Wazuh
  • Platform
  • Cloud
  • Services
  • Partners
  • Blog
  • Company
    • Customers
    • About us
    • Our team
    • Newsroom
    Search now!
    • Getting started
      • Components
        • Wazuh indexer
        • Wazuh server
        • Wazuh dashboard
        • Wazuh agent
      • Architecture
      • Use cases
        • Log data analysis
        • File integrity monitoring
        • Rootkits detection
        • Active response
        • Configuration assessment
        • System inventory
        • Vulnerability detection
        • Cloud security
        • Container security
        • Regulatory compliance
    • Quickstart
    • Installation guide
      • Wazuh indexer
        • Wazuh installation assistant
        • Step-by-step installation
      • Wazuh server
        • Wazuh installation assistant
        • Step-by-step installation
      • Wazuh dashboard
        • Wazuh installation assistant
        • Step-by-step installation
      • Wazuh agent
        • Linux
        • Windows
        • macOS
        • Solaris
        • AIX
        • HP-UX
      • Packages list
    • Installation alternatives
      • Virtual Machine (OVA)
      • Amazon Machine Images (AMI)
      • Deployment on Docker
        • Docker installation
        • Wazuh Docker deployment
        • Wazuh Docker utilities
        • Upgrading Wazuh Docker
        • Migrating data from Opendistro to the Wazuh indexer
        • FAQ
      • Deployment on Kubernetes
        • Kubernetes configuration
        • Deployment
        • Upgrade Wazuh installed in Kubernetes
        • Clean Up
      • Offline installation
      • Installation from sources
        • Installing the Wazuh manager from sources
        • Installing the Wazuh agent from sources
      • Installing Wazuh with Elastic Stack
        • All-in-one deployment
        • Distributed deployment
          • Elasticsearch cluster
            • Elasticsearch single-node cluster
            • Elasticsearch multi-node cluster
          • Wazuh cluster
            • Wazuh single-node cluster
            • Wazuh multi-node cluster
          • Kibana
      • Installing Wazuh with Splunk
        • Wazuh manager installation
        • Install and configure Splunk
          • Install Splunk in an all-in-one architecture
          • Install a minimal Splunk distributed architecture
          • Install Splunk in a multi-instance cluster
        • Install the Wazuh app for Splunk
        • Set up reverse proxy configuration for Splunk
        • Customize agents status indexation
        • Create and map internal users (RBAC)
      • Deployment with Ansible
        • Installation Guide
          • Install Ansible
          • Install Wazuh indexer and dashboard
          • Install Wazuh manager
          • Install a Wazuh cluster
          • Install Wazuh Agent
        • Remote endpoints connection
        • Roles
          • Wazuh indexer
          • Wazuh dashboard
          • Filebeat
          • Wazuh Manager
          • Wazuh Agent
        • Variables references
      • Deployment with Puppet
        • Set up Puppet
          • Installing Puppet master
          • Installing Puppet agent
          • Setting up Puppet certificates
        • Wazuh Puppet module
          • Wazuh manager class
          • Wazuh agent class
    • Upgrade guide
      • Wazuh central components
      • Wazuh and Open Distro for Elasticsearch
      • Wazuh and Elastic Stack basic license
      • Wazuh agent
        • Linux
        • Windows
        • macOS
        • Solaris
        • AIX
        • HP-UX
      • Upgrading from a legacy version
        • Upgrading the Wazuh server
          • Upgrading the Wazuh server from 2.x to 3.x
            • Restore the Wazuh alerts from Wazuh 2.x
          • Upgrading the Wazuh server from 1.x to 2.x
        • Upgrading Elastic Stack
          • Upgrading Elastic Stack from 6.8 to 7.x
          • Upgrading Elastic Stack from 6.x to 6.8
          • Upgrading Elastic Stack from 2.x to 5.x
        • Upgrading the Wazuh agent
          • Upgrading the Wazuh agent from 2.x to 3.x
          • Upgrading the Wazuh agent from 1.x to 2.x
      • Compatibility matrix
    • Migration guide
      • Migrating to the Wazuh indexer
      • Migrating to the Wazuh dashboard
      • Migrating from OSSEC
        • Migrating OSSEC server
        • Migrating OSSEC agent
    • Wazuh Cloud service
      • Getting started
        • Sign up for a trial
        • Access Wazuh WUI
        • Register agents
        • Cloud service FAQ
      • Your environment
        • Authentication and authorization
        • Cancellation
        • Monitor usage
        • Forward syslog events
        • Agents without Internet access
        • SMTP configuration
        • Technical FAQ
      • Account and billing
        • Edit user settings
        • Manage your billing details
        • See your billing cycle and history
        • Update billing and operational contacts
        • Stop charges for an environment
        • Billing FAQ
      • Cold storage
        • Configuration
        • Filename format
        • Access
      • Wazuh Cloud API
        • Authentication
        • Reference
      • CLI
      • Glossary
    • User manual
      • Wazuh server administration
