Documentation: wazuh - Agent (to be continued)

Posted by rhysmeister on Thu, 10 Feb 2022 15:50:56 +0100

Wazuh consists of three parts: Agent side, Server side and ES side
The following figure is the official overall structure diagram:


The agent side is responsible for information collection, threat prevention, detection and response. Continue to watch in detail~~
The following figure shows the official detailed architecture of the Agent side:

Here are some of his functions~~

Log collector

This module can read log information and Windows events

The included logcollector module collects information and sends the data to the server for analysis
Here, the remote receiving system log is realized: (the user-defined port is accepted and stored in a plain text file)


The code that implements the custom port indicates

  • The manager will receive the system log information from the network
  • Define wazuh the port that needs to listen and retrieve logs as idle port 513
  • Defines the transport protocol
  • Define log source IP

File integrity monitoring

The module scans regularly, compares the monitored files with the previous ones for modification, deletion and addition, and then synchronizes the results to the database and transmits them to the manager. If there is a difference, an alarm is generated.
Visualization results can be seen in kibana in real time

Anomaly and malware detection

This module mainly includes the following functions:

File monitoring
Monitor registry
system call
Signature rootkit

Security Configuration Assessment

Security configuration assessment (SCA), which evaluates whether the host is secure by scanning the policy file

Monitoring security policies->Rootcheck

View through root check engine:

  • Check if the process is running
  • Check whether the file exists
  • Check whether the contents of the file contain patterns, or whether the Windows registry key contains strings or exists only.

Monitoring system calls

It is a service provided by the Linux system. Match the tracked security event information with the rules to check whether it violates the settings of the security policy.

Command monitoring

wazuh will collect the specific commands to be monitored on the Agent side and send them to the server in the form of logs. You can monitor running Windows processes, disk space utilization, check whether the output changes, average load and USB storage

Active Response

When a rule is used to trigger an alarm, automatic countermeasures will be taken to execute the corresponding script

Agent Labels

Classify different agent groups, and the grouping will be displayed in the output of JSON format, for example!

  "timestamp": "2017-03-07T13:31:41-0800",
  "rule": {
    "level": 7,
    "description": "Integrity checksum changed.",
    "id": "550",
    "firedtimes": 1,
    "groups": [
    "pci_dss": [
  "agent": {
    "id": "001",
    "name": "92603de31548",
    "ip": "",
    "labels": {
      "aws": {
        "instance-id": "i-052a1838c",
        "sec-group": "sg-1103"
      "network": {
        "ip": "",
        "mac": "02:42:ac:11:00:02"
  "manager": {
    "name": "ubuntu"
  "full_log": "Integrity checksum changed for: '/var/ossec/etc/ossec.conf' Size changed from '3663' to '3664' Old md5sum was: '98b351df146410f174a967d726f9965e' New md5sum is : '7f4f5846dcaa0013a91bd6d3ac4a1915' Old sha1sum was: 'c6368b866a835b15baf20976ae5ea7ea2788a30e' New sha1sum is : 'c959321244bdcec824ff0a32cad6d4f1246f53e9'",
  "syscheck": {
    "path": "/var/ossec/etc/ossec.conf",
    "size_before": "3663",
    "size_after": "3664",
    "perm_after": "100640",
    "uid_after": "0",
    "gid_after": "999",
    "md5_before": "98b351df146410f174a967d726f9965e",
    "md5_after": "7f4f5846dcaa0013a91bd6d3ac4a1915",
    "sha1_before": "c6368b866a835b15baf20976ae5ea7ea2788a30e",
    "sha1_after": "c959321244bdcec824ff0a32cad6d4f1246f53e9",
    "event": "modified"
  "decoder": {
    "name": "syscheck_integrity_changed"
  "location": "syscheck"

Or in the form of e-mail:!!

