wazuh v3.9.0-rc4 releases: Host and endpoint security


Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level. This solution, based on lightweight multi-platform agents, provides the following capabilities:

  • Log management and analysis: Wazuh agents read operating system and application logs, and securely forward them to a central manager for rule-based analysis and storage.
  • File integrity monitoring: Wazuh monitors the file system, identifying changes in content, permissions, ownership, and attributes of files that you need to keep an eye on.
  • Intrusion and anomaly detection: Agents scan the system looking for malware, rootkits or suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
  • Policy and compliance monitoring: Wazuh monitors configuration files to ensure they are compliant with your security policies, standards or hardening guides. Agents perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.

This diverse set of capabilities is provided by integrating OSSEC, OpenSCAP and Elastic Stack, making them work together as a unified solution, and simplifying their configuration and management.

It provides an updated log analysis ruleset and a RESTful API that allows you to monitor the status and configuration of all Wazuh agents.

It also includes a rich web application (fully integrated as a Kibana app), for mining log analysis alerts and for monitoring and managing your Wazuh infrastructure.

Changelog v3.9.0 RC3


  • New module to perform Security Configuration Assessment scans. (#2598)
  • Collect network and port inventory for Windows XP/Server 2003. (#2464)
  • Included inventory fields as dynamic fields in events to use them in rules. (#2441)
  • Added an option startup_healthcheck in FIM so that the the who-data health-check is optional. (#2323)
  • The real agent IP is reported by the agent and shown in alerts and the App interface. (#2577)
  • Added support for organizations in AWS wodle. (#2627)
  • Added support for hot added symbolic links in Whodata. (#2466)


  • Introduced a network buffer in Remoted to cache incomplete messages from agents. This improves the performance by preventing Remoted from waiting for complete messages. (#2528)
  • Improved alerts about disconnected agents: they will contain the data about the disconnected agent, although the alert is actually produced by the manager. (#2379)
  • Improved Remoted start-up logging messages. (#2460)
  • Let agent_auth warn when it receives extra input arguments. (#2489)
  • Update the who-data related SELinux rules for Audit 3.0. This lets who-data work on Fedora 29. (#2419)
  • Changed data source for network interface’s MAC address in Syscollector so that it will be able to get bonded interfaces’ MAC. (#2550)
  • Now labels starting with _ are reserved for internal use. (#2577)
  • Now AWS wodle fetches aws.requestParameters.disableApiTermination with an unified format (#2614)
  • Improved overall performance in cluster (#2575)
  • Some improvements has been made in the vulnerability-detector module. (#2603)


  • Fixed error in Syscollector for Windows older than Vista when gathering the hardware inventory. (#2326)
  • Fixed an error in the OSQuery configuration validation. (#2446)
  • Prevent Integrator, Syslog Client and Mail forwarded from getting stuck while reading alerts.json. (#2498)
  • Fixed a bug that could make an Agent running on Windows XP close unexpectedly while receiving a WPK file. (#2486)
  • Fixed ossec-control script in Solaris. (#2495)
  • Fixed a compilation error when building Wazuh in static linking mode with the Audit library enabled. (#2523)
  • Fixed a memory hazard in Analysisd on log pre-decoding for short logs (less than 5 bytes). (#2391)
  • Fixed defects reported by Cppcheck. (#2521)
    • Double free in GeoIP data handling with IPv6.
    • Buffer overlay when getting OS information.
    • Check for successful memory allocation in Syscollector.
  • Fix out-of-memory error in Remoted when upgrading an agent with a big data chunk. (#2594)
  • Re-registered agent are reassigned to correct groups when the multigroup is empty. (#2440)
  • Wazuh manager starts regardless of the contents of local_decoder.xml. (#2465)
  • Let Remoted wait for download module availability. (#2517)
  • Fix duplicate field names at some events for Windows eventchannel. (#2500)
  • Delete empty fields from Windows Eventchannel alerts. (#2492)
  • Fixed memory leak and crash in Vulnerability Detector. (#2620)
  • Prevent Analysisd from crashing when receiving an invalid Syscollector event. (#2621)
  • Fix a bug in the database synchronization module that left broken references of removed agents to groups. (#2628)

Download && Use

Portions Copyright (C) 2017 Wazuh, Inc.
Based on work Copyright (C) 2003 – 2013 Trend Micro, Inc.