        • Remote service
        • Defining an alert level threshold
        • Integration with external APIs
        • Configuring syslog output
        • Configuring database output
        • Generating automatic reports
        • Configuring email alerts
          • SMTP server with authentication
      • Certificates deployment
      • Deployment variables
        • Linux
        • Windows
        • macOS
        • AIX
      • Wazuh agent enrollment
        • Enrollment via agent configuration
          • Linux/Unix endpoint
          • Windows endpoint
          • macOS endpoint
        • Enrollment via manager API
          • Requesting the key
          • Importing the key to the agent
        • Additional security options
          • Using password authentication
          • Manager identity verification
          • Agent identity verification
        • Troubleshooting
      • Agent management
        • Agent life cycle
        • Listing agents
          • Listing agents using the CLI
          • Listing agents using the Wazuh API
          • Listing agents using the Wazuh dashboard
        • Removing agents
          • Remove agents using the CLI
          • Remove agents using the Wazuh API
        • Checking connection with the Wazuh manager
        • Grouping agents
        • Remote upgrading
          • Upgrading agent
          • Agent upgrade module
          • Adding a custom repository
          • Custom WPK packages creation
            • WPK
            • Generate WPK packages manually
          • Installing a custom WPK package
          • WPK List
        • Query configuration
      • Deploying a Wazuh cluster
        • Basics
        • Agents connections
        • Cluster management
      • Capabilities
        • Log data collection
          • How it works
          • How to collect Windows logs
          • How to collect macOS ULS logs
          • Configuration
          • FAQ
        • File integrity monitoring
          • How it works
          • FIM fields rule mapping
          • Configuration
        • Auditing who-data
          • Auditing who-data in Linux
          • Auditing who-data in Windows
          • Manual configuration of the Local Audit Policies in Windows
        • Anomaly and malware detection
          • How it works
          • Configuration
          • FAQ
        • Security Configuration Assessment
          • What is SCA
          • How SCA works
          • How to configure SCA
          • Creating custom SCA policies
          • Use case: Getting an alert when a check changes its result value
        • Monitoring security policies
          • Rootcheck
            • How it works
            • Configuration
            • FAQ
          • OpenSCAP
            • How it works
            • Configuration
            • FAQ
          • CIS-CAT integration
        • Monitoring system calls
          • How it works
          • Configuration
        • Command monitoring
          • How it works
          • Configuration
          • FAQ
        • Active response
          • How it works
          • Configuration
          • Custom Active Response
          • Use cases
            • Blocking attacks with Active Response
            • How to integrate Wazuh with YARA
            • Detecting and removing malware
          • FAQ
        • Agentless monitoring
          • How it works
          • Configuration
          • FAQ
        • Anti-flooding mechanism
        • Agent labels
        • System inventory
        • Vulnerability detection
          • How it works
          • Scan types
          • Configuring and running scans
          • Scanning unsupported systems
          • Scanning Windows applications using CPE Helper
          • Offline Update
        • VirusTotal integration
          • About VirusTotal
          • How it works
        • Osquery
        • Agent key polling
        • Fluentd forwarder
        • Wazuh-Logtest
          • How it works
          • Configuration
          • FAQ
      • Ruleset
        • Getting started
        • Update ruleset
        • JSON decoder
        • Custom rules and decoders
        • Dynamic fields
        • Ruleset XML syntax
          • Decoders Syntax
          • Rules Syntax
          • Regular Expression Syntax
          • Perl-compatible Regular Expressions
          • Sibling Decoders
        • Testing decoders and rules
        • Using CDB lists
        • Enhancing with MITRE
        • Contribute to the ruleset
        • Rules classification
      • RESTful API
        • Getting started
        • Configuration
        • Securing the Wazuh API
        • Migrating from the Wazuh API 3.X
        • Role-Based Access Control
          • How it works
          • Configuration
          • Authorization Context
          • RBAC Reference
        • Filtering data using queries
        • Examples
        • Reference
      • User administration
        • Password management
        • Wazuh RBAC - How to create and map internal users
        • Single sign-on
          • Okta
          • Azure Active Directory
          • PingOne
          • Google
          • Jumpcloud
          • OneLogin
          • Keycloak
      • Reference
        • Local configuration (ossec.conf)
