Wazuh Docs
    Wazuh Docs
    • Product
    • Blog
    • Cloud
    • Services
    • Community
    • Contact us
      • Getting started
        • Components
          • Wazuh agent
          • Wazuh server
          • Elastic Stack
        • Architecture
        • Use cases
          • Log data analysis
          • File integrity monitoring
          • Rootkits detection
          • Active response
          • Configuration assessment
          • System inventory
          • Vulnerability detection
          • Cloud security monitoring
          • Containers security monitoring
          • Regulatory compliance
      • Installation guide
        • Requirements
        • Wazuh server
          • All-in-one deployment
            • Unattended installation
            • Step-by-step installation
          • Distributed deployment
            • Unattended installation
              • Elasticsearch & Kibana unattended installation
              • Wazuh server unattended installation
            • Step-by-step installation
              • Elasticsearch cluster
              • Wazuh cluster
              • Kibana
        • Wazuh agent
          • Linux
          • Windows
          • macOS
          • AIX
          • HP-UX
          • Solaris
          • Deployment variables
            • Linux
            • Windows
            • macOS
            • AIX
        • Packages list
        • More installation alternatives
          • Wazuh with Elastic Stack basic license
            • All-in-one deployment
              • Unattended installation
              • Step-by-step installation
            • Distributed deployment
              • Unattended installation
              • Step-by-step installation
          • Wazuh with Splunk
            • Wazuh cluster installation
            • Install Splunk in single-instance mode
            • Installing & Configuring Splunk Cluster
            • Install the Wazuh app for Splunk
            • Setting up reverse proxy configuration for Splunk
            • Customize agents status indexation
          • Wazuh installation from sources
            • Installing Wazuh server from sources
            • Installing Wazuh agent from sources
      • Upgrade guide
        • Upgrading the Wazuh manager
        • Upgrade Elasticsearch, Filebeat and Kibana
          • Upgrading Open Distro for Elasticsearch
          • Upgrading Elastic Stack basic license
        • Upgrading the Wazuh agent
        • Upgrading from a legacy version
          • Upgrading the Wazuh server
            • Upgrading the Wazuh server from 2.x to 3.x
              • Restore the Wazuh alerts from Wazuh 2.x
            • Upgrading the Wazuh server from 1.x to 2.x
          • Upgrading Elastic Stack
            • Upgrading Elastic Stack from 6.8 to 7.x
            • Upgrading Elastic Stack from 6.x to 6.8
            • Upgrading Elastic Stack from 2.x to 5.x
          • Upgrading the Wazuh agent
            • Upgrading the Wazuh agent from 2.x to 3.x
            • Upgrading the Wazuh agent from 1.x to 2.x
        • Compatibility matrix
      • User manual
        • Overview
        • Wazuh server administration
          • Remote service
          • Defining an alert level threshold
          • Integration with external APIs
          • Configuring syslog output
          • Configuring database output
          • Generating automatic reports
          • Configuring email alerts
            • SMTP server with authentication
        • Certificates deployment
        • Registering Wazuh agents
          • Registering the Wazuh agents using the command line (CLI)
          • Registering the Wazuh agents using the Wazuh API
          • Registration service with password authorization
          • Registration service with host verification
          • Registering Wazuh agents - additional information
          • Registering Wazuh agents - Troubleshooting
        • Agent management
          • Agent life cycle
          • Listing agents
            • Listing agents using the CLI
            • Listing agents using the Wazuh API
            • Listing agents using the Wazuh app
          • Removing agents
            • Remove agents using the CLI
            • Remove agents using the Wazuh API
          • Checking connection with Manager
          • Grouping agents
          • Remote upgrading
            • Upgrading agent
            • Agent upgrade module
            • Adding a custom repository
            • Custom WPK packages creation
              • WPK
              • Generate WPK packages manually
            • Installing a custom WPK package
            • WPK List
        • Deploying a Wazuh cluster
          • Basics
          • Agents connections
          • Cluster management
        • Capabilities
          • Log data collection
