You can use the
restart-wazuh active response script to restart the Wazuh agent on a monitored endpoint. In this use case, we configure it to restart the Wazuh agent whenever the
/var/ossec/etc/ossec.conf configuration file changes.
We save changes to the Wazuh agent configuration file on this endpoint to trigger an active response.
Open the Wazuh server
/var/ossec/etc/ossec.conffile and verify that a
restart-wazuhwith the following configuration is present within the
<command> <name>restart-wazuh</name> <executable>restart-wazuh</executable> </command>
<command>block contains information about the action to be executed on the Wazuh agent:
<name>: Sets a name for the command. In this case,
<executable>: Specifies the active response script or executable that must run after a trigger. In this case, it’s the
<timeout_allowed>: Allows a timeout after a period of time. This tag is set to no here, which represents a stateless active response.
<active-response>block below to the Wazuh server
<ossec_config> <active-response> <command>restart-wazuh</command> <location>local</location> <rules_id>100009</rules_id> </active-response> </ossec_config>
<command>: Specifies the command to configure. This is the command name
restart-wazuhdefined in the previous step.
<location>: Specifies where the command executes. Using the
localvalue here means that the command executes on the monitored endpoint where the trigger event occurs.
<rules_id>: The active response module executes the command if rule ID
Add the rules below to the Wazuh server
<group name="restart,"> <rule id="100009" level="5"> <if_sid>550</if_sid> <match>ossec.conf</match> <description>Changes made to the agent configuration file - $(file)</description> </rule> </group>
This rule detects changes in the Wazuh agent configuration file.
Restart the Wazuh manager service to apply changes:
$ sudo systemctl restart wazuh-manager
/var/ossec/etc/ossec.conffile and add the following configuration to the
This monitors the Wazuh agent configuration file for any changes.
Restart the Wazuh agent service to apply changes:
$ sudo systemctl restart wazuh-agent
Add the following block in the
<syscheck>block of the Wazuh agent
/var/ossec/etc/ossec.confconfiguration file and save it:
This addition allows monitoring file changes in the
/rootdirectory of the monitored endpoint. You don’t need to actually add or modify files. It’s just to test the configuration.
Incorrect modifications to the Wazuh agent configuration file might cause the service to crash. It’s important to thoroughly review any changes before implementing them in a production environment.
You can visualize the alert data on the Wazuh dashboard.