          • active-response
          • agentless
          • agent-upgrade
          • alerts
          • auth
          • client
          • client_buffer
          • cluster
          • command
          • database_output
          • email_alerts
          • global
          • github
          • integration
          • labels
          • localfile
          • logging
          • office365
          • remote
          • reports
          • rootcheck
          • sca
          • rule_test
          • ruleset
          • socket
          • syscheck
          • syslog_output
          • task-manager
          • fluent-forward
          • gcp-pubsub
          • gcp-bucket
          • wodle name="open-scap"
          • wodle name="command"
          • wodle name="cis-cat"
          • wodle name="aws-s3"
          • wodle name="syscollector"
          • vulnerability-detector
          • wodle name="osquery"
          • wodle name="docker-listener"
          • wodle name="azure-logs"
          • wodle name="agent-key-polling"
          • Verifying configuration
        • Centralized configuration (agent.conf)
        • Internal configuration
        • Daemons
          • wazuh-agentd
          • wazuh-agentlessd
          • wazuh-analysisd
          • wazuh-authd
          • wazuh-csyslogd
          • wazuh-dbd
          • wazuh-execd
          • wazuh-logcollector
          • wazuh-maild
          • wazuh-monitord
          • wazuh-remoted
          • wazuh-reportd
          • wazuh-syscheckd
          • wazuh-clusterd
          • wazuh-modulesd
          • wazuh-db
          • Tables available for wazuh-db
          • wazuh-integratord
        • Tools
          • agent-auth
          • agent_control
          • manage_agents
          • wazuh-control
          • wazuh-logtest
          • clear_stats
          • wazuh-regex
          • update_ruleset
          • verify-agent-conf
          • agent_groups
          • agent_upgrade
          • cluster_control
          • fim_migrate
        • Unattended Installation
        • Statistics files
          • wazuh-agentd.state
          • wazuh-remoted.state
          • wazuh-analysisd.state
          • wazuh-logcollector.state
      • Elasticsearch
        • Elasticsearch tuning
        • Wazuh Kibana plugin troubleshooting
        • Indices configuration
        • Elasticsearch indices
      • Wazuh dashboard
        • How to enable multi-tenancy
        • Settings
        • Configuration file
        • Configuring third-party SSL certificates
          • Configuring SSL certificates directly on the Wazuh dashboard
          • Configuring SSL certificates on the Wazuh dashboard using NGINX
        • Troubleshooting
      • Uninstalling the Wazuh components
        • Uninstalling the Wazuh central components
        • Uninstalling Wazuh with Open Distro for Elasticsearch
        • Uninstalling Wazuh with Elastic Stack
      • Wazuh files backup
        • Wazuh central components
        • Wazuh agent
    • Cloud security
      • Using Wazuh to monitor AWS
        • Monitoring AWS instances
        • Monitoring AWS based services
          • Prerequisites
            • Configuring an S3 Bucket
            • Configuring AWS credentials
            • Installing dependencies
            • Considerations for configuration
          • Supported services
            • AWS CloudTrail
            • Amazon VPC
            • AWS Config
            • Amazon ALB
            • Amazon CLB
            • Amazon NLB
            • AWS Key Management Service
            • Amazon Macie
            • AWS Trusted Advisor
            • Amazon GuardDuty
            • Amazon WAF
            • S3 Server Access
            • Amazon Inspector
            • AWS CloudWatch Logs
            • Amazon ECR Image scanning
            • Cisco Umbrella
          • Troubleshooting
      • Using Wazuh to monitor Microsoft Azure
        • Monitoring instances
        • Monitoring activity and services
          • Prerequisites
            • Configuring Azure credentials
            • Considerations for configuration
          • Monitoring Azure platform and services
            • Using Azure Log Analytics
            • Using Azure Storage
          • Monitoring Azure Active Directory
            • Using Microsoft Graph
      • Using Wazuh to monitor GitHub
        • Monitoring GitHub Activity
      • Using Wazuh to monitor GCP services
        • Prerequisites
          • Installing dependencies
          • Configuring GCP credentials
          • Configuring Google Cloud Pub/Sub
          • Considerations for configuration
        • Supported services
          • Audited resources
          • DNS queries
          • VPC Flow logs
          • Firewall Rules Logging
          • HTTP(S) Load Balancing Logging
          • Usage logs & storage logs
      • Using Wazuh to monitor Office 365
        • Monitoring Office 365 Activity
    • Container security
      • Using Wazuh to monitor Docker
        • Installing dependencies
        • Monitoring Docker server
        • Monitoring containers activity
    • Development
      • Client keys file
      • Standard OSSEC message format
      • Makefile options
      • Wazuh cluster
      • Wazuh packages generation guide
