Wazuh Docs

      Command monitoring

      There are times when you may want to monitor things that are not in the logs. To address this, Wazuh incorporates the ability to monitor the output of specific commands and treat the output as though it were log file content.

      Contents

      • How it works
        • Configure Wazuh agents to accept remote commands from the manager
        • Configure a command to monitor
        • Process the output
      • Configuration
        • Basic usage
        • Monitor running Windows processes
        • Disk space utilization
        • Check if the output changed
        • Load average
        • Detect USB Storage
      • FAQ
        • Can I monitor commands on Linux and Windows?
        • What are the command monitoring capabilities?
        • Can I check if an application is running on an agent?
      © 2021 · Wazuh Inc.