            • How it works
            • How to collect Windows logs
            • Configuration
            • FAQ
          • File integrity monitoring
            • How it works
            • Configuration
          • Auditing who-data
            • Auditing who-data in Linux
            • Auditing who-data in Windows
            • Manual configuration of the Local Audit Policies in Windows
          • Anomaly and malware detection
            • How it works
            • Configuration
            • FAQ
          • Security Configuration Assessment
            • What is SCA
            • How SCA works
            • How to configure SCA
            • Creating custom SCA policies
            • Use case: Getting an alert when a check changes its result value
          • Monitoring security policies
            • Rootcheck
              • How it works
              • Configuration
              • FAQ
            • OpenSCAP
              • How it works
              • Configuration
              • FAQ
            • CIS-CAT integration
          • Monitoring system calls
            • How it works
            • Configuration
          • Command monitoring
            • How it works
            • Configuration
            • FAQ
          • Active response
            • How it works
            • Configuration
            • Custom Active Response
            • Use cases
              • Blocking attacks with Active Response
              • How to integrate Wazuh with YARA
              • Detecting and removing malware
            • FAQ
          • Agentless monitoring
            • How it works
            • Configuration
            • FAQ
          • Anti-flooding mechanism
          • Agent labels
          • System inventory
          • Vulnerability detection
            • How it works
            • Compatibility matrix
            • Running a vulnerability scan
            • Offline Update
            • Scan vulnerabilities on unsupported systems
            • CPE Helper
          • VirusTotal integration
            • About VirusTotal
            • How it works
          • Osquery
          • Agent key polling
          • Fluentd forwarder
          • Wazuh-Logtest
            • How it works
            • Configuration
            • FAQ
        • Ruleset
          • Getting started
          • Update ruleset
          • JSON decoder
          • Custom rules and decoders
          • Dynamic fields
          • Ruleset XML syntax
            • Decoders Syntax
            • Rules Syntax
            • Regular Expression Syntax
            • Perl-compatible Regular Expressions
            • Sibling Decoders
          • Testing decoders and rules
          • Using CDB lists
          • Enhancing with MITRE
          • Contribute to the ruleset
          • Rules classification
        • RESTful API
          • Getting started
          • Configuration
          • Securing the Wazuh API
          • Migrating from the Wazuh API 3.X
          • Role-Based Access Control
            • How it works
            • Configuration
            • Authorization Context
            • RBAC Reference
          • Filtering data using queries
          • Examples
          • Reference
        • Wazuh Kibana plugin
          • Setting up the Wazuh Kibana plugin
          • Wazuh Kibana plugin features
            • App overview
            • Ruleset
            • Settings
            • Dev tools
            • Reporting
            • Index pattern selector
            • Download as CSV
            • Query configuration
          • Troubleshooting
          • Reference
            • Configuration file
            • Elasticsearch indices
            • Configure the name of Elasticsearch indices
            • Create a custom dashboard
        • Reference
          • Local configuration (ossec.conf)
            • active-response
            • agentless
            • agent-upgrade
            • alerts
            • auth
            • client
            • client_buffer
            • cluster
            • command
            • database_output
            • email_alerts
            • global
            • integration
            • labels
            • localfile
            • logging
            • remote
            • reports
            • rootcheck
            • sca
            • rule_test
            • ruleset
            • socket
            • syscheck
            • syslog_output
            • task-manager
            • fluent-forward
            • gcp-pubsub
            • wodle name=”open-scap”
            • wodle name=”command”
            • wodle name=”cis-cat”
            • wodle name=”aws-s3”
            • wodle name=”syscollector”
            • vulnerability-detector
            • wodle name=”osquery”
            • wodle name=”docker-listener”
