Wazuh home Wazuh documentation index
  • Product
  • Cloud
  • Services
  • Partners
  • Resources
    • Blog
    • FAQ
  • Company
    • Customers
    • About us
    • Our team
    • Newsroom
    Search now!
    • Getting started
      • Components
        • Wazuh indexer
        • Wazuh server
        • Wazuh dashboard
        • Wazuh agent
      • Architecture
      • Use cases
        • Log data analysis
        • File integrity monitoring
        • Rootkits detection
        • Active response
        • Configuration assessment
        • System inventory
        • Vulnerability detection
        • Cloud security
        • Container security
        • Regulatory compliance
    • Quickstart
    • Installation guide
      • Wazuh indexer
        • Wazuh installation assistant
        • Step-by-step installation
      • Wazuh server
        • Wazuh installation assistant
        • Step-by-step installation
      • Wazuh dashboard
        • Wazuh installation assistant
        • Step-by-step installation
      • Wazuh agent
        • Linux
        • Windows
        • macOS
        • Solaris
        • AIX
        • HP-UX
      • Packages list
    • Installation alternatives
      • Virtual Machine (OVA)
      • Amazon Machine Images (AMI)
      • Deployment on Docker
        • Docker installation
        • Wazuh Docker deployment
        • Wazuh Docker utilities
        • FAQ
      • Deployment on Kubernetes
        • Kubernetes configuration
        • Deployment
        • Upgrade Wazuh installed in Kubernetes
        • Clean Up
      • Offline installation
      • Installation from sources
        • Installing Wazuh server from sources
        • Installing Wazuh agent from sources
      • Installing Wazuh with Elastic Stack basic license
        • All-in-one deployment
        • Distributed deployment
          • Elasticsearch cluster
            • Elasticsearch single-node cluster
            • Elasticsearch multi-node cluster
          • Wazuh cluster
            • Wazuh single-node cluster
            • Wazuh multi-node cluster
          • Kibana
      • Installing Wazuh with Splunk
        • Wazuh manager installation
        • Install and configure Splunk
          • Install Splunk in an all-in-one architecture
          • Install a minimal Splunk distributed architecture
          • Install Splunk in a multi-instance cluster
        • Install the Wazuh app for Splunk
        • Set up reverse proxy configuration for Splunk
        • Customize agents status indexation
        • Create and map internal users (RBAC)
      • Deployment with Ansible
        • Installation Guide
          • Install Ansible
          • Install Wazuh indexer and dashboard
          • Install Wazuh manager
          • Install a Wazuh cluster
          • Install Wazuh Agent
        • Remote endpoints connection
        • Roles
          • Wazuh indexer
          • Wazuh dashboard
          • Filebeat
          • Wazuh Manager
          • Wazuh Agent
        • Variables references
      • Deployment with Puppet
        • Set up Puppet
          • Installing Puppet master
          • Installing Puppet agent
          • Setting up Puppet certificates
        • Wazuh Puppet module
          • Wazuh manager class
          • Wazuh agent class
    • Upgrade guide
      • Upgrading the Wazuh manager
      • Upgrade Elasticsearch, Filebeat and Kibana
        • Upgrading Open Distro for Elasticsearch
        • Upgrading Elastic Stack basic license
      • Upgrading the Wazuh agent
      • Upgrading from a legacy version
        • Upgrading the Wazuh server
          • Upgrading the Wazuh server from 2.x to 3.x
            • Restore the Wazuh alerts from Wazuh 2.x
          • Upgrading the Wazuh server from 1.x to 2.x
        • Upgrading Elastic Stack
          • Upgrading Elastic Stack from 6.8 to 7.x
          • Upgrading Elastic Stack from 6.x to 6.8
          • Upgrading Elastic Stack from 2.x to 5.x
        • Upgrading the Wazuh agent
          • Upgrading the Wazuh agent from 2.x to 3.x
          • Upgrading the Wazuh agent from 1.x to 2.x
      • Compatibility matrix
    • Migration guide
      • Migrating to the Wazuh indexer
      • Migrating to the Wazuh dashboard
      • Migrating from OSSEC
        • Migrating OSSEC server
        • Migrating OSSEC agent
    • Wazuh Cloud service
      • Getting started
        • Sign up for a trial
        • Access Wazuh WUI
        • Register agents
        • Cloud service FAQ
      • Your environment
        • Authentication and authorization
        • Cancellation
        • Monitor usage
        • Forward syslog events
        • Agents without Internet access
        • SMTP configuration
        • Technical FAQ
      • Account and billing
        • Edit user settings
        • Manage your billing details
        • See your billing cycle and history
        • Update billing and operational contacts
        • Stop charges for an environment
        • Billing FAQ
      • Cold storage
        • Configuration
        • Filename format
        • Access
      • Wazuh Cloud API
        • Authentication
        • Reference
      • CLI
      • Glossary
