⚡ Quick Reference - Most Used Commands

Restart Manager    sudo systemctl restart wazuh-manager
Check Status       sudo /var/ossec/bin/wazuh-control status
List Agents        sudo /var/ossec/bin/agent_control -l
Test Config        sudo /var/ossec/bin/wazuh-analysisd -t
Test Rules         sudo /var/ossec/bin/wazuh-logtest
Watch Alerts       sudo tail -f /var/ossec/logs/alerts/alerts.log
Watch AR Log       sudo tail -f /var/ossec/logs/active-responses.log
Fix Permissions    sudo chown wazuh:wazuh /var/ossec/etc/ossec.conf
⚙️ Service Management

Wazuh Manager

systemctl commands (recommended)
sudo systemctl start wazuh-manager
sudo systemctl stop wazuh-manager
sudo systemctl restart wazuh-manager
sudo systemctl status wazuh-manager
wazuh-control commands
sudo /var/ossec/bin/wazuh-control start
sudo /var/ossec/bin/wazuh-control stop
sudo /var/ossec/bin/wazuh-control restart
sudo /var/ossec/bin/wazuh-control status

Wazuh Stack Components

Indexer, Dashboard & Filebeat
# Wazuh Indexer
sudo systemctl restart wazuh-indexer
sudo systemctl status wazuh-indexer

# Wazuh Dashboard
sudo systemctl restart wazuh-dashboard
sudo systemctl status wazuh-dashboard

# Filebeat
sudo systemctl restart filebeat
sudo systemctl status filebeat
🖥️ Agent Management

List Agents

agent_control commands
# List all agents
sudo /var/ossec/bin/agent_control -l

# List connected agents only
sudo /var/ossec/bin/agent_control -lc

# List disconnected agents
sudo /var/ossec/bin/agent_control -ln

# Get specific agent info
sudo /var/ossec/bin/agent_control -i <agent_id>

Agent Operations

Restart, Remove, Add Agents
# Restart specific agent remotely
sudo /var/ossec/bin/agent_control -R <agent_id>

# Restart all agents
sudo /var/ossec/bin/agent_control -R -a

# Remove agent
sudo /var/ossec/bin/manage_agents -r <agent_id>

# Extract agent key
sudo /var/ossec/bin/manage_agents -e <agent_id>

# Add new agent interactively (manage_agents with no arguments opens the menu; -a expects an agent IP)
sudo /var/ossec/bin/manage_agents

Agent Groups

Group management commands
# List all groups
sudo /var/ossec/bin/agent_groups -l

# List agents in a group
sudo /var/ossec/bin/agent_groups -l -g <group_name>

# Add agent to group
sudo /var/ossec/bin/agent_groups -a -i <agent_id> -g <group_name>

# Remove agent from group
sudo /var/ossec/bin/agent_groups -r -i <agent_id> -g <group_name>
📄 Log Files & Locations

Manager Log Files

Log File                                    Purpose
/var/ossec/logs/ossec.log                   Main Wazuh log (errors, warnings, info)
/var/ossec/logs/alerts/alerts.log           Generated alerts (plain text)
/var/ossec/logs/alerts/alerts.json          Generated alerts (JSON format)
/var/ossec/logs/archives/archives.log       All events (only if logall is enabled)
/var/ossec/logs/active-responses.log        Active response execution log
/var/ossec/logs/api.log                     API access log
/var/ossec/logs/cluster.log                 Cluster operations log

View Logs in Real-time

tail -f commands
# Watch main log
sudo tail -f /var/ossec/logs/ossec.log

# Watch alerts
sudo tail -f /var/ossec/logs/alerts/alerts.log

# Watch alerts JSON
sudo tail -f /var/ossec/logs/alerts/alerts.json

# Watch active responses
sudo tail -f /var/ossec/logs/active-responses.log
📁 Configuration Files

Important Files

File                                          Purpose
/var/ossec/etc/ossec.conf                     Main manager configuration
/var/ossec/etc/rules/local_rules.xml          Custom rules
/var/ossec/etc/decoders/local_decoder.xml     Custom decoders
/var/ossec/etc/shared/default/agent.conf      Centralized agent config
/var/ossec/etc/lists/                         CDB lists directory

Validate Configuration

Config validation commands
# Test configuration syntax
sudo /var/ossec/bin/wazuh-analysisd -t

# Verify agent.conf syntax
sudo /var/ossec/bin/verify-agent-conf

# XML validation (ossec.conf contains several top-level <ossec_config> blocks, so it must be
# wrapped in a single root or xmllint reports "Extra content at the end of the document")
(echo '<root>'; sudo cat /var/ossec/etc/ossec.conf; echo '</root>') | xmllint --noout -
⚠️ Critical: Always fix permissions after editing config files!
sudo chown wazuh:wazuh /var/ossec/etc/ossec.conf

File Permissions Reference

File/Directory                                Owner          Permissions
/var/ossec/etc/ossec.conf                     wazuh:wazuh    640
/var/ossec/etc/rules/local_rules.xml          wazuh:wazuh    660
/var/ossec/etc/decoders/local_decoder.xml     wazuh:wazuh    660
/var/ossec/etc/shared/                        wazuh:wazuh    770
🧪 Rule Testing & Debugging

Wazuh Logtest

Interactive rule testing
# Start interactive logtest
sudo /var/ossec/bin/wazuh-logtest

# Test with verbose output
sudo /var/ossec/bin/wazuh-logtest -v

# Test specific log file
cat /path/to/logfile | sudo /var/ossec/bin/wazuh-logtest

# Test from archives
grep "keyword" /var/ossec/logs/archives/archives.log | head -1 | sudo /var/ossec/bin/wazuh-logtest
💡 Tip: Use wazuh-logtest to verify decoder extraction and rule matching before deploying new rules to production.
🛡️ Active Response

Check Active Response Status

AR monitoring commands
# View AR log
sudo tail -f /var/ossec/logs/active-responses.log

# Check AR configuration
grep -A10 "active-response" /var/ossec/etc/ossec.conf

# List available AR commands
grep -A5 "<command>" /var/ossec/etc/ossec.conf

Available AR Scripts

Linux
firewall-drop        Block IP (iptables)
firewalld-drop       Block IP (firewalld)
host-deny            Add to hosts.deny
route-null           Null route IP
disable-account      Disable user

Windows
netsh.exe            Block IP (Windows FW)
route-null.exe       Null route IP
restart-wazuh.exe    Restart agent

Check Blocked IPs

Linux - Check blocked IPs
# iptables
sudo iptables -L -n | grep DROP

# firewalld
sudo firewall-cmd --list-rich-rules

# hosts.deny
cat /etc/hosts.deny

# null routes
ip route show | grep blackhole
🔌 API Commands

Authentication

Get API Token
# Get authentication token (recent 4.x API docs use -X POST for this endpoint)
TOKEN=$(curl -u <user>:<password> -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")

# Use token in requests
curl -k -X GET "https://localhost:55000/" -H "Authorization: Bearer $TOKEN"

Common API Endpoints

API endpoint examples
# Get manager info
curl -k -X GET "https://localhost:55000/manager/info" -H "Authorization: Bearer $TOKEN"

# List all agents
curl -k -X GET "https://localhost:55000/agents" -H "Authorization: Bearer $TOKEN"

# Get agent summary
curl -k -X GET "https://localhost:55000/agents/summary/status" -H "Authorization: Bearer $TOKEN"

# Restart specific agent
curl -k -X PUT "https://localhost:55000/agents/001/restart" -H "Authorization: Bearer $TOKEN"
🌐 Cluster Management

Cluster commands
# Check cluster status
sudo /var/ossec/bin/cluster_control -l

# Get cluster health
sudo /var/ossec/bin/cluster_control -i

# List agents together with the cluster node they report to
sudo /var/ossec/bin/cluster_control -a

# View cluster log
sudo tail -f /var/ossec/logs/cluster.log
🔧 Troubleshooting

Manager Won't Start

Diagnostic commands
# Check configuration syntax
sudo /var/ossec/bin/wazuh-analysisd -t

# Check for XML errors (wrap the multiple <ossec_config> root blocks so xmllint can parse the file)
(echo '<root>'; sudo cat /var/ossec/etc/ossec.conf; echo '</root>') | xmllint --noout -

# Check permissions
ls -la /var/ossec/etc/ossec.conf

# Fix permissions
sudo chown wazuh:wazuh /var/ossec/etc/ossec.conf
sudo chmod 640 /var/ossec/etc/ossec.conf

# Check logs for errors
sudo tail -50 /var/ossec/logs/ossec.log

Agent Not Connecting

Connection troubleshooting
# On manager - check agent status
sudo /var/ossec/bin/agent_control -l

# On agent - check connection state (Linux agents ship no agent_control; read wazuh-agentd's state file)
sudo grep '^status' /var/ossec/var/run/wazuh-agentd.state

# Check agent log
sudo tail -50 /var/ossec/logs/ossec.log

# Test connectivity (agent to manager)
telnet <manager_ip> 1514
nc -zv <manager_ip> 1514

Active Response Not Working

AR troubleshooting
# Check AR log
sudo tail -f /var/ossec/logs/active-responses.log

# Verify AR is enabled
grep -A20 "active-response" /var/ossec/etc/ossec.conf

# Check if command exists
ls -la /var/ossec/active-response/bin/

# Check whitelist
grep "white_list" /var/ossec/etc/ossec.conf

# Test AR manually (positional-argument form used before Wazuh 4.2; from 4.2 on the scripts
# read a JSON message on stdin, so this invocation does not apply to current agents)
sudo /var/ossec/active-response/bin/firewall-drop add - 1.2.3.4 100100 000
🪟 Windows Agent Commands

Service Management

PowerShell commands
# Start/Stop/Restart service
Restart-Service WazuhSvc
Start-Service WazuhSvc
Stop-Service WazuhSvc
Get-Service WazuhSvc

# Using net command
net start WazuhSvc
net stop WazuhSvc

Check Agent Status & Logs

Agent diagnostics
# Check agent status
& "C:\Program Files (x86)\ossec-agent\agent-control.exe" -s

# View agent log
Get-Content "C:\Program Files (x86)\ossec-agent\ossec.log" -Tail 50

# View active response log
Get-Content "C:\Program Files (x86)\ossec-agent\active-response\active-responses.log" -Tail 20

Windows Firewall (Wazuh AR)

Firewall commands
# List all Wazuh firewall rules
netsh advfirewall firewall show rule name=all | findstr /i "wazuh"

# Show specific rule details
netsh advfirewall firewall show rule name="WAZUH ACTIVE RESPONSE BLOCKED IP" verbose

# Delete Wazuh block rule
netsh advfirewall firewall delete rule name="WAZUH ACTIVE RESPONSE BLOCKED IP"

# Check firewall status
netsh advfirewall show allprofiles state

# Enable/Disable firewall
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles state off
🔍 Useful Search Commands

Search Alerts

grep commands for alerts
# Search by rule ID (alerts.json stores the ID as "rule":{"id":"100121",...}, there is no rule_id key)
grep '"id":"100121"' /var/ossec/logs/alerts/alerts.json | tail -10

# Search by agent
grep "agent.*DC" /var/ossec/logs/alerts/alerts.log | tail -10

# Search by IP
grep "10.10.1.103" /var/ossec/logs/alerts/alerts.log | tail -10

# Search by description
grep -i "brute force" /var/ossec/logs/alerts/alerts.log | tail -10

# Find errors in logs
grep -i "error" /var/ossec/logs/ossec.log | tail -20

# Find specific Windows Event ID
grep "4625" /var/ossec/logs/alerts/alerts.log | tail -10
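The grep one-liners above match substrings anywhere in a line, so a rule ID, agent name or IP can hit unrelated alerts. Added example (not part of the original cheat sheet) that parses alerts.json line by line and filters on the actual fields; the sample alert lines are constructed and follow the Wazuh alert layout (rule.id, agent.name, data.srcip, data.win.system.eventID).

```python
# Field-aware search over alerts.json (one JSON object per line). Sample lines are constructed.
import json

def _alert(rule_id, level, description, agent, data, full_log=""):
    # Build one alerts.json line in the Wazuh alert layout (rule.id, agent.name, data.*)
    return json.dumps({"timestamp": "2024-05-01T10:00:00.000+0000",
                       "rule": {"id": rule_id, "level": level, "description": description},
                       "agent": {"id": agent[0], "name": agent[1]}, "data": data, "full_log": full_log})

SAMPLE_ALERTS = [
    _alert("5712", 10, "sshd: brute force trying to get access to the system.", ("001", "web01"),
           {"srcip": "10.10.1.103", "srcuser": "root"}, "Failed password for root from 10.10.1.103"),
    _alert("100121", 8, "Custom: SSH login from non-admin subnet", ("001", "web01"),
           {"srcip": "10.10.1.103", "srcuser": "deploy"}),
    _alert("60204", 5, "Windows logon failure", ("002", "DC01"),
           {"win": {"system": {"eventID": "4625"}, "eventdata": {"ipAddress": "10.10.1.103"}}}),
    _alert("1001210", 3, "Unrelated rule whose id merely contains 100121", ("003", "DC02"),
           {"srcip": "192.0.2.10"}),
    "{truncated line from an interrupted write",  # must be skipped, not crash the search
]

def source_ip(alert):
    # Linux decoders set data.srcip; the Windows eventchannel decoder uses data.win.eventdata.ipAddress
    data = alert.get("data", {})
    return data.get("srcip") or data.get("win", {}).get("eventdata", {}).get("ipAddress")

def search_alerts(lines, rule_id=None, agent=None, srcip=None, event_id=None, text=None):
    """Return parsed alerts matching every given filter; IDs and IPs match exactly, text is case-insensitive."""
    hits = []
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or malformed line (e.g. still being written)
        rule, data = alert.get("rule", {}), alert.get("data", {})
        if rule_id and rule.get("id") != str(rule_id):
            continue
        if agent and agent not in alert.get("agent", {}).get("name", ""):
            continue
        if srcip and source_ip(alert) != srcip:
            continue
        if event_id and data.get("win", {}).get("system", {}).get("eventID") != str(event_id):
            continue
        haystack = (rule.get("description", "") + " " + alert.get("full_log", "")).lower()
        if text and text.lower() not in haystack:
            continue
        hits.append(alert)
    return hits
```

Run it against the live file with `search_alerts(open("/var/ossec/logs/alerts/alerts.json"), srcip="10.10.1.103")`; the file object is iterated line by line, so large files are not loaded into memory.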
✨ Best Practices

📦 Backup Before Changes
Always create backups before modifying configuration files.
sudo cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.backup.$(date +%Y%m%d)

✅ Validate Before Restart
Always validate configuration syntax before restarting services.
sudo /var/ossec/bin/wazuh-analysisd -t

🔒 Fix Permissions
Ensure correct ownership after editing config files.
sudo chown wazuh:wazuh /var/ossec/etc/ossec.conf

🛡️ Whitelist Admin IPs
Add management IPs to the active-response whitelist (inside <global> in ossec.conf) so an active response can never block your own access.
<white_list>YOUR_ADMIN_IP</white_list>
⚠️ Important: Monitor disk space regularly - Wazuh logs can grow quickly in high-volume environments!
⚡ Quick Reference Table

Task                      Command
Restart manager           sudo systemctl restart wazuh-manager
Check status              sudo /var/ossec/bin/wazuh-control status
List agents               sudo /var/ossec/bin/agent_control -l
Test config               sudo /var/ossec/bin/wazuh-analysisd -t
Test rules                sudo /var/ossec/bin/wazuh-logtest
Watch alerts              sudo tail -f /var/ossec/logs/alerts/alerts.log
Watch AR                  sudo tail -f /var/ossec/logs/active-responses.log
Fix permissions           sudo chown wazuh:wazuh /var/ossec/etc/ossec.conf
Restart Windows agent     Restart-Service WazuhSvc
Check Windows FW rules    netsh advfirewall firewall show rule name=all | findstr /i "wazuh"