Wazuh

    Active response use cases

    • Blocking SSH brute-force attack with active response
    • Restarting the Wazuh agent with active response
    • Disabling a Linux user account with active response
    © 2023 · Wazuh Inc.