    • User manual
      • Wazuh server administration
        • Remote service
        • Defining an alert level threshold
        • Integration with external APIs
        • Configuring syslog output
        • Configuring database output
        • Generating automatic reports
        • Configuring email alerts
          • SMTP server with authentication
      • Certificates deployment
      • Deployment variables
        • Linux
        • Windows
        • macOS
        • AIX
      • Wazuh agent enrollment
        • Enrollment via agent configuration
          • Linux/Unix endpoint
          • Windows endpoint
          • macOS endpoint
        • Enrollment via manager API
          • Requesting the key
          • Importing the key to the agent
        • Additional security options
          • Using password authentication
          • Manager identity verification
          • Agent identity verification
        • Troubleshooting
      • Agent management
        • Agent life cycle
        • Listing agents
          • Listing agents using the CLI
          • Listing agents using the Wazuh API
          • Listing agents using the Wazuh app
        • Removing agents
          • Remove agents using the CLI
          • Remove agents using the Wazuh API
        • Checking connection with Manager
        • Grouping agents
        • Remote upgrading
          • Upgrading agent
          • Agent upgrade module
          • Adding a custom repository
          • Custom WPK packages creation
            • WPK
            • Generate WPK packages manually
          • Installing a custom WPK package
          • WPK List
        • Query configuration
      • Deploying a Wazuh cluster
        • Basics
        • Agents connections
        • Cluster management
      • Capabilities
        • Log data collection
          • How it works
          • How to collect Windows logs
          • How to collect macOS ULS logs
          • Configuration
          • FAQ
        • File integrity monitoring
          • How it works
          • FIM fields rule mapping
          • Configuration
        • Auditing who-data
          • Auditing who-data in Linux
          • Auditing who-data in Windows
          • Manual configuration of the Local Audit Policies in Windows
        • Anomaly and malware detection
          • How it works
          • Configuration
          • FAQ
        • Security Configuration Assessment
          • What is SCA
          • How SCA works
          • How to configure SCA
          • Creating custom SCA policies
          • Use case: Getting an alert when a check changes its result value
        • Monitoring security policies
          • Rootcheck
            • How it works
            • Configuration
            • FAQ
          • OpenSCAP
            • How it works
            • Configuration
            • FAQ
          • CIS-CAT integration
        • Monitoring system calls
          • How it works
          • Configuration
        • Command monitoring
          • How it works
          • Configuration
          • FAQ
        • Active response
          • How it works
          • Configuration
          • Custom Active Response
          • Use cases
            • Blocking attacks with Active Response
            • How to integrate Wazuh with YARA
            • Detecting and removing malware
          • FAQ
        • Agentless monitoring
          • How it works
          • Configuration
          • FAQ
        • Anti-flooding mechanism
        • Agent labels
        • System inventory
        • Vulnerability detection
          • How it works
          • Compatibility matrix
          • Running a vulnerability scan
          • Offline Update
          • Scan vulnerabilities on unsupported systems
          • CPE Helper
        • VirusTotal integration
          • About VirusTotal
          • How it works
        • Osquery
        • Agent key polling
        • Fluentd forwarder
        • Wazuh-Logtest
          • How it works
          • Configuration
          • FAQ
      • Ruleset
        • Getting started
        • Update ruleset
        • JSON decoder
        • Custom rules and decoders
        • Dynamic fields
        • Ruleset XML syntax
          • Decoders Syntax
          • Rules Syntax
          • Regular Expression Syntax
          • Perl-compatible Regular Expressions
          • Sibling Decoders
        • Testing decoders and rules
        • Using CDB lists
        • Enhancing with MITRE
        • Contribute to the ruleset
        • Rules classification
      • RESTful API
        • Getting started
        • Configuration
        • Securing the Wazuh API
        • Migrating from the Wazuh API 3.X
        • Role-Based Access Control
          • How it works
          • Configuration
          • Authorization Context
          • RBAC Reference
        • Filtering data using queries
        • Examples
        • Reference
      • Securing Wazuh
        • Change the Wazuh indexer passwords
        • Change the Open Distro for Elasticsearch passwords
        • Change the Elasticsearch passwords
      • Reference
        • Local configuration (ossec.conf)