            • wodle name=”azure-logs”
            • wodle name=”agent-key-polling”
            • Verifying configuration
          • Centralized configuration (agent.conf)
          • Internal configuration
          • Daemons
            • wazuh-agentd
            • wazuh-agentlessd
            • wazuh-analysisd
            • wazuh-authd
            • wazuh-csyslogd
            • wazuh-dbd
            • wazuh-execd
            • wazuh-logcollector
            • wazuh-maild
            • wazuh-monitord
            • wazuh-remoted
            • wazuh-reportd
            • wazuh-syscheckd
            • wazuh-clusterd
            • wazuh-modulesd
            • wazuh-db
            • Tables available for wazuh-db
            • wazuh-integratord
          • Tools
            • agent-auth
            • agent_control
            • manage_agents
            • wazuh-control
            • wazuh-logtest
            • clear_stats
            • wazuh-regex
            • update_ruleset
            • verify-agent-conf
            • agent_groups
            • agent_upgrade
            • cluster_control
            • fim_migrate
          • Unattended Installation
          • Statistics files
            • wazuh-agentd.state
            • wazuh-remoted.state
            • wazuh-analysisd.state
            • wazuh-logcollector.state
        • Elasticsearch tuning
        • Uninstalling the Wazuh components
          • Uninstalling Wazuh with Open Distro for Elasticsearch
          • Uninstalling Wazuh with Elastic Stack
      • Cloud service
        • Getting started
          • Sign up for a trial
          • Access Wazuh WUI
          • Register agents
          • Cloud service FAQ
        • Your environment
          • Authentication and authorization
          • Cancellation
          • Monitor usage
          • Forward syslog events
          • Agents without Internet access
          • SMTP configuration
          • Technical FAQ
        • Account and billing
          • Edit user settings
          • Add your billing details
          • See your billing cycle and history
          • Update billing and operational contacts
          • Stop charges for an environment
          • Billing FAQ
        • Cold storage
          • Configuration
          • Filename format
          • Access
        • Wazuh Cloud API
          • Authentication
          • Reference
        • CLI
        • Glossary
      • Development
        • Client keys file
        • Standard OSSEC message format
        • Makefile options
        • Wazuh Cluster
        • Wazuh packages generation guide
          • AIX
          • Debian
          • HPUX
          • Wazuh Kibana plugin
          • macOS
          • RPM
          • Solaris
          • Splunk App
          • Virtual machine
          • Windows
          • WPK
        • Wazuh-Logtest
      • Containers
        • Docker
          • Docker installation
          • Wazuh Docker deployment
          • Wazuh Docker utilities
          • Upgrade Guide (3.x to 4.0)
          • FAQ
        • Deploying with Kubernetes
          • Kubernetes configuration
          • Upgrade Wazuh installed in Kubernetes
          • Clean Up
          • Deployment on local environment
      • Deployment
        • Deploying with Puppet
          • Set up Puppet
            • Installing Puppet master
            • Installing Puppet agent
            • PuppetDB installation (Optional)
            • Setting up Puppet certificates
          • Wazuh Puppet module
            • Wazuh agent class
            • Wazuh manager class
        • Deploying with Ansible
          • Installation Guide
            • Install Ansible
            • Install Wazuh Manager
            • Install Elastic Stack Server
            • Install Wazuh Agent
          • Remote Hosts Connection
          • Roles
            • Wazuh Manager
            • Filebeat
            • Elasticsearch
            • Kibana
            • Wazuh Agent
          • Variables references
        • Virtual Machine (OVA)
        • Amazon Machine Images (AMI)
      • Compliance
        • Using Wazuh for PCI DSS
          • Log analysis
          • Policy monitoring
          • Rootkit detection
          • File integrity monitoring
          • Active response
          • Elastic Stack
        • Using Wazuh for GDPR
          • GDPR II, Principles <gdpr_II>
          • GDPR III, Rights of the data subject <gdpr_III>
          • GDPR IV, Controller and processor <gdpr_IV>
      • Monitoring with Wazuh
        • Using Wazuh to monitor AWS
          • Monitoring AWS instances
          • Monitoring AWS based services
            • Prerequisites
              • Configuring an S3 Bucket
              • Configuring AWS credentials
              • Installing dependencies
