd": "running",
      "ossec-authd": "stopped",
      "ossec-monitord": "running",
      "ossec-logcollector": "running",
      "ossec-execd": "running",
      "ossec-remoted": "running",
      "ossec-syscheckd": "running",
      "ossec-analysisd": "running",
      "ossec-maild": "stopped"
   }
}

Logs

Get ossec.log

Returns the 3 last months of ossec.log.

Request:

GET

/manager/logs

Parameters:

Param Type Description
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.
type_log string

Filters by type of log.

Allowed values:

  • all
  • error
  • info
category string Filters by category of log.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/manager/logs?offset=0&limit=5&pretty"

Example Response:

{
    "data": {
        "totalItems": 16480,
        "items": [
            "2016/07/15 09:33:49 ossec-syscheckd: INFO: Syscheck scan frequency: 3600 seconds",
            "2016/07/15 09:33:49 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).",
            "2016/07/15 09:33:49 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).",
            "2016/07/15 09:33:42 ossec-logcollector: INFO: Started (pid: 2832).",
            "2016/07/15 09:33:42 ossec-logcollector: INFO: Monitoring output of command(360): df -P"
        ]
    },
    "error": 0
}

Get summary of ossec.log

Returns a summary about the 3 last months of ossec.log.

Request:

GET

/manager/logs/summary

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/manager/logs/summary?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "wazuh-modulesd": {
         "info": 2,
         "all": 2,
         "error": 0
      },
      "ossec-testrule": {
         "info": 172,
         "all": 172,
         "error": 0
      },
      "wazuh-modulesd:oscap": {
         "info": 2,
         "all": 2,
         "error": 0
      },
      "ossec-rootcheck": {
         "info": 6,
         "all": 6,
         "error": 0
      },
      "ossec-monitord": {
         "info": 3,
         "all": 3,
         "error": 0
      },
      "ossec-logcollector": {
         "info": 25,
         "all": 27,
         "error": 2
      },
      "ossec-execd": {
         "info": 4,
         "all": 4,
         "error": 0
      },
      "ossec-remoted": {
         "info": 416,
         "all": 1047,
         "error": 631
      },
      "ossec-syscheckd": {
         "info": 51,
         "all": 51,
         "error": 0
      },
      "ossec-analysisd": {
         "info": 389,
         "all": 389,
         "error": 0
      },
      "wazuh-modulesd:database": {
         "info": 2,
         "all": 2,
         "error": 0
      }
   }
}

Stats

Get manager stats

Returns OSSEC statistical information of current date.

Request:

GET

/manager/stats

Parameters:

Param Type Description
date String Selects the date for getting the statistical information. Format: YYYYMMDD

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/manager/stats?pretty"

Example Response:

{
    "data": [
        {
            "hour": 5,
            "firewall": 0,
            "alerts": [
                {
                    "level": 3,
                    "sigid": 5715,
                    "times": 4
                },
                {
                    "level": 2,
                    "sigid": 1002,
                    "times": 2
                },
                {
                    "...": "..."
                }
            ],
            "totalAlerts": 107,
            "syscheck": 1257,
            "events": 1483
        },
        {
            "...": "..."
        }
    ],
    "error": 0
}

Get manager stats by hour

Returns OSSEC statistical information per hour. Each item in averages field represents the average of alerts per hour.

Request:

GET

/manager/stats/hourly

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/manager/stats/hourly?pretty"

Example Response:

{
    "data": {
        "averages": [
            100,
            357,
            242,
            500,
            422,
            "...",
            123
        ],
        "interactions": 0
    },
    "error": 0
}

Get manager stats by week

Returns OSSEC statistical information per week. Each item in hours field represents the average of alerts per hour and week day.

Request:

GET

/manager/stats/weekly

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/manager/stats/weekly?pretty"

Example Response:

{
    "data": {
        "Wed": {
            "hours": [
                223,
                "...",
                456
            ],
            "interactions": 0
        },
        "Sun": {
            "hours": [
                332,
                "...",
                313
            ],
            "interactions": 0
        },
        "Thu": {
            "hours": [
                888,
                "...",
                123
            ],
            "interactions": 0
        },
        "Tue": {
            "hours": [
                536,
                "...",
                345
            ],
            "interactions": 0
        },
        "Mon": {
            "hours": [
                444,
                "...",
                556
            ],
            "interactions": 0
        },
        "Fri": {
            "hours": [
                131,
                "...",
                432
            ],
            "interactions": 0
        },
        "Sat": {
            "hours": [
                134,
                "...",
                995
            ],
            "interactions": 0
        }
    },
    "error": 0
}

Rootcheck

Clear

Clear rootcheck database

Clears the rootcheck database for all agents.

Request:

DELETE

/rootcheck

Example Request:

curl -u foo:bar -k -X DELETE "https://127.0.0.1:55000/rootcheck?pretty"

Example Response:

{
    "data": "Rootcheck database deleted",
    "error": 0
}

Clear rootcheck database of an agent

Clears the rootcheck database for an agent.

