Wazuh

Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level. This solution, based on lightweight multi-platform agents, provides the following capabilities:

• Log management and analysis: Wazuh agents read the operating system and application logs, and securely forward them to a central manager for rule-based analysis and storage.
• File integrity monitoring: Wazuh monitors the file system, identifying changes in content, permissions, ownership, and attributes of files that you need to keep an eye on.
• Intrusion and anomaly detection: Agents scan the system looking for malware, rootkits or suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
• Policy and compliance monitoring: Wazuh monitors configuration files to ensure they are compliant with your security policies, standards or hardening guides. Agents perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.

This diverse set of capabilities is provided by integrating OSSEC, OpenSCAP and Elastic Stack, making them work together as a unified solution, and simplifying their configuration and management.

It provides an updated log analysis ruleset and a RESTful API that allows you to monitor the status and configuration of all Wazuh agents.

It also includes a rich web application (fully integrated as a Kibana app), for mining log analysis alerts and for monitoring and managing your Wazuh infrastructure.

Changelog v3.11

Added

• Add support to Windows agents for vulnerability detector. (#2787)
• Make the Wazuh service to start after the network systemd unit (by @VAdamec). (#1106)
• Add process inventory support for Mac OS X agents. (#3322)
• Add port inventory support for MAC OS X agents. (#3349)
• Make Analysisd compile the CDB list upon start. (#3488)
• New rules option global_frequency to make frequency rules independent from the event source. (#3931)
• Add a validation for avoiding agents to keep trying to connect to an invalid address indefinitely. (#3951)

Changed

• Now EventChannel alerts include the full message with the translation of coded fields. (#3320)
• Changed -G agent-auth description in help message. (#3856)
• Unified the Makefile flags allowed values. (#4034)

Fixed

• Fix frequency rules to be increased for the same agent by default. (#3931)
• Fix protocol, system_name, data and extra_data static fields detection. (#3591)
• Fix overwriting agents by Authd when force option is less than 0. (#3527)
• Fix Syscheck nodiff option for substring paths. (#3015)
• Fix Logcollector wildcards to not detect directories as log files. (#3788)
• Make Slack integration work with agentless alerts (by @dmitryax). (#3971)
• Fix bugs reported by Clang analyzer. (#3887)
• Fix compilation errors on OpenBSD platform. (#3105)
• Fix on-demand configuration labels section to obtain labels attributes. (#3490)
• Fixed race condition between wazuh-clusterd and wazuh-modulesd showing a ‘No such file or directory’ in cluster.log when synchronizing agent-info files in a cluster environment (#4007)
• Fixed ‘ConnectionError object has no attribute code’ error when package repository is not available (#3441)
• Fix the blocking of files monitored by Who-data in Windows agents. (#3872)
• Fix the processing of EventChannel logs with unexpected characters. (#3320)
• Active response Kaspersky script now logs the action request in active-responses.log (#2748)
• Fix service’s installation path for CentOS 8. (#4060)
• Add macOS Catalina to the list of detected versions. (#4061)
• Prevent FIM from producing false negatives due to wrong checksum comparison. (#4066)

Download && Use

Portions Copyright (C) 2017 Wazuh, Inc.
Based on work Copyright (C) 2003 – 2013 Trend Micro, Inc.