Wazuh Notification.
2017 Mar 07 13:31:41

Received From: (92603de31548)>syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

aws.instance-id: i-052a1838c
aws.sec-group: sg-1103
network.mac: 02:42:ac:11:00:02
Integrity checksum changed for: '/var/ossec/etc/ossec.conf'
Old md5sum was: '98b351df146410f174a967d726f9965e'
New md5sum is : '7f4f5846dcaa0013a91bd6d3ac4a1915'
Old sha1sum was: 'c6368b866a835b15baf20976ae5ea7ea2788a30e'
New sha1sum is : 'c959321244bdcec824ff0a32cad6d4f1246f53e9'

System inventory

In this module, syskellector is used to collect information, such as basic information of system hardware components, basic information of operating system, etc
The applicable operating system and scanning module are given below:

Vulnerability detection

It can detect whether the installed application on the agent side has vulnerabilities and send it to the server side regularly

VirusTotal integration

From version 3.0.0, wazuh can integrate VirusTotal to scan whether the file contains malicious content (virus, worm, Trojan horse)


Starting with version 3.5.0, you can set the Osquery configuration and collect the information generated by Osquery to send it to the manager, and generate corresponding alerts if necessary.

"timestamp": "2018-07-30T13:54:46.476+0000",
"rule": {
    "level": 3,
    "description": "osquery data grouped",
    "id": "24010",
    "firedtimes": 207,
    "mail": false,
    "groups": [
"agent": {
    "id": "000",
    "name": "manager"
"manager": {
    "name": "manager"
"id": "1532958886.437707",
"full_log": "{\"name\":\"system_info\",\"hostIdentifier\":\"manager\",\"calendarTime\":\"Mon Jul 30 13:54:45 2018 UTC\",\"unixTime\":1532958885,\"epoch\":0,\"counter\":461,\"columns\":{\"cgroup_namespace\":\"4026531835\",\"cmdline\":\"\",\"cwd\":\"/\",\"disk_bytes_read\":\"0\",\"disk_bytes_written\":\"0\",\"egid\":\"0\",\"euid\":\"0\",\"gid\":\"0\",\"ipc_namespace\":\"4026531839\",\"mnt_namespace\":\"4026531840\",\"name\":\"migration/0\",\"net_namespace\":\"4026531957\",\"nice\":\"0\",\"on_disk\":\"-1\",\"parent\":\"2\",\"path\":\"\",\"pgroup\":\"0\",\"pid\":\"9\",\"pid_namespace\":\"4026531836\",\"resident_size\":\"\",\"root\":\"/\",\"sgid\":\"0\",\"start_time\":\"0\",\"state\":\"S\",\"suid\":\"0\",\"system_time\":\"2\",\"threads\":\"1\",\"total_size\":\"\",\"uid\":\"0\",\"user_namespace\":\"4026531837\",\"user_time\":\"0\",\"uts_namespace\":\"4026531838\",\"wired_size\":\"0\"},\"action\":\"added\"}",
"decoder": {
    "name": "json"
"data": {
    "action": "added",
    "name": "system_info",
    "hostIdentifier": "manager",
    "calendarTime": "Mon Jul 30 13:54:45 2018 UTC",
    "unixTime": "1532958885",
    "epoch": "0",
    "counter": "461",
    "columns": {
        "cgroup_namespace": "4026531835",
        "cmdline": "",
        "cwd": "/",
        "disk_bytes_read": "0",
        "disk_bytes_written": "0",
        "egid": "0",
        "euid": "0",
        "gid": "0",
        "ipc_namespace": "4026531839",
        "mnt_namespace": "4026531840",
        "name": "migration/0",
        "net_namespace": "4026531957",
        "nice": "0",
        "on_disk": "-1",
        "parent": "2",
        "path": "",
        "pgroup": "0",
        "pid": "9",
        "pid_namespace": "4026531836",
        "resident_size": "",
        "root": "/",
        "sgid": "0",
        "start_time": "0",
        "state": "S",
        "suid": "0",
        "system_time": "2",
        "threads": "1",
        "total_size": "",
        "uid": "0",
        "user_namespace": "4026531837",
        "user_time": "0",
        "uts_namespace": "4026531838",
        "wired_size": "0"
"predecoder": {
    "hostname": "manager"
"location": "osquery"

Agent key polling

polling: polling: the CPU sends out inquiries regularly and asks each peripheral device whether it needs its service in order. If so, it will give the service. After the service is finished, it will ask the next peripheral, and then continue to repeat

This module obtains the user key stored in the external database

Topics: Linux