              • Considerations for configuration
            • Supported services
              • AWS CloudTrail
              • Amazon VPC
              • AWS Config
              • Amazon ALB
              • Amazon CLB
              • Amazon NLB
              • AWS Key Management Service
              • Amazon Macie
              • AWS Trusted Advisor
              • Amazon GuardDuty
              • Amazon WAF
              • Amazon Inspector
              • AWS CloudWatch Logs
              • Cisco Umbrella
            • Troubleshooting
        • Using Wazuh to monitor Microsoft Azure
          • Monitoring Instances
          • Monitoring Activity
          • Monitoring Services
        • Using Wazuh to monitor Docker
          • Monitoring Docker server
          • Monitoring containers activity
        • Using Wazuh to monitor GCP services
          • Prerequisites
            • Installing dependencies
            • Configuring GCP credentials
            • Configuring Google Cloud Pub/Sub
            • Considerations for configuration
          • Configuration
          • Supported services
      • Migrating from OSSEC
        • Migrating OSSEC server
        • Migrating OSSEC agent
      • Learning Wazuh
        • Prepare your Wazuh Lab Environment
          • Build the Wazuh Lab VPC
          • Launch the EC2 instances
          • Establish access to your EC2 instances
          • Install Wazuh server Components
          • Install the Elastic Stack
          • Configure X-Pack Security
          • Install the Linux Wazuh agents
          • Install the Windows Wazuh agent
        • Detect an SSH brute-force attack
        • Detect an RDP brute force attack
        • Expose hiding processes
        • Detect filesystem changes
        • Change the rules
        • Survive a log flood
        • Detect and react to a Shellshock attack
        • Keep watch for malicious command execution
        • Catch suspicious network traffic
        • Track down vulnerable applications
      • Release notes
        • 4.2.4 Release notes
        • 4.2.3 Release notes
        • 4.2.2 Release notes
        • 4.2.1 Release notes
        • 4.2.0 Release notes
        • 4.1.5 Release notes
        • 4.1.4 Release notes
        • 4.1.3 Release notes
        • 4.1.2 Release notes
        • 4.1.1 Release notes
        • 4.1.0 Release notes
        • 4.0.4 Release notes
        • 4.0.3 Release notes
        • 4.0.2 Release notes
        • 4.0.1 Release notes
        • 4.0.0 Release notes
        • 3.13.3 Release notes
        • 3.13.2 Release notes
        • 3.13.1 Release notes
        • 3.13.0 Release notes
        • 3.12.3 Release notes
        • 3.12.2 Release notes
        • 3.12.1 Release notes
        • 3.12.0 Release notes
        • 3.11.4 Release notes
        • 3.11.3 Release notes
        • 3.11.2 Release notes
        • 3.11.1 Release notes
        • 3.11.0 Release notes
        • 3.10.2 Release notes
        • 3.10.1 Release notes
        • 3.10.0 Release notes
        • 3.9.5 Release notes
        • 3.9.4 Release notes
        • 3.9.3 Release notes
        • 3.9.2 Release notes
        • 3.9.1 Release notes
        • 3.9.0 Release notes
        • 3.8.2 Release notes
        • 3.8.1 Release notes
        • 3.8.0 Release notes
        • 3.7.2 Release notes
        • 3.7.1 Release notes
        • 3.7.0 Release notes
        • 3.6.1 Release notes
        • 3.6.0 Release notes
        • 3.5.0 Release notes
        • 3.4.0 Release notes
        • 3.3.1 Release notes
        • 3.3.0 Release notes
        • 3.2.4 Release notes
        • 3.2.3 Release notes
        • 3.2.2 Release notes
        • 3.2.1 Release notes
        • 3.2.0 Release notes
        • 3.1.0 Release notes
        • 3.0.0 Release notes
        • 2.1 Release notes
      Open source community Professional services
      Edit on GitHub
      • Documentation
      • User manual
      • Capabilities
      • Wazuh-Logtest

      Wazuh-Logtest

      New in version 4.1.0.

      The Wazuh-Logtest whole solution was designed to replace ossec-logtest, now allowing to test and verify rules and decoders remotely, sharing the rules engine with wazuh-analysisd

      Contents

      • How it works
        • Use cases: Test log from Wazuh-Logtest Tool
        • Use cases: Test log from RESTful API
      • Configuration
      • FAQ
        • What happens when trying to start a new session if the maximum session limit has already been reached?
        • What happens when trying to use an invalid logtest token?
        • When is a session closed?
        • In a Wazuh Cluster, where are the logs processed?
        • What events are recognized by the Wazuh-Logtest solution?
        • How is the behavior of the firedtimes counter?
      Fluentd forwarder How it works
      © 2021 · Wazuh Inc.