Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/rsol9000-01/wazuh/llms.txt

Use this file to discover all available pages before exploring further.

Two ossec.conf variants are provided for Wazuh agents in this deployment. agent/conf/ossec.conf is used for the co-located agent that runs on the same Docker host as the Wazuh stack — it connects to the Manager using the Docker service hostname wazuh.manager. agent/conf/remote_ossec.conf is for agents installed on external hosts — it adds <agent_name>${HOSTNAME}</agent_name> to the enrollment block so each remote agent registers with its own system hostname. Both files are otherwise identical in terms of monitoring capabilities.
Rootcheck ignores /var/lib/containerd and /var/lib/docker/overlay2 on all agents. Without these exclusions, rootcheck would generate a high volume of false-positive alerts from the constantly-changing overlay filesystem layers used by Docker containers.

Client Connection Settings

The co-located agent connects directly to the wazuh.manager Docker service hostname, which resolves within the Docker network:
<client>
  <server>
    <address>wazuh.manager</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
  <config-profile>ubuntu, ubuntu22, ubuntu22.04</config-profile>
  <notify_time>20</notify_time>
  <time-reconnect>60</time-reconnect>
  <auto_restart>yes</auto_restart>
  <crypto_method>aes</crypto_method>
  <enrollment>
    <enabled>yes</enabled>
    <groups>default</groups>
    <authorization_pass_path>etc/authd.pass</authorization_pass_path>
  </enrollment>
</client>
The agent name is derived automatically from the system hostname at enrollment time.

Connection Parameter Reference

ParameterValueDescription
port1514Manager TCP port for agent event forwarding
protocoltcpTransport protocol — TCP ensures reliable delivery
notify_time20Seconds between keep-alive heartbeats sent to the Manager
time-reconnect60Seconds to wait before attempting reconnection after a lost connection
auto_restartyesAutomatically restart the agent process if it exits unexpectedly
crypto_methodaesAES-256 encryption for all agent-to-manager traffic
enrollment.enabledyesUse the auto-enrollment protocol (authd) instead of manual key import
enrollment.groupsdefaultAssign the agent to the default group on enrollment
Client Buffer
ParameterValueDescription
disablednoEvent buffering is active
queue_size5000Maximum events held in the agent’s outbound queue
events_per_second500Maximum event dispatch rate to the Manager

Wodles (Extension Modules)

The docker-listener wodle subscribes to the Docker daemon event stream on the agent host and forwards container lifecycle events to the Manager as Wazuh alerts.
ParameterValueDescription
disablednoDocker monitoring is active
interval10Polling interval in seconds when event streaming is unavailable
attempts5Number of connection attempts before the wodle backs off
run_on_startyesBegin monitoring immediately on agent startup
Events captured include: container start, stop, die, pause, unpause, create, and destroy. These appear in the Wazuh Dashboard under Threat Intelligence → Docker Listener.
Syscollector collects a comprehensive hardware and software inventory of the agent host and pushes it to the Indexer for storage and search.
ParameterValueDescription
disablednoSyscollector is active
interval1hFull inventory scan every hour
scan_on_startyesRun a scan immediately on agent startup
hardwareyesCPU, memory, and system board details
osyesOperating system name, version, and kernel
networkyesNetwork interfaces, IP addresses, and routes
packagesyesInstalled package list (dpkg/apt)
ports (all=yes)yesAll open ports, including non-listening sockets
processesyesRunning process list
usersyesLocal user accounts
groupsyesLocal groups and their membership
servicesyesSystemd service states
browser_extensionsyesInstalled browser extensions (Chrome/Firefox)
max_eps10Maximum inventory events per second sent to the Indexer
The agent’s syscollector also enables vulnerability detection — the Manager cross-references the collected package list against CVE feeds to identify vulnerable software installed on each agent host.
The CIS-CAT wodle integrates with the CIS-CAT Pro Assessor to run detailed CIS benchmark compliance scans. It is currently disabled in this deployment — the CIS-CAT jar file and Java runtime are not installed on agent hosts.
<wodle name="cis-cat">
  <disabled>yes</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>
  <java_path>wodles/java</java_path>
  <ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
The Osquery wodle forwards Osquery result logs to the Manager for rule-based analysis. It is currently disabled — Osquery is not installed on agent hosts.
<wodle name="osquery">
  <disabled>yes</disabled>
  <run_daemon>yes</run_daemon>
  <log_path>/var/log/osquery/osqueryd.results.log</log_path>
  <config_path>/etc/osquery/osquery.conf</config_path>
  <add_labels>yes</add_labels>
</wodle>

Security Configuration Assessment (SCA)

SCA evaluates the agent host’s configuration against a security benchmark and reports each check result as a pass, fail, or not applicable finding.
ParameterValueDescription
enabledyesSCA is active
scan_on_startyesRun a full policy scan at agent startup
interval12hRe-scan every 12 hours
skip_nfsyesSkip NFS-mounted paths during policy checks
policycis_ubuntu22-04.ymlCIS Ubuntu 22.04 LTS Benchmark — the built-in policy file covering system hardening, user accounts, network settings, and service configuration
SCA results are visible in the Wazuh Dashboard under Security Configuration Assessment for each agent. Failed checks include remediation guidance linked to the CIS benchmark control ID.

