Wazuh

Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level. This solution, based on lightweight multi-platform agents, provides the following capabilities:

• Log management and analysis: Wazuh agents read operating system and application logs, and securely forward them to a central manager for rule-based analysis and storage.
• File integrity monitoring: Wazuh monitors the file system, identifying changes in content, permissions, ownership, and attributes of files that you need to keep an eye on.
• Intrusion and anomaly detection: Agents scan the system looking for malware, rootkits or suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
• Policy and compliance monitoring: Wazuh monitors configuration files to ensure they are compliant with your security policies, standards or hardening guides. Agents perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.

This diverse set of capabilities is provided by integrating OSSEC, OpenSCAP and Elastic Stack, making them work together as a unified solution, and simplifying their configuration and management.

It provides an updated log analysis ruleset and a RESTful API that allows you to monitor the status and configuration of all Wazuh agents.

It also includes a rich web application (fully integrated as a Kibana app), for mining log analysis alerts and for monitoring and managing your Wazuh infrastructure.

Changelog v3.7.0

Added

• Adding feature to remotely query agent configuration on demand. (#548)
• Boost Analysisd performance with multithreading. (#1039)
• Adding feature to let agents belong to multiple groups. (#1135)
  • API support for multiple groups. (#1300 #1135)
• Boost FIM decoding performance by storing data into Wazuh DB using SQLite databases. (#1333)
  • FIM database is cleaned after restarting agent 3 times, deleting all entries that left being monitored.
  • Added script to migrate older Syscheck databases to WazuhDB. (#1504) (#1333)
• Added rule testing output when restarting manager. (#1196)
• New wodle for Azure environment log and process collection. (#1306)
• New wodle for Docker container monitoring. (#1368)
• Disconnect manager nodes in cluster if no keep alive is received or sent during two minutes. (#1482)
• API requests are forwarded to the proper manager node in cluster. (#885)
• Centralized configuration pushed from manager overwrite the configuration of directories that exist with the same path in ossec.conf. (#1740)

Changed

• Refactor Python framework code to standardize database requests and support queries. (#921)
• Replaced the execvpe function by execvp for the Wazuh modules. (#1207)
• Avoid the use of reference ID in Syscollector network tables. (#1315)
• Make Syscheck case insensitive on Windows agent. (#1349)
• Avoid conflicts with the size of time_t variable in wazuh-db. (#1366)
• Osquery integration updated: (#1369)
  • Nest the result data into a “osquery” object.
  • Extract the pack name into a new field.
  • Include the query name in the alert description.
  • Minor fixes.
• Increased AWS S3 database entry limit to 5000 to prevent reprocessing repeated events. (#1391)
• Increased the limit of concurrent agent requests: 1024 by default, configurable up to 4096. (#1473)
• Change the default vulnerability-detector interval from 1 to 5 minutes. (#1729)
• Port the UNIX version of Auth client (agent_auth) to the Windows agent. (#1790)
  • Support of TLSv1.2 through embedded OpenSSL library.
  • Support of SSL certificates for agent and manager validation.
  • Unify Auth client option set.

Fixed

• Fixed email_alerts configuration for multiple recipients. (#1193)
• Fixed manager stopping when no command timeout is allowed. (#1194)
• Fixed getting RAM memory information from mac OS X and FreeBSD agents. (#1203)
• Fixed mandatory configuration labels check. (#1208)
• Fix 0 value at check options from Syscheck. (1209)
• Fix bug in whodata field extraction for Windows. (#1233)
• Fix stack overflow when monitoring deep files. (#1239)
• Fix typo in whodata alerts. (#1242)
• Fix bug when running quick commands with timeout of 1 second. (#1259)
• Prevent offline agents from generating vulnerability-detector alerts. (#1292)
• Fix empty SHA256 of rotated alerts and log files. (#1308)
• Fixed service startup on error. (#1324)
• Set connection timeout for Auth server (#1336)
• Fix the cleaning of the temporary folder. (#1361)
• Fix check_mtime and check_inode views in Syscheck alerts. (#1364)
• Fixed the reading of the destination address and type for PPP interfaces. (#1405)
• Fixed a memory bug in regex when getting empty strings. (#1430)
• Fixed report_changes with a big ammount of files. (#1465)
• Prevent Logcollector from null-terminating socket output messages. (#1547)
• Fix timeout overtaken message using infinite timeout. (#1604)
• Prevent service from crashing if global.db is not created. (#1485)
• Set new agent.conf template when creating new groups. (#1647)

Download && Use

Portions Copyright (C) 2017 Wazuh, Inc.
Based on work Copyright (C) 2003 – 2013 Trend Micro, Inc.