          • active-response
          • agentless
          • agent-upgrade
          • alerts
          • auth
          • client
          • client_buffer
          • cluster
          • command
          • database_output
          • email_alerts
          • global
          • github
          • integration
          • labels
          • localfile
          • logging
          • office365
          • remote
          • reports
          • rootcheck
          • sca
          • rule_test
          • ruleset
          • socket
          • syscheck
          • syslog_output
          • task-manager
          • fluent-forward
          • gcp-pubsub
          • gcp-bucket
          • wodle name=”open-scap”
          • wodle name=”command”
          • wodle name=”cis-cat”
          • wodle name=”aws-s3”
          • wodle name=”syscollector”
          • vulnerability-detector
          • wodle name=”osquery”
          • wodle name=”docker-listener”
          • wodle name=”azure-logs”
          • wodle name=”agent-key-polling”
          • Verifying configuration
        • Centralized configuration (agent.conf)
        • Internal configuration
        • Daemons
          • wazuh-agentd
          • wazuh-agentlessd
          • wazuh-analysisd
          • wazuh-authd
          • wazuh-csyslogd
          • wazuh-dbd
          • wazuh-execd
          • wazuh-logcollector
          • wazuh-maild
          • wazuh-monitord
          • wazuh-remoted
          • wazuh-reportd
          • wazuh-syscheckd
          • wazuh-clusterd
          • wazuh-modulesd
          • wazuh-db
          • Tables available for wazuh-db
          • wazuh-integratord
        • Tools
          • agent-auth
          • agent_control
          • manage_agents
          • wazuh-control
          • wazuh-logtest
          • clear_stats
          • wazuh-regex
          • update_ruleset
          • verify-agent-conf
          • agent_groups
          • agent_upgrade
          • cluster_control
          • fim_migrate
        • Unattended Installation
        • Statistics files
          • wazuh-agentd.state
          • wazuh-remoted.state
          • wazuh-analysisd.state
          • wazuh-logcollector.state
      • Elasticsearch
        • Elasticsearch tuning
        • Wazuh Kibana plugin troubleshooting
        • Indices configuration
        • Elasticsearch indices
      • Wazuh dashboard
        • Wazuh RBAC - How to create and map internal users
        • How to enable multi-tenancy
        • Settings
        • Configuration file
        • Troubleshooting
      • Uninstalling the Wazuh components
        • Uninstalling the Wazuh central components
        • Uninstalling Wazuh with Open Distro for Elasticsearch
        • Uninstalling Wazuh with Elastic Stack
    • Cloud security
      • Using Wazuh to monitor AWS
        • Monitoring AWS instances
        • Monitoring AWS based services
          • Prerequisites
            • Configuring an S3 Bucket
            • Configuring AWS credentials
            • Installing dependencies
            • Considerations for configuration
          • Supported services
            • AWS CloudTrail
            • Amazon VPC
            • AWS Config
            • Amazon ALB
            • Amazon CLB
            • Amazon NLB
            • AWS Key Management Service
            • Amazon Macie
            • AWS Trusted Advisor
            • Amazon GuardDuty
            • Amazon WAF
            • S3 Server Access
            • Amazon Inspector
            • AWS CloudWatch Logs
            • Amazon ECR Image scanning
            • Cisco Umbrella
          • Troubleshooting
      • Using Wazuh to monitor Microsoft Azure
        • Monitoring instances
        • Monitoring activity and services
          • Prerequisites
            • Authentication options
            • Considerations for configuration
          • Monitoring Azure platform and services
            • Using Azure Log Analytics
            • Using Azure Storage
          • Monitoring Azure Active Directory
            • Using Microsoft Graph
      • Using Wazuh to monitor GitHub
        • Monitoring GitHub Activity
      • Using Wazuh to monitor GCP services
        • Prerequisites
          • Installing dependencies
          • Configuring GCP credentials
          • Configuring Google Cloud Pub/Sub
          • Considerations for configuration
        • Supported services
          • Audited resources
          • DNS queries
          • VPC Flow logs
          • Firewall Rules Logging
          • HTTP(S) Load Balancing Logging
          • Usage logs & storage logs
      • Using Wazuh to monitor Office 365
        • Monitoring Office 365 Activity
    • Container security
      • Using Wazuh to monitor Docker
        • Installing dependencies
        • Monitoring Docker server
        • Monitoring containers activity
    • Development
      • Client keys file
      • Standard OSSEC message format
      • Makefile options
      • Wazuh cluster
      • Wazuh packages generation guide
        • AIX
        • Debian
        • HPUX
        • Wazuh Kibana plugin
        • macOS
        • RPM
        • Solaris