Request:

DELETE

/rootcheck/:agent_id

Parameters:

Param Type Description
agent_id Number Agent ID.

Example Request:

curl -u foo:bar -k -X DELETE "https://127.0.0.1:55000/rootcheck/000?pretty"

Example Response:

{
    "data": "Rootcheck database deleted",
    "error": 0
}

Info

Get last rootcheck scan

Return the timestamp of the last rootcheck scan.

Request:

GET

/rootcheck/:agent_id/last_scan

Parameters:

Param Type Description
agent_id Number Agent ID.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/rootcheck/000/last_scan?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "start": "2017-08-05 14:48:07",
      "end": "2017-08-05 14:47:33"
   }
}

Get rootcheck CIS requirements

Returns the CIS requirements of all rootchecks of the agent.

Request:

GET

/rootcheck/:agent_id/cis

Parameters:

Param Type Description
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/rootcheck/000/cis?offset=0&limit=10&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 2,
      "items": [
         "1.4 Debian Linux",
         "4.13 Debian Linux"
      ]
   }
}

Get rootcheck database

Returns the rootcheck database of an agent.

Request:

GET

/rootcheck/:agent_id

Parameters:

Param Type Description
agent_id Number Agent ID.
pci String Filters by pci requirement.
cis String Filters by CIS.
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/rootcheck/000?offset=0&limit=2&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 8,
      "items": [
         {
            "status": "outstanding",
            "oldDay": "2017-08-05 14:47:18",
            "readDay": "2017-08-05 14:48:08",
            "event": "File '/var/lib/test' is owned by root and has written permissions to anyone."
         },
         {
            "status": "outstanding",
            "oldDay": "2017-08-05 14:47:18",
            "cis": "1.4 Debian Linux",
            "readDay": "2017-08-05 14:48:07",
            "event": "System Audit: CIS - Debian Linux - 1.4 - Robust partition scheme - /opt is not on its own partition {CIS: 1.4 Debian Linux}. File: /opt. Reference: https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf ."
         }
      ]
   }
}

Get rootcheck pci requirements

Returns the PCI requirements of all rootchecks of the agent.

Request:

GET

/rootcheck/:agent_id/pci

Parameters:

Param Type Description
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/rootcheck/000/pci?offset=0&limit=10&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 2,
      "items": [
         "2.2.2",
         "2.2.4"
      ]
   }
}

Run

Run rootcheck scan in all agents

Runs syscheck and rootcheck on all agent, due to OSSEC launches both processes at once.

Request:

PUT

/rootcheck

Example Request:

curl -u foo:bar -k -X PUT "https://127.0.0.1:55000/rootcheck?pretty"

Example Response:

{
    "data": "Restarting Syscheck/Rootcheck on all agents",
    "error": 0
}

Run rootcheck scan in an agent

Runs syscheck and rootcheck on an agent, due to OSSEC launches both processes at once.

Request:

PUT

/rootcheck/:agent_id

Parameters:

Param Type Description
agent_id Number Agent ID.

Example Request:

curl -u foo:bar -k -X PUT "https://127.0.0.1:55000/rootcheck/000?pretty"

Example Response:

{
   "error": 0,
   "data": "Restarting Syscheck/Rootcheck locally"
}

Rules

Info

Get all rules

Returns all rules.

Request:

GET

/rules

Parameters:

Param Type Description
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.
status String

Filters the rules by status.

Allowed values:

  • enabled
  • disabled
  • all
group String Filters the rules by group.
level Range Filters the rules by level. level=2 or level=2-5.
path String Filters the rules by path.
file String Filters the rules by file name.
pci String Filters the rules by pci requirement.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/rules?offset=0&limit=2&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 1701,
      "items": [
         {
            "status": "enabled",
            "pci": [],
            "description": "Generic template for all syslog rules.",
            "file": "0010-rules_config.xml",
            "level": 0,
            "path": "/var/ossec/ruleset/rules",
            "groups": [
               "syslog"
            ],
            "id": 1,
            "details": {
               "category": "syslog",
               "noalert": "1"
            }
         },
         {
            "status": "enabled",
            "pci": [],
            "description": "Generic template for all firewall rules.",
            "file": "0010-rules_config.xml",
            "level": 0,
            "path": "/var/ossec/ruleset/rules",
            "groups": [
               "firewall"
            ],
            "id": 2,
            "details": {
               "category": "firewall",
               "noalert": "1"
            }
         }
      ]
   }
}

Get files of rules

Returns the files of all rules.

Request:

GET

/rules/files

Parameters:

Param Type Description
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.
status String

Filters files by status.