        • AIX
        • Debian
        • HPUX
        • Wazuh Kibana plugin
        • macOS
        • RPM
        • Solaris
        • Splunk App
        • Virtual machine
        • Windows
        • WPK
      • Wazuh-Logtest
      • SELinux Wazuh context
    • Regulatory compliance
      • Using Wazuh for PCI DSS compliance
        • Log data analysis
        • Configuration assessment
        • Malware detection
        • File integrity monitoring
        • Vulnerability detection
        • Active response
        • System inventory
        • Visualization and dashboard
      • Using Wazuh for GDPR
        • GDPR II, Principles <gdpr_II>
        • GDPR III, Rights of the data subject <gdpr_III>
        • GDPR IV, Controller and processor <gdpr_IV>
      • Using Wazuh for HIPAA compliance
        • Visualization and dashboard
        • Log data analysis
        • Configuration assessment
        • Malware detection
        • File integrity monitoring
        • Vulnerability detection
        • Active response
    • Proof of Concept guide
      • Blocking a known malicious actor
      • File integrity monitoring
      • Detecting a brute-force attack
      • Monitoring Docker events
      • Monitoring AWS infrastructure
      • Detecting unauthorized processes
      • Network IDS integration
      • Detecting an SQL injection attack
      • Detecting suspicious binaries
      • Detecting and removing malware using VirusTotal integration
      • Vulnerability detection
      • Detecting malware using Yara integration
      • Detecting hidden processes
      • Monitoring execution of malicious commands
      • Detecting a Shellshock attack
    • Release notes
      • 4.x
        • 4.3.10 Release notes
        • 4.3.9 Release notes
        • 4.3.8 Release notes
        • 4.3.7 Release notes
        • 4.3.6 Release notes
        • 4.3.5 Release notes
        • 4.3.4 Release notes
        • 4.3.3 Release notes
        • 4.3.2 Release notes
        • 4.3.1 Release notes
        • 4.3.0 Release notes
        • 4.2.7 Release notes
        • 4.2.6 Release notes
        • 4.2.5 Release notes
        • 4.2.4 Release notes
        • 4.2.3 Release notes
        • 4.2.2 Release notes
        • 4.2.1 Release notes
        • 4.2.0 Release notes
        • 4.1.5 Release notes
        • 4.1.4 Release notes
        • 4.1.3 Release notes
        • 4.1.2 Release notes
        • 4.1.1 Release notes
        • 4.1.0 Release notes
        • 4.0.4 Release notes
        • 4.0.3 Release notes
        • 4.0.2 Release notes
        • 4.0.1 Release notes
        • 4.0.0 Release notes
      • 3.x
        • 3.13.6 Release notes
        • 3.13.5 Release notes
        • 3.13.4 Release notes
        • 3.13.3 Release notes
        • 3.13.2 Release notes
        • 3.13.1 Release notes
        • 3.13.0 Release notes
        • 3.12.3 Release notes
        • 3.12.2 Release notes
        • 3.12.1 Release notes
        • 3.12.0 Release notes
        • 3.11.4 Release notes
        • 3.11.3 Release notes
        • 3.11.2 Release notes
        • 3.11.1 Release notes
        • 3.11.0 Release notes
        • 3.10.2 Release notes
        • 3.10.1 Release notes
        • 3.10.0 Release notes
        • 3.9.5 Release notes
        • 3.9.4 Release notes
        • 3.9.3 Release notes
        • 3.9.2 Release notes
        • 3.9.1 Release notes
        • 3.9.0 Release notes
        • 3.8.2 Release notes
        • 3.8.1 Release notes
        • 3.8.0 Release notes
        • 3.7.2 Release notes
        • 3.7.1 Release notes
        • 3.7.0 Release notes
        • 3.6.1 Release notes
        • 3.6.0 Release notes
        • 3.5.0 Release notes
        • 3.4.0 Release notes
        • 3.3.1 Release notes
        • 3.3.0 Release notes
        • 3.2.4 Release notes
        • 3.2.3 Release notes
        • 3.2.2 Release notes
        • 3.2.1 Release notes
        • 3.2.0 Release notes
        • 3.1.0 Release notes
        • 3.0.0 Release notes
      • 2.x
        • 2.1.0 Release notes
    • User manual
    • Capabilities
    • Command monitoring

    Command monitoring

    There are times when you may want to monitor things that are not in the logs. To address this, Wazuh incorporates the ability to monitor the output of specific commands and treat the output as though it were log file content.

    Contents

    • How it works
      • Configure Wazuh agents to accept remote commands from the manager
      • Configure a command to monitor
      • Process the output
    • Configuration
      • Basic usage
      • Monitor running Windows processes
      • Disk space utilization
      • Check if the output changed
      • Load average
      • Detect USB Storage
    • FAQ
      • Can I monitor commands on Linux and Windows?
      • What are the command monitoring capabilities?
      • Can I check if an application is running on an agent?
    Configuration How it works
    EXPLORE
    • Platform
    • Cloud
    Documentation
    • Quickstart
    • Getting started
    • Installation guide
    Services
    • Support
    • Training
    Resources
    • Blog
    • Community
    Company
    • About us
    • Customers
    • Our partners
    • Careers
    • Contact us
    • Community
    • Contact us
    © 2023 · Wazuh Inc.
    Edit on GitHub