File Integrity Monitoring (syscheck)

Syscheck monitors the agent’s filesystem for unauthorized changes and alerts when file content, permissions, ownership, or attributes are modified.

Scan Settings

ParameterValueDescription
frequency43200Full filesystem scan every 12 hours
scan_on_startyesRun an immediate scan on agent startup
process_priority10Run at lower CPU scheduling priority (nice value 10)
max_eps50Maximum FIM events per second to avoid overwhelming the Manager
skip_nfsyesSkip NFS-mounted directories
skip_devyesSkip /dev device files
skip_procyesSkip /proc process filesystem
skip_sysyesSkip /sys kernel interface filesystem

Monitored Directories

PathAttributesNotes
/etc, /usr/bin, /usr/sbinDefault checksSystem configuration and administrative binaries (periodic scan)
/bin, /sbin, /bootDefault checksCore binaries and bootloader (periodic scan)
/etccheck_all, realtimeCritical config directory — also monitored in real-time for instant alerts
/usr/bin, /usr/sbincheck_all, realtimeAdministrative binaries — real-time monitoring
/bin, /sbincheck_all, realtimeCore binaries — real-time monitoring
/var/lib/lxccheck_all, realtimeLXC container definitions and configs (Proxmox hosts)
/etc/pvecheck_all, realtimeProxmox VE cluster configuration (Proxmox hosts)
Real-time monitoring uses Linux inotify events to generate alerts within seconds of a change, without waiting for the next periodic scan cycle.

Ignored Paths

The following paths are excluded from FIM to reduce noise from legitimately and frequently updated files:
PathReason
/etc/mtabUpdated on every mount/unmount operation
/etc/hosts.denyModified by active-response rules
/etc/mail/statisticsUpdated by mail delivery agents
/etc/random-seedRefreshed on each boot/shutdown
/etc/random.seedRefreshed on each boot/shutdown
/etc/adjtimeUpdated by hardware clock sync
/etc/httpd/logsLog directory (high write frequency)
/etc/utmpxLogin tracking file
/etc/wtmpxLogin history file
/etc/cups/certsPrinter certificate directory
/etc/dumpdatesUpdated after each filesystem dump
/etc/svc/volatileVolatile service runtime state
*.log (regex)Log files (all directories)
*.swp (regex)Editor swap files (all directories)
/etc/ssl/private.key is monitored for changes but content diff is suppressed via <nodiff> — alerts fire if the file is modified, but the key material never appears in alert data.

Synchronization

ParameterValueDescription
enabledyesFIM database synchronization with Manager is active
interval5mSync the agent’s local FIM database with the Manager every 5 minutes
max_eps10Maximum synchronization events per second

Active Monitoring Commands

These <localfile> command entries run system commands on a schedule and forward their output to the Manager for analysis and alerting.
AliasCommandFormatFrequencyDescription
(none)df -Pcommand360sDisk utilization per filesystem (POSIX format)
netstat listening portsnetstat -tulpn | sed ...full_command360sActive TCP/UDP listeners with port and process
(none)last -n 20full_command360sLast 20 login sessions
Uptimeuptimefull_command3600sSystem uptime and 1/5/15-minute load averages
Disk Usagedf -hfull_command3600sHuman-readable disk utilization per filesystem
Memory Usagefree -mfull_command300sRAM and swap utilization in megabytes
Process Listps aux --sort=-%cpu | head -20full_command300sTop 20 processes by CPU consumption
Docker Statusdocker ps --format "table {{.Names}}\t{{.Status}}\t{{.Image}}"full_command300sRunning containers with name, status, and image
Command output is received by the Manager as log events and evaluated against the Wazuh ruleset. Disk usage warnings, unexpected process appearances, and Docker container state changes can all trigger alerts.

Log Sources

These <localfile> syslog entries configure the agent to tail standard Linux log files and stream their content to the Manager for rule-based analysis.
SourceFormatDescription
journaldjournaldSystemd journal — covers all systemd-managed services
/var/ossec/logs/active-responses.logsyslogRecord of active response actions taken on this host
/var/log/dpkg.logsyslogDebian package installation, removal, and upgrade events
/var/log/syslogsyslogGeneral system messages
/var/log/auth.logsyslogAuthentication events — SSH logins, sudo, PAM
/var/log/apt/history.logsyslogAPT package manager history
The auth.log source is particularly important for detecting brute-force SSH attacks, privilege escalation via sudo, and failed authentication attempts — Wazuh’s built-in rules generate alerts for repeated failures and suspicious patterns.

Active Response

The agent’s active response block enables the agent to receive and execute response commands dispatched by the Manager.
<active-response>
  <disabled>no</disabled>
  <ca_store>etc/wpk_root.pem</ca_store>
  <ca_verification>yes</ca_verification>
</active-response>
ParameterValueDescription
disablednoActive response is enabled — this agent will execute Manager-dispatched actions
ca_storeetc/wpk_root.pemCA certificate used to verify the integrity of WPK (Wazuh Package) files before execution
ca_verificationyesVerify WPK file signatures against the CA — prevents execution of tampered response scripts
Active response commands configured on the Manager (such as firewall-drop or host-deny) will be executed on this agent when matching alert conditions are triggered.

Build docs developers (and LLMs) love