        • Splunk App
        • Virtual machine
        • Windows
        • WPK
      • Wazuh-Logtest
      • SELinux Wazuh context
    • Compliance
      • Using Wazuh for PCI DSS
        • Log analysis
        • Policy monitoring
        • Rootkit detection
        • File integrity monitoring
        • Active response
        • Wazuh dashboard
      • Using Wazuh for GDPR
        • GDPR II, Principles <gdpr_II>
        • GDPR III, Rights of the data subject <gdpr_III>
        • GDPR IV, Controller and processor <gdpr_IV>
    • Learning Wazuh
      • Prepare your Wazuh Lab Environment
        • Build the Wazuh Lab VPC
        • Launch the EC2 instances
        • Establish access to your EC2 instances
        • Install Wazuh server Components
        • Install the Elastic Stack
        • Configure X-Pack Security
        • Install the Linux Wazuh agents
        • Install the Windows Wazuh agent
      • Detect an SSH brute-force attack
      • Detect an RDP brute force attack
      • Expose hiding processes
      • Detect filesystem changes
      • Change the rules
      • Survive a log flood
      • Detect and react to a Shellshock attack
      • Keep watch for malicious command execution
      • Catch suspicious network traffic
      • Track down vulnerable applications
    • Proof of Concept guide
      • Auditing commands run by a user
      • Amazon AWS infrastructure monitoring
      • Detecting a brute-force attack
      • Monitoring Docker
      • File integrity monitoring
      • Blocking a malicious actor
      • Detecting unauthorized processes
      • Osquery integration
      • Network IDS integration
      • Detecting a Shellshock attack
      • Detecting an SQL Injection attack
      • Slack integration
      • Detecting suspicious binaries
      • Detecting and removing malware using VirusTotal integration
      • Vulnerability Detector
      • Detecting malware using Yara integration
    • Release notes
      • 4.x
        • 4.3.0 Release notes
        • 4.2.6 Release notes
        • 4.2.5 Release notes
        • 4.2.4 Release notes
        • 4.2.3 Release notes
        • 4.2.2 Release notes
        • 4.2.1 Release notes
        • 4.2.0 Release notes
        • 4.1.5 Release notes
        • 4.1.4 Release notes
        • 4.1.3 Release notes
        • 4.1.2 Release notes
        • 4.1.1 Release notes
        • 4.1.0 Release notes
        • 4.0.4 Release notes
        • 4.0.3 Release notes
        • 4.0.2 Release notes
        • 4.0.1 Release notes
        • 4.0.0 Release notes
      • 3.x
        • 3.13.3 Release notes
        • 3.13.2 Release notes
        • 3.13.1 Release notes
        • 3.13.0 Release notes
        • 3.12.3 Release notes
        • 3.12.2 Release notes
        • 3.12.1 Release notes
        • 3.12.0 Release notes
        • 3.11.4 Release notes
        • 3.11.3 Release notes
        • 3.11.2 Release notes
        • 3.11.1 Release notes
        • 3.11.0 Release notes
        • 3.10.2 Release notes
        • 3.10.1 Release notes
        • 3.10.0 Release notes
        • 3.9.5 Release notes
        • 3.9.4 Release notes
        • 3.9.3 Release notes
        • 3.9.2 Release notes
        • 3.9.1 Release notes
        • 3.9.0 Release notes
        • 3.8.2 Release notes
        • 3.8.1 Release notes
        • 3.8.0 Release notes
        • 3.7.2 Release notes
        • 3.7.1 Release notes
        • 3.7.0 Release notes
        • 3.6.1 Release notes
        • 3.6.0 Release notes
        • 3.5.0 Release notes
        • 3.4.0 Release notes
        • 3.3.1 Release notes
        • 3.3.0 Release notes
        • 3.2.4 Release notes
        • 3.2.3 Release notes
        • 3.2.2 Release notes
        • 3.2.1 Release notes
        • 3.2.0 Release notes
        • 3.1.0 Release notes
        • 3.0.0 Release notes
      • 2.x
        • 2.1 Release notes
    • Documentation
    • User manual
    • Capabilities
    • Command monitoring

    Command monitoring

    There are times when you may want to monitor things that are not in the logs. To address this, Wazuh incorporates the ability to monitor the output of specific commands and treat the output as though it were log file content.

    Contents

    • How it works
      • Configure Wazuh agents to accept remote commands from the manager
      • Configure a command to monitor
      • Process the output
    • Configuration
      • Basic usage
      • Monitor running Windows processes
      • Disk space utilization
      • Check if the output changed
      • Load average
      • Detect USB Storage
    • FAQ
      • Can I monitor commands on Linux and Windows?
      • What are the command monitoring capabilities?
      • Can I check if an application is running on an agent?
    Configuration How it works
    Wazuh Wazuh
    Platform
    • Product
    • Cloud
    Documentation
    • Quickstart
    • Getting started
    • Installation guide
    Services
    • Support
    • Training
    Resources
    • Blog
    • FAQ
    • Community
    Company
    • About us
    • Customers
    • Our partners
    • Careers
    • Contact us
    • Community
    • Contact us
    © 2022 · Wazuh Inc.
    Edit on GitHub