Allowed values:

  • enabled
  • disabled
  • all
path String Filters the rules by path.
file String Filters the rules by filefile.
download String Downloads the file

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/rules/files?offset=0&limit=10&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 95,
      "items": [
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0010-rules_config.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0015-ossec_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0016-wazuh_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0020-syslog_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0025-sendmail_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0030-postfix_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0035-spamd_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0040-imapd_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0045-mailscanner_rules.xml"
         },
         {
            "status": "enabled",
            "path": "/var/ossec/ruleset/rules",
            "file": "0050-ms-exchange_rules.xml"
         }
      ]
   }
}

Get rule groups

Returns the groups of all rules.

Request:

GET

/rules/groups

Parameters:

Param Type Description
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/rules/groups?offset=0&limit=10&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 242,
      "items": [
         "access_control",
         "access_denied",
         "accesslog",
         "account_changed",
         "active_response",
         "adduser",
         "agent",
         "agent_flooding",
         "agentless",
         "amazon"
      ]
   }
}

Get rule pci requirements

Returns the PCI requirements of all rules.

Request:

GET

/rules/pci

Parameters:

Param Type Description
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/rules/pci?offset=0&limit=10&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 38,
      "items": [
         "1.1.1",
         "1.3.4",
         "1.4",
         "10.1",
         "10.2.1",
         "10.2.2",
         "10.2.4",
         "10.2.5",
         "10.2.6",
         "10.2.7"
      ]
   }
}

Get rules by id

Returns the rules with the specified id.

Request:

GET

/rules/:rule_id

Parameters:

Param Type Description
id Number rule.
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/rules/1002?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 1,
      "items": [
         {
            "status": "enabled",
            "pci": [],
            "description": "Unknown problem somewhere in the system.",
            "file": "0020-syslog_rules.xml",
            "level": 2,
            "path": "/var/ossec/ruleset/rules",
            "groups": [
               "syslog",
               "errors"
            ],
            "id": 1002,
            "details": {
               "options": "alert_by_email",
               "match": "$BAD_WORDS"
            }
         }
      ]
   }
}

Syscheck

Clear

Clear syscheck database

Clears the syscheck database for all agents.

Request:

DELETE

/syscheck

Example Request:

curl -u foo:bar -k -X DELETE "https://127.0.0.1:55000/syscheck?pretty"

Example Response:

{
    "data": "Syscheck database deleted",
    "error": 0
}

Clear syscheck database of an agent

Clears the syscheck database for an agent.

Request:

DELETE

/syscheck/:agent_id

Parameters:

Param Type Description
agent_id Number Agent ID.

Example Request:

curl -u foo:bar -k -X DELETE "https://127.0.0.1:55000/syscheck/000?pretty"

Example Response:

{
    "data": "Syscheck database deleted",
    "error": 0
}

Info

Get last syscheck scan

Return the timestamp of the last syscheck scan.

Request:

GET

/syscheck/:agent_id/last_scan

Parameters:

Param Type Description
agent_id Number Agent ID.

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/syscheck/000/last_scan?pretty"

Example Response:

{
   "error": 0,
   "data": {
      "start": "2017-08-05 14:48:04",
      "end": "2017-08-05 14:48:07"
   }
}

Get syscheck files

Returns the syscheck files of an agent.

Request:

GET

/syscheck/:agent_id

Parameters:

Param Type Description
agent_id Number Agent ID.
offset Number First element to return in the collection.
limit Number Maximum number of elements to return.
sort String Sorts the collection by a field or fields (separated by comma). Use +/- at the beginning to ascending or descending order.
search String Looks for elements with the specified string.
event String

Filters files by event.

Allowed values:

  • added
  • readded
  • modified
  • deleted
file String Filters file by filename.
filetype String

Selects type of file.

Allowed values:

  • file
  • registry
summary String

Returns a summary grouping by filename.

Allowed values:

  • yes
  • no
md5 String Returns the files with the specified md5 hash.
sha1 String Returns the files with the specified sha1 hash.
hash String Returns the files with the specified hash (md5 or sha1).

Example Request:

curl -u foo:bar -k -X GET "https://127.0.0.1:55000/syscheck/000?offset=0&limit=2&pretty"

Example Response:

{
   "error": 0,
   "data": {
      "totalItems": 0,
      "items": []
   }
}

Run

Run syscheck scan in all agents

Runs syscheck and rootcheck on all agent, due to OSSEC launches both processes at once.

Request:

PUT

/syscheck

Example Request:

curl -u foo:bar -k -X PUT "https://127.0.0.1:55000/syscheck?pretty"

Example Response:

{
    "data": "Restarting Syscheck/Rootcheck on all agents",
    "error": 0
}

Run syscheck scan in an agent

Runs syscheck and rootcheck on an agent, due to OSSEC launches both processes at once.

Request:

PUT

/syscheck/:agent_id

Parameters:

Param Type Description
agent_id Number Agent ID.

Example Request:

curl -u foo:bar -k -X PUT "https://127.0.0.1:55000/syscheck/000?pretty"

Example Response:

{
   "error": 0,
   "data": "Restarting Syscheck/Rootcheck locally"
}